Fixing OpenSSL on WordPress Windows PHP 5.6+


I ran into OpenSSL errors during the Disqus plugin setup.
There are tons of hits suggesting various solutions; below is the very simple solution that worked for me…

Sample error messages:

SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Failed to enable crypto in ...


  1. download latest cacert.pem
  2. place it in a pertinent folder (e.g. $\wp-includes\certificates)
  3. edit your php.ini > openssl.cafile={full path to cacert.pem}

Ethereum 101 on Windows

background / baseline context

  • I’m not even remotely suggesting that this is new info, but even though there are some very friendly guides already cooking out there, I ran into mild snags, and this is my attempt to really grease the rails on the way to running the greeter sample smart contract
  • now that we have Ubuntu running natively on Windows 10, the native Windows binary path for what are obviously linuxy bits sorta feels like a less direct path to success, but IIRC I had initial snags that kicked me in this direction
  • these commands target a local private net instance… we get free gas this way, so I figure inhale that immediate gratification as quickly as possible and use that energy to conquer our next ether mountain

getting spun up and ready to spend some ether

  1. feels like the canonical starting point so keep that handy -BUT- for starters, the referenced Windows binary installation url was down for me as of this writing
  2. so here’s the geth install bits… geth is the preferred CLI based server and admin console (installed to C:\Program Files\Geth for me)
  3. and we’ll also need the smart contract compiler “SOLC” (C:\Program Files\cpp-ethereum)… make sure those are both in your path
  4. create a working folder for this instance (aka “private network”) and make it current, hereby referred to as {workdir}
  5. throw together a genesis.json like so, filling in the blanks as noted (from here 1)
    {
      "nonce": "0x0",
      "timestamp": "0x0",
      "parentHash": "0x0000000000000000000000000000000000000000000000000000000000000000",
      "extraData": "0x0",
      "gasLimit": "0x8000000",
      "difficulty": "0x400",
      "mixhash": "0x0000000000000000000000000000000000000000000000000000000000000000",
      "coinbase": "0x0",
      "alloc": { "0x0": { "balance": "20000000000000000000" } }
    }

    • nonce: throw in a self generated hex guid … one way to create a guid would be to install ScriptCS.exe and then System.Guid.NewGuid().ToString("n") … recommend installing ScriptCS and anything else via Chocolatey Windows package manager
    • coinbase & alloc: note that later we’ll replace those “0x0” values with your primary account number as where you want your mined ether to deposit and build up
  6. initialize your working folder files:
    geth --dev --datadir . init genesis.json
  7. do ourselves a big favor and create a default javascript file to toss in any of our own custom convenience routines to be available whenever the server starts up… save the following to e.g. helpers.js (referenced in the ethStart.cmd below)
    function balance() { return web3.fromWei(eth.getBalance(eth.accounts[0])) + " ethers"; }

  8. save the following to ethStart.cmd and launch it to fire up the server
    geth --dev --mine --minerthreads 1 --datadir . --networkid 399524671 --etherbase 0x057c86cae703b08c59fa6a9f066dbcc241da52a7 --rpc --rpcapi "eth,net,web3,personal" --rpccorsdomain * --password pw.txt --preload "helpers.js" console
    ::move unlock into command line after primary account is created
    ::--unlock 0

    • 2 full CLI option reference
    • networkid: make yours up
    • datadir: crucial your other files are in the current working folder
    • dev: developer mode… this seems to make certain initialization steps do a faster minimal burn
    • unlock: this will prompt you for password and thereby start server with specified etherbase aka coinbase account unlocked to enable spending ether which is REQUIRED TO SUBMIT ANY TRANSACTIONS, including our first hello world sample smart contract!! =)
    • etherbase: update this with your primary account, next step…
    • password: create pw.txt with the same password you specify in next step…
    • rpc: fire up the http-rpc endpoint… defaults to: http://localhost:8545
    • preload: loads our custom convenience routines
  9. create your primary account: personal.newAccount("fill in a password") … this will output the hex number of your first account# aka primary aka eth.accounts[0]
  10. stop the server with CTRL-D
  11. plug this account# into the genesis.json and ethStart.cmd > coinbase & alloc properties… and add the unlock param back into ethStart.cmd
  12. drumroll… restart ethStart.cmd … watch for any errors in the output
  13. i had to wait a few minutes for mining activity like below to kick in… it would be interesting to hear what it’s doing during this extended delay…
    I1222 23:12:12.999058 miner/worker.go:542] commit new work on block 8 with 0 txs & 0 uncles. Took 0s
    I1222 23:12:12.999559 miner/worker.go:542] commit new work on block 8 with 0 txs & 0 uncles. Took 0s
    I1222 23:13:13.817780 miner/worker.go:344] 🔨 Mined block (#8 / 7d659f91). Wait 5 blocks for confirmation
    I1222 23:13:13.818278 miner/worker.go:542] commit new work on block 9 with 0 txs & 0 uncles. Took 497.4µs
    I1222 23:13:13.818777 miner/worker.go:542] commit new work on block 9 with 0 txs & 0 uncles. Took 0s
    I1222 23:14:10.930228 miner/worker.go:344] 🔨 Mined block (#9 / b076ded1). Wait 5 blocks for confirmation

    • definitely try miner.start(1) from the geth javascript command line if nothing happens after say 3 minutes tops
    • good troubleshooting ref 3
  14. once you see mined block output, then try balance() and you should see a few ethers piling up in your kettle
    "50 ethers"
  15. here is my actual full happy output for your reference… don’t worry, all “secret” values herein (e.g. account#, password, etc) are local testnet only / completely sacrificial
    geth --dev --mine --minerthreads 1 --datadir . --networkid 399524671 --etherbase 0x057c86cae703b08c59fa6a9f066dbcc241da52a7 --rpc --unlock 0 console
    I1222 23:07:20.578872 ethdb/database.go:83] Allotted 128MB cache and 1024 file handles to C:\Users\beej1\AppData\Roaming\Ethereum\beejnet\geth\chaindata
    I1222 23:07:20.620876 ethdb/database.go:176] closed db:C:\Users\beej1\AppData\Roaming\Ethereum\beejnet\geth\chaindata
    I1222 23:07:20.621873 node/node.go:175] instance: Geth/v1.5.3-stable-978737f5/windows/go1.7.3
    I1222 23:07:20.621873 ethdb/database.go:83] Allotted 128MB cache and 1024 file handles to C:\Users\beej1\AppData\Roaming\Ethereum\beejnet\geth\chaindata
    I1222 23:07:20.661879 core/genesis.go:93] Genesis block already in chain. Writing canonical number
    I1222 23:07:20.662377 eth/backend.go:282] Successfully wrote custom genesis block: e5be92145a301820111f91866566e3e99ee344d155569e4556a39bc71238f3bc

    I1222 23:07:20.662877 eth/backend.go:301] ethash used in test mode
    I1222 23:07:20.663381 eth/backend.go:193] Protocol Versions: [63 62], Network Id: 399524671
    I1222 23:07:20.663381 eth/backend.go:221] Chain config: {ChainID: 0 Homestead: DAO: DAOSupport: false EIP150: EIP155: EIP158: }
    I1222 23:07:20.663880 core/blockchain.go:214] Last header: #6 [1b77c210…] TD=917760
    I1222 23:07:20.664380 core/blockchain.go:215] Last block: #6 [1b77c210…] TD=917760
    I1222 23:07:20.664380 core/blockchain.go:216] Fast block: #6 [1b77c210…] TD=917760
    I1222 23:07:20.665379 p2p/server.go:336] Starting Server
    I1222 23:07:22.797260 p2p/discover/udp.go:217] Listening, enode://f2db422043fb3f846d2b429e0c2c99c1c2943ed2eea111d48dbafd203a250369e8c5ed56364d2248651647a094a4649529d3faf23e4b038f961ccc80cadf628a@[::]:61740
    I1222 23:07:22.798761 p2p/server.go:604] Listening on [::]:49887
    I1222 23:07:22.798761 whisper/whisperv2/whisper.go:176] Whisper started
    I1222 23:07:22.798761 eth/backend.go:481] Automatic pregeneration of ethash DAG ON (ethash dir: C:\Users\beej1\AppData\Ethash)
    I1222 23:07:22.799260 eth/backend.go:488] checking DAG (ethash dir: C:\Users\beej1\AppData\Ethash)
    I1222 23:07:22.800262 node/node.go:340] IPC endpoint opened: \.\pipe\geth.ipc
    I1222 23:07:22.813263 node/node.go:410] HTTP endpoint opened: http://localhost:8545
    Unlocking account 0 | Attempt 1/3
    I1222 23:08:28.727457 cmd/geth/accountcmd.go:200] Unlocked account 057c86cae703b08c59fa6a9f066dbcc241da52a7
    I1222 23:08:28.727954 miner/miner.go:137] Starting mining operation (CPU=1 TOT=2)
    I1222 23:08:28.728455 miner/worker.go:542] commit new work on block 7 with 0 txs & 0 uncles. Took 0s
    I1222 23:08:28.728955 vendor/] Generating DAG for epoch 0 (size 32768) (0000000000000000000000000000000000000000000000000000000000000000)
    I1222 23:08:28.730457 vendor/] Generating DAG: 0%
    I1222 23:08:28.730958 vendor/] Generating DAG: 1%
    I1222 23:08:28.730958 vendor/] Generating DAG: 2%
    I1222 23:08:28.730958 vendor/] Generating DAG: 3%
    I1222 23:08:28.731456 vendor/] Generating DAG: 4%
    I1222 23:08:28.731456 vendor/] Generating DAG: 5%
    … skipping …
    I1222 23:08:28.752959 vendor/] Generating DAG: 97%
    I1222 23:08:28.752959 vendor/] Generating DAG: 98%
    I1222 23:08:28.752959 vendor/] Generating DAG: 99%
    I1222 23:08:28.753459 vendor/] Generating DAG: 100%
    I1222 23:08:28.753459 vendor/] Done generating DAG for epoch 0, it took 25.0043ms
    Welcome to the Geth JavaScript console!

instance: Geth/v1.5.3-stable-978737f5/windows/go1.7.3
coinbase: 0x057c86cae703b08c59fa6a9f066dbcc241da52a7
at block: 6 (Thu, 22 Dec 2016 22:58:56 PST)
datadir: C:\Users\beej1\AppData\Roaming\Ethereum\beejnet
modules: admin:1.0 debug:1.0 eth:1.0 miner:1.0 net:1.0 personal:1.0 rpc:1.0 shh:1.0 txpool:1.0 web3:1.0

I1222 23:12:12.999058 miner/worker.go:542] commit new work on block 8 with 0 txs & 0 uncles. Took 0s
I1222 23:12:12.999559 miner/worker.go:542] commit new work on block 8 with 0 txs & 0 uncles. Took 0s
I1222 23:13:13.817780 miner/worker.go:344] 🔨 Mined block (#8 / 7d659f91). Wait 5 blocks for confirmation
I1222 23:13:13.818278 miner/worker.go:542] commit new work on block 9 with 0 txs & 0 uncles. Took 497.4µs
I1222 23:13:13.818777 miner/worker.go:542] commit new work on block 9 with 0 txs & 0 uncles. Took 0s
I1222 23:14:10.930228 miner/worker.go:344] 🔨 Mined block (#9 / b076ded1). Wait 5 blocks for confirmation
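Steps 5 and 11 above are where most of the private-net fumbling happens: the genesis.json template ships with "0x0" placeholders for coinbase and the alloc key, and "geth init" will not tell you that your mining rewards are going to a non-address. The following is an added example (not code from the original post) that checks a genesis object for exactly those mistakes and totals the pre-funded balance in ether with BigInt, the same wei-to-ether conversion the helpers.js balance() routine gets from web3.fromWei. The field names are the ones from the post's template; the two sample objects are constructed here, reusing the post's own test account address.

```javascript
// Added example (not from the original post): sanity-check a private-net genesis.json
// before running "geth init", catching the mistakes the steps above warn about.
// Assumes the field names used in the post's genesis.json template; the sample
// objects below are constructed here, using the post's own account address.

const HEX_RE = /^0x[0-9a-fA-F]+$/;          // any "0x..." hex quantity
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;   // a 20-byte account address

// Returns a list of human-readable problems; an empty list means the file is usable.
function validateGenesis(genesis) {
  const problems = [];
  for (const field of ["nonce", "timestamp", "extraData", "gasLimit", "difficulty"]) {
    if (!HEX_RE.test(genesis[field] || "")) {
      problems.push(`${field} must be a 0x-prefixed hex string`);
    }
  }
  for (const field of ["parentHash", "mixhash"]) {
    if (!/^0x[0-9a-fA-F]{64}$/.test(genesis[field] || "")) {
      problems.push(`${field} must be a 32-byte hex hash`);
    }
  }
  // coinbase receives the mining rewards, so a leftover "0x0" placeholder means
  // mined ether goes nowhere useful.
  if (!ADDRESS_RE.test(genesis.coinbase || "")) {
    problems.push("coinbase is not a 20-byte address (still the 0x0 placeholder?)");
  }
  const alloc = genesis.alloc || {};
  for (const [address, entry] of Object.entries(alloc)) {
    if (!ADDRESS_RE.test(address)) {
      problems.push(`alloc key ${address} is not a 20-byte address`);
    }
    if (!/^[0-9]+$/.test(String(entry.balance))) {
      problems.push(`alloc balance for ${address} must be a decimal wei amount`);
    }
  }
  return problems;
}

// Total pre-funded balance in ether (1 ether = 10^18 wei); BigInt avoids the
// precision loss a plain Number would introduce at these magnitudes.
function allocTotalEther(genesis) {
  const WEI_PER_ETHER = 10n ** 18n;
  let total = 0n;
  for (const entry of Object.values(genesis.alloc || {})) {
    total += BigInt(entry.balance);
  }
  const whole = total / WEI_PER_ETHER;
  const frac = (total % WEI_PER_ETHER).toString().padStart(18, "0").replace(/0+$/, "");
  return frac ? `${whole}.${frac}` : `${whole}`;
}

// Constructed sample: the post's template before the account is filled in.
const templateGenesis = {
  nonce: "0x0", timestamp: "0x0",
  parentHash: "0x" + "0".repeat(64), extraData: "0x0",
  gasLimit: "0x8000000", difficulty: "0x400",
  mixhash: "0x" + "0".repeat(64), coinbase: "0x0",
  alloc: { "0x0": { balance: "20000000000000000000" } },
};

// Constructed sample: the same file after step 11, using the post's account.
const ACCOUNT = "0x057c86cae703b08c59fa6a9f066dbcc241da52a7";
const filledGenesis = {
  ...templateGenesis,
  nonce: "0xdeadbeefcafe0001",                    // made-up hex nonce
  coinbase: ACCOUNT,
  alloc: { [ACCOUNT]: { balance: "20000000000000000000" } },
};

console.log(validateGenesis(templateGenesis)); // two problems: coinbase and the alloc key
console.log(validateGenesis(filledGenesis));   // []
console.log(allocTotalEther(filledGenesis));   // "20"
```

Run it with node before "geth init"; an empty problem list for your edited file means the coinbase and alloc entries really point at your account rather than at the placeholder.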


saving “greeter” sample smart contract to your blockchain

now we can jump into the greeter hello world sample

  1. save this to greeter.js
    // greeterSource and greeterCompiled are restored from the geth greeter tutorial this script
    // follows; the post's copy dropped them along with the arguments to contract() and new() below
    var greeterSource = 'contract mortal { address owner; function mortal() { owner = msg.sender; } function kill() { if (msg.sender == owner) suicide(owner); } } contract greeter is mortal { string greeting; function greeter(string _greeting) public { greeting = _greeting; } function greet() constant returns (string) { return greeting; } }'
    var greeterCompiled = web3.eth.compile.solidity(greeterSource)

    var _greeting = "Hello World!"
    var greeterContract = web3.eth.contract(greeterCompiled.greeter.info.abiDefinition);

    var greeter = greeterContract.new(_greeting, {from: web3.eth.accounts[0], data: greeterCompiled.greeter.code, gas: 300000}, function(e, contract) {
      if (!e) {
        if (!contract.address) {
          console.log("Contract transaction send: TransactionHash: " + contract.transactionHash + " waiting to be mined...");
        } else {
          console.log("Contract mined! Address: " + contract.address);
        }
      }
    });

  2. fire that greeter.js, which compiles the greeter contract and sends it off to be committed to your blockchain, via: loadScript("greeter.js")
    • expecting output:
      I1222 23:58:58.069301 internal/ethapi/api.go:1045] Tx(0x293ae70fcfaa52d875cbc8fb72937da69983724016321eea944eda2b1a87732b) created: 0xec99e07dc19d075761456f8c33558ba2148eb048
      Contract transaction send: TransactionHash: 0x293ae70fcfaa52d875cbc8fb72937da69983724016321eea944eda2b1a87732b waiting to be mined…
  3. again, sit and twiddle your thumbs for an excruciatingly long time (7 minutes for me!?!?)… and hopefully you eventually see output
    Contract mined! Address: 0xec99e07dc19d075761456f8c33558ba2148eb048
  4. now we finally get to do: greeter.greet()
    • expected output
      "Hello World!"


Fun next steps…

1. Get BlockApps Strato rolling

  • Strato4 is a convenient REST API layer on top of raw Ethereum

    Each BlockApps node exposes a RESTful API to interact with the node. This allows you to deploy contracts/publish transactions with simple REST calls. Bloc-server also generates a REST API for each smart contract you deploy with it. This allows for a clean separation between your dapp’s frontend and smart contracts.

  • Solidity extension for Visual Studio has a nice, easy run-through on setting up BlockApps

  • BlockApps Strato GitHub Readme is also a short install guide with the following steps
  1. install nodeJS / npm via: choco install nodejs
  2. npm install -g blockapps-bloc
  3. test your Ethereum dev net apiUrl is listening: curl http://localhost:8545, expecting output: {"jsonrpc":"2.0","error":{"code":-32600,"message":"EOF"}}
  4. create a fresh BlockApps project…
    1. CD into the PARENT directory of your new project folder
    2. bloc init and follow the prompts – the Visual Studio extension link has nice screenshots
    3. then CD into your project folder
    4. bloc genkey – will prompt for password and create the initial “admin” user, expecting output: transaction successfully mined!
  5. bloc start fires up the Strato server listening for REST requests, expecting output:
    bloc is listening on
    api is pointed to http://localhost:8545 with profile strato-dev

    • that’s pretty cool we’re running on top of our own custom dev net
  6. (open yet another CMD window) curl "http://localhost:8000/users", expecting: ["admin"]
  7. continue on with the guides…
  8. particularly this Ether transfer example
    • tip, curl "http://localhost:8000/users/admin" yields the necessary user address number
    • sample transfer: curl -X POST -d "password=ann0ying&toAddress=39b32d2be0c29c1011f7d1481f945b9d355cae96&value=10" http://localhost:8000/users/admin/a962a8e09ae6a096258d988588f2e8639cd2a664/send
    • ran into this error: {"errorTags":["transactionResult","submitTransaction","Transaction"],"message":"txHash must be a hex string (got: [object Object])"}
    • only mention of this kind of error i’ve found so far has no response
    • i got node.exe JS file breakpoints working in Visual Studio 2015… a little tricky because bloc “spawn”s the main web listener as child process… so basically tweak this %appdata%\npm\node_modules\blockapps-bloc\bin\main.js line as so var server = spawn('node', ['--debug-brk=5859', 'app.js' ]); and follow this VS guide
    • debugging showed me the underlying error back from ethereum is missing request id… which i ran across firing basic curl requests at ethereum when i left out {“id”: number} on my curl calls… so i hacked that into the source {myProj}\node_modules\blockapps-js\js\Transaction.js but then…
    • the next error i’m stuck on now is The method _ does not exist/is not available, so something is off
    • even though Strato is basically happy with my Ethereum install enough to execute the new user APIs no problem
    • i posted issue on their forum
    • [update 2016-12-24] not only did support respond promptly next day but it was Kieren James-Lubin (kjameslubin) the founder no less! turns out, quote: “You must run a Strato node to be able to use bloc. No other Ethereum client supports it… You can use or launch one from the Azure market place or contact us at to install.”… so, that is welcome clarity straight from the horse’s mouth… a rare luxury that i am grateful for on this christmas eve… we’ll hop over to those other options … and the adventure continues… 🙂
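Two of the symptoms met above are JSON-RPC framing issues rather than Ethereum issues: the bare curl GET at step 3 gets back error -32600 "EOF" because there was no request object to parse, and the "missing request id" that debugging turned up came from calls sent without an "id" member. The following is an added example (not code from the original post or from bloc) showing what a well-formed JSON-RPC 2.0 request to the geth endpoint looks like and how to validate the reply before trusting it; the eth_getBalance method and localhost:8545 endpoint are from the post, while the reply strings are constructed stand-ins for a live node.

```javascript
// Added example (not from the original post): build a well-formed JSON-RPC 2.0
// request for the geth endpoint at http://localhost:8545 and validate the reply,
// so the two failure modes met above (a bare GET answered with -32600 "EOF", and a
// request sent without an "id") are caught before the result is trusted.
// Nothing here talks to a live node; the replies are constructed sample strings.

let nextId = 1;

// Every request carries jsonrpc, method, params and a unique id; the id is what
// lets the reply be matched to the request (and is what the failing call lacked).
function buildRpcRequest(method, params) {
  return { jsonrpc: "2.0", method, params, id: nextId++ };
}

// Parses a raw reply for the request with `expectedId`. Returns
// { ok: true, result } on success and { ok: false, error } otherwise.
function parseRpcResponse(raw, expectedId) {
  let reply;
  try {
    reply = JSON.parse(raw);
  } catch (e) {
    return { ok: false, error: "reply is not JSON" };
  }
  if (reply.jsonrpc !== "2.0") {
    return { ok: false, error: "missing jsonrpc version" };
  }
  if (reply.error) {
    // -32600 is "Invalid Request": the server could not parse a request object,
    // which is exactly what an empty GET produces.
    return { ok: false, error: `${reply.error.code}: ${reply.error.message}` };
  }
  if (reply.id !== expectedId) {
    return { ok: false, error: `reply id ${reply.id} does not match request id ${expectedId}` };
  }
  return { ok: true, result: reply.result };
}

// Constructed replies standing in for the node.
const EMPTY_GET_REPLY = '{"jsonrpc":"2.0","error":{"code":-32600,"message":"EOF"}}';

const request = buildRpcRequest("eth_getBalance", ["0x057c86cae703b08c59fa6a9f066dbcc241da52a7", "latest"]);
const goodReply = JSON.stringify({ jsonrpc: "2.0", id: request.id, result: "0x2b5e3af16b1880000" });
const staleReply = JSON.stringify({ jsonrpc: "2.0", id: request.id + 40, result: "0x0" });

console.log(JSON.stringify(request));                       // what to POST to http://localhost:8545
console.log(parseRpcResponse(EMPTY_GET_REPLY, request.id)); // { ok: false, error: '-32600: EOF' }
console.log(parseRpcResponse(goodReply, request.id));       // { ok: true, result: '0x2b5e3af16b1880000' }
console.log(parseRpcResponse(staleReply, request.id));      // { ok: false, error: 'reply id ... does not match ...' }
```

The id check matters on a shared endpoint: without it a late or unrelated reply can be mistaken for the answer to the request you just sent.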


2. get cracking on some real DAPPs!!


Handy References

Exposing Azure Function web API to native & web clients through Azure AD authentication


Azure AD writeups are prevalent but I was really struggling to find examples of calling the same Azure Function API, secured by Azure AD Authentication, by both Native as well as Web clients (since we can only select one app type in the Azure AD App registration, not both).


The kicker solution for me was having both a web and native App registration (i.e. two Client Id’s) and providing the WEB App registration’s Application Id as the “RESOURCE” parameter to the AuthenticationContext.AcquireTokenAsync() call in the Native app (see code sample below).

So the web registration is tied directly to the Azure Function, and then we’re piggybacking the web registration by requesting it as the resource parameter in the native client call… I haven’t seen this documented yet, so I can’t say whether this is an officially preferred solution.

Basic Steps

This is a good getting started guide, in parity with the current landscape.

  1. get your Azure Function working as a web api… probably doesn’t matter whether web or native comes first but it seems like the web is more “trusted” from an OAuth standpoint and more clearly documented… OAuth refers to native clients as “public” and requiring a couple more OAuth contortions than web clients.
  2. create a Web type entry for your Function under New Portal > Azure Active Directory > App registrations… all the defaults are good, except you’ll need to create the Reply URLs that are valid for you… reply url is a parameter to your ADAL.js client call… in the end this entry provides the crucial Application Id aka Client Id
  3. now configure this web registration for AD Auth via New Portal > App Services > {your Function app} > Function app settings > Configure authentication > Authentication Providers > Azure AD > Express >
    1. Azure AD App = the Web App registration name you gave above
  4. Now create another Azure AD > App registration as Native type and (HERE’S THE KICKER) > Settings > Required Permissions > Add > Select an API > TYPE IN YOUR web App registration name in the search box and it’ll show up to be selected
  5. finally, use the Application Id guid from your web app as the RESOURCE parameter to the AcquireTokenAsync() call in your native app

Working ADAL.js web client code sample

function adalResultHandler(err, token) {
  if (err) {
    lobibox.notify("error", { size: "mini", title: "Azure AD Auth", msg: err });
    return false;
  } else {
    //lobibox.notify("info", { size: "mini", msg: "login successful\nuser: " + + "\ntoken: " + token });
    return true;
  }
}

var adal = new AuthenticationContext({
  instance: "",
  tenant: "{your domain}",
  clientId: "{your web guid}", // your Azure AD > App registrations > {your web api} > APPLICATION ID
  //NUGGET: these "reply URLs" are set under Azure Portal > AD > App registrations > {your App Service} > Settings > Reply URLs
  //NOT under {your App Service} > Settings > (Manage) Auth > AD > Redirect URLs !!!
  redirectUri: window.location.href, //REPLACE WITH YOUR REDIRECT URL
  popUp: true
});

adal.callback = function (err, token) { if (adalResultHandler(err, token)) doSomething(); }
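When the resource/client id pairing described above is wrong, the quickest way to see why is to look at the claims inside the token ADAL hands to the callback: the aud claim should be the WEB app registration's Application Id (the value passed as the resource), and tid should be your tenant. The following is an added example (not code from the original post or from ADAL.js) that decodes a compact JWT and performs those checks; it runs under node (Buffer is used for base64url decoding), and the token, application id and tenant id are constructed placeholders. The Function app's Azure AD authentication still validates the signature on every call; this client-side inspection is purely for diagnosing the AADSTS65005 and wrong-resource cases in the next section.

```javascript
// Added example (not from the original post): inspect the access token ADAL.js hands
// to adalResultHandler and confirm it was minted for the right resource and tenant.
// The Function app's Azure AD auth still verifies the signature; this client-side
// check only helps diagnose the AADSTS65005 / wrong-resource situations.
// The token, application id and tenant id below are constructed placeholders.

function base64UrlDecode(segment) {
  // JWTs use base64url (RFC 7515): '-' and '_' instead of '+' and '/', no padding.
  const base64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Returns the claims object from a compact JWT, or null if the shape is wrong.
function decodeJwtClaims(token) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(base64UrlDecode(parts[1]));
  } catch (e) {
    return null;
  }
}

// Checks the claims a web client should care about before calling the API:
//   aud  must be the WEB app registration's Application Id (the "resource"),
//   tid  must be your tenant,
//   exp  must still be in the future (seconds since the epoch).
function tokenMatches(token, expected, nowSeconds) {
  const claims = decodeJwtClaims(token);
  if (!claims) return { ok: false, reason: "not a three-part JWT" };
  if (claims.aud !== expected.webAppId) {
    return { ok: false, reason: `aud is ${claims.aud}, expected ${expected.webAppId}` };
  }
  if (claims.tid !== expected.tenantId) {
    return { ok: false, reason: `tid is ${claims.tid}, expected ${expected.tenantId}` };
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
    return { ok: false, reason: "token expired" };
  }
  return { ok: true, reason: "" };
}

// Constructed placeholders: the web registration's Application Id and the tenant id.
const EXPECTED = {
  webAppId: "11111111-2222-3333-4444-555555555555",
  tenantId: "99999999-8888-7777-6666-555555555555",
};

// Constructed sample token: header.payload.signature with a dummy signature.
function makeSampleToken(aud, tid, exp) {
  const header = base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const payload = base64UrlEncode(JSON.stringify({ aud, tid, exp, upn: "someone@example.com" }));
  return `${header}.${payload}.dummysignature`;
}

const NOW = 1482451200; // fixed "now" so the example is deterministic
const goodToken = makeSampleToken(EXPECTED.webAppId, EXPECTED.tenantId, NOW + 3600);
const wrongResource = makeSampleToken("00000000-0000-0000-0000-000000000000", EXPECTED.tenantId, NOW + 3600);

console.log(tokenMatches(goodToken, EXPECTED, NOW));     // { ok: true, reason: '' }
console.log(tokenMatches(wrongResource, EXPECTED, NOW)); // ok: false, aud mismatch
```

In the browser the same decode works with atob() in place of Buffer; what matters is that a token whose aud is the NATIVE client id rather than the web Application Id will be rejected by the Function app even though ADAL returned it without error.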


Working Xamarin Native iOS app client code sample

private const string Instance = "";
private const string Tenant = "{your domain}"; // "common", or your tenant id guid, e.g. "4be68759-0968-4760-b716-f82711a28fcb"
private const string ClientId = "{your native guid}"; //from your Azure AD > App registrations > {your ***NATIVE*** api} > APPLICATION ID
private const string RedirectUri = "https://{your azure function api name}";
private const string ResourceId = "{your web guid}"; //take this from your Azure AD > App registrations > {your ***WEB*** api} > APPLICATION ID // **isn't that interesting, we're requesting another API as the "resource" of this api**

var Azure_OAuth2_Authority_Url = $"{Instance}/{Tenant}/oauth2/authorize";
var authContext = new AuthenticationContext(Azure_OAuth2_Authority_Url);

var authResult = await authContext.AcquireTokenAsync(ResourceId, ClientId, new Uri(RedirectUri), await _platformParameters.GetAsync()); //_platformParameters is something i whipped up special
CurrentUser = new HfcUserAuth
{
  FirstName = authResult.UserInfo?.GivenName,
  LastName = authResult.UserInfo?.FamilyName,
  AccessToken = authResult.AccessToken,
  IdToken = authResult.IdToken
};

Typical error responses

Various attempts at sussing out a valid resource value for the AcquireTokenAsync() in my Xamarin Forms native iOS app would yield the following error:
AADSTS65005: The client application has requested access to resource <xyz>. This request has failed because the client has not specified this resource in its requiredResourceAccess list

I was also getting these, where {app} was the resource I was passing, when I had the ClientId parameter wrong:
AADSTS50001: The application named {app} was not found in the tenant named {tenant}.

Helpful references

What is my Tenant Id or “Authority” URL ???

Wanted to mention this in closing, since “Tenant” is so ambiguously referred to in the documentation I ran into…
New Portal > Azure Active Directory > App registrations > Endpoints is where you pull the “Authority” URL from the “OAUTH 2.0 AUTHORIZATION ENDPOINT” slot – the main argument for new AuthenticationContext()

for example:
this “9198…” guid is your Tenant Id (don’t worry this one is made up)

our tenant appears to be simply our azure ad domain name, at least in typical configurations… so this works here as well:


Lighter Spin on ADAL in Xamarin Forms


new-up the elusive “PlatformParameters” in your AppDelegate.cs::FinishedLaunching / MainActivity.cs::OnCreate

ts;wm (too short; want more ; )

thankfully we have solid writeups on ADAL with XF… this post is just me trying to boil it down to essence and PCL as much as possible…
(BTW: ADAL = Active Directory Auth Lib… i needed it for PowerBI embedding)


the first post keeps the platform specific surface area pretty minimal but also winds up wrappering the stock ADAL classes quite a bit…
the second post seems pretty minimal and leverages CustomRenderers for the right timing to grab this context… seems like a good general trick to tuck away…

the approach i came to is grabbing this context right up front in app initialization and then providing it through dependency injection later…
both pieces of that are basically one liners which feels nice
also it’s now conveniently available to other services should needs arise…
and theoretically we’ve kept things clean for TDD but honestly i don’t readily see how to test this flow since it requires interactive auth… i’ll have to read up on how people generally recommend mocking this kind of thing

iOS AppDelegate.cs::FinishedLaunching()

  public partial class AppDelegate : Xamarin.Forms.Platform.iOS.FormsApplicationDelegate
  {
    public override bool FinishedLaunching(UIApplication app, NSDictionary options)
    {
      var prismApp = new App(new iOSInitializer());

      var finishedLaunchingResult = base.FinishedLaunching(app, options);
      //KeyWindow won't be populated until after FinishedLaunching
      prismApp.Container.RegisterInstance(typeof(IPlatformParameters), new PlatformParameters(UIApplication.SharedApplication.KeyWindow.RootViewController)); // ** here's the beef **

      return finishedLaunchingResult;
    }
  }

Android MainActivity.cs::OnCreate

  public class MainActivity : Xamarin.Forms.Platform.Android.FormsAppCompatActivity
  {
    protected override void OnCreate(Bundle bundle)
    {
      base.OnCreate(bundle);

      Xamarin.Forms.Forms.Init(this, bundle);
      var prismApp = new App(new AndroidInitializer());

      prismApp.Container.RegisterInstance(typeof(IPlatformParameters), new PlatformParameters(this)); // ** here's the beef **
    }
  }

then later in calling code just reference via DI

    public PowerBIService(IPlatformParameters platformParameters)
    {
      _platformParameters = platformParameters;
    }

Free SSL Certs is a wonderfully progressive initiative… free certs for all, to promote better internet security, nice!

this windows tool made quick work of plugging it into IIS vs the more unix’y stuff they suggest on their home page
literally just seconds to launch the win tool and hitting a key to select which IIS site you want the cert for… none of the ol’ CSR hassle, yay!


  • your web server has to be reachable on the public internet at the domain url (port 80) you wish to gen the cert for
  • the win tool will be most automatic when you plug your domain into the host-header (port 80)

Note: The Let’s Encrypt certs come set to expire in 90 days – BUT, the Windows tool schedules a recurring task to reach out and automatically renew the certs before that expiration. Pretty slick… will have to watch if that actually works come time.

Chrome Blacklist Blocker (PowerShell)

If you need this, you’ll know why 😉

Save ChromeBlacklistBlocker.ps1 somewhere local.

You can run it via right mouse > “Run with PowerShell”.
It will dump out some event text whenever it notices a registry change.
(this is currently commented out and latest code hides the powershell console window after launch)

Or more permanently, put a shortcut like this into your “shell:startup” folder:
powershell.exe -ExecutionPolicy Bypass {path}\ChromeBlacklistBlocker.ps1

It will monitor the HKLM\Software\Policies registry branch and delete the value named “1” under Google\Chrome\ExtensionInstallBlacklist.
This value is specific to my scenario but is of course editable to your specific needs.

You can test it is working by creating the “1” value yourself and it should disappear.

Another good way to test is to fire gpupdate.exe /force to force a group policy update – again, if you need this, that should make sense 🙂

More Google search keywords: block registry key

[SOLVED] Comodo v7 blocking HTTP/S and FTP/S on Windows 8.1 IIS 8.5

Besides opening incoming HTTP ports in the firewall via “Global Rules”, the annoying thing for me to find was also adding an “Application Rule” for “Windows Operating System” on those same ports.

Comodo v7.0.317799.4142

And this guy explains what’s necessary for FTP very nicely…

  • in comodo > global settings > application rule – add 20,21 & 5000-6000 as allowed incoming TCP ports on “Windows Operating System”… you will also hopefully get prompted to allow svchost which is responsible for running the ftpsvc
  • on internet router – forward ports 20,21 and 5000-6000
  • in IIS FTP settings
  • filezilla settings
    • require explicit ftp over tls

KeePass + Cloud Storage = (near) Password Nirvana

Update 2015-09-27: Neato! In June of 2015 the author applied a mod which allows KeePassHttp to be served from somewhere other than localhost… there are security implications to be considered here, but as long as you know how to cover your bases it opens some nice possibilities to have a single KeePass instance provide password resolution to multiple clients… e.g. a VM guest, other machines in your home, etc. Not provided in a ready to run plgx file yet, but following the self compile instructions found in the readme was fairly trivial.

KeePass2 – Password management application

  • 10 years mature
  • Free
  • Windows, Linux, Mac, Android and iOS versions
  • DropBox compatible (Google Drive, etc)
  • Autofill browser plugins
  • Rich text area for notes (e.g. challenge phrases and other reminders)
  • Open source (.Net)

  • Mac (and Linux) can run the Windows.exe via Mono
  • Initially ran native KyPass Companion on the Mac side (~$8). Have since switched back to the free mainstream build (see below)

  • On Android phone using Keepass2Android (free) with solid results

  • Provides special keyboard which facilitates autofill

  • DropBox and other cloud drives well supported (synchronize)
  • Handy yet still secure Quick Unlock feature
  • Consider a good android lock screen as additional layer of protection

I’m glad I finally took the time.  I (forced 😉 my wife to run the Windows version on her desktop and we share the same database file with our financial, healthcare, etc logins. So either of us can get into whatever we need wherever we are. It gives me peace of mind that she would have ready access to those important things in case I was somehow unavailable (knock wood). If you’re putting up with some other convoluted hodge podge as I was, please give this general idea a shot by wading in slowly and see if it makes your life easier as it has for me.

2013-01-01: My main password file was corrupted

and I couldn’t log in.

  • Turns out I had a wonky entry that kept growing upon subsequent saves. Maybe compression algorithm was backfiring or something like that.
  • The offending entry was under KeePassHttp which just stores the authorized connection for each particular browser, so it was a no brainer to kill and recreate.
  • My kdbx file had grown to 28MB! after deleting it was back down to a measly 16k.
  • KyPass Companion was doing the most recent suspect saves causing massive growth so I can’t help but wonder.

DropBox really shines

  • Thanks to DropBox’s inherent versioning I could readily fallback to a working copy
  • Dropbox also showed the disturbing progression in larger file sizes over short amount of time
  • as well as which client that was driving those suspect saves – KyPass on my Mac
  • really gotta hand it to that product team, top notch stuff

KyPass’s questionable involvement gave me a reason to give the mainline KeePass2 another look…

Banging KeePass2 for OS X into shape

  • Updated from current v2.23 build to the latest official v2.24 build by dropping the latest KeePass.exe from the Windows zip bundle into the Contents/MacOS folder. This is promising; hopefully to never suffer the envy of a more recent build.
  • Contents/MacOS is also where plugins like KeePassHttp.plgx should be dropped.
  • KeePassHttp is working just fine for me running under this mono version.
  • Make sure to disable “Show a notification when credentials are requested” under Tools > KeePassHttp Options. Otherwise both KeePass and browser would freeze upon every login page request.

Nice to have’s in KeePass not currently available in KyPass Companion:

  • Automatic save-on-change (via triggers facility)
  • Autoload of the MRU kdbx file upon launch
  • Synchronization

[SOLVED] Error: “The following plugin is incompatible with the current KeePass version”

  • Running on Mac via mono, turns out lldb is somehow the process forked by mono which hosts the KeePassHttp listener on port 19455
  • In my situation this pesky error was apparently caused by a crashed orphan lldb holding onto the port and blocking subsequent launches of KeePassHttp
  • Simply “killall lldb” from terminal to resolve

Debug notes:

  • mono -v /Applications/KeePass{version}/Contents/MacOS/keepass.exe > debug.txt
  • Noticed SocketException well into the KeePassHttp plugin’s constructors call stack and started to realize the error message was misleading
  • Xamarin Studio will debug the running instance:
  • First, enable debugger break on SocketException: Run > Exceptions > enter SocketException in the search
  • Run > Debug Application > browse to keepass.exe

  • Xamarin Studio will also reverse gen back to C# source (not that we need it in this case but it’s good to know for future) – just create a new project and add the assembly (DLL or EXE) as a reference and click into it to see the readable source conversion of all classes.

[SOLVED] Acer Aspire One won’t boot Syslinux USB thumbdrive

Looks like my particular issue was the default partition size on my 16GB thumbdrive. Once I formatted the USB with a 2GB partition and installed Syslinux to that, it booted up right away where previously it would hang on the first “Syslinux Copyright Peter Anvin” message. More details:

  • Acer Aspire One model#: 722-C62bb (looks like this is an 11” model)
  • Always handy to have another computer to work from (for web searching, trial and error formats on the USB drive, etc) when trying to fiddle with boot issues on another… my other computer is a Win8 desktop.
  • Syslinux actually came into my picture because I was looking to create Comodo’s Rescue Disk. Comodo (v6.2) has a convenient point and click process to push their linux based rescue disk to a USB.
  • I used diskpart (on my Win8 box) to create the smaller partition… here’s the core commands:
    • list vol (to get a feel for your windows drive letters and not format the wrong one 🙂
    • list disk (same for raw physical disks)
    • select disk X (MAKE SURE YOU CHOOSE THE RIGHT ONE!!)
    • clean (THIS WIPES THE DISK!!!)
    • create part primary size=2048 (2GB worked for me in this context)
    • active
    • format fs=fat label="COMODO" quick (I chose old school FAT filesystem looking for most downlevel compatibility, not sure if it was actually necessary vs FAT32. NTFS is notably the least compatible option for linux booting. Quick means do a quick format.)
  • Then I just let Comodo do its thing and that result booted up right away for me – yay 🙂

Enable SSL Connections to SQL Server

“SQL Server Transport Encryption” is a good Google phrase for this technology.

Obtain an SSL Certificate

A self signed certificate is easy and works fine… here’s one way:

  • Get the IIS 6.0 Resource Kit Tools:
  • All you’ll need is the “SelfSSL.exe” tool so the custom install is minimal.
  • Find SelfSSL.exe in the default install path: C:\Program Files\IIS Resources
  • Good reference for SelfSSL usage:, scroll down to “Generate a Self Signed Certificate with the Correct Common Name”
  • Command line example:
    1. SelfSSL /N:CN=MWR-TRO-V2 /V:1999999
    • The /V: part is the validity duration of your cert, in days. I believe 1999999 is the max, which corresponds to around 5475 years in the future (that ought’a last ya 😉
    • The /N:CN= part is the “Common Name” this cert will be tied to… in this case that needs to be the true machine name of your database server.
  • “Do you want to replace the SSL settings for site 1 (Y/N)?” => No
  • Now you have a cert registered in your “personal certificate store” – next we’ll extract it for installation on db server.
Fire up the MMC “Certificates Console” to manage your new cert

  • Good reference:
  • Open the MMC console: Start > Run > mmc [enter] (or Windows-R) (MMC Fig.1)
  • Add the cert snapin: click File > Add/Remove Snap-in (MMC Fig.2)
  • select Certificates under Available snap-ins… and hit Add button… (MMC Fig.3)
  • select Computer Account… then Next… (MMC Fig.4)
  • select Local computer, and then Finish… (MMC Fig.5)
  • lastly, hit OK (MMC Fig.6)
  • You may wish to save this MMC configuration for future convenience (MMC Fig.7)

Export the cert as a pfx file

…to be installed on your database server

  • Certs installed via the above process will be your “Personal > Certificates” folder (Export Fig.1)
  • Right mouse desired certificate > All Tasks > Export > Next … (Export Fig.2)
  • “Export the private key?” => Yes … Next… (Export Fig.3)
  • Select PFX format, “Include all certs…”, “Export extended”, NOT “Delete…”, Next … (Export Fig.4)
  • Enter a password, hit Next… (Export Fig.5) – ** REMEMBER THAT PASSWORD **
  • Save the pfx file (Export Fig.6)
  • Finish… OK (Export Fig.7)

Import cert on database server

  • Login to your DB server desktop
  • Launch MMC Cert Console same as above
  • Go to Personal > Certs
  • Right mouse All Tasks > “Import”… (Import Fig.1)
  • Next… (Import Fig.2)
  • Browse… (Import Fig.3)
  • Next … (Import Fig.4)
  • Enter Password, select “Mark this key as exportable”, Next… (Import Fig.5)
  • “Place all certificates in the following store” => Personal… Next… (Import Fig.6)
  • Finish (Import Fig.7)

Activate SSL encryption on DB server

  • Fire up SQL Server’s Network Configuration Utility
    • Start > All Programs > Microsoft SQL Server {version} > Configuration Tools > SQL Server Configuration Manager
  • then under “SQL Server Network Configuration”
  • Right click “Protocols for MSSQLServer”
  • select “Properties”
  • set “Flags tab > Force Encryption” to Yes
  • and select the installed cert on the “Certificates” tab
  • voila!
  • login to the instance with an SSMS Query window
  • fire this command to verify all connections are encrypted:
    1. SELECT encrypt_option, * FROM sys.dm_exec_connections WHERE session_id = @@SPID
  • Tip: SP_WHO2 is handy for obtaining spids