Friday, December 12, 2014

Debugging Apache Start/Reload

After adding a new virtual host config file for Apache, I tried to reload Apache, but got the following:
>> service apache2 reload
Reloading web server config: apache2 failed!
However, I also found that there is no apparent way to read a log that would tell me why "apache2 failed" (there is no error in the Apache log either). So I used strace:
strace -Ff service apache2 reload &> /tmp/t
Then, searching for the keyword "log" in /tmp/t, we get:
Process 62754 detached
[pid 62750] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 62754
[pid 62750] --- SIGCHLD (Child exited) @ 0 (0) ---
[pid 62750] rt_sigreturn(0x11)          = 62754
[pid 62750] write(1, "Action 'configtest' failed.\n", 28) = 28
[pid 62750] write(1, "The Apache error log may have mo"..., 48) = 48
[pid 62750] exit_group(1)               = ? 
Yes, here it is! It says that "configtest" failed, which is what causes "apache2 failed".
So here is a better way to debug my config file:
>> apachectl configtest
apache2: Syntax error on line 268 of /etc/apache2/apache2.conf: Syntax error on line 26 of /etc/apache2/sites-enabled/nphw3.conf: use of macro 'VHost' defined on line 2 of /etc/apache2/sites-enabled/nphw3.conf  with 2 arguments instead of 3
Action 'configtest' failed.
The Apache error log may have more information. 
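As an added example (not part of the original post), here is a small Python helper that automates the "search the strace log" step above: it pulls every write() to stdout/stderr out of an strace -f log, decodes strace's escapes, flags strings that strace truncated at its -s limit, and collects the exit_group() and wait4() statuses. The sample input is the strace output quoted above, constructed here as a string.

```python
import re

# Constructed sample: the strace -f lines quoted above in this post.
SAMPLE_STRACE = r'''Process 62754 detached
[pid 62750] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 62754
[pid 62750] --- SIGCHLD (Child exited) @ 0 (0) ---
[pid 62750] rt_sigreturn(0x11)          = 62754
[pid 62750] write(1, "Action 'configtest' failed.\n", 28) = 28
[pid 62750] write(1, "The Apache error log may have mo"..., 48) = 48
[pid 62750] exit_group(1)               = ?
'''

PID = r'^(?:\[pid\s+(\d+)\]\s+)?'          # "[pid N] " prefix added by strace -f
WRITE_RE = re.compile(PID + r'write\((\d+),\s+"((?:[^"\\]|\\.)*)"(\.\.\.)?,\s+(\d+)\)')
EXIT_RE = re.compile(PID + r'exit_group\((\d+)\)')
# a child's exit status as the parent sees it when its wait4() returns
WAIT_RE = re.compile(r'WEXITSTATUS\(s\) == (\d+)\}\],.*=\s+(\d+)')

def unescape(raw):
    # strace prints strings with C-style escapes (\n, \t, \", \ooo, \xhh)
    return raw.encode('latin-1').decode('unicode_escape')

def extract_messages(trace_text):
    """Pull the evidence a wrapper script hid out of an strace -f log.
    messages: each write() to fd 1 or 2, decoded; 'truncated' is set when
              strace cut the string at its -s limit (default 32) and appended "..."
    exits:    pid -> status passed to exit_group()
    children: (child pid, exit status) pairs reported by wait4()
    """
    report = {'messages': [], 'exits': {}, 'children': []}
    for line in trace_text.splitlines():
        m = WRITE_RE.match(line)
        if m:
            pid, fd, raw, dots, length = m.groups()
            if fd in ('1', '2'):
                report['messages'].append({
                    'pid': int(pid) if pid else None, 'fd': int(fd),
                    'text': unescape(raw), 'truncated': dots is not None,
                    'length': int(length)})
            continue
        m = EXIT_RE.match(line)
        if m:
            pid, status = m.groups()
            report['exits'][int(pid) if pid else None] = int(status)
            continue
        m = WAIT_RE.search(line)
        if m:
            report['children'].append((int(m.group(2)), int(m.group(1))))
    return report
```

When a message comes back with 'truncated' set (as the second write above does, 48 bytes but only 32 shown), rerun strace with a larger -s value to see the whole string.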

Saturday, December 6, 2014

TLS/SSL Study Note

Preface

In the third assignment of "Network Security Practice", we are asked to trace TLS/SSL traffic packets. I am writing down my understanding of TLS/SSL after studying Wikipedia and other sites.

Procedure

Objects

  1. CLIENT A
  2. SERVER A: serving the desired application services for CLIENT A
  3. SERVER B: the server which issues the digital certificate for SERVER A

Steps

  1. [CLIENT] → [SERVER A]
    • requests a secure connection
    • offers a list of supported cipher suites
  2. [SERVER A] → [CLIENT]: sends back the following:
    • the picked cipher/hash function
    • its identification (digital certificate), which mostly contains:
      • server name
      • trusted certificate authority
      • public encryption key
  3. [CLIENT] → [SERVER B]: checks the validity of SERVER A
  4. [CLIENT] ←→ [SERVER A]: generate the session key
    • [CLIENT] encrypts a random number using the received public key, then sends out the result
    • [SERVER A] decrypts it with its private key, then gets the random number
  5. [CLIENT] ←→ [SERVER A]: start various application-layer communications, encrypting/decrypting with the picked cipher/hash function and the random number

Reference