What?!? Too many certificates?

Update: There’s a Microsoft KB Article on this subject: TLS client authentication fails between Unified Communications peers with a logged Schannel warning

So when running an SSL WCF (Windows Communication Foundation) web service you may run into this error when connecting from your client:

The HTTP request was forbidden with client authentication scheme 'Anonymous'.

But you’ve checked everything and the certificates are correct; everything looks good, and it even works when you publish the code on other machines. So what’s wrong? Well, have you checked your event log? You might have too many trusted root certificates!

So filter your System event log to show only Schannel entries:

[Screenshot: System event log filtered to Schannel entries]

And look for entries that mention this:

When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

[Screenshot: the Schannel warning event]

Notice this part:

This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

That means you have too many certificates in your “Trusted Root Certification Authorities” store, and the one you are using chains to a root certificate that falls in the truncated portion of the list, so the client never sees it as an acceptable issuer. Delete the root certificates you don’t need and your client should work again!

Asterisk on Azure IaaS with Google Voice!

Google Voice Loves Azure and Asterisk!

Asterisk can work pretty well on Microsoft Windows Azure, even with Google Voice, and you don’t even need to be a Linux genius; so here are the simple steps to get it working!

Create the virtual machine

Create an Azure Virtual Machine

If you don’t have Virtual Machines (IaaS) yet you will need to sign up for the preview. It’s pretty quick, so go do it already. For just connecting one SIP phone to one Google Voice account an Extra Small instance ($10/month or free with an MSDN subscription) will be plenty big enough, so choose Ubuntu Server 12 as the image and Extra Small as the size. Key in your password and pick a location close to you. The DNS name is important, because you will use it to connect via SSH and from your SIP device.

Now Azure will build a virtual machine for you, so let’s learn how to connect to it. I assume you are awesome, and hence are using Google Chrome, so we can jump straight to the Chrome Web Store and pick up a free copy of Secure Shell, which will let you access the command line of your virtual machine from any operating system that supports Chrome. Got it? Good. Click it.

[Image: Secure Shell app icon]

Set up a new connection with the user name azureuser@<your DNS here>.cloudapp.net, similar to this:

[Screenshot: Secure Shell connection settings]

If you can’t connect, it’s likely because you haven’t started your virtual machine (I’m not sure why Microsoft doesn’t do this for you, but whatever); just click into your virtual machine on Azure and click the start button.

Upon successful connection you will be prompted for your password, which is the same password you entered when creating the virtual machine. Simple!

Now let’s check for updates by entering the following command line:

sudo apt-get update

What does this do? Sudo is a command that temporarily gives super user permissions to the current user. The best way to understand it is with the xkcd comic:

Sudo gives you super-powers! But use it responsibly. Think of apt-get as a way of getting things your computer doesn’t have. Linux distributions are famous for coming with not enough stuff or, conversely, too much stuff; since this is a server we start with not enough stuff and just add what we need. As for update, well, I’d let you use your imagination, but it just refreshes the list of available packages from the internet so we always get the latest and greatest stuff.

Okay, so let’s install Asterisk 11, which, if you build it correctly, has built-in support for Google Voice! Huzzah! Unfortunately we will need to build from source, since Ubuntu hasn’t seen fit to put prebuilt Asterisk 11 binaries into the apt repository for easy getting. No problem! “Building from sources” sounds scary but is downright brain-dead easy; I mean, a monkey could get this right, and you are way smarter than a monkey, right? Right?!? Okay, let’s do it. First we need a “build environment,” which is fancy-talk for the programs we need to build Asterisk from its sources. It’s easy to get, so copy the line below (Windows: Ctrl + C // Mac: Command + C) and paste it into your Secure Shell window (Windows: Shift + Ctrl + V // Mac: Command + Shift + V).

sudo apt-get install build-essential wget curl libssl-dev libncurses5-dev libnewt-dev libxml2-dev linux-headers-$(uname -r) libsqlite3-dev libiksemel-dev

This part will take a little time as Ubuntu goes out and gets all the software it needs to build Asterisk. So get yourself a lovely beverage or something. When it’s done we are going to need super-powers for real, so we will switch to the root user (superuser mode) by running this command:

sudo su -

Next we will need to download the Asterisk source code:

cd /usr/src/
wget http://downloads.asterisk.org/pub/telephony/dahdi-linux-complete/dahdi-linux-complete-current.tar.gz
wget http://downloads.asterisk.org/pub/telephony/libpri/libpri-1.4-current.tar.gz
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11-current.tar.gz

And extract it:

tar zxf dahdi-linux-complete*
tar zxf libpri*
tar zxf asterisk*

Now we will build and install the DAHDI module (which is required by Asterisk):

cd /usr/src/dahdi-linux-complete*
make && make install && make config

As for PRI, we need to do a little extra work, but it too will build just fine:

cd ../libpri*
curl https://issues.asterisk.org/jira/secure/attachment/44869/fix_unused_write.patch > fix.patch
patch -i fix.patch
make && make install

Now we can finally build Asterisk!

cd /usr/src/asterisk*
./configure && make menuselect && make && make install && make config && make samples

This will flash some scrolling text and then display a menu, where you can just press F12, or press TAB until you get to Save and Exit. Asterisk will continue building and installing and whatnot, and you should get a prompt at the end of it all. Congratulations, you are almost done! There are just a couple of configuration files and settings we need to make before the whole thing is working.

Note: You will need to edit some of these files I’m giving you to fill in your real Google Voice credentials, and then paste them into the console.

First we will create the sip.conf file:

cat > /etc/asterisk/sip.conf

Now you will see a new blank line and a blinking cursor; paste the following text there:

[general]
allowguest=no
allowoverlap=no
udpbindaddr=0.0.0.0
srvlookup=yes
nat=yes
externip=[Get this from your Azure dashboard "PUBLIC VIRTUAL IP ADDRESS (VIP)"]
localnet=[Get this from your Azure dashboard "INTERNAL IP ADDRESS"]/255.255.254.0
bindaddr=0.0.0.0
qualify=yes

[gvgw](!)
type=peer
host=dynamic
context=local
disallow=all
allow=ulaw

[sipphone](gvgw)
secret=[Put in the password you want here]

And press Control + c to exit and save the file.

Press Control + c again, then do the same for xmpp.conf (this is where your Google credentials go):

cat > /etc/asterisk/xmpp.conf

[general]
[google]
type=client
serverhost=talk.google.com
username=[Your gmail address]
secret=[Your gmail password]
priority=1
port=5222
usetls=yes
usesasl=yes
status=dnd
statusmessage="Phone Gateway!"
timeout=5

Control + c, then motif.conf:

cat > /etc/asterisk/motif.conf

[default](!)
disallow=all
allow=ulaw
allow=h264
transport=google-v1

[google](default)
transport=google
connection=google
context=incoming-google

Control + c, then extensions.conf, which is the dial plan:

cat > /etc/asterisk/extensions.conf

[default]
exten => 411,1,Answer()
same => n,Dial(Motif/google/${EXTEN}@voice.google.com)

[incoming-google]
exten => s,1,Set(CALLERID(name)=${CALLERID(num)})
same => n,Dial(SIP/sipphone,20,D(:1))

[local]
include => default
exten => _NXXNXXXXXX,1,Dial(Motif/google/${EXTEN}@voice.google.com,,r)
exten => _NXXXXXX,1,Dial(Motif/google/[Your 3 digit area code here]${EXTEN}@voice.google.com,,r)

Press Control + c one last time to save it.
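As an added example (not part of the original post), here is a Python script that renders those four files from a few values and refuses bad ones, so you are not hand-editing placeholders inside the console. It reproduces the post’s own sections and settings; config_problems and render_configs are invented names, and the 12-character minimum for the SIP secret is this example’s own policy, not an Asterisk requirement.

```python
# Added example, not part of the original post: render the four Asterisk config files from
# a few parameters instead of pasting them by hand, checking the values first. Same file
# names, sections and settings as the post; the function names are invented.
import ipaddress
import re

SIP_CONF = """[general]
allowguest=no
allowoverlap=no
udpbindaddr=0.0.0.0
srvlookup=yes
nat=yes
externip={externip}
localnet={internalip}/255.255.254.0
bindaddr=0.0.0.0
qualify=yes

[gvgw](!)
type=peer
host=dynamic
context=local
disallow=all
allow=ulaw

[sipphone](gvgw)
secret={sip_secret}
"""

XMPP_CONF = """[general]
[google]
type=client
serverhost=talk.google.com
username={gmail}
secret={gmail_password}
priority=1
port=5222
usetls=yes
usesasl=yes
status=dnd
statusmessage="Phone Gateway!"
timeout=5
"""

MOTIF_CONF = """[default](!)
disallow=all
allow=ulaw
allow=h264
transport=google-v1

[google](default)
transport=google
connection=google
context=incoming-google
"""

# Doubled braces survive str.format() as the literal ${EXTEN} / ${CALLERID(num)} Asterisk expects.
EXTENSIONS_CONF = """[default]
exten => 411,1,Answer()
same => n,Dial(Motif/google/${{EXTEN}}@voice.google.com)

[incoming-google]
exten => s,1,Set(CALLERID(name)=${{CALLERID(num)}})
same => n,Dial(SIP/sipphone,20,D(:1))

[local]
include => default
exten => _NXXNXXXXXX,1,Dial(Motif/google/${{EXTEN}}@voice.google.com,,r)
exten => _NXXXXXX,1,Dial(Motif/google/{area_code}${{EXTEN}}@voice.google.com,,r)
"""

def config_problems(externip, internalip, sip_secret, gmail, gmail_password, area_code):
    """Reasons the inputs would give a broken or weak config; empty list if fine. The 12-char
    SIP secret minimum is this example's own policy: the post opens 5060/UDP to the internet."""
    problems = []
    for label, value in (("external IP", externip), ("internal IP", internalip)):
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            problems.append(f"{label} is not a valid IPv4 address: {value!r}")
    if len(sip_secret) < 12:
        problems.append("SIP secret must be at least 12 characters")
    if not re.fullmatch(r"[2-9][0-9]{2}", area_code):
        problems.append("area code must be three digits and cannot start with 0 or 1")
    for label, value in (("SIP secret", sip_secret), ("Gmail address", gmail), ("Gmail password", gmail_password)):
        if "\n" in value or "\r" in value:  # a line break could smuggle extra settings into the file
            problems.append(f"{label} must not contain line breaks")
    return problems

def render_configs(externip, internalip, sip_secret, gmail, gmail_password, area_code):
    # Returns {file name: contents}; raises ValueError listing every problem found.
    problems = config_problems(externip, internalip, sip_secret, gmail, gmail_password, area_code)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "sip.conf": SIP_CONF.format(externip=externip, internalip=internalip, sip_secret=sip_secret),
        "xmpp.conf": XMPP_CONF.format(gmail=gmail, gmail_password=gmail_password),
        "motif.conf": MOTIF_CONF,
        "extensions.conf": EXTENSIONS_CONF.format(area_code=area_code),
    }
```

Write each returned string to /etc/asterisk/<name> as root; sip.conf and xmpp.conf contain passwords, so give them mode 600. Because 5060/UDP is opened to the internet through the Azure endpoints, the SIP secret is all that stands between the internet and your Google Voice account, so make it long and random.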

Now that that’s done we can start Asterisk!

/etc/init.d/dahdi start
/etc/init.d/asterisk start
asterisk -rvvv

Now you will be in an Asterisk shell, and it will show you everything that’s going on under the hood. Probably a lot of errors, and Google will be sending you a freaked-out email that some application is trying to access your account! Yes, that’s your new Asterisk box, so let it do its thing. Once you have let Google know not to freak out you’ll be close to done; you just need to go to your Azure dashboard, click on Endpoints, and add the following endpoints:

UDP 10000
UDP 10001
UDP 10002
UDP 10003
UDP 10004
UDP 10005
UDP 10006
UDP 5060
TCP 5269

I’m sorry but as of the time of this writing there’s no easier way to add these endpoints without using PowerShell and that’s a whole other conversation. This way is tiresome but easy.

Yay! Time to use the system!

If you call your Google Voice number at this point you should see Asterisk spitting out all kinds of things and generally freaking out, because there’s nowhere to send the call to. To fix this, all you have to do is download a SIP client like Telephone for Mac OS X or X-Lite for Windows, or use a little device that hooks up to your internet connection and a telephone. Just configure it to point at your DNS name (xxx.cloudapp.net), the extension name (in my scripts it’s sipphone) and the password (the one you put into sip.conf). Once it’s connected you should be able to make and receive calls on your Google Voice account!


Now enjoy your system and go add compiling Linux applications and administering Azure IaaS to your resume!

The Seven Layer Cake of Web Development

[Image: a seven layer cake]

Modern web development (especially for businesses) can be quite challenging and exciting! But building a scalable and maintainable complex web application can be a challenge. Lo and behold, it can be as simple as making a seven layer cake (yes, I know the picture has six layers, but stick with me).

Persistent Storage Layer

These days pretty much everything in a website is dictated by or stored in a persistent data store (SQL, NoSQL, file, etc.), and the data within ranges from simple key-value pairs to (in some cases) entire web pages. It’s an important aspect of web development and shouldn’t be overlooked or glossed over.

SQL (RDBMS)

Choose a relational database management system (T-SQL, MySQL, etc.) when you have data that needs to be related but stored separately. This is the first (and only) stop for many folks, since there is a lot of expertise available in the field and RDBMSs are pretty easily understood. Additionally there are some great tools for managing them, and the ones that are out there are generally well-supported and mature products.

NoSql

Use NoSQL when you require speed and simplicity. There are a tremendous number of these, and they vary from simple key-value engines that run in memory with a persistent backing, such as Redis, to document stores like MongoDB, to almost-RDBMS offerings like Cassandra. Check out the Wikipedia article for more information on what’s out there.

Object Model / Data Abstraction Layer

Although many would argue against an object model, having some layer that abstracts the database’s model away from its actual usage is extremely useful later in the product life cycle, if you discover that your chosen persistent storage provider is unable to keep up with your exploding business! Keep this layer thin and you’ll rarely need to touch it, and if you later need to swap it out you can do so quickly.

Data abstraction is another “nice to have,” the idea being to keep your work atomic (simple calls that have reliable results) so that it can be pieced together by your business logic or controller to have the desired effect.

Business Logic Layer

Some web sites choose to combine the business logic layer with the controller, which can be a mistake that later leads to large files full of spaghetti code. The business logic layer is the one that “the suits” care about the most; here is where they will tweak the rules and make crazy changes. Keep those crazy changes away from the rest of your code and you will be a very happy person.

Controller Layer

This is where it all comes together: the business logic layer uses data provided by the ORM / DAL (which in turn gets its data from persistent storage), and the controller delivers the result to a hungry view layer. At this point it becomes easy to see how building these layers nice and separate from each other reduces code, bugs, and time spent debugging.

View Layer

In the view layer, all the structure of how the data is displayed is defined. Remember to keep this layer mostly free of code; you are focusing on one thing here: interacting with the user. Ask yourself this question: “does what I’m writing affect the user’s experience with my application?” Does it have to do with colors, boxes, lines, pictures? That’s the view layer! Does it have to do with how something is stored in a database? Wrong spot! There’s some ambiguity when thinking about input validation; the simple rule is: do input validation as best you can, but if it degrades the user experience then change your approach!
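The layers above, as an added example that is not part of the original post: a toy order flow in Python over an in-memory SQLite database, with one function per layer. Names such as place_order, order_controller and view_form_hint are invented. The data abstraction layer only ever runs parameterized queries, the credit rule lives in exactly one place, escaping happens in the view because it is about how data is shown, and the controller re-checks the input even though the view offers a friendlier check first, so the view-layer validation can be tuned for experience without weakening anything.

```python
# Added example, not from the original post: the seven-layer split as separate functions.
# SQLite stands in for the RDBMS; all names here are invented for illustration.
import html
import sqlite3

# --- Persistent storage layer ---
def open_storage():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, credit_limit INTEGER)")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, amount INTEGER)")
    conn.execute("INSERT INTO customers (id, name, credit_limit) VALUES (1, 'Ada <Lovelace>', 500)")
    return conn

# --- Data abstraction layer: atomic calls with reliable results. Every query is
# parameterized, so no user input is ever spliced into SQL text in this layer. ---
def dal_get_customer(conn, customer_id):
    row = conn.execute("SELECT id, name, credit_limit FROM customers WHERE id = ?", (customer_id,)).fetchone()
    return None if row is None else {"id": row[0], "name": row[1], "credit_limit": row[2]}

def dal_sum_orders(conn, customer_id):
    (total,) = conn.execute("SELECT COALESCE(SUM(amount), 0) FROM orders WHERE customer_id = ?", (customer_id,)).fetchone()
    return total

def dal_insert_order(conn, customer_id, amount):
    cur = conn.execute("INSERT INTO orders (customer_id, amount) VALUES (?, ?)", (customer_id, amount))
    return cur.lastrowid

# --- Business logic layer: the rule "the suits" will change, kept in one place ---
class BusinessRuleError(Exception):
    pass

def place_order(conn, customer_id, amount):
    customer = dal_get_customer(conn, customer_id)
    if customer is None:
        raise BusinessRuleError("unknown customer")
    if amount <= 0:
        raise BusinessRuleError("amount must be positive")
    if dal_sum_orders(conn, customer_id) + amount > customer["credit_limit"]:
        raise BusinessRuleError("order exceeds credit limit")
    return dal_insert_order(conn, customer_id, amount)

# --- Controller layer: parse the request, run the business logic, hand plain data to the view ---
def order_controller(conn, form):
    # The view's hint is a courtesy; this parse is the authoritative check.
    try:
        customer_id = int(form.get("customer_id", ""))
        amount = int(form.get("amount", ""))
    except ValueError:
        return {"status": 400, "error": "customer_id and amount must be integers"}
    try:
        order_id = place_order(conn, customer_id, amount)
    except BusinessRuleError as exc:
        return {"status": 422, "error": str(exc)}
    customer = dal_get_customer(conn, customer_id)
    return {"status": 201, "order_id": order_id, "customer_name": customer["name"]}

# --- View layer: only how things are shown. Escaping lives here because it is about
# display; the database stored the raw name and that is fine. ---
def view_form_hint(form):
    """A friendly pre-submit hint for the user; not the safety check."""
    if not form.get("amount", "").isdigit():
        return "Please enter a whole-number amount."
    return ""

def render_order_page(result):
    if result["status"] != 201:
        return f"<p class=\"error\">{html.escape(result['error'])}</p>"
    return (f"<h1>Order {result['order_id']} placed</h1>"
            f"<p>Thanks, {html.escape(result['customer_name'])}!</p>")
```

Each function depends only on the layer directly below it, which is what lets you swap SQLite for a real RDBMS by rewriting the three dal_* functions and nothing else.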

Presentation Layer

The presentation layer is all about how everything comes together: the visual appeal of your software and how it interacts with the user. This is distinct from the view layer because there is no code here at all. That’s right, no HTML, CSS, JS or any other letters put together. How does it look, feel, smell, taste? Whatever you are trying to present to the user, give it good attention, because I’m sure Myspace had some great code behind it, but it was severely lacking in presentation.

Client Layer

Okay, we’re back from the touchy-feely presentation layer to hard code. The client layer is the stuff that’s running on the actual client machine. We’re talking HTTP headers, cookies, JavaScript, Ajax, the works! Many modern browsers like Google Chrome will actually analyse your page and give advice on how to better optimize the client experience. This includes potentially using a static content server to serve files that rarely change (JavaScript, CSS, etc.) and handling cookies correctly. The client layer is big and stretches from network performance to JavaScript optimization to CSS fixes for the major browsers and whichever version they are at. Do not underestimate this as a layer, and consider methods for segregating it from the view layer both during development and deployment.

Have Fun!

In conclusion, web development, when done correctly, can be a tremendous amount of fun, so enjoy yourself! Remember that there are many paths to the same end, but some planning ahead of time can really make your life much easier!