Talk smtp to gmail with openssl s_client

Here are the basic commands to talk smtp to gmail.

We will send email from sender@gmail.com to recepient@gmail.com
The gmail password of sender@gmail.com is "my secret password".

Preparation:

To authenticate, we need our user/pass in base64 format:
base64("sender@gmail.com") = c2VuZGVyQGdtYWlsLmNvbQ0K
base64("my secret password") = bXkgc2VjcmV0IHBhc3N3b3Jk

To get the base64 encoded string, google "base64 online encoder" and click on any of the online encoder/decoders.
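The two values above can also be produced locally, so the password never leaves the machine. This is an added example, not part of the original post, and the function names are illustrative. It also shows that the user-name token printed above decodes to the address followed by CRLF, which is what an encoder returns when the line ending is encoded together with the text.

```shell
#!/bin/sh
# Added example: base64 helpers for SMTP AUTH LOGIN. Function names are
# illustrative; the sample strings are the ones used in the post.

# Encode exactly the bytes of $1. printf '%s' adds no trailing newline,
# unlike echo, so the server sees only the user name or password.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Decode a token, e.g. the "334 ..." prompts the server sends during AUTH LOGIN.
unb64() { printf '%s' "$1" | base64 -d; }

# Succeeds if the decoded token ends in CR or LF, a sign that the encoder
# was fed the line ending as well as the text.
ends_with_newline() {
    last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ] || [ "$last" = "0d" ]
}

# Prompt for a password without echoing it and without putting it on a
# command line, then print its base64 form. Needs a terminal.
b64_prompt() {
    printf 'Password: ' >&2
    stty -echo
    IFS= read -r pw
    stty echo
    printf '\n' >&2
    b64 "$pw"
    unset pw
}

b64 'sender@gmail.com'; echo          # c2VuZGVyQGdtYWlsLmNvbQ==
unb64 'VXNlcm5hbWU6'; echo            # Username:
unb64 'UGFzc3dvcmQ6'; echo            # Password:
if ends_with_newline 'c2VuZGVyQGdtYWlsLmNvbQ0K'; then
    echo 'the user name token in the post includes a trailing CRLF'
fi
```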

If you're using Gmail's two-step authentication

Go to https://security.google.com/settings/security/apppasswords and get a one-time password.

Ending the DATA of the email.

To end the DATA part, we need to press dot (".") and then Enter (which should send CRLF).

Important NOTE: I'm on a macbook, and the terminal client sends LF when I press enter. When I want to send CRLF, I press Ctrl+V, Enter. If you don't know what I'm talking about, after the dot (".") if it doesn't work with dot and Enter, press [dot, Ctrl+V, Enter].

The commands

We will use s_client, which is like telnet but supports SSL (encrypted telnet). You will need OpenSSL for that purpose.

[mihail@arch ~]# openssl s_client -connect smtp.gmail.com:587 -starttls smtp
[a lot of text will be printed - ssl info. For simplicity ignore it.]
---
250 SMTPUTF8
auth login
334 VXNlcm5hbWU6
c2VuZGVyQGdtYWlsLmNvbQ0K
334 UGFzc3dvcmQ6
bXkgc2VjcmV0IHBhc3N3b3Jk
235 2.7.0 Accepted
helo
250 mx.google.com at your service
mail from:<sender@gmail.com>
250 2.1.0 OK dc8smxxxxwib.7 - gsmtp
rcpt to:<recepient@gmail.com>
250 2.1.5 OK dc8smxxxxwib.7 - gsmtp
data
354 Go ahead dc8smxxxxwib.7 - gsmtp
from:<sender@gmail.com>
to:<recepient@gmail.com>
subject:manual smtp with gmail
some text as the body of the email
more lines of text

.
250 2.0.0 OK 1414600919 dc8smxxxxwib.7 - gsmtp
quit
221 2.0.0 closing connection dc8smxxxxwib.7 - gsmtp
read:errno=0
[mihail@arch ~]#

 

 

Update1:

If you want to use SSL 465, the command is:
#openssl s_client -connect smtp.gmail.com:465 -tls1

(here you need to start with HELO, and then AUTH LOGIN - I don't know why)

Update2:

Also, some accounts fail with:

3073894076:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:

I don't know why. It seems like it wants to fall back to ssl3.

Mapping the OSI model to the TCP/IP stack

I have always had issues with mapping OSI to TCP/IP. This is a nice picture:

OSI TCP Model Comparison

Left is OSI, right is TCP/IP.

Source: http://www.thebryantadvantage.com/OSI%20TCPIP%20Model%20Mapping%20CCNA%20Certification%20Tutorial.htm

My difficulty was mapping the Session layer from OSI onto an HTTP connection. Or is the HTTP protocol a presentation or an application layer? According to the following picture, there is no session layer, or it is skipped:

tcpipmap

 

Source: http://www.protocols.com/pbook/tcpip1.htm

Curious enough, there is nothing in the presentation layer.

Force Integrated graphics on VMware Fusion (and probably other apps) on OS X 10.8 Mountain lion (avoid discrete graphics)

With OS X 10.8 gfxCardStatus is no longer capable of enforcing Integrated Graphics card only.

When one uses VMWare Fusion, the discrete graphics card is enforced, which drains the battery too fast.

I have not found any solution online to fix this. But I managed (thanks to PePe) to discover one.

How to use Integrated Graphics Card with VMware Fusion on OS X 10.8:

  • Install gfxCardStatus
  • Before launching VMware Fusion, click on Integrated only (click it several times until it has the checkbox on the Integrated only):

Screen Shot 2013-02-15 at 2.05.32 PM

  • Then launch VMWare Fusion, start whatever virtual machine. And don't do anything inside. Leave it idle.
  • There's a BackTrack 5 R3 with the integrated graphics card:

Screen Shot 2013-02-15 at 2.08.15 PM

  • There's a BackTrack 5 R3 VM and a Windows XP (both idle) with the integrated graphics card:

Screen Shot 2013-02-15 at 2.12.34 PM

  • I'm using iStatMenus to check my power consumption. Here's my power consumption with the two VMs:

Screen Shot 2013-02-15 at 2.07.10 PM

  • Cody Krieger (the creator of gfxCardStatus) says that even if it says that the Integrated is being used, the Discrete (NVidia) is still being powered on, which invalidates the whole exercise.
  • How do I know that I'm saving power? Well, let's go to Discrete and check the power consumption:

Screen Shot 2013-02-15 at 2.16.56 PM -> discrete

  • Now, let's check what the consumption is (the same two idle VMs):

 Screen Shot 2013-02-15 at 2.20.26 PM

 

  • So instead of having 3:27 hours left, I now have 1:22 hours left. My consumption is 2.5 Amp, instead of 1.1 Amp.
  • I can't directly go back though:

Screen Shot 2013-02-15 at 2.27.07 PM

  • What I have to do is to stop VMware completely (Cmd + Q), go to Integrated only again and restart all the VMs
  • This is something that I discovered today. So it may not be working as expected, but for now it seems it is.
  • My setup:
    • OS X 10.8.2 on a Macbook Pro 8.2 (A1286, Quad Core i7 2.3 Ghz, 16gb RAM, 256gb OCZ Vertex 3, AMD Radeon HD 6750M 1GB)
    •  VMware Fusion 5.0.1 with 2 VMs - Windows XP Pro and Backtrack 5 R3 (both were idle during this setup).

 

Notes on keeping the SSD clean (more free disk space)

I have one of the fastest SSD drives, but unfortunately I didn't have the heart to buy the 240GB version and got the 120GB one. Now, 120GB is definitely enough, but this is my primary machine, and I'm doing several different kinds of things on it, so I need space for all the projects.

How do I keep it clean:

CleanMyMac

First I run automatic tools like CleanMyMac (free):

It definitely will find stuff that you missed.

Disk Inventory X

This is another type of program - it says how much disk is used by any folder, so it's easy to find the bigger users of space:

With it I found the /private/var/vm/sleepimage file (8gb) - keeps the data when the laptop goes to sleep. I can safely use the 8gb space until my laptop goes to sleep.

It is free.

OmniDiskSweeper

Same as the former, but all is textual.

Windows XP

I have a Windows XP vm. Keeping it clean is not easy. I use Free Disk Analyzer. It works similarly to OmniDiskSweeper and Disk Inventory X:

System Volume Information

Last time I saved 2.79 GB from this folder. My Computer -> Preferences -> System Restore (there's a slider in XP).

Compacting VirtualBox (.vdi) VMs

VirtualBox is great because it's free, but it has many quirks: not-so-good integration for copy/paste, files, shortcuts and so on. The biggest issue is that compacting the image is done in a weird way:

  • Defragment the VMs drive (this step is always important regardless of the virtualization software)
  • Zero out the free space. Now this is unnecessary with VMWare and Parallels. It is done with sdelete - a free windows software by SysInternals (you remember these guys? Mark Russinovich?).
    • command is "sdelete -c -z c:\"
  • Compacting the virtual disk (.vdi) is done with this command (the command comes with VirtualBox) (case-sensitive):
    • "VBoxManage modifyhd /fullpath/to/windowsdisk.vdi --compact"

Other concerns

  • I always delete the Windows update files - today I saved 500mb.
  • No swap file for windows - too slow. Few gigs.
  • Now I have no swap for OS X too (500mb).
  • 7GB from compacting the VM
  • Moved some stuff to the Time Machine (20GB)
  • Deleted a lot of temp files and swap files (20 GB)
So now I have a lot more free space. I have spent only an hour for it. Next time it will just take a few minutes.
Wow, the 240GB Vertex 3 now costs as much as I paid for the 120GB less than a year ago. Crap.

Johnny I Hardly Knew Ye

I first heard this tune in Die Hard 3. After all I like Bruce Willis since third grade. It got stuck in my head. After a few days of out loud humming it was time to find it. It's called

Waltz of the Banker

After some time searching I found out that the original tune is actually a popular traditional Irish anti-war and anti-recruiting song. It is generally dated to the early 19th century. The original refers to the soldiers from Athy, County Kildare that fought in "Sulloon" (Ceylon - present day Sri Lanka) for the East India Company (in what history knows as the Kandyan Wars though the term was not familiar to the Irish). It has become a definitive anti-war song. It's called

Johnny I Hardly Knew Ye


Check out the refrain:
Ye haven't an arm, ye haven't a leg, hurroo, hurroo
Ye haven't an arm, ye haven't a leg, hurroo, hurroo
Ye haven't an arm, ye haven't a leg
Ye're an armless, boneless, chickenless egg
Ye'll have to be put with a bowl out to beg
Oh Johnny I hardly knew ye.

There's one more version I found. It's a popular song of the American Civil War that expressed people's longing for the return of their friends and relatives who were fighting in the war. That's called

When Johnny Comes Marching Home

Review: TED

TED (Technology, Entertainment and Design) is

a global set of conferences curated by the American private non-profit Sapling Foundation, formed to disseminate "ideas worth spreading." (Wikipedia).

So actually TED are presentations in every field imaginable and most of them are really good. And some of them are inspiring. I use Miro player to download them and watch them when I have some free time.

Highly recommended.

Personal favourites:

 

Mac OS X finally with a real Java

A quote from a newsletter from Oracle.

Oracle and Apple Announce OpenJDK Project for OSX; Java SE 7 and 8 JSRs Approved

Good news all around! Oracle and Apple announced the OpenJDK project for Mac OS X. Apple will contribute most of the key components, tools and technology required for a Java SE 7 implementation on Mac OS X, including a 32-bit and 64-bit HotSpot-based Java virtual machine, class libraries, a networking stack and the foundation for a new graphical client. OpenJDK will make Apple's Java technology available to open source developers so you can access and contribute to the effort.

Furthermore, the JCP Executive Committee has approved the JSR "quartet" for Java SE 7 and Java SE 8. With this ratification, the Java standard will progress through the JCP while the open source reference implementation will be delivered through the OpenJDK project. See you on OpenJDK!

-The Oracle Technology Network Team (See Team Blog)

This means Java SE 7 would be available for Mac OS X too, and that Apple users will receive Java as soon as other platforms do. Also approved are the four JSRs: Java SE 7, Java SE 8, Project Coin and Lambda Expressions.

Apache redirect 301 with non-english characters

I have a lot of http redirects in my .htaccess file because I'd like to keep links from my old blog alive. Today I found that this redirect works:

redirect 301 /blog/2007/08/15/InMemoriamLorkis.aspx https://mihail.stoynov.com/2007/08/15/in-memoriam-lorkis/

And that this doesn't:

redirect 301 /blog/2007/08/17/%d0%9b%d0%be%d1%80%d0%b0.aspx https://mihail.stoynov.com/2007/08/17/%d0%bb%d0%be%d1%80%d0%b0/

It should look like this:

redirect 301 "/blog/2007/08/17/Лора.aspx" "https://mihail.stoynov.com/2007/08/17/лора/"

Microsoft Excel max number of columns

The last column in Excel 2007 is XFD:

What number is that?

XFD =
X*26^2 + F*26^1 + D*26^0 =
24*26*26 + 6*26 + 4 =
16 224 + 156 + 4 =
16 384 = 2^14

So Excel uses 14 bits for columns which is odd, but I guess they use the other 2 bits for something else.

Also the base-26 numerical system (26 letters in English language) is pretty odd too, but I guess this is a legacy issue.

Tip: how to make Outlook reconnect faster to an Exchange server

I have a problem.

In our company we use MS Exchange as a mail server, and when we’re away from the company network we can connect to Exchange via special VPN software. This software disconnects pretty often. When I reconnect, it takes quite a while for Outlook to figure out there is a working connection. It does eventually, but I have to wait for that to happen since I want to make sure a mail is being sent correctly.

I found out that setting “Work offline” on and off quickly makes Outlook connect a lot faster:

outlook work offline mode

There’s this problem though – it’s tedious to go click on the menu and then on the menu item so many times per day. So a solution:

  1. Right click somewhere on the toolbar –> Customize:
    outlook 2007 customize toolbar
  2. Make a new toolbar:
    outlook 2007 new toolbar
  3. Then the most unnatural step – drag the menu item from the File menu to the new toolbar:
    outlook 2007 add a button to a toolbar
  4. Press Ctrl while dragging, this way the button will be copied, not moved.
  5. That’s pretty much it. Now pressing the button quickly is very easy:
    outlook 2007 the new toolbar on place

The “Social Networks” course at the Faculty of Mathematics and Informatics of Sofia University

I'm taking part in an elective course at FMI, and my first lecture took place today.

The course is called “Social Networks” (officially “Network Theory”) and its main goal is to introduce students to Facebook, Twitter, LinkedIn and others from the point of view of software developers.

It will explain concepts such as social media, semantic networks and others, but its main goal is to show how applications are developed for the major social networks.

The most popular programming language in this area is PHP, and the most popular database is MySQL.

My task was to introduce the students to SQL as a language and MySQL as a server.

The course website is http://socialnetworks.dev.bg/

The lecture is here: Databases 101 with MySQL.

Few extra commands (openssl, certificates)

This is an addendum to https://mihail.stoynov.com/blog/2009/03/12/CertificatesKeystoresJavaKeytoolUtilityAndOpenssl.aspx 

A key file keeps the private key in unencrypted format. It does not keep the certificate.

Converting pem -> key

openssl rsa -in mycompany.pem -out mycompany.key

Check out a certificate (pem, key)

openssl x509 -in mycompany.pem -text -noout
openssl x509 -in mycompany.key -text -noout

Output the private key

openssl rsa -in mycompany.key
openssl rsa -in mycompany.pem

(if they’re the same certificate, they output the same thing).

Output the private key in readable format

openssl rsa -in mycompany.key -text
openssl rsa -in mycompany.key -text -noout    # omit the binary part
openssl rsa -in mycompany.pem -text
openssl rsa -in mycompany.pem -text -noout    # omit the binary part

Update:

Launch small https server to test a certificate

# on one host, set up the server (using default port 4433)
openssl s_server -cert mycert.pem -www

Check the speeds to that server

# on second host (or even the same one), run s_time
openssl s_time -connect myhost:4433 -www / -new -ssl3

How to have a Subversion Repository on a Windows Server (+ security), part 1

The article is written based on Windows Server, CollabNet Subversion 1.6.1, Apache 2.2. Windows XP or Vista would do as well.

Subversion comes with its own server – svnserve. By default there is no security. One can install svn+ssh, but on a windows server and windows client that is a bit stupid.

The other option is to setup an Apache server with mod_dav and mod_dav_svn. Fortunately the CollabNet Subversion binary comes with Apache pre-bundled with those modules. The binary even installs viewvc, which is rather nice.

Installation steps.

After installing the bundle, however, there are a lot of things to do. Most of them manually. I’ll try to describe most of them here.

Download Collabnet Subversion Server binary from CollabNet (no other place to download it from). Registration required.

So we decided to use Apache instead of svnserve, so while installing one doesn’t have to make it a service. Only Apache should be installed as a service. Another pro for Apache is that it can host multiple SVN repositories as opposed to only one by svnserve AFAIK.

Now is the time to suggest that one make the Apache server run with limited credentials. By default the service would be running with the Local System account, which has more privileges than the users in the Administrators group. The concrete steps would be to create one user with compmgmt.msc, remove it from the Users group (which removes all the default privileges) and give this user the Modify right for the httpd directory (one will most probably find it in C:\Program files\Subversion\httpd) and all the repositories.

The configuration. When installing, Apache asks where the repositories' basedir is. Using a basedir means that all the repositories are subdirectories of the basedir:

Subversion/httpd/conf/httpd.conf:

<Location /svn>
  DAV svn
  # put the quotes; the installer does not do it
  SVNParentPath "D:/SVN Repositories/"
</Location>

Note: by default the installer does not put quotes around the dir, so if there are space characters, the server will not start. One should put the quotes himself/herself.

Now is the time to say that the Apache server is very verbose. Every error shows up in the Event Viewer in the Applications tab. There are always pretty good descriptions of what is wrong. I definitely like this feature of Apache. Unfortunately one has to use Google to figure out how to fix it.

Another place to look for errors is httpd/logs/errors.log. Pretty readable. I’m positively surprised.

I don’t like the basedir approach – repositories with me are in different dirs. I do it like this

<Location /svn/mycompany>
   DAV svn
   # put the quotes
   SVNPath "D:/My Company/Repository"
</Location>

Authentication. Very shortly – http basic and http digest. Http basic is very insecure (only base64). Http basic looks like this:

<Location /svn/mycompany>
   DAV svn
   SVNPath "D:/My Company/Repository"
   AuthType Basic
   AuthName "MyCompany subversion repository"
   AuthUserFile "C:\Program Files\Subversion/httpd/conf/svn_auth_file"
   Require valid-user
</Location>

Now, how to make the user’s file (svn_auth_file). Use htpasswd (only for http basic):

C:\Program Files\Subversion\httpd\bin>htpasswd -cm ..\conf\svn_auth_file mihail
New password: ******
Re-type new password: ******
Adding password for user mihail

C:\Program Files\Subversion\httpd\bin>htpasswd -m ..\conf\svn_auth_file ivan
New password: *****
Re-type new password: *****
Updating password for user ivan

The first time -c is used to create the file. Any subsequent user is added with -m only (which stands for MD5 as far as I remember).

svn_auth_file:

mihail:$apr1$AzWq5tu5$k554PODb79n9TZwBxBDh..

ivan:$apr1$hlr9s6gK$oFLP1WtwvOLczyUSiP10v/

For http digest, the module first has to be uncommented in httpd.conf:

# uncomment this line
LoadModule auth_digest_module modules/mod_auth_digest.so

The configuration for the location is the following:

<Location /svn/mycompany>
   # DAV, SVNPath, AuthName, AuthUserFile and Require stay as in the http basic example
   AuthType Digest
</Location>

And users are made with htdigest:

C:\Program Files\Subversion\httpd\bin>htdigest.exe -c ../conf/svn_auth_file "MyCompany subversion repository" mihail
Adding user mihail in realm MyCompany subversion repository
New password: ******
Re-type new password: ******

C:\Program Files\Subversion\httpd\bin>htdigest.exe ../conf/svn_auth_file "MyCompany subversion repository" ivan
Adding user ivan in realm MyCompany subversion repository
New password: ******
Re-type new password: ******

The file svn_auth_file looks a bit different now:

mihail:MyCompany subversion repository:3d16aced3eac2fc74ce5663df86d145b

ivan:MyCompany subversion repository:3ff20546c01028d5008651445b62d2e0

Note: keep in mind that the realm in svn_auth_file and the AuthName in the <Location> block should match.

Note: do not confuse htpasswd and htdigest. They produce users for http basic and http digest respectively and are not interchangeable.

For now there is a pretty usable svn server that supports multiple repositories and digest auth. But the communication with the server is plain and unencrypted http.

The svnbook is available here (most up-to-date version 1.5): http://svnbook.red-bean.com/en/1.5/svn.serverconfig.httpd.html. The chapter for servers is Chapter 6.

The next part is how to setup a SSL on top of Apache.

Good Night, and Good Luck.

I just watched the 2005 movie Good Night, and Good Luck. It basically depicts the communist witch-hunt that happened in the US just after the WWII. It's very moving and a bit sad (especially at the end with the fate of the main character).

The movie made me spend some time on Wikipedia reading about McCarthy, Murrow and Hollenbeck. Very interesting. Makes one think whether we have the same media now.

Directed by George Clooney. 6 Academy awards nominations. Highly recommended.

How to consolidate (add, gather) multiple private keys in one JKS file with keytool

Do the following multiple times:

keytool
  -importkeystore
    -srckeystore mycompany1.root.ca.jks
    -srcalias mycompany1.ca
    -destalias mycompany1.ca
    -srcstorepass mycompany1.ca
    -destkeystore container.root.ca.jks
    -deststorepass container.root.ca

The first time you do it the container.root.ca.jks would be created. The subsequent times it will just be filled up with new and new keypairs (public and private keys).

How to set up networks and dhcp on vmware (on Mac and other OSs)

How to do networking with VMWare Workstation or VMWare Fusion?

For clarity, let's assume that the host (the machine running vmware fusion or vmware workstation) has the ip of 192.168.0.10.

On every virtual machine there are three options:
Bridged (VM becomes visible to other machines beside the host. It has an IP like 192.168.0.11).
Nat (VM is visible only to the host, there is internet).
Host only (VM is visible only to the host, but no internet).

Do ipconfig or ifconfig.
vmnet8 is for NAT.
vmnet1 is for host-only.
These are whole networks for virtual machines. If nat is chosen, then the VM would be supplied an IP from the vmnet8 pool.

DHCP.
If 'bridged' is chosen, then the administrator of 192.168.0.1 must assign an address to the VM.
if 'nat' or 'host-only' is chosen, then:
(I'll describe how to do this on a mac):

goto:

$ cd "/Library/Application Support/VMware Fusion"

stop vmware networking:

$sudo ./boot.sh --stop

Let's suppose vmnet8 is 172.16.57.1 and vmnet1 is 172.16.163.1.

I would like to change the network from 172.16.57.1 to 172.16.16.1 and I would like to specify a virtual machine with a specific IP.

We're still in /Library/Application Support/VMware Fusion

Then:

$ grep 172.16.57 *
locations:answer VNET_8_HOSTONLY_HOSTADDR 172.16.57.1

Then all files in the list must be changed.

Then we go into /Library/Application Support/VMware Fusion/vmnet8/

Then the same:

$ grep 172.16.57 *
dhcpd.conf:subnet 172.16.57.0 netmask 255.255.255.0 {
dhcpd.conf:    range 172.16.57.128 172.16.57.254;
dhcpd.conf:    option broadcast-address 172.16.57.255;
dhcpd.conf:    option domain-name-servers 172.16.57.2;
dhcpd.conf:    option netbios-name-servers 172.16.57.2;
dhcpd.conf:    option routers 172.16.57.2;
nat.conf:ip = 172.16.57.2
nat.conf:# or ip = 172.16.57.2/24

All of them must be changed.

If a specific VM must have a specific IP, we go to /Library/Application Support/VMware Fusion/vmnet8/dhcpd.conf and we add the following (get the MAC from the VM (ipconfig, ifconfig eth0)):

host myhost {
    hardware ethernet 00:0C:29:B2:C9:69;
    fixed-address 172.16.16.16;
}

Then to renew the ip (ipconfig /release, ipconfig /renew for windows):

sudo ifconfig vmnet down
sudo ifconfig vmnet up

The last thing is to start the vmware networking:

sudo ./boot.sh --start

Then to renew the ip inside the VM (ipconfig /release, ipconfig /renew for windows):

sudo ifconfig vmnet down
sudo ifconfig vmnet up

 

Certificates, keystores, java keytool utility and openssl

(Updated: four six typos fixed)

I)
From time to time I need a self-signed certificate. I use the java keytool utility to make one:

For a JKS (Java Key Store format):

keytool
-genkeypair
-keystore mihail.stoynov.jks
-storepass mihail.stoynov
-alias mihail.stoynov
-keypass mihail.stoynov
-keysize 2048
-keyalg RSA
-sigalg sha1withrsa
-dname "cn=Mihail Stoynov, ou=MyCompany Bulgaria, o=MyCompany, L=Sofia, S=Sofia, c=BG"
-validity 3650
-v

For a PKCS#12 keystore:

keytool
-genkeypair
-keystore mihail.stoynov.p12
-storetype pkcs12
-storepass mihail.stoynov
-alias mihail.stoynov
-keypass mihail.stoynov
-keysize 2048
-keyalg RSA
-sigalg sha1withrsa
-dname "cn=Mihail Stoynov, ou=MyCompany Bulgaria, o=MyCompany, L=Sofia, S=Sofia, c=BG"
-validity 3650
-v

When the public certificate is needed separately, one can be exported in a file (mihail.stoynov.cer) like this:
(from a JKS)

keytool
-exportcert
-keystore mihail.stoynov.jks
-storepass mihail.stoynov
-alias mihail.stoynov
-keypass mihail.stoynov
-file mihail.stoynov.cer
-v

 

(from a PKCS#12)

keytool
-exportcert
-keystore mihail.stoynov.p12
-storetype pkcs12
-storepass mihail.stoynov
-alias mihail.stoynov
-keypass mihail.stoynov
-file mihail.stoynov.cer
-v

 

NOTE: keep storepass and keypass the same for easy importing into browsers

II)
Sometimes self-signed certificates are not enough and a CA root certificate must be made in order to sign a group of certificates.

First a Certificate signing request (CSR) must be made:
(from a JKS)

keytool
-certreq
-keystore mihail.stoynov.jks
-storepass mihail.stoynov
-alias mihail.stoynov
-keypass mihail.stoynov
-v
>> mihail.stoynov.csr

(from a PKCS#12)

keytool
-certreq
-keystore mihail.stoynov.p12
-storetype pkcs12
-storepass mihail.stoynov
-alias mihail.stoynov
-keypass mihail.stoynov
-v
>> mihail.stoynov.csr

(the output is directed to a file: mihail.stoynov.csr)

The file looks something like that:

-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----

Did we forget something? Yes, there's no Root CA certificate. Let's make one:
(JKS)

keytool
-genkeypair
-keystore mycompany.root.ca.jks
-storepass "mycompany.root.ca"
-alias "mycompany.root.ca"
-keypass "mycompany.root.ca"
-keyalg RSA
-keysize 2048
-sigalg SHA1withRSA
-dname "cn=MyCompany Bulgaria, ou=Office No 5, o=MyCompany, L=Sofia, S=Sofia, c=BG"
-validity 3650
-v


(PKCS#12)

 

keytool
-genkeypair
-keystore mycompany.root.ca.p12
-storetype pkcs12
-storepass "mycompany.root.ca"
-alias "mycompany.root.ca"
-keypass "mycompany.root.ca"
-keyalg RSA
-keysize 2048
-sigalg SHA1withRSA
-dname "cn=MyCompany Bulgaria, ou=Office No 5, o=MyCompany, L=Sofia, S=Sofia, c=BG"
-validity 3650
-v

Problem No 1
Keytool cannot sign CSRs. Period.

Now what do we do?

I went to OpenSSL.

In order to sign with OpenSSL I needed the root certificate in the PEM format.
P12 (PKCS#12) -> PEM:

openssl
pkcs12
-in mycompany.root.ca.p12
-out mycompany.root.ca.pem

Sign the CSR with OpenSSL:

openssl
x509
-req
-in mihail.stoynov.csr
-CA mycompany.root.ca.pem
-out mihail.stoynov.signed.cer
-days 3650
-CAcreateserial

(I don't know what -CAcreateserial is but it works)

So now I have mihail.stoynov.signed.cer.
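The signing step above, run end to end with throwaway keys and then checked: the signed certificate verifies against the root, the leaf key matches the certificate, and -CAcreateserial has created the CA's serial-number file (named after the -CA file with a .srl extension) because it did not exist yet. This is an added example, not part of the original post; it uses OpenSSL only, and every file name and subject name in it is constructed.

```shell
#!/bin/sh
# Added example: the CA-signing step with throwaway keys, OpenSSL only.
# All file names and subject names are constructed for this demo.

# Runs in a subshell inside a temp dir and prints three result lines:
#   verify=OK|FAIL   keymatch=yes|no   serialfile=yes|no
ca_demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    trap 'rm -rf "$dir"' EXIT
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
    # Root CA: key plus self-signed certificate, then both in one PEM file,
    # like the file "openssl pkcs12 -in ... -out ..." writes.
    openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf \
        -keyout ca.key -out ca.crt -days 30 2>/dev/null || exit 1
    cat ca.crt ca.key > ca.pem

    # Leaf key and CSR (the role keytool -certreq plays for a keystore entry).
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
        -subj '/CN=demo leaf' -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1

    # Same signing command as in the post. With no -CAkey, the CA private
    # key is read from the -CA file. -CAcreateserial creates ca.srl.
    openssl x509 -req -in leaf.csr -CA ca.pem -CAcreateserial \
        -out leaf.crt -days 30 2>/dev/null || exit 1

    # 1. Does the signed certificate chain to the root?
    if openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1
    then echo verify=OK; else echo verify=FAIL; fi

    # 2. Does the certificate carry the public half of the leaf key?
    if [ "$(openssl x509 -in leaf.crt -noout -pubkey)" = \
         "$(openssl pkey -in leaf.key -pubout)" ]
    then echo keymatch=yes; else echo keymatch=no; fi

    # 3. Was the serial-number file created next to the CA file?
    if [ -s ca.srl ]; then echo serialfile=yes; else echo serialfile=no; fi
)

if command -v openssl >/dev/null 2>&1; then
    ca_demo
else
    echo 'openssl not found' >&2
fi
```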

The last step is to import it to mihail.stoynov.p12 (or .jks) in order to override the self-signed certificate with the one signed by the MyCompany Root CA.

A Prerequisite step to that is to import mycompany.root.ca.cer into mihail.stoynov.p12 (or .jks) because every certificate in the chain must be contained in the certificate chain of mihail.stoynov.

Problem No 2
Importing mycompany.root.ca.cer into mihail.stoynov.p12 fails but importing it into mihail.stoynov.jks works?!

JKS:

keytool
-importcert
-keystore mihail.stoynov.jks
-storepass mihail.stoynov
-alias mycompany.root.ca
-keypass mycompany.root.ca
-file mycompany.root.ca.cer
-v

(this one works)

PKCS#12

keytool
-importcert
-keystore mihail.stoynov.p12
-storetype pkcs12
-storepass mihail.stoynov
-alias mycompany.root.ca
-keypass mycompany.root.ca
-file mycompany.root.ca.cer
-v

this one fails with:

Owner: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Issuer: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Serial number: 49b8c365
Valid from: Thu Mar 12 08:12:13 GMT+00:02 2009 until: Sun Mar 10 08:12:13 GMT+00:02 2019
Certificate fingerprints:
MD5:  1C:0C:82:0D:35:C8:1E:48:74:9F:13:43:C9:AE:D0:F7
SHA1: DB:BB:D7:DB:8C:33:AA:06:6D:CF:D2:5C:EB:64:01:D5:AD:AB:94:38
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]:  y 

keytool error: java.security.KeyStoreException: TrustedCertEntry not supported
java.security.KeyStoreException: TrustedCertEntry not supported
at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineSetCertificateEntry(PKCS12KeyStore.java:620)
at java.security.KeyStore.setCertificateEntry(KeyStore.java:941)
at sun.security.tools.KeyTool.addTrustedCert(KeyTool.java:1958)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:818)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:166)

Actually the P12 format does not permit trusted certificates. It is intended to contain key pairs only. So importing mycompany.root.ca.cer into mihail.stoynov.p12 failed.

I tried several things:

1) Importing mihail.stoynov.signed.cer directly into mihail.stoynov.p12:

keytool
-importcert
-keystore mihail.stoynov.p12
-storetype pkcs12
-storepass mihail.stoynov
-alias mihail.stoynov
-keypass mihail.stoynov
-file mihail.stoynov.signed.cer
-v

and the response was:

keytool error: java.lang.Exception: Failed to establish chain from reply
java.lang.Exception: Failed to establish chain from reply
at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2662)
at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:166)

2) Importing mycompany.root.ca.cer into cacerts:

keytool -importcert -trustcacerts -file mycompany.root.ca.cer

This again didn't fix the problem.

Solution to Problem No 2:
Transform P12 to JKS, import the root certificate and the signed certificate into JKS keystore, transform the modified JKS back to P12.

1) Transform P12 to JKS

keytool
-importkeystore
-srckeystore mihail.stoynov.p12
-destkeystore mihail.stoynov.jks
-srcstoretype pkcs12
-srcstorepass mihail.stoynov
-deststorepass mihail.stoynov

2) import the root certificate into the JKS keystore

keytool
-importcert
-keystore mihail.stoynov.jks
-storepass mihail.stoynov
-alias mycompany.root.ca
-keypass mycompany.root.ca
-file mycompany.root.ca.cer
-v

3) import signed certificate into JKS keystore

keytool
-importcert
-keystore mihail.stoynov.jks
-storepass mihail.stoynov
-alias mihail.stoynov
-keypass mihail.stoynov
-file mihail.stoynov.signed.cer
-v

4) transform the modified JKS back to P12

keytool
-importkeystore
-srckeystore mihail.stoynov.jks
-destkeystore mihail.stoynov.p12
-deststoretype pkcs12
-srcstorepass mihail.stoynov
-deststorepass mihail.stoynov

it said something like:

Entry for alias mihail.stoynov successfully imported.
Problem importing entry for alias mycompany.root.ca: java.security.KeyStoreException: TrustedCertEntry not supported.
Entry for alias mycompany.root.ca not imported.
Do you want to quit the import process? [no]:  n
Import command completed:  1 entries successfully imported, 1 entries failed or cancelled

I clicked yes, and it worked.

Now let's see what's the difference between mihail.stoynov.jks and mihail.stoynov.p12:
JKS:

$ keytool -list -keystore mihail.stoynov.jks -storetype jks -storepass mihail.stoynov -v

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: mihail.stoynov
Creation date: Mar 12, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=Mihail Stoynov, OU=MyCompany Sofia, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Issuer: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Serial number: f0e465bb77420e30
Valid from: Thu Mar 12 09:29:19 GMT+00:02 2009 until: Sun Mar 10 09:29:19 GMT+00:02 2019
Certificate fingerprints:
MD5:  40:9D:C2:DE:AE:11:1E:01:92:F9:C8:01:C5:92:69:CB
SHA1: D2:D0:03:5C:50:BC:F8:6C:EB:C0:36:B6:B0:8D:A8:3B:9E:B6:7B:B4
Signature algorithm name: SHA1withRSA
Version: 1
Certificate[2]:
Owner: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Issuer: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Serial number: 49b8c365
Valid from: Thu Mar 12 08:12:13 GMT+00:02 2009 until: Sun Mar 10 08:12:13 GMT+00:02 2019
Certificate fingerprints:
MD5:  1C:0C:82:0D:35:C8:1E:48:74:9F:13:43:C9:AE:D0:F7
SHA1: DB:BB:D7:DB:8C:33:AA:06:6D:CF:D2:5C:EB:64:01:D5:AD:AB:94:38
Signature algorithm name: SHA1withRSA
Version: 3

*******************************************
*******************************************

Alias name: mycompany.root.ca
Creation date: Mar 12, 2009
Entry type: trustedCertEntry

Owner: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Issuer: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Serial number: 49b8c365
Valid from: Thu Mar 12 08:12:13 GMT+00:02 2009 until: Sun Mar 10 08:12:13 GMT+00:02 2019
Certificate fingerprints:
MD5:  1C:0C:82:0D:35:C8:1E:48:74:9F:13:43:C9:AE:D0:F7
SHA1: DB:BB:D7:DB:8C:33:AA:06:6D:CF:D2:5C:EB:64:01:D5:AD:AB:94:38
Signature algorithm name: SHA1withRSA
Version: 3

*******************************************
*******************************************

 

P12 (PKCS#12)

$ keytool -list -keystore mihail.stoynov.p12 -storetype pkcs12 -storepass mihail.stoynov -v

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: mihail.stoynov
Creation date: Mar 12, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=Mihail Stoynov, OU=MyCompany Sofia, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Issuer: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Serial number: f0e465bb77420e30
Valid from: Thu Mar 12 09:29:19 GMT+00:02 2009 until: Sun Mar 10 09:29:19 GMT+00:02 2019
Certificate fingerprints:
MD5:  40:9D:C2:DE:AE:11:1E:01:92:F9:C8:01:C5:92:69:CB
SHA1: D2:D0:03:5C:50:BC:F8:6C:EB:C0:36:B6:B0:8D:A8:3B:9E:B6:7B:B4
Signature algorithm name: SHA1withRSA
Version: 1
Certificate[2]:
Owner: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Issuer: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Serial number: 49b8c365
Valid from: Thu Mar 12 08:12:13 GMT+00:02 2009 until: Sun Mar 10 08:12:13 GMT+00:02 2019
Certificate fingerprints:
MD5:  1C:0C:82:0D:35:C8:1E:48:74:9F:13:43:C9:AE:D0:F7
SHA1: DB:BB:D7:DB:8C:33:AA:06:6D:CF:D2:5C:EB:64:01:D5:AD:AB:94:38
Signature algorithm name: SHA1withRSA
Version: 3

*******************************************
*******************************************

 

Do you see the difference?
It's in italic - JKS format keeps an extra trusted certificate of MyCompany Root CA.

Anyway both mihail.stoynov.jks and mihail.stoynov.p12 work perfectly.

P.S.
Does someone know better solutions to Problem No 1 and Problem No 2?
Does someone know how to sign certificates but without the cumbersome CSR step?

Sniff TCP connections

In the world of Windows there is no standard tool to see what's going on at the network level.

I have been working quite a while with web services and encryption and signing, so it's vital to me to see what's going on when a web service is being called.

TCP proxies
The way I was doing it until recently was to use TCP proxies. A TCP proxy opens a TCP port and forwards to some other host:port. In the process of doing so it dumps every connection to the screen or to a file.
For example, if I want to listen to what's going on at a local (for the machine I'm working on) port 8080, the following has to be done: the software working on 8080 (a web service) is moved, for example, to 18080, then the proxy is opened at 8080 and forwards everything to localhost:18080.

There is one minor drawback to the whole story - the clients have to be supplied with a port that is not the port where the service resides. So if the proxy is missing, the service is invisible.

I've used mostly tcpmon and wsmonitor. wsmonitor sucks a lot. tcpmon works, but cannot handle moderately heavy traffic and has a lot of quirks that are very annoying. Anyway until recently it was my primary way of doing things.
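
The 8080 -> 18080 arrangement described above, as a small logging proxy. This is an added example, not code from tcpmon or wsmonitor; the function names and the on_data callback are assumptions made for the illustration.

```python
import socket
import threading

def _pump(src, dst, tag, on_data):
    """Copy bytes src -> dst, reporting every chunk with a direction tag."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            on_data(tag, chunk)      # raw payload: may contain credentials
            dst.sendall(chunk)
    except OSError:
        pass                         # peer reset; fall through to the half-close
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # pass end-of-stream on to the other side
        except OSError:
            pass

def _handle(client, target, on_data):
    """Serve one client connection: open the upstream leg and pump both ways."""
    try:
        upstream = socket.create_connection(target)
    except OSError:
        client.close()               # service is down: the client just sees a close
        return
    back = threading.Thread(target=_pump, args=(upstream, client, "<<", on_data), daemon=True)
    back.start()
    _pump(client, upstream, ">>", on_data)
    back.join()
    client.close()
    upstream.close()

def start_proxy(listen_port, target, on_data, host="127.0.0.1"):
    """Listen on host:listen_port and forward every connection to target.

    Returns the listening socket; getsockname() gives the port actually bound.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, listen_port))
    srv.listen()

    def accept_loop():
        while True:
            try:
                client, _addr = srv.accept()
            except OSError:
                return               # listening socket was closed
            threading.Thread(target=_handle, args=(client, target, on_data), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv

if __name__ == "__main__":
    # The post's layout: the web service moved to 18080, the proxy takes 8080.
    start_proxy(8080, ("127.0.0.1", 18080),
                lambda tag, data: print(tag, data.decode("latin-1"), flush=True))
    threading.Event().wait()         # keep running until interrupted
```

The proxy binds to 127.0.0.1 by default, so the captured traffic and the forwarded port stay local to the machine being debugged.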

Reading directly from the TCP/IP stack
There has always been software that can plug something into the TCP/IP stack of the Windows machine and thus sniff the traffic. The bad side is that the machine has to be tampered with by some third-party software. And some machines cannot (should not) be tampered with like that.

A third way
There seems to be software that can sniff the traffic without plugging nasty stuff into the TCP/IP stack. One such example is SmartSniff. It has what they call a "Raw Sockets" way of sniffing and so far it's working great.

Tomcat under attack, manager password exploited, trojan deployed

There's an Apache Tomcat I'm managing that's in the wild (internet).

Saturday evening it was under attack.

I use Tomcat's manager console to drop applications from time to time and I had its password pretty simple. Within this console a new java web application may be installed.
What's even worse is that that Tomcat instance was running with pretty high privileges.

It was a test machine, only a few guys knew the address.

So using this console a trojan was inserted. The admin password was changed. This trojan might have succeeded if it weren't for the antivirus that got the trojan on time (yes, it was a windows machine).
The trojan is called TROJ_DELF.BDG and it was deployed in webapps/fexshell/init.exe

Now the tomcat is running with pretty low privileges, the port is not so obvious, and the manager password is changed.
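
A check for the kind of artifact this incident left behind (an unexpected application directory under webapps holding a Windows executable), as an added example that is not part of the original post. The expected application names, the function names and the sample tree are assumptions; the sample file is a constructed placeholder that only carries the two-byte "MZ" header.

```python
import os
import tempfile

PE_MAGIC = b"MZ"   # first two bytes of every Windows PE executable

def sweep_webapps(webapps_dir, expected_apps):
    """Return findings as (relative_path, reason) tuples, in directory order."""
    findings = []
    for entry in sorted(os.listdir(webapps_dir)):
        full = os.path.join(webapps_dir, entry)
        # A deployed WAR and its unpacked directory share one application name.
        app = entry[:-4] if entry.lower().endswith(".war") else entry
        if app not in expected_apps:
            findings.append((entry, "application not in the expected list"))
        if not os.path.isdir(full):
            continue
        for root, _dirs, files in os.walk(full):
            for name in sorted(files):
                path = os.path.join(root, name)
                try:
                    with open(path, "rb") as fh:
                        magic = fh.read(2)
                except OSError:
                    continue             # unreadable file: skip, do not abort the sweep
                if magic == PE_MAGIC:    # check content, not the file extension
                    rel = os.path.relpath(path, webapps_dir).replace(os.sep, "/")
                    findings.append((rel, "Windows executable inside a web application"))
    return findings

def make_constructed_tree(root):
    """Build a constructed sample layout mirroring the incident in the post."""
    samples = {
        "ROOT/index.jsp": b"<html></html>",
        "manager/WEB-INF/web.xml": b"<web-app/>",
        "fexshell/init.exe": b"MZ\x90\x00 constructed placeholder, not a real binary",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_tree(tmp)
        for path, reason in sweep_webapps(tmp, {"ROOT", "manager"}):
            print(path, "-", reason)
```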

Importing a class from the 'default package' (no package) - impossible

Did you know that classes in the 'default package' (classes that don't have a package) cannot be imported from classes that do have a package?

I did not know that.

Try it:

This is what javac says:

>javac Class1.java

>javac package2\Clazz2.java -cp .

package2\Clazz2.java:3: '.' expected
import Class1;
             ^
package2\Clazz2.java:3: ';' expected
import Class1;
              ^
2 errors

How stupid is this?
Is this why omitting package is deprecated?

Javac bug, Eclipse innocent, bug in static imports

I had an issue compiling some java classes. Javac failed, Eclipse's compiler worked. The issue is described here.
I was blaming Eclipse, I was blaming java6's endorsing. I was thinking it was due to JAXB.

It comes out they all were innocent.

Here's my code:

package f;

import static f.ProblematicClass.E1.E2.VALUE;

import javax.annotation.Resource;

public class ProblematicClass {

    @Resource
    public static enum E1 {
        F(VALUE);

        private E1( E2 requiredBankAccounts ) {
        }

        public static enum E2 {
            VALUE;
        }
    }
}

The result with javac is:

>javac f\ProblematicClass.java

f\ProblematicClass.java:9: cannot find symbol
symbol  : class Resource
location: class f.CorrectClass1
        @Resource
         ^
1 error

After some research I think I simplified the problem:
(If I continue to simplify it would still fail to compile but at some
point it would start to compile which yesterday drove me crazy.
This is the most simplistic case that consistently fails to compile)

package f;

import static f.ProblematicClass.E1.VALUE;
import javax.annotation.Resource;

public class ProblematicClass {

      @Resource
      public static enum E1 {
            VALUE;
      }
}

All of these changes fix the compilation error (from javac):

...
// Reverse the order of imports
import javax.annotation.Resource;
import static f.ProblematicClass.E1.VALUE;
...

or

...
      // Use the FQN of the annotation
      @javax.annotation.Resource
      public static enum E1 {
            VALUE;
      }
...

This all makes me think that the static import fails the next one only if the next one is an annotation (I've tried with a java.util.Collection - it compiled).
I have tried this with jdk6u3 and jdk6u10.
I don't have jdk 1.5. Can someone test it on jdk 1.5?

Update: GRRRRRRRRRRRRRR, Somebody found it before me:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6391197
It was reported on 27th of June, 2006 :'(

Here's what they say:

Workarounds:
1) switching the order of the import statements works (although they often get changed back by our development tools).
2) Commenting out the static import statements, then compiling, then putting the import statements back and compiling again with the old classes still there also works. This means that the compiler errors happen at the strangest of times, and in large programs it can be very difficult to work out how to workaround the problems.

Weird javac case - Eclipse's compiler is wrong again.

I have some code.
I have two classes. They both have inner enums.
The two inner enums have an annotation.

But one of them does not compile. The other one compiles just fine.

In eclipse there's no error, but when I build the code from ant I get a compilation error - the annotation class is not found:

[javac] ProblematicClass.java:147: cannot find symbol
[javac] symbol  : class XmlType
[javac] location: class package.ProblematicClass
[javac]     @XmlType(name="fff")
[javac]      ^
[javac] 1 error

I spent some time looking for it - I thought that the classpath is wrong, I endorsed an updated version of the API (java 6). The issue persisted.

Then I decided to use javac directly:

javac -verbose -classpath lib\X.jar;lib\X2.jar -d bin -sourcepath src -encoding UTF-8 src\package\ProblematicClass.java

Strangely enough I got the same error?! Then I did the same for the class that did compile successfully using ant - it worked.
So there was a difference between the two classes and I had to find it.

And I found it, can you find it?

// Does not compile
public class ProblematicClass
{
    @XmlType( name = "fff1" )
    public static enum InnerType {}
}

// Compiles
public class CompilableClass
{
    @XmlType( name = "fff2" )
    public enum InnerType {}
}

Yes, you're correct. The second enum is not static.
This only happens with inner static enums. The anomaly does not occur if it's an inner static class. I don't know why.

So I'm thinking that in the ProblematicClass the annotation is not visible because the import of XmlType is not visible.
I was correct - this one works:

// Compiles once the annotation is written with its FQN
public class ProblematicClass
{
    @javax.xml.bind.annotation.XmlType( name = "fff1" )
    public static enum InnerType {}
}

I just supplied the FQN of @XmlType.

So eclipse is working, javac is not. Now is the time to say that Eclipse is not using javac. I thought it was using jikes (made by IBM), but that's not correct. Eclipse is using its own incremental compiler part of JDT Core. JDT stands for Eclipse Java Development Tools.

http://www.eclipse.org/jdt/core/:

JDT Core is the Java infrastructure of the Java IDE. It includes:

  • An incremental Java compiler. Implemented as an Eclipse builder, it is based on technology evolved from VisualAge for Java compiler. In particular, it allows to run and debug code which still contains unresolved errors.
  • ...

So either javac or Eclipse's compiler is wrong. I would bet that javac is following the spec more strictly.

This is the second time I'm catching Eclipse's compiler of misconduct. The first time was something related to a very complex case with generics - one of the compilers said it was a warning, the other - error.

Update: I was wrong. I was trying to report the problem. I was making a pretty simple case. I used a different annotation: @javax.annotation.Resource. It worked both on Eclipse and on javac.
So the problem is somehow linked with JAXB.

JAXB is an API bundled with Java 6 (an 'endorsed standard' a 'standalone technology'). The version bundled was JAXB 2.0. If one wants to use a newer version, say JAXB 2.1, an 'Endorsed Standards Override Mechanism' had to be used.

Info on JAXB here.
Info on endorsed mechanism here.

I'm currently with JDK 6 update 10. Somewhere I saw that 'endorsed standard override mechanism' was no longer necessary.

It looks like the problem is more on javac side than on Eclipse's compiler.

I will investigate further.

Update2: It comes out that 'Endorsed Standards Override Mechanism' was existing prior to java 6. Only the standalone technologies were added in Java 6.

Update3: It comes out that 'Endorsed Standards Override Mechanism' is still used.

Update4: It comes out that this bug is very hard to reproduce. My simple examples at some point just started compiling 🙁

Update5: I just created some code that consistently reproduces the bug. I'll write it in a new entry to be cleaner.

Update6: I fixed coloring and finished the new article on the bug.

Thumbs.db

Recently I had to move 200GB from one hard-drive to another.
It was imperative to make sure everything was copied successfully.

Using a binary comparison tool would take a really long time. So I only check the total file size of all files copied and the number of files.
I tried copying these 200GB files several times and never succeeded. I was too lazy or busy to investigate until today when I got really pissed off.

It comes out that the difference comes from thumbs.db files.

Thumbs.db is a thumbnail cache used by Windows XP and Windows 2k3 Server.

How to stop the creation of these files:

  1. Click Start
  2. Double-click Control Panel
  3. Double-click Folder Options
  4. Click on the View tab
  5. Check off the circle next to Do not cache thumbnails
  6. Click the Ok button

Google translating whole sites

I accidentally went to http://www.gaijin.at/.
The weird part is that when one presses "English" (since it's in German) it goes to:
http://translate.google.com/translate?hl=de&langpair=de|en&u=http://www.gaijin.at/index.php
I didn't know that Google can translate whole web sites.

The translation seems to be pretty good.
The site look&feel is exactly the same.

Very good thing.

My eclipse shortcuts and tweaks

In a project where requirements change on a daily basis, refactoring is one's biggest friend.
I'm currently in such a project - not my kind of thing but reality sometimes sucks.
Anyhow, I've tried to look at it from the bright side.

I'm currently perfecting my refactoring skills in eclipse.

Here's what I can share.

Everybody knows about

Ctrl + Shift + R - find resource (file )
Ctrl + Shift + T - find type (class)

Alt+Shift+C - Change method signature

Alt+Shift+S - Context menu for source generation.


Alt+Shift+X, J - Launch current focused code as Java Console App
Alt+Shift+D, J - Debug current focused code as Java Console App
Ctrl + L - go to line - when watching stack traces. NEW
Ctrl + O - find method in class.   NEW
Ctrl + T - Hierarchy of a class (subclasses + base classes).   NEW

But do you know these:
Alt+Shift+X, Q - Launch current focused script as an Ant Build Script (focused on a target in the 'Outline' window launches only that target, very handy)
Ctrl + >, Ctrl + < - Navigates through warnings and errors in a source file. Extremely handy.

Ctrl + 1 - launches the solution box or whatever that's called.
Ctrl + 3 - finds any window.
Middle button closes tabs as in browsers (only IE does not do that) - VERY, VERY COOL. Ganymede (Eclipse 3.4) only.
Ctrl + E - list of all the open windows (by Joke). NEW
Ctrl + J - incremental search (like Ctrl + F, F3 in browsers (real browsers, IE can't do that)), then arrow up/down to go to next previous, Enter to stop (by rado). NEW

Ctrl + Shift + / - collapse all. NEW2
Ctrl + Shift + * - expand all. These are very nice in long classes. NEW2

Debugging
Ctrl + Shift + I - inspect selected source code while debugging.
The 'Display' window is my biggest friend - inside it you can write code and evaluate it with Ctrl + Shift + D (print result in the box) and Ctrl + Shift + I (inspect the code in a context window).

That's for now, I'll update this regularly. If someone uses something regularly that is not here, please tell.

My new favourite rapper.

He's like a parody version of Eminem.
The chosen topics.
The lack of delicacy discussing the topics.
The topics nobody wants to speak about.

I very well understand that this is a parody but it's an Eminem-styled parody. I connect because I recognize myself as the loser character in his Everyday Normal Guy 2.
Please, my one good reader, don't write nasty comments, please.

Some info on the guy:
http://en.wikipedia.org/wiki/Jon_Lajoie

Some songs:
Everyday normal guy (favourite)
Everyday normal guy 2 (favourite, part 2)

Stay At Home Dad

java.lang.Throwable, the "... 3 more" case, how to read it

We have the following:
(The code is taken from here http://java.sun.com/j2se/1.5.0/docs/api/java/lang/Throwable.html#printStackTrace())

HighLevelException: MidLevelException: LowLevelException
    at Junk.a(Junk.java:14)
    at Junk.main(Junk.java:4)
Caused by: MidLevelException: LowLevelException
    at Junk.c(Junk.java:24)
    at Junk.b(Junk.java:18)
    at Junk.a(Junk.java:12)
    ... 1 more
Caused by: LowLevelException
    at Junk.e(Junk.java:31)
    at Junk.d(Junk.java:28)
    at Junk.c(Junk.java:22)
    ... 3 more

What does ... 1 more or ... 3 more mean?

This is what it means:

HighLevelException: MidLevelException: LowLevelException
    at Junk.a(Junk.java:14)
    at Junk.main(Junk.java:4)

Caused by: MidLevelException: LowLevelException
    at Junk.c(Junk.java:24)
    at Junk.b(Junk.java:18)
    at Junk.a(Junk.java:12)
    ... 1 more =
(take the last line from the upper stack)
=> at Junk.main(Junk.java:4)

Caused by: LowLevelException
    at Junk.e(Junk.java:31)
    at Junk.d(Junk.java:28)
    at Junk.c(Junk.java:22)
    ... 3 more
= (take the last 3 lines from the upper stack)
=>  at Junk.b(Junk.java:18)
    at Junk.a(Junk.java:12)
    at Junk.main(Junk.java:4) (taken from the upper upper stack)
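
The same rule applied mechanically: each "... n more" line stands for the last n frames of the trace printed just above it, after that trace has itself been expanded. This is an added example, not code from the JDK or the original post; it handles only "Caused by:" chains like the one shown here, and the function names are assumptions.

```python
import re

_MORE = re.compile(r"^\s*\.\.\. (\d+) more\s*$")
_FRAME = re.compile(r"^\s*at\s+\S")

# The trace quoted in the post (from the Throwable.printStackTrace() documentation).
TRACE = """\
HighLevelException: MidLevelException: LowLevelException
    at Junk.a(Junk.java:14)
    at Junk.main(Junk.java:4)
Caused by: MidLevelException: LowLevelException
    at Junk.c(Junk.java:24)
    at Junk.b(Junk.java:18)
    at Junk.a(Junk.java:12)
    ... 1 more
Caused by: LowLevelException
    at Junk.e(Junk.java:31)
    at Junk.d(Junk.java:28)
    at Junk.c(Junk.java:22)
    ... 3 more
"""

def expand_trace(text):
    """Return [(header, frames)] with every '... n more' replaced by real frames."""
    sections = []                 # finished (header, frames) pairs, in printed order
    header, frames = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        more = _MORE.match(line)
        if more:
            n = int(more.group(1))
            # The enclosing trace is the previous section, already expanded.
            enclosing = sections[-1][1] if sections else []
            if n > len(enclosing):
                raise ValueError("'... %d more' exceeds the enclosing trace" % n)
            frames.extend(enclosing[len(enclosing) - n:])
        elif _FRAME.match(line):
            frames.append(line.strip())
        elif header is None or line.lstrip().startswith("Caused by:"):
            if header is not None:
                sections.append((header, frames))
            header, frames = line.strip(), []
        else:
            header += "\n" + line.strip()     # continuation of a multi-line message
    if header is not None:
        sections.append((header, frames))
    return sections

def render(sections):
    """Format expanded sections back into printStackTrace-style text."""
    out = []
    for header, frames in sections:
        out.append(header)
        out.extend("    " + frame for frame in frames)
    return "\n".join(out)

if __name__ == "__main__":
    print(render(expand_trace(TRACE)))
```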

Michael Moore

Michael Moore is a kind-of-a journalist, a filmmaker and a writer in the US. I have read and watched almost anything he did, going back even to "Roger and Me" (please search them up, I can't constantly write target="_blank"). He caught my attention with "Bowling for Columbine", a movie about some kids that armed themselves and killed some co-students and teachers in school. Especially the interview with Marilyn Manson and the part where he mocks the locals' claims that it was the bowling that put these kids to the idea.

Since then he got an Oscar and has written a lot of stuff. He is not always absolutely objective and lets himself get carried away sometimes, but the personal touch makes him so likable.

He's in my blogroll now.

Did you know what 'Klaatu barada nikto' is?

I'm starting a new section "Did you know" where I'd share stuff I find interesting.

So, do you know what "Gort, Klaatu barada nikto" is?

It is considered the most famous science-fiction phrase ever. It has been quoted in almost all important science-fiction movies and not only.

It's from the 1951 movie called The Day the Earth Stood Still. It was said as a safe word to stop a robot from destroying the earth.
Gort was the name of the robot.

More on the subject: http://en.wikipedia.org/wiki/Klaatu_barada_nikto