Andrew Ayer AGWA

Last active Feb 17, 2020
Enable and disable the HDMI port on the Raspberry Pi: `rpi-hdmi on` to turn on, `rpi-hdmi off` to turn off. X is properly reinitialized when re-enabling.
# Enable and disable HDMI output on the Raspberry Pi
is_off ()
tvservice -s | grep "TV is off" >/dev/null
case $1 in
Created Apr 14, 2017
Very simple Rust wrapper around pselect
/* Copyright (C) 2017 Andrew Ayer
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
* The above copyright notice and this permission notice shall be included
Last active Sep 11, 2019
Isolated OpenVPN routing table on Linux

Save the route script to /usr/local/lib/openvpn/route on the client. Make it executable with chmod +x.

Remove the push redirect-gateway option from the OpenVPN server config.

Add these options to the OpenVPN client config:

route-up /usr/local/lib/openvpn/route
AGWA / fork_rand.c
Last active Oct 11, 2018
Demonstrates that LibreSSL's PRNG is not fork-safe on Linux. See
* Demonstrates that LibreSSL's PRNG is not fork-safe on Linux.
* See
* This code is in the public domain.
#include <openssl/rand.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
AGWA / cook_rsa_key.go
Last active Oct 11, 2018
Demonstrates that an RSA signature does not uniquely identify a public key.
* Demonstrates that an RSA signature does not uniquely identify a public key.
* Given a signature, s, and a message m, it's possible to construct a new RSA key
* pair such that s is a valid signature for m under the new key pair.
* Requires Go version >= 1.5. Go <= 1.4 doesn't work due to a bug in the bignum
* package:
* Written in 2015 by Andrew Ayer <>
Last active Oct 31, 2016
OCSP Stapling Robustness in Apache and nginx

Date: Mon, 5 Oct 2015 16:34:03 -0700

Apache caches an OCSP response for one hour by default. Unfortunately, once the hour is up, the response is purged from the cache, and Apache doesn't attempt to retrieve a new one until the next TLS handshake takes place. That means that if there's a problem contacting the OCSP responder at that moment, Apache is left without an OCSP response to staple. Furthermore, it caches the non-response for 10 minutes (by default), so for the next 10 minutes, no OCSP response will be stapled to your

AGWA / all_client_options
Last active Jan 14, 2016
Investigation into undocumented ssh_config and sshd_config options, as of Scroll to bottom for the upshot
AGWA / gist:bf0aad23c931f8e1063f
Created Dec 14, 2015
Email-only CAs trusted by Debian for TLS authentication
AC Ra\xC3\xADz Certic\xC3\xA1mara S.A. (server trust = CKT_NSS_MUST_VERIFY_TRUST)
ComSign CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)
Equifax Secure CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)
Equifax Secure Global eBusiness CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)
Equifax Secure eBusiness CA 1 (server trust = CKT_NSS_MUST_VERIFY_TRUST)
NetLock Business (Class B) Root (server trust = CKT_NSS_MUST_VERIFY_TRUST)
NetLock Express (Class C) Root (server trust = CKT_NSS_MUST_VERIFY_TRUST)
NetLock Qualified (Class QA) Root (server trust = CKT_NSS_MUST_VERIFY_TRUST)
S-TRUST Authentication and Encryption Root CA 2005 PN (server trust = CKT_NSS_MUST_VERIFY_TRUST)
S-TRUST Universal Root CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)
AGWA / name_constrain.go
Last active Dec 3, 2015
Go program to add name constraints to a certificate
* Adds name constraints to a certificate. Useful if you need to
* import your organization's private CA into your web browser, but
* you only want to trust it for your organization's domains and not
* the Internet at large.
* The certificate is re-signed by an ephemeral issuer with a random
* key so you don't need access to the private key. A random serial number
* is placed in the Issuer DN so browsers don't attempt to verify the
* signature when you import the certificate.
AGWA / readlink.cpp
Last active Oct 8, 2015
C++ readlink wrapper