
Tristan Hill

Blog about IT related stuff

Posts

Aurora Services on LineageOS

Unsure about installation instructions on https://gitlab.com/AuroraOSS/AuroraServices; some searching found https://gitlab.com/AuroraOSS/AuroraServices/-/issues/5, so thought I’d try sideloading from LineageOS recovery.

Simple Client Cert Stunnel

Wanted to set up stunnel for client certificates and it took me longer than expected, so noting here for future reference. Here’s the contents of the stunnel.conf I put in the current directory.

Batch Raw Photo White Balance

Had a few hundred old diving photos in raw format that I wanted to white balance correct and convert to JPEG.
Installed the raw plugin in gimp with

Samsung 960 Evo Secure Erase

I’ve recently been trying to set up hardware encryption in Windows on a Samsung 960 Evo. Samsung Magician suggests doing a secure erase as part of this process. However, I’ve been getting problems with a

Backporting Hplip Package

As I’m running Ubuntu LTS when I got a new HP OfficeJet I needed to backport the hplip package to get a newer version. Quick cheat sheet:

Simulating S3 Down

We can simulate AWS S3 being down by using iptables to drop traffic to the addresses it is hosted on, at least from an EC2 VPC host.

Selenium 3 And Firefox 45

Now that Selenium 3 is the default I’ve had some issues running tests on CentOS 6 which use Firefox ESR. Selenium 3 will try to use geckodriver/marionette by default, so you have to turn this off. Sample Ruby code:

Vino With Ssh

This often comes in handy to enable and start vino via ssh (on Ubuntu 16.04)

Disable Mouse On Lock In Ubuntu

I like to have my monitors off to save power when the screen is locked. Unfortunately it seems like my mouse is rather sensitive so nearby movements cause the screens to come back on. I preferred to have only a keyboard press do this.

Empty A Directory In Ruby

I find this a useful one liner to empty a directory (but keep forgetting it!):

CNAMEs for apex domains

As outlined at Heroku, example.com-style domains can be a pain to host as they must use A records. Numerous DNS providers provide a workaround with the ALIAS/ANAME pseudo record type. The good news for open source users is this is now also supported by PowerDNS as an ALIAS record type.

Useful UK ADSL info

Some interesting links...

PhantomJS with Ruby

I've just been experimenting with a couple of ways of using PhantomJS because of the speed benefits.

pasaffe on fedora

Until a package is done I'm finding the easiest way to run pasaffe is

tar xf pasaffe-0.43.tar.gz
cd pasaffe-0.43
glib-compile-schemas data/glib-2.0/schemas                                                                  
XDG_DATA_DIRS=$HOME/Downloads/pasaffe-0.43/data:/usr/share $HOME/Downloads/pasaffe-0.43/bin/pasaffe -f ~/password.psafe3

Best way to do a dns lookup in bash?

So far:

getent hosts bbc.co.uk | sed -n '1s/\([^ ]*\).*/\1/p'

Is this good or bad python code?

A recursive generator:

#!/usr/bin/python3
import string
import itertools


      

different github deploy keys

This little script set in GIT_SSH switches based on the repository name

#!/bin/sh
set -e


      

What SHA1withRSA actually does

I had some Java code generating a signature like this:

Signature signature = Signature.getInstance("SHA1withRSA");
signature.initSign(privateKey);
signature.update(plainText);
return signature.sign();

Naively I assumed that the reverse operation would simply be decrypting the returned data to reveal a hash. However the result was a 35 byte string rather than the 40 I was expecting. Turns out the signature is also ASN encoded:

irb(main):041:0> key.public_decrypt(signature)
=> "0!0\t\x06\x05+\x0E\x03\x02\x1A\x05\x00\x04\x14\xF7\x1C\xB4o&\xCFA\xFFN\x14\xE9\xA4V\x89\xC5K\xC7\xB8\fg"
irb(main):042:0> OpenSSL::ASN1.decode(key.public_decrypt(signature))
=> #<OpenSSL::ASN1::Sequence:0x007f2c9937f718 @tag=16, @value=[#<OpenSSL::ASN1::Sequence:0x007f2c9937f920 @tag=16, @value=[#<OpenSSL::ASN1::ObjectId:0x007f2c9937f9c0 @tag=6, @value="SHA1", @tagging=nil, @tag_class=:UNIVERSAL, @infinite_length=false>, #<OpenSSL::ASN1::Null:0x007f2c9937f948 @tag=5, @value=nil, @tagging=nil, @tag_class=:UNIVERSAL, @infinite_length=false>], @tagging=nil, @tag_class=:UNIVERSAL, @infinite_length=false>, #<OpenSSL::ASN1::OctetString:0x007f2c9937f740 @tag=4, @value="\xF7\x1C\xB4o&\xCFA\xFFN\x14\xE9\xA4V\x89\xC5K\xC7\xB8\fg", @tagging=nil, @tag_class=:UNIVERSAL, @infinite_length=false>], @tagging=nil, @tag_class=:UNIVERSAL, @infinite_length=false>
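The same round trip end to end, as an added example (not code from the original post): it signs with SHA-1/PKCS#1 v1.5, recovers the 35-byte DigestInfo, shows that signing is just the private-key operation over that structure, and verifies by comparing the whole encoding rather than only the hash. The helper names, the throwaway key and the sample message are assumptions made for the illustration.

```ruby
require 'openssl'

# DER header of a SHA-1 DigestInfo (AlgorithmIdentifier + OCTET STRING header):
# the 15 bytes that precede the 20-byte hash in the irb output above.
SHA1_DIGESTINFO_PREFIX = ['3021300906052b0e03021a05000414'].pack('H*').freeze

# Build the DigestInfo structure that PKCS#1 v1.5 signs for SHA-1.
def sha1_digest_info(data)
  digest = OpenSSL::Digest.new('SHA1').digest(data)
  OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new('SHA1'),
                                 OpenSSL::ASN1::Null.new(nil)]),
    OpenSSL::ASN1::OctetString.new(digest)
  ]).to_der
end

# Undo the RSA operation and split the recovered DigestInfo into its parts.
def unwrap_signature(public_key, signature)
  recovered = public_key.public_decrypt(signature) # strips the type 1 padding
  algorithm, digest = OpenSSL::ASN1.decode(recovered).value
  { der: recovered, oid: algorithm.value[0].oid, digest: digest.value }
end

# Strict check: rebuild the expected DigestInfo and compare every byte,
# instead of trusting whatever ASN.1 the signature happens to decode to.
def strict_verify(public_key, signature, data)
  public_key.public_decrypt(signature) == sha1_digest_info(data)
rescue OpenSSL::PKey::PKeyError
  false
end

def demo
  key  = OpenSSL::PKey::RSA.new(2048)   # throwaway key generated for the demo
  data = 'constructed sample message'   # constructed input
  library_sig = key.sign(OpenSSL::Digest.new('SHA1'), data)
  manual_sig  = key.private_encrypt(sha1_digest_info(data))
  parts = unwrap_signature(key.public_key, library_sig)
  {
    der_length: parts[:der].bytesize,
    prefix_ok: parts[:der].start_with?(SHA1_DIGESTINFO_PREFIX),
    oid: parts[:oid],
    digest_matches: parts[:digest] == OpenSSL::Digest.new('SHA1').digest(data),
    same_as_manual: library_sig == manual_sig,
    verifies: strict_verify(key.public_key, library_sig, data),
    tampered_verifies: strict_verify(key.public_key, library_sig, data + '!')
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The 35 bytes are the 15-byte DigestInfo header plus the 20-byte SHA-1 digest.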

PKCS #1 private key syntax vs PKCS #8

Recently I've been looking at an RSA private key embedded in a configuration file. Things weren't working as expected so I started looking at the key more closely. The string I had was a base64 encoded ASN structure. I came across 2 formats of these structures and . Luckily OpenSSL seemed to have no problem reading either so this wasn't actually an issue for me, just something I hadn't appreciated.
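One way to tell the two structures named in the heading apart from the bare base64 string, as an added example (not from the original post): PKCS #1 starts with two INTEGERs, while PKCS #8 has an AlgorithmIdentifier SEQUENCE followed by an OCTET STRING that wraps the PKCS #1 key. The function names and the generated key are assumptions made for the illustration.

```ruby
require 'openssl'
require 'base64'

# Classify a base64-encoded (no PEM armour) RSA private key by its ASN.1 shape.
#   PKCS #1 RSAPrivateKey : SEQUENCE { INTEGER version, INTEGER modulus, ... }
#   PKCS #8 PrivateKeyInfo: SEQUENCE { INTEGER version, SEQUENCE algorithm,
#                                      OCTET STRING privateKey }
def private_key_format(b64)
  seq = OpenSSL::ASN1.decode(Base64.decode64(b64))
  return :unknown unless seq.is_a?(OpenSSL::ASN1::Sequence) && seq.value.size >= 3

  version, second, third = seq.value
  return :unknown unless version.is_a?(OpenSSL::ASN1::Integer)

  if second.is_a?(OpenSSL::ASN1::Integer)
    :pkcs1
  elsif second.is_a?(OpenSSL::ASN1::Sequence) && third.is_a?(OpenSSL::ASN1::OctetString)
    :pkcs8
  else
    :unknown
  end
rescue OpenSSL::ASN1::ASN1Error
  :unknown
end

def format_demo
  key       = OpenSSL::PKey::RSA.new(2048) # throwaway key generated for the demo
  pkcs1_der = key.to_der                   # traditional RSAPrivateKey encoding
  pkcs8_der = key.private_to_der           # PrivateKeyInfo (needs openssl gem >= 2.2)
  {
    pkcs1: private_key_format(Base64.strict_encode64(pkcs1_der)),
    pkcs8: private_key_format(Base64.strict_encode64(pkcs8_der)),
    garbage: private_key_format('bm90IGEga2V5'), # constructed: base64 of "not a key"
    # The PKCS #8 OCTET STRING carries the PKCS #1 structure unchanged.
    pkcs8_wraps_pkcs1: OpenSSL::ASN1.decode(pkcs8_der).value[2].value == pkcs1_der,
    # OpenSSL loads either encoding and yields the same key.
    both_load_same_key: OpenSSL::PKey.read(pkcs1_der).to_der ==
                        OpenSSL::PKey.read(pkcs8_der).to_der
  }
end

puts format_demo.inspect if $PROGRAM_NAME == __FILE__
```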

Ruby's Nokogiri serialize / to_s without whitespace

I have an app in which I wish to verify the signature of an XML fragment. Therefore whitespace is important. Eventually found the way to do this:

xml_object.at_xpath('//Data').serialize(:save_with => Nokogiri::XML::Node::SaveOptions::AS_XML)

Keyboard shortcut for moving windows between monitors

Unity (as of Ubuntu 14.10) does not come with a keyboard shortcut to move windows between screens. There is a Compiz plugin that does though - put. To enable

sudo apt-get install compizconfig-settings-manager compiz-plugins

Then go into ccsm and set a shortcut for "Put to Next Output" (I used Super and N) in the Put options within the Window Management section.

Windows 7 installation :/

I'm reinstalling Windows on my laptop as part of selling it. Process turns out to be relatively easy:

  1. Download correct language iso - google for DigitalRiver Windows 7 iso
  2. Format a USB drive as NTFS with bootable flag set (possible in the Ubuntu Disks utility)
  3. Copy content of ISO to the drive (sudo mount -o loop ~/Downloads/X17-59186.iso /mnt)
  4. Boot laptop off the USB drive

This may take a while on large repositories 2

Further to my previous post I've found the biggest win for the "This may take a while on large repositories" wait is

git svn fetch --log-window-size=10000

Lots quicker!

Musings on Docker and Open Source Software

I've been keen on containers, particularly over virtual machines, ever since experimenting with OpenVZ. No extra OS fits with a nothing left to take away philosophy. Now it seems to have taken over the virtual machine on the cloud buzz. About time. Still, is it where we want to head?

A Docker talk I recently saw (it was also interesting that he ran an Ubuntu VM on a Mac) had a nice comparison with the containerization of shipping in the 1950s. Nice. But how does it compare to the Open Source world where I have a distribution like Debian or Ubuntu which packages all its software and releases every so often. Aren't packages my container? Maybe not from a security perspective but then I have AppArmor to think about too. It appears Docker is better built for heterogeneous environments since my packages are distro specific. But I'm not sure I want to accept heterogeneity, if I have a choice?

Troubleshooting SSL connections

With OpenSSL 1.0.2 the s_client command supports a -trace option when built with enable-ssl-trace:

$ tar xf openssl-1.0.2-beta3.tar.gz
$ cd openssl-1.0.2-beta3
$ ./config enable-ssl-trace --prefix=$PWD/prefix --openssldir=$PWD/prefix
$ make dep
$ make
$ apps/openssl s_client -connect yum.dev.bbc.co.uk:443 -cert /home/stan/Downloads/hillt08.pem -CAfile /home/stan/Downloads/ca.pem -debug -state -trace
WARNING: can't open config file: /home/stan/Downloads/openssl-1.0.2-beta3/prefix/openssl.cnf
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x2387050 [0x23870d0] (361 bytes => 361 (0x169))
0000 - 16 03 01 01 64 01 00 01-60 03 03 ef c0 3d 48 78   ....d...`....=Hx
0010 - fa 79 79 e3 4a 7e 9d 96-86 92 d6 25 3e d8 7b 03   .yy.J~.....%>.{.
0020 - ee ff fb 7b 0e b4 e3 7f-df 11 83 00 00 c4 c0 30   ...{...........0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a5 00 a3 00 a1   .,.(.$..........
0040 - 00 9f 00 6b 00 6a 00 69-00 68 00 39 00 38 00 37   ...k.j.i.h.9.8.7
0050 - 00 36 00 88 00 87 00 86-00 85 c0 32 c0 2e c0 2a   .6.........2...*
0060 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 2f   .&.......=.5.../
0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a4 00 a2 00 a0   .+.'.#..........
0080 - 00 9e 00 67 00 40 00 3f-00 3e 00 33 00 32 00 31   ...g.@.?.>.3.2.1
0090 - 00 30 00 9a 00 99 00 98-00 97 00 45 00 44 00 43   .0.........E.D.C
00a0 - 00 42 c0 31 c0 2d c0 29-c0 25 c0 0e c0 04 00 9c   .B.1.-.).%......
00b0 - 00 3c 00 2f 00 96 00 41-00 07 c0 11 c0 07 c0 0c   .<./...A........
00c0 - c0 02 00 05 00 04 c0 12-c0 08 00 16 00 13 00 10   ................
00d0 - 00 0d c0 0d c0 03 00 0a-00 15 00 12 00 0f 00 0c   ................
00e0 - 00 09 00 14 00 11 00 0e-00 0b 00 08 00 06 00 03   ................
00f0 - 00 ff 01 00 00 73 00 0b-00 04 03 00 01 02 00 0a   .....s..........
0100 - 00 3a 00 38 00 0e 00 0d-00 19 00 1c 00 0b 00 0c   .:.8............
0110 - 00 1b 00 18 00 09 00 0a-00 1a 00 16 00 17 00 08   ................
0120 - 00 06 00 07 00 14 00 15-00 04 00 05 00 12 00 13   ................
0130 - 00 01 00 02 00 03 00 0f-00 10 00 11 00 23 00 00   .............#..
0140 - 00 0d 00 20 00 1e 06 01-06 02 06 03 05 01 05 02   ... ............
0150 - 05 03 04 01 04 02 04 03-03 01 03 02 03 03 02 01   ................
0160 - 02 02 02 03 00 0f 00 01-01                        .........
Sent Record
Header:
  Version = TLS 1.0 (0x301)
  Content Type = Handshake (22)
  Length = 356
    ClientHello, Length=352
      client_version=0x303 (TLS 1.2)
      Random:
        gmt_unix_time=0xEFC03D48
        random_bytes (len=28): 78FA7979E34A7E9D968692D6253ED87B03EEFFFB7B0EB4E37FDF1183
      session_id (len=0): 
      cipher_suites (len=196)
        {0xC0, 0x30} TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        {0xC0, 0x2C} TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        {0xC0, 0x28} TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
        {0xC0, 0x24} TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
        {0xC0, 0x14} TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        {0xC0, 0x0A} TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        {0x00, 0xA5} TLS_DH_DSS_WITH_AES_256_GCM_SHA384
        {0x00, 0xA3} TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
        {0x00, 0xA1} TLS_DH_RSA_WITH_AES_256_GCM_SHA384
        {0x00, 0x9F} TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
        {0x00, 0x6B} TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
        {0x00, 0x6A} TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
        {0x00, 0x69} TLS_DH_RSA_WITH_AES_256_CBC_SHA256
        {0x00, 0x68} TLS_DH_DSS_WITH_AES_256_CBC_SHA256
        {0x00, 0x39} TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        {0x00, 0x38} TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        {0x00, 0x37} TLS_DH_RSA_WITH_AES_256_CBC_SHA
        {0x00, 0x36} TLS_DH_DSS_WITH_AES_256_CBC_SHA
        {0x00, 0x88} TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
        {0x00, 0x87} TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
        {0x00, 0x86} TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA
        {0x00, 0x85} TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA
        {0xC0, 0x32} TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
        {0xC0, 0x2E} TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
        {0xC0, 0x2A} TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
        {0xC0, 0x26} TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
        {0xC0, 0x0F} TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
        {0xC0, 0x05} TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
        {0x00, 0x9D} TLS_RSA_WITH_AES_256_GCM_SHA384
        {0x00, 0x3D} TLS_RSA_WITH_AES_256_CBC_SHA256
        {0x00, 0x35} TLS_RSA_WITH_AES_256_CBC_SHA
        {0x00, 0x84} TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
        {0xC0, 0x2F} TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        {0xC0, 0x2B} TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        {0xC0, 0x27} TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        {0xC0, 0x23} TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        {0xC0, 0x13} TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        {0xC0, 0x09} TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        {0x00, 0xA4} TLS_DH_DSS_WITH_AES_128_GCM_SHA256
        {0x00, 0xA2} TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
        {0x00, 0xA0} TLS_DH_RSA_WITH_AES_128_GCM_SHA256
        {0x00, 0x9E} TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        {0x00, 0x67} TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
        {0x00, 0x40} TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
        {0x00, 0x3F} TLS_DH_RSA_WITH_AES_128_CBC_SHA256
        {0x00, 0x3E} TLS_DH_DSS_WITH_AES_128_CBC_SHA256
        {0x00, 0x33} TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0x32} TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        {0x00, 0x31} TLS_DH_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0x30} TLS_DH_DSS_WITH_AES_128_CBC_SHA
        {0x00, 0x9A} TLS_DHE_RSA_WITH_SEED_CBC_SHA
        {0x00, 0x99} TLS_DHE_DSS_WITH_SEED_CBC_SHA
        {0x00, 0x98} TLS_DH_RSA_WITH_SEED_CBC_SHA
        {0x00, 0x97} TLS_DH_DSS_WITH_SEED_CBC_SHA
        {0x00, 0x45} TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
        {0x00, 0x44} TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
        {0x00, 0x43} TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA
        {0x00, 0x42} TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA
        {0xC0, 0x31} TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
        {0xC0, 0x2D} TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
        {0xC0, 0x29} TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
        {0xC0, 0x25} TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
        {0xC0, 0x0E} TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
        {0xC0, 0x04} TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
        {0x00, 0x9C} TLS_RSA_WITH_AES_128_GCM_SHA256
        {0x00, 0x3C} TLS_RSA_WITH_AES_128_CBC_SHA256
        {0x00, 0x2F} TLS_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0x96} TLS_RSA_WITH_SEED_CBC_SHA
        {0x00, 0x41} TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
        {0x00, 0x07} SSL_RSA_WITH_IDEA_CBC_SHA
        {0xC0, 0x11} TLS_ECDHE_RSA_WITH_RC4_128_SHA
        {0xC0, 0x07} TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
        {0xC0, 0x0C} TLS_ECDH_RSA_WITH_RC4_128_SHA
        {0xC0, 0x02} TLS_ECDH_ECDSA_WITH_RC4_128_SHA
        {0x00, 0x05} SSL_RSA_WITH_RC4_128_SHA
        {0x00, 0x04} SSL_RSA_WITH_RC4_128_MD5
        {0xC0, 0x12} TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
        {0xC0, 0x08} TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
        {0x00, 0x16} SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        {0x00, 0x13} SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        {0x00, 0x10} SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA
        {0x00, 0x0D} SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA
        {0xC0, 0x0D} TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
        {0xC0, 0x03} TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
        {0x00, 0x0A} SSL_RSA_WITH_3DES_EDE_CBC_SHA
        {0x00, 0x15} SSL_DHE_RSA_WITH_DES_CBC_SHA
        {0x00, 0x12} SSL_DHE_DSS_WITH_DES_CBC_SHA
        {0x00, 0x0F} SSL_DH_RSA_WITH_DES_CBC_SHA
        {0x00, 0x0C} SSL_DH_DSS_WITH_DES_CBC_SHA
        {0x00, 0x09} SSL_RSA_WITH_DES_CBC_SHA
        {0x00, 0x14} SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        {0x00, 0x11} SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        {0x00, 0x0E} SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
        {0x00, 0x0B} SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
        {0x00, 0x08} SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
        {0x00, 0x06} SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        {0x00, 0x03} SSL_RSA_EXPORT_WITH_RC4_40_MD5
        {0x00, 0xFF} TLS_EMPTY_RENEGOTIATION_INFO_SCSV
      compression_methods (len=1)
        No Compression (0x00)
      extensions, length = 115
        extension_type=ec_point_formats(11), length=4
          uncompressed (0)
          ansiX962_compressed_prime (1)
          ansiX962_compressed_char2 (2)
        extension_type=elliptic_curves(10), length=58
          sect571r1 (B-571) (14)
          sect571k1 (K-571) (13)
          secp521r1 (P-521) (25)
          brainpoolP512r1 (28)
          sect409k1 (K-409) (11)
          sect409r1 (B-409) (12)
          brainpoolP384r1 (27)
          secp384r1 (P-384) (24)
          sect283k1 (K-283) (9)
          sect283r1 (B-283) (10)
          brainpoolP256r1 (26)
          secp256k1 (22)
          secp256r1 (P-256) (23)
          sect239k1 (8)
          sect233k1 (K-233) (6)
          sect233r1 (B-233) (7)
          secp224k1 (20)
          secp224r1 (P-224) (21)
          sect193r1 (4)
          sect193r2 (5)
          secp192k1 (18)
          secp192r1 (P-192) (19)
          sect163k1 (K-163) (1)
          sect163r1 (2)
          sect163r2 (B-163) (3)
          secp160k1 (15)
          secp160r1 (16)
          secp160r2 (17)
        extension_type=session_ticket(35), length=0
        extension_type=signature_algorithms(13), length=32
          sha512+rsa (6+1)
          sha512+dsa (6+2)
          sha512+ecdsa (6+3)
          sha384+rsa (5+1)
          sha384+dsa (5+2)
          sha384+ecdsa (5+3)
          sha256+rsa (4+1)
          sha256+dsa (4+2)
          sha256+ecdsa (4+3)
          sha224+rsa (3+1)
          sha224+dsa (3+2)
          sha224+ecdsa (3+3)
          sha1+rsa (2+1)
          sha1+dsa (2+2)
          sha1+ecdsa (2+3)
        extension_type=heartbeat(15), length=1
          HeartbeatMode: peer_allowed_to_send


      

Speeding up git svn

For those of us unfortunate enough to use (large) svn repositories I found the following has improved things slightly when you get the occasional

W: Ignoring error from SVN, path probably does not exist: (160013): Filesystem has no item: '/!svn/bc/101' path not found: Additional errors:: File not found: revision 101, path '/services/jet/mami/trunk/branches/PSDR-1139'
W: Do not be alarmed at the above message git-svn is just searching aggressively for old history.
This may take a while on large repositories

message (and it starts going through the repository from revision 1)

$ git config svn.brokenSymlinkWorkaround false

Obviously beware if you have symlinks in your svn repository.

Restoring Gmail Takeout

Recently I wanted to merge an old gmail account with my main one. The best way to achieve this seems to be by taking a Takeout of the Gmail data and restoring into the other account. IMAP to IMAP seemed to be more time consuming and suffer from not dealing with Gmail labels properly.

After some while searching for options I came across the following tools

From these only the last seemed capable of restoring the Takeout's mbox file. I extracted the Takeout's all.mbox to ~/Downloads/gmail and then ran the script.

python gyb.py --email my@gmail.com --action restore-mbox --local-folder ~/Downloads/gmail
