Wednesday, March 10th 2010


More Plesk 9.2.3 PCI Compliance fixes on CentOS 5
posted @ 8:38 am in [ Fixing Things -PCI Compliance -PHP -Technology ]

Plesk is a right pain when it comes to having your site successfully audited as being PCI compliant, as it has its own versions of everything that it uses that you need to patch/fix/SSL upgrade or disable.

Luckily most of these are started with the xinetd daemon, so for SMTPS certificate problems (port 465 if my memory serves me correctly) simply create a folder to move the ones you don’t want into (in my case I used /etc/xinetd.disabled) and move the following files out of /etc/xinetd.d

mkdir /etc/xinetd.disabled
mv /etc/xinetd.d/smtps_psa /etc/xinetd.disabled/.
mv /etc/xinetd.d/submission_psa /etc/xinetd.disabled/.

and restart your xinetd

/etc/init.d/xinetd restart

Then the last tasks should be to create valid SSL certificates for Qmail and disable weak SSL ciphers in Plesk.

To disable weak SSL ciphers in Plesk edit the Plesk config file and add the following line

/etc/sw-cp-server/applications.d/plesk.conf

ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"

so the file will now look like this

include_shell "/usr/local/psa/admin/conf/ssl-conf.sh"
ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"
index-file.names = ("index.php")

Creating Qmail self signed SSL Certificates is best illustrated at the following guide http://www.akadia.com/services/ssh_test_certificate.html

References:
How to create a self-signed SSL Certificate
How to find out which process is listening on which port
port 8443 medium strength SSL ciphers in Plesk
Generating QMail SSL Certificates




Monday, January 18th 2010


Confusing SSL with mixed IP addresses
posted @ 8:21 am in [ Apache -Fixing Things -Hosting -PHP -Technology ]

SSL throws a weird error in that if you have http (port 80) bound to one IP address [say an internal one] and you bind https (port 443) to a different IP address [say an external one] then SSL throws the following very undescriptive error:

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

To fix, edit your Apache configuration file in /etc/httpd/conf/httpd.conf (or similar) and make sure that both virtual hosts have the same IP address – job done 🙂





Thursday, October 29th 2009


Fixing cross-site scripting attacks in PHP for PCI Compliance
posted @ 9:49 am in [ Fixing Things -Technology -Web Design -Web2.0 ]

More PCI compliance checks meant that we found a number of scripts in some of the simpler pages on our sites (email register for example) were subject to possible cross-site scripting attacks.

(see the Wikipedia entry for a pretty good explanation of what they are and why you need to fix them http://en.wikipedia.org/wiki/Cross-site_scripting)

Anyway – here’s the quick code to fix pretty much any form using htmlspecialchars to encode the input.

Original: (note the weakness in using REQUEST_URI here)

<form method="post" action="<?php echo $_SERVER['REQUEST_URI']; ?>" id="registerTop" class="smallForm">

Fixed: (note the replacement of PHP_SELF for REQUEST_URI to stop injection of different pages)

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES); ?>" id="registerTop" class="smallForm">

Happy days – PCI test passed 🙂
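As an added illustration (not code from the original post), here is the same before/after as two small functions run against a constructed $_SERVER array; note that PHP_SELF can also carry user-supplied path info, so the htmlspecialchars call is what actually does the work, not the choice of variable on its own.

```php
<?php
// Added example, not from the original post: why echoing REQUEST_URI verbatim
// into a form action is reflected XSS, and what ENT_QUOTES escaping changes.

// Vulnerable: path and query string are attacker-controlled and copied as-is,
// so a double quote in the URL closes the action attribute.
function form_action_vulnerable(array $server): string
{
    return '<form method="post" action="' . $server['REQUEST_URI'] . '">';
}

// Hardened: PHP_SELF may still contain user-supplied path info, so every
// quote and angle bracket is encoded before it is placed in the attribute.
function form_action_hardened(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// Constructed request values (stand-ins for a real $_SERVER) with a quote and
// a harmless tag smuggled into the URL.
$server = [
    'REQUEST_URI' => '/register.php?x="><b>injected</b>',
    'PHP_SELF'    => '/register.php/"><b>injected</b>',
];

// In the first line the injected tag lands outside the attribute as live
// markup; in the second it is rendered as inert text inside the attribute.
echo form_action_vulnerable($server), "\n";
echo form_action_hardened($server), "\n";

// Quick self-check a deployment test could run: the hardened output must not
// contain a raw double quote or angle bracket beyond the ones we wrote.
$hardened = form_action_hardened($server);
$inner = substr($hardened, strlen('<form method="post" action="'), -2);
if (strpbrk($inner, '"<>') !== false) {
    throw new RuntimeException('escaping failed');
}
```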




Friday, October 16th 2009


Upgrading Plesk 8.3 for PCI compliance to 9.x
posted @ 3:53 am in [ Fixing Things -Media Temple -Web Design ]

PCI compliance … grrrr… understand why it needs to be done but crikey is it a boring process to do.

Anyway, turns out that Plesk 8.3, the default from our lovely hosting provider at Media Temple, isn’t PCI compliant as it uses an old Apache install.

However, never fear, easy fixes at hand 🙂

Upgrade 8.3 to 8.6
/usr/local/psa/admin/sbin/autoinstaller --select-release-id PLESK_9_2_2 --upgrade-installed-components

Upgrade 8.3 to 9.0 (latest)

/usr/local/psa/admin/sbin/autoinstaller --select-release-latest --upgrade-installed-components

or you can run the upgrade interactively using just

/usr/local/psa/admin/sbin/autoinstaller




Tuesday, June 30th 2009


Dots not valid characters in PHP POST variables, and replaced with underbars
posted @ 8:01 am in [ Fixing Things -PHP -Web Design ]

So here I am, throwing my hands up and shouting at the screen, as far as I can tell PHP is converting POST variable names from Market Live like

billContact.person.firstName=Alex&

to

billContact_person_firstName=Alex&

anyway… it is !!!!!

Apparently .s are not valid in variable names in PHP so it converts them to _s automatically!

http://stackoverflow.com/questions/283751/php-replaces-spaces-with-underlines

Wow – how annoying is that – and just thought I’d share the pain with everyone else…..
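If you need the dotted names intact, one option (added example, not from the original post) is to parse the raw request body yourself instead of relying on $_POST; the parser below is a hypothetical helper, and the sample body is constructed to match the post.

```php
<?php
// Added example, not from the original post: keep dotted field names such as
// "billContact.person.firstName", which PHP's $_POST handling and parse_str()
// both rewrite to underscores.

// Minimal application/x-www-form-urlencoded parser that preserves key names
// literally. It does not interpret PHP's "name[]" array syntax; such keys are
// kept as plain strings, which is the point for dotted vendor field names.
function parse_form_keep_dots(string $raw): array
{
    $out = [];
    foreach (explode('&', $raw) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
        // urldecode() also turns '+' into a space, as form encoding requires.
        $out[urldecode($key)] = urldecode($value);
    }
    return $out;
}

// Constructed sample body in the shape the post describes. In a real request
// you would read it with file_get_contents('php://input').
$raw = 'billContact.person.firstName=Alex&billContact.person.lastName=Smith';

// PHP's own behaviour: dots become underscores.
parse_str($raw, $mangled);
print_r($mangled);

// The manual parser keeps the original names.
$kept = parse_form_keep_dots($raw);
print_r($kept);

// Sanity check a test could keep around.
if (!isset($kept['billContact.person.firstName']) || $kept['billContact.person.firstName'] !== 'Alex') {
    throw new RuntimeException('dotted key was not preserved');
}
```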




Friday, March 6th 2009


Changing the default SSL certificate in Plesk
posted @ 6:16 am in [ Fixing Things -Media Temple -Technology -Web Design ]

Plesk as provided by Media Temple on all its servers is great, however I do occasionally get the ‘where the heck is the button to do that’ feeling with it and as much as I try the very feature I’m looking for is there, just hidden away.

One that has thwarted me a number of times is how to change the default SSL certificate for a domain when you install a new SSL certificate. You would have thought Domains -> Certificates, or Server -> Certificates -> Make Default would do the trick, but nope neither works.

However… if you click on Server -> IP Addresses -> <Your IP Address> -> you get the ability to select which SSL certificate you want for the server et voila job done.

Now if only that was easier to find (hence why the Abridged Learnings lives :-))




Monday, March 2nd 2009


Installing High Definition Audio Drivers on an Acer Aspire One
posted @ 6:20 am in [ Acer Aspire One -Fixing Things ]

I’ve bitten the bullet with my Acer Aspire One and upgraded it to Windows XP Service Pack 3 from its original Linux based installation just to allow me to use it more easily when I’m travelling.

The good news is that if you choose to do this, most things work perfectly with a vanilla install of XP, and the drivers from the Acer site here, that is all except the High Definition Audio Driver which stubbornly refuses to work even with the Realtek drivers from the Acer site.

After reading around, this is because you also need to install the Intel/Microsoft UAA Bus Driver for High Definition Audio in order to enable these, which can be downloaded from the Intel site here by searching for UAA.zip in the drivers.

Now here’s the real kicker with this – the Intel UAA drivers only come with installations that work on Windows XP Service Pack 1 and 2 _not_ Service Pack 3 as when you run any of the other installations it tells you that these drivers cannot be installed on your service pack.

So…. you have to cheat a little. Run the installer from the US folder called ‘KB888111XPSP2.EXE’ and when the installer displays the alert box to tell you that the driver is incompatible, open a new explorer window and you will see that the installer has created a temporary folder on your C Drive called c:\24e6bea25c91f82885b372e21 or similar.

Copy the whole contents of this folder off to another folder of your own (I used c:\drivers\intel\unpacked) and then go and find your broken PCI device in your Control Panel -> System -> Properties display and update the driver by telling it that you Have a Disk (Google how to install drivers from a disc if you get stuck at this point) and tell it that the drivers it needs are in <the directory you copied the files to>\commonfiles

Your Aspire One should now whizz away for a while and find a new driver called Microsoft UAA Bus Driver for High Definition Audio, and once installed will leave you with another uninstalled device called ‘Audio Device on High Definition Audio Bus’.

Now install the Realtek drivers from Acer for your sound card and after a significant wait the above yellow icon disappears and you get a nice ‘Realtek High Definition Audio’ speaker and driver installed.

All done!




Friday, February 6th 2009


Converting Mac Dfonts to PC TTF fonts
posted @ 5:32 am in [ Fixing Things -Web Design ]

I’ve recently had to turn Mac .dfonts into PC ttf’s and thought I’d share the process

1. Split the .dfont into respective parts

Mac .dfonts are basically containers (like zip files) and contain a number of Mac format TTF fonts. To split them, use DfontSplitter

http://peter.upfold.org.uk/blog/2008/03/11/dfontsplitter-convert-dfont-files-to-ttf/

and/or Fondu if you prefer the command line (me!)

http://fondu.sourceforge.net/

2. Convert them to PC TTF

Drag the TTFs into FontLab 4 (a great tool from FontLab, http://www.fontlab.com/) and then File -> Generate Fonts to get the resultant PC TTF files ready to go

Phew!

Alex




Wednesday, October 22nd 2008


Running Java servlets and Java application servers on Media Temple DV Servers
posted @ 5:29 am in [ Fixing Things -Media Temple -Technology -Web Design ]

I’ve always had problems trying to run Java based application servers on Media Temple Dedicated Virtual Servers (DV Servers), as although they have lots and lots of disk space and bandwidth, they seem to have very small memory spaces that you can run containers in.

Java by default powers up with about 1024Mb of memory requirements, so if you are installing Apache Tomcat (java servlet engine) or Red 5 (Open Source Flash Video server – very good, try it out) you have to seriously rein in the memory these guys try and use when powering up.

For reference the best way to achieve this is using the -Xms and -Xmx parameters, so in my case I added the following to the startup.sh script for Tomcat

JAVA_OPTS=' -Xms128M -Xmx128M'
export JAVA_OPTS

Ideally I’d like a bit more memory to play with, but at least it works like this and the old application I’m supporting can run 🙂




Friday, April 18th 2008


Configuring your iPhone for T-Mobile
posted @ 10:20 am in [ Fixing Things -iPhone -Mobile -Technology ]

My iPhone is on T-Mobile as the ex-owner wanted to keep the O2 number that came with it, and I have a corporate account with T-Mobile.

All works nicely, but obviously you want to configure your T-Mobile account to mimic the default iPhone account that it originally came with, so here’s what you need.

1. T-Mobile Web & Walk

You need to add the very reasonable £7.99 package to your account and wait a few hours for it to be activated, then you get up to a Gig of data a month (I believe) to play with.

2. Configure the EDGE settings on your iPhone

Settings -> General -> Network -> EDGE

APN = general.t-mobile.eu
Username = user
Password = pass

et voila – off browsing we go when we’re away from the wireless network!