Test a connection for SSL3/TLS1.1/TLS1.2

One of the EMS servers in my project needs SSL3 disabled. The question quickly arises: how do I test a connection explicitly for SSL3 or TLS 1.0, 1.1 or 1.2? Two tools can help you there: openssl and nmap. Both are available for free and can be used remotely to test your server.

OpenSSL

openssl s_client -connect SERVER:PORT -ssl3 -CApath PATH_TO_TRUSTED_CERTIFICATES -certform DER

For SERVER, enter the hostname or IP address of the server you want to test.
PORT is the port that has SSL or TLS enabled.
PATH_TO_TRUSTED_CERTIFICATES is the path to the trusted certificates. This may be useful for self-signed certificates your server uses. The certform parameter sets the format of the trusted certificates.
Use the -ssl3 flag to test explicitly for SSL3. The flags -tls1, -tls1_1 and -tls1_2 test explicitly for TLS 1.0, 1.1 and 1.2.

The output may look like this:

SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA

You can deduce a TLS 1.0 connection was made with the DHE-RSA-AES256-SHA cipher suite.
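To confirm that SSL3 is really off, the probe has to distinguish "server refused the protocol" from "my local openssl build no longer knows the -ssl3 flag". The script below is an added example, not part of the original post: it runs the four flags from above and classifies each s_client output. The sample outputs are constructed, and the "unknown option" error wording is an assumption about the local build.

```shell
#!/bin/sh
# Added example: probe each protocol flag and classify the s_client output.

# classify_probe: reads s_client output on stdin and prints one of
#   accepted:<protocol>:<cipher>  handshake completed with this protocol
#   rejected                      no cipher negotiated (server refused it)
#   unsupported                   local openssl build does not know the flag
classify_probe() {
  awk '
    /[Uu]nknown option/      { unsupported = 1 }  # assumed error wording
    /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
    /^[ \t]*Cipher[ \t]*:/   { cipher = $NF }
    END {
      if (unsupported)
        print "unsupported"
      else if (cipher != "" && cipher != "0000" && cipher != "(NONE)")
        print "accepted:" proto ":" cipher
      else
        print "rejected"
    }'
}

# probe_server SERVER PORT: prints one result line per protocol flag.
probe_server() {
  for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
    result=$(openssl s_client -connect "$1:$2" "$flag" </dev/null 2>&1 |
             classify_probe)
    printf '%-8s %s\n' "$flag" "$result"
  done
}

# Constructed sample outputs for an offline check (not captured from a server).
SAMPLE_ACCEPTED='SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA'
SAMPLE_REJECTED='SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'
SAMPLE_UNSUPPORTED='s_client: Unknown option: -ssl3'

# Run against a real server only when SERVER and PORT are given.
if [ "$#" -eq 2 ]; then probe_server "$1" "$2"; fi
```

A "rejected" result also covers an unreachable host, so check that at least one flag is accepted before concluding that SSL3 is disabled.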

NMAP

nmap is a useful tool too. It presents you with a list of the available cipher suites for each protocol.

nmap --script ssl-enum-ciphers SERVER -p PORT

For SERVER, insert the server name or IP address of your server, and for PORT the port number running SSL or TLS.

Which version of OpenSSL supports TLS 1.1 and TLS 1.2 or does TIBCO EMS support TLS 1.1 and TLS 1.2

In my current project we got quite confused about which version of OpenSSL (or more correctly, which branch of OpenSSL) starts supporting TLS 1.1 and TLS 1.2.

The OpenSSL project page is not very explicit there. But the OpenSSL Cookbook, which is accessible for free here, provided us with an answer:

The version 1.0.1 [OpenSSL 1.0.1] is especially significant because it is the first version to support TLS 1.1 and 1.2.

This means that a Tibco EMS Server based on a pre-1.0.1 version of OpenSSL will not support TLS 1.1 or 1.2. At the time of writing, Tibco EMS Servers from version 8.2.2 onwards use OpenSSL 1.0.1p.

Java StringFormat format specifiers

I like using the String.format method in Java when concatenating strings. It’s a bit ugly to have something like "The error "+e.getMessage()+" occurred.". Using String.format("The error %s occurred", e.getMessage()) is a bit easier to read, and I can externalize the string much more easily. However, I often forget the format specifiers available in Java. Here is a list of some common specifiers I use regularly.

%s String
%f decimal values
%n New line
%d numbers

For more detailed info, look at the Formatter class. It’s quite powerful and you will find some more interesting specifiers there.

Cygwin: mapping your Windows drives

So there we are again. You are using cygwin to perform some handy unix tasks on Windows. Unfortunately, the initial mapping of the Windows drives in Cygwin is a bit uncomfortable via /cygdrive/ (e.g. /cygdrive/c). I like to place some symbolic links such as /c to access my C-Drive on Windows to make my life with cygwin a bit easier. Here are the commands:

ln -s /cygdrive/c /c
ln -s /cygdrive/k /k
ln -s /cygdrive/l /l
ln -s /cygdrive/o /o

Android facebook_non_json_result when trying to retrieve the profile picture

So I started some development on Android, and it just so happened that I wanted to use the Facebook API. My aim was to retrieve my profile picture. I figured out the appropriate graph request using the Graph API Explorer from Facebook. I tried to implement the API request like this:

// Request without parameters: this is the call that produced the error.
new GraphRequest(
        AccessToken.getCurrentAccessToken(),
        "me/picture",
        null,
        HttpMethod.GET,
        new GraphRequest.Callback() {
            @Override
            public void onCompleted(GraphResponse response) {
                try {
                    // Expects a JSON body of the form {"data": {"url": ...}}
                    String picUrlString = response.getJSONObject().getJSONObject("data").getString("url");
                } catch (JSONException e) {
                    e.printStackTrace();
                }
            }
        }
).executeAsync();

I always received a response stating a FACEBOOK_NON_JSON_RESULT. So looking back in Facebook’s graph API explorer I noted a little checkbox with the label redirect checked. Some googling showed me that I needed to provide a parameter to my GraphRequest that disallows the redirect. Hence the correct request must be:

// redirect=false makes the Graph API answer with JSON that contains the
// picture URL instead of redirecting to the image itself.
Bundle params = new Bundle();
params.putBoolean("redirect", false);

new GraphRequest(
        AccessToken.getCurrentAccessToken(),
        "me/picture",
        params,
        HttpMethod.GET,
        new GraphRequest.Callback() {
            @Override
            public void onCompleted(GraphResponse response) {
                try {
                    // The picture URL is found under data.url in the JSON body.
                    String picUrlString = response.getJSONObject().getJSONObject("data").getString("url");
                } catch (JSONException e) {
                    e.printStackTrace();
                }
            }
        }
).executeAsync();

Hope it’ll help you!

View a CSR with OpenSSL

Viewing a CSR is possible with openssl. Just type the following command:

openssl req -noout -text -in mycsr.csr

If your CSR is DER-encoded, provide -inform DER, that is:

openssl req -noout -text -in mycsr.csr -inform DER

Generate a CSR with OpenSSL

The command below generates a new 2048-bit private key and a certificate signing request (CSR). The -nodes option writes the private key to mykey.key without passphrase encryption.

openssl req -new -newkey rsa:2048 -nodes -out mycsr.csr -keyout mykey.key -subj "/C=US/ST=New Jersey/O=def/OU=ghi/CN=*.mysite.com"
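Before a CSR goes to a CA, it is worth checking that its self-signature verifies, that it belongs to the key you kept, and whether that key sits on disk unencrypted (which -nodes causes). The functions below are an added example covering the view and generate steps above; they are not from the original post, and the file names are whatever you pass in.

```shell
#!/bin/sh
# Added example: sanity checks for a PEM CSR and its private key.

# csr_signature_ok CSR: returns 0 if the CSR's self-signature verifies.
csr_signature_ok() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_matches_key CSR KEY: returns 0 if the CSR carries the public half of KEY,
# 1 if it does not, 2 if either file could not be read.
csr_matches_key() {
  csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$csr_pub" = "$key_pub" ]
}

# csr_subject CSR: prints the subject for a visual check of CN, O and OU.
csr_subject() {
  openssl req -in "$1" -noout -subject
}

# key_is_encrypted KEY: returns 0 if the PEM key is passphrase-protected.
# A key written with -nodes has no ENCRYPTED marker in its PEM text.
key_is_encrypted() {
  grep -q 'ENCRYPTED' "$1"
}

# Usage: script.sh mycsr.csr mykey.key
if [ "$#" -eq 2 ]; then
  csr_subject "$1"
  csr_signature_ok "$1" && echo "signature: OK"
  csr_matches_key "$1" "$2" && echo "key: matches CSR"
  key_is_encrypted "$2" || echo "key: stored unencrypted"
fi
```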

Getting folder sizes on UNIX

Over time the disk on your development machine running some kind of UNIX gets full, and the question comes up of how to find the folders taking up so much space:

du -s */ .[!.]*/ | sort -n

The .[!.]* pattern includes hidden folders in the listing. Very handy indeed.

If you want to dig deeper into the subdirectories, things get a bit more complicated. But here it is:

find ./ -type d -exec du -s {} + | sort -n

Improving TIBCO Designer’s performance

The Tibco Designer must have been developed in an ancient time, when memory was expensive and not so abundant. There’s no other reason why the default settings for the Designer are set so low.

Anyway, probably after some horrible experiences working with the Designer in large BusinessWorks projects, you just want to tweak the Designer. The way to do it is via the designer.tra file. In a typical Windows installation you will find it under C:\tibco\designer\5.x\bin. Open it with your favourite text editor.

First, increase the Java heap space to 1G. This is done under:

## Specifies the initial Java heap size to allocate
tibco.env.HEAP_SIZE 1G

Increasing the heap will provide you with a significant boost. But looking into the Designer’s process with VisualVM, you’ll notice that the PermGen space is pretty low. To increase it, use the entry java.extended.properties. I’ve set it to 512M. I also added a few other settings there. The details on those can be found here.

My final config looks like this:

## Specifies the initial Java heap size to allocate
tibco.env.HEAP_SIZE 1G

java.extended.properties=-XX:+AggressiveOpts -XX:-UseParallelGC -XX:-UseConcMarkSweepGC -XX:MaxPermSize=512M -XX:+UseFastAccessorMethods -Xverify:none -Dsun.java2d.pmoffscreen=false

This was all using Java JDK 6. It would be interesting to see how Tibco Designer performs under JDK 8.

Find all constraints in Oracle DB

Sometimes (or maybe quite often) you get a problem with some DB constraint in Oracle. Unfortunately, you don’t know exactly which table this constraint applies to (e.g. you are using system-generated constraint names). With the SQL below, you can query by constraint name and find out which table, column and constraint type you are dealing with.

select * from all_constraints where constraint_name='Some Constraint Name'