Andrew Ayer AGWA

@AGWA
AGWA / openssl-rekey.sh
Last active April 4, 2024 15:16
Generate a new key and CSR for each of the SSL certificate files specified on the command line. Submit the new CSRs to your certificate authority for a free reissue. Useful for rekeying after a compromise such as Heartbleed. See https://www.agwa.name/blog/post/responding_to_heartbleed_a_script_to_regenerate_ssl_certs_en_masse
#!/bin/sh
#
# openssl-rekey -- generate a new key and CSR for each of the certificate
# files specified on the command line. Submit the new
# CSRs to your certificate authority for a free reissue.
# Useful for rekeying after a compromise such as Heartbleed.
#
# See https://www.agwa.name/blog/post/responding_to_heartbleed_a_script_to_regenerate_ssl_certs_en_masse
#
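The same rekey step in Go, added here as an example; it is not AGWA's openssl-rekey.sh, which drives the openssl command line. It reads a certificate, keeps its Subject and SAN DNS names, generates a fresh RSA key, emits a CSR signed with that key, and includes the check worth running before the CSR goes to the CA: the CSR's self-signature verifies, it names the old identity, and its public key is not the old one. The self-signed certificate it starts from is constructed inline for the demonstration (www.example.com, Example Inc and the 2048-bit key size are assumptions, not anything from the gist).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// RekeyCertificate parses a PEM certificate, generates a fresh RSA key and
// returns (key PEM, CSR PEM); the CSR copies the certificate's Subject and DNS SANs.
func RekeyCertificate(certPEM []byte, bits int) ([]byte, []byte, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, nil, fmt.Errorf("input is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, nil, err
	}
	key, err := rsa.GenerateKey(rand.Reader, bits) // the old key is never reused
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  cert.Subject,
		DNSNames: cert.DNSNames,
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	csrPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER})
	return keyPEM, csrPEM, nil
}

// SameIdentityNewKey is the pre-submission check: the CSR's self-signature verifies
// (proof of possession), it names the old Subject and DNS SANs, and its key is new.
func SameIdentityNewKey(certPEM, csrPEM []byte) (bool, error) {
	cb, _ := pem.Decode(certPEM)
	rb, _ := pem.Decode(csrPEM)
	if cb == nil || rb == nil {
		return false, fmt.Errorf("bad PEM input")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return false, err
	}
	csr, err := x509.ParseCertificateRequest(rb.Bytes)
	if err == nil {
		err = csr.CheckSignature()
	}
	if err != nil {
		return false, err
	}
	sameName := csr.Subject.String() == cert.Subject.String() &&
		fmt.Sprint(csr.DNSNames) == fmt.Sprint(cert.DNSNames)
	newKey, isRSA := csr.PublicKey.(*rsa.PublicKey)
	return sameName && isRSA && !newKey.Equal(cert.PublicKey), nil
}

// ConstructedCert builds a throwaway self-signed certificate for the demonstration.
func ConstructedCert() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.com", Organization: []string{"Example Inc"}},
		DNSNames:     []string{"www.example.com", "example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	certPEM, err := ConstructedCert()
	if err != nil {
		panic(err)
	}
	_, csrPEM, err := RekeyCertificate(certPEM, 2048)
	if err != nil {
		panic(err)
	}
	os.Stdout.Write(csrPEM) // this goes to the CA; the key PEM stays on the host
}
```

A CSR carries names, nothing more; validity period and key usage are the CA's decision at reissue. Rekeying is only half of a compromise response: once the reissued certificate is installed, the old certificate still has to be revoked, because the whole premise is that its private key may have leaked.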
AGWA / rpi-hdmi.sh
Last active March 18, 2024 06:04
Enable and disable the HDMI port on the Raspberry Pi: `rpi-hdmi on` to turn on, `rpi-hdmi off` to turn off. X is properly reinitialized when re-enabling.
#!/bin/sh
# Enable and disable HDMI output on the Raspberry Pi
is_off ()
{
tvservice -s | grep "TV is off" >/dev/null
}
case $1 in

*.123456.renweikg.workers.dev
*.140c7a89da27acd46ba233e1.mipop.mongodb.net
*.18b9f0b03b401b8154a8f3e2.keenetic.io
*.1a57980f78fab9567d7cd85d.ztpjy.mongodb.net
*.1d7f50e38419460b87407138f4feba52.plex.direct
*.23449e68b4d246e5b395fdbeb9789ee7.plex.direct
*.23b164dec49840139edde07467c27abc.plex.direct
*.28bdc692ec1cb5cc793dc6ff.idhf2.mongodb-dev.net
*.2db8efc0b7f84ddaa11459f5e9231280.plex.direct
*.2e51b5cf42a07ee2fca9ac6a.idhf2.mongodb-dev.net
AGWA / select.rs
Created April 14, 2017 03:34
Very simple Rust wrapper around pselect
/* Copyright (C) 2017 Andrew Ayer
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
AGWA / cook_rsa_key.go
Last active April 13, 2021 15:36
Demonstrates that an RSA signature does not uniquely identify a public key.
/*
* Demonstrates that an RSA signature does not uniquely identify a public key.
* Given a signature, s, and a message m, it's possible to construct a new RSA key
* pair such that s is a valid signature for m under the new key pair.
*
* Requires Go version >= 1.5. Go <= 1.4 doesn't work due to a bug in the bignum
* package: https://github.com/golang/go/issues/9826
*
* Written in 2015 by Andrew Ayer <agwa@andrewayer.name>
*
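A toy version of the construction the header above describes, added here as an example and not AGWA's gist. Given a signature s and a message representative h, it searches prime pairs for which a discrete log of h to the base s exists modulo both p and q, combines the two exponents into e with a CRT that tolerates non-coprime moduli (p-1 and q-1 are both even), and keeps the pair only when e is invertible modulo lambda(n) = lcm(p-1, q-1), so that a matching private exponent d exists. It is textbook RSA on numbers small enough for brute-force discrete logs; the inputs 12345 and 54321 and the prime range are constructed. At real key sizes, where h is a padded hash, the same idea needs primes chosen with smooth p-1 so the logs can be taken with Pohlig-Hellman; this block does not attempt that.

```go
package main

import (
	"fmt"
	"math/big"
)

var one = big.NewInt(1)

// dlogBrute returns x in [0, p-2] with base^x == target (mod p) by exhaustive
// search, or false when target is not in the subgroup generated by base.
// Viable only for toy primes; at real sizes this step is Pohlig-Hellman over a
// deliberately smooth p-1, which is what makes the key substitution practical.
func dlogBrute(base, target, p *big.Int) (*big.Int, bool) {
	acc := big.NewInt(1)
	order := new(big.Int).Sub(p, one).Int64()
	for x := int64(0); x < order; x++ {
		if acc.Cmp(target) == 0 {
			return big.NewInt(x), true
		}
		acc.Mul(acc, base).Mod(acc, p)
	}
	return nil, false
}

// crt2 solves e == a (mod m), e == b (mod n) for moduli that need not be
// coprime. It returns e modulo lcm(m, n) and whether a solution exists
// (it does iff a == b modulo gcd(m, n)).
func crt2(a, m, b, n *big.Int) (*big.Int, *big.Int, bool) {
	g := new(big.Int).GCD(nil, nil, m, n)
	diff := new(big.Int).Sub(b, a)
	if new(big.Int).Mod(diff, g).Sign() != 0 {
		return nil, nil, false
	}
	mg := new(big.Int).Div(m, g)
	ng := new(big.Int).Div(n, g)
	lcm := new(big.Int).Mul(mg, n)
	t := new(big.Int).Div(diff, g)
	t.Mul(t, new(big.Int).ModInverse(mg, ng)).Mod(t, ng)
	e := new(big.Int).Mul(m, t)
	e.Add(e, a).Mod(e, lcm)
	return e, lcm, true
}

// CookKey searches prime pairs p < q in [lo, hi) for an RSA key (n, e, d) under
// which s is a valid textbook-RSA signature of h, i.e. s^e == h (mod n). Each
// prime fixes e modulo p-1 through a discrete log; crt2 combines two residues,
// and the pair is accepted only if e is invertible modulo lambda(n) = lcm(p-1, q-1),
// so that a private exponent d exists and (n, e, d) is a genuine key pair.
// The final bool is false if no pair in the range works.
func CookKey(s, h *big.Int, lo, hi int64) (*big.Int, *big.Int, *big.Int, bool) {
	type cand struct{ p, ep, pm1 *big.Int }
	var cands []cand
	for v := lo; v < hi; v++ {
		p := big.NewInt(v)
		sp, hp := new(big.Int).Mod(s, p), new(big.Int).Mod(h, p)
		if !p.ProbablyPrime(20) || sp.Sign() == 0 || hp.Sign() == 0 {
			continue
		}
		if ep, found := dlogBrute(sp, hp, p); found {
			cands = append(cands, cand{p, ep, new(big.Int).Sub(p, one)})
		}
	}
	for i := range cands {
		for j := i + 1; j < len(cands); j++ {
			e, lambda, found := crt2(cands[i].ep, cands[i].pm1, cands[j].ep, cands[j].pm1)
			if !found {
				continue
			}
			n := new(big.Int).Mul(cands[i].p, cands[j].p)
			if s.Cmp(n) >= 0 || h.Cmp(n) >= 0 { // both must be residues below the modulus
				continue
			}
			if d := new(big.Int).ModInverse(e, lambda); d != nil {
				return n, e, d, true
			}
		}
	}
	return nil, nil, nil, false
}

// Verify is textbook RSA verification: s^e mod n == h.
func Verify(n, e, s, h *big.Int) bool {
	return new(big.Int).Exp(s, e, n).Cmp(h) == 0
}

func main() {
	s, h := big.NewInt(12345), big.NewInt(54321) // constructed signature and message
	n, e, d, ok := CookKey(s, h, 300, 1500)
	if !ok {
		fmt.Println("no key found in range")
		return
	}
	fmt.Printf("n=%v e=%v d=%v  s^e mod n == h: %v\n", n, e, d, Verify(n, e, s, h))
}
```

The practical point is the one the header states: a signature that verifies under some public key says nothing about who holds that key unless the key itself is bound to an identity by something trusted (a certificate chain, a pinned key, a signed key directory). A protocol that identifies the signer by "which of these keys verifies the signature" is open to exactly this substitution.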
AGWA / isolated_openvpn_routes.md
Last active September 11, 2019 22:53
Isolated OpenVPN routing table on Linux

Save the route script to /usr/local/lib/openvpn/route on the client. Make it executable with chmod +x.

Remove the push redirect-gateway option from the OpenVPN server config.

Add these options to the OpenVPN client config:

setenv OPENVPN_ROUTE_TABLE 94
route-noexec
route-up /usr/local/lib/openvpn/route
route 0.0.0.0 128.0.0.0
AGWA / fork_rand.c
Last active October 11, 2018 08:00
Demonstrates that LibreSSL's PRNG is not fork-safe on Linux. See https://www.agwa.name/blog/post/libressls_prng_is_unsafe_on_linux
/*
* Demonstrates that LibreSSL's PRNG is not fork-safe on Linux.
* See https://www.agwa.name/blog/post/libressls_prng_is_unsafe_on_linux
* This code is in the public domain.
*/
#include <openssl/rand.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
AGWA / ocsp_stapling_robustness.md
Last active October 31, 2016 20:33
OCSP Stapling Robustness in Apache and nginx

Date: Mon, 5 Oct 2015 16:34:03 -0700

Apache caches an OCSP response for one hour by default. Unfortunately, once the hour is up, the response is purged from the cache, and Apache doesn't attempt to retrieve a new one until the next TLS handshake takes place. That means that if there's a problem contacting the OCSP responder at that moment, Apache is left without an OCSP response to staple. Furthermore, it caches the non-response for 10 minutes (by default), so for the next 10 minutes, no OCSP response will be stapled to your

AGWA / all_client_options
Last active January 14, 2016 16:04
Investigation into undocumented ssh_config and sshd_config options, as of https://github.com/openssh/openssh-portable/tree/e6c85f8889c5c9eb04796fdb76d2807636b9eef5 Scroll to bottom for the upshot
addkeystoagent
addressfamily
afstokenpassing
batchmode
bindaddress
canonicaldomains
canonicalizefallbacklocal
canonicalizehostname
canonicalizemaxdots
canonicalizepermittedcnames
AGWA / gist:bf0aad23c931f8e1063f
Created December 14, 2015 19:04
Email-only CAs trusted by Debian for TLS authentication
AC Raíz Certicámara S.A. (server trust = CKT_NSS_MUST_VERIFY_TRUST)
ComSign CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)
Equifax Secure CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)
Equifax Secure Global eBusiness CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)
Equifax Secure eBusiness CA 1 (server trust = CKT_NSS_MUST_VERIFY_TRUST)
NetLock Business (Class B) Root (server trust = CKT_NSS_MUST_VERIFY_TRUST)
NetLock Express (Class C) Root (server trust = CKT_NSS_MUST_VERIFY_TRUST)
NetLock Qualified (Class QA) Root (server trust = CKT_NSS_MUST_VERIFY_TRUST)
S-TRUST Authentication and Encryption Root CA 2005 PN (server trust = CKT_NSS_MUST_VERIFY_TRUST)
S-TRUST Universal Root CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)