Tagged as: General

OpenSSL for!
April 18, 2014 by Noah

A while after the Heartbleed SSL vulnerability made headlines, ran an article titled "It's Time to Encrypt the Entire Internet" urging everyone to deploy SSL/TLS encryption on their sites.

SSL certificates tend to be pretty expensive, though, which is one reason I hadn't looked into it that closely in the past. In a Reddit comment thread about that Wired article some people mentioned Namecheap as a good option for simple SSL certs. So, I got a simple domain-level certificate for $9 for :) So all URLs are now running over https! This blog post is about the experience of setting up SSL and wrestling with various applications in the process.

Generating the Certificate

The simplest guide I found that I followed to make a certificate was Generate CSR - Apache OpenSSL. One command creates a passphrase-protected key file, the next one generates the signing request:

openssl genrsa –des3 –out kirsle.key 2048​
openssl req -new -key kirsle.key -out kirsle.csr

You apparently need a 2048-bit RSA key these days before a Certificate Authority will consider your signing request. I pasted in my CSR file and filled out some forms, got an e-mail verification sent to the address on my WHOIS record for my domain, and before I knew it I was e-mailed a zip file containing my certificate and the Comodo CA certificates.

Certificate Chain File

Various apps will need your Certificate Authority's chain to be in a single file. You can create this file by catting the certificates into one file in "reverse" order, with your site's certificate on top, and the root certificate on bottom. Comodo gave me these files (and this is also the order for the chain file):

  • certificate: www_kirsle_net.crt
  • Intermediate CA certificate: COMODORSADomainValidationSecureServerCA.crt
  • Intermediate CA certificate: COMODORSAAddTrustCA.crt
  • Root CA certificate: AddTrustExternalCARoot.crt

So I generated the chain as follows:

cat www_kirsle_net.crt COMODORSADomainValidationSecureServerCA.crt \
    COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > cacert.pem

Apache2 mod_ssl

I'm running a Debian server, so I just symlinked the ssl.load and ssl.conf files from my /etc/apache2/mods-available into my mods-enabled, and then edited the ssl.conf. All I changed in it was to uncomment the SSLHonorCipherOrder on line.

I removed the sites-enabled/default-ssl and then edited my config file to add a <VirtualHost *:443> version. I had to look at the default-ssl file to get an idea which options were needed (if I missed any, Apache would fail to start!)

Relevant SSL options for my VirtualHost:

    # SSL
    SSLEngine on
    SSLCertificateChainFile /etc/ssl/crt/cacert.pem
    SSLCertificateFile /etc/ssl/crt/www_kirsle_net.crt
    SSLCertificateKeyFile /etc/ssl/crt/kirsle.key
    SSLOptions +StdEnvVars
    BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Note: if you leave out the chain file, web browsers will still behave fine (because they're smart enough to download the intermediary certificates themselves), but other things will break. For example, the Python requests module will throw an SSL exception if the server doesn't give it the intermediary certificates!

After making sure was working, I made an update to my Rophako CMS to support SSL sites better and then made the switch-over. Any requests going to my HTTP are redirected to the SSL version and given a Strict Transport Security header.

As a fun side note, Apache supports Perfect Forward Secrecy by default (using the default SSLCipherSuite option of HIGH:MEDIUM:!aNULL:!MD5).

Starting or restarting Apache requires you to enter the SSL key's passphrase at the command line. For simple config updates, service apache2 graceful will reload them without needing a full restart, so you don't need to enter the passphrase then.

Dovecot IMAP

I use Dovecot for my IMAP mail server on, and I wanted it to use my shiny new SSL certificate. Before this, I was using a self-signed certificate, and apparently Thunderbird doesn't even warn you if that self-signed certificate changes at any point. After the Heartbleed vulnerability was fixed, I re-generated new self-signed certs and was shocked that Thunderbird happily accepted the new certificate without even telling me. It would've been extremely easy to Man-in-the-Middle my e-mail server. (I had since then installed an extension in Thunderbird to police SSL certificates for me as a workaround).

So, configuration is pretty simple, just edit /etc/dovecot/conf.d/10-ssl.conf and enter in the new paths to your chain file and private key. Note that if you use just your domain's certificate, clients like Thunderbird that support SSL properly will complain about the certificate being insecure, and unlike web browsers, Thunderbird doesn't bother downloading the intermediary certificates itself.

One catch with Dovecot is that if your private key file is encrypted with a passphrase like mine is, doing service dovecot restart won't work. Dovecot will start in a way where it won't support TLS but will otherwise appear to function normally.

To start Dovecot with a passphrase, you need to run dovecot -p (as root) to start the service. It will prompt for your passphrase at the command line and then start up. The service can be stopped normally using service dovecot stop.

Postfix SMTP Server

This one I'm a bit upset about. Postfix has absolutely NO support for using a passphrase protected TLS key file! Even their official documentation states that the key file must not be encrypted.

That is so full of wtf. Postfix is a widely deployed SMTP server for Linux, and it has to use insecure, unprotected TLS key files. So, I'm still using a self-signed certificate for Postfix (and my Thunderbird add-on will tell me if this certificate ever changes, so don't get any ideas!). I don't send outgoing mail very often, anyway, and if I care enough I'll PGP encrypt. But, I'll be looking into an alternative SMTP server sometime soon.

Tags: 4 comments | Permalink
Goodbye, PerlSiikir!
April 6, 2014 by Noah
As of a few minutes ago, is no longer powered by Perl. Instead, I've been working on a new content management system written in Python to replace it.

The reasons for the switch-over are numerous:

  1. The old Perl code was originally written for my previous version of my other project, Siikir, and the code was for an entire social networking type of site with lots of features, among which were Blogs, Photo Albums, and Comments (the three that made use of). didn't make use of the other features.
  2. The Perl code also had some memory leaks, which I tried for a while to eliminate but wasn't making much progress with. It was running as a FastCGI script, and the most notable side effects of the memory leaks were that my web server would randomly kill off unrelated processes, such as Minecraft servers or my XMPP server, because my index.cgi on was sucking up so much memory. ;)
  3. Setting up PerlSiikir on a brand new server was an hours-long task. It needed a recent version of Perl, which needed a perlbrew installation done, and then a lot of modules needed manual installation. Seriously, look at my install notes. The new Python web app takes only minutes to set up.
  4. I like Python better nowadays than Perl. :)
And the best news of all is that my new Python CMS is open source!

I named the new project Rophako, because I was sitting at the Github "new repository" screen for a half hour trying to think of a name, and ended up just making use of my Azulian Translator to come up with a name. So, Rophako is Azulian for "Website." I'm a clever genius, I know. ;)

You can check out Rophako on Github: The "default website" that comes with it isn't very polished yet; I literally just finished writing the code to support So, sometime later I'll tidy up the default website and have a working copy of it running on some subdomain like

Anyway, this is the new CMS. I ported over all my old blog posts, comments, comment subscriptions, and things of the sort. All the old URLs should work too, due to my module in Rophako. If anybody finds any broken links or issues with the site, let me know. :)

Update (4/9/14):

I've polished up Rophako's default site and have an example running here:

That's the site you'd get if you download and install Rophako (minus the blog posts and photos ;) ). So... the project is officially in "beta" status now and is usable!

Tags: 0 comments | Permalink
Skype and Windows Live Messenger
February 28, 2014 by Noah
Back in the day, I ran a couple of chatbots on Windows Live Messenger (although it was called MSN Messenger then), so I'm reasonably familiar with how the Microsoft Notification Protocol (MSNP) works. We had a Perl module called which works with the MSNP10 version of the protocol, and it probably still works today.

That's right, the Windows Live Messenger protocol is still perfectly alive and well today. A while back, I booted my Windows OS on my PC where I still had Pidgin set up to sign me into MSN, and surprisingly it still worked. One of my Skype contacts sent me a message over Pidgin, and their "MSN e-mail address" had an "@SkypeDomain.fakedomain" domain part. It seems that now, though, while the MSN servers are still up, they at least block non-Chinese users from authenticating (Pidgin says "invalid response from server").

The Skype/MSN merger was done in a pretty half-assed way by Microsoft:

  • If you sign in with your Skype username, you only see Skype contacts.
  • If you sign in with your MSN username, you see both MSN and Skype contacts.
  • Even though you can use your old MSN username, and chat with existing MSN contacts, there doesn't seem to be a way to add a new MSN contact through Skype.
It appears that the Skype client actually acts like a "mini Pidgin": when you sign in with your old MSN account, Skype actually signs you in separately to the Skype and MSN servers. And, on the MSN side of things, the "@SkypeDomain.fakedomain" extension was probably implemented similarly to what happened when MSN and Yahoo joined forces, and your Yahoo contacts on MSN would have "" domain extensions.

I don't get why Microsoft doesn't just pull the plug on MSNP completely, and force everyone to get a Skype name if they don't already have one linked with their MSN accounts.

Tags: 4 comments | Permalink
New Server
May 31, 2013 by Noah
I've migrated and all my other websites and MineCraft servers to a new home. They're now on a beefier dedicated server (8GB RAM instead of the old 4GB) which is actually 50% less expensive than the old server.

My Minecraft servers are being rearranged as well. This new machine has 5 IPv4 addresses, and each of my MC servers will get its own IP and hostname instead of having to juggle port numbers.

Tags: 2 comments | Permalink
Comment Subscriptions
June 9, 2012 by Noah
Because people frequently post comments on some of my blog posts asking for help with something the post was talking about, I've added a new feature! You can subscribe to future comments on a blog post now. :) When adding a comment, there is a new optional e-mail address field, and a checkbox to subscribe to future replies on that comment thread. So you can get an instant update whenever I (or anyone else) posts a comment on that page. All the notification e-mails contain links to unsubscribe your e-mail from the mailing list, and if you want to unsubscribe to all comment threads, there's a way to do that too. :)

See the comment privacy policy for details and a global unsubscribe form.

Tags: 0 comments | Permalink
Firefox Nightly
April 23, 2012 by Noah

If anyone's interested, I wrote a Perl script that downloads and installs Firefox Nightly on a Unix-like operating system.

By default, it installs the application into /opt/firefox-nightly, with a link to run it at /usr/bin/firefox-nightly. This way, it doesn't conflict with your already-installed version of Firefox. Furthermore, it will put a launcher item in your Applications/Internet menu.

You can get it from here:

$ mkdir ~/bin
$ wget -O bin/ffnightly
$ chmod +x bin/ffnightly
$ ffnightly

Tags: 0 comments | Permalink
Turn off monitor from Linux CLI
March 21, 2012 by Noah
I keep looking up this information and then losing track of it, so I'm posting it here for my own reference.

This command will turn off the monitor on a Linux box from the command line (sorta like what happens when you have your power saving options configured to do this automatically after a length of time):

xset dpms force off
The monitor turns off until you hit a keyboard button or move the mouse. With this info you could set up a keyboard shortcut to run this command and have something like a "lock screen button" on your netbook, to turn off the display on command and conserve battery life for a little bit longer than usual.

For a "lock screen button" that also locks the screen in addition to turning it off, a pair of commands like this may be handy:

xset dpms force off; xscreensaver-command --lock
Tags: 17 comments | Permalink
Kirsle CMS Upgrade
March 30, 2011 by Noah
I've upgraded the back-end Perl code that powers

It is now running on the same code that Siikir runs on. I did this for a few reasons:

  • URLs look cleaner now. Instead of /blog.html?u=kirsle&id=114 you get nicer looking URLs like /blog/kirsle/kirsle-cms-upgrade.
  • I want to partition off my blogging some more. I've had the "Channels" view where you can narrow posts by topic, but I want further partitioning: I'll have different usernames on, each with their own blogs. So, expect a user to pop up who will write about personal things that most of y'all probably don't care about anyway.
  • The new code is more efficient than the old code.
It only took me a couple days to port the site over. I had to go and program in web blog support, and commenting support (for blog posts, photos and my guestbook page). This means that these features are also going to be coming to Siikir in the near future, once I harden them against dumb users first.

All the old links to old pages on will now automatically redirect to their new locations.

Tags: 0 comments | Permalink
Where did all my free time go?
March 23, 2011 by Noah
After my recent move back to my hometown, a guy I apparently used to chat with all the time several years ago found me on Grindr. I had no recollection of who this guy is, and the only person I could think of who shared a name with him was a member of one of my super old social networking sites.

Back when I was about 16 or 17 years old, I created a gay social networking site named RainbowBoi. I later rebranded it to XYBois before losing interest in it entirely, and now it's called Siikir. Anyway, I decided to dig up my old backups of this site to dig up the picture of the guy I think I'm talking to. It was him.

But poking around at the user profile data for the old sites, I got the idea to try dusting the code off and get it running again on my local web server... just for nostalgia's sake. Get the site up, dos2unix convert all its data files so that I can log into it, and just click around and see how the site used to be back in its day, back from 2005-06.

Throughout this blog post, all the small screenshot thumbnails can be clicked to view the full size.

(the homepage. click for bigger screenshot)

This version of the site was in the middle of being rebranded. The Perl source code that powers the site is also the same code I had written for my old AiChaos site, which you can see here on my archive subdomain. The code is ugly to look at, because I was relatively new to programming.

But newbie as I was, I was apparently quite ambitious. This site was very featureful: it had social networking features (including photo comments and private messaging and search and friend lists), it had helpful articles to read about coming out of the closet and topics like that, it had some public photo albums which were surely pretty popular, it had a "straight-acting" quiz. It even had a chat room, where I had programmed my own chat protocol, client program and server from scratch.

It even had used Image::Magick to scale the user photos down, and calculated ages based on birthdates, and syndicated RSS feeds for display on the site. I definitely knew my stuff back then, even if I didn't have a good coding style down yet.

I miss the days when I used to have this kind of free time on my hands. Whenever I dust off my old projects and play around with them, I keep seeing really ambitious ideas. The code may not be pretty, but it is featureful. I don't create anything nearly this cool nowadays. I just don't have the free time or the motivation to do it.

Maybe this is the consequence of doing what you love as a job. As a software developer, I spend all day long writing code to get paid and by the time I'm done, I don't feel like writing any more code for the day. And then on the weekends I just wanna relax and try to have a social life, or else just watch TV and play videogames.


Here are 6 more screenshots of the old RainbowBoi/XYBois.

Screenshot Screenshot Screenshot Screenshot Screenshot Screenshot

Tags: 1 comment | Permalink
Android Mini PC
October 12, 2010 by Noah
The device of my dreams: a no strings attached, open Android-powered device, which is like a smartphone (touch screen etc.), but which is not a phone, but can get a data plan from any cell carrier in the same way that laptops can use 3G cards and get internet anywhere from a cell phone carrier.

It would basically be a miniature PC that resembles an Android phone, but which isn't a phone, but which you can just install Skype on if you really need to make a phone call, since it could still get cellular data service.

And, being like a miniature PC, it would be as open to operating systems as a real PC; it would be just as easy to install and reinstall Android firmwares (or any compatible OS) to it as it would reinstalling your operating system on your laptop.

I imagine Dell would be a good manufacturer for such a device; they would market it just like they market netbooks, as being just a mini PC that happens to run Android (preferably the stock vanilla Android as Google intended it, but being open you could flash any version of Android you want).

If such a device existed I would buy it as soon as it came out. I'm quite sick of the way phone carriers abuse the Android OS and wish there could just be a seriously open device.

Tags: 3 comments | Permalink