Generating a CSR with OpenSSL

shtzeng Posted in System Settings

Laziness is what produces programs Orz
I just didn't want to keep typing openssl commands,
so I wrote build_csr.sh

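#!/usr/bin/env bash

# Require the domain (used as the CN) as the first argument.
if [ $# -lt 1 ]; then
  echo 1>&2 "$0: Please use \"$0 aaa.domain.com\" or \"$0 *.domain.com\" to generate key and csr files."
  exit 2
fi

# Replace "*" with "star" so a wildcard CN gives a usable file name.
DOMAIN=${1//\*/star}

# -nodes leaves the private key unencrypted on disk; the subject fields are sample values.
openssl req -new -newkey rsa:2048 -nodes -out "$DOMAIN.csr" -keyout "$DOMAIN.key" -subj "/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=$1"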

The subj part holds the company information.
I borrowed Yahoo's format to show everyone.
See the Wikipedia article "Certificate signing request" for reference.

Example output

$ ./build_csr.sh aaa.domain.com
Generating a 2048 bit RSA private key
...........................................+++
.....+++
writing new private key to 'aaa.domain.com.key'
-----
$ ./build_csr.sh *.domain.com
Generating a 2048 bit RSA private key
..................+++
................................+++
writing new private key to 'star.domain.com.key'
-----
$ ls
aaa.domain.com.csr      aaa.domain.com.key      build_csr.sh          star.domain.com.csr     star.domain.com.key
$

The CSR contents can be inspected with the openssl req command

$ openssl req -in star.domain.com.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=California, L=Sunnyvale, O=Yahoo Inc., OU=Information Technology, CN=*.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
$

The above is only an example.
Please don't go forging certificate requests for other people's domains :p
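
A check worth running before the CSR goes to a CA, as an added example that is not part of the original post: the output above shows sha1WithRSAEncryption, so this script flags SHA-1/MD5 signatures and keys under 2048 bits, verifies the CSR's self-signature, and confirms the .key file really belongs to the CSR. The function names and the thresholds are assumptions for illustration, not any CA's policy.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a CSR and its private key before submission.
# Thresholds (2048-bit minimum, no SHA-1/MD5) are assumptions, not CA policy.

# Print the signature algorithm recorded in the CSR.
csr_sig_alg() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print the public key size in bits, e.g. "(2048 bit)" -> 2048.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if the private key file holds the key the CSR was made for.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# check_csr CSR KEY: print each problem found, return non-zero if any.
check_csr() {
    rc=0
    # The self-signature proves the requester holds the private key.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR self-signature does not verify"; rc=1; }
    bits=$(csr_key_bits "$1")
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: key is ${bits:-unknown} bits, want >= 2048"; rc=1; }
    case "$(csr_sig_alg "$1")" in
        sha1*|md5*|"") echo "FAIL: weak or unknown signature hash"; rc=1 ;;
    esac
    csr_matches_key "$1" "$2" ||
        { echo "FAIL: $2 is not the key for $1"; rc=1; }
    return "$rc"
}

# Run as: ./check_csr.sh star.domain.com.csr star.domain.com.key
if [ "$#" -eq 2 ]; then
    check_csr "$1" "$2"
fi
```

If the hash check fails, regenerating the CSR with -sha256 added to the openssl req command selects SHA-256 for the request signature.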

Updating all repos in a directory

shtzeng Posted in System Settings

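There is always this one need:
every time I want to use some repository I have to update it first,
to avoid merges or conflicts.
I remember writing an update.sh last time too,
but it was gone once I left that job (I didn't back anything up xd)
So this time I'm writing it again xddd

Environment: Mac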

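#!/usr/bin/env bash

# Iterate over subdirectories only; globbing avoids parsing ls output
# and copes with names that contain spaces.
for dir in */
do
    repo=${dir%/}
    # Skip anything that is not a git working tree.
    if [ -d "$repo/.git" ]; then
        echo ">> $repo"
        # Subshell: a failed cd can never move the loop out of this directory.
        (cd "$repo" && git pull)
    fi
done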

MySQL Redundant Indexes: the problem and how to detect it

shtzeng Posted in MySQL

I needed this at work again, so I'm just writing it down XD

Reference: https://www.percona.com/blog/2006/08/17/duplicate-indexes-and-redundant-indexes/

I call redundant indexes BTREE indexes which are prefix of other index, for example KEY(A), KEY (A,B), KEY(A(10)). – First and last are redundant indexes because they are prefix of KEY(A,B)


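That is, suppose there are three indexes:
KEY(A)
KEY(A,B)
KEY(A(10))
Because of the B+TREE structure, KEY(A) and KEY(A(10)) are in fact partly identical to KEY(A,B).
Dropping KEY(A) and KEY(A(10)) does not affect performance (queries use KEY(A,B) instead).
Keeping them, however, wastes space, so indexes of this kind should be dropped.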

 

Detection can be done with pt-duplicate-key-checker from Percona Toolkit.
Write a simple shell script, schedule it, and send a notification when duplicates are found.

dh key too small

shtzeng Posted in Network Devices

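Today was my first day at work.
It started with checking in, setting up the computer, installing monitors and so on,
and then gradually getting the handover.

In the afternoon 法克ㄉㄉ gave me an ASUS AP to play with and test its features along the way.
When I got to testing OpenVPN,
connecting with Tunnelblick kept failing with an error.
After opening the log I found where the error was: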

TLS_ERROR: BIO read tls_read_plaintext error: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small

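What I finally found was this issue.
Last year a whole pile of OpenSSL problems blew up,
and the Diffie-Hellman algorithm got hit as well,
so everyone started requiring the security level to be raised to at least 768 bits.
The fix is mentioned in the article above: take the result of

openssl dhparam -out dh2048.pem 2048

and use it to replace the Diffie-Hellman Cipher on the ASUS AP.
After that, Tunnelblick can connect to the OpenVPN Server on the ASUS AP normally.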