Verify that a private key matches a certificate with PyOpenSSL

Verify that a private key matches a certificate using PyOpenSSL and PyCrypto: The idea is to get the modulus from the two DER structures and compare them. They should be the same. Note: You can use the above under the MIT license. If it doesn’t fit your needs let me know. My intention is to …


Verifying an SSL certificate with python

This one took me a considerable amount of time and I had to figure out some parts from scratch. Unfortunately there doesn’t seem to exist an easy (out-of-the-box) way for checking whether a certificate is signed by another certificate in python. After days of searching and despair, here is a solution without using M2Crypto: Note: You can …


X509v3 Authority Key Identifier pains (authorityKeyIdentifier)

“X509v3 Authority Key Identifier” or “authorityKeyIdentifier” is an X509v3 extension that’s added to X509 certificates and identifies the CA that signed the certificate. I suppose that this speeds up the certificate validation process by eliminating multiple checks.

Short version: Edit openssl.cnf and make sure that authorityKeyIdentifier does not include “issuer”.

Long version: There’s an issue …


IPsec, Racoon, setkey, Linux, Mikrotik, tunnel, transport and everything

It took me more than 6 months in order to sort out all the issues, so here are the experiences. Most of the trouble was because I didn’t know or I didn’t have things clear in my mind. I wanted to have IPsec communication between a bunch of servers and a home network. I believe that this …


DNSSEC key tag (keyid) and DS signature calculation in python

This one took me a considerable amount of hours to figure out so here it is. While trying to automate DNS zone generation I had to calculate some of the values programmatically. Two of the auto-generated values had to do with DNSSEC entries: The key tag (or keyid) and the DS record’s signatures. The required …


TalkTalk traffic interception

Recently I was really annoyed by my ISP (TalkTalk @ UK). In short: They are intercepting traffic and doing deep packet inspection without any warning or approval. But wait, there’s more: In general they monitor web traffic (read: the data) and after intercepting an HTTP request they replay it (yes.. they replay the request). Here’s …


Linux ethernet driver ring buffer

While performing some tests with a congested 10Mbps link, a strange thing happened: The link was congested in only one direction and both endpoint queues were RED queues. Based on the parameters and the queue size, the delay between those two links should have been something near 170ms. However, the delay was much larger: >300ms (!). …


How to disable CDP-4-NATIVE_VLAN_MISMATCH (native vlan mismatch)

Cisco switches support CDP and use it to help us in a number of ways. One of them is to detect a native VLAN mismatch between two connected ports. 99% of the time this is a “good thing to do” ™ but there are some corner cases where this is not what you want. For …


Routes with greater prefix and Proxy ARP ~= IP Mobility

Inside an Autonomous System, it is possible to move a machine to another network while keeping its IP address, even though it goes to a network segment that doesn’t serve the corresponding network. Something like this: RouterA ——– Network Segment | Host A (10.1.0.2/24, GW: 10.1.0.1) It is possible to move Host A to another network …
