
Hello flying and new job

A couple of big things have happened the past few months. Most recently, I rejoined the tech workforce a couple of weeks ago after my two-year hiatus. A good friend of mine that I used to work with hit me up out of the blue and sold me on this new awesome place he joined recently. It’s been fun so far, there is so much interesting stuff to do, it’ll keep us busy for a while. Truth be told I was kind of getting bored, I was only going on a big roadtrip every couple of months and not really doing anything terribly interesting. I figured out I’m not as rusty at the Linux stuff as I thought I’d be, but my body sure is still getting used to waking up to an alarm in the mornings.

The other thing is that I started taking up flying lessons over in Palo Alto in June. A long time ago in April of 2001 I finished a ground school class hosted at an FBO at Riverside airport (KRVS) in Tulsa, anticipating I’d start flying after. I don’t even remember how I got into taking the class, I hadn’t even yet met my current flying friends. I didn’t even get into skydiving until October 2002. I guess I thought it would be a fun thing to do. In any event, I had just gotten accepted at the University of Tulsa when my CFI called up to schedule time on a Cessna 152 for training. I called things off, started going to university, ultimately dropping out, business and life happened. I had my E6B and could do crosswind calculations without a computer, 152 dip stick, sampler cup, textbooks, log book, plotter, all ready to go. Most interestingly, 9/11 happened later that year. I still had my scanner to listen to KRVS frequencies and it was a constant loop about the full ground stop advisory for 2-3 days. I wish I had a recording of that.

Fast forward to February 2019. My friend Alex decided he was finally going to go for his private pilot certificate and he started to talk me into doing it at the same time. Like most things I was hesitant about it, I hadn’t thought about it in nearly two decades. By March I was thinking about the “what could’ve been”. In April I was re-reading the FAA material and regulations, and hand-wavily considering where to go learn how to fly. Alex had finally convinced me that my current funemployment time was the most important asset I had, I could go bang out multiple lessons during the week and probably save a ton of money by not repeating skill lessons over a long time. In May I was getting really excited about the idea, churning through the FAA reading material, but in June it started to sink in just how much money it was going to cost me and I nearly backed out completely.

Finally I just said fuck it, and drove over to Palo Alto on the weekend to schedule a discovery flight to see what it was like. I got matched up with my current CFI that Monday and we went flying over Half Moon Bay. I don’t know what I was expecting, I didn’t know I’d be the one doing the takeoff. After we got near the coast he asked what I wanted to do, and I said I didn’t know, so we did some commercial-grade steep turns that were really whoa, a couple of passes up and down the coast, and coming back a couple of touch-n-goes at Palo Alto. There were some gorgeous views over the coast that I got a couple of photos of, and also of the peninsula, but I was still at the controls and had a plane to fly.

I guess that finally put the bug in me. The CFI texted me not too long after saying he had slots open so I said sure, why not, and that’s how it started. I started flying regularly in July and beyond. The first dozen or so flights were so disappointing, I was so nervous on takeoffs I’d wander way off center line, pitch up way too high during takeoff, not get on right rudder, or whatever; my CFI said he’d look over and my hand would be shaking on the yoke.

Eventually after a dozen or so hours I think I finally became really aware what to do, finally staying mostly on the center line during takeoff, take in instruments, not pulling back, just gradual up over and away. Landings are another story, those took a lot more hours to get even the basic feel for. At least now I’m finally starting to make somewhat reasonable radio calls!

Today I’m around 18 hours into things and while gaining a lot of confidence I’m still dreading things. Stall recoveries still scare me to think about, but I know I need to get used to them. I hear upset recoveries are a gut-wrenching fest to look forward to. I feel like a granny flying a 172, yet it’s capable of far more than what I want to put into it. 20 year old me may have been yee-haw eventually, but older me isn’t so ready for it.

So here I am at least with a new hobby on the weekend that really tests the mind and doesn’t involve sitting inside and computers (well except iPads) for once.

Old Faithful

[photos: flickr – Grand Teton NP]

[photos: flickr – Yellowstone NP]

I’ve wanted to visit Yellowstone (Yellastone) for a while. I know of at least two people that have been this summer so I finally decided to go for it. Watching the Yellowstone TV show also inspired me, despite it being filmed nowhere near the park. It’s about 950 miles away, so at least a solid day of driving. I took off on a Friday, thinking I’d drive over the weekend and avoid a weekend crowd at the park. I didn’t have a reserved campsite and lodging was $400-$500 night in the park, yikes. I planned to stay on forestry land somewhere outside of West Yellowstone.

The first night I made it all the way up into Idaho on I-84 and slept at a rest stop. I decided to hit up Jackson Hole, Wyoming first, I went up through Idaho Falls and cut over through Teton Pass. I rolled into Jackson around 1 PM on Saturday, and downtown was crazy busy. A sign said Yellowstone was “only” 66 miles away, not great, not terrible. I wasn’t sure yet where I was going to camp, so I decided to stay in Jackson at the world’s most expensive Motel 6 for the night.

Having secured lodging I continued up through Grand Teton. The last time I was here was in May 2010 during my great road trip from Austin. This time things were much greener and less snow on the mountains. I worked my way up to Yellowstone when I realized my grave mistake of not paying close attention to the map: it was 66 miles from Jackson to the south entrance of Yellowstone, then another 30 miles to the first “thing” which was West Thumb. Then another 20 miles to Old Faithful. Another 30 miles or so out to West Yellowstone.

I wasn’t really impressed with the southern approach to Yellowstone, it was 60 miles of solid forest, two lanes and slow drivers. There wasn’t anything to see here, I was beginning to wonder why this place was so famous. Some people may think the solid forest was quaint, I found it monotonous after driving all day.

I got to Old Faithful around 5 PM. Coming over the hill I saw the geyser blow, missed it by about 15 minutes. I was tired and didn’t feel like waiting around for the next eruption, plus I was over 100 miles from my room.

I had looked at options for staying in the park, most of the campsites were filled by 8 AM according to NPS’s website and the visitor center charts. I debated getting a few hours sleep in Jackson and making the haul back up to get in like at 7 AM. Unfortunately that meant leaving at 5 AM. I was tired and decided to get at least one good night of sleep, figure it out later.

Sunday

I had been noticing my ammeter wobbling a couple of volts and thought that was curious. When I started the truck for the first time for the day, it sharply deflected down to 10 volts before coming back up to 13 V, but still wobbling. Uh oh. I knew the battery was reasonably new. I was afraid it was my alternator trying to die again, I had just replaced it in 2009, not too long before my last Wyoming trip.

I sure didn’t want to get in the middle of Yellowstone with a dead alternator, no cell service, and be stranded. I found the only auto parts store open in Jackson on a Sunday and bought an alternator as a precaution. I had intended to replace it with a high output unit eventually, I didn’t want to replace it here now, but could if I had to. In the process of checking under the hood I noticed a battery cable was loose. I tightened that and after a bit of hard driving it seemed to fix the wobbling ammeter, yay.

A moose once bit my sister

Working my way back up through Grand Teton, I stopped and took a lot of photos. Somebody tipped me off to a moose at the end of a road, I drove down to find a mama moose in a stream and a baby moose hiding in the grass. NPS peeps were there watching them and keeping people away, and told us quite a bit about them.

There was a big swath of Grand Teton that I apparently had not even driven through back in 2009. I went up to Signal Mountain and got a great view over the valley. Somebody had spotted a herd of buffalo miles away over in a field that I eventually spotted, too far away to go drive back over to get closer photos. Somebody else spotted an elk on the road up to Signal Mountain, but I didn’t see it on the way back down.

Back inside Yellowstone I headed back to West Thumb along the way to turn around, some dude on the side of the road flagged me down and asked if I had jumper cables. He had his F350 pulled up behind an RV, trying to jump start it. I put my cables and booster pack on, and the engine wouldn’t crank. Oddly enough the guy in the RV had these foam replica dinosaur bones he wanted me to see while we waited between attempts, weird flex but okay. Eventually we gave up, and he’s “here, have this book as thanks” to me and another person … oookay? Turns out the book was “A Closer Look at The Evidence”, about the evidence of God. Thanks guy, did you just fake RV trouble to pass out your book? Was F350 guy his partner in this scheme? (The book was pretty awful and full of handwavy “facts”, btw)

I made it back to Old Faithful. This time I hung around long enough to see it blow twice. There was a huge number of people there, it was totally a zoo. After each time it would erupt, there would be a huge exodus of people leaving the area. Unfortunately a couple of hours after I got there, it started pouring down rain. This put off wandering around the other geysers in the area.

I headed out to West Yellowstone to find a place to stay around there. Apparently everyone else had the same idea to leave after the rain, the highway to West Yellowstone was bumper-to-bumper for several miles. I caught a great double rainbow over the highway and it was magnificent. I finally got to see more of the park before sunset, there was considerably more to see than the drive from the south. Maybe this wasn’t such a bad park after all!

Rooms at West Yellowstone were well over $200. I saw other RVs parked at the visitor center and tried staying there for the night. Shortly after, the police showed up knocking on doors, telling people they couldn’t stay overnight and had to leave. However the cop that talked to me said there was a truck turnout about a mile outside of town where people could stay, so that’s where I went.

Ironically the Norris campground filled at 11 AM, so had I left Jackson at a normal time I could’ve made it in time to snag a spot.

Monday

I ventured back into the park, people, people, everywhere!  I think the weekday crowd was worse than the weekend crowd, maybe the rain forecast put people off. I stopped at several geyser spots and the Grand Prismatic Spring. That thing was huge, and had so many people queued up for it. The size and color and spectacle of it all made this trip worthwhile. I took what photos I could, as NPS showed up trying to shoo people along.

The surprising thing about the people was how clueless they were. Here are these geysers and hot springs with ~200 F / 100 C water gurgling out of them. More than a few times I heard somebody say “I wonder how hot the water is?” and immediately stick their hand into the water! Fortunately nobody got scalded that I saw, but I was sure waiting for it.

I spent a while at Old Faithful taking photos of the geysers around there, pretty much all afternoon. I had dinner there and headed back out to West Yellowstone for the night. On the way out I hiked up to the overlook at Grand Prismatic Spring, got decimated by mosquitos, but got some photos above the spring. I highly recommend the overlook, you can actually see the entirety of the spring which is difficult to appreciate from the ground.

Tuesday

Finally decided I had seen enough and it was time to head home. But first I wanted to head up to Bozeman, Montana for giggles, partially because the Yellowstone show was set there, and I wanted to see the area again. I was also last there in 2010 during the migration of Jordan from Boston to Seattle, we passed through there on I-90. Big Sky was a lie, it’s in a valley between mountains, Bozeman totally had bigger skies. I got there, visited some stores, and turned around for the long drive home.

Coming down through Idaho Falls, then Blackfoot on the interstate I felt my truck suddenly lose power. I smashed on the gas and it barely accelerated, and after a minute of losing speed, the engine died. It felt like when my catalytic converter burned up, huh. I coasted to a stop on the shoulder. I still had battery and could crank the engine, so I felt like it wasn’t the battery or alternator. I suspected a fuel pump, as that’s how it behaved when it died before.  So at 4 PM I called up AAA for a tow, just in time to make it to a mechanic before they closed for the night.  I asked the tow driver where to go, he suggested a place down in Pocatello.

We dropped off the truck at the mechanic right as they were closing. Funnily one of the mechanics had lived in Fremont and Hayward back in the 80s. He took me over to a Motel 6 where I spent the night.

Wednesday

I waited around all day at the motel, mostly sleeping. The shop said it was indeed the fuel pump, it’d be about $700 to fix, and should have it done by end of day.

Finally at 5 PM they called to say it was done, so I picked it up and got back on the road. This time I wasn’t so gung ho to get home, I was tired and just wanted to get it over with. I drove the remaining 770 miles home in one shot, finally getting home around 5 AM Thursday morning.

Epilogue

It was a long and tiring trip, but I got over 600 photos and an hour of video out of it and filled in some of my US “places travelled” map. I highly recommend reserving a campsite in the park, I underestimated just how huge the park is and it was a lot of unnecessary driving in/out. I certainly don’t recommend driving up from Jackson, start from West Yellowstone, it’s a lot closer to the main attractions of the park.

I’d feel remiss if I didn’t mention something that was brought to my attention in a comment on my last post. Back in February I drove down to Vandenberg Air Force Base to photograph the launch of a test Minuteman III ICBM. This was the second one I’ve done, the last being in July last summer. These happen 3-4 times a year on just a couple of days notice, with a very long launch window, so you have to be ready to drive down and sit it out for however many hours it could take. There was one in the fall that I missed, I think I didn’t see the press release until it was already done.

So I took a long exposure photograph of the missile launching and heading out over the Pacific. I posted the photos to Twitter because there’s a lot of space nerds on there.  I drove home and didn’t think much about it.  Later I get a heads up that my photos got linked from an RT.com (f/k/a Russia Today) article.

The article was about the missile test, and goes on talking about increased missile tension, accusations being thrown around, and missile treaties between the US and Russia. There was my Twitter post, right in the middle of it all.


Well then!  That was unexpected.  The main photo at the top of the article from Reuters looked very similar to mine, and for a minute I thought they had ripped my photo off without credit.  Looking closer, it’s taken at exactly the same location but shows a different launch.

Fortunately my post didn’t get any crazy attention beyond a few likes and extra followers. I didn’t have any visitors and haven’t had any new shady people try to be my friends. It makes for a good story and gets people to say “wait, what?” until I show them the article.

Welcome 2019

I feel like I haven’t done much that’s post-worthy the past couple of months. Maybe I have. Oh well, just checking to make sure the website still works. It does!

Thefted firewood and rope

After my last camping trip, I was hauling around three boxes of leftover firewood, a 20 L water jug, and my camping chair in the back of my truck for a couple of weeks. After I left the Sharks game at SAP Center last night, I noticed it was all gone. It was a lot of stuff to move, I suspect somebody just lifted it out of my truck into theirs. They at least left the big jug of cat litter I had just bought.

Sure, leaving it back there it was bound to happen. It’s way better than having the truck itself broken into. I’m mostly annoyed that they got my water can, but oddly I’m more annoyed they stole my 20′ rope that was used to tie it all down with. I realized this morning they also got the 5′ of chain used for my rifle gong too. Who steals rope and chain?

https://www.flickr.com/photos/kintayearbooks/albums

Earlier this year I came across some yearbooks from my school (Kinta High School) in the 1930s. Some belonged to my grandma, a couple from her brother who was killed right out of high school in WWII, and others loaned from family friends. I learned a few things in the process, such as the location and look of the old school buildings, the tea socials, the integration of the Lewisville school, and the impact of the war that crept into their pages. Earlier books had photos glued to the pages, hand colored title pages, and hand drawn ads!

I decided to scan them in so there were good electronic copies available for people to view. Dad also had quite a collection from the 50s, 60s, and beyond, so I started scanning those in too. In some years a yearbook was not published, usually due to lack of budget; often the next year’s book will have a page devoted to the seniors that graduated the year no book was published. As I get time when I go home I’ll scan more.

What I have scanned so far is up on Flickr

I’ve tried to be complete and scan every page at least at 300 dpi, and I have only done little, if any, touch up work to them. The more recent ones aren’t as high a quality as I wanted (at least toward the inner edge), it was difficult to put them on a flatbed scanner without destroying the binding. I want these to be available to anyone without restraint. If they’re taken down from Flickr, I will host them on my own or find some other place for them. Tagging names on all the pages would be a nice to-do item!

Kinta Public Schools, Kinta High School, Kinta, Oklahoma

Throwing another tidbit of recently found knowledge out here. Along the way with playing with different certs on my EAP-TLS setup I wound up removing the 802.1x password entry from the OS X Keychain (at the time thinking it would help my problem). What I discovered after that was that, even after reverting my RADIUS server config, I couldn’t connect back to my test SSID. OS X just threw an “unable to join network” message immediately and gave up. I couldn’t figure out why I couldn’t connect back, or what would be keeping state about this network.

802.1x entry

The TL;DR is I went into System Preferences > Network > Wi-Fi and told it to forget about my test SSID. After this I was prompted for the username/password on my network when I retried it.

(Actually I’m not even sure how I got in this situation. I just deleted this again and I was able to rejoin the network?)

Along the way I found out the Wireless Diagnostics tool on OS X is actually nice and useful, you wouldn’t think it from the surface. It collects a ton of logs and even packet captures to review. From what I gathered from the internets I needed to look for “eapolclient” logging. In this case eapolclient was reporting “Acquired: cannot prompt for missing user name”. I didn’t get many leads hunting for this message. It wasn’t until I thought about forgetting the network that I fixed my problem.

eapolclient “cannot prompt for missing user name”

Yay, fixed.

Fixed!

Not really relevant to the post, but I found it amusing

You think you know something just enough to get by, until you have something that challenges your workflow and tools. Then you have to brush away the cobwebs, learn a few things, and work on some scripts. Based upon my recent adventures in dealing with EAP-TLS for wireless, I realized I was doing several things wrong with OpenSSL and my private certificate authority (CA) over the years. I never really spent any time reading good docs beyond creating cert requests and converting certificates, nor learning what all the options and extensions do.

I found a great instruction guide on how to properly set up not only a CA with OpenSSL, but an intermediate CA, revocation lists, and certificates for servers and users: https://jamielinux.com/docs/openssl-certificate-authority/. It does a good job of explaining just the options you need and why.

Based on this guide and copious amounts of Googling to fix other problems I set about putting my CA house in order. Among other things, I wanted to make sure I was generating appropriate certs and finally get around to stop doing some things by hand. (And insert an intermediate CA into my setup for giggles because my home lab isn’t complicated enough. Never mind, dealing with certificate chains and applications is annoying.)


Things I learned while yak shaving certificates, all in one place so hopefully other people can avoid my folly:

(disclaimer: I’m possibly wrong about some of this)

iOS needs a common name on certs to trust them: This is what started it all. On Apple iOS devices (unsure when this started, iOS 11?) if your private root CA certificate does not have a Common Name (CN) value set, you will not be able to trust the certificate on the device. Without a CN, the certificate just does not show up under General > About > Certificate Trust Settings > Enable Full Trust For Root Certificates. You can install the root certificate all day long, but you can’t get device-level trust without this.

Certificate Trust Settings: No CN on root cert


Certificate Trust Settings: root cert has CN

Can’t just casually add a CN: Based on what I read for regenerating a root certificate with the same key, I thought I might be able to issue a new root cert and fix the CN. Turns out you can’t just add the CN on your existing root CA certificate because this breaks the chain of trust of any certificates you’ve signed with it. In particular, OpenSSL is going to throw an “unable to get local issuer certificate” when it tries to verify a signed certificate against your newly altered root certificate:

# Existing cert, newly modified root, verification fails:
# openssl verify -CAfile /opt/pki/CA/certs/wannnet-ca-20180913-cert.pem \
  certs/raptor.wann.net-20170624-cert.pem
certs/raptor.wann.net-20170624-cert.pem: C = US, ST = California, L = Fremont, O = wann.net, CN = raptor.wann.net, emailAddress = pki@wann.net
error 20 at 0 depth lookup:unable to get local issuer certificate

# Existing cert, original root, verification is OK:
# openssl verify -CAfile /opt/pki/CA/certs/wannnet-ca-20170624-cert.pem \
  certs/raptor.wann.net-20170624-cert.pem
certs/raptor.wann.net-20170624-cert.pem: OK

This is because the Issuer: on the new root certificate has changed and no longer matches the Issuer: the signed cert carries:

# Existing server certificate, signed with original root CA (without a CN):
# openssl x509 -in certs/raptor.wann.net-20170624-cert.pem -text | grep Issuer
        Issuer: C=US, ST=California, L=Fremont, O=wann.net, OU=wann.net CA/emailAddress=pki@wann.net

# Issuer: of original root CA certificate:
# openssl x509 -in wannnet-ca-20170624-cert.pem -text | grep Issue
        Issuer: C=US, ST=California, L=Fremont, O=wann.net, OU=wann.net CA/emailAddress=pki@wann.net

# Issuer: of new root CA certificate with a proper CN added:
# openssl x509 -in wannnet-ca-20180913-cert.pem -text | grep Issue
        Issuer: C=US, ST=California, L=Fremont, O=wann.net, OU=wann.net CA, CN=wann.net Root CA/emailAddress=pki@wann.net

This means unless you re-issue every single certificate you have to reflect the new CN on the root cert, you’re going to be carrying around both root CA certificates in your devices’ trust stores until the child certificates eventually expire and you re-issue/re-sign them with the new root certificate. (2 years for me).

Upgrading signature algorithm on the root: However! Allegedly you can regenerate the root CA certificate with different signatures (the SHA1 -> SHA256 signature fracas recently) or new validity periods as long as you use the same key file you originally created the self signed cert with. You just can’t change the subject or CN details. (I wish I had known this before reissuing all of my client certs last year when I needed SHA256 signatures)
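Both halves of this in one place, as an added, throwaway example rather than anything from this post or from bwann/pki-tools: a root is self-signed from a key, a leaf is signed by it, then the root is regenerated from the same key twice, once with a CN added (the leaf no longer chains, because its Issuer: no longer matches the root’s Subject) and once with the same subject but SHA-512 and a fresh validity period (the leaf still chains). `Example Org`, `leaf.example.test` and the file names are constructed; it assumes the `openssl` CLI is installed and uses its own tiny req config so it does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example (not the post's own scripts): show why changing the root CA's
# subject breaks existing leaf certs, while re-signing the root with the same
# key and the same subject does not. Names are constructed; assumes the
# openssl CLI is installed.
set -u

# Minimal req config so we don't depend on the system openssl.cnf.
write_req_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
default_md         = sha256
prompt             = no
[ dn ]
O = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-sign a root from an existing key. $1 key, $2 subject, $3 digest, $4 output
issue_root() {
    openssl req -x509 -new -config "$CNF" -key "$1" -subj "$2" -"$3" -days 3650 -out "$4" 2>/dev/null
}

# Sign a CSR with a root, the plain "openssl x509 -req -CA" way. $1 csr, $2 root, $3 root key, $4 output
sign_leaf() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 365 -sha256 -out "$4" 2>/dev/null
}

# Prints OK or FAIL for verifying leaf $2 against root $1.
verify_leaf() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

root_cn_demo() {
    work=$(mktemp -d); CNF="$work/req.cnf"; write_req_cnf "$CNF"
    openssl genrsa -out "$work/ca.key" 2048 2>/dev/null
    openssl genrsa -out "$work/leaf.key" 2048 2>/dev/null
    # 1. Original root without a CN, and a leaf signed by it.
    issue_root "$work/ca.key" "/O=Example Org/OU=Example CA" sha256 "$work/ca-v1.pem"
    openssl req -new -config "$CNF" -key "$work/leaf.key" -subj "/CN=leaf.example.test" -out "$work/leaf.csr" 2>/dev/null
    sign_leaf "$work/leaf.csr" "$work/ca-v1.pem" "$work/ca.key" "$work/leaf.pem"
    # 2. Same key, CN added: the root's Subject no longer equals the leaf's Issuer.
    issue_root "$work/ca.key" "/O=Example Org/OU=Example CA/CN=Example Root CA" sha256 "$work/ca-v2.pem"
    # 3. Same key, same subject, stronger digest and fresh validity: still chains.
    issue_root "$work/ca.key" "/O=Example Org/OU=Example CA" sha512 "$work/ca-v3.pem"
    printf 'original=%s new_cn=%s resigned=%s\n' \
        "$(verify_leaf "$work/ca-v1.pem" "$work/leaf.pem")" \
        "$(verify_leaf "$work/ca-v2.pem" "$work/leaf.pem")" \
        "$(verify_leaf "$work/ca-v3.pem" "$work/leaf.pem")"
    rm -rf "$work"
}

root_cn_demo
```

The third verification is the practical takeaway: a digest or validity refresh of the root is a drop-in replacement in every trust store, while any change to the subject means carrying two roots until the leaves are reissued.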

Adding subjectAltNames is messy: Somewhere along the way browsers such as Chrome started requiring valid Subject Alternative Name (SAN) on TLS certificates. For our purposes this is a list of DNS names (e.g. CNAMEs) that the certificate is valid with.

There’s not an easy way to add this to certificate requests (yet[1]), and every example on the Internet has you cracking open openssl.cnf in a text editor every time you want a new cert (what could go wrong?!). For a while I did this, I couldn’t be bothered learning a better way and hated myself each time I made a cert. There’s also some convoluted bash “one-line” scripts out there that attempt to remedy this, but they’re hard to follow until you understand what they’re doing.

Of course my script is better than everyone else’s script: https://github.com/bwann/pki-tools/blob/master/make-wannnet-csrkey.sh. I’ve tried to simplify the bash and make it a little easier to understand. For the skeptical, here’s some sample output.

This script generates an RSA key and certificate request with the server name/common name as the first argument to the script, and any further arguments add them to the request as Subject Alternative Names.

[1] As of OpenSSL 1.1.1 just released in September 2018, they’ve tweaked the req -extension option to make this a bit easier: https://github.com/openssl/openssl/commit/bfa470a4f64313651a35571883e235d3335054eb

CAs drop subjectAltNames when signing: By default OpenSSL will drop any user-submitted extensions (such as subjectAltNames) from a certificate request when it comes time to sign the certificate with your CA. This means when you sign a certificate request that includes your alternative names, this undoes all the work you just did to add them. Now you’ve got to re-supply the subjectAltNames via the OpenSSL config somehow as seen above for the signing process. There’s a good reason for this behavior, preventing unwanted user input: a rogue user could submit a certificate request with an extension something like basicConstraints=CA:TRUE, and unless it’s caught at signing time, the root has just issued a CA certificate.

You can get around this in your own CA environment by configuring copy_extensions in your openssl.cnf under the CA_default section. There are a couple of options for this and the man page (man ca) has clear warnings about the implications. Setting copy_extensions=copy will copy the subjectAltNames from the certificate request; however you will want to make sure whichever extensions section you’re using to sign a certificate has already nailed down basicConstraints and keyUsage, so the extensions from the request don’t try to overwrite them.

Key extensions for servers and clients: This is what I first learned while setting up certificates for EAP-TLS. There are extensions you can add to the X509 certificate that tell what the intended purpose of the certificate is (man x509v3_config). I haven’t ever had to use these because Linux has always been pretty happy (blissfully ignorant?) with what I was using before. Apparently things like Windows and Android care about these extensions, i.e. they expect a server cert on the server, a client cert on the client app.

Ideally in your openssl.cnf you’d have a section defining options to use while signing a certificate for servers (e.g. [ server_cert ]), and another section for client/user certificates (e.g. [ user_cert ]), each containing the appropriate extendedKeyUsage settings for each type. Then when it comes time to sign a cert, tell OpenSSL which extension section to use.
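The previous three points together, as an added example that is not this post’s scripts or anything from pki-tools: a throwaway `openssl ca` in a temp directory signs the same SAN-bearing request first with the default copy_extensions (the SAN is dropped) and then with copy_extensions=copy (the SAN survives), using a [ server_cert ] and a [ user_cert ] section that carry the extendedKeyUsage for each type; the last signing feeds it a request that asks for basicConstraints=CA:TRUE to show the section’s CA:FALSE wins because config extensions are added before request extensions are copied. Names (`Example Test Root CA`, `www.example.test`, `alice`) are constructed; it assumes OpenSSL 1.1.1 or later for `req -addext`.

```shell
#!/bin/sh
# Added example, not the post's or bwann/pki-tools' own code: a throwaway
# "openssl ca" showing (1) the CA dropping a CSR's subjectAltName by default,
# (2) copy_extensions = copy carrying it over, (3) [ server_cert ]/[ user_cert ]
# sections setting extendedKeyUsage, and (4) the section's basicConstraints
# winning over a CSR that asks for CA:TRUE. Names are constructed; assumes
# openssl >= 1.1.1 (for "req -addext").
set -u

# $1 = CA directory, $2 = copy_extensions value (none or copy)
write_ca_cnf() {
    cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
default_md         = sha256
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $1
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.pem
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_loose
unique_subject  = no
copy_extensions = $2
[ policy_loose ]
commonName = supplied
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ user_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Fresh CA state: empty database, starting serial, self-signed root.
init_ca() {
    mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 1000 > "$1/serial"
    openssl req -x509 -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/ca.key" -out "$1/ca.pem" -subj "/CN=Example Test Root CA" -days 3650 2>/dev/null
}

# $1 = CA directory, $2 = subject, $3 = "-addext" value, $4 = CSR path (key goes to $4.key)
make_csr() {
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes -keyout "$4.key" \
        -out "$4" -subj "$2" -addext "$3" 2>/dev/null
}

# $1 = CA directory, $2 = extension section, $3 = CSR, $4 = output cert
ca_sign() {
    openssl ca -batch -notext -config "$1/ca.cnf" -extensions "$2" -in "$3" -out "$4" 2>/dev/null
}

# Number of lines in the cert's text dump matching $2 (0 when absent).
count_match() {
    openssl x509 -in "$1" -noout -text | grep -c "$2" || true
}

ca_demo() {
    work=$(mktemp -d); ca="$work/ca"; mkdir "$ca"
    write_ca_cnf "$ca" none; init_ca "$ca"
    make_csr "$ca" "/CN=www.example.test" "subjectAltName=DNS:www.example.test,DNS:example.test" "$work/srv.csr"
    # A misbehaving request that asks to become a CA (the case the man page warns about).
    make_csr "$ca" "/CN=alice" "basicConstraints=CA:TRUE" "$work/rogue.csr"
    ca_sign "$ca" server_cert "$work/srv.csr" "$work/srv-none.pem"   # default: SAN dropped
    write_ca_cnf "$ca" copy
    ca_sign "$ca" server_cert "$work/srv.csr" "$work/srv-copy.pem"   # SAN copied from the CSR
    ca_sign "$ca" user_cert "$work/rogue.csr" "$work/rogue.pem"      # section's CA:FALSE wins
    printf 'san_dropped=%s san_copied=%s server_eku=%s client_eku=%s rogue_ca_true=%s\n' \
        "$(count_match "$work/srv-none.pem" 'Subject Alternative Name')" \
        "$(count_match "$work/srv-copy.pem" 'Subject Alternative Name')" \
        "$(count_match "$work/srv-copy.pem" 'TLS Web Server Authentication')" \
        "$(count_match "$work/rogue.pem" 'TLS Web Client Authentication')" \
        "$(count_match "$work/rogue.pem" 'CA:TRUE')"
    rm -rf "$work"
}

ca_demo
```

Note the ordering that makes the last line safe: `openssl ca` adds the extensions from the named section first and only then copies request extensions, skipping any that already exist, so with `copy` a request can only add extensions the section is silent about. `copyall` reverses that and lets the request overwrite the section, which is the setting the man page warns against.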

Android needs magic to install a root CA with system level trust. I haven’t gone through the effort to figure this one out yet, every time I install my root CA certificate on my Nexus it only winds up as a user-level cert, and displays a fabulous “warning third parties are snooping on your network” notification. From what I gather some root-level muckery needs to happen. Surely some MDM software has figured this out already.

Links

https://github.com/bwann/pki-tools/ : Some of my own scripts for generating cert requests, keys, signing them with an OpenSSL CA. Server-centric for now, still ironing out the kinks in user certificates and will post whenever they’re decent.

https://www.phildev.net/ssl/ : A friend’s guide to X509 certs that I had forgotten about until I posted this

https://jamielinux.com/docs/openssl-certificate-authority/ : The other CA setup guide I mentioned at the beginning of this post

If you’ve ever tried setting up FreeRADIUS and WPA2-Enterprise, and wondered how the example certs wind up with the X509v3 extended key “TLS Web Server Authentication” on it, the trick here is a config file specifying a numerical OID for the key instead of a text description. (Apparently Windows expects to see these TLS extended keys when connecting to a wireless network with EAP/TLS).

This puzzled me for a while, I’ve never seen this key and couldn’t figure out how they were getting it on their certs. It’s obvious now, but I spent way longer than I care to admit carefully combing over the example *.cnf files that came with the package, my system’s openssl.cnf, another system’s pristine openssl.cnf for any missing extendedKeyUsage or nsCertType directives, and the OpenSSL manual page for x509 looking for any missed defaults. It wasn’t until I carefully followed the Makefile in the example that I saw they were pulling in an extension file via -extfile xpextensions and using a section with -extensions xpserver_ext that specified the options as OIDs. I had overlooked this file in earlier spelunking. Mystery solved.
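The mechanism itself, as an added example and not the FreeRADIUS project’s own Makefile or xpextensions file: an extension file whose sections spell extendedKeyUsage as dotted OIDs (1.3.6.1.5.5.7.3.1 is id-kp-serverAuth, 1.3.6.1.5.5.7.3.2 is id-kp-clientAuth) is pulled in with `-extfile ... -extensions ...`, and the resulting certificate prints the friendly names, which is exactly why a grep for `extendedKeyUsage = serverAuth` never finds where they come from. Section names mirror the FreeRADIUS ones; `radius.example.test` and the self-signed shortcut (`-signkey` instead of a CA) are constructed for the example, and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example (not FreeRADIUS's Makefile or xpextensions): extendedKeyUsage
# written as a raw OID in an -extfile section, then read back from the cert.
# Names are constructed; assumes the openssl CLI is installed.
set -u

# The [ req ] and [ dn ] sections only exist so "openssl req" can use this
# same file as its config and not depend on the system openssl.cnf.
write_xpextensions() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ xpserver_ext ]
# id-kp-serverAuth; OpenSSL prints it as "TLS Web Server Authentication"
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[ xpclient_ext ]
# id-kp-clientAuth; printed as "TLS Web Client Authentication"
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF
}

# Self-sign a fresh CSR with the given extension section and print the
# decoded Extended Key Usage value from the resulting certificate. $1 = section
eku_for_section() {
    work=$(mktemp -d); write_xpextensions "$work/xpextensions"
    openssl req -new -config "$work/xpextensions" -newkey rsa:2048 -nodes \
        -keyout "$work/k.pem" -out "$work/r.csr" -subj "/CN=radius.example.test" 2>/dev/null
    openssl x509 -req -in "$work/r.csr" -signkey "$work/k.pem" -days 365 \
        -extfile "$work/xpextensions" -extensions "$1" -out "$work/c.pem" 2>/dev/null
    openssl x509 -in "$work/c.pem" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
    rm -rf "$work"
}

eku_for_section xpserver_ext   # TLS Web Server Authentication
eku_for_section xpclient_ext   # TLS Web Client Authentication
```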


P.S. this dude wrote an incredibly detailed instruction guide on a home lab setup using a Raspberry Pi as a UniFi wireless controller, private CA, FreeRADIUS, and WPA2-Enterprise.  It’s got more screenshots and explanations than most of the internet deserves.  https://dot11zen.blogspot.com/2018/04/wpa2-entreprise-using-unifi-access.html

P.P.S. FreeRADIUS has been incredibly annoying to write an attribute-API-driven Chef cookbook for.

users file? Easy, we’ll just iterate over a loop and dump out the values — not so fast, the last entry on a user can’t have a trailing comma, oh and we use tabs in some spots.

Config file? We’ll define convenience variables in it, using them all over the place and then use them to create more convenience variables in other config files we include. (I get it, for human maintainers this makes it easy) Without writing templates for each and every config file to get rid of them all, it took a while to locate the major ones to maintain compatibility.

Ubuntu? We’ll use completely different paths to store our RADDB, daemon names, TLS certs, system users and groups than CentOS, because we’re Ubuntu. And amazingly CentOS 7.x has FreeRADIUS v3, whereas Ubuntu 16.x has v2, which uses slightly different syntax.

The majority of the work is done now, so hopefully I can post the cookbook on GitHub soon.

Yosemite trip: August

[photos: flickr – Yosemite]

A couple of weeks ago a friend passing through Yosemite informed me the smoke had cleared up, and highways and campgrounds were open again. In theory this meant there should be a lot of campsites available due to all the recent cancellations during the park closure. I sat on this for a few days and by the weekend I was itching to go. I checked the reservation.gov website, all the campgrounds in the valley were still booked solid, but there were three nights available in the middle of the week at Tuolumne Meadows Campground. I grabbed them and left home on Tuesday afternoon.

I arrived at the campground around 7 PM. The late list was posted with my assigned campsite, along with several warnings about bears in the area. The good news was that despite the recent Ferguson fires, campfires were allowed above 8,000 feet. I pitched camp, wandered over to the store for firewood, started a fire and set in for the night. I had just received Chris Hadfield’s book An Astronaut’s Guide to Life on Earth from Amazon before I left, so that was my evening reading material under red headlamp light.

Coming from sea level, the altitude was not my friend. Moving around setting up my gear I was starting to get slightly lightheaded. It was cold at night and I tossed and turned many times trying to sleep. Before my last Death Valley trip I had given up trying to find the slow leak in my Thermarest EvoLite (I even submerged it in the swimming pool) and bought a NeoAir on clearance from REI. For truck camping I didn’t really care about the weight or bulk of a pad very much. The NeoAir worked perfectly to keep me insulated from the cold ground, gave me cushion to sleep on my side, and best of all it wasn’t fucking deflated by the time I woke up!

Wednesday I had a bit of a headache and decided to take it easy until I acclimated a bit. I drove out to Lee Vining and back to scope out what was around me and what I had missed on the last trip. I had considered hiking up Lembert Dome or up to Elizabeth Lake, but not today. Instead I went over to Soda Springs and wandered around the meadows. It was nearly a full moon that night, which did a great job of illuminating the mountains, so I spent some time photographing around Tenaya Lake.

Bear!

Thursday I drove over to Yosemite Valley, where I had wanted to hike the Valley Loop Trail. I found parking near Camp 4 and picked up the trail from there. Not too long after, I spotted a bear walking along the opposite bank of the Merced River before it disappeared back into the trees.

I intended to do the half loop, so I crossed over the river near El Capitan. In the meadow I spotted a pretty good spot to photograph the whole southern face of El Capitan. Using my long lens I was able to pick out a couple of climbers on the face of the rock. I still don’t know how they do it, even with bolts and rope.

Right after I passed Swinging Bridge on the south side, I sucked my Camelback dry. It was after 6 PM, I was annoyed by the flies, so I called it quits and cut back over to Camp 4. I drove up to Tunnel View after sunset to check it out, and wished I had gotten there about 30 minutes sooner for better light. I headed back to camp at Tuolumne Meadows for the night. Sitting by the campfire reading, a deer wandered by, completely undisturbed by my presence.

Friday morning I packed up camp, it was the last day of my reservation. I got a bit of an earlier start, grabbed breakfast at the store, and returned to the valley. I was expecting it to be crazytown on a Friday afternoon, but I got there right before noon and managed to beat most of the crowd. I wanted to finish off the half Valley Loop, so I picked it up again at Camp 4 and headed east. I passed by Lower Yosemite Falls, it was bone dry. It turns out the Valley Loop Trail is considerably longer than the prescribed hiking guide tells you, not only does it go west toward Bridalveil Fall, it goes allllll the way east past Mirror Lake. I wasn’t about to go that far out, so I looped around Upper Pines and Half Dome Village on the way back.

It was sometime around 4 PM when I made it back to where I left off Thursday at Swinging Bridge. I grabbed dinner and coffee, hung around for a while and headed back up to Tunnel View again before sunset. The light was great, but still smoky looking off down the valley. While I was there a bride and groom showed up with their photographers and took wedding photos.

After nightfall I stayed in the valley for a few more hours taking night shots. It was a full moon and it did a great job of illuminating the rock and trees. I was reluctant to wander back into the meadow at night by myself, but I did while making a bunch of racket along the way. I got my shots and bugged out!

I drove home after this and got in around 2 AM. I keep forgetting Yosemite is only about a 3 hour drive, I need to go out there more. I had wanted to go up to Glacier Point at night, but from reading the info signs I got the impression that you could only hike up or had to buy a bus ticket to get to the top. Only after I got home and looked at the maps I realized not only can you drive up there, there’s a snack shop up there. It wouldn’t have mattered though, I saw where the road was still closed due to the fires.
