firefox 31 + self-signed certificate = sec_error_ca_cert_invalid

If you are trying to access a site with a self-signed certificate using Firefox 31 (or later) and get the "Issuer certificate is invalid" error (sec_error_ca_cert_invalid), you have to disable the new mozilla::pkix certificate verification. Note that this switches the whole browser back to the old NSS verifier for every site, so it is a workaround, not a fix; the certificate problems listed in Update2 below are the real cause.

In about:config set

security.use_mozillapkix_verification = false

To find out more about mozilla::pkix and why your Firefox just got so super secure and paranoid that it doesn't allow you to access your own site without googling, see https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification. I'm only wondering why they renamed it from insanity::pkix to mozilla::pkix – do they confess that 'mozilla' is slowly becoming a synonym for 'insane'? ;-) Throwing such an error without any hint or possibility to add an exception (as usual) is IMHO insane – but who cares about power users today…

Update: As noted in the comments, this no longer works in Firefox 33 (or later), where the security.use_mozillapkix_verification preference was removed.

Update2: As noted in comment #29 and the bugs referenced there, there seem to be (at least) two major cases where the new insane::pkix refuses to accept an https site:

  1. Your internal CA certificate does not specify CA:TRUE in its X509v3 Basic Constraints extension (the extension is missing, or says CA:FALSE).
  2. Your server (end-entity) certificate, the last one in the certificate chain, specifies CA:TRUE, which is the default for certificates generated by the pkitool script from the easy-rsa suite, and you have your CA certificate installed in FF.

See also FF bug #1042889.
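As an added example (not from the original post, and not Mozilla's or easy-rsa's code), the following POSIX shell script builds a small test PKI with openssl and makes the two cases above visible: it issues a CA certificate with CA:TRUE, a server certificate with CA:FALSE, and a deliberately broken pkitool-style server certificate carrying CA:TRUE, then reports each certificate's basicConstraints. The host name, file names and the is_pkix_ok helper are assumptions for the illustration; the only tool it needs is the openssl command line.

```shell
#!/bin/sh
# Added example (not from the original post): build a minimal PKI whose
# certificates satisfy mozilla::pkix, plus a checker that reports the
# basicConstraints extension so the two failure cases can be spotted.
# Assumes the openssl CLI is on PATH; all names below are made up.
set -e

# Extension sections used below. "leaf_ca_true" mimics the easy-rsa pkitool
# default the post describes (CA:TRUE on a server certificate), which
# mozilla::pkix rejects once the issuing CA is installed in the browser.
write_ext_cnf() {
    cat > "$1" <<'EOF'
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ leaf_ok ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vpn.example.internal

[ leaf_ca_true ]
basicConstraints = CA:TRUE
EOF
}

# Minimal req config so nothing depends on a system openssl.cnf.
write_req_cnf() {
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$1"
}

# make_pki DIR: creates ca.crt (CA:TRUE), server.crt (CA:FALSE, correct)
# and server-ca-true.crt (the broken pkitool-style leaf) inside DIR.
make_pki() {
    d=$1
    write_ext_cnf "$d/ext.cnf"
    write_req_cnf "$d/req.cnf"

    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -new -config "$d/req.cnf" -key "$d/ca.key" \
        -subj "/CN=Example Internal CA" -out "$d/ca.csr"
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 3650 \
        -extfile "$d/ext.cnf" -extensions ca_ext -out "$d/ca.crt" 2>/dev/null

    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -config "$d/req.cnf" -key "$d/server.key" \
        -subj "/CN=vpn.example.internal" -out "$d/server.csr"
    # Same CSR signed twice: once correctly, once with the broken extension.
    for variant in leaf_ok:server.crt leaf_ca_true:server-ca-true.crt; do
        openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -days 825 -extfile "$d/ext.cnf" \
            -extensions "${variant%%:*}" -out "$d/${variant#*:}" 2>/dev/null
    done
}

# basic_constraints CERT: prints the CA flag ("CA:TRUE" / "CA:FALSE"), or
# "MISSING" when the certificate carries no basicConstraints at all (case 1).
basic_constraints() {
    out=$(openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Basic Constraints/ { getline; sub(/^[ \t]+/, ""); print; exit }')
    [ -n "$out" ] && printf '%s\n' "$out" || printf 'MISSING\n'
}

# is_pkix_ok CA LEAF: succeeds only when the pair avoids both failure cases
# (CA says CA:TRUE, leaf says CA:FALSE) and the chain actually verifies.
is_pkix_ok() {
    [ "$(basic_constraints "$1")" = "CA:TRUE" ] || return 1
    [ "$(basic_constraints "$2")" = "CA:FALSE" ] || return 1
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone use: sh pkix-check.sh /tmp/pki
if [ $# -gt 0 ]; then
    make_pki "$1"
    for c in ca.crt server.crt server-ca-true.crt; do
        printf '%-20s %s\n' "$c" "$(basic_constraints "$1/$c")"
    done
    is_pkix_ok "$1/ca.crt" "$1/server.crt" && echo "server.crt: acceptable to mozilla::pkix"
    is_pkix_ok "$1/ca.crt" "$1/server-ca-true.crt" || echo "server-ca-true.crt: will be rejected"
fi
```

The basic_constraints function can be pointed at any existing PEM certificate (for instance one exported from Firefox's certificate viewer) to see which of the two cases applies; note that openssl verify alone does not catch case 2, which is why the helper checks the leaf's CA flag explicitly.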

Update3: Thanks to the work of Kai Engert, there is a fix for this in Firefox 31 ESR (download from https://www.mozilla.org/en-US/firefox/organizations/) and hopefully the same also comes with Firefox 33.1.


Simple XSLT ifnull for numbers

Answer to the question of how to display zero instead of NaN in XSLT when the node that should hold a number value does not exist (the kind of ifnull or coalesce function available in SQL).

You can do it the standard, expressive XSLT way, using a variable and <xsl:choose>, or abuse the built-in sum() function and do the whole thing in one line.

Standard way:

<!-- read the value, or 0 when no number element exists -->
<xsl:variable name="val">
  <xsl:choose>
    <xsl:when test="(//number)[1]"><xsl:value-of select="(//number)[1]"/></xsl:when>
    <xsl:otherwise>0</xsl:otherwise>
  </xsl:choose>
</xsl:variable>
<!-- print the value out -->
<xsl:value-of select="$val"/>


Quick way:

<!-- read and print in one step; sum() of an empty node-set is 0 -->
<xsl:value-of select="sum((//number)[1])"/>


Both snippets print the value of the first number element in the document, or zero if no such element is present. Because sum() adds up every node in its argument, limit the node-set to a single node. Use (//number)[1], the first number element in document order, rather than //number[1]: the latter selects the first number child of every parent, so it can still yield several nodes and sum() would add them all. Two caveats: sum() (and number()) yield NaN for a node whose text is empty or not numeric, so an empty <number/> still prints NaN and needs a separate test; and in XSLT 1.0 a variable built from content like $val above is a result tree fragment, fine for printing but not usable as a node-set.

Btw, do you know the best XSLT reference out there? No? Look at the ZVON XSLT reference.


Disable Windows 7 hotkeys

This little script disables Windows 7 hotkeys (the WIN+key shortcuts handled by Explorer) when you have no local admin rights and the registry editor (regedit) is also disabled. Simply save it as hkey.vbs and execute it. It works because the DisableRegistryTools policy only blocks regedit.exe; the registry itself stays reachable through the WScript.Shell RegWrite/RegRead methods, and the DisabledHotkeys value lives under HKCU, where an ordinary user has write access.

Option Explicit
' Disable Explorer's WIN+<key> hotkeys for the current user by writing the
' DisabledHotkeys value; each character of the string is one disabled key.
'Declare variables
Dim WSHShell, rr, MyBox, val, ttl
Dim jobfunc, itemtype
On Error Resume Next
Set WSHShell = WScript.CreateObject("WScript.Shell")
' HKCU is writable without admin rights; a disabled regedit does not block RegWrite
val = "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DisabledHotkeys"
itemtype = "REG_EXPAND_SZ"
ttl = "Result"
jobfunc = "Value: "
'write the registry key value: "1234567890" disables WIN+0 .. WIN+9
WSHShell.RegWrite val, "1234567890", itemtype
If Err.Number <> 0 Then
    ' On Error Resume Next would otherwise hide a failed write silently
    MsgBox "RegWrite failed: " & Err.Description, 4096 + 16, ttl
    WScript.Quit 1
End If
'read the value back and show what is now stored
rr = WSHShell.RegRead(val)
MyBox = MsgBox(jobfunc & rr, 4096, ttl)

This example disables the WIN+0 to WIN+9 keys. To disable other keys, simply change the second RegWrite parameter: every character in the string names one key whose WIN+key combination is disabled. Explorer reads the value when it starts, so log off and on again (or restart explorer.exe) for the change to take effect.
For more technical info on Windows hotkey codes see http://www.geoffchappell.com/notes/windows/shell/explorer/globalhotkeys.htm

OpenVPN OCC ping patch

Hello,

I've created a simple patch for OpenVPN implementing OCC ping. The main difference between OCC ping and the existing OpenVPN ping is that an OCC ping is actively replied to by the other side of the communication channel. This way you can configure various per-client channel reliability policies:

  • Non-mobile clients might ping more frequently to ensure a stable connection and reconnect as soon as possible in case of failure.
  • Mobile clients (e.g. Android phones) might ping less frequently to save battery.

OCC ping can be enabled with the (boolean) occ-ping directive, and it integrates with all existing ping settings (ping/ping-restart/… directives): instead of 'normal' pings, OCC pings will be sent.

Additionally, the occ-ping-compat directive makes it possible to use backward-compatible OCC pings: instead of the newly implemented OCC_PING message it sends the already existing OCC_REQUEST, which the other side always answers with OCC_REPLY. This makes it possible to use the new behavior with peers running an OpenVPN that does not have OCC ping implemented.

Patch can be found here: openvpn-2.2.2-occ-ping.patch.