Wednesday, September 01, 2010

My birthday gift to the world -- A Charity: Water campaign

Hi everyone,

This year, for my 24th birthday, I wanted to do something different. Inspired by Chris Sacca and the Charity: Water project, I want to try to donate $500 by September 30th, which I hope will be easily accomplished.

Please donate here: Charity: Water -- Sean's 24th Birthday.

I'll appreciate it, but the 25 people (5 families) with clean drinking water will appreciate it the most.

I've donated $5 to my own campaign to prove that I'm willing to put my money where my birthday-cake-eating mouth is.

I'm lucky as hell to be where I am, and hope those who know me will help support me in helping others.

Thanks!

Tuesday, August 31, 2010

How To: Enforce TLS Encryption on Tomcat Server 6.0

Note: I should begin this post by saying that I’m no expert on SSL or TLS encryption or the “handshakes” and negotiations that browsers and servers go through when giving the user a connection to secure material. Feel free to jump in on the comments if I get the terminology or methodology wrong.
As far as I understand it, SSL is pretty secure, but TLSv1 (its successor) is the strongest option a standard web browser offers today for encrypting traffic between the browser and the server.
Recently, I was tasked with setting up a Tomcat server to enforce TLS for a government client. We had already defined a server.xml file that specified “TLSv1” as the protocol and AES encryption. However, apparently Tomcat 6.0 doesn’t strictly enforce TLS if SSL is also enabled. That is to say, if TLSv1 is not enabled on the browser, but SSL is, the server will “fall back” to SSL in the hopes of displaying the content — I suppose it takes the “well, SSL is better than nothing” approach.
However, this wasn’t going to fly for my client — an institution with strict security rules for its web applications — which, really, is a good thing. If TLSv1 wasn’t enabled properly, the site shouldn’t display, even if SSL is enabled.
I looked around for how to do this, and to my surprise, it was incredibly difficult to find. After a great deal of Google searches and frustration, I finally found this post on the old, archived Tomcat developers listserv/group. [Note: I am currently working on finding the source link again. Will update when I do.] It turns out that there’s another attribute you can add to your server connector in server.xml: the “protocols” attribute (standing for “secure”, I believe; not a pluralization).
So, in short, a Tomcat 6.0 connector in server.xml that enforces TLS looks something like the connector below (I’ve changed the password to a dummy, of course):
<Connector
    port="8443"
    protocol="HTTP/1.1"
    protocols="TLSv1"
    SSLEnabled="true"
    enableLookups="false"
    acceptCount="100"
    maxThreads="200"
    scheme="https"
    keystoreFile="d:\keystore\.keystore"
    keystorePass="changeme"
    secure="true"
    clientAuth="false"
    sslProtocol="TLSv1"
    cipher="AES"
    allowUnsafeLegacyRenegotiation="false"
/>
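
As an added example (not code from the original post or from the Tomcat project), here is a small Python checker that reads a server.xml and reports HTTPS connectors that leave the protocol list unrestricted, so that the SSL fallback described above remains possible, or that list an SSL-family protocol. It looks for the “protocols” attribute used in the post and also for sslProtocols and sslEnabledProtocols, which are the attribute names in the Tomcat connector documentation for later 6.0.x and 7.x releases (an assumption about which name your Tomcat version honours; check your release’s docs). Both server.xml fragments are constructed for this example; the first mirrors the “before” state (TLSv1 named in sslProtocol but nothing restricting the enabled protocols), the second mirrors the corrected connector.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments (not from a real deployment).
# "Before": TLSv1 is named in sslProtocol, but nothing restricts the
# list of enabled protocols, so the server can still fall back to SSL.
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLSv1" keystoreFile="/path/to/.keystore"
               keystorePass="changeme"/>
  </Service>
</Server>
"""

# "After": the corrected connector from the post, with protocols="TLSv1".
FIXED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               protocols="TLSv1" sslProtocol="TLSv1" scheme="https"
               secure="true" clientAuth="false"
               keystoreFile="/path/to/.keystore" keystorePass="changeme"
               allowUnsafeLegacyRenegotiation="false"/>
  </Service>
</Server>
"""

# Attribute names that restrict the enabled protocol list. "protocols" is
# the one the post uses; "sslProtocols" / "sslEnabledProtocols" are the
# names in the Tomcat connector docs (assumed; verify for your version).
PROTOCOL_LIST_ATTRS = ("protocols", "sslProtocols", "sslEnabledProtocols")


def audit_connector(conn):
    """Return a list of findings (strings) for one <Connector> element."""
    findings = []
    port = conn.get("port", "?")
    if conn.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP connector: not an HTTPS endpoint

    enabled = None
    for attr in PROTOCOL_LIST_ATTRS:
        if conn.get(attr):
            enabled = [p.strip() for p in conn.get(attr).split(",") if p.strip()]
            break

    if enabled is None:
        findings.append(f"port {port}: no protocol restriction; the JVM "
                        "default list applies, so a client without TLSv1 "
                        "may be served over SSL")
    else:
        # Anything named SSLv2/SSLv3 (or SSLv2Hello) in the list is flagged.
        weak = [p for p in enabled if p.upper().startswith("SSL")]
        if weak:
            findings.append(f"port {port}: SSL-family protocol(s) enabled: "
                            + ", ".join(weak))

    if conn.get("allowUnsafeLegacyRenegotiation", "false").lower() == "true":
        findings.append(f"port {port}: allowUnsafeLegacyRenegotiation is true")
    return findings


def audit_server_xml(xml_text):
    """Audit every <Connector> in a server.xml document given as text."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        findings.extend(audit_connector(conn))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        result = audit_server_xml(doc)
        print(f"{label}: {result or 'no findings'}")
```

Run it against a real server.xml by reading the file into a string and passing it to audit_server_xml; an empty list means every HTTPS connector names an explicit protocol list with no SSL-family entries and leaves unsafe renegotiation disabled.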

I wanted to provide this bit of knowledge as a public service. Would love to hear about your own experiences enforcing TLS or security in Tomcat and other web servers in the comments! Please let me know if you’ve found this useful.

Site Rebirth

Hello, everyone! Since redirecting the SeanKilleen.com domain name to WordPress, I’ve been trying to invest more time into revamping the look and content of the site.
Initially developed as a place to archive old English papers (which I originally left up for humor’s sake but have since taken down), I’d like to turn this space into a place to discuss technology, theatre, and whatever else suits my fancy.
As always, I look forward to any feedback and hopefully your readership in the future!