We have C++ code that uses TCP/IP to communicate between a client and server and use TLS 1.2 for encryption between the two. I'd like to implement TLS session resumption as it would speed up reconnections, which will be very often in our software. I've scoured SO and lots of other places and come up with very little for definitive answers. The closest I've found is this: https://forums.iis.net/t/1239418.aspx?How+to+enable+TLS+session+resumption+or+Optimize+TLS+handshake+on+Windows+2016+
The instructions from that site are reproduced here:
To enable TLS session tickets on win2k12 r2 and win2k16, you need to follow these steps:
Create a key (DWORD) in registry with value 1 HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\EnableSslSessionTicket
Create a new TLS session ticket key through this powershell command: New-TlsSessionTicketKey -Password -Path "C:\KeyConfig\TlsSessionTicketKey.config" -ServiceAccountName "System" https://technet.microsoft.com/en-us/itpro/powershell/windows/tls/new-tlssessionticketkey
Enable TLS session ticket key through this powershell command: Enable-TlsSessionTicketKey -Password -Path "C:\KeyConfig\TlsSessionTicketKey.config" -ServiceAccountName "System"https://technet.microsoft.com/en-us/itpro/powershell/windows/tls/enable-tlssessionticketkey
Reboot the server to enable TLS session ticket generation. Reboot is required for the registry entry to take effect.
But I have some issues with it. I could do it in PowerShell, but I'd prefer to do it in C++ code. We don't use HTTP, only TCP/IP. And the service account you specify in Enable-TlsSessionTicketKey may be a user account and not one of the well-defined system accounts.
It can't be this hard, can it? It's not on by default, is it? I'm looking at a Wireshark capture and it doesn't look like it's on. In my Client Hello packets I see: session_ticket len=0, extended_master_secret len=0, renegotiation_info len=1. In my Server Hello messages I don't see any session ticket. I see: extended_master_secret len=0, renegotiation_info len=1.
After opening a support ticket with Microsoft, they did finally provide the means to do this. It's still not great, but it works. Not great because we have to do some in a Powershell script (rather do it in code) and the service account cannot be a normal user account.
You must pass in ASC_REQ_SESSION_TICKET (an undocumented option) into
the AcceptSecurityContext call on the server side. This will allow
the server to generate a ticket
Do steps 2, 3, and 4 above to create a session ticket then enable it in the Powershell script
Make sure you only create a single credential on the client side.
The service account must be one of these: System, LocalService, NetworkService, or SID of virtual accounts. We used NetworkService
Related
I am trying to register my bluetooth SDP service in C++ linux as shown here: Example 4-9. Describing a service
Where or how can I check exactly that the service is registered? I've tried viewing all services while running bluetoothctl or sdptool browse commands but service with my UUID is not shown there.
I've also tried changing the service group (not sure how it is called) in sdp_uuid16_create(&rootUuid, PUBLIC_BROWSE_GROUP) call to, for example, sdp_uuid16_create(&rootUuid, SERIAL_PORT_SVCLASS_ID) and searching with sdptool search SP as it is shown here Bluetooth Profiles but it does not take any effect.
When I run discovering services program (first paragraph on the site) on my other PC, it finds the service pretty fine.
The document you linked to is refering to a version of BlueZ that most systems don't run anymore.
Many of the tools it refers to (such as hciattach, hciconfig, hcitool, hcidump, rfcomm, sdptool, ciptool, and gatttool) were deprecated by the BlueZ project in 2017.
There is also the following SO question talking about the changes that have happened to BlueZ: Bluetooth SDP - where is sdpd?
Libraries such as https://github.com/nettlep/gobbledegook are examples of using the new D-Bus API in C.
The BlueZ documentation for the APIs are available at:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/doc
I've managed to check all local SDP records by typing sdptool browse local. In this case I can see my record the lowest in list:
Service Name: Service Name
Service Description: Service Description
Service Provider: Service Provider
Service RecHandle: 0x10010
Service Class ID List:
UUID 128: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
"Serial Port" (0x1101)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 1
Profile Descriptor List:
"Serial Port" (0x1101)
Version: 0x0100
My application runs in Windows and is implemented using C++/Qt.
The application will invoke another application deployed in the Linux server which in turn will invoke some third party tools. The Linux server application will send some status updates based on the running of third party tools. Usually the third party application will run for hours and the updates will be sent at various stages. The Linux server may also has to send some files in addition to the status updates and the Windows client will also send some files required for the running of those third party tools.
I planned to implement this in libssh2 since file transfers can be done and applications can be executed as well using libssh2_channel_exec(). Updates can be sent and received through non-blocking socket transfers. Also the transfers must be secured and they are password authenticated, so I thought SSH will conform my requirements.
I also looked into Qpid of apache which implements the AMQP. The messaging seems to be a more appropriate one for my status updates since the updates are less frequent. But I am not so sure about the secured connection, password authentication and also the application invocation.
So, which one can I choose between these two? Or is there any other better option available? I am not quite used to network programming so any pointers, links regarding this are welcome..
Have you considered some web-based solutions like XML-RPC, REST, SOAP or other? Note that you can either have constant network connection and stream updates or just make your client ask for update as often as it needs.
Also, I think that building solution based on some of these protocols will give you easier coding - no need for some low-level solutions when you have great libraries. As for security part, I would consider SSL that is part of HTTPS protocol to be secure enough. Of course you can also do it hybrid style, for example SSH tunel to secure server and use SSH key authorization.
But if you are sure youwant SSH or AMQP then use first one - I think it has better security. Also, try not using username/passowrd. Instead use mentioned above keys.
Start with SSH, and then consider layering other protocols on top. You can use SSH port forwarding to create a VPN connection to a server, and maybe that will make it easier to use something like AMQP or 0MQ.
I'm trying to use S3 as an off site file location for a database backup. On my home dev machine this works just fine, I just do a dump out from mySQL and then
<cffile action = "copy"
source = "#backupPath##filename#"
destination = "s3://myID:myKey#myBucket/#filename#">
and all is good. However, the production server at work is behind a router/firewall controlled/managed by a 3rd party. I read somewhere that S3 needs port 843 open to work (and then lost that reference) but does the CF built in function connect to a particular IP at amazon so I could ask for that port open for just that IP?
I see that you found some answers via comments on Ray Camden's blog post about the S3 functionality, with information contributed by Steven Erat, but for the sake of completeness here on Stack Overflow and for others who may find this question, here is that information:
By default, all communication from your CF server and S3 is done over HTTPS on port 443. There is a Java system property (s3service.https-only), which defaults to true, and will do the communication over http and not over https if you set it to false. Sorry, I don't know how you might change it, unless maybe as a JVM argument.
The IP of any given bucket could be different (and possibly change over time), so you can't necessarily get by on opening a port for a single IP -- but luckily you shouldn't have to since it's all done over SSL/443.
What does use port 843 is the Amazon S3 console, an optional flash-based web interface for managing your bucket(s).
This is a newbie question... I want to create a service which responds to emails sent to it.
Just to illustrate. If a user sends an email to handlethis#example.com with some instructions, I want a program at example.com (which is a domain I own) to read the email and act accordingly.
I strongly doubt I can do this with standard web hosts (which are shared), so I welcome suggestions on where I can host something like this (at the cheapest rate).
What will the "program" be written in? Can I use php, etc or is it some specific "email-handling" language!?
Thanks!
S
FWIW, I think this question should be posed on serverfault.com rather than here.
I confirm this is something most shared hostings can't do: You need to be able to create a scheduled task/cron job which checks your e-mail account every x minutes.
You might consider a virtual server hosting. A bit more pricey but much more flexible.
The script would be written in php on Linux or in VBS/JScript/.NET on Windows. I've written such a script in JScript on Windows, using a component that implements POP3.
Are there any alternatives to LogonUser and for impersonating given account in order to access network resources? I'm looking for the method of impersonation which would let me connect to machine in foreign domains (or, workgroup machines for the same matter).
For initial data I have: machine name, username (or domain\username), cleartext password.
I know there's a way to establish connection using WNetAddConnection to a \\machinename\ipc$, then most network functions will run in a context of that account, however win2008 added another twist and some functions still use the account, that thread is running under.
I'm also aware, that there's some way to get an impersonation token using SSPI. Have anyone experimented with those tokens, are they good for accessing shares, SCM, remote registry and stuff? Is is what WNetAddConnection is using?
EDIT: To clarify, the reason I cannot use LogonUser is because I need to impersonate user in a non-trusted domain or workgroup
EDIT2: Another clarification: the item I'm trying to implement is similar to psexec, e.g.:
program should not modify host or active directory configuration (e.g.: create temporary local users, etc). Moreover assumption cannot be made that it is running on DC or not
there can be no assumptions made about which software is pre-installed on the remote host, only condition given is that windows file sharing is enabled on target
Account/password is known to be working on target, but target machine may be in local domain, foreign domain, not in domain at all.
EDIT3: I would really love to hear more about SSPI InitializeSecurityContext / AcquireCredentialsHandle option. Is there anybody who has been working with this API extensively? Is it possible to use the tokens returned with impersonation, so that a thread can access network shares and copy files, etc? Can someone post a working code snippet?
EDIT4: Thanks to Marsh Ray, problem got resolved. If anyone is looking to see the proof-of-concept code, it is here
If you're wanting to "access network resources" outside of your forest, do that with WNetAddConnection2/3 as you mentioned, or use the standard RPC APIs with RPC_ C__ AUTHN__ GSS__ NEGOTIATE and and explicit credentials structure.
Normally, "impersonation" is something that happens on the server side. The server side will be able to impersonate the connection as the account you're connecting as.
But the key is this: impersonation only makes sense for impersonating an account the server can access in his local SAM/domain/forest directory. If the client and server are in different forests, they clearly can't agree on the SID of an account for an impersonation token (except for the case of well-known SIDs like Administrator which serve mainly to confuse this kind of thing), and that seems necessary to check against DACLs etc.
Perhaps what you want is to call LogonUserEx with the LOGON32__ LOGON__ NEW__ CREDENTIALS flag. This should succeed (even in a different forest - it doesn't actually authenticate the credentials you give it) giving you a token with the username/password you specified. You may have to use DuplicateToken to turn this into an impersonation token. Then you can use SetThreadToken to replace the token on your thread.
IMHO this isn't really "impersonation", you're just using the credentials outright, but it allows you to access network resources transparently as the arbitrary username/password you supply.
Edit: Oh yeah, be aware that there is no protection against man-in-the-middle on this type of connection. The client especially cannot strongly authenticate the server (short of heroics like IPSEC), so in theory you can't trust anything the server tells you.
The theory goes that you pass the credentials as a SEC_WINNT_AUTH_IDENTITY structure to the AcquireCredentialsHandle function that creates the handle used in InitializeSecurityContext. I never tried this on foreign domains though and I don't know if it works.
Doing this directly and reliably via the Windows API seems next to impossible, plus Windows does so much work behind the scenes to make network access "just work". Plus the impersonation side of things only works for the single thread that called the APIs.
But... you can run a whole program under a different user... such as when you run a service.
So you could edit the registry in your main program to run various services under different security tokens and use IPC/Sockets to communicate with those processes from your main application. ie. a whole bunch (or restarting and reconfiguring the same process) of helper processes running under the different user(s) which your main app abuses.
I realize this is a hack but it seems viable ;)
You could open a command line, map the drive using the plaintext username and password. Then disconnect the drive:
net use m: \\machinename\share password /user:username
... do stuff ...
net use m: /delete
http://technet.microsoft.com/en-us/library/cc756153(WS.10).aspx