Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
1
Web Server - Ask For Help / Re: Intermittent error using Twilio SMS example
« on: November 23, 2021, 01:12:20 AM »
Ooh! 
Definitely going to try that out...
Thanks for the follow-up!
Definitely going to try that out...Thanks for the follow-up!
2
Web Server - Ask For Help / Re: Intermittent error using Twilio SMS example
« on: November 22, 2021, 10:09:00 AM »
Hi Casey,
I don't believe Bruce has managed to get Subject Alternative Name (SAN) checking into NetTalk, yet. I suspect what you were running into is one of the servers that Twilio uses to receive requests could potentially have a certificate where the Fully Qualified Domain Name (FQDN) used to reach Twilio is listed as a SAN of a larger certificate, rather than the Common Name (CN), or primary FQDN, on the certificate. Most browsers won't complain all that much as long as the FQDN it's reaching out to is listed either as the CN, or a SAN, because they have that checking built in.
We'll get there, someday. Until then, your workaround is the solution. I prefer to make this toggle an option for the user, so they can decide if they want to accept the implied risk of not checking the CN; but I hate encouraging less secure habits like that.
As for billing for SMS ... FWIW, my personal suggestion would be to simply offer your customers the ability to supply their own access token to the Twilio service, and they buy the service directly from Twilio if they want to use it. That may not work with your application model, I don't know. For our SaaS offering, we will provide a "default" configuration that can be overridden by our customers if they don't want to use our supplied configurations, but we pay for the "default" services directly and consider it a cost of doing business.
Regards,
Flint
I don't believe Bruce has managed to get Subject Alternative Name (SAN) checking into NetTalk, yet. I suspect what you were running into is one of the servers that Twilio uses to receive requests could potentially have a certificate where the Fully Qualified Domain Name (FQDN) used to reach Twilio is listed as a SAN of a larger certificate, rather than the Common Name (CN), or primary FQDN, on the certificate. Most browsers won't complain all that much as long as the FQDN it's reaching out to is listed either as the CN, or a SAN, because they have that checking built in.
We'll get there, someday. Until then, your workaround is the solution. I prefer to make this toggle an option for the user, so they can decide if they want to accept the implied risk of not checking the CN; but I hate encouraging less secure habits like that.
As for billing for SMS ... FWIW, my personal suggestion would be to simply offer your customers the ability to supply their own access token to the Twilio service, and they buy the service directly from Twilio if they want to use it. That may not work with your application model, I don't know. For our SaaS offering, we will provide a "default" configuration that can be overridden by our customers if they don't want to use our supplied configurations, but we pay for the "default" services directly and consider it a cost of doing business.
Regards,
Flint
3
Web Server - Ask For Help / Re: NT12 Let's Encrypt: The URL for the Fetch command was blank
« on: November 08, 2021, 03:56:22 PM »
I did eventually get a successful callback, but I don't know why ... nothing actually changed!
[11/08/21-16:52:43] Server Restarted
[11/08/21-16:52:43] Dates: <redacted> From: 8 NOV 2021 To: 6 FEB 2022
[11/08/21-16:52:43] Setting Folders for Domain [<redacted>]
[11/08/21-16:52:43] Certificate received For <redacted>
[11/08/21-16:52:42] Requesting Certificate For <redacted>
[11/08/21-16:52:42] Finalized. Will now fetch certificate
[11/08/21-16:52:41] Finalize Request <redacted>
[11/08/21-16:52:41] Hostname resolved to: <redacted>
[11/08/21-16:52:41] Challenge was valid. Will now finalize
[11/08/21-16:52:41] Status: "valid"
[11/08/21-16:52:41] Setting Folders for Domain [<redacted>]
[11/08/21-16:52:41] Setting Folders for Domain [<redacted>]
[11/08/21-16:52:41] Setting Folders for Domain [<redacted>]
[11/08/21-16:52:41] Setting Folders for Domain [<redacted>]
[11/08/21-16:52:41] Get Authorize <redacted>
[11/08/21-16:52:40] Checking Status
[11/08/21-16:52:40] Notify Server Challenge is Ready
[11/08/21-16:52:40] LE Server will now fetch http://<redacted>:80/.well-known/acme-challenge/6Gq6qERm5kqIbwgx0lTZTJYjxa3MBzg9BRigmMHtHnE
[11/08/21-16:52:40] Challenge Token Saved C:\Clarion\WebApp\ws\.well-known\acme-challenge\6Gq6qERm5kqIbwgx0lTZTJYjxa3MBzg9BRigmMHtHnE
[11/08/21-16:52:40] Get Authorize <redacted>
[11/08/21-16:52:39] Authorize Request <redacted>
[11/08/21-16:52:38] Registering Account <redacted> at https://acme-v02.api.letsencrypt.org/acme/new-acct
[11/08/21-16:52:37] Time to update the certificate <redacted>
[11/08/21-16:52:37] Dates: <redacted> From: 9 JUN 2021 To: 7 SEP 2021
[11/08/21-16:52:36] Setting Folders for Domain [<redacted>]
[11/08/21-16:52:36] Created C:\Clarion\AccuFund\bin\certificates\<redacted>.csr.der
[11/08/21-16:52:36] Setting Folders for Domain [<redacted>]
[11/08/21-16:52:43] Server Restarted
[11/08/21-16:52:43] Dates: <redacted> From: 8 NOV 2021 To: 6 FEB 2022
[11/08/21-16:52:43] Setting Folders for Domain [<redacted>]
[11/08/21-16:52:43] Certificate received For <redacted>
[11/08/21-16:52:42] Requesting Certificate For <redacted>
[11/08/21-16:52:42] Finalized. Will now fetch certificate
[11/08/21-16:52:41] Finalize Request <redacted>
[11/08/21-16:52:41] Hostname resolved to: <redacted>
[11/08/21-16:52:41] Challenge was valid. Will now finalize
[11/08/21-16:52:41] Status: "valid"
[11/08/21-16:52:41] Setting Folders for Domain [<redacted>]
[11/08/21-16:52:41] Setting Folders for Domain [<redacted>]
[11/08/21-16:52:41] Setting Folders for Domain [<redacted>]
[11/08/21-16:52:41] Setting Folders for Domain [<redacted>]
[11/08/21-16:52:41] Get Authorize <redacted>
[11/08/21-16:52:40] Checking Status
[11/08/21-16:52:40] Notify Server Challenge is Ready
[11/08/21-16:52:40] LE Server will now fetch http://<redacted>:80/.well-known/acme-challenge/6Gq6qERm5kqIbwgx0lTZTJYjxa3MBzg9BRigmMHtHnE
[11/08/21-16:52:40] Challenge Token Saved C:\Clarion\WebApp\ws\.well-known\acme-challenge\6Gq6qERm5kqIbwgx0lTZTJYjxa3MBzg9BRigmMHtHnE
[11/08/21-16:52:40] Get Authorize <redacted>
[11/08/21-16:52:39] Authorize Request <redacted>
[11/08/21-16:52:38] Registering Account <redacted> at https://acme-v02.api.letsencrypt.org/acme/new-acct
[11/08/21-16:52:37] Time to update the certificate <redacted>
[11/08/21-16:52:37] Dates: <redacted> From: 9 JUN 2021 To: 7 SEP 2021
[11/08/21-16:52:36] Setting Folders for Domain [<redacted>]
[11/08/21-16:52:36] Created C:\Clarion\AccuFund\bin\certificates\<redacted>.csr.der
[11/08/21-16:52:36] Setting Folders for Domain [<redacted>]
4
E-Mail - Ask For Help / Re: DKIM Signing
« on: November 08, 2021, 02:40:46 PM »
Hi Rupert,
I know this is an old post, but I didn't see any replies, here, so I'm guessing you haven't solved it.
I assume you acting as the mail client, or the mail server? If you are acting as the mail client, then the mail server is charged with signing the message on the way out. If you're using GSuite, or Office365, for instance, there are plenty of resources for configuring DKIM. If you're acting as the mail server, then I'm afraid I don't have any guidance for you, but there must be RFCs on the subject you could lean on.
I know this is an old post, but I didn't see any replies, here, so I'm guessing you haven't solved it.
I assume you acting as the mail client, or the mail server? If you are acting as the mail client, then the mail server is charged with signing the message on the way out. If you're using GSuite, or Office365, for instance, there are plenty of resources for configuring DKIM. If you're acting as the mail server, then I'm afraid I don't have any guidance for you, but there must be RFCs on the subject you could lean on.
5
Web Server - Ask For Help / Re: NT 12.19 Security question
« on: November 08, 2021, 01:12:46 PM »
Hi Jeff,
This could be part of the problem. The EXE in particular needs to be signed, but you should also sign the DLLs as a matter of best practice. I'm not certain that it will have any impact on your app's ability to run, but Windows certainly would complain about it. You could first try signing the app with your home-built code signing certificate, and then cause the server to trust the signer (you). That would tell you if it is having an impact on running the process. Then when you're comfortable with the behavior of the application, revoke the trust in your self-signed code signing certificate, and purchase and sign with a public code signing certificate.
Running as Admin with Windows 7 compatibility mode may have allowed the app to create folder locations or registry keys that it couldn't create before, and once that task was completed, your app runs fine without elevation or Windows 7 compatibility mode.
HTH
Quote
The exe is not signed
This could be part of the problem. The EXE in particular needs to be signed, but you should also sign the DLLs as a matter of best practice. I'm not certain that it will have any impact on your app's ability to run, but Windows certainly would complain about it. You could first try signing the app with your home-built code signing certificate, and then cause the server to trust the signer (you). That would tell you if it is having an impact on running the process. Then when you're comfortable with the behavior of the application, revoke the trust in your self-signed code signing certificate, and purchase and sign with a public code signing certificate.
Running as Admin with Windows 7 compatibility mode may have allowed the app to create folder locations or registry keys that it couldn't create before, and once that task was completed, your app runs fine without elevation or Windows 7 compatibility mode.
HTH
6
Web Server - Ask For Help / NT12 Let's Encrypt: The URL for the Fetch command was blank
« on: November 08, 2021, 12:59:28 PM »
I have run into a small issue with the LE client in NetTalk. Presently using NT 12.26. What does this message mean?
[11/08/21-13:48:26] The URL for the Fetch command was blank
[11/08/21-13:48:26] Get Authorize <redacted>
[11/08/21-13:48:25] Authorize Request <redacted>
[11/08/21-13:48:24] Registering Account <redacted> at https://acme-v02.api.letsencrypt.org/acme/new-acct
[11/08/21-13:48:23] Time to update the certificate <redacted>
[11/08/21-13:48:23] Dates: <redacted> From: 9 JUN 2021 To: 7 SEP 2021
[11/08/21-13:48:22] Setting Folders for Domain [<redacted>]
[11/08/21-13:48:22] Created C:\Clarion\AccuFund\bin\certificates\<redacted>.csr.der
[11/08/21-13:48:22] Setting Folders for Domain [<redacted>]
[11/08/21-13:48:26] The URL for the Fetch command was blank
[11/08/21-13:48:26] Get Authorize <redacted>
[11/08/21-13:48:25] Authorize Request <redacted>
[11/08/21-13:48:24] Registering Account <redacted> at https://acme-v02.api.letsencrypt.org/acme/new-acct
[11/08/21-13:48:23] Time to update the certificate <redacted>
[11/08/21-13:48:23] Dates: <redacted> From: 9 JUN 2021 To: 7 SEP 2021
[11/08/21-13:48:22] Setting Folders for Domain [<redacted>]
[11/08/21-13:48:22] Created C:\Clarion\AccuFund\bin\certificates\<redacted>.csr.der
[11/08/21-13:48:22] Setting Folders for Domain [<redacted>]
7
Web Server - Ask For Help / Re: Ephemeral ports with NetTalk?
« on: August 30, 2017, 02:10:04 PM »
>> I'm not 100% sure I understand what you mean by "pop up".
What I mean is, we're trying to ensure that we have a local web server to respond to a simple GET (the reason we need one is a different topic for a different day), but we can't rely on the operating system to just have one laying around. So the approach I'm thinking about would be to start a very basic web server for the task, and shut it down immediately after its purpose is fulfilled. So the short answer here, is "yes."
>> The port number is an expression, so you can put a variable in there
But how do I get Windows to tell me what port to use? Because Windows will know what ports are currently used, I assume, and my program will not. But my program could be running many times (say: 100), with each instance needing to start a web server concurrently on a unique port number.
Alternately: can I test within a web server procedure whether a given port number is already in use, and randomly choose another port to use? This would fulfill the same purpose, as far as I am concerned.
What I mean is, we're trying to ensure that we have a local web server to respond to a simple GET (the reason we need one is a different topic for a different day), but we can't rely on the operating system to just have one laying around. So the approach I'm thinking about would be to start a very basic web server for the task, and shut it down immediately after its purpose is fulfilled. So the short answer here, is "yes."
>> The port number is an expression, so you can put a variable in there
But how do I get Windows to tell me what port to use? Because Windows will know what ports are currently used, I assume, and my program will not. But my program could be running many times (say: 100), with each instance needing to start a web server concurrently on a unique port number.
Alternately: can I test within a web server procedure whether a given port number is already in use, and randomly choose another port to use? This would fulfill the same purpose, as far as I am concerned.
8
Web Server - Ask For Help / Ephemeral ports with NetTalk?
« on: August 29, 2017, 02:01:55 PM »
Is it possible to pop up a simple NetTalk web server on-the-fly, to handle a simple GET against localhost from a Windows app? The trick is that it needs an ephemeral port, because we could theoretically have many such popup servers running at any given moment, so I want the system to issue the port number to me.
9
Web Server - Ask For Help / Re: uploading net talk application on godaddy windows hosting
« on: August 29, 2017, 01:53:10 PM »I believe there may be some confusion between web hosting and server hosting. If you purchased one of their web hosting products I do not believe you can run a NT application on it. I think you need to purchase either a dedicated server or a Virtual Private server.
That is my understanding, as well. Virtual Private would be the minimum you would need to run anything but an IIS-based site.
10
Web Server - Ask For Help / Re: Need help in changing my app to SSL
« on: June 22, 2017, 09:00:10 PM »
Sukhendu,
I would make certain that you copy the following DLLs from your clarion/accessory/bin directory to your working directory (the directory where your EXE is running from):
Then make sure you copied both the .crt (public key, or "certificate") AND .key (private key) to your working certificates directory. You should now have two files in your certificates directory:
If either one is missing, then your app can't load it into memory, and the handshakes will fail.
Then make sure you change the 'certificates\settings.crt' back to 'certificates\settings', in your app. If you have copied the code from the example, chances are it is appending the extensions automatically.
When you deploy, definitely, yes. But for local testing, there's no need.
I would make certain that you copy the following DLLs from your clarion/accessory/bin directory to your working directory (the directory where your EXE is running from):
- libeay32.dll
- libssl32.dll
- msvcr90.dll
- ssleay32.dll
Then make sure you copied both the .crt (public key, or "certificate") AND .key (private key) to your working certificates directory. You should now have two files in your certificates directory:
- settings.crt
- settings.key
If either one is missing, then your app can't load it into memory, and the handshakes will fail.
Then make sure you change the 'certificates\settings.crt' back to 'certificates\settings', in your app. If you have copied the code from the example, chances are it is appending the extensions automatically.
Quote
Do I need to create a new certificate?
When you deploy, definitely, yes. But for local testing, there's no need.
11
Web Server - Ask For Help / Security: Why might a GET on /_vti_bin/shtml.exe/_vti_rpc return a 200 response?
« on: June 22, 2017, 08:42:47 PM »
I've been practicing with nikto against a NetTalk web server, trying to expand on recent training. The tool reports a number of informational items, one of which is this:
If I replay the request through a proxy (I used Burpsuite Pro), the request looks like this:
The response looks like this:
A similar request does the same thing:
Response:
The resources /_vti_bin/shtml.dll/_vti_rpc and /_vti_bin/shtml.exe/_vti_rpc certainly do not exist, and I would have expected a 404 response.
Code: [Select]
OSVDB-28260: POST /_vti_bin/shtml.exe/_vti_rpc?method=server+version%3a4%2e0%2e2%2e2611: Gives info about server settings.If I replay the request through a proxy (I used Burpsuite Pro), the request looks like this:
Code: [Select]
GET /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1
Connection: close
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:002763)
Host: [redacted: IP]The response looks like this:
Code: [Select]
HTTP/1.1 200 OK
Date: Fri, 23 Jun 2017 04:28:33 GMT
Server: NetTalk-WebServer/8.31
Expires: Thu, 23 Jun 2016 04:28:33 GMT
Content-Length: 41
Content-Type: application/json
Cache-Control: no-store, no-cache, must-revalidate, private,post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Set-Cookie: SESSIONID=[redacted]; path=/; HttpOnly
Connection: close
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
[redacted: return data]A similar request does the same thing:
Code: [Select]
POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1
Connection: close
Content-Length: 57
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:003486)
Content-Type: application/x-www-form-urlencoded
Host: [redacted: IP]
method=open+service%3a3%2e0%2e2%2e1105&service%5fname=%2fResponse:
Code: [Select]
HTTP/1.1 200 OK
Date: Fri, 23 Jun 2017 03:24:47 GMT
Server: NetTalk-WebServer/8.31
Expires: Thu, 23 Jun 2016 03:24:47 GMT
Content-Length: 41
Content-Type: application/json
Cache-Control: no-store, no-cache, must-revalidate, private,post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Set-Cookie: SESSIONID=[redacted]; path=/; HttpOnly
Connection: close
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
[redacted: return data]The resources /_vti_bin/shtml.dll/_vti_rpc and /_vti_bin/shtml.exe/_vti_rpc certainly do not exist, and I would have expected a 404 response.
12
Web Server - Ask For Help / Security: Is it possible to drop a connection without sending a response?
« on: June 15, 2017, 11:02:51 AM »
Easy question, that hopefully has a simple answer: in a NetWebServer procedure, is it possible to drop/close a connection without sending a response?
For instance, if the incoming session ID contains characters other than A-Za-z0-9, can I simply ignore the request because this is most certainly malicious? If I receive enough of these kinds of requests, I would like to add the IP to a blacklist and never respond again.
For instance, if the incoming session ID contains characters other than A-Za-z0-9, can I simply ignore the request because this is most certainly malicious? If I receive enough of these kinds of requests, I would like to add the IP to a blacklist and never respond again.
13
Web Server - Ask For Help / Re: Multiple lines in a radio Option
« on: March 14, 2016, 06:48:25 AM »
Roberto,
If the tags are being encoded by the server (i.e., translated from <br> to <br>), then I would expect that behavior. If you can find a way to get the server to offer up the un-encoded string, then you should get what you're looking for.
Flint
If the tags are being encoded by the server (i.e., translated from <br> to <br>), then I would expect that behavior. If you can find a way to get the server to offer up the un-encoded string, then you should get what you're looking for.
Flint
14
Web Server - Ask For Help / Re: Multiple lines in a radio Option
« on: March 13, 2016, 07:15:07 AM »
What if you try explicitly putting <br /> tags instead of CRLF between each option?
Regards,
Flint
Regards,
Flint
15
The Rest - Ask For Help / Re: WiFi traffic encryption
« on: February 09, 2016, 10:27:04 AM »
Wolfgang,
Based on a cursory search, yes, WPA2 does mean the air traffic is encrypted between radios: https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
With a sufficiently large and random key, you can make it very difficult to crack the encryption outright. More appealing would be to attack other components of the network, such as the router itself, or the thermostat you're interfacing with. All bets are off if someone can gain physical access to any device on the network.
Do the simple things: use a large and random key, disable WPS, use MAC address whitelists, disable SSID broadcasting, etc.
Flint
Based on a cursory search, yes, WPA2 does mean the air traffic is encrypted between radios: https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
With a sufficiently large and random key, you can make it very difficult to crack the encryption outright. More appealing would be to attack other components of the network, such as the router itself, or the thermostat you're interfacing with. All bets are off if someone can gain physical access to any device on the network.
Do the simple things: use a large and random key, disable WPS, use MAC address whitelists, disable SSID broadcasting, etc.
Flint