1. OCSP Stapling on Apache

    Excerpt from Remy van Elst's tutorial: OCSP stapling is an enhancement to the standard OCSP protocol that delivers OCSP responses from the server with the certificate, eliminating the need for relying parties (web users) to check OCSP responses with the issuing CA. This has the effect of reducing bandwidth, improving perceived site performance, and increasing security for everyone involved in establishing the secure session. This tutorial shows you how to set it up with Apache.


    Create OCSP stapling configuration for Apache.

    cat <<EOF > /etc/apache2/conf-available/sslstapling.conf
    SSLUseStapling on
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
    SSLStaplingResponseMaxAge 900
    EOF

    SSLStaplingCache is only valid in the server-wide context, not inside a VirtualHost, which is why it goes in conf-available rather than in the site file. Enable the configuration, test it and restart Apache if all is OK.

    a2enconf sslstapling
    apache2ctl configtest
    apache2ctl restart

    Check OCSP stapling with OpenSSL. Do not pass -tls1: current servers refuse TLS 1.0 and the handshake would fail before any staple is sent. Look for OCSP Response Status: successful and Cert Status: good in the output; OCSP response: no response sent means the server did not staple.

    openssl s_client -connect «yoursite»:443 -servername «yoursite» -status -tlsextdebug </dev/null

    Note that a client which receives no staple simply falls back to its own OCSP behaviour unless the certificate carries the Must-Staple extension, so stapling improves performance and privacy but does not by itself make revocation checking mandatory.
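    The check above is easy to misread when scrolling through s_client output, so here is a small classifier for it. This is an added example, my own code and not part of Remy van Elst's tutorial or this post; the check_host wrapper, the exit-code scheme and the sample output in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the post: classify a server's OCSP stapling state
# from the output of `openssl s_client -status`. Exit codes (assumed scheme):
#   0 stapled and the responder says "good"
#   1 nothing stapled ("OCSP response: no response sent")
#   2 stapled, but the certificate is revoked or its status is unknown
#   3 a staple was sent, but the responder reported an error status

classify_staple() {
    # Reads s_client output on stdin; prints a one-line verdict.
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo "not stapled"; return 1
    fi
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo "stapled, but responder status is not successful"; return 3
    fi
    # "Cert Status" is the responder's verdict on the leaf certificate itself.
    status=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cert Status:[[:space:]]*//p' | head -n 1)
    case "$status" in
        good)    echo "stapled: good"; return 0 ;;
        revoked) echo "stapled: REVOKED"; return 2 ;;
        *)       echo "stapled: cert status '$status'"; return 2 ;;
    esac
}

check_host() {
    # $1: hostname, $2: port (default 443). Hypothetical wrapper: -servername
    # sends SNI so the right virtual host answers, and stdin from /dev/null
    # makes s_client exit right after the handshake.
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -status \
        </dev/null 2>/dev/null | classify_staple
}
```

    Run it as check_host «yoursite»; the exit code is what you would feed into a monitoring check, since a site that silently stops stapling (expired cached response, responder unreachable) still serves pages normally.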


  2. How to get A+ on SSL Labs

    This will show how to get A+ on SSL Server Test from Qualys SSL Labs.

    Enable the SSL and headers modules in Apache2.

    a2enmod ssl
    a2enmod headers

    Edit the Apache configuration for the site. The SSLCipherSuite value is the cipher string discussed under View ciphers below.

    SSLCertificateFile /etc/ssl/crt/«yourcert».pem
    SSLCertificateKeyFile /etc/ssl/crt/«yourkey».pem
    SSLCertificateChainFile /etc/ssl/crt/«intermediatechain».pem
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite "EECDH:EDH:AES:!aNULL:!eNULL:!LOW:!RC4:!3DES:!DES:!MD5:!EXP:!PSK:!SRP:!DSS"

    The ! preceding a cipher or cipher class in that string means that Apache will not use it. Two things have changed since these notes were written: SSLCertificateChainFile is deprecated since Apache 2.4.8 (append the intermediates to the file given in SSLCertificateFile instead), and SSL Labs now caps the grade at B when TLS 1.0 or 1.1 is enabled, so to keep the A+ use SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 (or, equivalently, SSLProtocol -all +TLSv1.2 +TLSv1.3).

    View ciphers

    List the cipher suites OpenSSL enables for the cipher string used in the configuration. (The old -ssl3 option no longer exists in current OpenSSL builds, so it is left out.)

    openssl ciphers -v "EECDH:EDH:AES:!aNULL:!eNULL:!LOW:!RC4:!3DES:!DES:!MD5:!EXP:!PSK:!SRP:!DSS"


    With this configuration Apache prefers cipher suites with perfect forward secrecy (EECDH first, then EDH). If a client cannot negotiate one, it falls back to AES with plain RSA key exchange. This works with all current browsers. The exceptions are older IE on Windows XP, older Java and a few bots, which only offer RC4 or 3DES (both excluded here) or cannot handle DH parameters larger than 1024 bits.

    Where there are no links to the information source it's taken from the documentation on openssl.org.

    Header always set Strict-Transport-Security

    Forces the browser to use HTTPS even if the user enters HTTP. The browser should remember this setting for a long time, for example a year; SSL Labs requires a max-age of at least 180 days for an A+.

    SSLHonorCipherOrder On

    Use the server's preferred cipher order, not the browser's, which may put a weaker cipher first.

    EECDH

    Ephemeral elliptic-curve Diffie-Hellman, see ECDH.

    EDH

    Ephemeral Diffie-Hellman, see Diffie–Hellman key exchange.

    AES

    Advanced Encryption Standard.

    !aNULL

    The cipher suites offering no authentication. This is currently …
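    The directives explained above are exactly the ones that decide the grade, and they are easy to regress with a later edit. The following is an added example, my own check rather than anything from this post or from SSL Labs: it audits an Apache SSL config fragment for those settings. The thresholds (TLS 1.2 as the floor, HSTS max-age of at least 15552000 seconds, i.e. 180 days) match what SSL Labs has required since 2020 but are assumptions here, and the function only inspects the file, it does not test a live server.

```shell
#!/bin/sh
# Added example (my own check, not part of the post and not SSL Labs' grader):
# audit an Apache SSL config fragment for the settings the post relies on.
# Thresholds are assumptions: TLS 1.2 as the floor, HSTS max-age >= 15552000.

proto_enabled() {
    # $1: SSLProtocol value, $2: protocol name. Echoes yes or no.
    # Apache semantics: "all" enables everything, "-X" removes X, "+X"/"X"
    # adds X; an explicit "-X" wins regardless of its position.
    all=no; en=no
    for tok in $1; do
        case "$tok" in
            all|+all)   all=yes ;;
            "-$2")      echo no; return 0 ;;
            "$2"|"+$2") en=yes ;;
        esac
    done
    if [ "$all" = yes ] || [ "$en" = yes ]; then echo yes; else echo no; fi
}

audit_ssl_conf() {
    # $1: path to the config file. Prints one finding per line and returns the
    # number of findings, so a return value of 0 means nothing was flagged.
    n=0
    conf=$(sed 's/#.*//' "$1")   # drop comments so commented-out directives do not count
    proto=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*SSLProtocol[[:space:]][[:space:]]*//p' | head -n 1)
    if [ -z "$proto" ]; then
        echo "SSLProtocol not set: Apache's default allows TLS 1.0 and 1.1"; n=$((n+1))
    else
        for p in SSLv2 SSLv3 TLSv1 TLSv1.1; do
            if [ "$(proto_enabled "$proto" "$p")" = yes ]; then
                echo "$p is still enabled in SSLProtocol ($proto)"; n=$((n+1))
            fi
        done
    fi
    if ! printf '%s\n' "$conf" | grep -Eqi '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on([[:space:]]|$)'; then
        echo "SSLHonorCipherOrder is not on: the client picks the cipher"; n=$((n+1))
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*SSLCipherSuite[[:space:]]'; then
        echo "SSLCipherSuite not set: Apache's default cipher list is used"; n=$((n+1))
    fi
    age=$(printf '%s\n' "$conf" | sed -n 's/.*Strict-Transport-Security.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$age" ]; then
        echo "no Strict-Transport-Security header"; n=$((n+1))
    elif [ "$age" -lt 15552000 ]; then
        echo "HSTS max-age $age is under 15552000 (180 days)"; n=$((n+1))
    fi
    return $n
}
```

    Running audit_ssl_conf against the configuration shown in this post reports two findings, TLSv1 and TLSv1.1 still enabled, which is precisely the change needed to keep the A+ today.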


  3. Auto generate Pelican blog from Dropbox

    These are my notes on how to update my Pelican blog automatically when I write new posts. See Creating a blog based on Pelican for getting started with the Pelican blog engine.

    A way to be able to blog from anywhere is to use Dropbox as the repository for your blog, and then let Pelican regenerate the blog automatically on changes in the Dropbox folder.

    A prerequisite for this recipe is that /var/www is not directly exposed to the web: Dropbox is installed in the home directory of www-data, so ~/.dropbox (the daemon's state and account token) and ~/Dropbox (your unpublished sources) would otherwise be reachable through the web server.

    Preparing Dropbox

    First create a new Dropbox account and create a Pelican folder. Share this folder with your main Dropbox account, so the web server only ever holds a token for the separate account and not for your personal one. Now copy the sources for your Pelican blog into the shared folder.

    On your web server, install Dropbox under the www-data user.

    cd ~ && wget -O - "https://www.dropbox.com/download?plat=lnx.x86_64" | tar xzf -

    Then link up the new Dropbox account to the web server by accessing the link you get from starting the Dropbox daemon.


    Edit the crontab for www-data (crontab -e as that user) to start the Dropbox daemon if it is not running. This is useful when the server reboots.

    */5 * * * * pgrep -F ~/.dropbox/dropbox.pid >/dev/null || (~/.dropbox-dist/dropboxd &)

    Now Dropbox should be in sync and have your latest source for the blog.

    Autogenerate blog on change

    We need to install Pelican blog engine and incron to trigger auto generation of the blog on changes in the ~/Dropbox/Pelican/content folder.

    sudo apt-get install python-pelican python-markdown incron

    Edit DROPBOX_DIR the the Pelican Makefile to point to the VirtualHost which stores …


  4. Configuring OpenVPN server on RTN66U

    The router firmware Tomato, see the previous post RT-N66u with Tomato by Shibby firmware, can act as an OpenVPN server.

    Using open Wi-Fi access points can be very useful and sometimes necessary, but it is inherently insecure. Using the router as an OpenVPN server can increase your privacy and security when you are on the go. By creating an encrypted VPN connection back home to the router, you not only get protection from nosy eavesdroppers on the access point, you also get access to all your equipment behind the router at home.

    For OpenVPN to work we need to create our own CA for signing the server (router) certificate and, optionally, client certificates. These notes only show how to create a server certificate and configure the router with username and password authentication. With password-only clients, the CA and the server certificate are all that stop a spoofed access point from impersonating your router, so guard the CA key accordingly.

    Preparations, create CA

    Install the necessary software. haveged is not required, but it speeds up key generation on a machine with little entropy, see Better entropy with haveged.

    sudo apt-get install easy-rsa haveged

    Create a work directory for OpenVPN. Take care to protect this directory and the files under it: it will hold the CA private key, and anyone who obtains that key can issue certificates your VPN clients will trust.

    make-cadir «yourdomain»

    Enter your CA directory.

    cd «yourdomain»

    Edit the vars file and change the following variables to something more sensible for you.

    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CA"
    export KEY_CITY="SanFrancisco"
    export KEY_ORG="Funston-Fort"
    export KEY_EMAIL="me@myhost.mydomain"

    Source the variables into current bash session.

    source ./vars

    Do an initial clean. This empties the keys directory, so only run it when starting a new CA.

    ./clean-all

    Create your CA public and private key.

    ./build-ca

    Generate your Diffie–Hellman parameters.

    ./build-dh

    Create your router's public and private key.

    ./build-key-server «yourrouter»

    Listing of folder keys should …
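    The easy-rsa scripts hide what actually goes into the certificates. The following is an added example, my own code and not easy-rsa's scripts or anything from this post: it builds what build-ca and build-key-server produce (a CA and a server certificate signed by it) with plain openssl, so the extensions that matter for OpenVPN are visible, and it checks the result. The directory name, the CA name and the key sizes are assumptions. The equivalent of build-dh is openssl dhparam -out dh2048.pem 2048; it is left out because it takes minutes to run.

```shell
#!/bin/sh
# Added example, my own code rather than easy-rsa's scripts: a CA plus a
# server certificate for the router, built with plain openssl. Names, paths
# and key sizes are assumptions.

make_openvpn_pki() {
    # $1: output directory, $2: the router's common name.
    # Returns non-zero if any step fails.
    dir=$1; cn=$2
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077   # every file created below is readable by the owner only
        # CA key and self-signed CA certificate, marked CA:TRUE and limited
        # to signing certificates and CRLs.
        openssl genrsa -out ca.key 2048 2>/dev/null || exit 1
        openssl req -new -key ca.key -subj "/CN=OpenVPN CA" -out ca.csr 2>/dev/null || exit 1
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        openssl x509 -req -in ca.csr -signkey ca.key -days 3650 \
            -extfile ca.ext -out ca.crt 2>/dev/null || exit 1
        # Server key and certificate request for the router.
        openssl genrsa -out "$cn.key" 2048 2>/dev/null || exit 1
        openssl req -new -key "$cn.key" -subj "/CN=$cn" -out "$cn.csr" 2>/dev/null || exit 1
        # Sign it as a server certificate. extendedKeyUsage=serverAuth is what
        # a client's "remote-cert-tls server" option checks, so a leaked client
        # certificate cannot be used to impersonate the router.
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > server.ext
        openssl x509 -req -in "$cn.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 3650 -extfile server.ext -out "$cn.crt" 2>/dev/null || exit 1
    )
}

check_server_cert() {
    # $1: directory, $2: common name. Returns 0 if the certificate chains to
    # ca.crt, is usable as a TLS server certificate, and no private key in the
    # directory is world-readable; 1, 2 or 3 otherwise.
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/$2.crt" -noout -purpose 2>/dev/null \
        | grep -q '^SSL server : Yes' || return 2
    [ -z "$(find "$1" -name '*.key' -perm -004 2>/dev/null)" ] || return 3
}
```

    Usage: make_openvpn_pki ./«yourdomain» «yourrouter» && check_server_cert ./«yourdomain» «yourrouter». The same check_server_cert can be pointed at easy-rsa's keys directory to confirm that build-key-server set the server extensions and that the key files are not world-readable.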


  5. Better entropy with haveged

    Entropy is important for generating good encryption keys. If you have a busy server relying on crypto and generating keys, you need a lot of good entropy. And if you have a diskless system you do not get as much entropy from the kernel as you may wish. One way to get a lot of entropy is to use haveged. Haveged harvests timing jitter from the processor rather than expanding a fixed seed, which is why it is described as closer to a TRNG than a PRNG; how much real entropy that jitter carries, especially inside a virtual machine, is debated, so treat it as a supplement to the kernel's own sources rather than a replacement.

    Excerpt from haveged's homepage: The haveged project is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers. Current development of haveged is directed towards improving overall reliability and adaptability while minimizing the barriers to using haveged for other tasks.

    How to install

    Install haveged from the repository - and that's it.

    sudo apt-get install haveged

    Enjoy fast, good entropy. Check your entropy pool:

    cat /proc/sys/kernel/random/entropy_avail

    On kernels from 5.6 onward /dev/random no longer blocks once the pool has been initialised at boot, which removes the main reason for running haveged, and since 5.18 entropy_avail reports a constant 256 rather than a fill level, so on a current kernel the number above says nothing about whether more entropy is needed.


  6. RT-N66u with Tomato by Shibby firmware

    This is a part of my personal notes. Use this information at your own risk. If you are uncertain or don't know what you are doing, do not proceed.

    Asus RT-N66U is a Linux based wireless router. The stock firmware can be a bit limiting for the more advanced user. If you want better QoS, OpenVPN or just more control over the network I recommend installing Tomato by Shibby firmware.

    Download the latest version of the firmware from Tomato by Shibby. Look for Asus RT-N66u 64k in the version folder of the K26RT-N repository.

    I use the all-in-one (AIO) build, i.e. tomato-K26USB-1.28.RT-N5x-MIPSR2-117-AIO-64K.trx.

    Flash RT-N66u

    1. Download the latest Tomato by Shibby, e.g. tomato-K26USB-1.28.RT-N5x-MIPSR2-117-AIO-64K.trx.
    2. Connect the router to a computer with a cable.
    3. Turn off the router.
    4. Turn on the router while holding in the reset button. Wait until the power LED starts blinking. The router is now in flash mode.
    5. Configure the network on the computer with a static address on the router's subnet.
    6. Browse to the router, erase NVRAM and upload the new firmware.
    7. This takes some time.
    8. Configure the network on the computer to DHCP and wait until it receives an address.
    9. Browse to the router and start configuring it.


    Problems booting? Try to reset NVRAM again. Resetting NVRAM can also be done by holding in the WPS button while powering on. Don't release the WPS button before 30 seconds have passed.


  7. Find duplicate files

    Find all duplicate files in the current directory and its sub-directories with bash (GNU find and coreutils are assumed; the starting point . is written out because POSIX find requires it, GNU find merely tolerates leaving it off).

    find . -not -empty -type f -printf '%s\n' | sort -rn | uniq -d | xargs -I{} -n1 find . -type f -size {}c -print0 | xargs -0 md5sum | sort | uniq -w32 --all-repeated=separate


    1. Find all non-empty files and print their sizes.
    2. Do a reverse numeric sort on the size list.
    3. Print only the sizes that occur more than once.
    4. One size at a time, run find again and print the matching file names, NUL-separated so names with spaces survive.
    5. Compute the md5sum of each candidate file.
    6. Sort by md5sum so equal hashes end up adjacent.
    7. Print the entries whose first 32 characters (the md5 hash) repeat, in groups.

    Because step 7 compares only the hash, two different files with colliding MD5 hashes would be reported as duplicates, and MD5 collisions are cheap to construct. For anything but your own trusted files, use sha256sum with uniq -w64, or confirm candidates with cmp before deleting anything.


    Or do it the easy way and install a tool for finding duplicate files. fdupes is much faster than the one-liner above, and after matching sizes and MD5 signatures it compares candidates byte by byte, so a hash collision cannot produce a false duplicate.

    apt-get install fdupes

    This does more or less the same thing as the one-liner.

    fdupes -r .
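    For the case where you cannot install fdupes but want the same guarantee, here is an added example of the three-stage approach, my own code and not the post's one-liner or fdupes itself: size first, then SHA-256, then a byte-for-byte cmp, so a hash collision alone can never make two different files "duplicates". It assumes GNU or busybox userland (sha256sum, find -size +0c) and file names without tabs or newlines.

```shell
#!/bin/sh
# Added example (my own code, not the post's one-liner and not fdupes):
# duplicate files by size, then SHA-256, then byte-for-byte comparison.
# Assumes GNU/busybox userland and file names without tabs or newlines.

find_dupes() {
    # $1: directory to scan. Prints one "first<TAB>duplicate" pair per line,
    # where "first" is the first file of each group in sort order.
    #
    # Stage 1: collect sizes (wc -c on one file at a time avoids wc's "total"
    # line) and keep only files whose size occurs more than once.
    # Stage 2: hash just those candidates.
    # Stage 3: pair each file with the first file carrying the same hash, then
    # confirm every pair with cmp before printing it.
    tab=$(printf '\t')
    find "$1" -type f -size +0c -exec wc -c {} \; 2>/dev/null |
    awk '{ size = $1; sub(/^ *[0-9]+ /, "")        # $0 is now the path
           files[size] = files[size] ? files[size] "\n" $0 : $0
           n[size]++ }
         END { for (s in n) if (n[s] > 1) print files[s] }' |
    while IFS= read -r f; do sha256sum "$f" 2>/dev/null || :; done |
    sort |
    awk '{ h = $1; sub(/^[^ ]+  /, "")            # $0 is now the path
           if (h == prev) print first "\t" $0
           else { prev = h; first = $0 } }' |
    while IFS= read -r line; do
        a=${line%%"$tab"*}; b=${line#*"$tab"}
        if cmp -s "$a" "$b"; then printf '%s\t%s\n' "$a" "$b"; fi
    done
    return 0
}
```

    Usage: find_dupes . prints the pairs; pipe it through cut -f2 to get the list of files that could be removed while keeping one copy of each. The cmp stage costs one extra read per pair, which is exactly the price fdupes pays for the same reason.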


« Page 2 / 3 »