
10
April 2014

Gavin Pickin

Heartbleed - Heartbeats - and other Heart filling stories

CFML Server, cfObjective, Chit Chat, ColdBox, Conferences, OpenSSL, Server Admin

Yes, I still have a heartbeat, although my blog didn't have much of one for a while, that is true. The heart filling story is that my mum and dad flew in the day after my last blog post, so I've been spending a lot of time with my parents, sharing experiences with their grandchildren. They live in New Zealand, so they do not visit too often, and my busy life got even busier. I have been busy, but you have to wait and see the fruit of my labor, more about that below. Of course, this week you can't go far without talking about Heartbleed, so I have a few tips for those of you fighting Heartbleed too.

First, most importantly, Heartbleed. If you didn't hear about it already, I'm not sure why you're hiding under a rock, but still reading my blog. It's a massive, dangerous security hole, and the worst part is that 66% of the internet is vulnerable and it leaves no trace, so everyone has to fix it, and re-key everything touched by openssl, since your private keys might be in the wild now.

I had to do my due diligence, and have been working on our servers. Being Centos 6.5, we were running a compromised version of openssl. One thing to remember with Red Hat and Centos: they do not continue to update the versions of their products, like openssl; instead, they backport the security fixes. So, 1.0.1e is a compromised version, Centos backported the fix, and if you do a simple yum update openssl it will update to 1.0.1e-16.el6_5.7, which is patched. Knowing this, it's simple to close the hole and remove the future risk of keys being leaked, UNLESS you have other modules and packages that need to be updated too.

httpd uses mod_ssl to serve pages over ssl, and if you only update openssl, without mod_ssl, you will still be vulnerable.
You can test your servers with this tool: http://filippo.io/Heartbleed/
I am usually wary of websites that test for vulnerabilities, because they can build up a list of vulnerable sites, but this one seems to be the most reputable one around.
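As an added example (not the author's script), here is a small POSIX shell check for the Centos situation described above: it compares an installed openssl version-release against the patched build named in the post, and lists processes that still have the replaced libssl mapped and so keep running the old code until restarted. PATCHED, the function names and the sample version strings are assumptions made for this example.

```sh
#!/bin/sh
# Added example: is this EL6 openssl build at or above the patched release
# the post names, and which running processes still need a restart?
PATCHED="1.0.1e-16.el6_5.7"   # patched build named in the post

# openssl_heartbleed_status VERSION-RELEASE   (e.g. 1.0.1e-16.el6_5.4)
# Prints "patched", "vulnerable" or "unknown" (only the 1.0.1e backport is covered).
openssl_heartbleed_status() {
    case "$1" in
        1.0.1e-*) ;;
        *) echo unknown; return 0 ;;
    esac
    # Split both strings into numeric fields ("16.el6_5.7" -> 16 6 5 7)
    # and compare field by field; missing trailing fields count as 0.
    awk -v have="$1" -v want="$PATCHED" 'BEGIN {
        n = split(have, a, /[^0-9]+/); m = split(want, b, /[^0-9]+/)
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            x = (i <= n) ? a[i] + 0 : 0
            y = (i <= m) ? b[i] + 0 : 0
            if (x != y) { r = (x > y) ? "patched" : "vulnerable"; print r; exit }
        }
        print "patched"
    }'
}

# stale_libssl_pids: PIDs of processes (httpd with mod_ssl is the usual one)
# still mapping a libssl that yum replaced on disk; the kernel marks such
# mappings "(deleted)", and they keep the old code until restarted.
stale_libssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        if grep -q 'libssl.*(deleted)' "$maps" 2>/dev/null; then
            pid="${maps#/proc/}"
            echo "${pid%/maps}"
        fi
    done
    return 0
}

# Query the installed package when rpm is available, else use a sample.
if command -v rpm >/dev/null 2>&1; then
    ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssl 2>/dev/null) || ver="not-installed"
else
    ver="1.0.1e-16.el6_5.4"   # constructed sample: a pre-fix build
fi
echo "openssl $ver: $(openssl_heartbleed_status "$ver")"
echo "processes to restart: $(stale_libssl_pids | tr '\n' ' ')"
```

Run it as root after yum update openssl; an empty "processes to restart" line means nothing is still using the old library.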

Ok, now that we've discussed Heartbleed, the heart filling story of my parents coming to see their grandchildren, and my heartbeat, we can talk about what work I've been slaving away on.

This week, speakers' slides were due for cf.Objective() presentations, so the awesome Content Advisory Board can review them. This was a pressing deadline. With my talk being a 5 day course jammed into 60 minutes, it was really hard to fit the content in, focusing on making sure the content met the description for the session and what would give the attendees the best value out of it. I ended up meeting the deadline, and feeling great about the content, and I can say I have added some ColdFusion 11 material that I had not found anywhere else on the internet yet. I worked hard to extend my presentation to include ColdFusion 11, even though I hit some roadblocks and could not find much online, so I tried a few things, and I got lucky. My presentation will help you get CF9, CF10, CF11, Railo and a Railo Cluster all running on the same machine, serving files through apache, choosing the CFML engine based on the apache virtual host.

If you aren't going to make it to cf.Objective(), you will have to wait a little longer for all those juicy details. If you are at cf.Objective(), look me up in the schedule, and come support me.

I have also been preparing for another conference, Into the Box, happening in Bloomington, MN, the day before cf.objective(). I am presenting one session, Just Mock It, and co-presenting another, Meet the Family, where you can get a quick overview and introduction to some of the ColdBox standalone libraries, and how you can quickly add them into any project, even a framework free legacy app, and harness the power of these enterprise stand alone products.

Most people make one major invalid assumption about ColdBox - You have to use all of ColdBox or none of it. - THIS IS NOT TRUE

ColdBox has several powerful and completely separate standalone products, that can help you add value to your project quickly and easily, whether you have no framework, a homebrew framework, an old framework, even something new and awesome like fw/1.

Meet the Family will try and help everyone see the power of these standalone libraries with a getting started guide to get them up and running, each library in 10 minutes, with time for questions. We have been building a legacy app, and since I am new to using the ColdBox libraries, I thought it would be best for me to design this legacy no framework app, and in the presentation, we'll show you how to add TestBox, WireBox, CacheBox and LogBox, to transform your app, adding lots of enterprise level power, while not re-inventing the wheel.

Framework One has integrated TestBox recently, as Sean Corfield stated "Why reinvent the wheel when there are quality packages available". Sean also added WireBox so you can choose between DI/1, WireBox, and although not recommended, ColdSpring.

If you're going to make it to cf.Objective(), come a day early, enjoy 14 great sessions, for a great price, and better value with a lot of sponsor goodies, including business cards and hackmycf subscriptions to name a few.

http://www.intothebox.org

Want a sneak peek at our Meet the Family presentation? Here is a screenshot.
