Monday, July 5, 2021

Recent Questions - Server Fault

Cannot boot Solaris server after power outage

Posted: 05 Jul 2021 08:49 PM PDT

There was a power outage and now the Solaris server cannot boot. Please help.

    Boot device: disk  File and args:
    seek failed
    FCode aborted.
    $boot failed
    Evaluating:
    The file just loaded does not appear to be executable.

[screenshot of the PuTTY session]

Domain Controller 2019 Event ID 1074, Reason Code: 0x50006 Lsass.exe terminated unexpectedly

Posted: 05 Jul 2021 08:21 PM PDT

    The process wininit.exe has initiated the restart of computer Domain Controller 2019 on behalf of user for the following reason: No title for this reason could be found
    Reason Code: 0x50006
    Shutdown Type: restart
    Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073740767. The system will now shut down and restart.

    Faulting application name: lsass.exe, version: 10.0.17763.1, time stamp: 0xf1beaffa
    Faulting module name: verifier.dll, version: 10.0.17763.1, time stamp: 0x197d3cfd
    Exception code: 0xc0000421
    Fault offset: 0x0000000000006646
    Faulting process id: 0x2a4
    Faulting application start time: 0x01d77174ea850ebe
    Faulting application path: C:\Windows\system32\lsass.exe
    Faulting module path: C:\Windows\System32\verifier.dll
    Report Id: 62e62818-ccba-40c1-a815-e036fe1c42c9
    Faulting package full name:
    Faulting package-relative application ID:

I noticed that when I stop the NETLOGON service, Server 2019 doesn't restart unexpectedly. But when I start the NETLOGON service, it still restarts every 5 to 10 minutes.

Two files, same permissions, Apache says one is forbidden

Posted: 05 Jul 2021 08:37 PM PDT

I have two files in a directory that is accessible to the Internet. It's part of a WordPress installation. Here are the directory contents:

    # ls -lah
    total 11M
    -rw-r--r--. 1 apache apache 2.9M Jul  6 01:49 June_16.pdf
    -rw-r--r--. 1 apache apache 2.6M Jul  5 14:17 June_23.pdf
    -rw-r--r--. 1 apache apache 2.4M Jul  5 14:17 June_30.pdf
    ... few other files...

They all have the same permissions. Yet I can view / download two of the files, but cannot view / download one of them. For the one I cannot view / download, Apache gives a 403 Forbidden failure. It happens for this PDF file no matter what directory I put it in.

On my local machine (MacOs), I can view the file and it's a valid pdf. I also cannot upload this PDF file via the WordPress Media Upload page.

What could be going on here?

Just FYI here are links to the files:

https://www.qctonline.com/wp-content/uploads/2021/07/June_16.pdf

https://www.qctonline.com/wp-content/uploads/2021/07/June_23.pdf

https://www.qctonline.com/wp-content/uploads/2021/07/June_30.pdf

How can I make TCP packets bound for a private address reach their target?

Posted: 05 Jul 2021 07:08 PM PDT

I am not a network admin, so sorry if I get terminology wrong here. I am working with two computers, one at my work behind a firewall acting as a server and my home computer acting as a client, and an authorization program that sends TCP packets to get authorization. Currently, the program sends TCP packets to the external IP address of the server, which then get routed through a static NAT to the server's private address. This works at first, but after the first connection is made the program tries to send the next packets directly to the private IP address. The program allows me to change the IP address it tries to connect to on the client side, but that is about it. I thought there might be a way to change outbound traffic addresses on the client side, but I just have a home router with no sophisticated controls. I have also tried setting up a VPN connection through my work's firewall to the server computer, with no luck. Is there any way to make the private IP address of the server computer reachable, or is there a way to route traffic directly to the server?

/var/lib/kubelet/pki/kubelet.crt is expired, How to renew it?

Posted: 05 Jul 2021 07:07 PM PDT

The Kubernetes cluster is on 1.21.2. The kubelet is also on 1.21.2.

    kubelet --version
    Kubernetes v1.21.2

    kubeadm version
    kubeadm version: &version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.2", GitCommit:"092fbfbf53427de67cac1e9fa54aaa09a28371d7", GitTreeState:"clean", BuildDate:"2021-06-16T12:57:56Z", GoVersion:"go1.16.5", Compiler:"gc", Platform:"linux/amd64"}

When I try "kl get no" I get the error below:

    kl get no
    error: You must be logged in to the server (Unauthorized)

Note: kl is an alias of kubectl. I checked my /var/lib/kubelet/pki/kubelet.crt and it was expired.

In kubelet.crt, the issuer is below

    Subject: CN=aparapu@1591592441
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption

I need help renewing this kubelet.crt.
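As an added example, not part of the question above: a small POSIX shell helper that reports how many days remain on a PEM certificate such as /var/lib/kubelet/pki/kubelet.crt, so the expired one can be identified before anything is renewed. It assumes the openssl CLI and GNU date (for `date -d`) are on the node; the file list is the kubeadm default layout and is an assumption about this cluster.

```shell
#!/bin/sh
# Added example (not from the question): report days left on PEM certificates.
# Assumes the openssl CLI and GNU `date` (needed for `date -d`), both normally
# present on a kubeadm node. Paths are the kubeadm defaults, an assumption here.

# days_until "<notAfter string as openssl prints it>" -> whole days from now,
# negative when the date is already in the past.
days_until() {
    end_epoch=$(date -d "$1" +%s)
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# cert_days_left <file.pem> -> days left on the first certificate in the file
cert_days_left() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    days_until "$not_after"
}

# Flag anything expired or within 30 days of expiry among the certs a kubeadm
# node relies on: the kubelet serving cert from the question, the kubelet's
# client cert (rotated automatically when rotation is enabled), and two of the
# control-plane certs kubeadm manages (present only on control-plane nodes).
report_expiring() {
    for f in /var/lib/kubelet/pki/kubelet.crt \
             /var/lib/kubelet/pki/kubelet-client-current.pem \
             /etc/kubernetes/pki/apiserver.crt \
             /etc/kubernetes/pki/apiserver-kubelet-client.crt; do
        [ -r "$f" ] || continue
        left=$(cert_days_left "$f")
        if [ "$left" -lt 0 ]; then
            echo "EXPIRED   $f ($left days)"
        elif [ "$left" -lt 30 ]; then
            echo "EXPIRING  $f ($left days)"
        else
            echo "ok        $f ($left days)"
        fi
    done
}

# Run the report only when asked, so the functions can also be sourced.
if [ "${1:-}" = "check" ]; then
    report_expiring
fi
```

`sh cert-check.sh check` prints one line per certificate found. For the certificates it manages under /etc/kubernetes, kubeadm 1.21 also ships `kubeadm certs check-expiration` and `kubeadm certs renew all`. kubelet.crt itself is the kubelet's self-signed serving certificate, which the kubelet regenerates on restart when the file is absent; it is not the credential kubectl presents, so an Unauthorized from kubectl points at the client certificate inside the kubeconfig in use rather than at this file.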

UFW block port UDP 67 on all but specific interface?

Posted: 05 Jul 2021 08:55 PM PDT

I am new to UFW, trying to quit iptables for something that appears to be a lot easier at face value.

I am just trying to get my head around the logic and do not know much about it yet.

I have a global listening UDP port 67 that I am unable to disable due to configuration issues with a 3rd party application.

So the plan is to block this port on all but a specific interface / IP; it's still needed, but only on one side of the network.

How would I do this using UFW? Let's say the interface I want to allow is eth0 with the static IP 192.168.0.50.
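An added example, not from the question: the ufw rule pair that keeps UDP/67 reachable only on one interface and address, generated first so it can be reviewed and applied only when APPLY=1. eth0 and 192.168.0.50 are the values from the question; whether the existing ufw default incoming policy already denies traffic is not known here and is left as an assumption.

```shell
#!/bin/sh
# Added example (not from the question): allow UDP/67 on one interface/address
# and deny it everywhere else with ufw. Interface and address come from the
# question; nothing is changed on the host unless APPLY=1.
IFACE="${IFACE:-eth0}"
ADDR="${ADDR:-192.168.0.50}"

# ufw keeps user rules in the order they are added and the first match wins,
# so the narrow allow has to be added before the broad deny. The deny is only
# needed when the default incoming policy is not already "deny".
udp67_rules() {
    cat <<EOF
ufw allow in on $IFACE to $ADDR port 67 proto udp
ufw deny proto udp to any port 67
EOF
}

# Print or execute each rule. Executing needs root; the dry run does not.
apply_rules() {
    udp67_rules | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = "1" ]; then
            echo "+ $rule"
            $rule
        else
            echo "would run: $rule"
        fi
    done
}

apply_rules
```

`ufw status numbered` after applying should list the allow ahead of the deny; if the order came out wrong, `ufw insert 1 ...` puts a rule at the top. One limit worth knowing before relying on this: a DHCP server that reads UDP/67 through a raw packet socket (ISC dhcpd does on Linux) sees frames before netfilter does, so neither ufw nor iptables can gate that listener and the application itself has to be bound to the right interface.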

Reinstalling ESXi - How to retrieve data

Posted: 05 Jul 2021 07:46 PM PDT

I have lost the ESXi password and I want to reinstall ESXi on the server. How can I get the VMs up and running after installing ESXi, since I am using a physical SAN to store them (including vCenter)? Please note I have 2 servers.

fail2ban won't start / Python syntax error

Posted: 05 Jul 2021 06:12 PM PDT

I installed fail2ban on my Ubuntu 18.04 server. But when I try to start the service I get this error:

    fail2ban.service: Start request repeated too quickly.
    fail2ban.service: Failed with result 'exit-code'.
    Failed to start Fail2Ban Service.

When I run the client as a user, as another post suggested, I get a Python syntax error:

    > fail2ban-client -start
    Traceback (most recent call last):
      File "/usr/bin/fail2ban-client", line 34, in <module>
        from fail2ban.client.fail2banclient import exec_command_line, sys
      File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banclient.py", line 231
        def configureServer(self, async=True, phase=None):
                                      ^
    SyntaxError: invalid syntax

How can I fix this? I couldn't find any other info online regarding this issue.

Thanks!

How can I record a video using a Logitech webcam and an EV3 with EV3DEV?

Posted: 05 Jul 2021 04:35 PM PDT

I have an EV3 that is running EV3DEV and I would like to record a video using a Logitech webcam. I have connected to the EV3 via SSH through PuTTY. I wouldn't mind using fswebcam but when I try to install it, it just says

    robot@ev3dev:~$ sudo apt-get install fswebcam
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package fswebcam
    robot@ev3dev:~$

Even when I type sudo apt-get update it says this:

    robot@ev3dev:~$ sudo apt-get update
    [sudo] password for robot:
    Err:1 http://http.kali.org/kali kali-rolling InRelease
      Could not resolve 'http.kali.org'
    Reading package lists... Done
    W: Failed to fetch http://http.kali.org/kali/dists/kali-rolling/InRelease  Could not resolve 'http.kali.org'
    W: Some index files failed to download. They have been ignored, or old ones used instead.

Can someone please help!!!

What are the cons of chiplet technology?

Posted: 05 Jul 2021 04:13 PM PDT

I have been looking at all the advantages listed for chiplet technology that Intel, AMD have been implementing. What are the disadvantages of chiplet technology? Is the communication between chiplets slower than communication in the monolithic alternative?

Service unable to use mysql when starting up

Posted: 05 Jul 2021 04:09 PM PDT

I'm having an odd error. I've set up Postfix & ASSP, with ASSP using MySQL databases, and all is well. If I run perl assp.pl, no worries, life is good.

However, if I set up ASSP to run as a service (so that it auto-starts), it does start, but none of the tables are imported; it either doesn't have access to Perl, or it doesn't have access to MySQL...

I've tried elevating the permissions, and just about everything I can think of... What might be causing this?

/etc/systemd/system/assp.service

    [Unit]
    Description=AntiSpam SMTP Proxy
    After=mysql.service network.target

    [Service]
    Type=oneshot
    RemainAfterExit=true
    ExecStart=/usr/bin/perl /var/db/assp/assp.pl /var/db/assp/
    ExecStop=/usr/bin/killall /usr/bin/perl
    User=root

    [Install]
    WantedBy=multi-user.target

Any advice would be very much appreciated :)

Startup Log The startup log actually shows the error. But I am unsure if it's a perl or mysql permission error.

    Jul-06-21 00:52:41 [Worker_10001] Whitelist database error: Can't locate object method "connect" via package "DBI" at sub main::checkDBCon line 63.
    Jul-06-21 00:52:41 [Worker_10001] Persblack database error: Can't locate object method "connect" via package "DBI" at sub main::checkDBCon line 63.
    Jul-06-21 00:52:41 [Worker_10001] Redlist database error: Can't locate object method "connect" via package "DBI" at sub main::checkDBCon line 63.
    Jul-06-21 00:52:41 [Worker_10001] Delaydb database error: Can't locate object method "connect" via package "DBI" at sub main::checkDBCon line 63.
    Jul-06-21 00:52:41 [Worker_10001] Delaydb.white database error: Can't locate object method "connect" via package "DBI" at sub main::checkDBCon line 63.
    Jul-06-21 00:52:41 [Worker_10001] Pbdb.white.db database error: Can't locate object method "connect" via package "DBI" at sub main::checkDBCon line 63.
    Jul-06-21 00:52:41 [Worker_10001] Pbdb.black.db database error: Can't locate object method "connect" via package "DBI" at sub main::checkDBCon line 63.
    Jul-06-21 00:52:41 [Worker_10001] Pbdb.rbl.db database error: Can't locate object method "connect" via package "DBI" at sub main::checkDBCon line 63

Controlling Egress calls of kubernetes pods based on intermediate host file

Posted: 05 Jul 2021 08:14 PM PDT

Can I modify and use the /etc/hosts.allow file, or something similar, to restrict the outgoing (egress) calls from my Kubernetes pods? If there is an intermediate lookup happening while making an egress call from a pod to an external domain (let's say google.com), then should I be able to use a hosts.allow kind of config to control and restrict the access of outgoing calls?
For example, I want to allow google.com and block github.com.

Note: I see in my default pods that coredns pod is already present with image: rancher/coredns-coredns:1.8.3. I understand that it comes default with k3s.

PS: I have already explored calico and other external (third party) network policy but they are not fulfilling my requirement.

From AWS to GCP - Is downtime unavoidable during migration?

Posted: 05 Jul 2021 05:48 PM PDT

I'm trying to migrate a bitnami wordpress from AWS to GCP. I would like to avoid downtime during the migration. As a new learner, I am not sure how to best handle this.

I have encountered some roadblocks, mostly around the load balancer and SSL:

  1. I would like to use a load balancer on GCP. I prefer Google's managed certificate but the domain's IP is tied to AWS's server. I have to release them from AWS first and that will be quite a bit of downtime waiting for GCP to validate and provision.

  2. If I were to use own certificate on GCP's load balancer just for the migration purpose to avoid downtime, will there be downtime if I switch back to Google's managed SSL?

  3. The bitnami wordpress VM's on GCP has a dummy self-signed root certificate pointing to example.com CN=example.com that I can't remove, more likely I don't know how to. How can I remove or replace that with actual domain name?

  4. I am unable to generate a letsencrypt on GCP's server because the domain is still tied to AWS's server. Again, I have to release them first before I can use it on GCP and that will result in downtime.

  5. If I use SSL on loadbalancer, do I still need to install SSL on server? Will the virtual host 443 work without SSL installed on the server?

  6. Is it possible to create the loadbalancer without providing a SSL for frontend? I don't see an option to do so on GCP's console.

I understand my questions are probably very elementary. I really appreciate any directions at this point.

Thanks

How to block container communication (172.17.0.0/16) except of the default gateway with iptables

Posted: 05 Jul 2021 09:46 PM PDT

I am using docker to run containers.
I don't want the containers to have access to the other containers but I want them to still have access to external communication like using apt update.

The containers network is 172.17.0.0/16, if I just block like that:

    iptables -I FORWARD -i docker0 -d 172.17.0.0/16 -j DROP

It works, but then they can't use apt update; it can't find where to download from, probably because that traffic goes out through the gateway.
Therefore I wanted to allow connections to the gateway (172.17.0.1), so I tried to allow it like this:

    iptables -A INPUT -i docker0 -d 172.17.0.1/32 -j ACCEPT
    iptables -A OUTPUT -o docker0 -d 172.17.0.1/32 -j ACCEPT

But the problem still exist, it can't use apt update:

    Err:1 http://archive.ubuntu.com/ubuntu focal InRelease
      Temporary failure resolving 'archive.ubuntu.com'

Only when I remove the block rule does it work again:

    iptables -I FORWARD -i docker0 -d 172.17.0.0/16 -j DROP
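As an added example, not from the question: the rule in the post matches any forwarded packet whose destination lies inside 172.17.0.0/16, which is broader than container-to-container traffic. Matching on the ingress and egress interface pair instead only hits traffic that stays on the bridge, which is also what Docker's own icc=false option installs. The script below prints the rules (or applies them with APPLY=1) and assumes the default docker0 bridge and a Docker new enough to have the DOCKER-USER chain (17.06 and later).

```shell
#!/bin/sh
# Added example (not from the question): isolate containers from each other on
# the default bridge without cutting their path to the outside world. Assumes
# the docker0 bridge and Docker >= 17.06, which provides the DOCKER-USER chain.
# Nothing is applied unless APPLY=1.
BRIDGE="${BRIDGE:-docker0}"
SUBNET="${SUBNET:-172.17.0.0/16}"

# What the question tried: drops every forwarded packet headed into the subnet.
weak_rule() {
    echo "iptables -I FORWARD -i $BRIDGE -d $SUBNET -j DROP"
}

# Traffic that enters on the bridge and would leave on the same bridge is, by
# definition, container to container; outbound traffic leaves via another
# interface and is untouched. DOCKER-USER is evaluated before Docker's own
# FORWARD rules and is not rewritten when the daemon restarts, unlike rules
# inserted straight into FORWARD.
isolation_rules() {
    cat <<EOF
iptables -I DOCKER-USER -i $BRIDGE -o $BRIDGE -j DROP
EOF
}

# The daemon-side equivalent for the default bridge (/etc/docker/daemon.json).
icc_setting() {
    printf '{ "icc": false }\n'
}

apply_rules() {
    isolation_rules | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = "1" ]; then
            echo "+ $rule"
            $rule
        else
            echo "would run: $rule"
        fi
    done
}

echo "rule from the question (matches more than container-to-container): $(weak_rule)"
echo "daemon.json alternative: $(icc_setting)"
apply_rules
```

Containers on the default bridge resolve through the nameservers in the host's /etc/resolv.conf (Docker substitutes public resolvers when that file only lists a loopback stub), so after applying the rule `docker run --rm busybox nslookup archive.ubuntu.com` is the quick check that DNS still leaves the bridge. User-defined networks each get their own bridge; the same -i/-o pair applies per bridge name, or `com.docker.network.bridge.enable_icc=false` at network creation does it for that network.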

AADSTS650052: The app needs access to a service ("http://rts.powerapps.com")

Posted: 05 Jul 2021 04:02 PM PDT

I'm trying to debug a RapidCMS site locally. I use AAD to authenticate the user against my domain. For no apparent reason I am now receiving this error when launching my app:

Microsoft Sign in Sorry, but we're having trouble signing you in.

AADSTS650052: The app needs access to a service ("http://rts.powerapps.com") that your organization "REDACTED" has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions.

I've never done anything with PowerApps and cannot find any reference to it in the code or on my Azure AD applications.

How to Change Default System Wide UMASK on Ubuntu 18.04?

Posted: 05 Jul 2021 09:05 PM PDT

The default umask on 18.04 LTS is 0022.

I want to set it to 0027 system wide. So for example when logrotate renames old log files, it respects the 0027 umask.

There are no logins on the system, only SSH. So this is not a question that can be solved by editing /etc/login.defs. Ideas?

Googled this for hours and haven't found a reliable answer.
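An added example, not from the question: giving a systemd-managed service a 0027 umask through a per-unit drop-in, plus the check that tells you what umask a running process actually ended up with. The check reads the "Umask:" line that /proc/<pid>/status exposes on Linux 4.7 and later. The unit name logrotate.service is an assumption for illustration; if logrotate on the box runs from cron instead, it inherits the cron daemon's umask, which this does not touch.

```shell
#!/bin/sh
# Added example (not from the question): give a systemd-managed service a
# 0027 umask and verify the mask a running process really has. Reads the
# "Umask:" line /proc/<pid>/status exposes on Linux >= 4.7. The unit name is
# an assumption for illustration; a logrotate started from cron instead
# inherits the cron daemon's umask, which this does not touch.

# proc_umask <pid> -> octal umask of that process, e.g. 0027
proc_umask() {
    awk '/^Umask:/ { print $2 }' "/proc/$1/status"
}

# install_umask_dropin <unit>: drop-in setting UMask= for one unit. A per-unit
# UMask= applies no matter what /etc/login.defs or pam_umask would give an
# interactive login, which is why it works on a box nobody logs in to.
# Writes nothing unless APPLY=1.
install_umask_dropin() {
    unit="$1"
    dir="/etc/systemd/system/$unit.d"
    if [ "${APPLY:-0}" = "1" ]; then
        mkdir -p "$dir"
        printf '[Service]\nUMask=0027\n' > "$dir/10-umask.conf"
        systemctl daemon-reload
    else
        printf 'would write %s/10-umask.conf:\n[Service]\nUMask=0027\n' "$dir"
    fi
}

# Demonstration on this shell: set the mask, then read back what the kernel
# reports for this very process. The same call works on a service's MainPID.
umask 0027
install_umask_dropin logrotate.service
if [ -r "/proc/$$/status" ]; then
    echo "umask of pid $$ per /proc: $(proc_umask $$)"
fi
```

After `systemctl restart logrotate.service`, `systemctl show -p MainPID logrotate.service` gives the PID to feed to proc_umask; reading the mask back from /proc is the only check that confirms the drop-in took effect rather than assuming it did.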

Nginx bind to external IP only (listen hostname:port)

Posted: 05 Jul 2021 05:03 PM PDT

I'd like to specify an nginx server that listens only on the external IP of the hostname given in the listen directive. My server has the domain name foobar.example.com, which resolves to the public IP 1.2.3.4.

When I configure nginx server like this

    server {
        #listen 3330;
        listen foobar.example.com:3330;
        server_name foobar.example.com;

        location / {
            proxy_pass http://127.1.0.1:3330;
            proxy_set_header  Host               $host;
            proxy_set_header  X-Real-IP          $remote_addr;
            proxy_set_header  X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header  X-Forwarded-Proto  $scheme;
        }
    }

it listens on 127.0.0.1:3330 though. Why is that? How can I make it to bind to 1.2.3.4:3330 instead without hardcoding the IP address in the config file?

    # dig +noall +answer foobar.example.com
    foobar.example.com.     2648    IN  A   1.2.3.4
    # dig +noall +answer -x 1.2.3.4
    4.3.2.1.in-addr.arpa. 2828  IN  PTR foobar.example.com.
    # dig +noall +answer -x 127.0.0.1
    1.0.0.127.in-addr.arpa. 0   IN  PTR foobar.example.com.
    1.0.0.127.in-addr.arpa. 0   IN  PTR foobar.

Just FYI: When I use just listen 3330 and keep the rest unchanged, nginx listens on 0.0.0.0:3330 and, as you suspect, all hell breaks loose on first request to http://foobar.example.com:3330. :-)

Drupal 8 + nginx + php 7 Image style: could not create file or folder

Posted: 05 Jul 2021 04:02 PM PDT

I'm running Drupal 8.5.3 on CentOS 7 with Nginx + PHP 7 + PHP 7 FPM. After successfully running the Drupal installation, I want to add an article, but the image thumbnail returns a 404 error. The image uploads to the sites/default/files folder, but the image style folder cannot be created. [screenshots: my Drupal status, and the 404 error for the image style after uploading an image for an article]

This is my nginx config

    server {
        listen 80;

        # access_log off;
        access_log /home/drupal8.mds.com.vn/logs/access.log;
        # error_log off;
        error_log /home/drupal8.mds.com.vn/logs/error.log;

        root /home/drupal8.mds.com.vn/public_html;
        index index.php index.html index.htm;
        server_name drupal8.mds.com.vn;

        # Custom configuration
        include /home/drupal8.mds.com.vn/public_html/*.conf;

        location / {
            #try_files $uri $uri/ /index.php?$args;
            try_files $uri /index.php?$query_string;
        }

        location ~ '\.php$|^/update.php' {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            #fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
            #fastcgi_split_path_info ^(.+\.php)(/.+)$;
            include /etc/nginx/fastcgi_params;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_connect_timeout 300;
            fastcgi_send_timeout 300;
            fastcgi_read_timeout 300;
            fastcgi_buffer_size 32k;
            fastcgi_buffers 8 16k;
            fastcgi_busy_buffers_size 32k;
            fastcgi_temp_file_write_size 32k;
            fastcgi_intercept_errors on;
            fastcgi_param SCRIPT_FILENAME home/drupal8.mds.com.vn/public_html$fastcgi_script_name;
        }

        location ~ /\.(?!well-known).* {
            deny all;
            access_log off;
            log_not_found off;
        }

        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        location ~* \.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|is$
            gzip_static off;
            add_header Pragma public;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
            access_log off;
            expires 30d;
            break;
        }

        location ~* \.(txt|js|css)$ {
            add_header Pragma public;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
            access_log off;
            expires 30d;
            break;
        }

        location ~ \..*/.*\.php$ {
            return 403;
        }

        location ~ ^/sites/.*/private/ {
            return 403;
        }

        location ~* ^/.well-known/ {
            allow all;
        }

        location ~ (^|/)\. {
            return 403;
        }

        location @rewrite {
            rewrite ^/(.*)$ /index.php?q=$1;
        }

        location ~ /vendor/.*\.php$ {
            deny all;
            return 404;
        }

        location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
            try_files $uri @rewrite;
        }

        location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
            try_files $uri /index.php?$query_string;
        }

        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
            try_files $uri @rewrite;
            expires max;
            log_not_found off;
        }
    }

For Drupal 7 I have the same issue, but I can hack core in modules/image, function image_style_url($style_name, $path):

    //Create derivated image if not exist ductm add
    if(!file_exists($file_url) && !file_exists($uri)){
      if(file_exists($path)){
        $currentStyle = image_style_load($style_name);
        image_style_create_derivative($currentStyle, $path, $uri);
      }
    }

    return $file_url;

[screenshot: permissions of the nginx user on sites/default/files/styles]

How to block SendGrid spam with sendmail?

Posted: 05 Jul 2021 08:02 PM PDT

Sendgrid and MailChimp are the two biggest sources of spam captured in my spam-folder. I'd like to block them before they get there.

Fortunately, in an effort to appear "legitimate" the spammers gracefully identify themselves. Sendgrid in particular inserts two special headers: X-SG-EID and X-SG-ID.

What's the best way to block on the sendmail level -- before it even hits procmail and/or IMAP-server?

I'm thinking of a header-database (such as /etc/mail/SPAM-HEADERS) and a LOCAL_CONFIG section with a header-rule like:

    F{SpamHeaders} /etc/mail/SPAM-HEADERS
    H*: $>CheckHdr
    SCheckHdr
    ... ??? ...

Note, I don't care for the header's value -- as long as the header itself is present, I want to reject the message. Preferably -- with a header-specific condemnation. For example, if the SPAM-HEADERS database contains line

    X-SG-ID        We love getting spam from SendGrid, just not today

I'd like sendmail to reply to any message with X-SG-ID among headers with 553 We love getting spam from SendGrid, just not today.

Host name is not resolved (host cannot connect)

Posted: 05 Jul 2021 03:07 PM PDT

I think this is not a usual "hostname not resolved" issue and I don't think this relates to the service I am talking about below:

  1. I have a cluster installed with Anaconda's Jupyter notebook; the notebook is up and its port is up. Basically, Jupyter notebook is a service running on the host and the user accesses it from his or her workstation.
  2. To access the service, the user will need to go to http://host:port
  3. On the host, I am able to use http://localhost:port
  4. On the same host, when I try http://host:port, I get rejected with the error: could not connect to host
  5. I am able to ping the host from my workstation and my colleague's workstation.

So what is wrong here?

Thank you very much. Any hint is appreciated.

freeradius gives "no shared cipher" for windows 10 client

Posted: 05 Jul 2021 05:03 PM PDT

I have a working configuration of 802.1X authentication on my switch. The RADIUS server is a FreeRADIUS instance with EAP-TLS configured. Everything works fine on Linux (and Android devices), but when I try to hook up a Windows 10 PC I'm getting a strange error from the FreeRADIUS server:

    <...>
    Debug: eap_tls: Continuing EAP-TLS
    Debug: eap_tls: Peer sent flags --L
    Debug: eap_tls: Peer indicated complete TLS record size will be 174 bytes
    Debug: eap_tls: Got complete TLS record (174 bytes)
    Debug: eap_tls: [eaptls verify] = length included
    Debug: eap_tls: (other): before/accept initialization
    Debug: eap_tls: TLS_accept: before/accept initialization
    Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0
    Debug: eap_tls: <<< recv TLS 1.2  [length 00a9]
    Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0
    Debug: eap_tls: >>> send TLS 1.2  [length 0002]
    ERROR: eap_tls: TLS Alert write:fatal:handshake failure
    Error: tls: TLS_accept: Error in error
    Error: tls: TLS_accept: Error in error
    ERROR: eap_tls: Failed in __FUNCTION__ (SSL_read): s3_srvr.c[1418]:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
    ERROR: eap_tls: System call (I/O) error (-1)
    ERROR: eap_tls: TLS receive handshake failed during operation
    ERROR: eap_tls: [eaptls process] = fail
    <...>

So, it looks like no shared cipher. Now, to the strange part.

TLSv1.2 is used; when the server replies to a client-hello message, it picks a single cipher suite and the other variable configuration parameters. When a Linux system is connecting, these parameters are: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, null compression, ECDHE curve secp384r1, signature algorithm SHA512+ECDSA.

The interesting part is that this configuration is offered/supported by the Windows system (in its client-hello), but the RADIUS server fails with no shared cipher. The only difference between these hellos is the TLS extensions: OCSP stapling, session tickets, extended master secret and renegotiation (all from the Windows system, see below).

Is it possible that one of these extensions causes FreeRADIUS (and OpenSSL) to reply with no shared cipher?

Here is the client-hello packet from the windows system. Right after this packet the NAS replies with failure.

    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 169
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 165
            Version: TLS 1.2 (0x0303)
            Random
                GMT Unix Time: Oct 12, 2016 22:32:27.000000000 MSK
                Random Bytes: cfee7182be38061f0202a3b3ec374724eec7a7eea20270ad...
            Session ID Length: 0
            Cipher Suites Length: 60
            Cipher Suites (30 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 64
            Extension: status_request
                Type: status_request (0x0005)
                Length: 5
                Certificate Status Type: OCSP (1)
                Responder ID list Length: 0
                Request Extensions Length: 0
            Extension: elliptic_curves
                Type: elliptic_curves (0x000a)
                Length: 8
                Elliptic Curves Length: 6
                Elliptic curves (3 curves)
                    Elliptic curve: Unknown (0x001d)
                    Elliptic curve: secp256r1 (0x0017)
                    Elliptic curve: secp384r1 (0x0018)
            Extension: ec_point_formats
                Type: ec_point_formats (0x000b)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
                    EC point format: uncompressed (0)
            Extension: signature_algorithms
                Type: signature_algorithms (0x000d)
                Length: 20
                Signature Hash Algorithms Length: 18
                Signature Hash Algorithms (9 algorithms)
                    Signature Hash Algorithm: 0x0401
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0501
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0201
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0403
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0503
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0203
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0202
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Hash Algorithm: 0x0601
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0603
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
            Extension: SessionTicket TLS
                Type: SessionTicket TLS (0x0023)
                Length: 0
                Data (0 bytes)
            Extension: Extended Master Secret
                Type: Extended Master Secret (0x0017)
                Length: 0
            Extension: renegotiation_info
                Type: renegotiation_info (0xff01)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0

Here is the client-hello from a linux system (working without problems):

SSL Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 293
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 289
        Version: TLS 1.2 (0x0303)
        Random
            GMT Unix Time: May 18, 2087 18:43:39.000000000 MSK
            Random Bytes: a8052b4f8ba5439503d03da61ea2eaad449c9c3a3e9f2ac6...
        Session ID Length: 0
        Cipher Suites Length: 172
        Cipher Suites (86 suites)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (0x00a5)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
            Cipher Suite: TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (0x00a1)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
            Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x0069)
            Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA256 (0x0068)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
            Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)
            Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)
            Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
            Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
            Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0086)
            Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0085)
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
            Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (0x00a4)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
            Cipher Suite: TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (0x00a0)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
            Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA256 (0x003f)
            Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA256 (0x003e)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
            Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)
            Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030)
            Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
            Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
            Cipher Suite: TLS_DH_RSA_WITH_SEED_CBC_SHA (0x0098)
            Cipher Suite: TLS_DH_DSS_WITH_SEED_CBC_SHA (0x0097)
            Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
            Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
            Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0043)
            Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0042)
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
            Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
            Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
            Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
            Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
            Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
            Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
            Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
            Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
            Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
            Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
            Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
            Cipher Suite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010)
            Cipher Suite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d)
            Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
            Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
            Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
        Compression Methods Length: 1
        Compression Methods (1 method)
            Compression Method: null (0)
        Extensions Length: 76
        Extension: ec_point_formats
            Type: ec_point_formats (0x000b)
            Length: 4
            EC point formats Length: 3
            Elliptic curves point formats (3)
                EC point format: uncompressed (0)
                EC point format: ansiX962_compressed_prime (1)
                EC point format: ansiX962_compressed_char2 (2)
        Extension: elliptic_curves
            Type: elliptic_curves (0x000a)
            Length: 28
            Elliptic Curves Length: 26
            Elliptic curves (13 curves)
                Elliptic curve: secp256r1 (0x0017)
                Elliptic curve: secp521r1 (0x0019)
                Elliptic curve: brainpoolP512r1 (0x001c)
                Elliptic curve: brainpoolP384r1 (0x001b)
                Elliptic curve: secp384r1 (0x0018)
                Elliptic curve: brainpoolP256r1 (0x001a)
                Elliptic curve: secp256k1 (0x0016)
                Elliptic curve: sect571r1 (0x000e)
                Elliptic curve: sect571k1 (0x000d)
                Elliptic curve: sect409k1 (0x000b)
                Elliptic curve: sect409r1 (0x000c)
                Elliptic curve: sect283k1 (0x0009)
                Elliptic curve: sect283r1 (0x000a)
        Extension: signature_algorithms
            Type: signature_algorithms (0x000d)
            Length: 32
            Signature Hash Algorithms Length: 30
            Signature Hash Algorithms (15 algorithms)
                Signature Hash Algorithm: 0x0601
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0602
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: DSA (2)
                Signature Hash Algorithm: 0x0603
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0501
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0502
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: DSA (2)
                Signature Hash Algorithm: 0x0503
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0401
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0402
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: DSA (2)
                Signature Hash Algorithm: 0x0403
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0301
                    Signature Hash Algorithm Hash: SHA224 (3)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0302
                    Signature Hash Algorithm Hash: SHA224 (3)
                    Signature Hash Algorithm Signature: DSA (2)
                Signature Hash Algorithm: 0x0303
                    Signature Hash Algorithm Hash: SHA224 (3)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0201
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0202
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: DSA (2)
                Signature Hash Algorithm: 0x0203
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: ECDSA (3)

The server-hello for the linux system (with the negotiated parameters):

Version: 802.1X-2001 (1)
Type: EAP Packet (0)
Length: 558
Extensible Authentication Protocol
    Code: Request (1)
    Id: 183
    Length: 558
    Type: TLS EAP (EAP-TLS) (13)
    EAP-TLS Flags: 0x80
        1... .... = Length Included: True
        .0.. .... = More Fragments: False
        ..0. .... = Start: False
    EAP-TLS Length: 1562
    [2 EAP-TLS Fragments (1562 bytes): #6(1014), #8(548)]
        [Frame: 6, payload: 0-1013 (1014 bytes)]
        [Frame: 8, payload: 1014-1561 (548 bytes)]
        [Fragment Count: 2]
        [Reassembled EAP-TLS Length: 1562]
    Secure Sockets Layer
        TLSv1.2 Record Layer: Handshake Protocol: Server Hello
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 57
            Handshake Protocol: Server Hello
                Handshake Type: Server Hello (2)
                Length: 53
                Version: TLS 1.2 (0x0303)
                Random
                    GMT Unix Time: Jun 23, 2069 22:43:44.000000000 MSK
                    Random Bytes: f55c140ff16bab468b8f5d2f21e3cc8237090f9eebf23476...
                Session ID Length: 0
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Compression Method: null (0)
                Extensions Length: 13
                Extension: renegotiation_info
                    Type: renegotiation_info (0xff01)
                    Length: 1
                    Renegotiation Info extension
                        Renegotiation info extension length: 0
                Extension: ec_point_formats
                    Type: ec_point_formats (0x000b)
                    Length: 4
                    EC point formats Length: 3
                    Elliptic curves point formats (3)
                        EC point format: uncompressed (0)
                        EC point format: ansiX962_compressed_prime (1)
                        EC point format: ansiX962_compressed_char2 (2)
        TLSv1.2 Record Layer: Handshake Protocol: Certificate
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 1155
            Handshake Protocol: Certificate
                Handshake Type: Certificate (11)
                Length: 1151
                Certificates Length: 1148
                Certificates (1148 bytes)
                    REDACTED
        TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 247
            Handshake Protocol: Server Key Exchange
                Handshake Type: Server Key Exchange (12)
                Length: 243
                EC Diffie-Hellman Server Params
                    Curve Type: named_curve (0x03)
                    Named Curve: secp384r1 (0x0018)
                    Pubkey Length: 97
                    Pubkey: 0409c1e40a860e38d72cc95fe4bed9bc01b2874f79fa74d3...
                    Signature Hash Algorithm: 0x0603
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Length: 138
                    Signature: 30818702414f82bf2dc1f20e19ca281784a1023607d4ae4f...
        TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 83
            Handshake Protocol: Certificate Request
                Handshake Type: Certificate Request (13)
                Length: 75
                Certificate types count: 3
                Certificate types (3 types)
                    Certificate type: RSA Sign (1)
                    Certificate type: DSS Sign (2)
                    Certificate type: ECDSA Sign (64)
                Signature Hash Algorithms Length: 30
                Signature Hash Algorithms (15 algorithms)
                    Signature Hash Algorithm: 0x0601
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0602
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Hash Algorithm: 0x0603
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0501
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0502
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Hash Algorithm: 0x0503
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0401
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0402
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Hash Algorithm: 0x0403
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0301
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0302
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Hash Algorithm: 0x0303
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0201
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0202
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Hash Algorithm: 0x0203
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: ECDSA (3)
                Distinguished Names Length: 37
                    REDACTED
            Handshake Protocol: Server Hello Done
                Handshake Type: Server Hello Done (14)
                Length: 0
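Added example, not part of the question above and not the poster's code: a small Python parser for a TLS 1.2 ClientHello that pulls out the three things the dissection lists (cipher suites, supported groups, signature_algorithms) and checks them against what the server actually settled on for the working Linux client: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, secp384r1 in the ServerKeyExchange, and an ecdsa/SHA512 signature over it. The ClientHello bytes here are constructed by a small builder (test fixture, not captured traffic); pointing parse_client_hello at the handshake bytes of the failing client's hello shows which of the three offers it is missing.

```python
import struct

# Parameters the server negotiated with the working Linux client, taken from the
# ServerHello / ServerKeyExchange dissection above.
SERVER_CIPHER_SUITE = 0xC02C   # TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SERVER_NAMED_CURVE = 0x0018    # secp384r1 (ServerKeyExchange named_curve)
SERVER_SIGNATURE_ALG = 0x0603  # ECDSA / SHA512 signature on the ServerKeyExchange

EXT_SUPPORTED_GROUPS = 0x000A      # "elliptic_curves" in older Wireshark
EXT_SIGNATURE_ALGORITHMS = 0x000D


def _u16_list(blob):
    """Decode a 2-byte-length-prefixed TLS vector of uint16 values."""
    if blob is None:
        return []
    n = struct.unpack(">H", blob[:2])[0]
    return [struct.unpack(">H", blob[2 + i:4 + i])[0] for i in range(0, n, 2)]


def build_client_hello(cipher_suites, groups, sig_algs):
    """Build a minimal TLS 1.2 ClientHello handshake message (constructed test input,
    not captured traffic). The random is zeroed because only the offers matter here."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
    cs = b"".join(struct.pack(">H", c) for c in cipher_suites)
    body += struct.pack(">H", len(cs)) + cs
    body += b"\x01\x00"                               # one compression method: null
    exts = b""
    for ext_type, values in ((EXT_SUPPORTED_GROUPS, groups), (EXT_SIGNATURE_ALGORITHMS, sig_algs)):
        vec = b"".join(struct.pack(">H", v) for v in values)
        data = struct.pack(">H", len(vec)) + vec
        exts += struct.pack(">HH", ext_type, len(data)) + data
    body += struct.pack(">H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)


def parse_client_hello(msg):
    """Parse a ClientHello handshake message (handshake header included, no record header)."""
    if msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    pos += 32                                   # random
    pos += 1 + body[pos]                        # session id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # compression methods
    extensions = {}
    if pos < len(body):
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            extensions[ext_type] = body[pos:pos + elen]
            pos += elen
    return {
        "version": version,
        "cipher_suites": suites,
        "groups": _u16_list(extensions.get(EXT_SUPPORTED_GROUPS)),
        "sig_algs": _u16_list(extensions.get(EXT_SIGNATURE_ALGORITHMS)),
    }


def check_against_server(hello, cipher=SERVER_CIPHER_SUITE, curve=SERVER_NAMED_CURVE,
                         sig_alg=SERVER_SIGNATURE_ALG):
    """List the reasons this ClientHello could not reach the parameters the server
    chose for the working client; an empty list means all three are offered."""
    problems = []
    if cipher not in hello["cipher_suites"]:
        problems.append("cipher suite 0x%04x not offered" % cipher)
    if curve not in hello["groups"]:
        problems.append("named curve 0x%04x not in supported groups" % curve)
    if sig_alg not in hello["sig_algs"]:
        problems.append("signature algorithm 0x%04x not in signature_algorithms" % sig_alg)
    return problems


# Constructed samples: a subset of the Linux client's offers, and a client that only
# speaks RSA suites with P-256 and SHA-256 (a peer that cannot accept the
# ECDSA / P-384 / SHA-512 parameters seen in the ServerKeyExchange above).
LINUX_LIKE = build_client_hello([0xC030, 0xC02C, 0x009D], [0x0017, 0x0019, 0x0018],
                                [0x0601, 0x0603, 0x0401])
RSA_ONLY = build_client_hello([0xC030, 0x009D], [0x0017], [0x0401])

if __name__ == "__main__":
    for name, raw in (("linux-like", LINUX_LIKE), ("rsa-only", RSA_ONLY)):
        print(name, check_against_server(parse_client_hello(raw)) or "compatible")
```

The check is deliberately one-directional: it asks whether a client could have accepted the server's choice, not whether the server could have picked something else for it, which is the question to ask first when one supplicant works and another fails against the same EAP-TLS server.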

TFS BuildHttpClient UpdateDefinition C# example

Posted: 05 Jul 2021 10:03 PM PDT

I need to update a vNext Build Definition programmatically. The reason for the need to programmatically update the build definition is that we are running the RTM version of Team Foundation Server 2015, and as of that release certain parts of the vNext Build Definitions are not exposed to the web GUI, and there is (as yet) no other way to change them. (Assuming that you want to keep your database in a supported state, and refuse to modify the database directly.)

Our corporate environment and all machines recently went through a domain change. The TFS server was moved to the new domain with no issues. However, the vNext Build definition has an internal reference to the old server name in the URL field, which still has the old domain name inside it.

So far, I have the following code which should update the URL of each build definition of a certain project. The call to GetDefinitionsAsync clearly returns the proper build DefinitionReferences to me, but UpdateDefinitionAsync does not seem to have any effect.

List<DefinitionReference> bds = new List<DefinitionReference>();
.
.
.
{
    Uri tfsURI = new Uri("http://<tfsserver>:8080/tfs/<collection>");
    WindowsCredential wc = new WindowsCredential(true);
    BuildHttpClient bhc = new BuildHttpClient(tfsURI, new VssCredentials(wc));

    var task = Task.Run(async () => { bds = await bhc.GetDefinitionsAsync(project: "projectname"); });
    task.Wait();

    foreach (var bd in bds)
    {
        BuildDefinition b = (BuildDefinition)bd;
        b.Url = b.Url.Replace("<server>.<olddomain>", "<server>.<newdomain>");

        var task1 = Task.Run(async () => { await bhc.UpdateDefinitionAsync(b); });
        task1.Wait();
    }
}

This code snippet compiles and runs without error. However, when I examine the build definition afterward, it has not been updated and remains as before. There are no exceptions seen by the debugger, and there are no event viewer or DebugView messages of relevance.

Regarding the above code snippet, I am uncertain about whether I am supposed to obtain the BuildDefinition that I need to pass to UpdateDefinition by casting the DefinitionReference (subclass) to BuildDefinition or not, but I see nothing close in the BuildHttpClient class that will give me a BuildDefinition from a DefinitionReference.

Any help would be appreciated. Thanks!

Juniper SRX IPSec tunnel to Microsoft Azure Dropping

Posted: 05 Jul 2021 06:08 PM PDT

I'm a bit stumped and was hoping to find some guidance here.

I've configured an IPSec tunnel to Microsoft Azure from my Juniper SRX240 (12.1X44-D45.2). The tunnel works fine but phase 2 drops when there is no traffic running across the tunnel (doesn't matter from which side traffic originates).

I've tried playing around with DPD but Azure doesn't support it. I've also configured VPN monitor to a destination on the other end of the tunnel but this also didn't work. In my "show log kmd" I am seeing P2 no proposal chosen messages after the drop occurs. I should add that phase 1 never drops.

This would be ok but unfortunately I have to statically route the remote ranges over the tunnel and since the tunnel doesn't (and can't) have an IP address, my next hop is st0.2. When phase 2 drops, so does the static route and routing follows the next more specific route. So there's no way to bring the tunnel back up automatically at this time.

I would greatly appreciate any advice or assistance on the matter. I need the tunnel to stay up even when there's no traffic running over it. Please see my config below.

set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL authentication-method pre-shared-keys
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL dh-group group2
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL authentication-algorithm sha1
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL encryption-algorithm aes-256-cbc
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL lifetime-seconds 28800
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL protocol esp
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL authentication-algorithm hmac-sha1-96
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL encryption-algorithm aes-256-cbc
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL lifetime-seconds 3600
set groups GENERIC_GROUP security ipsec policy IPSEC_POLICY proposals IPSEC_PROPOSAL
set groups CUSTOMER_GROUP interfaces st0 unit 2 family inet
set groups CUSTOMER_GROUP security ike policy IKE_POLICY mode main
set groups CUSTOMER_GROUP security ike policy IKE_POLICY proposals IKE_PROPOSAL
set groups CUSTOMER_GROUP security ike policy IKE_POLICY pre-shared-key ascii-text omitted
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY ike-policy IKE_POLICY
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY address omitted
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY external-interface vlan.457
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY version v2-only
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN bind-interface st0.2
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN vpn-monitor optimized
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN vpn-monitor destination-ip 192.168.183.2
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN ike gateway IKE_GATEWAY
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POLICY
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN establish-tunnels immediately
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match source-address AZURE_ZONE-RANGE
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match destination-address CUSTOMER-PRIVATES
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match application any
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow then permit
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ike
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ssh
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services snmp
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services telnet
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ping
set groups CUSTOMER_GROUP security zones security-zone AZURE_ZONE address-book address AZURE_ZONE-RANGE 192.168.183.0/24
set groups CUSTOMER_GROUP security zones security-zone AZURE_ZONE interfaces st0.2 host-inbound-traffic system-services all
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE1 10.0.0.0/8
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE2 172.16.0.0/12
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE3 192.168.0.0/16
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE1
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE2
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE3
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST interfaces vlan.456 host-inbound-traffic system-services all
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 192.168.183.0/24 next-hop st0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 192.168.0.0/16 next-hop 172.31.0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 10.0.0.0/8 next-hop 172.31.0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 172.16.0.0/12 next-hop 172.31.0.2

This is what the kmd logs look like.

[Jul  9 13:56:40]Added (spi=0xffa48b1d, protocol=0) entry to the spi table
[Jul  9 13:56:40]Construction NHTB payload for local:1.1.1.1, remote:2.2.2.2 IKEv2 P1 SA index 1241218 sa-cfg IPSEC_VPN
[Jul  9 13:56:40]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg IPSEC_VPN
[Jul  9 13:56:40]ikev2_packet_allocate: Allocated packet db4000 from freelist
[Jul  9 13:56:40]Received authenticated notification payload No proposal chosen from local:1.1.1.1 remote:2.2.2.2 IKEv2 for P1 SA 1241218
[Jul  9 13:56:40]ikev2_decode_packet: [db4000/dfe400] Received packet: HDR, N(NO_PROPOSAL_CHOSEN)
[Jul  9 13:56:40]ikev2_state_child_initiator_in: [db4000/dfe400] Error: Mandatory payloads (SAr,Ni,TSi,TSr) missing
[Jul  9 13:56:40]ikev2_process_notify: [db4000/dfe400] Received error notify No proposal chosen (14)
[Jul  9 13:56:40]ikev2_state_error: [db4000/dfe400] Negotiation failed because of error No proposal chosen (14)
[Jul  9 13:56:40]IPSec negotiation failed for SA-CFG IPSEC_VPN for local:1.1.1.1, remote:2.2.2.2 IKEv2. status: No proposal chosen
[Jul  9 13:56:40]   P2 ed info: flags 0x82, P2 error: Error ok
[Jul  9 13:56:40]IPSec SA done callback with sa-cfg NULL in p2_ed. status: No proposal chosen
[Jul  9 13:56:42]ikev2_packet_allocate: Allocated packet db4400 from freelist
[Jul  9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Setting ed pkt ctx from VR id 4 to VR id 4)
[Jul  9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Received packet: HDR
[Jul  9 13:56:42]ikev2_packet_allocate: Allocated packet db4800 from freelist
[Jul  9 13:56:43]ikev2_packet_allocate: Allocated packet db4c00 from freelist

Like I said, it works perfectly well until there's no traffic and I have no idea what else to try.

Thanks in advance!
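Added example, not part of the question: Python that pulls the Child SA (phase 2) failures out of "show log kmd" output so the event can be alerted on or correlated with the st0.2 static route disappearing. The sample lines are copied from the log above (1.1.1.1 and 2.2.2.2 are the poster's placeholders); what it isolates is the sequence visible there, a NO_PROPOSAL_CHOSEN notify arriving in ikev2_state_child_initiator_in for an IKE SA (P1 SA 1241218) that stays up, which is the "phase 1 never drops, phase 2 does" state described. The alert threshold is an assumption.

```python
import re
from collections import Counter

# Sample lines copied from the kmd output in the post above; the thresholds below
# are assumptions for the example.
SAMPLE_KMD = """\
[Jul  9 13:56:40]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg IPSEC_VPN
[Jul  9 13:56:40]Received authenticated notification payload No proposal chosen from local:1.1.1.1 remote:2.2.2.2 IKEv2 for P1 SA 1241218
[Jul  9 13:56:40]ikev2_decode_packet: [db4000/dfe400] Received packet: HDR, N(NO_PROPOSAL_CHOSEN)
[Jul  9 13:56:40]ikev2_state_child_initiator_in: [db4000/dfe400] Error: Mandatory payloads (SAr,Ni,TSi,TSr) missing
[Jul  9 13:56:40]ikev2_state_error: [db4000/dfe400] Negotiation failed because of error No proposal chosen (14)
[Jul  9 13:56:40]IPSec negotiation failed for SA-CFG IPSEC_VPN for local:1.1.1.1, remote:2.2.2.2 IKEv2. status: No proposal chosen
[Jul  9 13:56:40]   P2 ed info: flags 0x82, P2 error: Error ok
[Jul  9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Received packet: HDR
"""

# Final verdict line for a Child SA negotiation.
FAILED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]IPSec negotiation failed for SA-CFG (?P<sa>\S+) for "
    r"local:(?P<local>[\d.]+), remote:(?P<remote>[\d.]+) (?P<ike>IKEv\d)\. status: (?P<status>.+)$"
)
# Authenticated notify from the peer, tied to the IKE (P1) SA it arrived on.
NOTIFY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]Received authenticated notification payload (?P<notify>.+?) from "
    r"local:(?P<local>[\d.]+) remote:(?P<remote>[\d.]+) (?P<ike>IKEv\d) for P1 SA (?P<p1sa>\d+)$"
)
# State-machine line that tells you which exchange the error landed in.
STATE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\](?P<state>ikev2_state_\w+): .*Error: (?P<error>.+)$")


def parse_kmd(text):
    """Turn kmd lines into structured events; lines we do not care about are skipped."""
    events = []
    for line in text.splitlines():
        for kind, rx in (("p2_failed", FAILED_RE), ("notify", NOTIFY_RE), ("state_error", STATE_RE)):
            m = rx.match(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events


def failures_by_peer(events):
    """Count phase 2 failures per (sa-cfg, remote gateway, status) for alerting."""
    counts = Counter()
    for e in events:
        if e["kind"] == "p2_failed":
            counts[(e["sa"], e["remote"], e["status"])] += 1
    return counts


def child_sa_rejected(events):
    """True when the peer answered a Child SA exchange with NO_PROPOSAL_CHOSEN while
    the IKE SA itself stayed up: a notify carrying a P1 SA id, a child-initiator
    state error, and a failed phase 2 verdict all present."""
    has_notify = any(e["kind"] == "notify" and e["notify"] == "No proposal chosen" for e in events)
    in_child = any(e["kind"] == "state_error" and "child" in e["state"] for e in events)
    failed = any(e["kind"] == "p2_failed" for e in events)
    return has_notify and in_child and failed


def should_alert(events, threshold=1):
    """Assumed policy: any peer with at least `threshold` phase 2 rejections."""
    return [peer for peer, n in failures_by_peer(events).items() if n >= threshold]


if __name__ == "__main__":
    evs = parse_kmd(SAMPLE_KMD)
    print("child SA rejected:", child_sa_rejected(evs))
    print("alert on:", should_alert(evs))
```

Run it against the live log with `show log kmd | no-more` piped into the script; the peer tuple it reports is what to match against the Azure-side IPsec policy settings when the rejection is investigated.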

How to manage the nfs client after a nfs service restart?

Posted: 05 Jul 2021 08:02 PM PDT

After a restart of the NFS service, how do I manage the clients?

All the clients I have do not have an NFS entry in /etc/fstab, so I will not be able to do mount -a to refresh the connections. Could using exportfs -v be enough to re-establish the connections?

Share Exchange Calendar with Company Wide Distribution List

Posted: 05 Jul 2021 10:03 PM PDT

I have just created a user/calendar in Exchange 2010 for "Team Lunches." All employees should have editing capabilities to this calendar in order to schedule lunches with their team and for everyone to see when each team is meeting for lunch during the month.

I want to add the distribution list for all company employees as the "-User" to be granted 'Owner' Access Rights.

How do I do this in Exchange Management Shell? (without having to run a command for each employee individually or logging into a thin client and manually adding each employee to the permission list in the team lunch calendar via Outlook?)

Due to new user restrictions, I can't post images.

My command line looks like:

Add-MailboxFolderPermission -Identity teamlunch@DOMAIN.com:\calendar -User AllEmployees@DOMAIN.com -AccessRights Owner  

Error looks like:

The user "AllEmployees@DOMAIN.com" is either not valid SMTP address, or there is no matching information.
    + CategoryInfo : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], InvalidExternalUserIDException
    + FullyQualifiedErrorId : BFAE0537,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission

Do I need to make adjustments in command line or with the distribution list in exchange management console? Any help would be much appreciated. Thanks!

Monitoring network output bandwidth of server for each IP address

Posted: 05 Jul 2021 09:05 PM PDT

I've got a network of static file serving servers. I use nginx to serve the files, and munin to monitor the network traffic. I want to know the output bandwidth of the server that goes to each IP address downloading a file to evaluate the bandwidth each Internet Service Provider in my country is downloading from my servers. The average output bandwidth of servers is about 700MB/s (9 servers, most of them have 4 1Gbits/s ports bonded). How can I do this?
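Added example, not from the question: Python that aggregates an nginx access log by client IP and by ISP prefix, and turns the totals into bytes per second over the log's time window. The log lines and the prefix-to-ISP table are constructed for the example; in practice the table would come from an ASN/prefix database, and if wire bytes rather than body bytes are wanted the nginx log_format should log $bytes_sent instead of the combined format's $body_bytes_sent that this parser reads.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed nginx "combined" access-log lines (not from the poster's servers).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jul/2021:21:00:00 +0000] "GET /files/a.iso HTTP/1.1" 200 1048576 "-" "curl/7.68.0"
203.0.113.11 - - [05/Jul/2021:21:00:05 +0000] "GET /files/b.iso HTTP/1.1" 206 524288 "-" "wget/1.20"
198.51.100.7 - - [05/Jul/2021:21:00:09 +0000] "GET /files/a.iso HTTP/1.1" 200 2097152 "-" "curl/7.68.0"
203.0.113.10 - - [05/Jul/2021:21:00:10 +0000] "GET /files/c.iso HTTP/1.1" 200 1048576 "-" "curl/7.68.0"
192.0.2.200 - - [05/Jul/2021:21:00:10 +0000] "GET /files/a.iso HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

# Assumed prefix-to-ISP table; a real deployment would load this from an ASN/prefix
# database for the country in question.
ISP_PREFIXES = {
    "203.0.113.0/24": "ISP-A",
    "198.51.100.0/24": "ISP-B",
}

# Combined log format: remote_addr - remote_user [time_local] "request" status body_bytes_sent ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_log(text):
    """Yield (client_ip, timestamp, status, bytes_sent) per parseable line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # skip lines in another format
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        sent = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
        rows.append((m.group("ip"), ts, int(m.group("status")), sent))
    return rows


def bytes_per_ip(rows):
    """Total bytes served to each client address."""
    totals = defaultdict(int)
    for ip, _, _, sent in rows:
        totals[ip] += sent
    return dict(totals)


def isp_for(ip, prefixes=ISP_PREFIXES):
    """Map an address to the first matching ISP prefix, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, name in prefixes.items():
        if addr in ipaddress.ip_network(net):
            return name
    return "unknown"


def bandwidth_per_isp(rows, prefixes=ISP_PREFIXES):
    """Average bytes per second served to each ISP over the log's time window.
    The window is clamped to at least one second so a single-line log divides cleanly."""
    if not rows:
        return {}
    first = min(r[1] for r in rows)
    last = max(r[1] for r in rows)
    window = max(1, int((last - first).total_seconds()))
    totals = defaultdict(int)
    for ip, _, _, sent in rows:
        totals[isp_for(ip, prefixes)] += sent
    return {isp: total / window for isp, total in totals.items()}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(bytes_per_ip(rows))
    for isp, bps in sorted(bandwidth_per_isp(rows).items()):
        print("%-8s %12.1f B/s" % (isp, bps))
```

This is a retrospective number from the access log; for a live per-IP rate on the servers themselves the same grouping can be applied to interface or conntrack byte counters, but the log-based figure is what answers the per-ISP question across nine machines without touching the kernel.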

Encryption on Solaris (using Keystore)

Posted: 05 Jul 2021 06:08 PM PDT

I am trying to draft up a secure way to encrypt (on the fly, invoking it from an app) and decrypt sensitive information (credit cards) using AES-256.

The target platform is:

cat /etc/release

Solaris 10 10/09 s10s_u8wos_08a SPARC

The optimal solution would be to be able to save the keys inside a Key Store, and use encrypt/decrypt (paired with UUENCODE so that the resulting encrypted string can be saved inside a normal DB field).

We have successfully tested the whole chain using just AES-128 (out-of-the-box with a basic Solaris install) and we understand we need to upgrade the target env. with the correct Solaris package to get to AES-256 [SUNWcry package - the unbundled Solaris Data Encryption Kit].

What escapes me is how to make "encrypt" access a key from the keystore. Oracle documentation mentions "-K" as a command line parameter (note this is an uppercase K) to do this (see here, for example), but the "-K" switch seems not to be available on our test machine.

Is this possible? Is this linked to the specific Solaris version? If not, can we obtain this by installing something else? (We haven't yet installed the crypto package to get to AES-256 so no idea if this will come "for free" with that).

sendmail: website and email on same domain/server

Posted: 05 Jul 2021 03:07 PM PDT

I am using sendmail for my website, my email address is also using the same server name. So, www.zedsaid.com and nic@zedsaid.com. Sendmail seems to not want to actually deliver the mail to my inbox, but rather wants to deliver it locally on the server, which I don't want.

Here is what I get when I try to send a test:

zedsaid:/etc# echo "Subject: test" | /usr/lib/sendmail -v nic@zedsaid.com
nic@zedsaid.com... Connecting to [127.0.0.1] via relay...
220 zedsaid.com ESMTP Sendmail 8.14.3/8.14.3/Debian-5+lenny1; Thu, 12 May 2011 15:34:11 -0700; (No UCE/UBE) logging access from: zedsaid.com(OK)-zedsaid.com [127.0.0.1]
>>> EHLO zedsaid.com
250-zedsaid.com Hello zedsaid.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> VERB
250 2.0.0 Verbose mode
>>> MAIL From:<root@zedsaid.com> SIZE=14
250 2.1.0 <root@zedsaid.com>... Sender ok
>>> RCPT To:<nic@zedsaid.com>
>>> DATA
550 5.1.1 <nic@zedsaid.com>... User unknown
503 5.0.0 Need RCPT (recipient)
>>> RSET
250 2.0.0 Reset state
>>> RSET
250 2.0.0 Reset state
root... Using cached ESMTP connection to [127.0.0.1] via relay...
>>> MAIL From:<> SIZE=1038
250 2.1.0 <>... Sender ok
>>> RCPT To:<root@zedsaid.com>
>>> DATA
050 <root@zedsaid.com>... aliased to nnhubbard
250 2.1.5 <root@zedsaid.com>... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
050 nnhubbard... Connecting to local...
050 nnhubbard... Sent
250 2.0.0 p4CMYBLv009705 Message accepted for delivery
root... Sent (p4CMYBLv009705 Message accepted for delivery)
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 zedsaid.com closing connection

sendmail.mc:

```
divert(-1)dnl
#-----------------------------------------------------------------------------
# $Sendmail: debproto.mc,v 8.14.3 2010-01-29 14:02:50 cowboy Exp $
#
# Copyright (c) 1998-2008 Richard Nelson.  All Rights Reserved.
#
# cf/debian/sendmail.mc.  Generated from sendmail.mc.in by configure.
#
# sendmail.mc prototype config file for building Sendmail 8.14.3
#
# Note: the .in file supports 8.7.6 - 9.0.0, but the generated
#   file is customized to the version noted above.
#
# This file is used to configure Sendmail for use with Debian systems.
#
# If you modify this file, you will have to regenerate /etc/mail/sendmail.cf
# by running this file through the m4 preprocessor via one of the following:
#   * make   (or make -C /etc/mail)
#   * sendmailconfig
#   * m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# The first two options are preferred as they will also update other files
# that depend upon the contents of this file.
#
# The best documentation for this .mc file is:
# /usr/share/doc/sendmail-doc/cf.README.gz
#
#-----------------------------------------------------------------------------
divert(0)dnl
#
#   Copyright (c) 1998-2005 Richard Nelson.  All Rights Reserved.
#
#  This file is used to configure Sendmail for use with Debian systems.
#
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.14.3-5+lenny1 2010-01-29 14:02:50 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
undefine(`confHOST_STATUS_DIRECTORY')dnl        #DAEMON_HOSTSTATS=
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
dnl #
dnl # General defines
dnl #
dnl # SAFE_FILE_ENV: [undefined] If set, sendmail will do a chroot()
dnl #   into this directory before writing files.
dnl #   If *all* your user accounts are under /home then use that
dnl #   instead - it will prevent any writes outside of /home !
dnl #   define(`confSAFE_FILE_ENV',             `')dnl
dnl #
dnl # Daemon options - restrict to servicing LOCALHOST ONLY !!!
dnl # Remove `, Addr=' clauses to receive from any interface
dnl # If you want to support IPv6, switch the commented/uncommentd lines
dnl #
FEATURE(`no_default_msa')dnl
dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl
dnl DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, M=Ea, Addr=::1')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, M=Ea, Addr=127.0.0.1')dnl
dnl #
dnl # Be somewhat anal in what we allow
define(`confPRIVACY_FLAGS',dnl
`needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
dnl #
dnl # Define connection throttling and window length
define(`confCONNECTION_RATE_THROTTLE', `15')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
dnl #
dnl # Features
dnl #
dnl # use /etc/mail/local-host-names
FEATURE(`use_cw_file')dnl
dnl #
dnl # The access db is the basis for most of sendmail's checking
FEATURE(`access_db', , `skip')dnl
dnl #
dnl # The greet_pause feature stops some automail bots - but check the
dnl # provided access db for details on excluding localhosts...
FEATURE(`greet_pause', `1000')dnl 1 seconds
dnl #
dnl # Delay_checks allows sender<->recipient checking
FEATURE(`delay_checks', `friend', `n')dnl
dnl #
dnl # If we get too many bad recipients, slow things down...
define(`confBAD_RCPT_THROTTLE',`3')dnl
dnl #
dnl # Stop connections that overflow our concurrent and time connection rates
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
dnl #
dnl # If you're on a dialup link, you should enable this - so sendmail
dnl # will not bring up the link (it will queue mail for later)
dnl define(`confCON_EXPENSIVE',`True')dnl
dnl #
dnl # Dialup/LAN connection overrides
dnl #
include(`/etc/mail/m4/dialup.m4')dnl
include(`/etc/mail/m4/provider.m4')dnl
dnl #
dnl # Default Mailer setup
MAILER_DEFINITIONS
MAILER(`local')dnl
MAILER(`smtp')dnl

dnl # Masquerading options
FEATURE(`always_add_domain')dnl
MASQUERADE_AS(`zedsaid.com')dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
```

Does this mean that it is sitting in the user nic's mail folder on the server? I want this email to be sent over smtp and go to my actual inbox.

Help?
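The verbose session in this post records two separate envelopes: the original message, whose recipient the local MTA rejects with `550 5.1.1 User unknown`, and a second one with a null sender (`MAIL From:<>`), which is the bounce sendmail then delivers to root's alias. As an added example that is not part of the original post, this small Python triage script parses such a `sendmail -v` transcript so the rejected recipient, the alias rewrite and the mailbox that actually received mail can be read off programmatically; the embedded transcript is an abridged, constructed copy of the one above.

```python
import re

# Constructed sample: an abridged copy of the sendmail -v session in the post above.
TRANSCRIPT = """\
>>> MAIL From:<root@zedsaid.com> SIZE=14
250 2.1.0 <root@zedsaid.com>... Sender ok
>>> RCPT To:<nic@zedsaid.com>
>>> DATA
550 5.1.1 <nic@zedsaid.com>... User unknown
503 5.0.0 Need RCPT (recipient)
>>> MAIL From:<> SIZE=1038
250 2.1.0 <>... Sender ok
>>> RCPT To:<root@zedsaid.com>
>>> DATA
050 <root@zedsaid.com>... aliased to nnhubbard
250 2.1.5 <root@zedsaid.com>... Recipient ok
050 nnhubbard... Connecting to local...
050 nnhubbard... Sent
250 2.0.0 p4CMYBLv009705 Message accepted for delivery
"""

# "<reply code> <enhanced status> <address>... <text>" as sendmail prints per address
RCPT_LINE = re.compile(r"^(\d{3}) (\d\.\d+\.\d+) <([^>]*)>\.\.\. (.*)$")
# Verbose-mode (050) notices for alias expansion and completed local delivery
ALIAS = re.compile(r"^050 <([^>]*)>\.\.\. aliased to (\S+)$")
SENT = re.compile(r"^050 (\S+)\.\.\. Sent$")


def triage(transcript: str) -> dict:
    """Summarise a sendmail -v session: rejected recipients with their enhanced
    status code, accepted recipients, alias rewrites, and local mailboxes written."""
    rejected, accepted, aliases, local_sent = {}, [], {}, []
    bounce = False  # a null reverse path means the MTA is sending a bounce, not the original mail
    for line in transcript.splitlines():
        if line.startswith(">>> MAIL From:<>"):
            bounce = True
        if m := RCPT_LINE.match(line):
            code, esc, addr, _ = m.groups()
            if code.startswith("5"):          # permanent failure for this address
                rejected[addr] = f"{code} {esc}"
            elif esc == "2.1.5":              # 2.1.5 = destination address valid
                accepted.append(addr)
        elif m := ALIAS.match(line):
            aliases[m.group(1)] = m.group(2)
        elif m := SENT.match(line):
            local_sent.append(m.group(1))
    return {"rejected": rejected, "accepted": accepted, "aliases": aliases,
            "local_sent": local_sent, "bounce_generated": bounce}
```

Run on the transcript above, it reports nic@zedsaid.com as rejected with 550 5.1.1 and nnhubbard (root's alias) as the only mailbox that received anything, i.e. the bounce rather than the test message.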
