Dumping SMTP over TLS traffic

This is the analysis of TLS traffic over SMTP by way of ssldump.  The server requested client cert and the client cert (gmail) was verified ok.  However, I could not identify which part dealt with SSL client certificate verification.

# ssldump -i eth0 port 25
New TCP connection #1: mail-ie0-f170.google.com(37742) <-> transfer(25)
1 1  1.4201 (1.4201)  C>S  Handshake
        Version 3.3
        cipher suites
        compression methods
1 2  1.4221 (0.0020)  S>C  Handshake
        Version 3.3

        cipherSuite         TLS_RSA_WITH_AES_128_GCM_SHA256
        compressionMethod                   NULL
1 3  1.4221 (0.0000)  S>C  Handshake
Error: short handshake length: expected 17172 got 16380
Error: short handshake length: expected 4608083 got 792
1 4  1.6004 (0.1782)  S>C  Handshake
1 5  1.6004 (0.0000)  S>C  Handshake
1 6  1.7820 (0.1816)  C>S  Handshake
1 7  1.7820 (0.0000)  C>S  Handshake
1 8  1.7820 (0.0000)  C>S  Handshake
Not enough data. Found 258 bytes (expecting 16384)
1 9  1.7820 (0.0000)  C>S  ChangeCipherSpec
1 10 1.7820 (0.0000)  C>S  Handshake
1 11 1.7916 (0.0096)  S>C  Handshake
1 12 1.7916 (0.0000)  S>C  ChangeCipherSpec
1 13 1.7916 (0.0000)  S>C  Handshake
1 14 1.9699 (0.1782)  C>S  application_data
1 15 1.9703 (0.0004)  S>C  application_data
1 16 2.1483 (0.1779)  C>S  application_data
1 17 2.1484 (0.0000)  C>S  application_data
1 18 2.1484 (0.0000)  C>S  application_data
1 19 2.1779 (0.0294)  S>C  application_data
1 20 2.3952 (0.2173)  S>C  application_data
1 21 2.3952 (0.0000)  S>C  application_data
1 22 2.5747 (0.1794)  C>S  application_data
1 23 2.5747 (0.0000)  C>S  application_data
1 24 2.7329 (0.1582)  S>C  application_data
1 25 2.9110 (0.1780)  C>S  application_data
1    2.9111 (0.0000)  C>S  TCP FIN
1 26 2.9113 (0.0001)  S>C  application_data
1 27 2.9115 (0.0002)  S>C  Alert
1    2.9115 (0.0000)  S>C  TCP FIN


New OFCA mobile speedtest app

This is the results of new OFCA speedtest app in testing 802.11ac WiFi speeds.  Surprise !!!


Opendkim SignTable and KeyTable

As a member of PISA and ISOC HK, I occasionally need to use the email address warren@isoc.hk and warren.kwok@pisa.org.hk from my web-based email client to send outgoing emails.  However, as the DKIM signature is binded to a single sender domain only, the outgoing emails bearing the above two mentioned sender addresses can not have DKIM signature.  Fortunately, opendkim provides a SignTable which specifies which email addresses outside the default domain can be issued with signature.  Interestingly, if the SMTP server is providing email hosting to multiple domains, all email addresses of the domains can be signed.   This also reminds me of the file KeyTable which of course by its name means different domains can use different keys and selectors.    If I have time, I will try all these out to strengthen my understanding on DKIM.


DKIM crashed

My DKIM signature on outgoing emails has crashed over 3 months.  As a good security practice, I changed the key some time ago and uploaded the public key as a DNS text record.  In the course of checking the key before updating the DNS, a space character was inadvertently inserted which I still could not figure out how such thing could have happened.  By now the root cause is known and rectified, every outgoing has reinstated the DKIM signature for the receiving SMTP server to verify.   What a bad luck.   

Some years ago, I stumbled through an IT magazine saying that PGP, S/MIME and DKIM are the protocols for securing emails.  While they are use public key cryptographic approach, DKIM can not encrypt the email body.  It can only authenticate the sender.  The other obvious advantage is that it can help the sender to gain higher scores in the sender reputation and the likelihood of treating emails from the sender as spam or malicious emails is much reduced.   Last but not least, the DKIM verification can also ensure that message body is not tampered by man-in-the-middle attack in the course of delivery. 




在此要奉勸那些80後, 不要拿走老豆老母嘅大半生積蓄或棺材本做首期, 佢哋無欠你架。 要上賊車就要靠自己, 輸贏都喺你自己,老豆老母吾喺你嘅賭本,兩老萬一遇上大病, 佢哋仲點會有錢入院做手術呀。



PuTTY, addicted to it forever !


Openvpn tcp port 443

唉,太大意了。居然用咗openvpn 預設的 udp port 1194, 這會被中國長城防火牆看穿晒。一定要改做 tcp port 443, 等防火牆錯誤理解被連接的 openvpn 機器為網上銀行平台。當然 tcp 比 udp 速度稍漫,但這點完全不重要。



802.11ac and 100 Mbps ports

If you find 802.11ac wireless routers which equip with 100 Mbps ports either in the LAN or WAN side, don't buy. This is a rubbish design.


Use an app instead of a calculator

When working on radio propagation distances, I need to convert between miles and kilometers. What comes to my mind is not a calculator. It is about downloading an app. Shit, what a useless person I am on this planet.


IPv6 privacy extension

Law enforcement agencies say they can track IPv6 devices or computers. They are wrong absolutely. PCs and smartphones have built-in "privacy extension" to prevent the last 64 bits being tracked.


Gparted live CD

I needed to change the file system of a hard disk from ext3 to NTFS for use by Windows.  Intuitively, I thought in a Linux envionment, it would involve the steps of fdisk /dev/sda1, delete partitions, create new primary partition, write on partition table, mkfs ntfs /dev/sda1.   All the command line  steps are not necessary. Just use Gparted live CD, (Gnome Partition Editor) after boot up, two clicks in the GUI can accomplish the  tasks.  There are other good functions such as resizing partitions and copy partition for the sake of image-backup. A geat discovery.  Nice to share in this personal blog.


802.11u, Passpoint and Hotspot 2.0

上星期有幸會見 WiFi Alliance CEO Mr Edgar Figuerora, 終於搞清楚 802.11u, Passpoint 同 Hotspot 2.0 三套技術的相関配合。802.11u 是將無線連線介面轉接至不同網絡,如 3G / 4G 跳至 WiFi , 可達至流動數據卸載 ( cellular offloading)。而Passpoint 則是替支援 802.11u 的器材進行互相兼容的驗證計劃。至於 Hotspot 2.0, 則是一套龐大的基礎設施規格,涉及認證,保密,計費,漫遊協議等。以小弟意見,在可見將來,各網絡商都會投資在 Hotspot 2.0 基建,固網商可提供高效能的 WiFi平台,進軍流動服務,亦可將 Hotspot 2.0 基建租予給流動網絡商。當然,那些同時經營固網及流動網的服務商更加會掌握 Hotspot 2.0,以援衝頻譜需求。WiFi 面世經已超過15年,到了今天,還不停地改良和增加功能,這要多謝 IEEE 的網絡專家多年來所付出的努力。


HKTV 開台壓力測試

已準備好今晚10點至11點 HKTV 開台壓力測試,我所有用得嘅資源,包括手提電腦,小米盒子,平板,手机,3G, 4G, 1000Mbps 寬頻,802.11n/ac 路由器傾巢盡出。王維基,我幫到你盡了。


protecting .hk ccTLD systems

Yesterday, when doing a half-yearly clean up of my authoritative name servers, I found the measures of  protecting ".hk" ccTLD systems from DDoS attacks as a result of malicious querying "popvote.hk" still in place.  I purposely  attached a screen dump for easy recall of my memory.

The solution was to tell clients that popvote.hk was hosted here and there was no need to go through “.hk”.  HKCERT and HKISPA jointly appealed to all ISPs to do this in order to protect all kinds of service using .hk domains.   Up to now, I am still not sure how many of them agreed to implement the interim measures.

On this related matter, attacks of popvote.hk brought some good development to the local ISP industry.  Some ISPs have used resolvers and authoritative name servers in the same machines.  During the attack period, larger volume of queries flooded their resolvers which made the authoritative name severs not workable.  How could they explain to their customers the situation.  If I were one of the customers, I would definitely ask popvote.hk was none of my business, why attacks on "popvote.hk" made all my name records vanished.  In the light of increasing DNS attacks, ISPs in Hong Kong should have realised that they could not bundle a resolver and an authoritative name server in  the same machine.




I had used dkim-milter for over a year.  This milter was pretty good but due to its phasing out, I had to switch to opendkim.  To do the configuration was pretty easy as I had gained some experience in dkim-milter.  Up to now, I still have no idea the percentage of my dkim-signed outgoing emails being permitted as reputable sender and not treated as suspicious spam.  The fact is do it. If Facebook, Gmail, Yahoo all do it, why hesitate not to follow suit. 


rsync + ssh and scp

Something I could have misunderstood for a long time.  I always think scp is powerful for retrieving files by a local host from a remote server but all the files obtained will have permissions and access rights set to the one who invoke the scp command.

#scp -P 1234 -R user@xyz.com:/remote/path/ /local/path/

This is not desirable for restoration purpose  as the original attributes have been lost.  I turn to use rsync like the one below:

#rsync -chavzP --stats --rsh='ssh -p1234' user@xyz.com:/remote/path/ /local/path/

As I have always said, rsync is one of the most powerful backup tools ever existed in the world.  The more you learn, the more you love it.


sine wave with MS powerpoint

Don't laugh. I am not able to draw a sine wave with MS powerpoint. I don't want to use excel for importing such a graph from math equation.  


802.11u or Passpoint

This so called 3G-WiFi auto-connect is by means of an app. It is not 802.11u, not Passpoint, not Hotspot 2.0. Still need to wait for smartphones in the mass market to support Passpoint.


WiFi 路由器速度跌咗八成

屋企隻 TP-LINK 802.11n 屋企隻 TP-LINK 802.11n 路由器速度在拾呎距離跌咗八成,所有 config 都檢查清楚正常,正想買新機之際,突然想起未 check 天線。唉,三兜天線同軸接口,有兩兜完全無扭實。唉,太疏忽了,我應否重新再考工程師牌!,所有 config 都檢查清楚正常,正想買新機之際,突然想起未 check 天線。唉,三兜天線同軸接口,有兩兜完全無扭實。唉,太疏忽了,我應否重新再考工程師牌!