Suramya's Blog : Welcome to my crazy life…

February 20, 2023

Fixing SSL error 61 on Citrix Workspace on Debian

Filed under: Computer Security,Computer Tips,Linux/Unix Related,Tech Related — Suramya @ 9:38 PM

Was trying to connect to a Citrix Workspace and kept getting the following error “You have not chosen to trust “Entrust Root Certification Authority – XX”, the issuer of the security certificate (SSL error 61)“. I have hit this error in the past and had fixed it but couldn’t find my notes from how I had fixed it back then, so I had to resort to searching on the web based on vague memories of how I had fixed. After a bit of effort I found two solutions that people had suggested:

Solution 1:

Create a symbolic link pointing the /opt/Citrix/ICAClient/keystore/cacerts directory to /usr/share/ca-certificates/mozilla/ , using the command below as root:

mv /opt/Citrix/ICAClient/keystore/cacerts /opt/Citrix/ICAClient/keystore/cacerts.bak
ln -s /usr/share/ca-certificates/mozilla/ /opt/Citrix/ICAClient/keystore/cacerts

Unfortunately, this didn’t resolve the problem for me.

Solution 2:

The second solution people recommended was to link /opt/Citrix/ICAClient/keystore/cacerts directory to the /etc/ssl/certs/ directory, using the command below as root:

mv /opt/Citrix/ICAClient/keystore/cacerts /opt/Citrix/ICAClient/keystore/cacerts.bak
ln -s /etc/ssl/certs/ /opt/Citrix/ICAClient/keystore/cacerts

After I linked the directory to /etc/ssl/certs things immediately started working without errors. This time I am blogging about it so that the next time I don’t waste time trying to find the solution.

– Suramya

December 21, 2022

“Linux is a meme and only autistic people use it” brainstorm from an anonymous coward

Filed under: Humor,Linux/Unix Related,My Thoughts — Suramya @ 8:28 PM

It is funny how people will make up stuff to explain why Linux (or any other OS) is difficult and why the person making the pronouncements can’t get it to do what they want it to do. Recently, the screenshot below came up in my feed and it made me laugh. As per the author only autistic people use Linux and everyone else “has just fallen for the meme”.


Linux is only for Autistic People

I have been using Linux almost full time since 2001 and am definitely not autistic. I can’t identify trains by their sounds and instead of not being able to talk to girls, according to some I sometimes talk too much. I have no interest in learning the names of the cast for any TV show and as far as I can tell I am leading a pretty normal life.

The genius who penned this (and I am of half a mind that this is just someone trolling Linux users) doesn’t seem to know that it is used to power 96.3% of the world’s top web servers and Android is based on Linux as well. It is the world’s 3rd most popular OS (after Windows and Mac) and while it has its own quirks it def doesn’t need you to know the in’s and out of the computer in order to use it. In fact in my experience, it is easier to install Linux and have a functional setup than it is to install Windows as Windows requires a lot of extra stuff to be installed in order to be productive while in Linux most of that is already pre-installed or built-in.

This was good for a laugh so I wanted to share it here.

– Suramya

November 15, 2022

Extracting Firefox Sites visited for archiving

Filed under: Computer Software,Linux/Unix Related,Tech Related — Suramya @ 3:01 AM

I have been using Firefox since it first version (0.1) launched back in 2003. At that time it was called Phoenix but had to change its name due to a trademark claim from Phoenix Technologies to Firebird which was then renamed to Firefox. Over the years I have upgraded in place so I had assumed that all my Browser History etc was still safely stored in the browser. A little while ago I realized that this wasn’t the case as there is a history page limit defined under the about:config. The property is called 

places.history.expiration.transient_current_max_pages: 137249

and on my system it is configured for 137249 entries. This was a disappointment as I wanted to save an archive of the sites I have visited over the years so I started looking at how to export the history from Firefox from the command line so that I can save it in another location as part of my regular backup. I knew that the history is stored in a SQLite database so I looked at the contents of the DB using a SQLite viewer. The DB was simple enough to understand but I didn’t want to recreate the wheel so I searched on Google to see if anyone else has already written the queries to extract the data and found this Reddit post that gave the command to extract the data into a file.

I tried the command out and it worked perfectly with just one small hitch. The command would not run unless I shutdown Firefox as the DB file was locked by FF. This was a big issue as it meant that I would have to close the browser every time the backup ran which is not feasible as the backup process needs to be as transparent and seamless as possible.

Another search for the solution pointed me to this site that explained how to connect to a locked DB in Read Only mode. Which was exactly what I needed, so I took the code from there and merged it with the previous version and came up with the following command:

sqlite3 'file:places.sqlite?immutable=1' "SELECT strftime('%d.%m.%Y %H:%M:%S', visit_date/1000000, 'unixepoch', 'localtime'),
                                                   url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER BY visit_date;" > dump.out

this command gives us an output that looks like:

28.12.2020 12:30:52|http://maps.google.com/
28.12.2020 12:30:52|http://maps.google.com/maps
...
...
14.11.2022 04:37:17|https://www.google.com/?gfe_rd=cr&ei=sPvqVZ_oOefI8AeNwZbYDQ&gws_rd=ssl,cr&fg=1

Once the file is created, I back it up with my other files as part of the nightly backup process on my system. In the next phase I am thinking about dumping this data into a PostgreSQL DB so that I can put a UI in front of it that will allow me to browse/search through the file. But for now this is sufficient as the data is being backed up.

I was able to get my browsing history going back to 2012 by restoring the oldest Firefox backup that I have on the system and then extracting the data from it. I still have some DVD’s with even older backups so when I get some time I will restore and extract the data from there as well.

Well this is all for now. Will write more later.

– Suramya

October 7, 2022

I am now a CEH (Certified Ethical Hacker)

Filed under: Computer Security,Linux/Unix Related,My Life — Suramya @ 6:23 PM

Gave my CEH (Certified Ethical Hacker) exam on 3rd Oct and have successfully cleared it.


Certification Number Certification Name Issue Date Expiry Date
ECC8907421563 Certified Ethical Hacker October 3, 2022 October 02, 2025

The exam was interesting and required a bit of memorization but over all not bad. I do wish they allow us to access the books or use the tools on the computer. I have a hard time remembering the parameters for commands and there were a few questions in there about what parameter would you use to do x. Normally I would do a man command before running it but here I had to remember the commands so it was a bit more annoying and required some extra effort to memorize, other than that the questions were great and required a lot of thinking and knowing the system.

Well this is all for now, will write more later.

– Suramya

October 4, 2022

Workaround for VPN Unlimited connection issues with latest Debian

Filed under: Computer Security,Linux/Unix Related,Security Tools,Tech Related — Suramya @ 5:58 PM

VPN’s are a great way to ensure that your communication remains private when using a pubic internet connection such as when you are connected to an Airport or Coffee shop Wifi. Plus they are good for getting access when a site is blocked where you are, for example in India VideoLan.org the main site for VLC Media player has been blocked for a while. I primarily use VPN Unlimited on all my systems as I have a lifetime subscription though I also have other VPN’s that I use sometimes.

Unfortunately, the native VPN Unlimited application for Linux has stopped working a while ago due to a compatibility issue with SSL. When I upgraded to the latest version of Debian back in July 2022 it suddenly stopped working with the following error message:

vpn-unlimited: symbol lookup error: /lib/libvpnu_private_sdk.so.1: undefined symbol: EVP_CIPHER_block_size

Reinstalling the software didn’t resolve the issue and neither did a search on the internet help. When I reached out to support they told me that Debian 11 wasn’t yet supported and they didn’t have an ETA for the new version to be released. They did recommend that I manually create & download an openvpn config from their site that would allow me to connect to the VPN manually using OpenVPN instead of the App. Unfortunately, the config generated didn’t work either as it would fail to connect with the following error message in the logs:

Sep 21 02:56:55 StarKnight NetworkManager[1123]:  [1663709215.0845]vpn[0x559d7fc46900,833a72d8-a08a-474e-a854-c926cd6c694a,"VPN Unlimited"]: starting openvpn
Sep 21 02:56:55 StarKnight NetworkManager[1123]:  [1663709215.0847] audit: op="connection-activate" uuid="833a72d8-a08a-474e-a854-c926cd6c694a" name="VPN Unlimited" pid=2829 uid=1000 result="success"
Sep 21 02:56:55 StarKnight kded5[2780]: org.kde.plasma.nm.kded: Unhandled VPN connection state change: 2
Sep 21 02:56:55 StarKnight kded5[2780]: org.kde.plasma.nm.kded: Unhandled VPN connection state change: 3
Sep 21 02:56:55 StarKnight NetworkManager[233850]: 2022-09-21 02:56:55 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless
"allow-compression yes" is also set.
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: OpenSSL: error:0A00018E:SSL routines::ca md too weak
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: Cannot load certificate file /home/suramya/.local/share/networkmanagement/certificates/E87E7A7D6DA16A89C7B4565273D3A792_hk_openvpn/cert.crt
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: Exiting due to fatal error
Sep 21 02:56:55 StarKnight NetworkManager[1123]:  [1663709215.1095] vpn[0x559d7fc46900,833a72d8-a08a-474e-a854-c926cd6c694a,"VPN Unlimited"]: dbus: failure: connect-failed (1)
Sep 21 02:56:55 StarKnight NetworkManager[1123]:  [1663709215.1095] vpn[0x559d7fc46900,833a72d8-a08a-474e-a854-c926cd6c694a,"VPN Unlimited"]: dbus: failure: connect-failed (1)

After a little more back and forth with the support team (which was extremely responsive and quick) which in turn reached out to their developers we identified the issue with the OpenVPN config. The fix for this will be deployed to all their servers by the end of this month. In the mean time I was given a workaround that resolved the issue for me. To fix the issue add this line to your OVPN file under the VPN section:

tls-cipher=DEFAULT:@SECLEVEL=0

More information on this is available in the OpenVPN forum. Keep in mind that this is not a really secure configuration and if you are working on something really top secret you should use another VPN till the issue is actually fixed instead of this workaround as it is not secure.

However, just wanted to share this here for others who might be having this same issue. Hope this helps.

– Suramya

October 3, 2022

Debian to allow non-free firmware in its default installer

Filed under: Linux/Unix Related,My Thoughts,Tech Related — Suramya @ 10:19 AM

One of the problems preventing new users from using Debian is that if your hardware is not supported by an Open (‘free’) driver/firmware then the system doesn’t install any and then it is a painful process to download and install the driver, especially if it is for the Wireless card. In earlier laptops you could always connect via a network cable to install the drivers but the newer systems don’t come with a LAN connection (which I think sucks BTW) so installing Debian on those systems is a pain.

Debian leadership has been debating on how to fix this over the past few months and there was a vote to decide Debian would handle non-free firmware going forward. Now the voting has completed and the verdict is in, Debian has decided that the Debian Official Installer Media can include firmware that is otherwise not part of the Debian system. The non-free firmware would be automatically installed and activated when the installer determines that it is needed for the OS to function. The setup would notify the user in such cases and provide instructions on how to disable the changes if required.

The Debian Project also makes the following statement:

We will include non-free firmware packages from the “non-free-firmware” section of the Debian archive on our official media (installer images and live images). The included firmware binaries will normally be enabled by default where the system determines that they are required, but where possible we will include ways for users to disable this at boot (boot menu option, kernel command line etc.).

When the installer/live system is running we will provide information to the user about what firmware has been loaded (both free and non-free), and we will also store that information on the target system such that users will be able to find it later. Where non-free firmware is found to be necessary, the target system will also be configured to use the non-free-firmware component by default in the apt sources.list file. Our users should receive security updates and important fixes to firmware binaries just like any other installed software.

We will publish these images as official Debian media, replacing the current media sets that do not include non-free firmware packages.

This is a great choice and will allow the installer to work pretty seamlessly for most users. I know there are purists who will be shouting and screaming that this is not the ‘true way for free software‘ but they will be a minority for the most part. Installers need to be simple, while allowing power users more granular control of the process. This change removes a major barrier in the adoption of Debian and makes the lives of millions of system administrators a lot easier.

Source: Slashdot: Debian Considers Changing How It Handles Non-Free Firmware
More details at: Debian Choose A Reasonable, Common Sense Solution To Dealing With Non-Free Firmware

– Suramya

October 2, 2022

Upgrading Debian Unstable – How to avoid obvious problems

Filed under: Computer Tips,Linux/Unix Related,Tech Related — Suramya @ 11:59 PM

If you are using Debian Unstable there is a possibility that your system might not work correctly after an upgrade, because as the name states it is an ‘unstable’ distribution that might have bugs. I use it because Debian Stable has older versions of the software available and I want to the latest versions if possible. Plus I don’t mind tinkering with the system if things break so that helps as well. Over the years I have found some easy ways to prevent the most obvious problems when upgrading and I will share them here.

First option is to upgrade the system regularly. You can decide what the frequency of the upgrade is but do it regularly. I upgrade twice a month and that ensures that the system has the latest updates and we are not so far out of sync that we need to download a ton of files for the upgrade. This is very useful when you don’t have much free space available in the root partition as the longer you wait the more files you have to download and the less free space we have for the actual upgrade.

Another thing I do that has helped me a lot is to ensure that you look at the packages being upgraded, specifically any packages being removed. Don’t upgrade if there are a lot of packages being removed without updated versions being installed. To give an example, I tried upgrading my system yesterday and it told me that it was going to “457 upgraded, 11 newly installed, 297 to remove and 0 not upgraded.” Looking at the packages it was going to remove I found that if I had blindly allowed the upgrade to proceed it would have ended up uninstalling my entire KDE install, VPN server and a whole bunch of other stuff. I waited for a day and tried again and the bug that was causing the system to insist on removing KDE during the upgrade was resolved and I was able to upgrade successfully.

I also pipe the output from the apt-get dist-upgrade command to a log file so that I have a log of what was changed and any errors are logged so I can look at it later in case there are issue. The command I use for that is as below:

apt-get dist-upgrade 2>&1 |tee ~suramya/Documents/Suramya/Computer\ Update\ Logs/StarKnight/2022/10032022

I keep all the logs from the upgrades so I can see exactly what was changed on the system and when. Makes it a lot easier to troubleshoot issues caused due to an upgrade.

If you have multiple systems, then I recommend you don’t upgrade all of them at the same time. I stagger them by a day or two so that in case of issues I have a working system. This has saved my sanity a few times.

Well, this is all for now. Do share any tips you might have for avoiding issues during an upgrade.

– Suramya

August 28, 2022

Debian looking at changing how it handles non-free firmware

Filed under: Computer Software,Linux/Unix Related,Tech Related — Suramya @ 5:38 PM

One of the major problems when installing Debian as a newbie is that if your hardware is not supported by an Open (‘free’) driver/firmware then the system doesn’t install any and then it is a painful process to download and install the driver, especially if it is for the Wireless card. In earlier laptops you could always connect via a network cable to install the drivers but the newer systems don’t come with a LAN connection (which I think sucks BTW) so installing Debian on those systems is a pain.

How this should be addressed is a question that has been debated for a while now. It was even one of the questions Jonathan Carter discussed in his post on ‘How is Debian doing’. There are a lot of people with really strong opinions on the topic and ‘adulterating’ Debian by allowing non-free drivers to be installed by default has a lot of people up in arms. After a lot of debate on how to resolve there are three proposals to solve this issue that are up for vote in September:

Proposal A and B both start with the same two paragraphs:
We will include non-free firmware packages from the “non-free-firmware” section of the Debian archive on our official media (installer images and live images). The included firmware binaries will normally be enabled by default where the system determines that they are required, but where possible we will include ways for users to disable this at boot (boot menu option, kernel command line etc.).

When the installer/live system is running we will provide information to the user about what firmware has been loaded (both free and non-free), and we will also store that information on the target system such that users will be able to find it later. The target system will also be configured to use the non-free-firmware component by default in the apt sources.list file. Our users should receive security updates and important fixes to firmware binaries just like any other installed software.

But Proposal A adds that “We will publish these images as official Debian media, replacing the current media sets that do not include non-free firmware packages,” while Proposal B says those images “will not replace the current media sets,” but will instead be offered alongside them.

And Proposal C? “The Debian project is permitted to make distribution media (installer images and live images) containing packages from the non-free section of the Debian archive available for download alongside with the free media in a way that the user is informed before downloading which media are the free ones.

Debian is not the more new user friendly system out there and a lot of distributions got popular because they took the Debian base and made it more userfriendly by allowing non-free drivers and firmware. So this is a good move in my opinion. Personally I feel that option B might be the best option that will keep both the purists and the reformers happy. I don’t think Option C is a good option at all as it would be confusing.

Source: Slashdot: Debian Considers Changing How It Handles Non-Free Firmware

– Suramya

August 16, 2022

Debian: My Favorite Linux Distro turns 29!

Filed under: Linux/Unix Related,My Thoughts — Suramya @ 9:23 PM

Debian, one of the most popular Linux Distributions that has served as the base for over 100 derivative distributions (See here for the partial list) is celebrating it’s 29th Birthday! I have been using it since 2003, so it’s been 19 years since I started using it and I have to say the OS has been improving constantly over the years while keeping the core values/stability.

I have tried other distro’s in the middle: Ubuntu, Mint, Knoppix but keep coming back to Debian because of the stability and functionality. I do use Kali as the primary OS on my laptop as I use that for my security research/testing but all other systems run Debian. I even managed to get it to work on my Tablet. 🙂

One note of caution/advice is to always look at the packages being changed/removed when you are upgrading esp if you are on the Unstable branch as things can break in that branch. Usually if I see that packages are being removed that I want to keep I just have to wait for a few days and the issue gets resolved. It is not the best distribution if you are looking for ‘newbie friendly’ but is one that will let you learn Linux the fastest. (Linux from Scratch will get you to learn more about Linux internals than you ever wanted if you can manage to get it to work and have the time required to install/configure it. For me the effort spent for the gain wasn’t worth it, but your mileage may vary.

In any case, I think I will be sticking with Debian for the foreseeable future. Here’s to another 30 years!

– Suramya

August 12, 2022

Multiple Linux Live CDs on a single USB Drive

Filed under: Computer Tips,Linux/Unix Related,Tech Related — Suramya @ 6:55 PM

Portable Boot disks are a life saver for a techie and I usually carry one with me most of the time (Its part of my keychain 🙂 ) However, the issue I would face was that I could only carry one live CD at a time on a USB stick and if I wanted another one then I would either have to search for the pendrive where I had already installed it or burn another one to the drive which was annoying, especially when I had to switch between OS’s frequently.

So I started searching for an alternative, something similar to the Ultimate Boot CD that allowed you to have multiple diagnostic tools on a CD but for Live Distros and installation media. Tried a bunch of ways but the easiest way I found was to use Ventoy to create a bootable USB.

You can download Ventoy from their GitHub Releases page, and the installation of the tool is as easy as extracting the file to a folder on your system and then running the correct executable for your system (They have executable’s for all architectures). Once you run the file as root, select the USB disk you want to use and click install. It takes about a minute for the software to install on the drive and once completed, it creates two partitions on the disk. The first partition named VTOYEFI is reserved for the boot files by Ventoy so ensure that you don’t change anything in that partition.

The second partition called Ventoy, is an exFAT partition and this is where we will copy all the ISO files for the distributions we want the disk to support. Installing a new OS/Tool/CD is as simple as copying the ISO file for the CD on to the partition. Once we have copied the files to the partition all you have to do is unmount the partition and your new disk is ready to use.

I installed the Debian Installer, Kali Live CD and Kali Installed on a 8GB drive with no issues. When I boot from the disk, I get a menu asking me to select the ISO I want to boot into and then the system boots into the boot menu for that image. So now I can carry one pen-drive with all the OS’s I would need to troubleshoot a system or reinstall the OS. I think you should be able to boot into windows installer as well using this method but I haven’t tried it yet so can’t confirm for sure.

Well, this is all for now. Will post more later.

– Suramya

« Newer PostsOlder Posts »

Powered by WordPress