Monthly Archives: October 2021

Linux, Red Hat, Security, Webserver, Zabbix

(35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

Leave a comment

When using Zabbix on a Centos8/RHEL8 machine the following error occurred whil trying to monitor an HTTPS-website via the build in web scenarieos:

(35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

The error itself also shows up when trying to use curl to connect to the website:

$ curl -D - https://<some-legacy-website-> -k
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

That error occurs if the server uses an older cipher-suite that’s considered unsafe by the default crypto policy used in Centos8/RHEL8.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

To work around that problem, the legacy cipher suites must be enabled by:

# update-crypto-policies --set LEGACY

Although a restart is recommended after issuing the command, for me it also worked without the need of issuing a reboot.

Android

Removing Android Bloatware and backing up Stock apps

Leave a comment

Quite a lot of new Android devices come with lots of bloatware that is preinstalled on the phone/tablet. For some apps it’s possible to deactivate these apps in the built in app management. However, most apps are installed as system apps and do not provide the possibility to be uninstalled.

Thankfully there is a possibility to also remove these apps via ADB.

Before removing any app it’s advised to first create a backup of all the installed APKs in case you remove any app that might be needed and therefore cause errors.

adb shell pm list packages > installed_packages.txt

foreach($line in ( Get-Content .\installed_packages.txt) )
{
    $app=$line.Split(":")[1]
    $app_path=$(adb shell pm path $app).Split(":")[1]
    Write-Host -ForegroundColor Yellow "$app : $app_path"
    adb pull $app_path ".\backup\$app.apk"
}

The above script will create a backup of all APKs currently installed on the device (including the ones which have been installed by the user).
To successfully run the script, adb needs to be in the path and initially pairing between the PC and the Android device must be established.

Removing the bloatware:

adb shell pm uninstall--user 0 <packagename>

#e.g. for AR-emoti-apks provided by samsung
adb shell pm uninstall --user 0 com.samsung.android.aremoji

Lists of mappings between the readalbe name (like in the Android apps management) and the package name (for Samsung devices) can be found on https://docs.samsungknox.com (e.g. https://docs.samsungknox.com/CCMode/T878U_Q.pdf)

Deployment

iPXE Network boot that supports Virtualbox VMs

Leave a comment

iPXE is pretty nice when it comes to network booting computers as it offers lots of scripting functionality at a very early stage of the deployment as it could be configured to load an iPXE script from an webserver. The script provided by the webserver itself can be created dynamically with any scripting language of your choice depeding on parameters that get handed over.

That provides the possibilityty, to automatically roll out systems that have been specified in an inventory. In case a machine can not be found in the inventory you could provide a menu where an users can manually choose what shall be done and lots more.

Not a problem for bare metal machines and also most VMs. However – Oracle with Virtualbox – also seem to have discovered the advantages of virtual box for their virtual machines and every Virtualbox VM will initially load iPXE.
As that’s an iPXE binary with very little capabilities, this could cause issues when trying to PXE boot an Oracle Virtualbox VM via iPXE as the dhcp-server used for iPXE will get the iPXE identifier form Oracls built in iPXE binary instead of the one that will be initially provided via the DHCP-server.

If the iPXE-script, which is loaded in the second stage, uses the console-command, the deployment will halt as that functionality is not supported by Oracles iPXE binary.

To work around this problem we can modify the user-class identifier provided by our iPXE binary to provide something different than the default “iPXE”-string and use that to make sure that our dhcp-server will always provide our ipxe binary in case a new client tires to PXE boot.

To change the “iPXE” userclass string to a custom string, you have to open the “src/net/udp/dhcp.c” file, once the iPXE repository was checked out.

The interesting part is somewhere down at line 90 in the file:

If you don’t want to change to much code – just change any character to somthing else:

e.g.

DHCP_USER_CLASS_ID, DHCP_STRING ( 'i', 'P', 'X', 'E' ),
TO
DHCP_USER_CLASS_ID, DHCP_STRING ( 'x', 'P', 'X', 'E' ),
or
DHCP_USER_CLASS_ID, DHCP_STRING ( 'C', 'S', 'T', 'M' ),

Whatever is defined there will be the new user-class identifier that can be used to determine if our custom iPXE was loaded or if the iPXE binary from another vendor is used.

Once the change was done the ipxe file needs to be recompiled and copied to the tftp servers directory.

The check for the custom user-class identifier in dnsmasq would look like: (CSTM as the userclass identifier)

...

# Boot for iPXE. The idea is to send two different
# filenames, the first loads iPXE, and the second tells iPXE what to
# load. The dhcp-match sets the ipxe tag for requests from iPXE.
dhcp-boot=ipxe.efi
dhcp-userclass=set:ipxe,CSTM
dhcp-boot=tag:ipxe,http://10.16.96.16/script.ipxe

...

A nice example on how dnsmasq can be configured for iPXE can be found at in the iPXE Forum.

Simple script to test if the chan works properly:

#!ipxe
console --x 1024 --y 768
dhcp
config