<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>bearlog - Latest Comments</title><link>http://bearlog.disqus.com/</link><description></description><atom:link href="https://bearlog.disqus.com/comments.rss" rel="self"></atom:link><language>en</language><lastBuildDate>Mon, 05 Aug 2013 16:40:01 -0000</lastBuildDate><item><title>Re: Nginx SSL Config for Forward Secrecy</title><link>http://code-bear.com/bearlog/2013/06/26/nginx-ssl-config-for-forward-secrecy/#comment-989567016</link><description>&lt;p&gt;Thanks for the update - I tweaked the cipher list with your change&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bear</dc:creator><pubDate>Mon, 05 Aug 2013 16:40:01 -0000</pubDate></item><item><title>Re: Nginx SSL Config for Forward Secrecy</title><link>http://code-bear.com/bearlog/2013/06/26/nginx-ssl-config-for-forward-secrecy/#comment-987637336</link><description>&lt;p&gt;I added the cipher :DHE-RSA-AES256-SHA before:RC4-SHA&lt;/p&gt;&lt;p&gt;This seems to satisfy Firefox21, etc.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">devin</dc:creator><pubDate>Sat, 03 Aug 2013 22:02:38 -0000</pubDate></item><item><title>Re: Nginx SSL Config for Forward Secrecy</title><link>http://code-bear.com/bearlog/2013/06/26/nginx-ssl-config-for-forward-secrecy/#comment-987610122</link><description>&lt;p&gt;I had PFS working on Qualys with nginx and your cipher list, but now it is failing Firefox21, etc. Anyone else having trouble?&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">devin</dc:creator><pubDate>Sat, 03 Aug 2013 21:17:52 -0000</pubDate></item><item><title>Re: Deploy secrets and git &amp;#8211; why you should not combine them</title><link>http://code-bear.com/bearlog/2013/07/06/deploy-secrets-and-git-why-you-should-not-combine-them/#comment-954110806</link><description>&lt;p&gt;I didn't go into detail because it varies based on how you deploy. 
With something like Fabric or Capistrano, I would build a local file from a template with the secret values loaded into memory from the secure store.&lt;/p&gt;&lt;p&gt;Puppet and Chef have similar methods of retrieving named items or structures from an encrypted store.&lt;/p&gt;&lt;p&gt;Deploying a server is, well at least for how I do it ;), always a provision step followed by a configuration step.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bear</dc:creator><pubDate>Sat, 06 Jul 2013 22:50:52 -0000</pubDate></item><item><title>Re: Deploy secrets and git &amp;#8211; why you should not combine them</title><link>http://code-bear.com/bearlog/2013/07/06/deploy-secrets-and-git-why-you-should-not-combine-them/#comment-954079572</link><description>&lt;p&gt;Right, but I guess my point is, how do you deploy a deploy server? I'm assuming you have a deploy procedure for deploy servers, so how does that configuration information end up on the deploy servers?&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Paddy Foran</dc:creator><pubDate>Sat, 06 Jul 2013 21:49:26 -0000</pubDate></item><item><title>Re: Deploy secrets and git &amp;#8211; why you should not combine them</title><link>http://code-bear.com/bearlog/2013/07/06/deploy-secrets-and-git-why-you-should-not-combine-them/#comment-954008070</link><description>&lt;p&gt;Most shops have two groups of people who need to know the configuration and/or deploy secrets: Ops and QA/Devs and each need a different set of secrets and they should not have any knowledge about each other. 
For instance devs need something to use when working locally but that dev server should not be the same as what Ops deploys - hence their secrets are not shared.&lt;/p&gt;&lt;p&gt;In all of the environments I've worked or created, the secrets are always pushed from the deploy servers to the production servers as part of the configuration management step and are stored in their own environment.&lt;/p&gt;&lt;p&gt;I guess some could store the secrets in a private git server that is behind the firewall and all of that, but I would still consider that sub-par because of the social aspect as I mentioned.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bear</dc:creator><pubDate>Sat, 06 Jul 2013 19:13:33 -0000</pubDate></item><item><title>Re: Deploy secrets and git &amp;#8211; why you should not combine them</title><link>http://code-bear.com/bearlog/2013/07/06/deploy-secrets-and-git-why-you-should-not-combine-them/#comment-954001443</link><description>&lt;p&gt;So how would you suggest storing deploy secrets? Git has the nice benefit of being easy to share with the people who need access to these secrets and being easy to back up and make redundant to prevent against lost data. 
How can I get those properties in a more secure way?&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Paddy Foran</dc:creator><pubDate>Sat, 06 Jul 2013 19:06:32 -0000</pubDate></item><item><title>Re: Nginx SSL Config for Forward Secrecy</title><link>http://code-bear.com/bearlog/2013/06/26/nginx-ssl-config-for-forward-secrecy/#comment-953901843</link><description>&lt;p&gt;I should be fine for IE10 for everything *except* the forward secrecy as IE10 doesn't support the ciphers required IIRC&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bear</dc:creator><pubDate>Sat, 06 Jul 2013 16:19:21 -0000</pubDate></item><item><title>Re: Nginx SSL Config for Forward Secrecy</title><link>http://code-bear.com/bearlog/2013/06/26/nginx-ssl-config-for-forward-secrecy/#comment-953140803</link><description>&lt;p&gt;I just tried this and it works for every browser except IE 10. Any workarounds?&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Wayne</dc:creator><pubDate>Fri, 05 Jul 2013 16:00:06 -0000</pubDate></item><item><title>Re: Nginx SSL Config for Forward Secrecy</title><link>http://code-bear.com/bearlog/2013/06/26/nginx-ssl-config-for-forward-secrecy/#comment-948390412</link><description>&lt;p&gt;Yes, that is correct. 
I'm @Kiran Jonnalagadda   on Twitter and I've used your settings for my servers, which I've blogged about here: &lt;a href="https://blog.hasgeek.com/2013/https-everywhere-at-hasgeek" rel="nofollow noopener" target="_blank" title="https://blog.hasgeek.com/2013/https-everywhere-at-hasgeek"&gt;https://blog.hasgeek.com/20...&lt;/a&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Kiran Jonnalagadda</dc:creator><pubDate>Mon, 01 Jul 2013 17:37:27 -0000</pubDate></item><item><title>Re: Nginx SSL Config for Forward Secrecy</title><link>http://code-bear.com/bearlog/2013/06/26/nginx-ssl-config-for-forward-secrecy/#comment-948387098</link><description>&lt;p&gt;thanks - I updated the post again, can you double check that I put it in the proper spot?&lt;/p&gt;&lt;p&gt;what is your twitter handle - I want to give you credit for enhancing the config to make it even better!&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bear</dc:creator><pubDate>Mon, 01 Jul 2013 17:33:39 -0000</pubDate></item><item><title>Re: Nginx SSL Config for Forward Secrecy</title><link>http://code-bear.com/bearlog/2013/06/26/nginx-ssl-config-for-forward-secrecy/#comment-948372691</link><description>&lt;p&gt;Thanks! I just tried your string with &lt;a href="http://ssllabs.com" rel="nofollow noopener" target="_blank" title="ssllabs.com"&gt;ssllabs.com&lt;/a&gt; and noticed that this does not enable Forward Secrecy with IE9 and IE10. They need an additional cipher: ECDHE-RSA-AES256-SHA (just before the last RC4-SHA). Adding that fixed it.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Kiran Jonnalagadda</dc:creator><pubDate>Mon, 01 Jul 2013 17:17:13 -0000</pubDate></item><item><title>Re: Nginx SSL Config for Forward Secrecy</title><link>http://code-bear.com/bearlog/2013/06/26/nginx-ssl-config-for-forward-secrecy/#comment-948354812</link><description>&lt;p&gt;ugh! 
great catch (the $ comes from the terminal I was cutting and pasting from)&lt;/p&gt;&lt;p&gt;I updated the post with the full cipher string.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bear</dc:creator><pubDate>Mon, 01 Jul 2013 17:06:20 -0000</pubDate></item><item><title>Re: Nginx SSL Config for Forward Secrecy</title><link>http://code-bear.com/bearlog/2013/06/26/nginx-ssl-config-for-forward-secrecy/#comment-948114378</link><description>&lt;p&gt;FWIW, I've used your config as a reference for my config. Here's my version: &lt;a href="https://blog.hasgeek.com/2013/https-everywhere-at-hasgeek" rel="nofollow noopener" target="_blank" title="https://blog.hasgeek.com/2013/https-everywhere-at-hasgeek"&gt;https://blog.hasgeek.com/20...&lt;/a&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Kiran Jonnalagadda</dc:creator><pubDate>Mon, 01 Jul 2013 13:38:20 -0000</pubDate></item><item><title>Re: Nginx SSL Config for Forward Secrecy</title><link>http://code-bear.com/bearlog/2013/06/26/nginx-ssl-config-for-forward-secrecy/#comment-946366190</link><description>&lt;p&gt;Mike, is the last line complete, or does it really end in a '$' and not a ';' ? I tried it on my server and lost TLS 1.0 and 1.1; only 1.2 worked. 
Then I appended 'RC4:HIGH:!aNULL:!MD5' to the list and support came back along with Forward Secrecy for all browsers except IE9 and IE10.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Kiran Jonnalagadda</dc:creator><pubDate>Sat, 29 Jun 2013 12:35:28 -0000</pubDate></item><item><title>Re: XMPP features now missing from GTalk (aka Hangout Chat)</title><link>http://code-bear.com/bearlog/2013/05/19/xmpp-features-now-missing-from-gtalk-aka-hangout-chat/#comment-906530888</link><description>&lt;p&gt;I'm not a technical person, I'm just pissed that my gtalk contacts are not migrated to hangouts, that I'm being forced to use google+&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Rae</dc:creator><pubDate>Fri, 24 May 2013 02:32:32 -0000</pubDate></item><item><title>Re: XMPP features now missing from GTalk (aka Hangout Chat)</title><link>http://code-bear.com/bearlog/2013/05/19/xmpp-features-now-missing-from-gtalk-aka-hangout-chat/#comment-903700141</link><description>&lt;p&gt;Google Apps users are in the same position, so Google screwed them over too. They can choose to either upgrade or wait to be forced to upgrade.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dmitri Smirnov</dc:creator><pubDate>Tue, 21 May 2013 04:05:22 -0000</pubDate></item><item><title>Re: I welcome Google as the new Borg</title><link>http://code-bear.com/bearlog/2013/05/19/i-welcome-google-as-the-new-borg/#comment-903095647</link><description>&lt;p&gt;Moving away from XMPP in general and federation in particular is BAD, BAD, BAD! 
Google you screwed up big time!&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Harald Steindl</dc:creator><pubDate>Mon, 20 May 2013 12:55:39 -0000</pubDate></item><item><title>Re: XMPP features now missing from GTalk (aka Hangout Chat)</title><link>http://code-bear.com/bearlog/2013/05/19/xmpp-features-now-missing-from-gtalk-aka-hangout-chat/#comment-902882998</link><description>&lt;p&gt;How do you connect to Hangouts with XMPP? As I replied to the other post. I do not really see any changes. (I do not have Android and never use the chat function on G+.)&lt;br&gt;I don't think they can disable federation for their business users who pay for having a Jabber service with federation.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Julius Schwartzenberg</dc:creator><pubDate>Mon, 20 May 2013 09:25:13 -0000</pubDate></item><item><title>Re: XMPP features now missing from GTalk (aka Hangout Chat)</title><link>http://code-bear.com/bearlog/2013/05/19/xmpp-features-now-missing-from-gtalk-aka-hangout-chat/#comment-902832543</link><description>&lt;p&gt;The bridge is most likely something they threw together to allow old GTalk users to talk to new Hangouts.&lt;/p&gt;&lt;p&gt;After you switch to Hangouts (right now it's voluntary, but I'm pretty sure they will pull the plug soon enough), federation is gone and the only remnant of XMPP is that you can still login to Hangouts via XMPP, but all your buddies from outside Google will be gone, statuses won't work and all you will be able to do - is send one2one messages. Pretty much the same you can do with Facebook Messenger. I'd say it's pretty much "we are too lazy to make a decent client for desktop for those who don't use Chrome all the time, so you can have that). 
Also, my trust in Google is gone and I won't be surprised if they drop that as well shortly.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dmitri Smirnov</dc:creator><pubDate>Mon, 20 May 2013 08:10:08 -0000</pubDate></item><item><title>Re: I welcome Google as the new Borg</title><link>http://code-bear.com/bearlog/2013/05/19/i-welcome-google-as-the-new-borg/#comment-902742221</link><description>&lt;p&gt;Your GMail account is still using the GTalk interface - sign into only Google+ or on your Android after updating and you will see that while you receive presence updates you will not be able to send or receive any chat messages.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bear</dc:creator><pubDate>Mon, 20 May 2013 05:12:10 -0000</pubDate></item><item><title>Re: XMPP features now missing from GTalk (aka Hangout Chat)</title><link>http://code-bear.com/bearlog/2013/05/19/xmpp-features-now-missing-from-gtalk-aka-hangout-chat/#comment-902741482</link><description>&lt;p&gt;Thanks for the response and helping me see more of the details from someone else's view.&lt;/p&gt;&lt;p&gt;Now I guess we get to explore what type of "bridge" they are building (and what materials it's made of - to extend their metaphor.)&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bear</dc:creator><pubDate>Mon, 20 May 2013 05:10:16 -0000</pubDate></item><item><title>Re: I welcome Google as the new Borg</title><link>http://code-bear.com/bearlog/2013/05/19/i-welcome-google-as-the-new-borg/#comment-902738242</link><description>&lt;p&gt;I don't really get it. I can sign in with Psi to my Gmail account and everything works like it always did, including chat in Gmail, federation, etc. 
I don't see what they removed.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Julius Schwartzenberg</dc:creator><pubDate>Mon, 20 May 2013 05:01:16 -0000</pubDate></item><item><title>Re: XMPP features now missing from GTalk (aka Hangout Chat)</title><link>http://code-bear.com/bearlog/2013/05/19/xmpp-features-now-missing-from-gtalk-aka-hangout-chat/#comment-902731211</link><description>&lt;p&gt;Nope, those correcting you are wrong. All that is said in that thread is that they won't pull the plug on old GTalk right away and will let you connect to new hangouts from your favourite XMPP client for the time being.&lt;br&gt;But federation is gone, since Google now wants to wall off its users and build a proprietary IM network hoping to outphase all other IMs. It's like a nightmare, at least we still have email that is interoperable (hope they won't try to "fix" that as well).&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dmitri Smirnov</dc:creator><pubDate>Mon, 20 May 2013 04:41:03 -0000</pubDate></item><item><title>Re: XMPP features now missing from GTalk (aka Hangout Chat)</title><link>http://code-bear.com/bearlog/2013/05/19/xmpp-features-now-missing-from-gtalk-aka-hangout-chat/#comment-902693713</link><description>&lt;p&gt;"Not federated support, but supports interop with XMPP clients. Meaning you can continue to use XMPP clients to log in to Google Talk and those messages will interop with folks on Hangouts."&lt;/p&gt;&lt;p&gt;Gracious lord!&lt;/p&gt;&lt;p&gt;P.S. I'm pissed off!&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Bartosz Małkowski</dc:creator><pubDate>Mon, 20 May 2013 02:56:01 -0000</pubDate></item></channel></rss>