Wednesday, November 24, 2010

Authenticating web clients with SSL certificates

HTTPS allows clients to make sure that the traffic they send to and receive from the web server is encrypted, so no one can peek at it while it traverses the network. It also allows the client to check, by verifying who signed the SSL certificate, that it is talking to the web server it wants to talk to, and not to a fake/forged/impostor server. This is good for client security.

However, you may want to make sure that the web server is serving the right client, and not an impostor. You may control this with user and password authentication, but what if a former employee still knows the credentials and accesses your system from another location? You may want to make sure that your system is only accessed from particular clients. There are several strategies to achieve this, the simplest of which is IP filtering, but that just doesn't cut it, especially if you have dynamic IP addresses or there is heavy NATting around. So, how do you authenticate the client machine? Maybe even the web browser from which your application is being used?

The answer is SSL client authentication. Your web browser has an installed certificate. When it wants to access your web server, it must cipher contents with that certificate. The web server verifies it, and if it does not like it, it refuses to serve content.

I think I will be needing this, so I looked it up. Here's the link: http://www.freebsddiary.org/openssl-client-authentication.php

Once I set it up, I'll write down my version of how to do it.

Tuesday, March 2, 2010

Resizing Virtualbox hard disk image

I recently ended up with my Windows XP virtual machine having no free space on its virtual hard drive. I was too lazy to reinstall into a larger VDI, so I googled a little bit and found that it is possible to move the contents of my current virtual disk to a bigger one following these directions:

You will need Virtualbox, of course, and an ISO image of the gparted live CD. I hope you find it as useful as I did.

Tuesday, February 9, 2010

JDBC options for PostgreSQL SSL connection

Hi:

I was trying to find out which options I need to pass to the PostgreSQL JDBC driver in order to establish an SSL connection to the RDBMS. I found that the following are required:

  1. ssl=true (doh!)
  2. sslfactory=org.postgresql.ssl.NonValidatingFactory

The second one is only required if the SSL certificate used by the RDBMS is not signed by a trusted authority.

I hope someone finds this useful.
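With NonValidatingFactory the connection is encrypted but the server's certificate is never checked, so the client cannot tell the real database from an impostor. The following is an added example, not code from the original post: a small check that flags such settings before they are used, shown on the post's two options and on a validating alternative. It assumes the driver's sslmode and sslrootcert parameters, which the post does not mention, and the certificate path is a placeholder.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

public class PgTlsConfigCheck {

    // Returns the reasons a set of pgjdbc properties fails to authenticate the server.
    static List<String> findings(Properties p) {
        List<String> out = new ArrayList<>();
        String factory = p.getProperty("sslfactory", "");
        String mode = p.getProperty("sslmode", "");
        boolean ssl = Boolean.parseBoolean(p.getProperty("ssl", "false"));

        if (factory.endsWith("NonValidatingFactory")) {
            out.add("sslfactory accepts any certificate: traffic is encrypted, server is not authenticated");
        }
        if (mode.isEmpty() && !ssl) {
            out.add("neither ssl nor sslmode is set: TLS is not required");
        } else if (mode.equals("verify-ca")) {
            out.add("sslmode=verify-ca checks the chain but not the host name");
        } else if (!mode.isEmpty() && !mode.equals("verify-full")) {
            out.add("sslmode=" + mode + " does not validate the server certificate");
        }
        return out;
    }

    static void report(String name, Properties p) {
        List<String> f = findings(p);
        System.out.println(name + ": " + (f.isEmpty() ? "server certificate is validated" : f));
    }

    public static void main(String[] args) {
        // The two options from the post: needed for a self-signed server certificate.
        Properties fromPost = new Properties();
        fromPost.setProperty("ssl", "true");
        fromPost.setProperty("sslfactory", "org.postgresql.ssl.NonValidatingFactory");

        // Alternative: trust the server's signing certificate explicitly, keep validation on.
        Properties validating = new Properties();
        validating.setProperty("sslmode", "verify-full");
        validating.setProperty("sslrootcert", "/path/to/root.crt"); // placeholder path

        report("fromPost", fromPost);
        report("validating", validating);
    }
}
```

Either Properties object can be passed as the second argument to DriverManager.getConnection(url, props); the check itself needs neither the driver nor a database.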

Monday, February 8, 2010

Change emacs font size

Hi:

Sometimes I think the Emacs font (under X11) is very big. I got tired of it, googled a bit and found out that

meta-x customize-face RETURN default

takes you to a nice menu where you can set the size. Just change that 120 to whatever you like (100 for me). Then set it for the current session and save it for all future sessions. This creates an entry in the .emacs file.