2014-10-28

Preferred SSLCipherSuite for mod_ssl

SSLCipherSuite DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:HIGH:!3DES:!ECDH:!SRP:!aNULL:!CAMELLIA:!PSK:!EXPORT:!eNULL

Provides:
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1

This is a modification of the cipher-suite list from http://www.matthewgkeller.com/blog/2014/01/09/ecdhe-vs-dhe-in-the-new-world-order/comment-page-1/

Primarily we are looking to remove elliptic curve ciphers in favor of discrete-log methods (Schneier, 2013), given the uncertainty about NSA compromise of ECC. We also prioritize the remaining available ciphers by preferring GCM mode over CBC mode.

  1. AES128 has a better key schedule than AES256 (Schneier, 2013).
  2. We keep the "SSLv3" ciphers because OpenSSL labels TLSv1.0 cipher suites as SSLv3 in its cipher listing.
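The listing above is what `openssl ciphers -v` prints for the suite string. Reviewing such a listing by eye is error-prone, so here is an added example (my code, not from the page or from OpenSSL) that parses lines in that format and reports anything that breaks the preferences stated above: no elliptic-curve key exchange, no 3DES, no anonymous or NULL suites, only the SSLv3-labelled (TLS 1.0 era) or TLSv1.2 suites, and AEAD (GCM) suites ordered ahead of CBC suites within the same key-exchange/authentication family. Reading "GCM before CBC" per family rather than globally is my interpretation of the list's order (DHE CBC suites are placed ahead of plain-RSA GCM suites). The sample input is constructed from the first suites on the page plus two suites the string is meant to exclude.

```python
import re

# Constructed sample in the format of `openssl ciphers -v` output: the first
# suites of the page's list, then (separately) two suites the string excludes,
# so that the checker has something to flag.
SAMPLE_LISTING = """\
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""
EXCLUDED_LISTING = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

# One `openssl ciphers -v` line: name, protocol label, then Kx=, Au=, Enc=, Mac= fields.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers(text):
    """Parse `openssl ciphers -v` lines into dicts with name/proto/kx/au/enc/mac."""
    suites = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised cipher line: %r" % line)
        suites.append(m.groupdict())
    return suites


def policy_violations(suites):
    """Return one message per suite that breaks the policy stated on the page."""
    problems = []
    cbc_seen = set()  # (kx, au) families for which a CBC suite already appeared
    for s in suites:
        family = (s["kx"], s["au"])
        if s["kx"].startswith("ECDH"):
            problems.append("%s: elliptic-curve key exchange" % s["name"])
        if s["enc"].startswith("3DES"):
            problems.append("%s: 3DES" % s["name"])
        if s["au"] == "None" or s["enc"] == "None":
            problems.append("%s: anonymous or NULL suite" % s["name"])
        # "SSLv3" is OpenSSL's label for TLS 1.0 era suites, so it is accepted here.
        if s["proto"] not in ("SSLv3", "TLSv1.2"):
            problems.append("%s: unexpected protocol label %s" % (s["name"], s["proto"]))
        if s["mac"] == "AEAD":
            if family in cbc_seen:
                problems.append("%s: AEAD suite ordered after a CBC suite for Kx=%s/Au=%s"
                                % (s["name"], s["kx"], s["au"]))
        else:
            cbc_seen.add(family)
    return problems


def check_listing(text):
    """Parse a listing and return its policy violations (empty list if clean)."""
    return policy_violations(parse_ciphers(text))


if __name__ == "__main__":
    for msg in check_listing(SAMPLE_LISTING + EXCLUDED_LISTING):
        print(msg)
```

To check a live configuration, feed `openssl ciphers -v '<the SSLCipherSuite string>'` output to `check_listing`; an empty result means the expansion matches the stated preferences, and each message names the suite and the rule it breaks.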

2014-10-27

SAP Internal Order Settlement Receiver Field

The value of this field is determined by a business-logic ruleset (which is why SAP GUI reports it as a structured field when you inspect it from the Internal Order display, Settlement rule tab). Here is (part of) the ruleset for determining the Settlement Receiver value (pseudo-SQL, NOT ABAP):
CASE 
   WHEN COBRB.KONTY = 'CTR'
      THEN COBRB.KOSTL
   WHEN COBRB.KONTY = 'FXA'
      THEN COBRB.ANLN1
END
(FXA is fixed asset settlement).

h/t (http://scn.sap.com/thread/3416443)

2014-10-22

Turn off the login menu in web2py

Use case: when you do not need to manage users or access control in a web2py application, you can remove the login menu from the right side of the menubar. To do so, do not instantiate Auth(db) in your model, and remove all dependencies on the Auth object.

web2py admin behind Apache proxy

So I have a web2py configuration where Apache httpd (terminating SSL) proxies URLs of the form https://server/web2py/ to http://localhost:8081/web2py (web2py's Rocket server):
RewriteEngine on

RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} !=localhost
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# redirect the bare prefix to the trailing-slash form that ProxyPass matches
RewriteRule ^/web2py$ /web2py/ [R,L]

ProxyRequests off
ProxyPass /web2py/ http://localhost:8081/web2py/

<Location /web2py/>
    ProxyPassReverse http://localhost:8081/web2py/
</Location>
This includes a modified global routes.py:
default_application = 'init'    # ordinarily set in base routes.py
default_controller = 'default'  # ordinarily set in app-specific routes.py
default_function = 'index'      # ordinarily set in app-specific routes.py

BASE = '/web2py'

routes_in = (
    # do not reroute admin unless you want to disable it
    (BASE + '/admin', '/admin/default/index'),
    (BASE + '/admin/$anything', '/admin/$anything'),
    # do not reroute appadmin unless you want to disable it
    (BASE + '/$app/appadmin', '/$app/appadmin/index'),
    (BASE + '/$app/appadmin/$anything', '/$app/appadmin/$anything'),
    # do not reroute static files
    (BASE + '/$app/static/$anything', '/$app/static/$anything'),
    # reroute favicon and robots, use example for lack of better choice
    ('/favicon.ico', '/examples/static/favicon.ico'),
    ('/robots.txt', '/examples/static/robots.txt'),
    # do other stuff
    ((r'.*http://otherdomain\.com.* (?P<any>.*)', r'/app/ctr\g<any>')),
    # remove the BASE prefix
    (BASE + '/$anything', '/$anything'),
)

routes_out = [(x, y) for (y, x) in routes_in]

logging = 'debug'

#fix ticket routing
error_message = '<html><body><h1>%s</h1></body></html>'
error_message_ticket = '<html><body><h1>Internal error</h1>Ticket issued: <a href="' + BASE + '/admin/default/ticket/%(ticket)s" target="_blank">%(ticket)s</a></body></html>'

def __routes_doctest():
    pass

if __name__ == '__main__':
    import doctest
    doctest.testmod()
But if you go to https://hostname/web2py/admin, web2py returns "Admin is disabled because insecure channel". However, the channel IS secure, since SSL is terminated at Apache. The offending lines of code are in applications/admin/models/access.py:
if request.is_https:
    session.secure()
elif not request.is_local and not DEMO_MODE:
    raise HTTP(200, T('Admin is disabled because insecure channel'))
According to https://groups.google.com/forum/#!searchin/web2py-developers/request.is_local/web2py-developers/kkBvSzX4wO8/Rjom8huf4yMJ , request.is_local is False behind the Apache proxy, so a request to https://server/web2py/admin fails both the request.is_https test (the proxy forwards over plain http://) and the request.is_local test. Commenting out this block makes the login dialog fail instead, for the same reasons. Thus the correct modification is to set request.is_local = True.
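The root cause is that the application only ever sees a plain-http connection from the proxy, so the is_https test can never pass. As an added example (my code, not web2py's and not the page's fix, which sets request.is_local), here is the general remedy for an application behind a TLS-terminating proxy: a WSGI middleware that upgrades wsgi.url_scheme from an X-Forwarded-Proto header only when the request comes from a trusted proxy address, and strips the header otherwise so an untrusted client cannot claim HTTPS. It assumes the proxy sets the header (mod_headers' RequestHeader set X-Forwarded-Proto "https" in the SSL vhost) and that the application derives its HTTPS status from wsgi.url_scheme, which is the WSGI convention but is not confirmed for web2py by this page; the request environment in scheme_seen_by_app is constructed for the demonstration.

```python
# Assumption: the Apache proxy runs on the same host as the backend.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}


class ForwardedProtoMiddleware:
    """Mark a request as HTTPS only when a trusted proxy says it terminated TLS."""

    def __init__(self, app, trusted_proxies=TRUSTED_PROXIES):
        self.app = app
        self.trusted = set(trusted_proxies)

    def __call__(self, environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        if environ.get("REMOTE_ADDR") in self.trusted and proto == "https":
            environ["wsgi.url_scheme"] = "https"
            environ["HTTPS"] = "on"
        elif "HTTP_X_FORWARDED_PROTO" in environ:
            # Header from an untrusted peer: drop it so the app cannot be misled.
            del environ["HTTP_X_FORWARDED_PROTO"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Minimal WSGI app that answers with the scheme it believes it is served over."""
    body = environ["wsgi.url_scheme"].encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def scheme_seen_by_app(remote_addr, headers):
    """Push one constructed request through the middleware; return the scheme the app saw."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/web2py/admin",
        "wsgi.url_scheme": "http",      # what the backend sees from the proxy
        "REMOTE_ADDR": remote_addr,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "8081",
    }
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    statuses = []

    def start_response(status, response_headers, exc_info=None):
        statuses.append(status)

    chunks = ForwardedProtoMiddleware(demo_app)(environ, start_response)
    return b"".join(chunks).decode()


if __name__ == "__main__":
    print("from proxy, header set :", scheme_seen_by_app("127.0.0.1", {"X-Forwarded-Proto": "https"}))
    print("from proxy, no header  :", scheme_seen_by_app("127.0.0.1", {}))
    print("from stranger, header  :", scheme_seen_by_app("203.0.113.5", {"X-Forwarded-Proto": "https"}))
```

The trust anchor is REMOTE_ADDR: with Rocket bound to localhost:8081, any process on the box is as trusted as the proxy, which is the same boundary the page's request.is_local = True accepts. If the proxy lives on another host, bind the backend to the interface that host reaches and list that host's address in TRUSTED_PROXIES instead of the loopback addresses.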

2014-10-13

ETL for Reading ACL Analytics Exchange Server Job Logs (with AX Exception integration)

So you want a machine-readable way of reading the job logs from ACL Analytics Exchange Server 3 or 4? Here's a SQL query that lets you find out which analytic was started when, and whether any results were pushed to AX Exception. (Connect to the PostgreSQL database holding the AX backend; in AX 3 it was called AclAuditExchangeDB by default.)
select t1.starttime, t2.name as analytic_name,
       t4.name as analytic_project, t6.name as activity,
       t7.name as engagement, t3.resulttable, t3.destinationentity,
       t3.destinationanalytic
from scriptjobs t1
-- walk up the audititems tree: t2 = analytic, t4 = analytic project,
-- t5 = intermediate node, t6 = activity, t7 = engagement
left outer join audititems t2       on t1.analyticid = t2.id
-- publish records only exist for jobs that pushed results to AX Exception
left outer join scriptjobpublish t3 on t1.jobnumber = t3.jobnumber
left outer join audititems t4       on t2.parentid = t4.id
left outer join audititems t5       on t4.parentid = t5.id
left outer join audititems t6       on t5.parentid = t6.id
left outer join audititems t7       on t6.parentid = t7.id
where t1.starttime > '2014-10-01'
order by engagement, activity, t1.starttime
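To try the extract step offline, here is an added example (my code, not ACL's or the page's) that runs the page's query against an in-memory SQLite database built from a constructed toy schema containing only the columns the query touches. The real AclAuditExchangeDB schema, and the meaning of the intermediate audititems level (t5), are assumptions; the sample rows are constructed. The cutoff date is passed as a bound parameter instead of being pasted into the SQL, and the left outer joins keep jobs that never published to AX Exception.

```python
import sqlite3

# Constructed toy schema: only the columns the page's query references.
SCHEMA = """
CREATE TABLE audititems (id INTEGER PRIMARY KEY, name TEXT, parentid INTEGER);
CREATE TABLE scriptjobs (jobnumber INTEGER PRIMARY KEY, analyticid INTEGER, starttime TEXT);
CREATE TABLE scriptjobpublish (jobnumber INTEGER, resulttable TEXT,
                               destinationentity TEXT, destinationanalytic TEXT);
"""

# Constructed hierarchy: engagement -> activity -> folder -> project -> analytic.
SAMPLE_ROWS = {
    "audititems": [
        (1, "FY14 Audit", None),            # engagement (t7)
        (2, "Payables Review", 1),          # activity (t6)
        (3, "Scripts", 2),                  # intermediate node (t5)
        (4, "AP Duplicates", 3),            # analytic project (t4)
        (5, "find_duplicate_invoices", 4),  # analytic (t2)
        (6, "vendor_master_check", 4),      # analytic that never published
    ],
    "scriptjobs": [
        (100, 5, "2014-10-05 08:00:00"),
        (101, 6, "2014-10-06 09:30:00"),
        (102, 5, "2014-09-20 08:00:00"),    # before the cutoff: must not appear
    ],
    "scriptjobpublish": [
        (100, "dup_invoices_out", "AP Exceptions", "find_duplicate_invoices"),
    ],
}

# The page's query with the cutoff date as a bound parameter (sqlite3 uses '?';
# psycopg2 against the real PostgreSQL backend uses '%s').
JOB_LOG_SQL = """
select t1.starttime, t2.name as analytic_name,
       t4.name as analytic_project, t6.name as activity,
       t7.name as engagement, t3.resulttable, t3.destinationentity,
       t3.destinationanalytic
from scriptjobs t1
left outer join audititems t2       on t1.analyticid = t2.id
left outer join scriptjobpublish t3 on t1.jobnumber = t3.jobnumber
left outer join audititems t4       on t2.parentid = t4.id
left outer join audititems t5       on t4.parentid = t5.id
left outer join audititems t6       on t5.parentid = t6.id
left outer join audititems t7       on t6.parentid = t7.id
where t1.starttime > ?
order by engagement, activity, t1.starttime
"""


def build_sample_db():
    """Create the toy schema in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("insert into audititems values (?,?,?)", SAMPLE_ROWS["audititems"])
    conn.executemany("insert into scriptjobs values (?,?,?)", SAMPLE_ROWS["scriptjobs"])
    conn.executemany("insert into scriptjobpublish values (?,?,?,?)",
                     SAMPLE_ROWS["scriptjobpublish"])
    return conn


def job_log(conn, since="2014-10-01"):
    """Run the query and return each row as a dict keyed by output column name."""
    cur = conn.execute(JOB_LOG_SQL, (since,))
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


if __name__ == "__main__":
    for row in job_log(build_sample_db()):
        print(row)
```

Against the real backend, swap the sqlite3 connection for a psycopg2 one opened with a read-only database role; the query itself needs no change beyond the placeholder style.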