Installing the Latest Version of Iceweasel (Firefox) on Debian Jessie

The jessie-backports repository does not have the latest Iceweasel builds. However, the Debian Mozilla team releases its own backports. To use their backports, follow the steps below:

# apt-get install pkg-mozilla-archive-keyring
# echo "deb http://mozilla.debian.net/ jessie-backports iceweasel-release" >> /etc/apt/sources.list
# apt-get install -t jessie-backports iceweasel

At the time of writing this post, the Mozilla team’s repository provides Iceweasel 42, compared with 38.4 in the regular Jessie repository.

Getting Started with Let’s Encrypt – Tutorial

A few days ago, I got my invitation to Let’s Encrypt Beta Program. For those of you who are not familiar with Let’s Encrypt:

Let’s Encrypt is a new free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.

This short tutorial is intended to get you up and running with your own Let’s Encrypt-signed certificates.

The first thing is to get the Let’s Encrypt client:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

The main command we will be working with is ./letsencrypt-auto. The first time you run it, it will also ask for sudo, install various dependencies using your package manager, and set up a virtualenv environment.

The next step is to issue the certificate and prove to Let’s Encrypt that you have some control over the domain. The client supports two methods to perform the validation. The first one is the standalone server. It works by setting up a web server on port 443 and responding to a challenge from the Let’s Encrypt servers. However, if you already have your own web server running on port 443 (the default for TLS/SSL), you would have to temporarily shut it down. To use the standalone method, run:

./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly

The second method is called Webroot authentication. It works by placing a folder (.well-known/acme-challenge) in the document root of your server with files corresponding to responses for challenges.

./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path /var/www/html/ certonly

Whichever method you choose, it will ask for a list of domains you want to validate and your email address. You can enter multiple domains. The first one will be the Common Name (CN), and the rest will appear in the Subject Alt Name field.

This slideshow requires JavaScript.

The newly generated certificates will be placed in

/etc/letsencrypt/live/yourdomain.com/

The important files in this directory are fullchain.pem, which contains the full certificate chain to be served to the browser, and privkey.pem, which is the private key.

An example Nginx configuration will now look like:

        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/guyrutenberg.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/guyrutenberg.com/privkey.pem;

Just don’t forget to reload the web server so configuration changes take effect. No more government snooping on my blog 😉 .

certificate

GNOME `Alt+Shift` and `Alt+Shift+Tab`

After installing Debian Jessie with GNOME 3.14, I noticed an annoying bug: when I tried to switch windows using Alt+Tab, it worked as it should, but when I tried to switch in reverse order using Alt+Shift+Tab, it did not work. I quickly figured out that the problem lies in the frequently used shortcut Alt+Shift for switching keyboard layouts. Indeed, when I tried cycling through windows, I switched keyboard layouts instead.

The gist of the solution was found after some searching on Stack Exchange, albeit it needs some adjustment for newer versions of GNOME: start GNOME Tweak Tool and select Typing from the Tweaks menu. Under “Miscellaneous compatibility options,” select “Shift cancels Caps Lock.”

alt-shift

This fixed the issue for me, without any side effects. I don’t need to use Shift-Alt instead of Alt-Shift as suggested in the original solution, and the Shift key does not cancel Caps Lock, as may be suggested by this option.

Update 2020-06-08: In GNOME 3.36, the relevant setting appears under Keyboard & Mouse -> Additional Layout Options -> Miscellaneous compatibility options.

Securing Access using TLS/SSL Client Certificates

This tutorial will guide you in setting up authentication using TLS/SSL Client Certificates. It is a simple one, as it does not delve into details about integration with server-side apps. Instead, it simply gives you instructions on how to set up Client Certificates as a means to prevent unwanted parties from accessing your website.

For example, one scenario where it may come in useful is limiting access to sensitive things on the server, like phpMyAdmin. phpMyAdmin, for example, handles sensitive data (such as database authentication) and does so in plain HTTP, which may pose several security risks. Even if the data were encrypted, someone with access to the application might find vulnerabilities in it and exploit the relatively high privileges it has to compromise the server. The solution to this is to also limit who has access to the application at all. A possible solution, which I’ve used, is to limit access only to the local machine and use SSH or a VPN tunnel to access phpMyAdmin. A better solution would be to use TLS/SSL Client Certificates. They operate on the connection level and provide both encryption and authentication. They are easier to set up than VPN tunnels and easier to use.

Note that limiting access based on a TLS/SSL Client Certificate can only be done on the subdomain level, because it happens as part of the connection, before any specific HTTP request can be made.

Most of the tutorial is not HTTP server-specific; however, the server configuration part relates to Nginx. As other servers (such as Lighttpd) use a very similar configuration for Client Certificates, adapting the instructions should be straightforward.

Creating a CA

The two commands below will create a CA private key and a corresponding self-signed certificate for you to sign the TLS client certificates with.

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-128-cbc -out ca.key
openssl req -new -x509 -days 365 -sha256 -key ca.key -out ca.pem

The first command will ask you for a passphrase for the key. It is used to protect access to the private key. You can decide not to use one by dropping the -aes-128-cbc option from the command.

The second command will ask you to provide some details to be included in the certificate. Those details will be sent to the browser by the web server to let it know which client certificate to send back when authenticating.

Server Configuration

Upload the ca.pem that was just generated to your server. You should not upload the private key (ca.key).

The following instructions are for Nginx.

ssl_client_certificate /path/to/ca.pem;
ssl_verify_client on; # we require client certificates to access

Assuming you already enabled TLS/SSL for the specific subdomain, your configuration should look something like this:

server {
        server_name subdomain.example.com;

        # SSL configuration
        #
        listen 443 ssl;
        listen [::]:443 ssl;

        ssl_certificate /etc/nginx/example.pem;
        ssl_certificate_key /etc/nginx/example.key;

        ssl_client_certificate /etc/nginx/ca.pem;
        ssl_verify_client on;

After reloading the server, check that everything is configured correctly by trying to access your site via HTTPS. It should report “400 Bad Request” and say that “No required SSL certificate was sent”.

Creating a Client Certificate

The following commands will create the private key used for the client certificate (client.key) and a corresponding Certificate Signing Request (client.csr), which the owner of the CA certificate can sign (which, in the case of this tutorial, will be you).

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out client.key
openssl req -new -key client.key -sha256 -out client.csr

You will be asked again to provide some details, this time about you. Those details will be available to the server once your browser sends it the client certificate. You can safely leave the “challenge password” empty1.

You can add the flag -aes-128-cbc to the first command if you want the private key for the client certificate to be encrypted. If you opt for it, you will be prompted for a passphrase just like before.

Signing a Client Certificate

The next step is to sign the certificate signing request from the last step. It is a good practice to review it and make sure all the details are as expected, so you do not sign anything you would not intend to.

openssl req -in client.csr -text -verify -noout | less

If everything looks just fine, you can sign it with the following command.

openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca.key 
    -set_serial 0x`openssl rand 16 -hex` -sha256 -out client.pem

You will be prompted for the passphrase for ca.key if you chose one in the first step.

Installing Client Key

Now comes the final part, where we take the signed client certificate, client.pem, and combine it with the private key so it can be installed in our browser.

openssl pkcs12 -export -in client.pem -inkey client.key -name "Sub-domain certificate for some name" -out client.p12

Adjust the -name parameter to your liking. It will be used to identify the certificate in various places, such as the browser. If your private key was encrypted, you will be prompted to enter a passphrase for it. Encryption for certificates in p12 format is mandatory, so you will be prompted to enter a password for the generated file as well. It is OK to reuse the same password here, as those files are practically equivalent. Once imported to your browser, you will not need the password for normal usage, until you would like to import it to another browser.

GlobalSign provides instructions on how to actually install the p12 client certificate for browsers in Linux and Windows.

References

  1. It is used to “enhance” the security of a certificate revocation request, by requiring not only knowledge of the private key, but also the challenge password. Thus, someone who got hold of your private key cannot revoke the certificate by himself. However, this is also the reason why this option is not used more often: When someone steals your private key, usually they will prefer the certificate not to be revoked. 

Default PBKDF2 Iteration Count for Encrypted Keys Generated by OpenSSL

When generating keys with openssl, you have the option to encrypt them. It is done by specifying a cipher algorithm, for example:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-128-cbc -out key.pem

generates a 2048-bit RSA key and encrypts it with AES in CBC mode. OpenSSL will prompt you to provide a passphrase for the encryption. It is important to understand how that passphrase/password will be used to derive a key for the AES encryption. The whole encryption scheme is defined by something called PBES2 1, which in turn uses PBKDF2. The important factor in the computational complexity of PBKDF2 is the number of hash iterations used.

OpenSSL doesn’t have an option in its command-line utilities to control that number of iterations. However, that number is allowed to change pretty much arbitrarily by the standard, so it is part of the ASN.1 representation of the generated encrypted key.

$ openssl asn1parse -i -in key.pem  | head
    0:d=0  hl=4 l=1311 cons: SEQUENCE          
    4:d=1  hl=2 l=  73 cons:  SEQUENCE          
    6:d=2  hl=2 l=   9 prim:   OBJECT            :PBES2
   17:d=2  hl=2 l=  60 cons:   SEQUENCE          
   19:d=3  hl=2 l=  27 cons:    SEQUENCE          
   21:d=4  hl=2 l=   9 prim:     OBJECT            :PBKDF2
   32:d=4  hl=2 l=  14 cons:     SEQUENCE          
   34:d=5  hl=2 l=   8 prim:      OCTET STRING      [HEX DUMP]:F3098873E5AB1A81
   44:d=5  hl=2 l=   2 prim:      INTEGER           :0800
   48:d=3  hl=2 l=  29 cons:    SEQUENCE

The line saying INTEGER :0800 states the number of iterations used (in hex notation) for the generated key.pem. It means that at least for OpenSSL 1.0.1, the default number of iterations is 0x800=2048. This number is relatively low by modern standards2.

  1. As the name suggests, there is also PBES1, which is now obsolete. The main difference is that PBES1 only allowed DES and RC2 to be used as ciphers. See RFC 2898 for more details. 
  2. Apple uses 10,000 iterations for iTunes passwords, and LastPass defaults to 5,000 

Setting Up Lighttpd with PHP-FPM

PHP-FPM can provide an alternative to spawn-fcgi when setting up Lighttpd with PHP. It has several advantages over using spawn-fcgi, among them:

  • It can dynamically scale and spawn new processes as needed.
  • It can gracefully respawn PHP processes after a configuration change.
  • It comes with an init.d script, so there is no need to write your own.
  • It can log slow PHP script execution (similar to MySQL’s slow query log).

Installation

PHP-FPM is available from the Ubuntu (since 12.04) and Debian repositories, so all you need to do is:

$ sudo apt-get install php5-fpm

Configuration

PHP-FPM works with process pools. Each pool spawns processes independently and has different configurations. This can be useful to separate the PHP processes of each user or major site on the server. PHP-FPM comes with a default pool configuration in /etc/php5/fpm/pool.d/www.conf. To create new pools, simply copy the default pool configuration and edit it. At a minimum, you will need to set the following:

  • Pool name – [www]. I name mine according to the user the pool serves.
  • user – I set the user to the appropriate user, and leave group as www-data.
  • listen = /var/run/php.$pool.sock – Unix sockets have lower overhead than TCP sockets, so if both Lighttpd and PHP run on the same server, they are preferable. $pool will be expanded to your pool name. Also, it is more secure to create the sockets in a directory that is not globally writable (such as /tmp/), so /var/run is a good choice.
  • listen.owner should match the PHP user, while listen.group should match the group Lighttpd runs in, so both have access to the socket.

If you copied www.conf to create a new configuration, you will need to rename it to something like www.conf.default in order to disable it.

In the Lighttpd configuration, you need to add the following to each vhost that uses PHP:

fastcgi.server    = ( ".php" => 
        ((
                "disable-time" => 0,
                "socket" => "/var/run/php.pool.sock",
        ))
)

Here, pool in the socket configuration is replaced by the matching pool name in the PHP-FPM configuration. Overriding disable-time and setting it to 0 is suitable in the case where you have only one PHP backend and it’s local. In this scenario, attempting to connect to the backend is cheap, and if it gets disabled, no requests will get through anyway.

Useful Files

  • /etc/php5/fpm/pool.d – The PHP-FPM pool configuration directory.
  • /var/log/php5-fpm.log – The PHP-FPM error log. It will display errors and warnings notifying you when pm.max_children has been reached, when processes die unexpectedly, etc.

Creating a Hebrew Document in LyX 2.1 with XeTeX

This post complements the basic LaTeX template I gave yesterday for typesetting Hebrew with XeTeX. I’ll walk through the (short) list of steps needed to configure LyX for XeTeX.

Prerequisites

  • LyX 2.1 or later (I’ve also tested the development version of 2.2). I had very limited success with LyX 2.0, so you should probably avoid it.
  • XeTeX – I’ve tested with version 3.1415926-2.4-0.9998, which comes with TeXLive 2012, but I guess any recent version will do.
  • The polyglossia and bidi packages. Again, I’ve used the versions that come with TeXLive 2012.
  • Good TrueType Hebrew fonts. I recommend Culmus 0.121 or newer. You may also try using the fonts that come with your operating system; they might work as well.

Setting up the document

Create a new document and open the settings dialog (Document -> Settings...).

  1. Pick a suitable Document class. I recommend “KOMA-Script Article,” but “Article” works just as well. Avoid “Hebrew Article,” as it is broken under XeTeX.
  2. Under Fonts, check the box next to `Use non-TeX fonts (via XeTeX/LuaTeX)` and select suitable fonts:
    • Roman: Frank Ruehl CLM. David CLM is also a good choice, with a somewhat better italic variant.
    • Sans Serif: Simple CLM.
    • Typewriter: Miriam Mono CLM.
    • There is no need to change the Math font.
  3. Under Language, select Hebrew as the document’s language.

That’s basically it. You can now write your document and compile it. I would suggest saving these settings as defaults (via “Save as Document Defaults”) or saving the document as a template so you won’t need to repeat these steps.

Writing in English

To insert English text into your Hebrew document, you need to change the current language. The easiest way to do so is to create a keyboard shortcut for it:

  1. Go to Tools -> Preferences -> Editing -> Shortcuts
  2. Type “language” under “Show key-bindings containing:”.
  3. Select “language” under “Cursor, Mouse and Editing Functions” and click “Modify” to set a keyboard shortcut (F12 is traditionally used for this).

Now you can toggle the current language between English and Hebrew by simply pressing F12.

Remark about Fonts

It is preferable to use fonts that provide both Hebrew and Latin scripts, as otherwise there might be significant style differences that make the document look weird. It is possible to set a different font for Hebrew and Latin, but care needs to be taken to match styles. To do so, add the following lines to the Preamble:

newfontfamilyhebrewfont[Script=Hebrew]{David CLM}
newfontfamilyhebrewfonttt[Script=Hebrew]{Miriam Mono CLM}
newfontfamilyhebrewfontsf[Script=Hebrew]{Simple CLM}

Hebrew with XeTeX Example

This is an example of a document in XeTeX (actually XeLaTeX). I’ve used the fonts from the Culmus Project. Note that you’ll need Culmus 0.121 or newer in order to get the Frank Ruehl font in TrueType. As you can see, nikud are placed correctly. The cantillation marks (טעמי המקרא) are slightly offset compared to the ideal position.

Overall, XeTeX works much better with Hebrew (and is easier to use) than pdfTeX.

heb-test

documentclass{minimal}
usepackage{polyglossia}
setdefaultlanguage{hebrew}
setotherlanguage{english}
usepackage{fontspec}
setmainfont{Frank Ruehl CLM}
setmonofont{Miriam Mono CLM}
setsansfont{Simple CLM}
% Use the following if you only want to change the font for Hebrew
%newfontfamilyhebrewfont[Script=Hebrew]{David CLM}
%newfontfamilyhebrewfonttt[Script=Hebrew]{Miriam Mono CLM}
%newfontfamilyhebrewfontsf[Script=Hebrew]{Simple CLM}



makeatletter
makeatother
usepackage{bidi}
begin{document}
טקסט רגיל
textbf{טקסט מודגש}
textit{טקסט נטוי}
textit{textbf{טקסט מודגש ונטוי}}
בְּרֵאשִׁ֖ית בָּרָ֣א אֱלֹהִ֑ים אֵ֥ת הַשָּׁמַ֖יִם וְאֵ֥ת הָאָֽרֶץ:

begin{english}
In the beginning God created the heaven and the earth.
end{english}

sffamily
טקסט רגיל
textbf{טקסט מודגש}
textit{טקסט נטוי}
textit{textbf{טקסט מודגש ונטוי}}
בְּרֵאשִׁ֖ית בָּרָ֣א אֱלֹהִ֑ים אֵ֥ת הַשָּׁמַ֖יִם וְאֵ֥ת הָאָֽרֶץ:

begin{english}
In the beginning God created the heaven and the earth.
end{english}


ttfamily
טקסט רגיל
textbf{טקסט מודגש}
textit{טקסט נטוי}
textit{textbf{טקסט מודגש ונטוי}}
בְּרֵאשִׁ֖ית בָּרָ֣א אֱלֹהִ֑ים אֵ֥ת הַשָּׁמַ֖יִם וְאֵ֥ת הָאָֽרֶץ:

begin{english}
In the beginning God created the heaven and the earth.
end{english}
end{document}

Creating Menu Entries for Calibre

I recently installed Calibre using their binary installer for Linux and found that it doesn’t come with .desktop files, so Calibre doesn’t appear in the GNOME menu. To remedy this, I installed the following desktop files in ~/.local/share/applications/ (modified from the Debian Sid package):

[Desktop Entry]
Type=Application
Name=E-Book Viewer
Comment=E-Book Viewer
TryExec=/home/user/.local/calibre/ebook-viewer
Exec=/home/user/.local/calibre/ebook-viewer %F
Icon=/home/user/.local/calibre/resources/images/viewer.png
MimeType=application/x-mobipocket-ebook;application/epub+zip;
Categories=Office;Graphics;Viewer;

and

[Desktop Entry]
Type=Application
Name=Calibre
GenericName=E-book library management
GenericName[de]=E-Book Bibliotheksverwaltung
Comment=E-book library management
Comment[es]=aplicación para la gestión de libros electrónicos
Comment[de]=E-Book Bibliotheksverwaltung
TryExec=/home/user/.local/calibre/calibre
Exec=/home/user/.local/calibre/calibre %f
Icon=/home/user/.local/calibre/resources/images/lt.png
Categories=Office;Database;FileTools;Viewer;Qt;
MimeType=x-content/ebook-reader;

You may need to adjust the paths for TryExec, Exec, and Icon to match where you installed Calibre.

RTL Tiddlers in TiddlyWiki 5

A few years ago, I wrote about how to create RTL (right-to-left) tiddlers in TiddlyWiki. Creating RTL tiddlers is almost a necessity if you want to create tiddlers in a right-to-left language such as Hebrew or Arabic. TiddlyWiki5, the new version of TiddlyWiki, broke the old solution, but a similar one can be made. In order to be able to add RTL tiddlers to your TiddlyWiki, follow these steps:
Continue reading RTL Tiddlers in TiddlyWiki 5