UNIX Consulting and Expertise
Golden Apple Enterprises Ltd. » Archive of 'Dec, 2009'

NVidia: Mad Science

In possibly one of the best named marketing efforts ever, NVidia have announced their “Mad Science” promotion – just in time for Christmas! The deal is simple – buy a Tesla card now, and get a free upgrade to the equivalent Fermi based card when they start shipping:

When you purchase a Tesla C1060 GPU Computing Processor through this promotional offer, you will qualify for a no penalty upgrade to a Tesla C2050 or a Tesla C2070 GPU Computing Processor. Start experiencing GPU computing today on a Tesla C1060 and be assured to be one of the first to receive the new Fermi-based Tesla C2050/C2070 GPU Computing Processor.

Sun Grid Engine for Dummies

DanT has posted up a fantastic introduction to Sun Grid Engine. Most discussions of Grid Engine assume a decent level of knowledge of clustering and distributed load balancing – fine if you know your stuff, not so good if you want to get up to speed with little prior knowledge.

Dan’s post breaks down the concepts behind Grid Engine and provides an excellent explanation on how and why it works. This is a really great resource and is well worth a read through – even if you’re not planning on deploying a Grid Engine solution, it’s well worth understanding the technology and how it works.

Sun HPC Consortium presentations and videos posted

Alongside the recent SC09 show, Sun ran their HPC Consortium, which featured a number of interesting technical presentations from Sun and their customers. Obviously there was a big focus on using technologies within HPC, but discussions on things like file system roadmaps and how to scale performance with multi-chip hardware solutions are just as relevant to business as they are to HPC.

So it’s great to see that Sun have posted PDFs of the presentations, and videos of the discussion panels, up at the HPC Consortium website.

Head on over to https://meeting-reg.com/sunhpcc/presentations.php to get the full list.

There’s a lot of good content there and some very interesting discussions.

Flash Storage fun – and some NIS+ news

A couple of Sun blog posts that make excellent Friday reading. Sun are coming up with some great applications of Flash storage technology, and it’s gratifying to see this sort of “Mad Science” R&D resulting in some solid commercial solutions.

First up, Benoit Chaffanjon explores the Sun Flash Accelerator F20 cards, which are used inside the Sun Oracle Database Machine.

Next, Adam Leventhal explores the pros and cons of mirroring or striping Logzilla devices in the Sun Storage 7000s.

Both posts are a great read and give solid examples of the ways solid state storage can be exploited for some really big performance and scalability gains.

And, on a totally unrelated note, a loathsome technology that I have long had a hate-hate affair with, NIS+, has been removed from Solaris! Ironic that NIS+ has been outlived by NIS, the technology it was designed to replace.

OpenSSL tricks – checking https ports

Checking whether or not your web server is running is pretty simple – telnet to port 80, issue a HEAD request, and make sure you get a valid response. What’s less well known is how to test an https session – in this post I’ll go through the nice tool the OpenSSL toolkit gives us.

People think of OpenSSL as a collection of libraries that enable us to build in SSL support to a variety of things – webservers, LDAP servers, etc. OpenSSL also happens to be a toolkit in binary form that’s built along with the libraries, and it’s a pretty powerful bit of kit.

First of all, we can use the s_client functionality to test an https connection:

bash-3.2$ openssl s_client -connect www.siliconbunny.com:443

CONNECTED(00000003)
depth=0 /C=GB/ST=Berkshire/L=Crowthorne/O=Silicon Bunny/CN=www.siliconbunny.com/[email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=GB/ST=Berkshire/L=Crowthorne/O=Silicon Bunny/CN=www.siliconbunny.com/[email protected]
verify return:1
---
Certificate chain
 0 s:/C=GB/ST=Berkshire/L=Crowthorne/O=Silicon Bunny/CN=www.siliconbunny.com/[email protected]
   i:/C=GB/ST=Berkshire/L=Crowthorne/O=Silicon Bunny/CN=www.siliconbunny.com/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDpjCCAo4CAQAwDQYJKoZIhvcNAQEEBQAwgZgxCzAJBgNVBAYTAkdCMRIwEAYD
VQQIEwlCZXJrc2hpcmUxEzARBgNVBAcTCkNyb3d0aG9ybmUxFjAUBgNVBAoTDVNp
bGljb24gQnVubnkxHTAbBgNVBAMTFHd3dy5zaWxpY29uYnVubnkuY29tMSkwJwYJ
KoZIhvcNAQkBFhp3ZWJtYXN0ZXJAc2lsaWNvbmJ1bm55LmNvbTAeFw0wNDA4MTcy
MjExMTJaFw0xNDA4MTUyMjExMTJaMIGYMQswCQYDVQQGEwJHQjESMBAGA1UECBMJ
QmVya3NoaXJlMRMwEQYDVQQHEwpDcm93dGhvcm5lMRYwFAYDVQQKEw1TaWxpY29u
IEJ1bm55MR0wGwYDVQQDExR3d3cuc2lsaWNvbmJ1bm55LmNvbTEpMCcGCSqGSIb3
DQEJARYad2VibWFzdGVyQHNpbGljb25idW5ueS5jb20wggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDfMrAWj1SU9IKclxLucFaptJZ3eehlV7VI+gNjeIV1
bLTaBvIR/k4e2dYArG05ZZwXu+N8zvqDQfzJaFV4z5a/1nGjzx63VexRM6ix79NX
I1/hJ3m6qU+C0Iy0lbKIy60r8F3DS5N+URZDHyQTb0zV9c9+4WFPpc6J+zDeRP0r
WfF2CDzSV16snTonLzSe7NAL0Br9+5sp26vERX0+Syg1pSG15c3YKMnaNbF8dquE
UC1SAso8PPgKdw9Fle38ulWbX6Lr6gXEWvo1Vb61SEiTz+pcv4fPXtHix4knifIF
kqs+rvELYCGuIWV0gTFuF3/opGazSRub8U2Af9QjjJvdAgMBAAEwDQYJKoZIhvcN
AQEEBQADggEBANnYch3XCiteZRnzeVtmmmDjpn7OVfc/V9QzL8mVTVdopd/oVScI
4gyz2lDpLxiLeXA86WDpai2rys7aXGjwIBtSaHHt1O5bYG6kR+H3RLunklIaJhBr
0bj9Hffa15POEEctZdfMO3OJ/4nR8Bd6lJRllvF4qkDsbKnwEXd/IB33sVtvtNxM
LUAgtq8BaeLysUMxVRbsFJ01J6uyv6Y6OtzY3QedkP+ig3+IkWqgPm1zTh1CflSH
OUXeMQnPl8mN6s7deg1WBmiSgc6um3Tb5NoL1CmRPamJip5DqPffR+EboxReRiRJ
fofgD0cIKKghQsHXxWL8OcqrfDQpC9BgUWw=
-----END CERTIFICATE-----
subject=/C=GB/ST=Berkshire/L=Crowthorne/O=Silicon Bunny/CN=www.siliconbunny.com/[email protected]
issuer=/C=GB/ST=Berkshire/L=Crowthorne/O=Silicon Bunny/CN=www.siliconbunny.com/[email protected]
---
No client certificate CA names sent
---
SSL handshake has read 1630 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 80F355438981C329BEF0BB1CCA4936906EE0A0F71C0B7AD4A873629081E7452A
    Session-ID-ctx: 
    Master-Key: BD04DC16B134FBB2B5F5833FEB72853245EC060536AD6F4A6FEBA7DFD47F607693795F9CE3B1F291593E489B685FAE70
    Key-Arg   : None
    Start Time: 1260328910
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

This allows us to form a proper SSL connection to the web server – we can see the certificate, check its validity, and then run our HEAD request check as well. We’re not just doing a basic “are you listening?” check – openssl is forming the same https connection a client would, so this is very handy when checking out certificate mismatches or bizarre client errors.

Within the same session we can then start talking http and check our server is doing the right thing:

HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 09 Dec 2009 02:02:43 GMT
Server: Apache
X-Pingback: http://grond.gaeltd.com/xmlrpc.php
Cache-Control: max-age=0
Expires: Wed, 09 Dec 2009 02:02:43 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8

closed

Worst case, you can do this testing directly on your web server, but most machines should have OpenSSL installed, and at a minimum you should look at adding it to the collection of tools on your laptop or memory stick.
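The s_client check above, scripted: an added example (not from the original post) that reduces s_client output to protocol, cipher and verify code, and fails on anything other than code 0, such as the self-signed result 18 shown earlier. The function names and the trimmed sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn `openssl s_client` output into a pass/fail check.

# Read s_client output on stdin, print "protocol cipher verify_code".
# Exit 0 only if the chain verified (code 0), 1 if not, 2 if no handshake.
summarise_s_client() {
    awk '
        /^ *Protocol *:/      { proto = $NF }
        /^ *Cipher *:/        { cipher = $NF }
        /Verify return code:/ { code = $4; seen = 1 }
        END {
            if (!seen) { print "no-handshake"; exit 2 }
            printf "%s %s %s\n", proto, cipher, code
            exit (code ~ /^0$/ ? 0 : 1)
        }'
}

# Live check against a server you operate. usage: check_https host [port]
check_https() {
    host=$1; port=${2:-443}
    # </dev/null closes stdin, so s_client exits once the handshake is done.
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | summarise_s_client
}

# Constructed sample: the tail of the s_client output shown above.
sample_output() {
cat <<'EOF'
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
EOF
}

# Offline demonstration on the sample; a live run would be `check_https host`.
sample_output | summarise_s_client || echo "certificate did not verify"
```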

Another interesting and lesser known use of OpenSSL is for file encryption.

This is an example using OpenSSL’s enc function to encrypt a text file using the Blowfish cipher:

bash-3.2$ openssl enc -e -a -salt -bf -in testfile.txt -out testfile.blowfish
enter bf-cbc encryption password:
Verifying password - enter bf-cbc encryption password:

You’re prompted twice to enter a password to be used, then OpenSSL will encrypt the file for you.

Decrypting a file is very similar – calling the enc function in decrypt mode (-d) and changing your input and output files:

bash-3.2$ openssl enc -d -a -bf -in testfile.blowfish -out tomcat-testfile.txt
enter bf-cbc decryption password:

Using OpenSSL like this for file encryption gives you simple, easy access to quite strong encryption algorithms, but without the hassle of managing key files that you get with PGP – so it can be an ideal solution for things like managing sensitive webserver log files.
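For scripted use, such as log rotation, the password prompt has to go; this added example (not from the original post) reads the passphrase from an environment variable and never leaves a half-decrypted file behind. Assumptions: OpenSSL 1.1.1 or later for -pbkdf2, AES-256-CBC in place of Blowfish, and the hypothetical variable name LOG_PASS and function names.

```shell
#!/bin/sh
# Added example: non-interactive `openssl enc` for use from scripts.
# Assumptions: OpenSSL 1.1.1+ (-pbkdf2), AES-256-CBC instead of the post's
# Blowfish, passphrase exported in LOG_PASS (hypothetical name).

# Same options for both directions; -a keeps the output base64 as in the post.
ENC_OPTS="-aes-256-cbc -pbkdf2 -salt -a"

# usage: encrypt_file plaintext ciphertext
encrypt_file() {
    # umask 077: the output is readable by the owner only.
    ( umask 077
      openssl enc -e $ENC_OPTS -pass env:LOG_PASS -in "$1" -out "$2" )
}

# usage: decrypt_file ciphertext plaintext
decrypt_file() {
    tmp="$2.partial.$$"
    # Decrypt to a temporary name and rename only on success.
    ( umask 077
      openssl enc -d $ENC_OPTS -pass env:LOG_PASS -in "$1" -out "$tmp" \
          2>/dev/null ) && mv "$tmp" "$2" && return 0
    # Wrong passphrase or damaged input: leave no partial plaintext behind.
    rm -f "$tmp"
    return 1
}
```

`-pass env:` keeps the passphrase out of the process argument list, where a `-pass pass:...` argument would be visible to other local users.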

The last OpenSSL trick to look at is hashing functions – specifically we want to calculate a message digest to check that a file hasn’t been tampered with.

Although outdated, md5 is still the most commonly used hash function to check a file’s integrity – most often you’ll be looking at md5 checksums to verify a large file has been fully downloaded, or that it’s not been tampered with.

All we need to do is call OpenSSL with its digest function, specify the hash algorithm to use, and then give it a file to check. Classic case here – I want to verify that the checksum for the VPN software I’ve downloaded matches up:

bash-3.2$ openssl dgst -md5 -c Tunnelblick_3.0b22.dmg 
MD5(Tunnelblick_3.0b22.dmg)= 5b:d3:6d:2a:06:22:9f:58:00:01:f8:e1:15:48:7c:d9

Although md5 is the most common hash function in use, it’s considered outdated and has been deprecated in favour of stronger functions like SHA-1 – which are just as easy to use via OpenSSL:

bash-3.2$ openssl dgst -sha1 -c Tunnelblick_3.0b22.dmg 
SHA1(Tunnelblick_3.0b22.dmg)= 7f:56:1c:96:68:4a:fc:b3:f6:27:99:11:41:89:ed:7e:30:97:28:7f
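A scripted form of this check, added here and not part of the original post: it compares a file against a published digest and accepts the colon-separated form that -c prints. The function names are hypothetical, and the SHA-256 call in the usage comment assumes the publisher provides that digest.

```shell
#!/bin/sh
# Added example: compare a download against its published digest.

# Print the lowercase hex digest of a file. The digest is the last field of
# `openssl dgst` output whatever label the OpenSSL version puts before it.
# usage: file_digest algorithm file
file_digest() {
    openssl dgst "-$1" "$2" 2>/dev/null | awk '{ print tolower($NF) }'
}

# Normalise a published value: strip colons and whitespace, fold to lowercase.
normalise() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# usage: verify_download algorithm file published_digest
# Returns 0 on a match, 1 on a mismatch, 2 if the file could not be hashed.
verify_download() {
    actual=$(file_digest "$1" "$2")
    [ -n "$actual" ] || return 2
    [ "$actual" = "$(normalise "$3")" ]
}

# Typical call, with the value copied from the publisher's download page:
#   verify_download sha256 Tunnelblick_3.0b22.dmg "<published digest>" \
#       || echo "digest mismatch: do not install"
```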

Hopefully this has given you an idea of the power and flexibility of the OpenSSL toolkit. A big advantage of utilising OpenSSL in this way is that it can easily be scripted, giving you some very powerful tools for carrying out simple sanity checks on remote, publicly accessible servers.