From 76aaaef0ec640c70d4359272816ee755b6d65379 Mon Sep 17 00:00:00 2001 From: bnewbold Date: Mon, 12 May 2014 21:06:53 -0400 Subject: films to watch: many additions, notes --- film/to-watch.page | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/film/to-watch.page b/film/to-watch.page index 689ebef..1852721 100644 --- a/film/to-watch.page +++ b/film/to-watch.page @@ -53,6 +53,19 @@ Films To Watch * Hunger (2008, McQueen) * True Grit * Cinema Paradiso + * The Man from Earth + * 500 Days of Summer + * God Bless America + * The Game + * American Psycho + * Chinatown + * Before Sunrise + * Network + * The Tree of Life + * Glengarry Glen Ross + * The Man Who Wasn't There (2001, Coen Brothers) + * House of Games + * Christiane F. – We Children from Bahnhof Zoo * Flash Gordon Documentaries: @@ -72,3 +85,8 @@ Documentaries: * The Pervert's Guide to Cinema * All In This Tea +Ref: + + * "15 Great Films That You Never Hear About on r/movies" + http://imgur.com/a/BwuZY + * http://www.reddit.com/r/fullmoviesonyoutube -- cgit v1.2.3 From 34fcde9f9aacbe9c768420bed5ab10c085699700 Mon Sep 17 00:00:00 2001 From: bnewbold Date: Mon, 2 Jun 2014 00:54:59 -0400 Subject: SSL notes --- software/ssl.page | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 software/ssl.page diff --git a/software/ssl.page b/software/ssl.page new file mode 100644 index 0000000..fc8d0cb --- /dev/null +++ b/software/ssl.page 
@@ -0,0 +1,112 @@ + +SSL Notes +============= + +You can generate stong random strings with, eg: openssl rand -base64 24 + +Warning: as context, you generally need to go through an identity verification +procedure before being issued SSL certificates other than the most trivial +single-virtual-host kind. This process can take weeks, so start early! + +Warning: the whole crypto thing is obviously pedantic and way more of a pain in +the ass than needs to be. + +Note: read this entire file before starting. In particular see the listing of +host names towards the bottom, which should be kept up to date. + +### HOWTO: Get a new certificate and have it signed by StartSSL + +Following the union of directions (dated Nov 16, 2009) at both: +https://library.linode.com/security/ssl-certificates/subject-alternate-names +https://library.linode.com/security/ssl-certificates/commercial + +Run this (mostly) on the remote machine. + +NB: it may or may not be necessary to do much of this because StartSSL will +re-generate most fields? Ugh. + +NB: if you are replacing an existing cert you need to revoke the old one first. +This costs $25. "deal with it". + +Create, eg, /etc/ssl/localcerts/server_20140429.cnf, copying from +/usr/lib/ssl/openssl.cnf. 
In that file, set the following at the top: + + SAN="email:webmaster@example.com" + +and after the '[ v3_ca ]' line add: + + subjectAltName=${ENV::SAN} + +On the command line (edit these for the specific cert): + + export SAN="DNS:example.com, DNS:www.example.com, DNS:mail.example.com, DNS:static.example.com, DNS:git.example.com, DNS:docs.example.com" + openssl req -new -newkey rsa:4096 -sha256 -days 729 -nodes -config /etc/ssl/localcerts/server_20140429.cnf -keyout /etc/ssl/localcerts/server_20140429.key -out /etc/ssl/localcerts/server_20140429.csr + +fill in options *exactly* like on your startcom profile: + + Country: US + State: Massachusetts + Locality: Cambridge + Organization Name: + Organization Unit: + Common Name: + Email: webmaster@example.com + Challenge password: + Company name: + +When done, remove most permissions on all the resulting files: + + chmod 400 * + +Ok, now snarf down the resulting .csr to your local machine (it's short, just +'cat' it). + +On the StartSSL website, figure out how to use the toolbox and validations and +all that jazz (come back in an hour), then once all that is configured start a +certificate generation process. You get, eg, "example.com" automatically, even +though this isn't indicated anywhere. The user inteface sucks, "deal with it". +Save the resulting .crt to, eg, /etc/ssl/localcerts/server_20140429.crt. chmod +it 400, root:root. + +We need to create a "combined" certificate. Fetch the startssl intermediate and +CA certs (WARNING: over https!), and combine a la: + + wget https://startssl.com/certs/sub.class2.server.ca.pem + wget https://www.startssl.com/certs/ca.pem + mv ca.pem startssl_ca.pem + cat server_20140429.crt >> server_20140429.combined.crt + cat sub.class2.server.ca.pem >> server_20140429.combined.crt + cat startssl_ca.pem >> server_20140429.combined.crt + +Now copy the .key to /etc/ssl/private, give it group "ssl-cert", and give it +chmod 440. 
Put the .combined.crt and .crt (for, eg, postfix) in /etc/ssl/certs +and chmod it 444 (no group change). + +Now edit nginx, prosody, postfix, dovecot, etc config and reboot and check logs +and test everything to use the new keys. Whew! + +Before you celebrate, add a calendar entry for N days before the expiration of +the certificates you just created, so you have plenty of time to replace them +before they expire. + +### example infrastructure needs + +server: + example.com + www.example.com + mail.example.com + static.example.com + git.example.com + docs.example.com + +### References + +https://library.linode.com/security/ssl-certificates +https://www.ssllabs.com/ssltest/ +https://www.ssllabs.com/projects/best-practices/ + +### StartCom Alternatives + +gandi.net: used by debian.org + https://www.gandi.net/ssl/grid + http://wiki.gandi.net/en/ssl/regenerate -- cgit v1.2.3 From a78f7f6752f75659d4e3ff3657eb2f4db08c9ecc Mon Sep 17 00:00:00 2001 From: bnewbold Date: Mon, 2 Jun 2014 00:55:53 -0400 Subject: sigh, more films --- film/to-watch.page | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/film/to-watch.page b/film/to-watch.page index 1852721..4d1a0ff 100644 --- a/film/to-watch.page +++ b/film/to-watch.page @@ -67,6 +67,7 @@ Films To Watch * House of Games * Christiane F. – We Children from Bahnhof Zoo * Flash Gordon + * Terminator Salvation Documentaries: @@ -84,6 +85,12 @@ Documentaries: * Aatsinki: The Story of Arctic Cowboys * The Pervert's Guide to Cinema * All In This Tea + * The Third Wave (2007, tsunami) + +Maybes: + * Diving Bell and the Butterfly + * Yi Yi + * 25th Hour Ref: -- cgit v1.2.3
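Review bot: in the SSL Notes hunk, `-days 729` on `openssl req -new -newkey rsa:4096 -sha256 -days 729 -nodes -config ...` has no effect: `-days` only applies when `openssl req` self-signs with `-x509`, and for a CSR the validity period is set by the issuing CA (StartSSL here), so the flag should be dropped rather than implying a 729-day lifetime that nothing enforces. Two smaller points in the same hunk: `chmod 400 *` is given with no stated working directory, so a `cd /etc/ssl/localcerts` (or explicit paths) should precede it, since run from anywhere else it silently strips permissions from unrelated files; and after the `cat ... >> server_20140429.combined.crt` steps the procedure deploys the chain without checking it, so a verification step belongs before "Now copy the .key to /etc/ssl/private", e.g. `openssl verify -CAfile startssl_ca.pem -untrusted sub.class2.server.ca.pem server_20140429.crt` for the chain and a comparison of `openssl x509 -noout -modulus -in server_20140429.crt` against `openssl rsa -noout -modulus -in server_20140429.key` to confirm the signed certificate matches the generated key. The appended `startssl_ca.pem` root is not needed in the served chain, since clients must already hold it in their trust store and it only adds bytes to every handshake.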