Matthew Bendford

Ranch Foreman
since Dec 01, 2020

Recent posts by Matthew Bendford

Sergei Prosvirnin wrote:such a long time is a consequence of network latency


That's why Tim suggested this:

Tim Holloway wrote:A simple "Add 1 to X" can be done entirely within the database server in a single SQL command and that shouldn't take nearly so long.


So the reason for that 2 hour processing seems to be you fetch a record from the database - update it - and store it back to the database - one-by-one. Although I don't like to phrase it this way, but: "Your approach is wrong." - or at least it seems so. This simple update should be done by the database server itself. Otherwise you have to transfer at least the data you want to update twice over the network - once to fetch them and a second time to store the updated result back. Even using 10GBit networking and a fast client - there're still several bottlenecks. Having the database server do the job on its own removes all of them - and makes the update quite a bit more efficient.

Well, beware of what algorithm you choose:
Take a look at Vector vs ArrayList as an example: Vector was designed very conservatively - on every enlargement its size doubled - starting with a vector with its size equal to a power of two you can see this gets really big rather quickly. ArrayList on the other hand was done smarter: It increases the backing array only by half its current size. A list with an initial size of 8 would go 12, then 18, then 27 and so on - a vector would already be at 32 or even at 64.

Sure, you can go "+1" each step - but that's not really an algorithm - but rather a very complicated way of implementing a LinkedList - which doesn't follow any enlargement algorithm but just chains the next element after the last one and hence also only growing by +1 each time.
3 weeks ago
To add on what's already mentioned: A possible name for your calculator would be RpmCalculator.
Note: It does omit the phrase "parameters" altogether. Why? Cause you want to calculate a RPM object by whatever input.

Side-note to RPM vs Rpm: There's no fixed rule and it's inconsistent within the SE API itself: URL is a good example: URL.openConnection returns a URLConnection. But its implementations are HttpURLConnection and JarURLConnection - although both HTTP and JAR are abbreviations as URL - but only URL is kept all-capital.
There're a few others throughout the SE API all since early on 1.0 or 1.1 - so around late 80s / early 90s. We won't change them today even if someone would come up with a ruleset how to handle them.

On the other side ... well - if you call it RpmCalculator why not call it Rpm instead of all-capital RPM?
You see: This gets philosophical right away ... it comes down to personal preference. So, you maybe come up with your own style, you may copy someone else, but whatever way you go: stick to it! Hence: choose wisely.
3 weeks ago
It's not me judging about the use of java exams or the certificates one gets from them - or about you - but: You take this example project to learn - that's good, but a JCP, JCA or what's it called these days, is meant to certify your knowledge about the java language - and often about weird edge cases far from reality as many of the trick questions are avoided in common practice altogether. TLDR: It's not meant to sound mean, but at your current level I wouldn't suggest a java exam anyway - no matter you already failed one and by this at least know what to expect.
It's not helpful if you present a java cert but then fail to complete a simple task because of lack of knowledge. But that's just a personal suggestion.
3 weeks ago
Well, I would have suggested using one file per card + back cover rather than stuffing them in one big texture file.
Why? Because it's actually not part of the Card class to handle the texture loading but you should use a separate TextureLoader class which has logic to account for different types and sizes of the textures and just provide those to the Card class, maybe even using an additional Texture class.

Also: I don't see how a simple card game would help in improving your cert score - as cert exams usually target different subjects of the java language - often going deeply into VM implementation or JLS level.
3 weeks ago
Well, although you seem to have fixed the problem let me address your questions one by one so you can figure where you took the wrong turn:

I didn't try to make it work with AdoptOpenJDK-11,


Well, as mentioned: The example makes use of internal classes not part of the public SE API - hence it does matter what compiler and runtime is used. As this example is within the AdoptOpenJDK-11 repo it's meant to be used with the AdoptOpenJDK-11 compiler and runtime. If you try to use ANY other environment it's pretty much doomed to fail or produce some different output than what's expected.

[...] about Wireshark [...] so even if the certificateStatusMessage packet was lost [...]


IF some packet was lost TLS demands the connection to be terminated right away with a SSL_ERROR as one of the key features is not just encryption but also authenticity: Each packet goes through a continuous hash to ensure that both sides send and receive the same byte-stream. If one side detects a mismatch it has to terminate the connection right away with just a general error. So, it's not about "losing some packets" or "not correctly capturing them" - as if this would be caused by packet drop the connection wouldn't get to the CHANGE_CIPHER_SUITE message but would be terminated way before reaching that part of the handshake.

Running AdoptOpenjdk 11 did not work.


Please post code and error messages as text, not images. And if you do use images please use the attachment function of this forum instead of linking in from external sources. Reason: Image-Hosters such as Imgur only host the content for a limited amount of time. They get deleted pretty fast and all we end up with are broken links. Please don't do that. If there really is something you can't get as a text-only output use this site's attachment function to upload your images right to this thread. I tried my best to "translate" your images into text ...

Someone knows how to get the whole sun.security package downloaded??
Should I compile openjdk myself?


You don't "download a whole package", and surely no internal stuff. It's part of the environment this code was written for. In order to have access to it you have to use the same environment: an AdoptOpenJDK-11 package.

ITS WORKING!!!


// followed by some wireshark packet capture, followed by some packet analysis, followed by some more deeper analysis
TLDR: As the one comment on SO already mentioned: These screenshots only show "wireshark thinks there's something wrong according to its own standards" - but for the actual question they contain no value at all. Instead of using those cut down shots the short command like mine has the same information value: ZERO

Certificate Hierarchy:



note: this could have been done by some openssl text output (see example below)

solution


And from here on it's just text again. So, end of "transcribing images to text" by me.

Let me address a few important key aspects here:

! RFC 3280 ! - although it's updated by some newer ones - THIS is the RFC to build your CA by ... it lists what extensions have to be part of an X.509v3 CA and cert chain and what values they should contain - Section 4.2 starting lower half of page 24.

And make sure too that your ssl certificate is chained with the CA or CA and intermediate certificates, depending how your setup is.


THIS line is not fully correct. A ROOT CA is NEVER bundled with anything - as it HAS to be in the client's TrustStore for the connection to actually work. If, for some reason, your setup is that simple to not include an intermediate level all you send is your sole certificate. The ROOT CA cert is NOT sent along with it.
One only sends additional certs along if and only if there's at least one or maybe even more intermediate certificates between the end entity cert and the root ca cert.
As an example: Using a Let's Encrypt cert you have the chain: LE ROOT > LE intermediate > your cert - the chain the server sends to the client only consists of your cert + the intermediate cert - but not the root cert as this has to be already in the client's trust store. In fact, test sites like ssllabs.com mark it as error if they detect the root cert is sent along and give a warning regarding fixing it.
So, the correct answer would be: Send along any intermediate certs if there're any - otherwise if the end entity cert is directly one level down from the root cert don't send the root cert along.

So, you see: Aside from the rather complicated example code specific to the AdoptOpenJdk-11 environment your cert chain was messed up. That's the reason why I suggested to try and test the provided original example as is - as if this would contain any error it would most likely be fixed already by now.

example how to use openssl x509 to get a text output of your certificate:
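
The chain rule from this post (the server sends its own cert plus any intermediates, the root stays in the client's trust store), as an added example that is not part of the original post. It assumes the `openssl` command-line tool is installed; every subject name, file name and lifetime is constructed for the demonstration.

```sh
#!/bin/sh
# Added example: a constructed root > intermediate > leaf PKI.
# Subjects, file names and the 30-day lifetime are made up for the demo.
set -eu

issue() {  # $1 dir, $2 name, $3 CN, $4 issuer name, $5 extension section
  openssl req -config "$1/pki.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$1/$2.csr" \
    -CA "$1/$4.pem" -CAkey "$1/$4.key" -CAcreateserial \
    -extfile "$1/pki.cnf" -extensions "$5" -out "$1/$2.pem" 2>/dev/null
}

build_demo_pki() {  # $1 = empty working directory
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
  # Self-signed root: the only certificate placed in the client's trust store.
  openssl req -config "$1/pki.cnf" -new -x509 -sha256 -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Demo Root CA" -extensions v3_ca \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  issue "$1" int  "Demo Intermediate CA" root v3_ca
  issue "$1" leaf "server.example.test"  int  v3_leaf
}

# Client view: trusts only the root; whatever the server sends is untrusted
# material used for path building. Succeeds only if a full path can be built.
client_accepts() {  # $1 dir, $2 PEM file with the certificates the server sends
  openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" 2>&1 |
    grep -q ': OK$'
}

# Number of self-issued certificates (subject == issuer) in a PEM bundle.
# Anything above 0 in a server bundle means a root is being sent along.
count_self_issued() {  # $1 PEM bundle
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ {s=substr($0,9)}
         /^issuer=/  {if (substr($0,8)==s) n++}
         END {print n+0}'
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
build_demo_pki "$work"
cat "$work/leaf.pem" "$work/int.pem"                  > "$work/send_correct.pem"
cat "$work/leaf.pem"                                  > "$work/send_leaf_only.pem"
cat "$work/leaf.pem" "$work/int.pem" "$work/root.pem" > "$work/send_with_root.pem"

for f in send_correct send_leaf_only send_with_root; do
  if client_accepts "$work" "$work/$f.pem"; then v=accepted; else v=rejected; fi
  echo "$f: $v, self-issued certs sent: $(count_self_issued "$work/$f.pem")"
done

# Text dump of the leaf, reduced to the fields that matter for chain building.
openssl x509 -in "$work/leaf.pem" -noout -text | grep -E 'Issuer:|Subject:|CA:'
```
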
Although this is already a rather old thread a reply seems fit as the given response doesn't cover the base "issue" with OP's setup: The one-way IPv6 tunnel broker service.

To summarize: OP had a server set up at his home and tried to connect to it from the outside world via IPv6. The issue: As indicated by the IPv6 test OP's line back then does not support IPv6 natively but either the router or the OS uses an IPv6 tunnel broker to connect to IPv6 sites in the web. Such tunnel broker services are usually one-way services: They allow your computer to connect to the ipv6 internet - but in turn only allow responses as incoming traffic. Opening an unrelated connection from the outside is usually blocked by the tunnel broker's firewall.

To put the answer simple: Same as with IPv4 for IPv6 also you need your connection to have its own public routable one. If your connection is an IPv4 only and you use something as an IPv6 tunnel broker service for outbound traffic you can't accept incoming IPv6 traffic as easily as IPv4 traffic.

In fact, as IPv4 is to phase out there're already a lot of new connections using IPv6 only and tunnel any IPv4 traffic through carrier grade NAT. This way such connections maybe can accept incoming IPv6 traffic without issues but no IPv4 traffic as the connection doesn't have a public routable IPv4 but only a local IPv4 within the ISP's network up to its router (often a CLASS-A 10.x.x.x or CLASS-B 172.16-31.x.x).

Receiving inbound traffic from the internet requires two things:

1) a public routable IP (no matter if IPv4 or IPv6 or both)
2) an ISP which allows incoming traffic in the first place - if it's already blocked by your ISP it doesn't matter on your end

Unless you meet BOTH of these you most likely can't accept incoming traffic. There're several possible solutions like STUN or Firewall HolePunching - but these techniques heavily rely on the actual setup and have to be solved in a case-by-case fashion. There's no universal "one fits it all" solution. And on some very restrictive connections, like a campus lan, it's often not possible at all as it's blocked by the admins for security reasons.

Well, from as far as I understand OCSP stapling it's to take away some of the load to the OCSP reply URI by having the server do it once periodically and add the reply within its reply to the client so the client itself doesn't have to do the OCSP checking. A nice feature to take some load off of the CAs and their servers. Unfortunately as I only played around with CRLs for my own CA I can't really help with the OCSP much.
As far as I can tell the code you posted over on SO is a stripped down version of some openjdk example from github: https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/test/jdk/javax/net/ssl/Stapling/SSLSocketWithStapling.java
As this is using classes within the jdk.* packages this is specific to the VM/runtime.

So, question comes up: As it's an example for AdoptOpenJDK-11 - do you run this example with an AdoptOpenJDK-11 runtime?
Also: Does the provided example from github work as is with the code setting up its own example CA during runtime? If so: Does your own external CA follow the same requirements in the cert chain with all the extensions?

It's too much code I would have to crunch through (and would have to auto-refactor first by an IDE to get it all sorted into own classes) to give an answer - but a wild guess in the blue: If the client's requesting the OCSP but the server does not reply with one it's either in the server code or something's wrong with the certificates. I would start by only slightly modifying the code so instead of the CA is re-generated every time this code is run it's only generated once and then stored to disk. This way you can inspect the certs and all what's in them to see if your CA differs not just in the values but the overall extensions themselves.
IF possible: try to set up the stuff across two different machines (maybe even just VMs) as capture loopback with wireshark sometimes can get a bit tricky (although it seems you do get the packets captured) - this way you ensure to use different IPs and by this avoiding localhost (I experienced some quirks with this in the past which solved magically just by using two physical different machines connected with a lan cable).

Sorry I can't help any further - but that's quite some specialized questions with quite a lot that can go wrong. It's the reason I just stuck to CRL for my CA as I did not want to even bother with all that OCSP stuff.

Well, I can see your point - and I agree with it quite a lot, although I still don't like this style myself. Sure, if one has a specific "problem" with "one correct answer" (or maybe only very few alternatives to achieve the same or similar result) the style of StackExchange might fit these questions quite well. On the other side: As I'm in the customer service business I know the pressure one gets "from above" to meet target numbers. And as it's a rather competitive business there're often several service centers for the same company competing each other to get the best results (basically most profit for the company with least cost) - but I also do experience some employees seem to have way too much time cause they report others for simple spelling errors. To me looks like: "Don't you have your own business to mind?". Same goes for StackExchange: There're several editors running around and "correcting" questions and answers. I'm fine with it as long as it's just spell checking as my english is rather bad. But I also once encountered an edit which changed the baseline of my question and hence shifted the answers I got in a direction not useful to my initial issue. I first politely asked the editor to revert the question to its original state and maybe only do the spell checking - as s/he clearly misunderstood what I was initially asking and changed the question in a way that it no longer fit my problem. As this polite request was denied I then forced the restore by denying the edit with a rather clear refusal reason pointing out that the edit had changed the question too much. Then a third user took over (most likely a mod or something like this) and changed my question yet again - but in an even worse way so it not just "shifted a bit away" but suddenly to me it was quite a different reason.
And then as I wanted to edit in a line like "edited by mods - no longer initial question" my rights to edit (correct) my own question messed up by others TWICE was revoked - I had to sign up for a new account just to post the information the question was invalidated by the edits to get some mod to lock it down for good.
Yea, maybe this is a very personal opinion about a situation that went not so well - but it's quite about the same like: "Don't you have something else more important to do so you have free time spare to mess up my stuff?". And hence I don't really like this platform. If someone would have suggested edits or asked about not so clear lines - ok, fine. But changing a question without fully understanding it in the first place? Why? Why is this even a thing that other non-moderators can edit your posts? No, sorry, this is not my style.
1 month ago
Well, there's nothing wrong with cross-posting in itself per se - but from experience it often ends up in the following two "issues":

1) as already mentioned: no information about cross-posting: this leads to a) users of one site not knowing the progression on other sites - mostly often only the OP (original poster / TO - thread opener / TS - thread starter) keeps track on the various sites
2) "abandoning" - once an answer is supplied on one site the OP often does not re-post it on the other sites but often "abandons" the thread (or sometimes even the whole site) - so others finding the thread maybe years later by google don't get any answer and are left with no clue where to maybe look for one (which sometimes leads to what's known as "thread necromancing")


Also: it depends on what type of question is asked on which site/network.

spoiler - personal opinion ahead:

Just as an example I personally don't like the StackExchange network and its various sites (too many, even wikipedia doesn't list them all). Questions that require personal opinions in answers are often shut down by the mods as it's the style of questions they expect. A question like: "acoustic or electric guitar?" or "western digital or seagate?" are not appreciated over there and I often read this "closed by mod as question is opinion based". Well, although that's maybe right for most of such questions - often there're in fact some technical aspects to be discussed and explained - from which the user asking has to make their own decisions.
Other communities, like CodeRanch, are more open to such style of question and often end up users improving upon each other (as for me: I'm not good with GUIs - so I only can provide rather basic codes - others are more advanced in that topic so they can improve upon me).

In addition to modern day forums there're still lots of mailing lists around - mostly in the unix dev domain - and there's still usenet around, or IRC. People even abused crypto-currency blockchains to distribute illegal content which will be part of it for pretty much ever. And I guess diving into the "dark net" there're even more ways of communicating.


So, don't hesitate to ask your question where you want to and how often you want to - but, as explained: if you do ask the same question on more than one platform please make sure to a) inform that the question is cross-posted and b) if you get to an answer please spread it around so others know it's done and maybe can profit from the answer.

I'm not sure if OP will read this, but I reply anyway:

There's no issue with crossposting a question across multiple sites. But, if you do, all members of any of those sites appreciate it if you at least note that the question is cross-posted and maybe even put in links - this way it's easy for those who want to help to check the status of the question across the sites to see if it's already solved.

Also: IF your question gets solved please make sure to also re-post the solution across all sites the question was posted on so anybody knows a) that the question is already solved and b) have the solution which may help others.

Also also: There's a reason why only editing is allowed in most forum software but deleting posts or whole threads is usually restricted to moderators and administrators.

Also also also: Posting a question and later modify or remove it is not appreciated here - and most likely not on other sites also. Hope this will help you in the future - in case you read this.
1 month ago

Tim Holloway wrote:And definitely don't leave keys in RAM!


Impossible with Windows unless using a hardware keystore like a TPM or HSM - as even when "unloading" encrypted drives (assuming BitLocker is used) it's known that Windows is vulnerable to not cleaning keys properly.
Also: As long as an encrypted storage is mounted the key has to be in memory unless the operation is done outside the main cpu/ram like in a TPM or HSM.
1 month ago
It depends on how the class is declared: if your <root>/pkgA/A1.java starts with

you have to call it
java -cp <path/to/root> pkgA.A1
or in your case:
java -cp C:\Users\Documents\Desktop\Learning\Java pkg0.A1

As an answer to the topic:
If you want to compile pkg0\A1.java from the learning\java directory:
C:\Users\Documents\Desktop\Learning\Java>javac pkg0\A1.java
1 month ago
@OP
It seems you missed what CLASSPATH is.
What you maybe think you try: Have the classpath point to some source files.
What you actually miss: CLASSPATH does NOT point to any SOURCE files but rather to already compiled CLASS files.
If you want to compile classes in different directories have a look at other compiler options, but classpath is the wrong one.
1 month ago

Tim Holloway wrote:I never buy extended warranties on electronics. I figure it's either going to die quickly or be obsolete by the time it does fail.


THAT! At least for me electronics die either quickly so it's still within the standard warranty - or it's so long over it's even outside the extended warranty. You know, this famous "It's over by just a week.".

Just as a short afterword: After another week of testing the two drives which did not fail during the first test they held up pretty well. On the machine I tested on a full badblocks check took around 42h each. Smooth linear performance curve, no noises, max heat within reasonable limits with not-so-great-cooling.
As said, they were used within my raid and were marked as failed before. So, all I can come up with is that faulty RAM and a weird coincidence caused it, at least for the two still working drives. The failed drive has obvious issues: It made clicking noises during the test, was extremely slow, caused some errors in the logs - I already discarded it. So, it seems my once failed drives either came back to life - or never really failed in the first place ... who knows.
1 month ago