Skip to content

Instantly share code, notes, and snippets.


Andrew Ayer AGWA

View GitHub Profile
Last active Feb 19, 2021
Enable and disable the HDMI port on the Raspberry Pi: `rpi-hdmi on` to turn on, `rpi-hdmi off` to turn off. X is properly reinitialized when re-enabling.
# Enable and disable HDMI output on the Raspberry Pi
is_off ()
tvservice -s | grep "TV is off" >/dev/null
case $1 in
Created Apr 14, 2017
Very simple Rust wrapper around pselect
/* Copyright (C) 2017 Andrew Ayer
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
* The above copyright notice and this permission notice shall be included
Last active Sep 11, 2019
Isolated OpenVPN routing table on Linux

Save the route script to /usr/local/lib/openvpn/route on the client. Make it executable with chmod +x.

Remove the push redirect-gateway option from the OpenVPN server config.

Add these options to the OpenVPN client config:

route-up /usr/local/lib/openvpn/route
AGWA / fork_rand.c
Last active Oct 11, 2018
Demonstrates that LibreSSL's PRNG is not fork-safe on Linux. See
View fork_rand.c
* Demonstrates that LibreSSL's PRNG is not fork-safe on Linux.
* See
* This code is in the public domain.
#include <openssl/rand.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
AGWA / cook_rsa_key.go
Last active Oct 11, 2018
Demonstrates that an RSA signature does not uniquely identify a public key.
View cook_rsa_key.go
* Demonstrates that an RSA signature does not uniquely identify a public key.
* Given a signature, s, and a message m, it's possible to construct a new RSA key
* pair such that s is a valid signature for m under the new key pair.
* Requires Go version >= 1.5. Go <= 1.4 doesn't work due to a bug in the bignum
* package:
* Written in 2015 by Andrew Ayer <>
Last active Oct 31, 2016
OCSP Stapling Robustness in Apache and nginx

Date: Mon, 5 Oct 2015 16:34:03 -0700

Apache caches an OCSP response for one hour by default. Unfortunately, once the hour is up, the response is purged from the cache, and Apache doesn't attempt to retrieve a new one until the next TLS handshake takes place. That means that if there's a problem contacting the OCSP responder at that moment, Apache is left without an OCSP response to staple. Furthermore, it caches the non-response for 10 minutes (by default), so for the next 10 minutes, no OCSP response will be stapled to your

AGWA / all_client_options
Last active Jan 14, 2016
Investigation into undocumented ssh_config and sshd_config options, as of Scroll to bottom for the upshot
View all_client_options
AGWA / gist:bf0aad23c931f8e1063f
Created Dec 14, 2015
Email-only CAs trusted by Debian for TLS authentication
View gist:bf0aad23c931f8e1063f
AC Ra\xC3\xADz Certic\xC3\xA1mara S.A. (server trust = CKT_NSS_MUST_VERIFY_TRUST)
ComSign CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)
Equifax Secure CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)
Equifax Secure Global eBusiness CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)
Equifax Secure eBusiness CA 1 (server trust = CKT_NSS_MUST_VERIFY_TRUST)
NetLock Business (Class B) Root (server trust = CKT_NSS_MUST_VERIFY_TRUST)
NetLock Express (Class C) Root (server trust = CKT_NSS_MUST_VERIFY_TRUST)
NetLock Qualified (Class QA) Root (server trust = CKT_NSS_MUST_VERIFY_TRUST)
S-TRUST Authentication and Encryption Root CA 2005 PN (server trust = CKT_NSS_MUST_VERIFY_TRUST)
S-TRUST Universal Root CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)
AGWA / name_constrain.go
Last active Dec 3, 2015
Go program to add name constraints to a certificate
View name_constrain.go
* Adds name constraints to a certificate. Useful if you need to
* import your organization's private CA into your web browser, but
* you only want to trust it for your organization's domains and not
* the Internet at large.
* The certificate is re-signed by an ephemeral issuer with a random
* key so you don't need access to the private key. A random serial number
* is placed in the Issuer DN so browsers don't attempt to verify the
* signature when you import the certificate.
AGWA / readlink.cpp
Last active Oct 8, 2015
C++ readlink wrapper
View readlink.cpp