TeamCity vSphere (ESXi) Integration Explained

Written by William Roush on January 25, 2015 at 5:15 pm

I found the documentation of configuration and why certain things are set up a specific way a bit lacking on the new vSphere support from TeamCity, so here we do a dive into how everything works.

I’m going to assume you have a fairly good grasp on what TeamCity is and how to manage it; if you feel I’ve skipped anything or should go into more detail, drop me a message either through the site’s contact page or in a comment here.

TeamCity Cloud Integration

TeamCity’s cloud integration allows you to move your build agents from machines you may have online all day to a base image you clone out and spin up as required (and as many as required in whatever combination).

Benefits:

  • You’re not limited to 3 build agent configurations with the base TeamCity install, you’re limited to 3 active at any one time. Good for multi-platform environments.
  • Resources are only used when needed.
  • Every build can be a clean build (if you trash your build agents after a build).

Drawbacks:

  • Each virtual machine being a single build agent vs multiple build agents on a single machine with multiple cores may waste resources.
  • Build times will increase due to virtual machine build time.
  • You need to move to your build agents being stateless. (I’m dumb, Jody Shumaker corrects me in the comments)

Useful Repositories

JetBrains has published the plugins required to integrate with vSphere on Github here: https://github.com/JetBrains/teamcity-vmware-plugin/. I’m very thankful they’ve open sourced this because of the hangup mentioned later with the required resource pools.

Preparing Your Base VM

  1. Install the OS of your choice (so far Windows and *nix environments are supported out of the box; the plugin needs updating if you want to support more).
  2. Install VMware tools.
    • This is used by TeamCity cloud to properly configure your build agent, and is required.
  3. Install all of your build tools
  4. Install Java for TeamCity build agent (if it isn’t part of your build tools).
  5. Install TeamCity build agent.
  6. Verify it shows up in TeamCity’s unauthorized agents list, check your agent parameters and compatible configurations.
  7. Shut down TeamCity build agent service on build agent virtual machine.
    • May want to remove the build agent from the unauthorized list at this point just to clean things up, but this is up to you.
  8. Remove name, serverURL and authorizationToken from conf/buildAgent.properties on the build agent.
    • This is to make your image generic, your cloud plugin and VMware tools will auto-populate these values for you, and in the event of you wanting to tweak the base virtual machine you don’t have to worry about it booting up as a valid build agent.
  9. Shut down the VM, and snapshot it (without a snapshot your virtual infrastructure will try to clone the entire VM, which will make spin-up times for build agents extremely high).
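As an added example for step 8 (my own script, not part of JetBrains’ plugin or documentation), here is a small Python helper that strips the agent-specific keys from buildAgent.properties so the image can’t come up as an already-registered agent. The sample properties file embedded in it is constructed; the key names come from the step above and are matched case-insensitively, so the serverUrl spelling the agent actually writes is covered as well as serverURL.

```python
"""Make a TeamCity build agent's buildAgent.properties generic before snapshotting.

Added example for step 8 of the base VM preparation; not JetBrains' code.
It removes the agent-specific keys (name, serverUrl, authorizationToken) so a
clone of the VM does not boot as an already-registered agent. Matching is
case-insensitive, so 'serverUrl' and 'serverURL' are both caught.
"""
from pathlib import Path
from typing import List, Tuple

# Keys that tie the file to one registered agent; everything else is kept.
AGENT_SPECIFIC_KEYS = {"name", "serverurl", "authorizationtoken"}

# Constructed sample of what an agent writes after its first registration.
SAMPLE_PROPERTIES = """\
## TeamCity build agent configuration file (constructed sample)
serverUrl=http://teamcity.example.invalid:8111
name=base-agent-01
authorizationToken=0123456789abcdef0123456789abcdef
workDir=../work
tempDir=../temp
system.agent.home.dir=/opt/buildAgent
"""


def _property_key(line: str) -> str:
    """Return the lower-cased key of a Java .properties line.

    Blank lines and comments ('#' or '!') yield '' so they are always kept.
    """
    stripped = line.strip()
    if not stripped or stripped[0] in "#!":
        return ""
    # .properties allows '=', ':' or whitespace as the key/value separator.
    for i, ch in enumerate(stripped):
        if ch in "=: \t":
            return stripped[:i].lower()
    return stripped.lower()


def genericize_properties(text: str) -> Tuple[str, List[str]]:
    """Drop agent-specific keys; return (new_text, removed_keys_in_order)."""
    kept: List[str] = []
    removed: List[str] = []
    for line in text.splitlines():
        key = _property_key(line)
        if key in AGENT_SPECIFIC_KEYS:
            removed.append(key)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


def genericize_file(path: Path) -> List[str]:
    """In-place variant for conf/buildAgent.properties on the agent VM."""
    new_text, removed = genericize_properties(path.read_text(encoding="utf-8"))
    path.write_text(new_text, encoding="utf-8")
    return removed


if __name__ == "__main__":
    text, removed_keys = genericize_properties(SAMPLE_PROPERTIES)
    print("removed:", ", ".join(removed_keys))
    print(text)
```

Run it against the real file with `genericize_file(Path("/opt/buildAgent/conf/buildAgent.properties"))` after stopping the agent service (step 7); the returned list tells you which keys were actually present, which is a quick way to confirm the image was not already generic.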

Linux Caveats

In the most recent version of VMware on some Linux platforms when you go to install VMware tools you’ll be told to use open-vm-tools instead. At least on Debian 7 (and I haven’t tested other platforms) the vmware-rpctool binary ends up in /usr/bin instead of /usr/sbin like TeamCity expects. So we’ll just make a link for it:

$> ln /usr/bin/vmware-rpctool /usr/sbin/vmware-rpctool

I have an open issue with JetBrains on it to update their documentation.

Update: No longer an issue on the latest patch, quick turn-around from JetBrains!

Configuring Your Cloud

Go to Administration > Agent Cloud (under Server Administration) and add a new profile and give it a name.

I like to use a dedicated account for vSphere whose permissions are limited to a specific folder in our environment, including only the networks and datastores it needs, so that the plugin can’t do anything to the rest of the infrastructure.

  • Terminate instance idle time – This is the time a virtual machine that is spun up will wait without a task before being shut down, I set this fairly low (10 minutes).
  • Terminate instance (after first build completed) – This will trash a virtual machine after the build process is complete; I keep this on because I find this to be one of the major reasons I’m doing this.
  • Cloud type (set to VMware vSphere)
  • vCenter SDK URL – You’ll set this to https://[vCenter FQDN]/sdk, it accepts self-signed certs provided by your vCenter box by default just fine.

Next we’ll need to configure some images, click “Add Image”, select a virtual machine from the pull-down list, pick a snapshot (you’re using snapshots, right?), select a folder that the clones will go into, select a resource pool (more on that later) and set the maximum number of virtual machines you want to be able to run at once.

If you don’t have resource pools because you’re on a version of vSphere that doesn’t support them, you’ll either have to wait till I get my fork done that removes this requirement and have JetBrains pull it, or download the plugin and remove the requirement yourself (I hear an older version of the plugin doesn’t require it but haven’t verified it).

Update: JetBrains beat me to it, issued a patch, works great now.

Verification And Validation

Successful build agent setup

When you build a project with zero build agents installed, it’ll go into the queue. The TeamCity cloud plugin will spin up a virtual machine for you, and when that machine is registered it should show up with the name of the virtual machine. If this is what you got, success!

If not, feel free to post comments and I’ll see if I can help out.

Republic Wireless – A Customer’s Review

Written by William Roush on December 28, 2014 at 10:16 pm

A review from a user on Republic Wireless, a relatively new wireless carrier that uses WiFi to offload your phone calls and text messages, reducing costs and passing those savings off to you.


Background On Republic Wireless

Republic Wireless is a wireless services provider started by the VOIP provider BandWidth. They differ from your common wireless providers by understanding the concept that anything the cell network can do, the internet can do better. They save you money by offloading as much as they can, including phone calls onto your wifi connection. This reduces their costs and they pass that onto you.

Plans

As of 12/28/2014 their plans are as follows:

Cost   Features
$5     Unlimited talk, text and data on WiFi only.
$10    Unlimited talk and text on cell and WiFi.
$25    Unlimited talk, text and 3G on cell.
$40    Unlimited talk, text and 4G on cell.

You can jump between plans twice a month on their website at the click of a button, allowing you to jump on 4G when you’re going to some big city for a conference and will be pulling a lot of data, but fall back on 3G when you’re at home surrounded by WiFi you use often and your own computer and internet.

Dead Zones

The biggest thing I worried about up-front was dead zones. Well, it’s basically Sprint when you’re on the cell network, so nothing new for me there. Coverage was a bit spotty but I was never unable to make calls, though data usually suffered in these places. All the same problems I had when I was a Sprint customer I have now when I’m on the cell network.

However, at work there is a funny dead spot that affects all of us… well, did affect all of us. Now two of us are on Republic and we hop on our guest wireless to make phone calls, so while the Verizon and Sprint people have to move around the building to find cell signal, we Republic users have strong calling and texting over WiFi.

Call Quality

First call I made I was on wireless, nice and clear (relatively), arguably better than when I’m on the cell network. I walked to the other side of the house where my WiFi is spotty without thinking about it; after my call Republic had a message for me: “Congratulations on your first WiFi to cell transfer!” I honestly didn’t even notice.

When I’m on cell, again I notice no difference from Sprint’s network. Of course this is all “by ear” and phone quality is garbage as-is (when compared to higher quality VOIP services such as TeamSpeak).

Account Management Tools

The account management UI on the site is simple and easy to use and offers a few fun reports on WiFi offloading. Everything is consistently clean and minimal, without the need for a ton of additional text, details, and ads for other services plastered all over the screen as is common with other carriers.

Simple straightforward statement history page.

Order status page showing the phone I ordered.

Nice phone status page.

Easy to read bill.

Cool little offload graph

Their mobile app leaves a lot to be desired (I can’t access billing, orders or my overall WiFi offloading), but it is receiving improvements so we may see those sometime. Recently detailed data usage has been added, showing you how much data is being used on various networks including wireless, cell and roaming, and by what apps. Very useful.

Dashboard, not much to see here.

My Account leaves much to be desired.

New feature on the app, data tracking.

Cost Savings

                 Sprint    Republic
Data + Minutes   $69.99    $25.00
Premium Data     $10.00    -
Surcharges       $4.15     -
Taxes            $6.01     $5.17
Total            $90.15    $30.17

$59.98/month in savings, I pay for my cell phone in 3 months.

Hardware Availability

Now for the bad news, Republic Wireless currently only offers 3 phones. The Moto X (just releasing the 2nd gen), the Moto G (1st gen) and the Moto E. The reason for this is that they have to put their own calling software on the phone to handle their WiFi offloading technology.

If you’re looking for a specific phone (or anything not Android) you’re out of luck for the time being. I think the range of phones offers a decent choice in features and prices, but I can see if you have your heart set on a phone you may be locked out of Republic Wireless.

I hope they consider porting their system to Cyanogenmod, opening up for unsupported phones that you can hack onto their network.

Also, Republic Wireless doesn’t subsidize your phone cost, so you’ll be dropping anywhere from $99-$300 on a new phone when you hop on Republic Wireless (used phones are available too at discounted rates).

Overall

Unless you need a specific phone or can’t deal with Sprint’s towers, go with Republic Wireless, you’re throwing money away if you don’t. If you’re currently on Sprint you’re dealing with their spotty towers AND not taking advantage of leveraging WiFi, stop doing that to yourself and get on Republic Wireless.

Looking at my bill and my early cancellation fees (yours may be different), I should have dropped them months ago and hopped on Republic Wireless for a massive savings by now.

I’ll come back after probably 6-12 months and update this with any more findings…

Invision Power Revokes Perpetual/Lifetime Licensing – My Thoughts

Written by William Roush on December 28, 2014 at 1:56 am

A story about a board administrator’s experiences with Invision Power’s move to drop Perpetual/Lifetime licensing, and the responses from the community.

What Is Perpetual/Lifetime Licensing?

Perpetual/Lifetime licensing allowed those of us on the older Invision Power IP.Board software (prior to 2007) to have lifetime upgrades for as long as the product was around and only pay for support if we wanted to open support tickets. Someone who wanted to run the boards for an extended period of time and didn’t need to rely on support for anything could break even after quite a few years of operation (usually around 4 years).

The Decision To Purchase

Back in 2006 I was running a small board with a handful of users, mostly friends. I had some plans to expand the board that never really panned out. During this time Invision Power was closing out their lifetime licensing, and I decided that dropping the extra cash for the software would be a worthwhile investment if I ever decided to start up a board again.

This is important, because I honestly haven’t really been using the software for the past 8 years, which sets the tone for why I feel burned. Recently I decided to investigate the use of IP.Board for a new project…

Invision Power’s Move To IPS4

So Invision Power is working on a new version of their forum software, called IPS4, it’ll consist of a “core” module and their forum software.

“With IPS4, we’ve changed directions somewhat in that IP.Board as we all know it will become a forums app within the suite. Members, profiles, search engine, ad management, spam mitigation and other key items are now part of the suite core. This allows for cleaner, more streamlined integration across the whole suite with the forums app no longer carrying the weight of the load which led to clunkier integration in the 3.x line.” – Lindy, IPS Management

No different than it is now...

Whoops, that’s how our software is technically licensed in 3.x, oh well. Sure more responsibilities are in the core, but the point still stands.

“After careful consideration, we determined the most appropriate thing to do is offer the ability for legacy customers to switch to the newest structure, free of charge — this would allow them access to anything current customers have access to. Legacy customers would receive six months free renewals, so there are no out of pocket expenses. After that period, renewals would then be $25 every six months, which would include all of the latest services such as chat and spam mitigation.” – Lindy, IPS Management

“After careful consideration, we decided to invalidate lifetime licensing and ask for more money.” Bold strategy, Cotton, let’s see if it pays off.

“I would like to stress that these legacy licenses were only offered for 2 years – there really aren’t that many of them and even less exist today as most have converted to the new structure over the years to leverage hosted services such as spam mitigation. All told, these changes will only have a net impact on less than 4% of our license holders – of those 4% we’re not sure how many still even use their license. From IPS’ perspective, it makes sense to clean up our backend systems and rid them of 10-12yrs of accumulated coding provisions to handle different license types under different scenarios. Further, it allows us to more cleanly reintroduce our software as a true suite of community applications with seamless integration across the offerings.” – Lindy, IPS Management

If those of us with lifetime licensing don’t make up a substantial part of your customers, mind refunding that licensing then? Also, customers shouldn’t have licensed benefits revoked because you didn’t consider it in your billing software setup.

A forum member brought this up:

“The license was for IP.Board, not IP.Core + IP.Board. If IPS wanted to, they could call the forums “IP.Forums” or “IP.Discussions” starting with v4 and legacy license holders wouldn’t have any claim to it at all. Might be off of IP.Board, but since it’s a rewrite of the code and such, it could be given a different name and would be perfectly legit.” – Wolfie, Forum Contributor

However, that wasn’t the case with Invision Power 2.x (around 2004) or 3.x (2009): under both of these releases they could have just renamed the system (and if I’m not mistaken 3.x was actually rebranded to “IP.Board” from “Invision Power Board”).

Discussion link 1, discussion link 2

Further Iffy Behavior – Charging For Domain Changes

Another fee they’ve tacked on is some “administration” fee for changing your domain more than once every 6 months. In the early days of testing I hosted the site on a handful of different domains (all variances of the original domain name), it was a pain but I got the license changes done during the process. Now you pay $15.

“It’s to stop dishonest clients from “domain hopping” a licence in order to be able to get support on them all, instead of legitimately paying for support on them all.” – The Heff, Invision Power Client

That doesn’t make sense, you only get support for whatever the currently licensed and active board is. Auditing can easily track hopping, and paying $15 doesn’t prevent this (and is still much cheaper than buying multiple licenses), it barely impacts those that are stealing $200 pieces of software, and harms those that are experimenting or host multiple domains (and aren’t just reverse proxying their way to victory).

Also, this system is completely broken for lifetime license holders. Those “hacks” that make the system work are working well.

This sounds like a cash grab and less like they’re resolving an issue.

Leaving Early Adopters Out In The Cold

Mind you, the solution we’re being given is to give us a $100 credit towards a platform that we must pay $25 every 6 months for updates (something we got for free prior)! This is their “generous” offer to us (and they’re using this word so many times it’s raising my blood pressure. We get to decide if it’s generous; it’s pretty crass for you to be repeating it yourselves so often, hoping we’ll parrot it back to you).

I think one of the biggest telling pieces is this bit from Lindy:

“Naturally, we consulted with our legal counsel just as a matter of due diligence and the option to simply discontinue legacy licenses without any further intervention was technically within our right, but we did not achieve our position as a respected leader in the industry by being that company. After feedback discussion from customers and other parties, we devised and fine-tuned this solution, which we think is very fair.” – Lindy, IPS Management

Pretty much telling me “yeah, we were so unsure about this we consulted a lawyer” is already pretty telling: you knew this wouldn’t go over so well that you had to seek legal counsel.

“The goal behind this change is to allow the software and internal systems to move forward without provisions and hacks from purchases made a decade ago. When these licenses were offered, we had limited product offerings, no spam mitigation, chat, etc. Since introducing those, we’ve incorporated hack upon hack to accommodate older licenses because we genuinely do appreciate those early adopters and their purchases. Further, we had IP.Board – which was everything – the core and otherwise. In IPS4, we have a forums app, which is an independent component of the suite, much like Gallery, Blog, Nexus, Content, etc. Search engines, file/storage handling, members/profiles and much more is all part of the community suite core that all applications share. With that, the time has come to press forward for the future and we would very much like to take our early supporters with us – hence the, in my opinion, appropriately generous offer which in some cases, more or very close to the original purchase price; again, even after a decade of usage.” – Lindy, IPS Management

You’re telling me that because of your team’s inability to plan on how to support various configurations that you’re just dropping a chunk of your customers, a good chunk that is the reason you guys are here today? Your earliest adopters?

WordPress can monetize on a hybrid system of free/paid services; are you telling me Invision Power’s engineers can’t figure out how to write a system that’ll handle it?

Literally telling me they must “hack” the system to make it compatible is telling me they don’t know how to properly implement a system that’ll handle it.

Mind you these are my options if I stay with this product:

  1. Don’t upgrade, stop receiving updates when Invision Power stops updating 3.x, get my IP.Board install hacked.
  2. Upgrade, get two years free usage, then pay $50/yr after that.

At the end of the day, I’ll just find another board, but I’m sure going to recommend a long list of boards before this one now, and I’m going to feel really burned that I dropped money on the future of a product (literally), and got that taken away by the very company I gave money to.


And to leave with this tidbit:

“Please think about what the Internet has done in the past decade, how it has evolved and how we, as a company, have evolved. Ultimately, we need to move forward and we feel we’ve found a fair and just way for you to join us. We do recognize, however, that not everyone will feel that way and apologize for those ill feelings.” – Lindy, IPS Management

Literally “People are moving things to recurring payment services now, and we want a piece of that”, thanks Invision Power.

Intuitive Password Online Password Management Review

Written by William Roush on September 8, 2014 at 8:06 pm

A review for the online password manager Intuitive Password.

Disclosure: I was requested to look at Intuitive Password. I generally don’t look at online password managers due to a lack of self-interest in them, but I figured I’d give it a go if a reader suggests it.

Intuitive Password is a software as a service platform for storing and managing your passwords, similar to KeePass or PasswordState, but out on the internet where you don’t have to manage it and it’s nearly always available.

Registering


Registration page

The registration page is really straightforward, with just one minor complaint: the “security question” is an open-ended free-form text field. This leads to people putting in things like “how many cubes away from John am I?” (I have actually run into this one before), which after a few guesses gets you into their account. Though honestly this is less Intuitive’s fault and more a matter of how security questions can be broken. Just make sure you pick a really solid security question.

Gmail used to do the same thing, now they have more secure password reset options (phone call, recovery e-mail, or a Google-enabled device).

Logging In

On-screen keyboard, an attempt to fool keyloggers.

One thing I noticed during the log-in process was a JavaScript-driven keyboard for password entry. On one hand this will fool a lot of keyloggers; on the other hand I have seen keyloggers that tracked enough to pull your password off of this (some take screenshots, others record mouse positions on clicks). I can’t really imagine myself using it.

Password Management

All that you'd really want.

Password management is really straightforward and works like every other password manager: give it a title, set the password. The available fields are driven by what category your password resides in.

Password ratings give a quick visual cue on your password's security.

Organization

Password category management is nice.

The slick UI really helps with this, and the default layout shows that Intuitive Password isn’t just for logins, but any other encrypted information you want to keep. You can create additional custom categories, each with their own custom fields, leaving it up to you how much or how little you want to keep in here.

This software by default has security questions for general logins, domain/machine name, IP address, etc. for network logins. So a bit of thought was put into having a nice starting configuration for your categories.

Sharing

You can share individual passwords with other people, it’s as simple as inserting an e-mail address. Not exactly useful for larger teams without a lot of tedious work, but it’s good if you want to share a handful of passwords with another person.

Account Management

IntuitivePassword - Account Details

Account management is straightforward: the ability to reset your password and your security question, set up two-factor authentication, pretty standard stuff. The biggest thing I like here is the display of the currently running version of the software. I always like to know when my SaaS platforms get updated (and push for this to be an option on projects I work on).

IntuitivePassword - Country Restrictions

An interesting feature I’ve observed was login restriction by country, pretty cool little feature.

Additionally they do support the concept of downloading all of your passwords in case you want to move to another platform, which is always an awesome option (may be required by law in Australia, not sure), and they have the ability to download/restore your own backups in case you’d rather not rely on Intuitive Password’s team to do that for you.

UI/UX

IntuitivePassword - UI

Intuitive Password has a pretty slick UI, I like the look and feel. The only complaint I have is that the textured background that permeates through all UI elements can sometimes make certain letters not the easiest to read (only had that happen once on a specific field), but generally the chosen font size and style makes everything really clear.

As for UX design, everything is pretty accessible and intuitive (heh), the only feature that wasn’t immediately apparent was sharing passwords (I was always mentally driven to the “shared” tab to try to figure things out, not to the bottom of your currently selected password). The integrated help is unobtrusive and very informative and is available throughout the software.

Quick Login

This is similar to your auto-type you have on similar software, this only applies to web based software (so no auto-logging into your games). It consists of a bookmarklet that pulls scripts from Intuitive Password’s servers and will attempt to log you in.

IntuitivePassword - Quick Login Training

If you attempt to quick login on a page that Intuitive Password doesn’t know how to log into, it’ll ask you to train it to understand what the login process is. So instead of just jabbing at currently selected fields like KeePass does, it is actually somewhat aware of the website layout (though this won’t work for those multi-step banking sites that have a massive amount of security theater going on).

Offline Storage

Offline storage is pretty cool; right now they only support sending you an HTML document with everything embedded. Your passwords sit in a base64-encoded encrypted blob that is decrypted with an AES key derived from your offline password. They’re also looking at adding Dropbox, Box, and OneDrive support in the future.

Mismatching password lengths.

One thing I thought was a problem but figured out was a major benefit was this password screen. Here I’m trying to type a 32 character long password (longer than the 20 character limit), and they only truncate the confirmation password field, so the mismatch is visible. This prevents silent truncation of passwords, which is a major thing I complain about in my upcoming post about password security theater causing massive user experience issues.

I like these little details that prevent me from accidentally doing dumb things.

Online Storage

Well, if I was going to investigate how passwords are stored offline, it only made sense to figure out how passwords are being transmitted online. Given the offline storage I had a lot of hopes for this, until I ran across this:

Password being sent embedded in the JSON response.

I’m kind of surprised that with all the care passwords are given on client-side storage that the server still handles decrypting/encrypting your password for you, meaning a breach at the cloud provider can put your passwords at risk.

This is why I generally like the option that CrashPlan provides: a second password so that the Software-As-A-Service provider CAN’T decrypt it even if they wanted to. There are also single-password designs that achieve this (derive a key from your password and use it to prove your login to the server instead of sending the password itself, and have the server hand back encrypted data that the client decrypts with a separately derived key, or something of the sort).
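To make the single-password idea concrete, here is an added example in Python (my own illustration, not Intuitive Password’s, CrashPlan’s or anyone else’s code): one password is stretched with PBKDF2 and split into an authentication key, which is the only thing the server ever sees, and separate encryption and MAC keys that never leave the client. The `VaultServer` class, the HMAC-SHA256 counter-mode stream cipher, the iteration count and the sample vault entry are all constructed for illustration; a real client would use AES-GCM or similar in place of the stream cipher, but the property being demonstrated, that a dump of the provider’s database yields no plaintext, does not depend on that choice.

```python
"""Client-side key separation for a web password manager (added example).

One password -> PBKDF2 -> three independent sub-keys:
  auth_key : sent to the server at login; the server stores only a hash of it
  enc_key  : encrypts the vault on the client
  mac_key  : authenticates the ciphertext on the client
The server never sees the password, enc_key or mac_key, so a breach of its
database exposes only salts, verifiers and opaque blobs. The stream cipher
below is an HMAC-based stand-in for AES (constructed for illustration).
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # illustrative work factor, not a recommendation
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes, bytes]:
    """Stretch the password once, then split it with labelled HMACs."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)

    def sub_key(label: bytes) -> bytes:
        return hmac.new(master, label, hashlib.sha256).digest()

    return sub_key(b"auth"), sub_key(b"enc"), sub_key(b"mac")


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR)."""
    blocks: List[bytes] = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def tag_is_valid(mac_key: bytes, blob: bytes) -> bool:
    """Constant-time check of the trailing tag over nonce || ciphertext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return False
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def decrypt_vault(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Refuse to decrypt anything whose tag does not verify."""
    if not tag_is_valid(mac_key, blob):
        raise ValueError("vault blob failed authentication (tampered or wrong key)")
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class VaultServer:
    """Provider side (constructed): salt, hashed auth_key and opaque blob only."""

    def __init__(self) -> None:
        self._users: Dict[str, Dict[str, bytes]] = {}

    def register(self, user: str, salt: bytes, auth_key: bytes, blob: bytes) -> None:
        # auth_key is already a 256-bit derived value, so a plain hash suffices
        # as the stored verifier; the raw auth_key is not kept.
        self._users[user] = {"salt": salt,
                             "verifier": hashlib.sha256(auth_key).digest(),
                             "blob": blob}

    def salt_for(self, user: str) -> bytes:
        return self._users[user]["salt"]

    def login(self, user: str, auth_key: bytes) -> Optional[bytes]:
        """Return the encrypted blob on success, None on a bad auth_key."""
        record = self._users.get(user)
        if record is None:
            return None
        presented = hashlib.sha256(auth_key).digest()
        if not hmac.compare_digest(presented, record["verifier"]):
            return None
        return record["blob"]

    def stored_bytes(self, user: str) -> bytes:
        """Everything an attacker obtains by dumping this user's row."""
        r = self._users[user]
        return r["salt"] + r["verifier"] + r["blob"]


def demo_round_trip(password: str = "correct horse battery staple") -> bytes:
    """Register, then log in from a fresh session and decrypt on the client."""
    server = VaultServer()
    salt = secrets.token_bytes(16)
    auth_key, enc_key, mac_key = derive_keys(password, salt)
    server.register("alice", salt, auth_key,
                    encrypt_vault(enc_key, mac_key, b"example.com: hunter2"))
    # New session: re-derive everything from the password and the stored salt.
    auth_key2, enc_key2, mac_key2 = derive_keys(password, server.salt_for("alice"))
    blob = server.login("alice", auth_key2)
    if blob is None:
        raise RuntimeError("login rejected")
    return decrypt_vault(enc_key2, mac_key2, blob)
```

The point to take from `VaultServer.stored_bytes` is that nothing in it is derivable into `enc_key` or `mac_key`: the verifier is a hash of a sibling key, and the three sub-keys are independent HMAC outputs of a master the server never receives.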

Master Password

They do have the ability for you to add additional security to your passwords via a “master password”, but this is still sent to the server and decrypted server side; it really just adds a layer for the case where someone gets your account password on your desktop.

Overall

Intuitive Password is a pretty slick product; if you’re not paranoid and don’t mind storing your passwords online (and the provider having access) I’d definitely recommend it. I’ve been advised to look at LastPass, as they apparently handle online password transmission differently, so keep an eye out for that review too.

Upsource EAP Preview – Repository Browser and Code Review From JetBrains

Written by William Roush on August 28, 2014 at 10:38 pm

This article is a bit out of date, JetBrains has made some changes that I need to review and update the relevant sections of this article.

Upsource is a new code browser and code review system by JetBrains, the guys behind popular development software like ReSharper, IntelliJ IDEA and TeamCity.

Update: I’ve been talking with some of the developers, I’ve made notes around the article with things they’ve gotten back to me about.

Upsource Early Access Program

Upsource is currently available through its Early Access Program. Mind you, everything you read here is about Upsource in its EAP state; I’ll be doing more reviews as the software evolves (JetBrains continuously adds awesome stuff to their software).

Requirements

Shame on me, didn’t check this at first. Threw it on a Linux machine with 2GB of memory, watched the entire system crash with out of memory exceptions. Oops.

The 8GB of RAM is a little steep, but it’s sitting on top of Java, so some memory hungry behavior is expected.

Upsource is a bit hungry resource wise.

You may want to throw two CPU cores at it, startup was a bit slow, however once it was running the application was smooth.

Lets Get Started

So I unpack the zip file, install OpenJDK 7’s JRE, and fire up the services, Upsource is reported as online, but I’m met with a blank page while Java thrashes about. Very easy to set up though.

Project Management

Creating A Project

Creating a project is quite easy: give it a name, point it at your current repository server, and away you go. No hang-ups here really.

Project Sprawl

At the current moment, for those of us working at places that have 40+ projects, it looks like there will just be a massive amount of horizontal sprawl going on. TeamCity had a similar issue until recently, when project hierarchies were added; I’m sure this will end up in Upsource at some point.

This also includes the groups that are automatically created (“[project] Developers”, “[project] Observer”, and “[project] Project Admin”), these will be created for every repo you have, even though you’d likely have a ton of repos under one group schema.

Main Upsource UI

Main Upsource UI, showing projects and a news feed.

When logging in you view all available projects and your news feed. I really dig the news feed, showing all comments on your reviews and mentions for your user account. The main thing I don’t like is that getting to this page from a child project is annoying.

Project Status UI

Project overview UI is pretty straightforward.

The main project UI is pretty basic but gives you what you want, on the left side you see a handful of recent changesets with a nice visual tree. From here you can navigate to a commit to start a review, browse code in the repository or jump straight to analytics.

Analytics

This is one of those major extras I love with systems like Upsource and Crucible. This gives a very visual breakdown of who handles what commits, and who is handling what reviews.

Statistics for Redmine contributions pulled from Bitbucket

The visualization is powerful. I'd like the ability to map multiple users together to a single user in Upsource (doable in Redmine, Crucible, etc.), and please allow this setting to be global (a major problem Crucible had the last time I used it).

Code Reviews

This is by far the biggest reason I was looking at Upsource. Previously I've looked at using Crucible for our code review system, and I like 90% of it, however there is a critical piece of functionality it lacks: a good UX workflow for post-commit review across multiple branches of code. Sadly Upsource also suffers from this problem (and straight up doesn't support it, more on this later).

My Mercurial Workflow

Basic mercurial workflow I follow.

The workflow I follow is pretty straightforward: each bug or feature gets its own named branch in Mercurial; each branch is closed and merged onto a staging branch where things are tested, verified and reviewed; and once everything is approved it goes onto default to get tagged and released.

Where Upsource Fails To Support This Workflow

Update: This is planned to be fixed in the 1.0 release, I’ll see if the UI works well.

To create a review in Upsource you select a single commit and click “Create Review”, from here you can add more revisions using Upsource’s powerful search system.

There are a couple of issues I have, however. If I search for “branch:stage-1.1.0”, it will apparently also bring in every ancestor of the named branch “stage-1.1.0”, which includes all previous commits, so I can't easily just add all the commits I see on the search page.

I can search for each individual commit ID by searching for “id:[] OR id:[] OR id:[]” for every included changeset, however there is a problem with including changesets from different branches (more on that later).

I'd love a powerful way to select all changesets between the default commit at the bottom of the workflow image above and the last staging commit; this would make the workflow a thousand times easier and would instantly have me sold.

Code Review UI

Inline review is pretty clean, single-line comments leave a little to be desired.

The UI is pretty clean. One feature I do miss from ReviewBoard is block comments: you choose a range of line numbers by clicking and dragging and put a comment on them, which brings a developer's attention to a block of code instead of an individual line.

Side-by-side diffs are available too.

Side-by-side diffs are nice; double clicking still lets you add comments to the commit, which wasn't immediately apparent. They should probably reuse the same edit icon from the inline diffs.

Additionally, I really did prefer the single-file UI Crucible has. I've worked with changes that span 10-15 files and hundreds of lines; when these are all crammed onto the same page your scroll bar gets really tiny (and browser performance starts to suffer). These aren't frequent, but when refactoring old code bases it's bound to happen.

Code Review Process

Unlike Crucible there isn't a predefined process, which is unfortunate: every time you do a review you add individual users as reviewers and individual users as watchers.

Completed reviews show a green check box near the user's icon.

I do like that you complete reviews, which is better than ReviewBoard's single “ship it” button, which gives you no way to mark a review as completed but the code quality insufficient for production.

Reviewing Code From Multiple Branches

Update: This is planned to be fixed in the 1.0 release.

So when attempting to review code from multiple branches (say, from my example, the resulting code from bug 1 and bug 2 being pushed to live), you are greeted with this error:

No multi-branch review support.

So even if I were patient enough to select each individual changeset, it won't support it.

Repository Browser

Code Display

Code browser, limited language support.

The code display is pretty straightforward: it lets you browse through your repository and uses the same display as the inline diff UI. The only thing I wish I had here is syntax highlighting for more languages (even if it was a framework that 3rd parties could write plugins for).

File History

File history, what more is there to ask for?

File history is pretty straightforward; I seriously can't think of anything to ask for.

Code Annotation

Annotation works like blame in Git/Mercurial.

Code annotation is pretty nice: it shows you who made the last change and in which changeset, much like blame in Git and Mercurial, but this UI is a bit nicer and lets you navigate straight to the related changeset.

Final Thoughts

Sadly Upsource doesn't support the code review process I'd need in order to adopt it, however JetBrains is known to constantly improve their product line and I'm eager to see this product continue to evolve. If you don't mind per-commit reviews (instead of batching reviews based on branching policies) then I'd recommend you keep an eye out for Upsource's release.

Required Features Before I’d Use it

  • Support for batched reviews, based off the results of multiple branches coming together.

Tasty Features

  • Ability to define a more strict review process (all reviews require approval from [x] people from team [a] and/or [y] people from team [b]), with the ability to automatically mark a review as complete when this objective is met.
  • Approval/rejection of a code review.
  • Single-file review process that isn’t just side-by-side.
  • A little more love for the side-by-side UI.

Bugs I Ran Into

  • Every once in a while when refreshing a page I was greeted with an authentication failure error; refreshing the page a few times would generally fix this.
  • Adding an empty repository will have pretty bad consequences and errors everywhere.

Curiosities

  • On every page you navigate to in Upsource you are greeted with a “Loading Upsource” UI element while the page loads, as if they intended it to be a single page application but moved away from it; at least I don't typically see this behavior in an application made of individual pages. Update: The application is supposed to be a single page application! Found a bug that apparently is known but they're gathering info on; I will be providing info to JetBrains to fix it.

How VMware Can Make The Web Client Awesome

Written by William Roush on August 4, 2014 at 12:39 pm

Some pretty basic design principles that would make the web client on VMware awesome, including the ability to make it redundant and supported on free systems!

I was reading this article by Trevor Pott, which does a fairly good job of covering some major problems with VMware's vSphere web client and how absolutely terrible it is. However I have some major issues with the article, first of all that it makes no concrete suggestions on architecture changes (how do we handle the vCenter single point of failure? What about free clients? What about the Flash plugins?). Here I'm going to offer up some suggestions to reaffirm Trevor's stance that VMware could and should do this better!

A True Single-Page Application

By far, I figure one of the easiest ways to resolve all of our issues is a solid single-page application: the website you visit loads all the resources it needs onto your computer and runs without refreshing the page. This is generally done using HTML5 and Javascript; common frameworks include AngularJS and Ember.js. A giant Flash application like the vSphere web client has now doesn't really count.

How to Handle the API

Some suggestions on how to handle API calls to the hosts/vCenter:

  1. Transparent layer – Have the web server host a JSON-based API that gets translated into the API calls to the host/vCenter box. This allows very low-overhead calls (as opposed to very noisy SOAP) and lets Javascript do what it does best (talking in its native tongue instead of using Apache CXF for Javascript clients). This incurs minor overhead on the host running the web server to do the translations, and it effectively creates two web APIs (though arguably you wouldn't support consumption of the JSON API).
  2. Reverse Proxy – This removes any difficulty with Javascript dealing with cross-port requests, but you're going to be leveraging something like Apache CXF for the web services.
  3. Direct Communication – vCenter and VMware's APIs already exist over HTTPS as web services; if you serve up the single-page application from the same domain/port in a hybrid host setup there will be no additional overhead!

In-Browser Remote Console

Now, I'll admit this one piece is pretty experimental, and by all means feel free to fall back to a Flash/Java console, but what I'd really like to see is a true in-browser console; look at solutions like Guacamole, which runs a full VNC client in-browser. Of course there may be some barriers here (Guacamole requires server-side code, and I'm not sure how much overhead is acceptable on the BusyBox management VM on vSphere).

The only feature I can't think of a way to reproduce in HTML5 is the direct device access required for mounting ISOs/USB devices.

Addressing The Single Point of Failure

These thin API layers (or in one case, no layer at all) allow not only vCenter but also the individual hosts to serve these single-page web applications. Now it becomes safe to completely scrap the old vSphere desktop clients.

Browser Security

Trevor Pott does some hand-waving about security issues in browsers, and then goes on to complain that the problem really lies with Flash and Java applets. I'd recommend dropping auto sign-on, removing all need for plugins, and leaving it at that.

The current desktop client embeds Java applets for some 3rd-party tools, so to say it's more secure is silly.

Speed

“The old Windows client is imperceptible. Click and the info is there. Expanding a tree just completes in a time frame so short that a human can’t tell there was a delay.”

Yeah, I'm not going to stand by this stance at all: the desktop client is a massively bloated, slow piece of garbage. It eats a massive amount of memory and is prone to killing consoles, requiring you to play whack-a-mole in your process manager to kill the spawned processes and get it online again.

The web client is slower, but the desktop client isn't some ideal we'd want to achieve; it was pretty bad to begin with.

Using PowerCLI most operations seem pretty much instant, so the slowness seems to be entirely overhead in the applications themselves; a well-written single-page application could easily handle this and be lightning fast.

“What’s ultimately the damning element of this is that Internet Explorer is the most common enterprise browser. In many environments, browsers that aren’t Internet Explorer are outright banned.”

This is more of a problem with your work environment than with the web application itself. If you're on IE11, things are pretty decent (Javascript is fast, support for modern features is pretty up to date). If you're at a company that keeps you on IE8 and won't let you install Chrome, that is absolutely no fault of VMware's.

Other Options and Why I Think They’re Not Good Routes

Native Application

This is going back to the roots of the vSphere desktop client, which generally comes with the same problems (it's going to be Windows only). I highly doubt VMware will write some GTK+ Windows/Mac/Linux client. So far VMware has still been unwilling to patch a major problem with RVC, so I don't think they're giving attention to more “hip” languages like Python and Ruby.

Cross-Platform Application

The next option is a cross-platform application, and I know what they're going to do: whatever every other vendor has done.

Java.

I don't really think I need to say more. I have a love/hate relationship with Java, but most system admins have just the hate side. Mainly it comes down to this: writing cross-platform applications is more costly in languages that don't have a solid platform like Java's.

Mono is also an option, but I have a feeling VMware won’t jump on that boat this early.

Freebies

By far one of the best parts of major infrastructure decisions: freebies, additional features or supported platforms that come with reduced, little or no effort. This list is by no means exhaustive.

OSX/Linux Support

This has been a goal off and on for VMware; obviously a fully HTML5 client will get you 98% of the functionality on OSX and Linux, with minor plugins needed for device management.

Mobile Support

Take that single-page web application, wrap it in a delivery method like PhoneGap, style it so that it fits better on the device (different CSS files for phone/tablet), and you'll have not just a small subset of features (like most current mobile apps) but the ability to fully manage your VMware cluster from the ground up.

Overall

There is no reason VMware should have shipped the web client in its current state, nor is it an example of why VMware shouldn't dedicate resources to writing solid web-based management software; it misses most of the point while throwing all of its resources into a dying framework. A bit of design centered around delivering the things customers have been asking for could lead to a product that puts all competitors to shame, instead of turning customers away from vSphere.

ScreenConnect Review

Written by William Roush on July 16, 2014 at 9:00 pm

Looking for remote support software that won't break the bank? Open to self-hosted alternatives? ScreenConnect is a viable, feature-rich option with a very affordable price point.

ScreenConnect

What Is ScreenConnect?

ScreenConnect is self-hosted remote support software, an alternative to LogMeIn Rescue, GoToAssist, or TeamViewer. The largest difference between ScreenConnect and its competitors is that it is self-hosted: you deploy it on your own private servers.

Why Self-Hosted

Self-hosting comes with a variety of benefits; first is complete control over your traffic and environment. You can lock administration to internal access only, put it behind a reverse proxy, or require additional authentication. The sky is the limit.

However, the biggest benefit to self-hosted (at least in this case) is the price.

Licensing

The cost of ScreenConnect at the time of posting is $325.00 per license. Each license entitles you to one concurrent support session. A support session is defined as an active connection between a host and a guest. This means the session can float around a small team, where any one person can be supporting someone at a time. It also means multiple techs can be on with a single guest and still only consume one license.

Let's break down the cost of 3 years of ownership against some competitors:

Solution        Licensing scheme                               1st year  2nd year  3rd year  3-year TCO
ScreenConnect   $325/seat + 20% support renewal/year           $325      $65       $65       $455
TeamViewer      $749 one time (1 authorized workstation)       $749      $0        $0        $749
LogMeIn Rescue  $1,188/yr                                      $1,188    $1,188    $1,188    $3,564
GoToAssist      $660/yr subscription                           $660      $660      $660      $1,980

Requirements

The full list of ScreenConnect requirements can be found here. One of the biggest benefits is that you can run ScreenConnect on a variety of server platforms, including Windows, OSX and Linux!

ScreenConnect achieves this by running a .NET application on top of the Mono platform. I've been wary of Mono before, but ScreenConnect's performance and stability have changed my mind entirely about how commercially ready Mono is.

Download And Installation On Debian 7

Installation is easy: download the latest tar.gz file, unpack it, run the installer, and follow the instructions. (Note that the download below is over plain HTTP; if the vendor publishes a checksum for the archive, verify it before running install.sh as root.)

root@screenconnect:~# cd /tmp
root@screenconnect:/tmp# wget http://www.screenconnect.com/Downloads/ScreenConnect_4.3.6563.5232_Release.tar.gz
root@screenconnect:/tmp# tar xvf ScreenConnect_4.3.6563.5232_Release.tar.gz
root@screenconnect:/tmp# cd ScreenConnect_4.3.6563.5232_Install/
root@screenconnect:/tmp/ScreenConnect_4.3.6563.5232_Install# ./install.sh
Welcome to the ScreenConnect Installer

The installer will do these things:
1) Prompt you for installation options
2) Display a list of actions to be taken
3) Prompt you for execution of the actions
4) Execute the actions

Where would you like to install ScreenConnect?
[/opt/screenconnect]

What would you like as the service name for this ScreenConnect installation?
[screenconnect]

The installation will perform the following actions:
- Install libavcodec-extra-53 with Advanced Package Tool (apt)
- Install libswscale2 with Advanced Package Tool (apt)
- Install libavutil51 with Advanced Package Tool (apt)
- Install libavformat53 with Advanced Package Tool (apt)
- Create service script at /etc/init.d/screenconnect
- Create startup links in /etc/rcX.d/ directories
- Copy files into /opt/screenconnect
- Initialize configuration files
- Start screenconnect service

Do you want to install ScreenConnect?
(Y/n): y

[[Removed installation output]]

Running 'Create service script at /etc/init.d/screenconnect'...
Running 'Create startup links in /etc/rcX.d/ directories'...
Running 'Copy files into /opt/screenconnect'...
Running 'Initialize configuration files'...
Running 'Start screenconnect service'...

Installation complete!

Trying to figure out the best URL for you to use...

To access your new ScreenConnect installation, open a browser and navigate to:

http://localhost:8040/Host

root@screenconnect:/tmp/ScreenConnect_4.3.6563.5232_Install#

Navigating to http://[your host’s IP]:8040/Host will present you a wizard which will walk you through the rest of the installation process, including setting up your primary administration account and configuring your licensing information (if you need a trial license visit http://www.screenconnect.com/Try-It-Now).

Hosting a Support Session

Hosting a support session is easy: click the plus button next to the “Support” header on the left, and you'll be greeted with a list of options for sending your support request out.

Lots of options, easy to use.

I generally use invitation-only sessions and generate URLs to send to people over chat/e-mail. ScreenConnect supports plugging into an SMTP server and sending mail for you, or leveraging your locally installed mail client to send e-mails (I prefer the local mail client for this).

Active sessions are displayed in a list form, easy to tell status and who is connected.

Your end user will be presented with instructions on how to connect; ScreenConnect supports a variety of methods to get the end user online, including ClickOnce and Java Web Start, standard methods you'll see competitors using.

Easy to understand instructions for the end user.

From there it’s like any other remote desktop support software, with a large array of tools at the top of your screen.

Connection Information

Wide array of audio options, including listening and sending audio.

Screenshot capture and video capture.

Various file transfer options, nothing out of the ordinary.

Customizable toolbox, upload files that will be available between all sessions.

Display quality and management.

By far the biggest thing I love about ScreenConnect's UI is how well it manages multi-monitor clients. In most other software switching between displays is clunky or seems sort of “out of the way”; ScreenConnect makes it feel right.

Various additional features.

Nothing out of the ordinary in terms of rescue features: blanking of devices, blocking of input, safe mode support. A bunch of “must haves” have all been checked.

Meetings

Meetings are kind of the inverse of support requests: a single presenter and multiple viewers. The UI is tweaked a bit to support this concept. I've had some minor UI workflow issues, with handing the presenter role around being a little clumsy, but other than that it works well.

The only downfall of using it for meetings over GoToMeeting or something similar is that ScreenConnect doesn't support plugging it into a phone system (though I understand this isn't a trivial task from either the programming or the logistics end), so you'll either need to set up a conference room on your phone system or use the built-in VOIP functionality.

Administration

Administration is fairly straightforward; everything is done with role-based access. Though you can lock things down and prevent users from accessing specific groups of machines, the difficulty of doing so in the UI leaves much to be desired (though this is currently being worked on, as I understand it).

A nice server status screen showing general health of the application.

Funnily enough, the status screen shows a “Windows Firewall Check” even though I'm on a Linux host…

ScreenConnect supports theming, allowing you to bring it in line with your company's brand (be aware though, changing themes restarts the web site, so don't expect uninterrupted service if you're messing with that).

Additionally ScreenConnect keeps an audit log in the admin control panel, very useful if you need to track down changes or actions taken against the system.

Overall

ScreenConnect packs a ton of punch for a low cost with a wide range of platform options on a stable and rapidly developed software package. One of the most impressive things I’ve seen about ScreenConnect is the speed at which they’ve moved forward and provided more features, iterated on parts that were lacking and end up delivering a stable polished product every time.

In my opinion it is a must-have. With UPnP support it allows small-time technicians to purchase a copy, install it and run it on their home machines with no effort at all (keep in mind that a UPnP port mapping exposes the server to the internet, so lock down the administration side as described above), but it includes the feature set and stability to be used at your SMB office (and probably beyond).

Passwordstate – Enterprise Password Management Review

Written by William Roush on May 30, 2014 at 4:40 pm

An end-user review of Passwordstate, a shared web-based password list software that gets you all the additional features you wanted over KeePass and other equivalents.

Before we start… Sorry about the large gap in posts, a mix of writer's block and working on reviews for a handful of things (Zultys PBX, ScreenConnect, etc.); there will be MUCH more to come soon!

I’d also love to write about more IT subjects in Chattanooga (locally developed software, startups, IT community, or businesses), if you have any suggestions feel free to throw them my way!

What is Passwordstate?

Passwordstate is a web-based password management tool written by Clickstudios. Think of it as KeePass on the web, deployed inside your own private network.

Why Use it Over KeePass?

I personally love KeePass; I can't talk about it enough, and I wrote a post a while ago all about it. However, as much as I like it, it falls short on some management features I need when working in a team with diverse responsibilities and access levels. While we could create a lot of process and hoop-jumping to resolve this, I'd rather not if it can be avoided (plus, we're IT, we want software to do the hoop-jumping and process for us! That is what it's there for).

Prerequisites For Install

The requirements for installation are pretty straightforward, IIS 7+ and MSSQL 2005+; once these requirements are met the install for Passwordstate is easy. I'm deploying it on IIS 8 and MSSQL 2012 Express on top of Windows 2012 R2 for this review.

Organization

Passwordstate makes everything pretty easy to get to. Unlike KeePass, passwords are kept in “password lists”; imagine these lists as folders in KeePass. These lists can have a long list of permissions and customizations added to them (see later in this review for those options). On top of password lists you can create folders to store groups of password lists.

Navigating password lists is pretty simple.

In the example above we have a folder for development environment passwords; we could grant our storage admin access to “Storage Arrays”, our DBA to “Database”, and so on, allowing fine control over lists. Additionally I have a personal password list named “William’s Password List”, more on personal password lists later.

Password Management

Creating and editing passwords is pretty straightforward, a handful of fields you're pretty familiar with if you use a password vault. Nothing really too special here other than a very nice UX design.

Auditing

By far the biggest benefit over a system like KeePass is the ability to audit access to passwords. Want to know who last updated the password on a service account? Whether a system admin scanned all passwords before leaving? KeePass won't tell me any of that.

Simple UI, easy to grab a password or check recent audit events.

Audit reports can be sent at regular intervals to your e-mail so you can stay on top of what is going on.

Further details on the state of your password lists.

Personal Password Lists

Passwordstate has a different kind of password list for personal use: you can make a list for yourself that has additional security features (while you can put a password on a regular password list, I can usually justify an additional password on a personal list a lot more easily). In this case I've put a separate password on it from my account, requiring another step of authentication. These lists cannot be seen by administrators and stick with you.

Keeping personal passwords centralized have many benefits too.

The ability to keep your passwords in Passwordstate allows you to easily hand over all account passwords for various pieces of software (for example, if you hold a lot of licensing portal credentials under your personal e-mail account).

Password List Options

Another very powerful addition over KeePass is the customization behind your password lists.

A long list of configurable options to help make each list customized to its purpose.

You can have some lists sync with Active Directory, others have very strict password complexity requirements, some lists only available during work hours, and other lists have expiration dates.

Problems With Passwordstate

There are a handful of issues with Passwordstate. First and foremost, everything has to be done via the web UI. While Passwordstate is configured for SSL up front, I can understand the argument that browsers are one of the most exposed pieces of software we use daily, and putting our passwords in that basket may not be the best idea.

Additionally, if you lose your Passwordstate server, your passwords are unavailable. Passwordstate does provide high availability options (at additional cost), but I'd throw an export of your password lists along with a DB backup into a fire safe and offsite every once in a while, just in case things get really bad. Update: version 7 includes the ability to export to a KeePass database, which will help if your network is down.

A small annoyance is that I can't do upgrades unless I set up a backup path. When I'm backing up the entire machine with Veeam and do an upgrade after a snapshot, I really don't care if I have to roll the entire VM back, but I don't have the option. A really minor gripe though; I know why they've done it (for those that don't have good backups in place). Update: version 7 doesn't enforce this, allowing you to upgrade and rely on your own backups.

Overall

With it being free for up to 5 users, I don't see why not for small businesses! Even beyond that I'd say the additional safety and auditing is worth the relatively low price of $37/user (which drops as you add more users), topping out at $4,272 for an unlimited-user install. This is by far not an exhaustive list of what Passwordstate can do (we've just skimmed the surface), so go grab a 5-user license and try it out today!

100% Qualys SSL Test A+

Written by William Roush on April 1, 2014 at 10:41 pm

Obtaining 100/100/100/100 on Qualys SSL Server Test

For fun, we're going to poke at what it takes to score 100 across the board on the Qualys SSL Server Test, however impractical this configuration may actually be.

Qualys SSL Server Test… What Is It?

Qualys SSL Server Test is an awesome web-based utility that scans your website's SSL/TLS configuration against Qualys' best practices. It runs through the various SSL and TLS protocol versions, tests all the cipher suites, and simulates negotiation with various browser/operating system combinations. It gives you not only a good basis for understanding how secure your site's SSL/TLS configuration is, but also whether it's accessible to people on older devices (I'm looking at you, Windows XP and older IE versions!).

Getting 100/100/100/100

Late at night I was poking at some discussions on TLS, and wondered what it really took to score 100 across the board (I’ve been deploying sites that scored 100/90/100/90), so I decided to play with my nginx configuration until I scored 100, no matter how impractical this would be.

server {
  ssl_certificate /my_cert_here.crt;
  ssl_certificate_key /my_cert_here.key;

  # TLS 1.2 only.
  ssl_protocols TLSv1.2;

  # PFS, 256-bit only, drop bad ciphers.
  # OpenSSL has no "AESGCM256" alias (unknown tokens are silently ignored), so the
  # GCM preference is spelled AESGCM+AES256. Note that !kEDH also removes the DHE
  # suites, so the DH+ entries contribute nothing; forward secrecy comes from ECDHE.
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM+AES256:DH+AESGCM+AES256:ECDH+AES256:DH+AES256:RSA+AESGCM+AES256:RSA+AES256:!aNULL:!MD5:!kEDH;

  # Enable SSL session resume.
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;

  location / {
    # Enable HSTS, enforce for 12 months.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  }
}
Qualys wants only 256bit (or stronger) cipher suites.

This barely differs from our standard configuration (depending on if you choose to mitigate BEAST instead of RC4 issues)

100/100/100/100 comes at a high price.

To get to having all 100s we drop pretty much all but the most modern browsers… oops!

100s Not Realistic

It seems you'll want to aim for 100/90/100/90 with an A+. This configuration gives your users the ability to take advantage of newer features (such as Perfect Forward Secrecy and HTTP Strict Transport Security) and stronger cipher suites while not locking out older XP users, and without exposing your users to too many TLS vulnerabilities (when supporting XP, whose SChannel only speaks up to TLS 1.0, you have to choose between protecting against BEAST and using the theoretically compromised cipher RC4).

So we’ll want to go with something a little more sane:

server {
  ssl_certificate /my_cert_here.crt;
  ssl_certificate_key /my_cert_here.key;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  # PFS + strong ciphers + support for RC4-SHA for older systems.
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:RC4-SHA:HIGH:!aNULL:!MD5:!kEDH;

  # Enable SSL session resume.
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;

  location / {
    # Enable HSTS, enforce for 12 months.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  }
}

10/24/2014 Update: Removed SSLv3 due to POODLE exploit for A+ example.
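As an added example (not part of the original post), here is a small Python script that statically audits an nginx server block for the settings the Qualys test grades on: protocol versions, weak cipher tokens, server cipher ordering and the HSTS header. It embeds the post's two configurations (with the cipher-string typo corrected) alongside a constructed weak one for contrast. The finding names and the 180-day HSTS threshold are my assumptions, and a token-level check cannot expand OpenSSL aliases such as HIGH, so pair it with `openssl ciphers -v` when you want the real suite list.

```python
import re

# Constructed sample server blocks. The first two mirror the post's "all 100s"
# and "100/90/100/90" configurations; the third is a deliberately weak one
# added here for contrast (RC4 first, SSLv3 enabled, no HSTS).
CONF_ALL_100 = """
server {
  ssl_protocols TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM+AES256:DH+AESGCM+AES256:ECDH+AES256:DH+AES256:RSA+AESGCM+AES256:RSA+AES256:!aNULL:!MD5:!kEDH;
  location / {
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  }
}
"""

CONF_A_PLUS = """
server {
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:RC4-SHA:HIGH:!aNULL:!MD5:!kEDH;
  location / {
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  }
}
"""

CONF_WEAK = """
server {
  ssl_protocols SSLv3 TLSv1;
  ssl_ciphers RC4:HIGH:!aNULL:!MD5;
}
"""

# One directive per line: name, arguments (a quoted string may contain ';'), trailing ';'.
DIRECTIVE_RE = re.compile(r'^\s*(\w+)\s+((?:"[^"\n]*"|[^;"\n])*);', re.MULTILINE)

# Assumption: Qualys wanted an HSTS max-age of at least 180 days before awarding A+.
MIN_HSTS_AGE = 180 * 24 * 3600


def parse_directives(conf):
    """Map directive name -> list of raw argument strings (nested blocks are flattened)."""
    found = {}
    for name, args in DIRECTIVE_RE.findall(conf):
        found.setdefault(name, []).append(args.strip())
    return found


def hsts_max_age(directives):
    """HSTS max-age in seconds, or None when no Strict-Transport-Security header is set."""
    for args in directives.get("add_header", []):
        if args.startswith("Strict-Transport-Security"):
            m = re.search(r"max-age=(\d+)", args)
            return int(m.group(1)) if m else 0
    return None


def audit(conf):
    """Return sorted finding codes for one server block (an empty list means nothing flagged)."""
    d = parse_directives(conf)
    findings = set()

    protocols = set(" ".join(d.get("ssl_protocols", [])).split())
    if not protocols:
        findings.add("no-ssl_protocols")  # nginx's default of the era still included SSLv3
    if protocols & {"SSLv2", "SSLv3"}:
        findings.add("sslv3")             # POODLE
    if "TLSv1" in protocols:
        findings.add("tls1.0")            # forces the BEAST-vs-RC4 trade-off for XP clients

    # Token-level check only: aliases such as HIGH or MEDIUM are not expanded here,
    # so pair this with `openssl ciphers -v '<string>'` to see the real suite list.
    tokens = [t for t in ":".join(d.get("ssl_ciphers", [])).split(":") if t]
    enabled = [t.upper() for t in tokens if not t.startswith("!")]
    if any("RC4" in t for t in enabled):
        findings.add("rc4")
    if any("3DES" in t for t in enabled):
        findings.add("3des")
    if "!aNULL" not in tokens:
        findings.add("anull-not-excluded")

    if d.get("ssl_prefer_server_ciphers", ["off"])[0] != "on":
        findings.add("server-order-off")

    age = hsts_max_age(d)
    if age is None:
        findings.add("no-hsts")
    elif age < MIN_HSTS_AGE:
        findings.add("hsts-short")

    return sorted(findings)


if __name__ == "__main__":
    for label, conf in (("all-100s", CONF_ALL_100), ("A+", CONF_A_PLUS), ("weak", CONF_WEAK)):
        print(f"{label:9} {audit(conf) or 'clean'}")
```

Running it shows the "all 100s" block coming back clean, the A+ block flagged only for the deliberate concessions to XP (TLS 1.0, RC4 and 3DES), and the weak block flagged for SSLv3, RC4, missing HSTS and missing server cipher ordering. A check like this belongs in config review before deployment; the Qualys scan is still the authority on what actually negotiates on the wire.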

Dan Kaminsky – Black Ops Of PKI

Written by William Roush on March 26, 2014 at 7:58 pm

Amazing talk by Dan Kaminsky discussing what is broken with X.509 (SSL). It's an amazing dive into how X.509 works, various exploits, and the impending problem of the Verisign MD2 root certificate that may be open to a preimage attack sometime in the near future.