Silviu-Marius Ardelean's blog

a software engineer's web log

openSSL vs. vcpkg – some strange experiences

One of the projects I was working in the last period uses CURL that uses OpenSSL version 1.1.1.1 in foreground. At some moment in time, for some technical reasons I was tempted to try using the CPPRESTSDK library. But because I had some local NuGet miss-configuration issues in order to have the CPPRESTSDK library build I realized I need to build it myself. But in order to achieve this, I needed the vcpkg tool.

And, because with a quick search I haven’t found the download and the Azure DevOps of this tool for built was down and no Artifacts available I said: what if I build it myself?

So, I did it… It lasted some time on my laptop but at the end was fine. I had a brand new vcpkg package and I built the cpprestsdk.

Later, returning to my project and integrating the new cpprestsdk library I realized I was started getting new linking errors.

Within the sample solution, the situation is even worth. I was able to find out even more compile errors while the vcpkg is installed.

Vcpkg uses OpenSSL to insure secure connection and googling I found out that starting with the OpenSSL 1.1.x Windows version the static LIB and DLL filenames have changed, so depending on local files, it may affect, the former DLL’s libeay32.dll and ssleay32.dll are no longer available.

I double-checked the environment variables, trying to identify paths containing the old libeay32.dll (that was renamed to openssl.dll) and to remove it. I did such investigation, but I found nothing “suspicions”.
The goal was to avoid the names collision in case the linker was looking to link “our” openSSL together with LIBEAY32.dll.

The salvation came from GauthamBanasandra’s suggestion. I just ran the next command within the vcpkg repository local folder.

After the execution of this command I was able to build back the project as before. And it was fine for me… I don’t need the vcpkg for other proposes right now.
By the way, this command has to be executed within the vcpkg cloning repository folder. Otherwise you’ll get an error Error: Could not detect vcpkg-root in case you don’t have an environment variable VCPKG_ROOT pointing to your vcpkg binary repository.

Off-course, in case you still need vcpkg.exe you can reinstall it temporary with vcpkg.exe integrate install. But then, until there is a fix for this situation or a better workaround you might face the initial problem I had within OpenSSL based projects. So, most probably you will have to call again vcpkg.exe integrate remove.

The issues are created by the fact the actual vcpkg.exe manager is still useing the old openSSL library, libeay32.dll.

Until the Vcpkg team didn’t upgrade to a newer OpenSSL library (1.1.x+), we will have to find such workarounds in order to compile different projects. If someone knows other workaround and is open to share I would not mind mentioning here her/his idea.

The good news is that an upgrade the OpenSSL 1.1.x is ongoing. The upgrade issue is already open and the pull request #8566 seems advanced in progress. Let’s stay tuned!

The First Hackathon Experience #HackTM2016

It has passed approximately two months from my first hackathon experience, the #HackTM2016 from Timisoara. This delay I’m publishing this article is mostly because of the release period to the job and other personal stuff I had to do.

This experience was a reminder of my high school programming competitions where I have attended with different applications written in the already ancient Turbo Pascal 7.0 or Borland C++ 3.1. At that moment, probably because of my high school informatics great teachers, the competitive spirit between colleagues was so intense and we have competed for each other in creating applications within the local competitions and in other cities from the country.

This year, the hackathon competition from Timisoara was between 20 – 22 May 2016 to the UPT Restaurant, Timisoara and from my point of view it was a great event. The event had categories such eHEALTH, Robots, Smart City, GameDev, IoT, Education, Fintech and Open but no Automotive category as I expected according to previous pitching sessions.

Before the effective event, I have attended in two pitching sessions seeing different challenging proposals in few domains. The most appealing were some ideas of the ADAS team from Continental, a team I was apart between 2006-2008 (Siemens VDO department, video camera projects at that time).

Even if I had no team, because of curiosity, I bought the ticket and I went to the hackathon pitching session, trying to figure a team and to decide a project to deal with.

The Continental ADAS team came with hardware and software support how to hack their platform.

We were able to find a small team, first by two persons and later for a period five persons. Unfortunately, those last three persons left us while realizing that the project is not what they have imagined initially, that other projects look more challenging or that their knowledge was not matching with what it was required for our project.
So, I installed on my laptop some software used internally by the ADAS team and we took a ride to record real traffic data. Once we had this data, the effective programming for grabbing it can be done in office conditions.

Driving to grab ADAS data

The idea

Having the radar and camera information, GPS data and vehicle dynamics, we were thinking is that in the near future, even before self-driving cars on the common roads, this information might be sent in the cloud to be used by the traffic management solutions in order to be optimized the traffic. Even these days, in my city, Timisoara, such traffic management solution is implemented but is not based on cars internal information. Maybe, this idea will not be applied.

What we have done – the effective experience

So, faced with this challenge, me and my teammate Nikola Kolevski, a Serbian nice guy, have started the work on Friday evening. We have met on that pitching meeting and we had a great cooperation. I was the back-end guy and he the man from the cloud. Because we “spoke” different languages, me C++ and he Python, we have decided to speak the REST way.

During our job, we have improvised the “project management” with a Trello board. Of course, we used GitHub for source control.

What I effectively had to do it was to inject some code within a .DLL that was loaded into a Continental application and sent the ADAS information in the cloud. Nicola was the guy that received and collected the data. Unfortunately, even if we tried few times, we found no front-end available teammate, just some with slices of time in terms of availability.

ADAS AE-RO HackTM concept

I decided to use the benefits of asynchronous programming and I used the Casablanca REST API. But because of the Continental’s Visual Studio 2012 project constraints (!!!), during the Friday evening, I faced up with the challenge to find and adapt a Casablanca library older version to the project. The latest Casablanca’s versions are available for VS 2013 and VS 2015 only. Thanks to NuGet tool, I finally managed to get and use the 1.10 version.

On Saturday we managed the effective work, faced with some challenges related to the TCP/IP communication between our applications because of some Python server configuration, but finally, our applications were able to talk each other via REST services, in the night and I have tweeted.

After a sleep break, next morning we did some last code adjustments and being time constrained we tried to improvise a frontend. Also, we had a second trip with the Continental’s Mercedes car to test what we did, using a 4G network.

As usual for a hackathon, everything was on the run with adrenaline, so quite nice! At the end of the hackathon, we had to prepare for the hackathon jury’s visit and later for presentation because we have qualified in the first three teams in the Robots section. Yeah, we were included there because the Automotive category did not exist, but it was fine. 🙂

The truth is that the Continental was the only automotive represented company even if there are many such companies in Timisoara, but it seems they are not interested in such events.

Other interesting things from #HackTM2016

Attending to #HackTM2016 was a great experience, I have seen many interesting projects but from far the most exciting one was the Symme 3D Printer, a local start-up.

Conclusions

In an internet of things world, our based idea might connect the cars ADAS information with intelligent management future systems to improve the traffic flow in big cities.

It is obvious but I want to underline: if you want to have success in a hackathon, try having a core team before the event. Otherwise, you might just have fun coding but not ending the prototype.  Strategies of being efficient would be a great asset.

Meeting new people and trying to do something from the scratch in a limited time is a very cool thing even if you don’t have time to write optimized and tested code. Also, you might learn a lot of new things.

Definitely, I will repeat this experience in the future!

Some experiences with the last world-wide WordPress brute force attack

As you most probably know, this website uses WordPress. Last Saturday, trying to access the site admin area I was faced with an error generated by too many redirects.
error_redirects
Having other things to do, I ignored it for that moment. Later a friend of mine published on his website some information about an existing world-wide brute force attack over WordPress websites and then I started reading more information about this issue.

My Firefox’s Web Console has thrown such messages:

[13:38:30.162] GET http://my_site.ro/wp-admin/ [HTTP/1.1 302 Moved Temporarily 834ms]
[13:38:30.998] GET http://my_site.ro/wp-admin/ [HTTP/1.1 302 Moved Temporarily 403ms]
[13:38:31.405] GET http://my_site.ro/wp-admin/ [HTTP/1.1 302 Moved Temporarily 580ms]
[13:38:31.990] GET http://my_site.ro/wp-admin/ [HTTP/1.1 302 Moved Temporarily 558ms]
[13:38:32.558] GET http://my_site.ro/wp-admin/ [HTTP/1.1 302 Moved Temporarily 553ms]

Most probably I was also one target for that attack.

Having a strong password and not using admin user the effective website was not affected otherwise than in wp-admin area. I contacted my website hosting provider and after some emails exchange, I was able to login into wp-admin area. First thing I did was to install and activate Limit Login Attempts plugin and the results didn’t expect too much to appear.
Today morning, this plugin sent me an interesting email.
results_of_limiting_login_attempts

So an attempt of brute force attack is cut.

In order to avoid any such unpleased issues it is strongly recommended following few basic steps:

  • Avoid using default users (ex. admin) having high privileges.
  • Use strong passwords that contain special characters also in order avoid dictionary attacks used by brute force methods. You can check if the password it’s strong enough using online free tools such passwordmeter.com or Password Checker.
  • Install and activate a tool such Limit Login Attempts.
  • Enjoy your life. 🙂