tls – Why is my RADIUS Certificate not automatically signed with the root CA Certificate on my iPhone

Please bear in mind that whatever you are trying to use is dependent on mutual support on the server/authenticator and client sides. This is not always trivial to achieve.

Why do I need to trust the server’s certificate if I have the root CA’s certificate installed?

This behaviour is entirely dependent on the client’s implementation (the supplicant). Yes, having the server cert signed by the CA should be seen as a significant proof of trust, provided it’s not expired or revoked (if the client checks).

On a Windows workstation, for example, you can either trust CAs specifically or let the user review and accept the server-side certificate at the first connection. But if the server-side cert is signed by one of the selected CAs, the user doesn’t get a dialog about the cert.

AFAIK the whole point of certificate-based authentication is to prevent MiTM attacks that other methods are vulnerable against.

Conceptually it is instead about mutual authentication, and providing solid proof to the client that the server is being spoofed. It is up to the client to decide what to do with that information. Hopefully and usually it drops the connection. If not, it’s as much at risk of MiTM as if it didn’t use cert based authentication.

There is a username option when selecting the network on the iPhone, which does get matched against a backend SQL database by the freeradius server; regardless of that username existing, the server accepts the authentication. This page notes that the username is used in inner and outer authentication, but to me that doesn’t seem to make sense, as there is no inner and outer identity in EAP-TLS.

Conceptually you could have another EAP authentication dialog within the EAP-TLS channel once that is established. For example, EAP-TTLS is often used to protect less secure authentication protocols like PAP. So this is left as an option for the server and client implementations to negotiate through the existing supported protocols and/or custom implementations.
This could also be used for a kind of multi-factor authentication whereby a station and a user authenticate separately so that the admin can revoke access to the device or the user independently.

Column Default Value Based on Root URL

I have a tab in an MS Teams team where users can view our upcoming corporate training sessions (i.e. modern Events). In each event description, I am putting a link to a sign up form. The sign up form is a modern list in MS SharePoint Online. In this list, there is a column to specify the event to which the user wants to sign up. I want this column to be automatically filled using the column default value function in SharePoint. The default value would be based on the root URL that led the user to the sign up form. For example, if the user was viewing training session X in Teams, it means the root URL is the event X URL. So, the formula would be: IF (Root URL) = (URL of event X) then "X", ELSEIF (Root URL) = (URL of event Y) then "Y"... and so on.

Does this hypothetical (Root URL) function even exist? If not do you have any suggestion for how I can tell which event the user is coming from such that I can fill the column automatically?
Thanks.

Root test for complex series and cancelling powers with absolute values

The root test for convergence of a complex power series is given as

$$\lim_{n \rightarrow \infty} \sqrt[n]{\left|a_{n}\right|} = L$$

If $a_n = \frac1{(1+i)^n}$ then I read that when applying the root test I can just remove the powers since they cancel out:

$$\lim_{n \rightarrow \infty} \sqrt[n]{\left|a_{n}\right|} = \lim_{n \rightarrow \infty}\sqrt[n]{\left|\frac1{(1+i)^n}\right|} = \lim_{n \rightarrow \infty} \left|\frac1{(1+i)}\right|$$

Why is it ok to cancel the root outside the absolute function with the power inside the absolute function? For any given $n$ the expression might be negative so I feel this shouldn’t be possible.

Thank you.

active directory – Migrate to new AD domain, but keep old DFS root

I have an Active Directory domain (we’ll call OLD.TLD) in production and need to change the name (for reasons I won’t elaborate on).

There are many, many files with links to a DFS namespace in this domain. They mostly use the NetBIOS name, so a referral would be something like \\OLD\DFS\FOLDER which refers to \\SERVER\FOLDER.

At the end of the process, everything will be in the new domain (NEW.TLD) and the server will be SERVER.NEW.TLD. But it’s necessary for \\OLD\DFS to work even after the old domain is gone.

I’ve considered the one-shot domain rename, changing just the FQDN but leaving the NetBIOS name intact. But this will cause a lot of havoc for people working from home. (plus it will keep NetBIOS as a requirement).

So instead, I thought about migrating to a new domain with ADMT.

In order to investigate this, I:

  • created a test domain TEST.TLD in a new forest
  • created a two-way forest trust between OLD.TLD and TEST.TLD
  • created a DNS stub zone in OLD.TLD to point to TEST.TLD
  • created DNS CNAME records in TEST.TLD to refer SERVER to SERVER.OLD.TLD and OLD to OLD.TLD. Also there are CNAMEs to point the old domain controllers to the old domain.

So now, accounts in TEST.TLD can access \\OLD\DFS without any problems. Next I tried to see if I could fool the test domain into thinking that \\OLD\DFS was in the new domain. This is a process I envision happening as the final step of migration before removing the trust, and taking the old domain controllers down.

  • Created a domain DFS namespace for TEMP.TLD and added a couple of folder referrals to it, so that I can tell the two apart.
  • Disabled NetBIOS over TCP/IP in TEMP.TLD
  • Changed the CNAME record for OLD to point to TEST.TLD.
  • cleared all three DFS caches, as well as DNS server and local caches.

However, when I try to access \\OLD\DFS, I get all of the \\OLD.TLD\DFS folders. Is there another setting I need to change? Is it even possible to ‘alias’ a domain DFS namespace this way?

SOC2 and the CentOS root user

One of our customers has the following requirement: according to SOC2 they need to block access to the CentOS root account.

They mean any access, even with su root or sudo su.

We have blocked the SSH access, but they claim it is not enough.

Do you know where in SOC2 it is possible to find the requirements to block access to an OS root account?

blockchain – how to find the block height from merkle root?

I have the merkle root, using this value, how to get the block hash or its height?
There is this merkle root available in getblock RPC output:

./bitcoin-cli getblock 0320d6c1bd3c4cd2a08d6f76acb50b06a3ed766b058d247fbda3147aecfef388
{
  "tx": [
    "bccf4c873984245694f64263a3392c4d67c6a6f60efe4ed53aa4965f6d8b7dc0"
  ],
  "hash": "0320d6c1bd3c4cd2a08d6f76acb50b06a3ed766b058d247fbda3147aecfef388",
  "confirmations": 2,
  "size": 180,
  "height": 102,
  "version": 536870912,
  "versionHex": "20000000",
  "merkleroot": "bccf4c873984245694f64263a3392c4d67c6a6f60efe4ed53aa4965f6d8b7dc0",
  "num_tx": 1,
  "time": 1593523883,
  "mediantime": 1593467398,
  "nonce": 1,
  "bits": "207fffff",
  "difficulty": 4.656542373906925e-10,
  "chainwork": "00000000000000000000000000000000000000000000000000000000000000ce",
  "previousblockhash": "1664a604a6c8e603e311c6759f7693343ad77896c53de1bcef37de04dbcbbbc5",
  "nextblockhash": "1924c8db1b986f398a12d5481fcc293913a2dab2ee7fbcb0e131d7941e5201c2"
}

Using different transaction hashes, I got the merkle root value; now I need to know which block has this merkle root, as in getblock.

debian – Running an X program as root no longer possible with xhost +localhost?

Trying to run any X program as root typically results in some error/warning with the string “cannot open display”. In the past, I could just fix this by doing xhost +localhost

This no longer appears to work (on Debian 10). How do I do this these days?

[WTS] VPS in Europe [NL] from only $5.35 |full root access, managed support included!

VPSGet has a vision of providing best quality services with affordable prices for each customer.
We know how to cook virtual servers!

Our servers are located at a Tier III datacenter in the Netherlands, Europe.
Test IP: 213.108.198.4. Test download files: 100Mb, 1Gb

VPS Features :
Free Managed Support upon request. *
• Additional discounts on quarterly, annually, or longer billing cycles.
• Full Root Access
• SSD powered RAID-10 storage (gr8 performance for most usage cases)
• Monthly Full VPS backups on external storage included in all packages
• 2x Xeon E5 processors per server node.
• Easy to use ClientArea: manage your account and services from one place.
• SolusVM Control Panel: separate access to manage only VPS services. + whitelabeled API reseller accounts available!
• TUN/TAP/PPP (you can use any VPN)
• 100Mbps or more connection for each VPS (multiple uplinks on each node)
• Free IPv6
• 99.9% Uptime Guarantee
• 30 days Money Back Guarantee
• Instant Setup
• A lot of Linux distributions to choose from. Custom OS templates. OS templates-on-request.
• No Contract
• 24×7 Support (in-house team)
• Daytime LiveChat (CET).
• Up to 30 IPv4 add-on available per VPS for only $1 per IP for customers who have been using our services for 6+ months.
Many payment methods available: Bitcoin, Paypal, Credit/Debit cards, 2checkout, Webmoney/Paymentwall, Payza, BankWire.
We also accept Altcoins: Ethereum, Ethereum Classic, Litecoin, Dash, ZCash, Monero, Dogecoin, Decred, BitConnect, PeerCoin, WAVES, ZenCash, Ripple. Additional discounts if you pay with ETH or LTC.

____________________________
VPS Packages
10 extra IP’s add on available for all packages!

VZ-1
$5.35 per month
1 CPU Core
512Mb RAM
20Gb Storage Space
100Mbps connection
30 Days Money Back Guarantee
10 IPv6 included
1 extra IPv4 Add-On available
Basic managed support included

VZ-2
$8.95 per month
1 CPU Core
1Gb RAM
40Gb Disk Space
100Mbps connection
30 Days Money Back Guarantee
10 IPv6 included
5 extra IPv4 Add-On available
Basic managed support included

VZ-3
$17.95 per month
2 CPU Cores
2Gb RAM
60Gb Storage Space
100Mbps connection
30 Days Money Back Guarantee
3 IPv4 included *new!
10 IPv6 included
10 extra IPv4 Add-On available
Basic managed support included

VZ-4
$35.9 per month
4 CPU Cores
4Gb RAM
80Gb Storage Space
100Mbps connection
30 Days Money Back Guarantee
4 IPv4 included *new!
10 IPv6 included
10+ extra IPv4 Add-On available
Fully managed support included

VZ-5
$71.95 per month
8 CPU Cores
8Gb RAM
100Gb Disk Space
300Mbps connection
30 Days Money Back Guarantee
Premium Managed included (+ server monitoring on request)
5 IPv4 included *new!
10 IPv6 included
25+ extra IPv4 Add-On available

—————————-
We provide a lot of OS templates for customers. Some of them are available during ordering and the others are in the reinstall list. This list is updated from time to time.
We can also add a specified OS template upon customer’s request.

Should you have any pre-sales questions please do not hesitate to contact our Sales Team!

Smooth root certificate rotation – Information Security Stack Exchange

I am surprised that I couldn’t find one concrete example of how to do root certificate rotation. For example:

  • Root CA has 2 years validity period
  • Intermediate CA has 9 months validity period
  • leaf certificate has a 3 months validity period

The renewal/replacement times are:

  • Root CA is going to be replaced every 1 year
  • Intermediate CA is going to be replaced every 6 months
  • leaf certificate is going to be renewed every 2 months

This gives

  • 1 month buffer for a service to renew its certificate before the certificate expires.
  • 3 months buffer for the intermediate CA to sign new service certificates. By the time the old intermediate CA expires, all the old issued certificates are expired as well.
  • 1 year buffer to distribute the new root certificates to clients. We want to give enough time for clients to pull the new root certificate before the old one expires.

Questions:

  • We have root 1 and root 2 overlapped for 1 year; when should we start signing new CSRs using the root 2 certificate?

If the one-year overlap is just for cert distribution, by the time root 1 expires, all clients should already have root 2 trusted. However, by the time root 1 expires, we haven’t signed any new server certificates with root 2. It means that when root 1 expires, all the services will be down. I guess we will need to ensure all services are using certs from root 2 before we can retire root 1? And we also have to ensure all clients have the root 2 key before issuing server certificates using root 2? I think that makes sense, but in terms of timeline, how should we manage that? In the 1-year overlap, maybe we can do 6 months distribution time and 6 months signing time, so by the time root 1 retires, everything will be running on root 2 already?

And if we are using a private CA (let’s say AWS Private CA), do we need to implement a service to ensure the things above will happen?

Given that we own all the clients and servers.
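
The schedule in the question, worked through as an added example (not part of the original post). It assumes, as the question does for intermediates, that an issuer stops signing once a new child certificate would outlive it, and that intermediates are cut on the stated 6-month cadence; `Tier`, `signing_cutoff` and `handover_plan` are illustrative names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tier:
    name: str
    validity: int  # months a certificate of this tier stays valid
    rotate: int    # months between planned replacements

# Figures taken from the question, in months.
ROOT = Tier("root", 24, 12)
INTERMEDIATE = Tier("intermediate", 9, 6)
LEAF = Tier("leaf", 3, 2)

def signing_cutoff(issuer: Tier, child: Tier) -> int:
    """Issuer age after which it must stop signing, so no child outlives it.
    Assumption of this example: child validity is nested inside the issuer's."""
    return issuer.validity - child.validity

def handover_plan(root1_created: int = 0) -> dict:
    """Key figures (months since root 1 was created) for the root 1 -> root 2 handover."""
    root1_expires = root1_created + ROOT.validity
    root2_created = root1_created + ROOT.rotate
    # Root 1 may sign intermediates only up to its cutoff; they are cut on schedule.
    root1_stop = root1_created + signing_cutoff(ROOT, INTERMEDIATE)
    scheduled = range(root1_created, root1_stop + 1, INTERMEDIATE.rotate)
    last_int = scheduled[-1]
    # That intermediate stops issuing leaves at its own cutoff, so every leaf
    # issued from this month on has to chain to root 2 ...
    first_root2_leaf = last_int + signing_cutoff(INTERMEDIATE, LEAF)
    # ... and the last leaf chaining to root 1 expires one leaf lifetime later.
    last_root1_leaf_expires = first_root2_leaf + LEAF.validity
    return {
        "root2_created": root2_created,
        "last_root1_intermediate_issued": last_int,
        "clients_need_root2_by": first_root2_leaf,
        "distribution_window": first_root2_leaf - root2_created,
        "last_root1_leaf_expires": last_root1_leaf_expires,
        "slack_before_root1_expiry": root1_expires - last_root1_leaf_expires,
    }

if __name__ == "__main__":
    for key, value in handover_plan().items():
        print(f"{key:32} {value}")
```

With the question's figures this gives a six-month window to distribute root 2 (months 12 to 18), after which all new leaves chain to root 2, and the last root 1 leaf expires at month 21, three months before root 1 itself.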