-
Adding your FRiTZ!Box as a “secure” DNS resolver for the fritz.box pseudo-domain
Your FRiTZ!Box maintains a useful list of names of machines in your local network in its pseudo-domain fritz.box, based on DHCP requests and web interface. This information is useful, but adding the pseudo-domain “fritz.box” to your own DNS hierarchy is no longer straightforward in the days of DNSSEC. Here is how to include it into…
-
DANE: The CA game changer
Securing the Internet is important. However, many design decisions are broken: For example, encrypted web pages are considered less secure than unencrypted pages, even outright dangerous, unless you regularly pay a lot of money to certificate authorities, which have shown to make the Internet less secure. The new kid on the block, DANE (DNS-based Authentication…
-
Disable client certificate requests for Cyrus IMAP
Cyrus IMAPd always asks for a client certificate. This can be unnerving for users running Thunderbird as their mail client which have a user certificate installed and are thus always asked whether they want to send it. (There is no way to tell Thunderbird not to send a client certificate, you can only select which…
-
Using TLS Interposer with OpenSSL 0.9.8g (Debian Lenny)
Older installations, such as trusty Debian Lenny, come with versions of OpenSSL 0.9.8. The default cipher suite used by TLS Interposer is very restrictive, on purpose. For OpenSSL 0.9.8g, the only remaining cipher is RC4-SHA. Especially when configuring XMPP servers such as ejabberd to use TLS Interposer, RC4-SHA alone can be not enough (e.g., when…
