Friday, 30 January 2015

Compile OpenSSH 6.7 with LibreSSL on OSX (10.10 / Yosemite)

Let's say you want to use the newest version of OpenSSH on your MacBook / OSX for reasons like:
  • your current version is too old for newer ciphers, key exchanges, etc.
  • you trust LibreSSL more than some OSSLShim
  • you are just some hipster that wants to have cipherli.st running
No worries, in this short tutorial I will show you how to compile OpenSSH 6.7p1 from source without replacing the currently installed ssh implementation shipped by OSX.

We will be using LibreSSL instead of OpenSSL which is easier to compile and might be more secure than OpenSSL itself.

Some of the steps I took from the Homebrew formula here: https://github.com/Homebrew/homebrew-dupes/blob/master/openssh.rb

Get sources


$ wget \
http://mirror.is.co.za/mirror/ftp.openbsd.org/OpenSSH/portable/openssh-6.7p1.tar.gz \
http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.17.tar.gz \
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.1.3.tar.gz

Compile LibreSSL


$ tar xvfz libressl-2.1.3.tar.gz
$ cd libressl-2.1.3
$ ./configure --prefix=/opt/libressl --with-openssldir=/System/Library/OpenSSL --with-enginesdir=/opt/libressl
$ make
$ sudo make install

Compile ldns


$ tar xvfz ldns-1.6.17.tar.gz
$ cd ldns-1.6.17
$ ./configure --with-ssl=/opt/libressl
$ make
$ sudo make install

Compile OpenSSH


$ tar xvfz openssh-6.7p1.tar.gz
$ cd openssh-6.7p1

$ wget \
https://trac.macports.org/export/131258/trunk/dports/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch \
https://gist.githubusercontent.com/sigkate/fca7ee9fe1cdbe77ba03/raw/6894261e7838d81c76ef4b329e77e80d5ad25afc/patch-openssl-darwin-sandbox.diff \
https://trac.macports.org/export/131258/trunk/dports/net/openssh/files/launchd.patch

$ patch -p1 < 0002-Apple-keychain-integration-other-changes.patch
$ patch -p1 < patch-openssl-darwin-sandbox.diff
$ patch -p1 < launchd.patch

$ autoreconf -i
$ export CPPFLAGS="-D__APPLE_LAUNCHD__ -D__APPLE_KEYCHAIN__ -D__APPLE_SANDBOX_NAMED_EXTERNAL__"
$ export LDFLAGS="-framework CoreFoundation -framework SecurityFoundation -framework Security"
$ ./configure \
--prefix=/opt/openssh \
--sysconfdir=/etc/ssh \
--with-zlib \
--with-ssl-dir=/opt/libressl \
--with-pam \
--with-privsep-path=/opt/openssh/var/empty \
--with-md5-passwords \
--with-pid-dir=/opt/openssh/var/run \
--with-libedit \
--with-ldns \
--with-kerberos5 \
--without-xauth \
--without-pie
$ make
$ sudo make install


Use newly installed ssh-agent



$ sudo nano /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
(replace the path /usr/bin/ssh-agent in that file with /opt/openssh/bin/ssh-agent)

$ sudo launchctl unload /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
$ sudo launchctl load /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

Set alias


$ echo "alias ssh=/opt/openssh/bin/ssh" >> ~/.bash_profile


Reboot!


(verify with "ssh -V"; note that the alias only covers interactive bash shells, so scp, sftp, git and anything else that spawns ssh itself will keep using the stock /usr/bin/ssh unless you also put /opt/openssh/bin first in your PATH)

Saturday, 22 November 2014

Hunspell spell checking under PHP with enchant

The spell checking that works perfectly on Google Chrome, OpenOffice and Mozilla Firefox is available to you and PHP as well - all thanks to open source software!

The above mentioned apps use the "Hunspell" library, which can be used directly under PHP without resorting to ugly (and insecure) exec/system calls.

The following steps I did on my OSX MBP (10.10 / Yosemite), but they will be very similar on any Linux/Unix system (it might even be easier on Ubuntu or Debian via their package system).
Just make sure you use at least libenchant 1.5.


Compile and Install hunspell


$ wget http://downloads.sourceforge.net/hunspell/hunspell-1.3.3.tar.gz
$ tar xvfz hunspell-1.3.3.tar.gz
$ cd hunspell-1.3.3
$ ./configure
$ make
$ sudo make install

Compile and Install libenchant


$ wget http://www.abisource.com/downloads/enchant/1.6.0/enchant-1.6.0.tar.gz
$ tar xvfz enchant-1.6.0.tar.gz
$ cd enchant-1.6.0
$ ./autogen.sh
$ ./configure
$ make
$ sudo make install

Compile and Install php-enchant (in this case as shared lib)


(there is currently a bug in the configure file that does not recognize your libenchant version and thus does not give you some of the newer features; the patch is here)

$ cd php-5.5.14/ext/enchant/
$ phpize
$ ./configure
$ make
$ sudo make install

Something something extension=enchant.so in your php.ini...

Dictionaries

$ cd Dicts
$ sudo wget https://chromium.googlesource.com/chromium/deps/hunspell_dictionaries/+archive/master.tar.gz
$ sudo tar xvfz master.tar.gz

Sample usage
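The following is an added example, not code from the original post: it checks a list of user-supplied words through the php-enchant extension, so no exec/system call is involved. It assumes the Chromium dictionaries were unpacked into /opt/dicts (placeholder path, adjust to wherever your "Dicts" directory is) and that en_US.dic/en_US.aff are in there.

```php
<?php
// Added example (not from the original post): spell-check words with php-enchant.
// Assumption: hunspell dictionaries (en_US.dic, en_US.aff, ...) live in /opt/dicts.

function spellcheck_words(string $dictPath, string $lang, array $words): array
{
    $broker = enchant_broker_init();
    // Point the myspell/hunspell backend at the directory holding the .dic/.aff files.
    enchant_broker_set_dict_path($broker, ENCHANT_MYSPELL, $dictPath);

    if (!enchant_broker_dict_exists($broker, $lang)) {
        enchant_broker_free($broker);
        throw new RuntimeException("no dictionary for $lang found in $dictPath");
    }
    $dict = enchant_broker_request_dict($broker, $lang);

    $report = [];
    foreach ($words as $word) {
        // Only letters and apostrophes are handed to the dictionary; anything else is
        // flagged right away instead of being passed through.
        if (!preg_match('/^\p{L}[\p{L}\']*$/u', $word)) {
            $report[$word] = ['ok' => false, 'suggestions' => []];
            continue;
        }
        $ok = enchant_dict_check($dict, $word);
        $report[$word] = [
            'ok'          => $ok,
            // Up to five suggestions for a misspelled word, none for a correct one.
            'suggestions' => $ok ? [] : array_slice(enchant_dict_suggest($dict, $word), 0, 5),
        ];
    }

    enchant_broker_free_dict($dict);
    enchant_broker_free($broker);
    return $report;
}

// Constructed input, as it might arrive from a form field.
$input = 'Teh quick brown fox jumps ovr the lazy dog';
$words = preg_split('/\s+/', trim($input));

foreach (spellcheck_words('/opt/dicts', 'en_US', $words) as $word => $result) {
    printf("%-6s %s %s\n",
        $word,
        $result['ok'] ? 'ok' : 'MISSPELLED',
        $result['ok'] ? '' : implode(', ', $result['suggestions']));
}
```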

Wednesday, 12 November 2014

Compile libffi under OSX (10.10 / Yosemite)

Sometimes when playing around and compiling stuff you can mess up your system badly.

In this case I was compiling libffi on my OSX 10.10 system without knowing that other apps were linking to it - especially Adobe Acrobat Reader (but it seems Skype also depends on it). Unfortunately it links to a 32-bit version of that library and thus crashes on startup (though the screenshot is actually from after I deleted the library out of frustration).


Libffi is distributed by Apple/OSX directly, so it won't help to re-install Adobe Acrobat Reader or Skype, instead you will just have to recompile it!

I would not consider it a common problem as most MacBook Fanboys do not even know what a terminal is, but just in case, here are the steps to create a fat file (i.e. a universal binary supporting both 32-bit and 64-bit architectures) of libffi for your OSX 10.10 (Yosemite) system:


Download libffi and prepare

$ wget ftp://sourceware.org/pub/libffi/libffi-3.1.tar.gz
$ tar xvfz libffi-3.1.tar.gz
$ cd libffi-3.1
$ rm -rf ~/libffi
$ mkdir -p ~/libffi/32 ~/libffi/64

Compile libffi as 32bit

$ make clean
$ CXXFLAGS=-m32 CFLAGS=-m32 LDFLAGS=-m32 ./configure --prefix=/usr --build=i386-apple-darwin14.0.0
$ make
$ cp i386-apple-darwin14.0.0/.libs/* ~/libffi/32

Compile libffi as 64bit

$ make clean
$ CXXFLAGS=-m64 CFLAGS=-m64 LDFLAGS=-m64 ./configure --prefix=/usr --build=x86_64-apple-darwin14.0.0
$ make
$ cp x86_64-apple-darwin14.0.0/.libs/* ~/libffi/64

Create Fat File/Lib aka "Universal Binary" and Install (poor man's version)

$ sudo lipo -create ~/libffi/{32,64}/libffi.a -output /usr/lib/libffi.a
$ sudo lipo -create ~/libffi/{32,64}/libffi.6.dylib -output /usr/lib/libffi.6.dylib
$ sudo ln -s /usr/lib/libffi.6.dylib /usr/lib/libffi.dylib


All done! Now go enjoy your working system again... oh of course you could also use macports, I guess..

Monday, 11 August 2014

Compile Lighttpd with LibreSSL

As LibreSSL is gaining popularity you might want to switch your compiled Lighttpd version with one that uses LibreSSL for your https.

Tested on Debian Squeeze, but should work on Wheezy/Ubuntu in a similar way.

Prerequisites

$ sudo apt-get install make gcc libev-dev libpcre3-dev zlib1g-dev libbz2-dev gamin libgamin-dev liblua5.1-0-dev
$ wget \
http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.35.tar.gz \
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.0.5.tar.gz
$ tar xvfz libressl-2.0.5.tar.gz && tar xvfz lighttpd-1.4.35.tar.gz

Compile & Install LibreSSL

We are installing it in a non-standard path so it won't interfere with your existing openssl/libssl(-dev).

$ cd libressl-2.0.5
$ ./configure --prefix=/opt/libressl
$ make
$ sudo make install

Verify the LibreSSL Installation

$ /opt/libressl/bin/openssl version
LibreSSL 2.0

Compile Lighttpd with LibreSSL

$ cd ../lighttpd-1.4.35
$ wget https://gist.github.com/lifeofguenter/7ef3fe9e089fcb24baed/raw/316108a350f69d622c17d0801cc429388cf36cef/lighttpd-libressl.patch
$ patch -p1 < lighttpd-libressl.patch
$ ./configure \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--with-libev \
--with-pcre \
--with-zlib \
--with-bzip2 \
--with-fam \
--with-lua \
--with-openssl=/opt/libressl
$ make
$ sudo make install

Verify the Lighttpd Installation

$ lighttpd -v
lighttpd/1.4.35 (ssl) - a light and fast webserver
Build-Date: Aug 11 2014 12:54:04

Please have a look at the following URLs for further Documentation on configuring Lighttpd + SSL:

Wednesday, 6 August 2014

Parallel/Asynchronous DNS resolving in PHP

In PHP one key for a scalable and performant web application is parallelism, whenever and wherever possible, even if you use queues. The most popular usage of parallelism in PHP is probably curl_multi_*.
In this post I will show you how to do multiple DNS requests lightning fast with two different approaches / PHP extensions.

In both cases the DNS requests are done asynchronously, meaning even with multiple requests the whole process will only take as long as the longest request takes (in theory).

PHP's internal DNS functions rely on resolv.conf, which in most cases is not heavily optimized and defaults to a rather long timeout of 5 seconds.
So even if you only need single DNS lookups, both extensions might still be interesting, as you can change that behaviour dynamically, which is what PHP is all about, isn't it?


pecl-ares


pecl-ares offers PHP bindings for the c-ares library (affiliated with cURL).
I was happy that Michael Wallner (you might know him from pecl-http) offered to help revive the code, as it had not had a release in four years. So to get it running with the current c-ares version on a modern system, you should have a look at its git.
pecl-ares also allows the usage of callbacks which might be useful for certain scenarios.

Installation (assuming php-fpm)

$ sudo apt-get install libc-ares-dev php5-dev
$ git clone https://git.php.net/repository/pecl/networking/ares.git php-ares
$ cd php-ares
$ phpize
$ ./configure
$ make
$ sudo make install
$ echo "extension=ares.so" | sudo tee /etc/php5/mods-available/ares.ini
$ sudo php5enmod ares

Usage


It does not offer any documentation yet, but the source code is easy to understand; anyway, here is an example:

<?php

$ares = ares_init([
    'timeoutms' => 2000,
    'tries'     => 1,
    //'udp_port'  => 53,
    //'tcp_port'  => 53,
    'servers'   => ['8.8.8.8'],
    'flags'     => ARES_FLAG_NOALIASES|ARES_FLAG_NOSEARCH,
]);

$q = [];
$q[] = ares_query($ares, null, 'www.lifeofguenter.de', ARES_T_A);
$q[] = ares_query($ares, null, 'lifeofguenter.de', ARES_T_A);

// pump the event loop until c-ares reports no more pending sockets
do {
    $n = ares_fds($ares, $r, $w);
    ares_select($r, $w, 100);
    ares_process($ares, $r, $w);
} while ($n);

// collect each reply; $errno and $errstr are set when a query failed
foreach ($q as $query) {
    var_dump(ares_result($query, $errno, $errstr));
}

ares_destroy($ares);
unset($ares);


php-rdns


php-rdns offers OOP PHP bindings for librdns (same guy behind rspamd) and uses libev for event looping. "We" recently developed it for a client of ours and released it as open source. It is highly simplified and some things might not yet be implemented or working correctly, but if you are interested we are always happy to see a pull request. Initial development was done by Alexander Solovets and later bug-fixing by Eduardo Silva (lead dev/founder of monkey webserver).

Installation (assuming php-fpm)


$ sudo apt-get install libev-dev php5-dev
$ wget https://github.com/weheartwebsites/php-rdns/releases/download/v0.1.1/rdns-0.1.1.tgz
$ tar xvfz rdns-0.1.1.tgz
$ cd rdns-0.1.1/
$ phpize
$ ./configure
$ make
$ sudo make install
$ echo "extension=rdns.so" | sudo tee /etc/php5/mods-available/rdns.ini
$ sudo php5enmod rdns
$ sudo /etc/init.d/php-fpm restart

Usage

(full documentation on GitHub)

<?php

$rdns = new RDNS;
$rdns->addServer('8.8.8.8');

$rdns->addRequest('www.lifeofguenter.de', RDNS_A, 2);
$rdns->addRequest('lifeofguenter.de', RDNS_A, 2);
$replies = $rdns->getReplies();
ksort($replies);

var_dump($replies);
unset($rdns);

You might also be interested in ReactPHP or swoole, which are event-driven solutions to this problem.