Farewell Enigmail

Thunderbird has End-to-End encryption right built into it’s very core. But at a price that was annoying to me. So I decided to keep the old 68 Version together with the enigmail plugin.

Until my system recently did an update and replaced the old thunderbird with the shiny new version 78. Which comes with its very own implementation of Pretty Good Privacy – better known as PGP.

Short recap: The Enigmail plugin used a system-installed GnuPG installation (Open Source PGP-Implementation). Thunderbird on the other hand uses a library called RNP.

This has 2 drawbacks. One is, that it is a bit harder to setup my current workflow which uses a private key located on a Yubikey that I have to unlock. The setup was not as easy as it was described in some of the descriptions on the internet. But that was mainly due to my own fault. A configuration setting that did work with Enigmail but didn’t with the new Version of Thunderbird.

The main issue is that RNP currently does not support hardware tokens. But luckily there is a flag that can delegate tasks that require private keys to a third party app. So I could setup the default GnuPG to handle the signing and the decryption process. One additional advantage is that I do not need to expose private keys to Thunderbird where they need to be secured by a single master password. But that is a different story.

RNP is not GnuPG

The – for me – more annoying part is, that RNP does not use the systemwide GnuPG keychain but its own one. So for me that means that I have to maintain two keychains with public keys.

I found that a bit awkward. So I looked for a way to automatically keep the two keychains in sync. And after a bit of digging I figured, that Thunderbird keeps a GnuPG compatible public keychain right in Thunderbirds profile folder. So all I have to do is write a cron-job that exports all the public keys from one keychain and moves them over to the respective other one. Already existing keys will not be imported, missing ones will be imported though.

So this is what I now have installed as cron-job:

#!/bin/bash
  
THUNDERBIRD_PROFILE=~/.thunderbird/<profile-folder>
gpg --no-default-keyring \
    --keyring=$THUNDERBIRD_PROFILE/pubring.gpg \
    --export \
    --armor | gpg --import --no
gpg --export --armor | gpg \
    --no-default-keyring \
    --keyring=$THUNDERBIRD_PROFILE/pubring.gpg \
    --import \
    --no

Optimization will follow soon by replacing the hard-coded path to the profile folder with a command that reads that from thunderbirds profile.ini file. But that is a different story.

The only drawback I have seen so far is that Thunderbird needs to be restarted after the script has actually imported one or more keys into the thunderbilrd keychain. Otherwise the new keys are not recognized.

But that is much less of a hassle and drawback than not being able to sign my outgoing email or decrypt my incoming mails.

Named Parameters

Currently an awesome RFC to introduce Named Parameters to PHP is in the voting phase. As I voted against this RFC and some people asked me about my reasoning I thought I share it here.

After this tweet I had some interesting conversations on and off twitter that made me think about my take on named parameters back and forth.

And as much as I like the idea of named parameters I still see one major issue in the currently proposed implementation: Changing Parameter names.

Continue reading Named Parameters

Fuck Cancer

That literally was the whole text of a tweet I send out some weeks back.

And it returned so much warmth and positive responsens for me that I want to share a bit more of the story.

Be warned: It is a sad story.

5 years ago

It all begins at the beginning of 2015 where my wife Anke was diagnosed with breast cancer. Dammit. But after all a lot happened in the last years and if it has to be cancer I’d rather have breast cancer than something else. The healing rates are rather good. So we went through this (with a lot of tears for sure) and came out stronger as a team and a family. It was sad that she couldn’t join me on my first conference gig in 2015 due to a slight overlap with her Chemotherapy but such is life.

So she won the battle. Since October 2015 everything was kind of OK. No one tells you about the fatigue that can be caused by the Chemotherapy or how slowly the body recovers after being swamped with poison multiple times for over half a year. But the main thing is: You are still alive!

Of course everything could have happened. So 5 years ago we settled everything. We went through all of it: Last will, living will, chats about how to handle the kids and all the little details that you think you will be able to handle together but that now need to be handed over. Just in case.

But everything went well. According to plan, one could say.

Well. Almost.

2020 sheds it’s light

End of last year suddenly some blood test results weren’t as they were supposed to be. That could be a sign of a new cancer but it could also be something else. So a lot of diagnosis startet again. But all results were negative. So it must be a false positive. I had a numb feeling about it but well, al the docs my wife was at couldn’t find anything and I mean they know what they are doing.

So everything was still fine.

Yes. I know what you’re thinking about! Exactly like that.

All this time Anke had issues with her back. Pain since time immemorial. But that somehow got worse. She started to walk with the dog more often but realized that herback was killing her. the amount of pain-medication shall not be revealed here, but well…. let’s put it that way. It’s good when you have sources to get prescription-only stuff. So to get to the root cause for that she made an appointment with an orthopedist. And they seemed to have found the cause for the pain. Two spinal discs that are a bit dislodged. Oh. And these shadows in your pelvis look like methastasis. Like about a dozen…

2020 finally hit

She came back that day and was completely calm. I’ve only seen her like that a handfull of times and the reason never was a good one. So I immediately canceled the call I was in at that moment and well… Imagine a lot of tears on boths sides.

At that point we didn’t know what might be the consequences. From what we heard before Methastases usually mean the end. Not necessarily right away, but that’s not something that will heal. So this is the end. The proverbial IT.

How do you handle that your whole dream of your life just shattered? She might not be able to see her kids grow. I might have to support my kids on my own in their relationships. I can’t share the joy and the tears when they marry. I will have to give them advice with their kids on my own. No getting old together. There was so much we wanted to do together.

That was barely 4 weeks ago.

But up to that time we didn’t know what it was. Three was just this MRT-Image with shadows where they didn’t belong to. So now more diagnosis. The uncertainty was perhaps the worst. No one was actually talking about metastasis as no one actually knew exactly what they were. The next day I looked for a specialist and luckily found one “nearby”. It’s interesting what you call nearby when you live in the countryside. But no matter where you want to go it’s always a 45-minute drive.

Luckily that specialist not only seems to know her stuff, the chemistry between her and Anke was just right from the start. So it looks like she is now in much better hands than the last time she fought the battle.

Finally

And now last tuesday the final results came. Anke is fighting against breast-cancer metastasis in at least her pelvis and her sternum. The therapy has started and we are talking about years that we might have togethre. Perhaps even more.

In the end we will see. There is nothing we can do other than accepting that cancer came back to stay. That the beast is now part of our live for the rest of our life.

The last weeks were hard. We talked about a lot of final szenarios. Anke started her bucket list and we might travel a tad more than we thought we would right now. We cried a lot. Death was never far away but now it is a part of our conversations . Between us two but also with our kids. And that seems to somehow take a lot of the panik.

I now have the great possibility to make the best of the time I have with the best person that I met in my life. And I don’t know how long that will be. But I know for sure that it will not be as long as we both would like it to be.

And what I learned from that tweet from the beginning is, that there are a lot of amazing people that I have the honour to call friends. That there are people in the world that are willing to support you. Sometimes people I never thought of. And that is amazing! Thank you for that!

So for now we are looking forward with the idea of still having some years together. Some tough years with pain and trauma but years we have together. So there still is some time to settle the final arrangements together. Unless one of us gets hit by a bus, that is…

Thanks for reading so far! Thanks for your support!

inspecting docker-networks

Or how not to handle a non-responsive docker container

TL;DR

Handle “Cannot start service XY: driver failed programming external connectivity on endpoint XY (ContainerID): Bind for 0.0.0.0: failed: port is already allocated” by inspecting dockers network stack and force-disconnect containers from the network.

The Problem

Today we had a non-responsive docker container that we couldn’t restart. docker-compose stop and such didn’t work. The container was still running and – especially nasty – also not responding. The website it usually provides only returned a 503 – Gateway not responding.

What to do?

Well… not what we did!
Continue reading inspecting docker-networks

Handle self-signed certificates with PHPs LDAP-Extension

Often I see questions on StackOverflow stating that connecting to LDAP-Servers secured with self-signed certificates is difficult and troublesome. Very often the accepted answer or the one with the most votes is actually the worst answer, as usually it requires to completely ignore certificates. So basically swapping the certificate would not be noticed, leaving the connection wide open for a Man-in-the-Middle attack and therefore somehow defeating the purpose of secure connections.

But how does one connect securely to an LDAP-Server secured with a self-signed certificate?

I did some tests and summarized my findings in a github-repo.

In essence it boils down to retrieving the current certificate either from the admin of the LDAP-Server or via OpenSSL using this command:

$ echo \
| openssl s_client -connect openldap:636 2> /dev/null \
| openssl x509 -text \
| sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' \
> /path/to/cert.pem

And then – at least when you have a supported PHP-Version – add the following lines to your ldap-code:

ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, '/path/to');
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, '/path/to/cert.pem');

// either
$ldap = ldap_connect('ldaps://ldap.example.org:636');
// or
$ldap = ldap_connect('ldap://ldap.example.org:389');
ldap_start_tls($ldap);

Note: It’s important to call ldap_set_option before the first LDAP-Command and use null as the first argument. Otherwise it will not work 😉

You want more info? Have a look at the Repos README