CFHTTP calling HTTPS urls

Written on 6 February 2015, 02:46pm


To use HTTPS with the cfhttp tag, you might need to manually import the certificate for each web server into the keystore for the JRE that ColdFusion uses.

Here is how to do that:
1. Load the HTTPS url in your browser and export the certificate as a .cer file (see link above for more details)

2. Copy the .cer file to the CF server

3. Locate the path of ‘Java Home’ in CF Admin. It should be something like /usr/java/jre1.7.0_51, usually with a symlink to /usr/java/default.
The keystore location should be {Java Home}/lib/security/cacerts and it is password protected (the default password for cacerts is changeit).

4. Import the .cer file into the keystore:

# /usr/java/default/bin/keytool -import -keystore /usr/java/default/lib/security/cacerts \
    -alias thomas -file thomas.cer -storepass changeit

5. Check that the certificate was installed:

# /usr/java/default/bin/keytool -list -keystore /usr/java/default/lib/security/cacerts \
    -storepass changeit -alias thomas
thomas, Feb 6, 2015, trustedCertEntry, Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

6. Restart ColdFusion server
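Step 5 only proves that some entry named "thomas" exists; the fingerprint keytool prints should also equal the fingerprint of the .cer file you exported (and the one the browser showed). The following Python is an added example, not code from the post: it computes the fingerprint of a .cer file (DER or Base64 export), parses `keytool -list` output, and confirms the alias is a trustedCertEntry with the expected fingerprint. The certificate bytes below are constructed for the demonstration and are not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample, not a real certificate: just bytes that stand in for a DER .cer file.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate-" * 4
# The same content as a browser's "Base64 encoded X.509 (.CER)" export.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

HASHES = {"SHA1": hashlib.sha1, "SHA-256": hashlib.sha256}


def load_cert_der(data: bytes) -> bytes:
    """Return the DER bytes of a .cer file. Browsers export either binary DER or a
    Base64 (PEM) wrapper; keytool accepts both, but fingerprints are always computed
    over the DER bytes, so unwrap PEM first."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def fingerprint(der: bytes, algo: str = "SHA1") -> str:
    """Fingerprint in keytool's colon-separated, upper-case hex form."""
    digest = HASHES[algo.upper() if algo.upper() == "SHA1" else algo](der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Drop separators and case so a browser's 'ab cd ...' compares to keytool's 'AB:CD:...'."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprints_match(a: str, b: str) -> bool:
    return normalize_fingerprint(a) == normalize_fingerprint(b)


# One `keytool -list` entry. The date contains a comma ("Feb 6, 2015"), so the entry
# type is anchored on the known keytool entry names instead of splitting on commas.
KEYTOOL_ENTRY = re.compile(
    r"(?P<alias>[^,\n]+),\s*(?P<date>.+?),\s*"
    r"(?P<type>trustedCertEntry|PrivateKeyEntry|SecretKeyEntry),\s*"
    r"Certificate fingerprint \((?P<algo>[\w-]+)\):\s*(?P<fp>[0-9A-Fa-f:]+)"
)


def parse_keytool_list(output: str) -> dict:
    """Map alias -> (entry type, hash algorithm, fingerprint) from `keytool -list` output.
    Handles both the one-line form shown in the post and the two-line form keytool prints."""
    return {m["alias"].strip(): (m["type"], m["algo"], m["fp"])
            for m in KEYTOOL_ENTRY.finditer(output)}


def verify_import(keytool_output: str, alias: str, cer_bytes: bytes) -> bool:
    """True only if `alias` is present as a trustedCertEntry and its fingerprint equals
    the fingerprint of the .cer file we intended to import. Works with the SHA1 output
    of older keytool and the SHA-256 output of newer ones."""
    entries = parse_keytool_list(keytool_output)
    if alias not in entries:
        return False
    entry_type, algo, listed_fp = entries[alias]
    if entry_type != "trustedCertEntry" or algo not in HASHES:
        return False
    return fingerprints_match(listed_fp, fingerprint(load_cert_der(cer_bytes), algo))


if __name__ == "__main__":
    # Constructed stand-in for the output of step 5, using the sample file's real fingerprint.
    listing = ("thomas, Feb 6, 2015, trustedCertEntry, \n"
               "Certificate fingerprint (SHA1): " + fingerprint(SAMPLE_DER))
    print("expected:", fingerprint(SAMPLE_DER))
    print("alias ok:", verify_import(listing, "thomas", SAMPLE_PEM))
```

In practice you would read the exported file with `open("thomas.cer", "rb").read()` and paste the step 5 output; a mismatch means the keystore holds a different certificate than the one you exported, which is exactly the case where cfhttp keeps failing after a seemingly successful import.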

See also this and that.

Cryptography basics

Written on 3 December 2014, 11:07pm


1. Steganography

The science of hiding the existence of a message, as opposed to cryptography, which hides its meaning. A type of security through obscurity.
Ex. a message written on the shaved head of a messenger, who is sent only after his hair has grown back to cover it; microdots; physical templates laid over a long text to highlight only some of the words.

2. Cryptography

The practice of secure communication. The science of encrypting a message, i.e. concealing its meaning.

  • Transposition ciphers – letters do not change, but move position
  • Substitution ciphers – letters change, but keep position
    1. Caesar shift: all the letters of the alphabet shift a number of positions (from 1 to 26)
    2. Simple monoalphabetic substitution: every plaintext letter is replaced by a different letter. The cipher alphabet is fixed throughout the encryption. Both methods fall to basic frequency analysis.
    3. Monoalphabetic with homophones: a plaintext letter can be enciphered in several ways (typically as numbers or symbols), which makes the encryption resistant to basic frequency analysis.
    4. Polyalphabetic substitution – an alphabet matrix plus a password repeated until it has the same length as the plaintext message (Vigenère cipher). The cipher alphabet changes during the encryption; the change is defined by the key. The longer the key, the more secure; but less practical for everyday use.
  • A mix between transposition and substitution: ADFGVX (used to send Morse code messages)
  • One time pad – the only form of encryption that is unbreakable, relying on a random key that is the same length as the message. Each key can be used only once. Impractical for extended use.

3. Cryptanalysis

The science of deducing the plaintext from a ciphertext without knowledge of the key.
One of the earliest and most widely used methods: frequency analysis.
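As an added example (not part of the original post), the following Python implements the substitution ciphers from section 2 and the frequency analysis from section 3 on the same alphabet, so the relationship between them is visible: a Caesar shift is broken by scoring every candidate shift against English letter frequencies, the Vigenère cipher is the Caesar shift with a repeating key, and the one-time pad is the same operation with a random key at least as long as the message. The English letter frequencies and the sample plaintext are constructed for the demonstration.

```python
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Approximate English letter frequencies in percent (constructed reference table).
ENGLISH_FREQ = {
    'A': 8.17, 'B': 1.49, 'C': 2.78, 'D': 4.25, 'E': 12.70, 'F': 2.23, 'G': 2.02,
    'H': 6.09, 'I': 6.97, 'J': 0.15, 'K': 0.77, 'L': 4.03, 'M': 2.41, 'N': 6.75,
    'O': 7.51, 'P': 1.93, 'Q': 0.10, 'R': 5.99, 'S': 6.33, 'T': 9.06, 'U': 2.76,
    'V': 0.98, 'W': 2.36, 'X': 0.15, 'Y': 1.97, 'Z': 0.07,
}

# Constructed sample message, long enough for letter statistics to be meaningful.
SAMPLE_PLAINTEXT = ("THE ENEMY HAS BEEN SEEN NEAR THE EASTERN GATE AT DAWN SEND EVERY "
                    "MESSENGER TO THE GENERAL AND TELL THEM THAT THE ARMY NEEDS TO "
                    "RETREAT BEFORE THE SUN SETS")


def clean_letters(text):
    """Keep only A-Z, upper-cased: classical ciphers work on letters alone."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def caesar(text, shift):
    """Caesar shift: every letter moves `shift` positions; decrypt with -shift."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] for c in clean_letters(text))


def substitute(text, cipher_alphabet):
    """Simple monoalphabetic substitution with a fixed 26-letter cipher alphabet."""
    return clean_letters(text).translate(str.maketrans(ALPHABET, cipher_alphabet))


def vigenere(text, key, decrypt=False):
    """Polyalphabetic substitution: the key is repeated to the length of the text and
    each letter is Caesar-shifted by the value of the matching key letter."""
    key = clean_letters(key)
    sign = -1 if decrypt else 1
    out = []
    for i, c in enumerate(clean_letters(text)):
        k = ALPHABET.index(key[i % len(key)])
        out.append(ALPHABET[(ALPHABET.index(c) + sign * k) % 26])
    return "".join(out)


def one_time_pad_key(length):
    """Random key for a one-time pad; it must never be reused."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def one_time_pad(text, key, decrypt=False):
    """One-time pad: Vigenère with a random key at least as long as the message."""
    text = clean_letters(text)
    if len(clean_letters(key)) < len(text):
        raise ValueError("one-time pad key must be at least as long as the message")
    return vigenere(text, key, decrypt)


def frequency_analysis(text):
    """Relative frequency (percent) of each letter in the text."""
    clean = clean_letters(text)
    counts = Counter(clean)
    return {c: 100.0 * counts[c] / len(clean) for c in ALPHABET}


def chi_squared(text):
    """Distance of the text's letter distribution from English (lower = more English-like)."""
    freq = frequency_analysis(text)
    return sum((freq[c] - ENGLISH_FREQ[c]) ** 2 / ENGLISH_FREQ[c] for c in ALPHABET)


def break_caesar(ciphertext):
    """Frequency analysis against a Caesar shift: try all 26 shifts and keep the
    candidate whose letter distribution looks most like English."""
    best = min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))
    return best, caesar(ciphertext, -best)


if __name__ == "__main__":
    ct = caesar(SAMPLE_PLAINTEXT, 7)
    shift, recovered = break_caesar(ct)
    print("ciphertext:", ct)
    print("recovered shift:", shift)
    print("plaintext:", recovered)
```

The same scoring does not break a Vigenère ciphertext directly, because the key changes the cipher alphabet from letter to letter; it only works once the ciphertext is split into one column per key position, which is why the post notes that a longer key is more secure.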

Figure: substitution cipher

Figure: basic cryptanalysis

Random things #6

Written on 28 November 2014, 11:27am


1. A few things about yum:

yum plugins
yum update openssl package (heartbleed anyone?)

Info about yum and openssl packages:
yum info yum
yum info openssl

Run yum without plugins:
yum --noplugins

Update openssl package:
yum update openssl

To check that a certain CVE (Common Vulnerabilities and Exposures entry) is fixed in the currently installed package, search its changelog:
rpm -q --changelog openssl | grep CVE-2014-0224

To check openssl version:
openssl version -a

2. vi quick commands:

i (or the Insert key) to enter insert mode and start editing
Esc to stop editing and return to command mode
:x to save and exit (in command mode)
u to undo (in command mode)

3. SFTP Sublime Text plugin is awesome

And it’s only $20