Wednesday, May 28, 2008

SVN Error: Unknown command 'lock'

For the above error, update the SVN client to Subversion 1.2 or later; the lock command did not exist before 1.2.

Wednesday, May 14, 2008

Apache Installation with SSL: no OpenSSL headers found

If you get the above error, Apache's configure script could not find the OpenSSL C header files it needs to build mod_ssl. First make sure OpenSSL (including its development headers) is installed on your machine; if not, install it. If your OpenSSL installation is not in a standard location, point Apache at it with the --with-ssl=/path/to/your/openssl option when configuring.

My OpenSSL was in /usr/local/ssl, which seemed like a standard location, but Apache did not recognize it, I guess because it expects it in /usr/local/openssl. Anyway, the following worked for me:
./configure --enable-ssl --with-ssl=/usr/local/ssl/

OpenSSL installation issue on Solaris

I was installing openssl-0.9.7 on Solaris when I got the following error:
cc1: error: invalid option `arch=ultrasparc'

This was very strange; I googled but could not find the answer. Then I checked the operating system details:
uname -m --> sun4u
uname -r --> 5.9
uname -s --> SunOS
uname -v --> Generic_118558-28
gcc -v --> 3.4.6
I was using the default ./config for installation, which was selecting solaris-sparcv9-gcc as the OS/compiler target. That target assumes that, since I am using a gcc newer than 3.0, the compiler will recognize the -march=ultrasparc option. But since my compiler didn't understand it, I used the following command:
bash# ./Configure solaris-sparcv9-gcc27
This forces the config not to use the -march... option. The above error disappeared, but it was replaced by another one: 'ar: command not found'.
This time the solution was easy: I just added /usr/ccs/bin (where Solaris keeps ar) to the PATH and it worked.


Monday, May 05, 2008

HTTP Redirect : Do it the right way !

There are two ways to redirect a user to a different page:
A) Server redirect: the server tells the client in the HTTP response headers that the page has moved, by sending one of the following status codes together with a Location header:

  • 301 Moved Permanently
  • 302 Found (called "Moved Temporarily" in HTTP/1.0; browsers generally follow it with a GET even if the original request was a POST)
  • 307 Temporary Redirect (like 302, but the client must repeat the request to the new location with the same method)
Here the client does not need to read the body of the response before redirecting. When a client asks the server for a document that the server is configured to redirect, the server itself replies that the client should look at the new address instead. Examples:
JSP/Servlet: response.sendRedirect("PATH_TO_NEW_RESOURCE");
Perl:
print "Status: 301 Moved Permanently\n";
print "Location: PATH_TO_NEW_RESOURCE\n\n";
Apache mod_rewrite (directive names are case-sensitive; anchor the pattern so it matches only the old path):
RewriteEngine on
RewriteRule ^OLD_PATH$ PATH_TO_NEW_RESOURCE [R=permanent,L]

B) Client redirect: this is done in the HTTP response body rather than in the response headers, either with an HTML meta refresh tag:
<META HTTP-EQUIV="REFRESH" CONTENT="1; URL=PATH_TO_NEW_RESOURCE">
Or using JavaScript:
<script type="text/javascript"> window.location.href='PATH_TO_NEW_RESOURCE'; </script>

Here the client has to download the full body of the response, find the refresh instruction or JavaScript block, and only then proceed to the new address.

Clearly you should use method A (server redirection). The disadvantages of method B are:
1) It causes the browser to flicker and refresh as the old page loads.
2) The meta tag can break the Back button. You will have seen this on many pages: you click Back and it keeps returning you to the same page. Breaking the Back button is a sin from a UI design perspective; it is the second most used browser feature and you don't want to break it. Users get annoyed, close the window, and may not visit your site again.
3) The HTTP status code of the old page remains 200, so most search engines will continue to think the old location is valid, and none of its page rank transfers to the new location.

Moreover, in method A the server also tells the client what kind of redirect it is, so the client can behave differently for 301, 302 and 307 (for example cache the new location for a 301, or keep the original request method for a 307). Whichever method you use, never build the redirect target from unvalidated request data such as a next= parameter or the Referer: an attacker can then use your site as an open redirect to send victims to a page of their choosing.
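As an added example, not code from the original post: a small WSGI application that implements method A in code, with a fixed 301 for a moved page and a 302 for a user-supplied next= parameter that is first run through an open-redirect check. The paths, the redirect table and the host name are assumptions made for illustration; the request environment is constructed in-process so the example runs without a web server.

```python
"""Server-side redirects (method A) as a small WSGI app, with an open-redirect check.

Added example; the paths, the MOVED table and the hostnames are assumptions.
"""
from urllib.parse import parse_qs, urljoin, urlsplit
from wsgiref.util import request_uri, setup_testing_defaults

# Constructed table of moved resources: old path -> new path (permanent, 301).
MOVED = {"/old-page": "/new-page"}


def is_safe_target(target, site_host):
    """Allow only same-site targets: a local absolute path, or an http(s) URL on site_host.

    Rejects protocol-relative //evil.example, backslash tricks (/\\evil.example, which
    browsers normalise to //evil.example) and non-http schemes such as javascript:.
    """
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        return target.startswith("/")
    return parts.scheme in ("http", "https") and parts.netloc.lower() == site_host.lower()


def redirect(start_response, status, environ, target):
    """Emit the status line plus a Location header; the client needs no body to follow it."""
    # RFC 2616 wants an absolute URI in Location, so resolve relative targets against the request.
    location = urljoin(request_uri(environ, include_query=False), target)
    start_response(status, [("Location", location), ("Content-Type", "text/plain")])
    return [status.encode("ascii")]


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    host = environ.get("HTTP_HOST", environ.get("SERVER_NAME", ""))

    if path in MOVED:
        # Permanent move: search engines carry the old URL's standing over to the new one.
        return redirect(start_response, "301 Moved Permanently", environ, MOVED[path])

    if path == "/after-login":
        # User-supplied target: the classic open-redirect hole if accepted unchecked.
        wanted = parse_qs(environ.get("QUERY_STRING", "")).get("next", ["/"])[0]
        target = wanted if is_safe_target(wanted, host) else "/"
        return redirect(start_response, "302 Found", environ, target)

    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def call(path, query=""):
    """Drive the app without a network socket; returns (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)  # HTTP_HOST=127.0.0.1, scheme http, port 80
    environ["PATH_INFO"] = path
    environ["QUERY_STRING"] = query
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for p, q in [("/old-page", ""), ("/after-login", "next=/account"),
                 ("/after-login", "next=//evil.example/phish")]:
        status, headers, _ = call(p, q)
        print(f"{p}?{q} -> {status}  Location: {headers.get('Location')}")
```

The check deliberately accepts only a leading-slash local path or an absolute URL whose host equals the request's own Host header; everything else, including //evil.example and javascript: targets, falls back to "/".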

Friday, May 02, 2008

Android Vs. OpenMoko

While Microsoft continues to annoy users by pushing the new Vista OS for PCs, which sucks big time, other players clearly see the future in mobile phones. While the Apple iPhone is clearly the winner at the moment, Google has launched Android and got a lot of media attention, even though the first working phone is not available yet. Trolltech's Qtopia Greenphone and Openmoko could not get that kind of media attention, but they are worth mentioning.
The future of the Greenphone doesn't look so green to me, but Openmoko will go a long way. They have recently open sourced the CAD files for the Neo handset, so with Openmoko you can pretty much create your own cell phone. While this sounds good for geeks, it might not be so attractive for end users. A normal consumer wants a well finished product, and some branding too. Here Android has an unfair advantage over Openmoko.
With a $10 million prize tag, Android is bound to get a lot of innovation from the developer community. So innovation, the Google brand and the backing of the Open Handset Alliance may well put the Android platform way ahead of the competition. But it will be interesting to see how Apple reacts to the Android challenge. I don't have much expectation from Windows Mobile and Symbian.

Thursday, May 01, 2008

SVN branches and tags

I always prefer SVN over CVS, because SVN really is an improvement over CVS. For a detailed comparison you can read this and this. Many CVS old-timers don't like the concept of tagging and branching in SVN. There are no real tags and branches in SVN; you just have the ability to copy folders along with their change history. Tags and branches are then only a convention for how you want to use those copies. The normal convention is to put branches under a branches directory and tags under a tags directory, which makes the layout look like this:


my-module/
  tags/
  branches/
  trunk/
To restrict check-ins to tags, I would prefer a normal code of conduct between developers, but if you still want to enforce the policy in SVN, add the following to the authz file:
[/tags]
* = r
Make sure you edit svnserve.conf and set authz-db = authz. Note that this makes /tags read-only for everyone, including whoever cuts the tags; grant that person or group rw in the same [/tags] section, since the most specific path rule wins and a named user or group entry overrides the * entry.

JSON formatter

Here is a JSON formatter along the lines of the JavaScript formatter. These prove useful for understanding badly formatted but otherwise useful code.

Configuting SSL with Jetty

This Jetty doc page describes how to configure SSL for Jetty. But that is not enough: you will also want to disallow weaker ciphers in Jetty, and this article explains how to do it. Remember that the names ExcludeCipherSuites expects are the Java (JSSE) cipher suite names, such as SSL_RSA_WITH_RC4_128_MD5, and not the OpenSSL names (RC4-MD5 for that same suite).

SSL Testing

Here is a very good OWASP wiki page on testing SSL. I would like to add my 2 cents to it:
- You will need nmap for the port scan. On Windows you need the WinPcap packet capture library installed before nmap, and on Windows Vista nmap has to run with elevated privileges: open an elevated command prompt by right-clicking the Command Prompt shortcut and choosing "Run as administrator".
- Download Nessus and enable its SSL plugins; you need the plugins with IDs 21643 and 10863.

SSL setup using Apache

Download the stable version of Apache 2.2 from the Apache download site and install it with SSL support:

  • gzip -dc httpd-.tar.gz | tar xvf -
  • cd httpd-
  • ./configure --prefix=$APACHE_HOME --enable-ssl --enable-setenvif
  • make
  • make install
Use keytool or openssl to generate a private key and certificate (you can also obtain a certificate from a CA). Create a directory named ssl in $APACHE_HOME/conf and copy the certificate (server.crt) and private key (server.key) files into it.
Secure the private key by restricting its permissions (the certificate is public and can stay readable):
> cd $APACHE_HOME/conf/ssl

> chmod 400 server.key


Minimal configuration for SSL in httpd.conf:
# Enable SSL
SSLEngine On
# Path to the server certificate (a relative path is resolved against ServerRoot)
SSLCertificateFile conf/ssl/server.crt
# Path to the server private key
SSLCertificateKeyFile conf/ssl/server.key
# Change the server binding to listen on 443
Listen myserver.mydomain.com:443

Securing SSL setup : httpd.conf changes
# SSL-V2 is flawed, disallow its use
SSLProtocol All -SSLv2
# Disallow the situation where, although the server supports high-grade encryption, the client negotiates a low-grade (e.g., 40-bit) cipher suite that offers little protection:
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
# Enforce a strict SSL access policy: SSLRequireSSL/SSLRequire deny even where Satisfy Any would otherwise let the request through
SSLOptions +StrictRequire
# Allow access only through SSL: send plain-HTTP visitors to the HTTPS site
<VirtualHost *:80>
RedirectPermanent / https://my.mchek.com/
</VirtualHost>

Additional configuration:
SSLMutex file:logs/ssl_mutex
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLSessionCache shm:logs/ssl_cache_shm
SSLSessionCacheTimeout 600
SSLVerifyClient none
SSLProxyEngine off
<Directory />
SSLRequireSSL
</Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
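As an added example, not from the original post: a small Python checker that reads an httpd.conf fragment and flags the weak mod_ssl settings this section is about. It applies the left-to-right semantics of SSLProtocol ('all', '+X', bare 'X' enable, '-X' disables) and a static look at the OpenSSL cipher string ('+X' only reorders, '-X' and '!X' remove). The two sample configs inside are constructed: the post's own directives, plus Apache 2.2's documented default protocol and cipher settings written out explicitly so the weak choices are visible.

```python
"""Static audit of mod_ssl directives in an httpd.conf fragment.

Added example, not part of the original post. WEAK_CONF and HARDENED_CONF are
constructed samples: the post's directives plus Apache 2.2's documented defaults.
"""
import re

DIRECTIVE_RE = re.compile(r"^(SSL\w+)(?:\s+(.*?))?$", re.IGNORECASE)

# Apache 2.2's meaning of 'all' in SSLProtocol (lower-case key -> canonical name).
PROTOCOL_NAMES = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}

# OpenSSL cipher-string groups that should only ever appear negated ("!LOW").
WEAK_CIPHER_GROUPS = {"LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56",
                      "NULL", "eNULL", "aNULL", "ADH"}
# Groups an umbrella keyword (ALL, DEFAULT) must explicitly exclude.
MUST_NEGATE = {"aNULL", "eNULL", "LOW", "EXP"}
UMBRELLA = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}


def parse_directives(conf_text):
    """Return [(name, [args])] for SSL* directives; comments and <section> lines are skipped."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            found.append((m.group(1), (m.group(2) or "").split()))
    return found


def enabled_protocols(args):
    """Apply SSLProtocol semantics left to right: 'all', '+X', bare 'X' enable; '-X' disables."""
    enabled = set()
    for tok in args:
        name = tok.lstrip("+-").lower()
        members = set(PROTOCOL_NAMES.values()) if name == "all" else {PROTOCOL_NAMES.get(name, tok)}
        if tok.startswith("-"):
            enabled -= members
        else:
            enabled |= members
    return enabled


def cipher_findings(spec):
    """Static checks on an OpenSSL cipher string; '+X' only reorders, '-X' and '!X' remove."""
    findings = []
    tokens = spec.split(":")
    negated = {t[1:] for t in tokens if t.startswith("!")}
    for tok in tokens:
        if tok[:1] in "!+-":          # also skips an empty token
            continue
        if tok in WEAK_CIPHER_GROUPS:
            findings.append(f"SSLCipherSuite enables weak group {tok}")
        if tok.upper() in UMBRELLA:
            missing = sorted(MUST_NEGATE - negated)
            if missing:
                findings.append("SSLCipherSuite uses %s without %s"
                                % (tok, " ".join("!" + g for g in missing)))
    return findings


def audit_ssl_config(conf_text):
    """Return human-readable findings; an empty list means nothing weak was spotted."""
    directives = {name.lower(): args for name, args in parse_directives(conf_text)}
    findings = []
    if [a.lower() for a in directives.get("sslengine", [])] != ["on"]:
        findings.append("SSLEngine is not on")
    for key in ("sslcertificatefile", "sslcertificatekeyfile"):
        if key not in directives:
            findings.append(f"{key} is missing")
    if "sslprotocol" not in directives:
        findings.append("SSLProtocol not set: the Apache 2.2 default 'all' includes SSLv2")
    else:
        protocols = enabled_protocols(directives["sslprotocol"])
        if "SSLv2" in protocols:
            findings.append("SSLProtocol enables SSLv2")
        if not protocols:
            findings.append("SSLProtocol leaves no protocol enabled")
    if "sslciphersuite" not in directives:
        findings.append("SSLCipherSuite not set: the Apache 2.2 default includes LOW and EXP ciphers")
    else:
        findings.extend(cipher_findings((directives["sslciphersuite"] or [""])[0]))
    return findings


# Constructed: the post's minimal config with Apache 2.2's documented defaults spelled out.
WEAK_CONF = """
SSLEngine On
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
SSLProtocol all
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
Listen 443
"""

# Constructed: the post's hardened directives.
HARDENED_CONF = """
SSLEngine On
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
# SSL-V2 is flawed, disallow its use
SSLProtocol All -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
SSLOptions +StrictRequire
<Directory />
SSLRequireSSL
</Directory>
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_ssl_config(conf) or ["ok"])
```

The cipher check is purely lexical; to see the exact suites a string expands to on the server's own OpenSSL build, run `openssl ciphers -v 'HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM'` there and read the list.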


For more detailed installation instructions and explanations, this is a good article.