François
-
New blog post: figuring out, and updating upstream bug reports on how to get OpenVPN+DCO (in-kernel encryption/decryption) working on upcoming Ubuntu 26.04 LTS and Fedora 44.
https://www.tuxed.net/fkooman/blog/openvpn-dco.html
Hopefully this can all be fixed before the release, so it works out of the box!
-
GitHub is unusable without account. This is what you get by simply browsing to a repository on GitHub and clicking on the link to view the commits.
-
The systemd project was and is a *huge* leap forward for Linux. I can't imagine doing sysops without it.
https://blog.tjll.net/the-systemd-revolution-has-been-a-success/
Update: suspected "AI" usage for the images in the post, in case you want to avoid this.
-
What are we (NRENs deploying SAML) gonna do about libxml2? It is now sort of unmaintained and reading the announcement for it, I can totally understand why the maintainer wants to step away.
-
It seems Red Hat Enterprise Linux 10 has been released. But what is new? The "release notes" ramble about "AI" and PQC, but... where are the actual release notes?!
https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux-10
-
Seems we'll be getting "Post Quantum Crypto" for free with #eduVPN 4.x on Debian 13 which comes with OpenSSL 3.5. The TLSv1.3 handshake will use X25519MLKEM768 and the 4.x server introduces `PresharedKey` support as well. We just need to recompile the eduVPN clients with Go 1.24 and we are good to go.
-
Finally working on "Static IP address assignments" for the new #eduVPN 4.x server. An often requested feature. It is a bit tricky to implement cleanly due to how well eduVPN scales up (and down) 😄
-
This is... interesting. Apparently bcrypt truncates user provided passwords at 72 byte marker. I guess one way can be to "prehash" the password with a HMAC as suggested here:
https://soatok.blog/2024/11/27/beyond-bcrypt/
The other (simpler) approach would be to, like Go's x/crypto/bcrypt, just reject all user provided passwords > 72 bytes. It is not *great*, but it works and fails "safe". Now one wonders *why* this is not the default behavior of PHP's password_hash function...
-
"Bug fixes."
Not sure exactly when this was done and enabled by default, but in case you use Firefox Focus/Klar, be aware.
*Update*: since version 136, see https://support.mozilla.org/en-US/kb/usage-ping-settings
-
Considering writing a small daemon that stores encryption/signing keys encrypted on disk using TPM2 (systemd-credentials) with a simple encryption/signing API that (web) apps can use either over HTTP or filesystem socket without risk of key exfiltration if said app is compromised. Poor person's HSM. Does anyone know any free software prior art here? It seems impossible to find among AWS KMS and Google Cloud KMS and various non-free solutions...
-
Spent the last ~week debugging and trying to understand MTU issues with WireGuard on DS-Lite and PPPoE connections with ICMP "black holes", MSS clamping and nftables. Quite the ride! Think I managed to sort of understand things now...