Gnome `Alt+Shift` and `Alt+Shift+Tab`

After installing Debian Jessie with Gnome 3.14, I noticed an annoying bug: When I tried to switch windows using Alt+Tab it worked as it should, but when I tried to switch in reverse order, using Alt+shit+Tab it did not work. I quickly figured out that the problem lies in the frequently used shortcut, Alt+Shift for switching keyboard layouts. Indeed, when I tried cycling through windows, I switched keyboard layouts instead.

The gist of the solution was found after some searching in Stack Exchange albeit it needs some adjustment for newer version of Gnome: Start the Gnome’s Tweak Tool and select Typing from the Tweaks menu. Under “Miscellaneous compatibility options” select “Shift cancels Caps Lock”.


This fixed the issue for me, without any side-effects. I don’t need to use Shift-Alt instead of Alt-Shift as suggested in the original solution and neither the Shift key cancels the Caps Lock as may be suggested by this option.

Securing Access using TLS/SSL Client Certificates

This tutorial will guide you in setting up authentication using TLS/SSL Client Certificates. It is a simple one as it would not delve into details about integration with server-side apps. Instead, it simply gives you instructions on how to set up Client Certificate as means to prevent unwanted parties from accessing your website.

For example, one such scenario where it may come useful, is limiting access to sensitive things on the server, like phpMyAdmin. phpMyAdmin for example handles sensitive data (such as database authentication) and does in plain HTTP, which may pose several security risks. Even if the data would be encrypted, someone with access to the application, might find vulnerabilities in it and exploit the relatively high-privileges it got to compromise the server. The solution to this, is also limit who has access to the application at all. A possible solution, which I’ve used, is to limit access to only to the local machine and using SSH or a VPN Tunnel to access phpMyAdmin. A better solution would be to use TLS/SSL Client Certificates. They operate on the connection level and provide both encryption and authentication. They are easier to setup than VPN tunnels and easier to use.

Note that limiting access based on TLS/SSL Client Certificate can only be done on the sub-domain level, because it happens as part of the connection, before any specific HTTP request can be made.

Most of the tutorial is not HTTP server-specific, however the server configuration part relates to Nginx. As other servers (such as Lighttpd) use a very similar configuration for Client Certificates, adapting the instruction should be straightforward.

Creating a CA

The two commands below will create CA private key and a corresponding self-signed certificate for you to sign the TLS client certificates with.

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-128-cbc -out ca.key
openssl req -new -x509 -days 365 -sha256 -key ca.key -out ca.pem

The first command will ask you for a pass phrase for the key. It is used to protect access to the private key. You can decide to not use one by dropping the -aes-128-cbc option from the command.

The second command will ask you to provide some details to be included in the certificate. Those details will be sent to the browser by the web-server to let it know which client certificate to send back when authenticating.

Server Configuration

Upload the ca.pem that was just generated to your server. You should not upload the private key (ca.key).

The following instructions are for Nginx

ssl_client_certificate /path/to/ca.pem;
ssl_verify_client on; # we require client certificates to access

Assuming you already enabled TLS/SSL for the specific sub-domain, your configuration should look something like this:

server {

        # SSL configuration
        listen 443 ssl;
        listen [::]:443 ssl;

        ssl_certificate /etc/nginx/example.pem;
        ssl_certificate_key /etc/nginx/example.key;

        ssl_client_certificate /etc/ngingx/ca.pem;
        ssl_verify_client on;

After reloading the server, check that everything is configured correctly by trying to access your site via HTTPS. It should report “400 Bad Request” and say that “No required SSL certificate was sent”.

Creating a Client Certificate

The following commands will create the private key used for the client certificate (client.key) and a corresponding Certificate Signing Request (client.csr) which the owner of the CA certificate can sign (which in the case of this tutorial will be you.

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out client.key
openssl req -new -key client.key -sha256 -out client.csr

You will be asked again to provide some details, this time about you. Those details will be available to server once your browser sends it the client certificate. You can safely leave the “challenge password” empty1.

You can add the flag -aes-128-cbc to the first command if you want the private key for the client certificate to be encrypted. If you opt for it, you will be prompted for a pass phrase just like before.

Signing a Client Certificate

The next step is to sign the certificate signing request from the last step. It is a good practice to overview it and make sure all the details are as expected, so you do not sign anything you would not intend to.

openssl req -in client.csr -text -verify -noout | less

If everything looks just fine, you can sign it with the following command.

openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca.key \
    -set_serial 0x`openssl rand 16 -hex` -sha256 -out client.pem

You will be prompted for your pass phrase for ca.key if you chose one in the first step.

Installing Client Key

Now comes the final part, where we take the signed client certificate, client.pem and combine it with the private key so in can be installed in our browser.

openssl pkcs12 -export -in client.pem -inkey client.key -name "Sub-domain certificate for some name" -out client.p12

Adjust the -name parameter to your liking. It will be used to identify the certificate in various places such as the browser. If your private key was encrypted, you will be prompted to enter a pass phrase for it. Encrytion for certificates in p12 format is mandatory, so you will be prompted to enter a password for the generated file as well. It is OK to reuse the same password here, as those files are practically equivalent. Once imported to you browser, you would not need the password for normal usage, until you would like to import it to another browser.

GlobalSign provides instruction on how to actually install the p12 client certificate for browsers in Linux and Windows.


  1. It is used to “enhance” the security of certificate revocation request, by requiring not only knowledge of the private key, but also the challenge password. Thus, someone who got hold of your private key cannot revoke the certificate by himself. However, this is also the reason why this option is not used more often: When someone steals your private key, usually they will prefer the certificate not to be revoked. 

Default PBKDF2 Iteration Count for Encrypted Keys Generated by OpenSSL

When generating keys with openssl you have the option to encrypt them. It is done by specifying a cipher alogrithm, for example

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-128-cbc -out key.pem 

generates a 2048 bit RSA key and encrypts it with AES in CBC mode. OpenSSL will prompt you to provide a pass-phrase for the encryption. It is important to understand how that pass-phrase/password will be used to derive a key for the AES encryption. The whole encryption scheme is defined by something called PBES2 1, which in turn uses PBKDF2. The important factor on the computation complexity of PBKDF2, is the number of hash-iterations used.

OpenSSL doesn’t have an option in its command-line utilities to control that number of iterations. However, that number is allowed to change pretty much arbitrarly by the standard, so it is part of the ASN1 representation of the generated encrypted key.

$ openssl asn1parse -i -in key.pem  | head
    0:d=0  hl=4 l=1311 cons: SEQUENCE          
    4:d=1  hl=2 l=  73 cons:  SEQUENCE          
    6:d=2  hl=2 l=   9 prim:   OBJECT            :PBES2
   17:d=2  hl=2 l=  60 cons:   SEQUENCE          
   19:d=3  hl=2 l=  27 cons:    SEQUENCE          
   21:d=4  hl=2 l=   9 prim:     OBJECT            :PBKDF2
   32:d=4  hl=2 l=  14 cons:     SEQUENCE          
   34:d=5  hl=2 l=   8 prim:      OCTET STRING      [HEX DUMP]:F3098873E5AB1A81
   44:d=5  hl=2 l=   2 prim:      INTEGER           :0800
   48:d=3  hl=2 l=  29 cons:    SEQUENCE       

The line saying INTEGER :0800 states the number of iteration used (in hex notation) for the generated key.pem. It means that at least for OpenSSL 1.0.1, the default number of iterations is 0x800=2048. This number is relatively low in modern standards2.

  1. As the name suggest there is also PBES1, which is now obsolete. The main difference is that PBES1 only allowed DES and RC2 to be used as cipers. See RFC 2898 for more details. 
  2. Apple uses 10,000 iterations for iTunes passwords, and LastPass defaults to 5,000 

Setting Up Lighttpd with PHP-FPM

PHP-FPM can provide an alternative to spawn-fcgi when setting up Lighttpd with PHP. It has several advantages over using spawn-fcgi among them:

  • It can dynamically scale and spawn new processes as needed.
  • Gracefully respawn PHP processes after configuration change.
  • Comes with init.d script so no need write your own.
  • Ability to log slow PHP script execution (similar to MySQL’s slow query log).


PHP-FPM is available from the Ubuntu (since 12.04) and Debian’s repositories, so all you need to do is:

$ sudo apt-get install php5-fpm


PHP-FPM works with process pools. Each pool spawns processes independently and have different configurations. This can be useful to separate the PHP process of each user or major site on the server. PHP-FPM comes with a default pool configuration in /etc/php5/fpm/pool.d/www.conf. To create new pools, simply copy the default pool configuration and edit it. At least you will need to set the following:

  • Pool name – [www]. I name mine according to the user which the pool serves.
  • user – I set the user to the appropriate user, and leave group as www-data.
  • listen = /var/run/php.$pool.sock – Unix sockets have lower overhead than tcp sockets, so if both Lighttpd and PHP run on the same server they are preferable. $pool will be expanded to your pool name. Also, it is more secure to create the sockets in a directory not writable globally (such as /tmp/) so /var/run is a good choice.
  • listen.owner should match the PHP user, while should match the group Lighttpd runs in, so both have access to the socket.

If you copied www.conf to create new configuration, you will need to rename it to something like www.conf.default in order to disable it.

In the Lighttpd configuration you need to add the following to each vhost that uses PHP:

fastcgi.server    = ( ".php" => 
                "disable-time" => 0,
                "socket" => "/var/run/php.pool.sock",

Where pool in the socket configuration is replaced by the matching pool name in the PHP-FPM configuration. Overriding disable-time and setting it to 0, is suitable in the case you have only one PHP backend and it’s local. In this scenario, attempting to connect to the backend is cheap, and if it gets disabled no requests will get through any way.

Useful Files

  • /etc/php5/fpm/pool.d – The PHP-FPM pool configuration directory.
  • /var/log/php5-fpm.log – The PHP-FPM error log. It will display error and warning notifying you when pm.max_children has been reached, when processes die unexpectedly, etc.

Creating a Hebrew Document in LyX 2.1 with XeTeX

This post complements the basic LaTeX template I gave yesterday for typesetting Hebrew with XeTeX. I’ll walk through the (short) list of steps needed to configure LyX with XeTeX.


  • LyX 2.1 or later (I’ve also tested with the development version of 2.2). I had very limited success with LyX 2.0, so you should probably avoid it.
  • XeTeX – I’ve tested with version 3.1415926-2.4-0.9998 which comes with TeXLive 2012, but I guess any recent version will do.
  • The polyglossia and bidi packages. Again I’ve used those which come with TeXLive 2012.
  • Good TrueType Hebrew fonts. I recommend Culmus 0.121 or newer. You may also try and use the fonts that come with your operating system, they might work as well.

Setting up the document

Create a new document and open the settings dialog (Document -> Settings...).

  1. Pick a suitable Document class. I recommend “KOMA-Script Article” but “Article” works just as fine. Avoid “Hebrew Article”, as it is broken under XeTeX.
  2. Under Fonts check the box next to `Use non-TeX fonts (via XeTeX/LuaTeX) and select suitable fonts:
    • Roman: Frank Ruehl CLM. David CLM is also a good choice with somewhat better italics variant.
    • Sans Serif: Simple CLM.
    • Typewriter: Miriam Mono CLM.
    • There is no need to change the Math font.
  3. Under Language select Hebrew as the document’s language.

That’s basically it. You can now write your document and compile it. I would suggest saving these settings as default (via “Save as Document Defaults”) or saving it as a template so you won’t need to repeat those steps.

Writing in English

To insert English text in your Hebrew document, you need to change the current language. The easiest way to do so is to create a keyboard shortcut for it:

  1. Go to Tools -> Preferences -> Editing -> Shortcuts
  2. Write “language” under “Show key-bindings containing:”.
  3. Select “language” under “Cursor, Mouse and Editing Functions” and click “Modify” to set a keyboard shortcut (F12 is traditionally used for this).

Now you can toggle the current language between English and Hebrew by simply pressing F12.

Remark about Fonts

It is preferable to use fonts that provide both Hebrew and Latin scripts, as otherwise there might be significant style differences which make the document look weird. It is possible to set a different font for Hebrew and Latin, but care needs to be taken to match styles. To do so, add the following lines to the Preamble:

\newfontfamily\hebrewfont[Script=Hebrew]{David CLM}
\newfontfamily\hebrewfonttt[Script=Hebrew]{Miriam Mono CLM}
\newfontfamily\hebrewfontsf[Script=Hebrew]{Simple CLM}

Hebrew with XeTeX Example

This is an example of a document in XeTeX (Actually XeLaTeX). I’ve used The fonts from the Culmus Project. Note that you’ll need Culmus 0.121 or newer in order to get the Frank Ruehl font in TrueType. As you can see, Nikud are placed correctly. The cantillation marks (טעמי המקרא) are in a small offset compared to the ideal position.

Overall, XeTeX works much better with Hebrew (and easier to use) than pdfTeX.


\setmainfont{Frank Ruehl CLM}
\setmonofont{Miriam Mono CLM}
\setsansfont{Simple CLM}
% Use the following if you only want to change the font for Hebrew
%\newfontfamily\hebrewfont[Script=Hebrew]{David CLM}
%\newfontfamily\hebrewfonttt[Script=Hebrew]{Miriam Mono CLM}
%\newfontfamily\hebrewfontsf[Script=Hebrew]{Simple CLM}
טקסט רגיל
\textbf{טקסט מודגש}
\textit{טקסט נטוי}
\textit{\textbf{טקסט מודגש ונטוי}}
בְּרֵאשִׁ֖ית בָּרָ֣א אֱלֹהִ֑ים אֵ֥ת הַשָּׁמַ֖יִם וְאֵ֥ת הָאָֽרֶץ:
In the beginning God created the heaven and the earth.
טקסט רגיל
\textbf{טקסט מודגש}
\textit{טקסט נטוי}
\textit{\textbf{טקסט מודגש ונטוי}}
בְּרֵאשִׁ֖ית בָּרָ֣א אֱלֹהִ֑ים אֵ֥ת הַשָּׁמַ֖יִם וְאֵ֥ת הָאָֽרֶץ:
In the beginning God created the heaven and the earth.
טקסט רגיל
\textbf{טקסט מודגש}
\textit{טקסט נטוי}
\textit{\textbf{טקסט מודגש ונטוי}}
בְּרֵאשִׁ֖ית בָּרָ֣א אֱלֹהִ֑ים אֵ֥ת הַשָּׁמַ֖יִם וְאֵ֥ת הָאָֽרֶץ:
In the beginning God created the heaven and the earth.

Creating Menu Entries for Calibre

I recently installed Calibre using their binary installer for linux, and found out that it doesn’t come with .desktop files, so Calibre doesn’t appear in the GNOME menu. To remedy this I installed the following desktop files in ~/.local/share/applications/ (modified from the Debian Sid package):

[Desktop Entry]
Name=E-Book Viewer
Comment=E-Book Viewer
Exec=/home/user/.local/calibre/ebook-viewer %F


[Desktop Entry]
GenericName=E-book library management
GenericName[de]=E-Book Bibliotheksverwaltung
Comment=E-book library management
Comment[es]=aplicación para la gestión de libros electrónicos
Comment[de]=E-Book Bibliotheksverwaltung
Exec=/home/user/.local/calibre/calibre %f

You may need to adjust the paths for TryExec, Exec and Icon to match where you installed Calibre.

RTL Tiddlers in TiddlyWiki 5

Few years ago I wrote about how to create RTL (right-to-left) tiddlers in TiddlyWiki. Creating RTL tiddlers is almost a necessity if you want to create tiddlers in a right-to-left language such as Hebrew or Arabic. TiddlyWiki5, the new version of TiddlyWiki, broke the old solution, but a similar one is can be made. In order to be able to add RTL tiddlers to your TiddlyWiki follow these steps:
Continue reading

Kindle Paperwhite “Unable to Open Item”

Recently, I tried transfering some new ebook to my Kindle Paperwhite (first generation), the books were listed properly. However, when I tried to open them I got
“Unable to Open Item” error, suggesting I re-download the books from Amazon. I tried transferring the files again and again, but it didnt’ help. Some of the books were mobi files while others were “AZW` (which I got from אינדיבוק) and all of them opened fine on my computer.

Finally, I followed an advice from a comment in the KindledFans blog, and converted the files to AZW3 (the original comment suggested mobi but AZW3 works better with Hebrew). After converting, I moved the files to my Kindle and they opened just fine.

Enabling Compose-Key in GNOME 3.4

For some reason I couldn’t easily find how to enable the compose-key in Gnome 3.4. All the references I’ve found did not match the actual menus and dialogs that I saw on my system. That is including the official GNOME help pages. So I’ve decided to document it here for my future reference.

  1. Go to System Settings->Keyboard Layout.
  2. Select the Layouts tab and click Options.
  3. Under Compose key position, select the key you want to use as the compose-key.

Wikipedia has a nice table summarizing the compose-key sequences.