Quick note here: always check the Source Address Translation setting on your virtual server, since you can log a "Connection error: ssl_hs_rxhello:7295: unsupported version (70)" in curl when connecting to a VIP and spend quite a bit of time thinking that it's SSL-related when it really isn't.
You may also see: SSLRead() return error -9806 in curl.
I've been running into rendering issues with IE11 lately where HTML pages are not getting rendered as expected even though they show up fine in Chrome, Firefox, and Safari. I'm still digging into this but it seems like it could be due to Internet Explorer being put into Enterprise Mode for "internal" web sites (where "internal" means any web site matching the domain name of the organization--for example, *.somedomain.com). Has anyone else come across this?
Enterprise Mode defaults to sending an IE8 user agent instead of an IE11 user agent, and the meta tag that developers are encouraged to place in their HTML (<meta http-equiv="X-UA-Compatible" content="IE=edge">) is designed to tell the browser to use the best rendering mode of the browser. If IE11 sends an IE8 user agent because Enterprise Mode is enabled, does it then get rendered as IE8 even though the HTML could be standards-compliant and rendered with IE11's standards-compliant engine?
Well, after an almost two-year hiatus away from this blog, it's time for me to start posting stuff again. To kick things off, here is an update to CryptoNark that fixes an issue with SSL certificate validation. You can grab it from the Downloads page and the changelog is available on the main CryptoNark page.
Thanks to Olivier Mengué for pointing this issue out.
Today, I am releasing CryptoNark version 0.5.6, which contains three notable changes/improvements:
The changelog for all released versions is on the CryptoNark info page and you can download it from my Downloads page.
I came across this error just the other day. cURL threw the following error when I was trying to connect to an HTTPS host:
Unknown SSL protocol error in connection to <hostname>:-9846
When I connected to the same host using openssl's s_client, the following error was thrown:
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Turns out, the server my client was trying to connect to was so old, it didn't support TLS! The workaround for this was to force an SSLv3 connection.
I updated my OpenSSL Version Matrix again to reflect new versions of OpenSSL released since June 5, 2014, including the three new versions of OpenSSL that were released yesterday (October 15, 2014) to address four security issues.
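A way to reach that diagnosis without guessing is to attempt one handshake per protocol version and see which ones complete. The script below is an added example, not code from the original post: the function names and the verdict strings are made up for illustration, and the sample probe result is constructed.

```shell
#!/bin/sh
# Added example: find out which protocol versions a server will complete
# a handshake with, using only `openssl s_client`.

# Succeeds if the s_client output on stdin shows a negotiated cipher.
# s_client prints "New, <proto>, Cipher is <name>" on success and
# "New, (NONE), Cipher is (NONE)" when the handshake failed.
handshake_ok() {
    awk '/^New, / && /Cipher is/ { if ($0 !~ /\(NONE\)/) ok = 1 }
         END { exit !ok }'
}

# Try each version flag against host:port; print "<flag> <result>" per line.
# Some flags (-ssl3 on current builds, -tls1_3 on old ones) are missing from
# the local openssl, which then reports an unknown option (assumed wording;
# it varies a little between releases).
probe_versions() {
    host=$1
    port=${2:-443}
    for flag in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
        out=$(openssl s_client -connect "$host:$port" "-$flag" </dev/null 2>&1) || true
        if printf '%s\n' "$out" | handshake_ok; then
            echo "$flag accepted"
        elif printf '%s\n' "$out" | grep -qi 'unknown option'; then
            echo "$flag not-built-into-local-openssl"
        else
            echo "$flag rejected"
        fi
    done
}

# Reduce probe_versions output (stdin) to a single verdict.
summarize() {
    awk '$2 == "accepted" { if ($1 == "ssl3") ssl3 = 1; else tls = 1 }
         END {
             if (tls && ssl3) print "tls-and-sslv3"
             else if (tls)    print "tls-only"
             else if (ssl3)   print "sslv3-only"
             else             print "no-handshake"
         }'
}

# Usage: sh probe.sh HOST [PORT]   (with no arguments, nothing is contacted)
if [ "$#" -gt 0 ]; then
    probe_versions "$@" | tee /dev/stderr | summarize
fi
```

A verdict of `sslv3-only` matches the server described above; `no-handshake` points away from protocol versions and toward something else on the path.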
It's only been a few days since the 0.5 release but I've been busy updating CryptoNark with some bug fixes and also added in support for Windows. One caveat: I've only tested this on Windows 8.1 under a Strawberry Perl 5.18.2 installation. Please let me know if there are any issues on older/newer versions of Strawberry Perl.
One additional item to note in this version. SSLv2 connections to some sites were causing Perl to crash when running on Windows. I've modified the subroutine that is making SSLv2 calls to make it more stable but on those sites that it was crashing on, cnark now falsely (?) reports that an SSLv2 connection with an RC4-MD5 cipher is possible. I'm still investigating this issue. It does not happen on all sites.
You can download the new CryptoNark v0.5.5 release from the Downloads page and you can see the changelog at the CryptoNark page on this site.
I updated my OpenSSL Version Matrix post again to include the three new OpenSSL versions recently released. The matrix is now current as of June 7, 2014 with Perl code you can steal. I still use Tie::Hash::Indexed in all my modules to order this hash in the order you see it in the post.
Also, the Kindle edition of chromatic's Modern Perl: 2014 Edition is available so grab a copy--it's a steal.
It has been a while since the last release but here's new version 0.5 of CryptoNark. New features and changes in this release include the following (but are mainly centered on certificate validation):
A big thank you to all who have downloaded this over the years and emailed issues to me. As always, downloads are available off of the CryptoNark page.
This first fairly useful iControl example using Perl and SOAP::Lite solves a fairly time-consuming problem if you want to print all the pools and pool members from one of your BigIP LTMs and you're not really sure how to do it with the tmsh commands (or tmsh scripting). If you have a large number of pools and are using a web browser, you could spend hours clicking on a pool, then clicking the Members tab, then clicking on Pools, then selecting the next pool, then the Members tab for *that* pool, etc. Very time consuming.
This example uses the get_member_v2() method. It first grabs all the pools on that LTM using the get_list() method, then loops through each one and prints the pool followed by the pool members using get_member_v2().
There are other examples of this script out there but this one is the first version of the one I wrote for my own job. Some values have been sanitized and replaced with placeholders ($host, $uid, and $pwd in my script). If you copy and paste this script verbatim into your new Perl script, it won't work until you replace those values.

```perl
#!/usr/bin/env perl

use Modern::Perl;
use Mozilla::CA;
use MIME::Base64;   # provides MIME::Base64::encode for the header below
use SOAP::Lite;
#use SOAP::Lite +trace => [ qw (all -transport) ];

# Pick one or the other. If the former doesn't work
# try the latter
use iControlTypeCast; # Same directory as your script
# --OR--
#use lib '[/path/to/your/icontrol/modules/directory/]';

# Validate the BigIP's certificate against the Mozilla CA bundle
$ENV{HTTPS_CA_FILE} = Mozilla::CA::SSL_ca_file();

# IMPORTANT - Values in ALL_CAPS are placeholders
# Swap out the values with your own values
my $host = "IP_ADDRESS_OR_HOSTNAME_OF_YOUR_BIGIP";
my $port = "443"; # Usually...

# Replace with your userid and password
# An account with Operator rights is all that is required here
my $uid = "YOUR_ICONTROL_USERID";
my $pwd = "YOUR_ICONTROL_PASSWORD";

sub SOAP::Transport::HTTP::Client::get_basic_credentials {
    return "$uid" => "$pwd";
}

# This is the base request
my $req = SOAP::Lite
    -> uri('urn:iControl:LocalLB/Pool')
    -> proxy("https://$host:$port/iControl/iControlPortal.cgi");

# Add authorization header; Otherwise the
# initial request will fail
eval {
    $req->transport->http_request->header (
        'Authorization' => 'Basic ' . MIME::Base64::encode("$uid:$pwd", '')
    );
};

# Grab a list of all pools on this BigIP
my $pools = $req->get_list();
my @list = @{$pools->result};

say "BigIP LTM: $host";

# Iterate through the list of pools and get the pool members.
foreach my $pool (@list) {
    say " $pool";
    my $poolmember = $req->get_member_v2(
        SOAP::Data->name(pool_names => [$pool])
    );
    # get_member_v2() returns one member list per pool name passed in;
    # only one pool is requested per call, so take the first list.
    my @memberListAofA = @{$poolmember->result};
    my @memberListA = @{$memberListAofA[0]};
    foreach my $member_def (@memberListA) {
        my $address = $member_def->{"address"};
        my $port = $member_def->{"port"};
        say " $address:$port";
    }
}
```