On Twitter the other day, I was lamenting the state of OCSP stapling support on Linux servers, and got asked by several people to write-up what I think the requirements are for OCSP stapling support.
Support for keeping a long-lived (disk) cache of OCSP responses.
This should be fairly simple. Any restarting of the service shouldn't blow away previous responses that were obtained. This doesn't need to be disk, just stable - and disk is an easy stable storage for most server
| # https://gist.github.com/marcinantkiewicz/9ac20677145f246eb01cd1759cb03f35 | |
| # Author: Marcin Antkiewicz | |
| # [email protected] | |
| # @deciban | |
| # Use: | |
| #find_chrome_extensions -OutputDir "c:\" | |
| #idea ref: https://www.reddit.com/r/PowerShell/comments/5px71w/getting_chrome_extensions/ | |
| #PS 2.o has no convertfrom-json, 2.0 helper from http://stackoverflow.com/questions/28077854/powershell-2-0-convertfrom-json-and-convertto-json-implementation |
| 1) DHCP - iptables rules are not reuqired to make DHCP work. | |
| Linux kernel will not send traffic via ethernet interface untill it has an IP address assigned. DHCP client uses raw sockets to | |
| communicate with the DHCP server, which happens before Iptables have change to process the traffic. | |
| 2) iptables rule = classifier (iptable match) + action (iptables target) | |
| Chains in which rules are applied: | |
| - mangle - used to control TOS attributes, MARKs, TTL. Single table. | |
| - filter - policy decision take place here. Tables: forward (target behind firewall, input (traffic to firewall), output (return, or originating traffic). | |
| - nat - changes to src/dst IPs. Tables: |
| marcin@behemoth:~$ cd ~/src && git clone https://github.com/devttys0/binwalk.git | |
| Cloning into 'binwalk'... | |
| remote: Counting objects: 6364, done. | |
| remote: Total 6364 (delta 0), reused 0 (delta 0), pack-reused 6364 | |
| Receiving objects: 100% (6364/6364), 6.97 MiB | 3.40 MiB/s, done. | |
| Resolving deltas: 100% (3664/3664), done. | |
| Checking connectivity... done. | |
| marcin@behemoth:~$ mkvirtualenv binwalk | |
| New python executable in /home/marcin/.venvs/binwalk/bin/python |
| Download page: | |
| https://wiki.smartos.org/display/DOC/Download+SmartOS | |
| USB image - 2g uncompressed: | |
| Model: Lexar USB Flash Drive (scsi) | |
| Disk /dev/sdb: 16.0GB | |
| Sector size (logical/physical): 512B/512B | |
| Partition Table: msdos | |
| Disk Flags: |
| * cofnig origin ref: http://serverfault.com/questions/235669/how-do-i-make-rabbitmq-listen-only-to-localhost | |
| Bugs: | |
| * epmd stays up after rabbitmq-server is stopped. It's shared amond all Erlang instances, so maintainers feel not one packake should kill it. | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1104843 | |
| * Erlang has a bug requiring ERL_EPMD_ADDRESS to be specified as IPv6. It seems that, if epmd is built with ipv6, it looses ability to bind with ipv4. Fix traversing from upstream. | |
| https://bugs.launchpad.net/ubuntu/+source/erlang/+bug/1374109 | |
| https://github.com/erlang/otp/compare/maint...msantos:epmd-IPv6-node-reg | |
| We run R16B03-1/3.2.4-1 |
| Query - | |
| 200: // return 200 | |
| b@100: // generate 100 random chars in the body | |
| h@1k,ascii_letters=@10,digits: // 1k random chars in header name, | |
| //10 random digits in the value | |
| h"Transfer-Encoding"="chunked": // add T-E Chunked header | |
| // 100 chars in the body added the C-L header already | |
| l"data:text/html;base64,PHNjc..." // and a suspicious Location header | |
| HTTP/1.1 200 OK |