Makura no Soshi

Just did some housekeeping of my server I want to document.

Most importantly I got myself a Let’s Encrypt TLS certificate for this blog (and my mailserver), so you no longer have to deal with my self-signed cert to use HTTPS. There has been some discussion about their official client tool, but for a first release it does not seem to be too bad; at least it is written in Python and not in Java or Scala etc. The ACME protocol itself looks sensible and I look forward to more lightweight implementations in the future.

Having a public CA also gave me the opportunity to add an HTTP Strict Transport Security header. Now the next step would be HTTP Public Key Pinning, but that is still out of range for a non-professional website; because Let’s Encrypt may still change their intermediary CA certificate and I also do not have a backup CA that I could use in case of a problem. (BTW, nice HPKP advice on the Let’s Encrypt community site.)

Somewhat related I also expired my old 1024 bit PGP key from  as well as the PGP key of my former work address at DECK36. (BTW, here is a nice description how-to edit gpg key expiration dates by George Notaras.) In order to reach me securely please use my current PGP key (0x4dc5e2280a327754, also on my Contact page).

One personal goal this winter is to do more programming in beautiful languages.

At this moment I am quite excited about Python 3, Perl 6, and Go. Read the rest of this entry »

Ganz ohne Ankündigung hat mein DNS-Provider irgendwann in letzter Zeit seinen Nameservern endlich auchIPv6-Adressen gegeben.

Das war der letzte Schritt um meine Website aus einem IPv6-only-Netz heraus erreichen zu können. Und gleichzeitig der letzte Schritt für mich um ein schönes T-Shirt von HE.net zu bekommen  ;-)

A nice surprise last week: textproc/libcrm114 became my first official FreeBSD port.  :-)

Read the rest of this entry »

One subsystem of a PHP server is its session handling. In multi user systems the choice of handlers requires a tradeoff between performance, persistence, and security/user isolation. Because my setup does not seem to be common I document it here. Read the rest of this entry »

Ich möchte certutil für Unix haben… Dieses Windows-Tool dekodiert und verarbeitet ASN.1-Dateien für kryptographische Protokolle. Dabei kann es mehr als nur X.509-Zertifikate lesen (das geht auch mit den openssl-Tools gut) – ich brauchte es konkret um mir eine PKCS#7 Signatur anzeigen zu lassen.

(Ein Programm gleichen Namens ist übrigens Teil der Mozilla Network Security Services; aber auch das arbeitet „nur“ mit X.509 Zertifikaten.)

Da hat der IPv6 Launch Day noch nicht ganz begonnen und das Datenschutztheater um die IP-Adressen fängt schon wieder an.

Wer „anonyme IP-Adressen“ haben möchte darf sich welche aus dem Netz fe80::/10 (für legacy IP 169.254.0.0/16) nehmen. Aber die dann auch niemandem verraten, denn sonst kennen sie deine IP-Adresse und haben damit Macht über dich… :->

Read the rest of this entry »