Static IPv6 subnetting at home with dynamic prefix delegation

The problem: how to have IPv6 subnetting on a non-flat network at home when you receive a dynamic IPv6 prefix via DHCP6-PD (prefix delegation) from an ISP. This is about a setup where you have (e.g.) a DSL line and a router that receives a prefix (e.g. a /56 prefix) via DHCP6-PD. Since the prefix is …

Using TCP-LP with pycurl in Python

Intro: TCP-LP (low priority) is a TCP congestion control algorithm that is meant to be used by TCP connections that don’t want to compete with other connections for bandwidth. Its goal is to use the idle bandwidth for file transfers. The details of TCP-LP are here. With Linux’s pluggable congestion control algorithms, it is possible …

Multiple relay configuration based on sender address with sendmail

One of the needs that came up was to be able to use separate relay configurations based on the sender email address, using sendmail. The problem is that sendmail is missing support for most parts of that sentence. In the end the solution involved a combination of sendmail, smarttable, procmail and msmtp. The idea is …

OpenVPN and remote-cert-tls server

This required a bit of digging into OpenVPN’s and OpenSSL’s code to figure out.

The problem: this error:

Thu Sep 11 00:12:05 2014 Validating certificate key usage
Thu Sep 11 00:12:05 2014 ++ Certificate has key usage  00f8, expects 00a0
Thu Sep 11 00:12:05 2014 ++ Certificate has key usage  00f8, expects 0088

The condition …

Linux, multicast, bridging and IPv6 troubles (i.e. why my IPv6 connectivity goes missing)

For a long time now I had a very annoying problem with IPv6 under Linux. My setup is as follows: Linux box <-> Switch <-> Router. The Linux box uses a bridge interface (br0) and usually only has one physical interface attached to it (eth0). That’s a very convenient setup. The problem is that after …

Verify that a private key matches a certificate with PyOpenSSL

Verify that a private key matches a certificate using PyOpenSSL and PyCrypto: The idea is to get the modulus from the two DER structures and compare them. They should be the same. Note: You can use the above under the MIT license. If it doesn’t fit your needs let me know. My intention is to …

Verifying an SSL certificate with python

This one took me a considerable amount of time and I had to figure out some parts from scratch. Unfortunately there doesn’t seem to exist an easy (out-of-the-box) way for checking whether a certificate is signed by another certificate in Python. After days of searching and despair, here is a solution without using M2Crypto: Note: You can …

X509v3 Authority Key Identifier pains (authorityKeyIdentifier)

“X509v3 Authority Key Identifier” or “authorityKeyIdentifier” is an X509v3 extension that’s added to X509 certificates and identifies the CA that signed the certificate. I suppose that this speeds up the certificate validation process by eliminating multiple checks.

Short version: Edit openssl.cnf and make sure that authorityKeyIdentifier does not include “issuer”.

Long version: There’s an issue …

IPsec, Racoon, setkey, Linux, Mikrotik, tunnel, transport and everything

It took me more than 6 months to sort out all the issues, so here are the experiences. Most of the trouble was because I didn’t know or I didn’t have things clear in my mind. I wanted to have IPsec communication between a bunch of servers and a home network. I believe that this …

DNSSEC key tag (keyid) and DS signature calculation in python

This one took me a considerable amount of hours to figure out so here it is. While trying to automate DNS zone generation I had to calculate some of the values programmatically. Two of the auto-generated values had to do with DNSSEC entries: The key tag (or keyid) and the DS record’s signatures. The required …