
Thursday, February 15, 2007

Certificate Lists Truncated

On February 9th, Microsoft released an update to the root certificate store of Windows XP, Server 2003 and Vista that adds the root certificates of members of its Root Certificate Program.

The update is intended to add the root Certificate Authorities that issue Extended Validation (EV) certificates, which Windows Internet Explorer 7 recognizes. EV is part of the anti-phishing feature set of IE 7. In a nutshell, when you access an encrypted website (its URL starts with HTTPS and you see the lock icon), an EV certificate indicates that the website operator's identity has been verified by the issuing CA under a stricter vetting standard than an ordinary certificate, and the certificate carries additional information about the site owner; it says nothing about whether the site itself is secure. For example, EV-capable browsers show a green background in the address bar while browsing an EV-validated site, while a known phishing or fraudulent website shows a red background.


As a result of the certificate update, the number of trusted root certificates has grown dramatically (not sure of the exact number). For the most part this is benign, and in fact beneficial for EV, but you may have problems setting up secure connections to your own systems if you issue certificates from an internal Certificate Authority. For example, Live Communication Server users may not be able to log on using TLS encryption, and your Unix/Linux systems may not be able to contact your Active Directory Domain Controllers for LDAP authentication over TLS.


You may see an error similar to the following in the System event log on the server:

Source: Schannel
Event ID: 36885
Description: When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.


The reason is that when a server requires client certificate authentication, its TLS CertificateRequest message carries the list of Certificate Authorities it trusts (the distinguished names of the roots in the server's Trusted Root store), and the client uses that list to pick a client certificate that chains to one of them. With the recent update this list has grown too long, so the server sends a truncated list. If the CA that issued the client's certificate did not make the cutoff, the client has no certificate the server will accept and the secure connection fails. I recently experienced this problem when my internal certificate authority's root certificate was truncated from the list sent to the clients.

You can safely remove all expired root certificates and then move on to removing roots that you determine will never be used on that server. However, ensure you keep the well-known Certificate Authority root certificates such as Thawte, Verisign and Microsoft, and be aware that the Windows automatic root update mechanism can re-download a removed root on demand, so the store may grow again over time.

Alternatively, you can set a registry value on the server that stops Schannel from sending the trusted issuer list to the client at all. The client then chooses a certificate from its own store without the server's hint.

Note: Although I have not seen any side-effects to making this change, there may be some other ramifications of making this change but I have yet to see any.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Value: SendTrustedIssuerList (DWORD)
Data: 0 = do not send the list, 1 = send the list
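The two remediation paths above (pruning the server's Trusted Root store, and setting SendTrustedIssuerList) as an added PowerShell example; this is not part of the original post. It audits the Local Computer Trusted Root store the server builds its issuer list from, reports how many bytes of issuer names that store would produce in a CertificateRequest, removes expired roots only when asked, and writes the registry value only when asked. The post does not state Schannel's size limit, so the 16 KB cap, the parameter names and the script name are this example's own assumptions; pruning of unexpired but unneeded roots is left to the administrator, who can use the table it prints.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the server.
# ASSUMPTIONS: the post gives no size limit, so $MaxListBytes (16 KB) is assumed;
# the parameter names and switches are this script's own.
param(
    [int]$MaxListBytes = 16KB,
    [switch]$RemoveExpired,
    [switch]$DisableIssuerList
)

$roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root)
$now   = Get-Date

# In a TLS CertificateRequest each acceptable CA is sent as its DER-encoded subject
# DistinguishedName with a 2-byte length prefix, inside a vector that itself carries
# a 2-byte length. The list size is driven by the number of roots and the length of
# their subject names, not by certificate sizes. SubjectName.RawData is the DER subject.
$report = foreach ($c in $roots) {
    [pscustomobject]@{
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        Expired    = ($c.NotAfter -lt $now)
        DnBytes    = 2 + $c.SubjectName.RawData.Length
    }
}
$totalBytes   = 2 + [int]($report | Measure-Object -Property DnBytes -Sum).Sum
$expired      = @($report | Where-Object { $_.Expired })
$expiredBytes = [int]($expired | Measure-Object -Property DnBytes -Sum).Sum

"{0} trusted roots; issuer list would be {1} bytes (assumed cap {2}); {3} expired roots account for {4} bytes" -f $roots.Count, $totalBytes, $MaxListBytes, $expired.Count, $expiredBytes
if ($totalBytes -gt $MaxListBytes) {
    Write-Warning "Issuer list exceeds the assumed cap; expect truncation (Schannel Event ID 36885)."
}

# Largest contributors first, so the roots worth pruning are easy to spot.
$report | Sort-Object DnBytes -Descending | Select-Object -First 15 |
    Format-Table Subject, NotAfter, Expired, DnBytes -AutoSize

if ($RemoveExpired -and $expired.Count -gt 0) {
    # The .NET store API is used so this also works on PowerShell 2.0 (Remove-Item on
    # the Cert: drive needs PowerShell 3.0 or later).
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    foreach ($e in $expired) {
        $found = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $e.Thumbprint, $false)
        if ($found.Count -gt 0) {
            $store.RemoveRange($found)
            "Removed expired root: $($e.Subject)"
        }
    }
    $store.Close()
    # Windows' automatic root update can re-download a root on demand, so re-run this audit later.
}

$key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$current = (Get-ItemProperty -Path $key -Name SendTrustedIssuerList -ErrorAction SilentlyContinue).SendTrustedIssuerList
"SendTrustedIssuerList is currently: $(if ($null -eq $current) { 'not set (Schannel default)' } else { $current })"
if ($DisableIssuerList) {
    # 0 = do not send the trusted issuer list; the client picks from its own store.
    New-ItemProperty -Path $key -Name SendTrustedIssuerList -PropertyType DWord -Value 0 -Force | Out-Null
    "SendTrustedIssuerList set to 0; reboot so Schannel picks up the change."
}
```

Saved as, say, Audit-TrustedIssuers.ps1 (a name chosen for this example), running it with no switches only reports; add -RemoveExpired to delete expired roots, or -DisableIssuerList to apply the registry workaround. Run the audit first either way, since the byte count tells you whether pruning alone will get the list back under the limit.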

For more information, see "TLS/SSL Tools and Settings" on Microsoft's site.

Wednesday, February 14, 2007

Energy Bar / Power Bar Recipe

After much searching online for a healthy power bar or energy bar recipe, I finally decided to make my own without the butter and sugar called for in most recipes. Although I used http://www.rwood.com/Recipes/Energy_Bar.htm as the basis for my energy bars, I really don't like raisins, so I modified the recipe and improvised heavily as I was cooking. The result was a very tasty and moist energy bar, almost like a brownie. Next time, I think I will cook it a bit longer to dry it out more so it will hold up better and be a bit lighter for the trail, and possibly add a bit more cocoa and stevia:

4 Tablespoons Coconut oil, plus a little more for greasing the pan
1/4 Cup Milk
1 Teaspoon pure vanilla extract
2 1/4 Cups oat or rye flakes (or a combination of both)
1 Cup chopped nuts (Almonds, Walnuts, Pecans, etc.)
1/4 Cup unsweetened cocoa powder
1/2 Teaspoon sea salt
2 Eggs, lightly whisked
1 Cup cooked quinoa
2 Tablespoons agave nectar
2 Teaspoons (more or less to taste) of pure Stevia extract (Increased Sweetness)
1 Cup dried coconut flakes
2 Tablespoons Chia Seed (Chia Gel formed by the seeds will keep you satiated longer)

Preheat oven to 350 F. Lightly coat a baking pan with coconut oil.
Melt the coconut oil and cocoa in a large pot over medium to low heat. Add the flakes and nuts and saute, stirring constantly, for 3 or 4 minutes, or until aromatic and a shade darker. Stir in the salt and chia seed and saute for another minute. Pour into a large bowl.
Stir the eggs and then the rest of the ingredients into the dry mixture and stir until blended uniformly.
Spread the mixture in the prepared pan and bake for 45 minutes, or until pulling away from the pan's edge. Invert onto a rack to cool. Cut into bars. The energy bars will keep for a week, but it is best to store them in the freezer until they are needed.

Monday, February 12, 2007

Awesome and Free Remote Control Software


I recently stumbled across a piece of software that makes remote user support extremely easy. Best of all, it is completely free. The software is called Crossloop and is based on VNC technology. VNC is open source software that has been around for some time but can be difficult to configure, especially on the fly when you are trying to help somebody with their PC issues from a remote location. In fact, Crossloop is VERY much like Ecogent's Echo VNC but without all the configuration steps required to set up your own reflector server or to pay for a VNC reflector service. According to Crossloop:


CrossLoop is a FREE secure screen sharing utility designed for people of all technical skill levels. CrossLoop extends the boundaries of VNC's traditional screen sharing by enabling non-technical users to get connected from anywhere on the Internet in seconds without changing any firewall or router settings. It only takes a few minutes to setup and no signup is required.

For hardcore techies, Crossloop is pretty basic, but I can say that it is (or will be) extremely helpful, even for geeks, when helping out someone with little computer experience. The only drawback is that it does require a download and installation at both ends, which means you will have to convince your Mom & Dad that the software is safe and free of viruses and spyware, not to mention walking them through the download and install process. However, compared to some of the other alternatives out there, which usually have a fairly high cost, it is definitely worth taking a look at.