Category Archives: GNU/Linux

All about my involvement in the free software world.

Managing SSL for Jenkins with Sectigo Certificates

At VMSoft, I manage a Jenkins instance that uses SSL. To configure SSL using a certificate issued by Sectigo (in my case), the supplied .crt and .key files must be imported into a keystore, which is then passed as a Jenkins startup parameter.

The process of creating a keystore from the .crt and .key files involves using the openssl command-line utility to create a PKCS#12 file:

openssl pkcs12 -export -in <file_name>.crt -inkey <file_name>.key -out jenkins.p12

Next, convert the resulting .p12 file to a .jks file using the keytool utility, which comes bundled with the JDK:

keytool -importkeystore -srckeystore jenkins.p12 -srcstoretype PKCS12 -destkeystore jenkins.jks -deststoretype JKS

Finally, make Jenkins aware that you want to use HTTPS by editing the jenkins.xml configuration file. Modify the jenkins.war command-line arguments by appending the following:

--httpPort=-1 --httpsPort=8443 --httpsKeyStore=<path_to_key_store_file> --httpsKeyStorePassword=<key_store_password>

Note: If your Jenkins instance fails to start, check the error log. If you see an error like:

java.security.UnrecoverableKeyException: Cannot recover key

ensure that the password you provided during the creation of both the PKCS#12 file and the .jks file is the same. Inconsistent passwords can cause this error.

Copying Cyrillic URLs in Google Chrome and Firefox

Using Google Chrome, I encountered strange bug affecting the copying and pasting of cyrillic urls.

When pasting, the non ASCII characters in the Url are converted to Punycode.

Performing some tests revealed that the same behaviour is present also in Firefox.

Punycode produced by Google Chrome and Firefox

Punycode produced by Google Chrome and Firefox

Doing some research led me to Issue 68718, unfortunately marked as WontFix stating:

Links on Wikipedia itself are a red herring, as comment 50 notes -- they're escaped in the page source.  The actual issue here is demonstrated by the link in comment 0.  We escape URLs when copying them.  This behavior matches Firefox 4 (by default) and Safari 5, though not IE9.

We added this behavior on  issue 2820  to fix a variety of problems in languages like Japanese.  Because those problems resulted in users unable to navigate to the pasted links, whereas this issue seems to be solely about cosmetics (in that escaped URLs are ugly and hard to read), preserving that behavior change seems like the more important thing to do.

Workarounds

Few things can be done if this issue is affecting your day to day usage of Google Chrome…

  • Before copying the URL add any character at the end of it, then erase it. After this operation the copied URL will preserve its structure not producing punycode when pasted.
  • Use the COPY URL extension.
  • Use a different browser. Microsoft Edge on Windows and Safari on OSX are producing the expected results.

Featured Image: https://wallpapercave.com/w/A7ZAUTz

Gentoo Linux

Gentoo: No image size information in Dolphin

Dolphin 16.04.3

Dolphin 16.04.3

One thing that was not working with my Gentoo installation was the information for image dimensions (and image data in general) in Dolphin. The resolution is to rebuild Dolphin with the semantic-desktop use flag turned on.

echo "kde-apps/dolphin semantic-desktop" &gt;&gt; /etc/portage/package.use/dolphin
emerge --ask kde-apps/dolphin

I thing that this flag should be on by default when building a system with KDE desktop profile or at least mentioned somewhere in the Gentoo wiki.

Gentoo Linux: Ugly fonts in NetBeans and how to fix them

I recently installed Gentoo GNU/Linux + KDE 5 on my dev machine. One thing that was bugging me was the crappy font rendering in NetBeans.

To relolve the problem, locate your netbeans.conf file. Usually under /etc in your NetBeans installation folder, and append to netbeans_default_options the follwing:

-J-Dswing.aatext=true -J-Dawt.useSystemAAFontSettings=lcd --laf Metal

This will enable font smoothing in SWING and use default system settings for font smoothing. The last entry –laf Metal sets the preferred UI theme for the IDE, it should be Swing based theme such as Metal or Numbus.

Happy coding 🙂

ERROR: dev-python/cryptography-1.1.2::gentoo failed (compile phase)

Latest

emerge --sync
emerge --update --deep --newuse @world

broke “dev-python/cryptography” on my development “server”. By server I mean Intel Celeron at 400Mhz with 768Mb of RAM. Currently running MySQL, Apache, Apache Tomcat, Samba and Deluge.

i686-pc-linux-gnu-gcc -O2 -march=pentium2 -pipe -fomit-frame-pointer -fno-ident -fPIC -I/usr/include/python2.7 -c /var/tmp/portage/dev-python/cryptography-1.1.2/work/cryptography-1.1.2-python2_7/temp.linux-i686-2.7/_openssl.c -o /var/tmp/portage/dev-python/cryptography-1.1.2/work/cryptography-1.1.2-python2_7/temp.linux-i686-2.7/var/tmp/portage/dev-python/cryptography-1.1.2/work/cryptography-1.1.2-python2_7/temp.linux-i686-2.7/_openssl.o
/var/tmp/portage/dev-python/cryptography-1.1.2/work/cryptography-1.1.2-python2_7/temp.linux-i686-2.7/_openssl.c:2096:15: error: ‘SSLv2_method’ redeclared as different kind of symbol
 SSL_METHOD* (*SSLv2_method)(void) = NULL;

As the build error says dev-python/cryptography is looking for SSLv2. Doing

equery u openssl
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for dev-libs/openssl-1.0.2h-r2:
 U I
 + + asm                : Support assembly hand optimized crypto functions (i.e. faster run time)
 + + bindist            : Disable EC algorithms (as they seem to be patented) -- note: changes the ABI
 - - cpu_flags_x86_sse2 : Use the SSE2 instruction set
 - - gmp                : Add support for dev-libs/gmp (GNU MP library)
 - - kerberos           : Add kerberos support
 - - rfc3779            : Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers)
 - - sctp               : Support for Stream Control Transmission Protocol
 - - sslv2              : Support for the old/insecure SSLv2 protocol -- note: not required for TLS/https
 + + sslv3              : Support for the old/insecure SSLv3 protocol -- note: not required for TLS/https
 - - static-libs        : Build static versions of dynamic libraries as well
 - - test               : Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles this internally, so don't set it in
                          make.conf/package.use anymore
 + + tls-heartbeat      : Enable the Heartbeat Extension in TLS and DTLS
 - - vanilla            : Do not add extra patches which change default behaviour; DO NOT USE THIS ON A GLOBAL SCALE as the severity of the meaning changes
                          drastically
 + + zlib               : Add support for zlib (de)compression

Reveled that OpenSSL is build with ought SSLv2 suport. Adding sslv2 use flag for OpenSSL and rebuilding resolved the problem.

echo "dev-libs/openssl sslv2" > /etc/portage/package.use/openssl

According to me, this is a bug in “dev-python/cryptography“. The ebuild should do some kind of checking if sslv2 use flag is enabled, or it should introduce use flags controlling the version of ssl used.