• SSL server certificate via Keychain Access in macOS Catalina

    If you ever tried to create a CA and sign an SSL server certificate using macOS Keychain Access you’d be surprised to find that resulting certificate is not a valid SSL certificate anymore due to new requirements in iOS 13 and macOS 10.15.


  • Opening ports 80 and 443 on a Synology NAS via UI

    Synology NAS’s OS DSM 6.x does not allow one to directly use ports 80 and 443. There are several different articles flowing around that try to cover it, but they often require SSH access to a box and may not be compatible with future versions of DSM. Turns out there is “one weird trick” to make it all work via built-in Nginx server relying on “Host” headers from HTTP requests.

    Verified on DS718+ DSM 5.2.1 with Ubiquity mFI controller and Homebridge (for HomeKit) running within Docker containers on Synology. As a side effect now I can use DSM without ugly port numbers (e.g. :5001) via a redirection below.


  • Hardware-Accelerated h264 Encoding on Synology NAS

    Updated after publishing: I’ve got reports of verified support on DS218+ and DS418play. I’ve added Debian Stretch-specific instructions. Added a disclaimer. Opened a pull request #30 for homebridge-camera-ffmpeg-ufv to add support for VAAPI-based video transcoding.

    Disclaimer: I know very little about ffmpeg and video encoding. I played around for several days to figure out how to make hardware video transcoding to work and just wrote down my findings. I’d be happy if somebody who knows knows about these things would help me to better understand why things behave the way they do.

    Many Synology NAS do have an Intel CPU that supports hardware-accelerated h264 encoding, which Intel calls QuickSync for marketing purposes. You would get around 10x improvement and most importantly real-time video transcoding with low latency. Surprisingly they seemingly do not use it themselves internally, but it’s possible to use it manually. This easily works from within Docker as well.

    Synology NAS Models with Hardware h264

    These instructions were verified on Synology NAS DiskStation DS718+ which uses Intel Celeron J3455. It’s the same CPU as DS918+, so this should apply to that model as well. Similar Intel Celeron J3355 also has QuickSync, all of this applies to DS218+ (verified by ArtisanalCollabo) and DS418play (verified by Arsen Vartapetov).


  • Marrying Byobu/tmux and Marathono

    Marathono is a great services manager for macOS. It natively integrates with launchd and works well overall. Unfortunately due to #29 it always uses login interactive shell with a TTY attached. This triggers .zprofile and friends and Byobu/tmux interactive mode and prevents scripts from being executed. There is a simple solution, detect Marathono in .zprofile and skip Byobu/tmux when detected:

    ps -fp $PPID | grep Marathono || \
    _byobu_sourced=1 . /usr/local/bin/byobu-launch 2>/dev/null || true


  • Fronting Ubiquiti's UniFi Controllers with Nginx with SSL

    All Ubiquiti controllers (mFI, UniFi Controller and UniFi Video Controller) insist on using HTTPS for all connections, which may break the experience in Safari when one uses default out-of-the-box self-signed certificates.

    Solution is simple: use Nginx to deal with SSL for most of the cases, the rest is to use SSL via Java to make secure sockets work.

    File extensions are very confusing when one is dealing with certificates. In short if you use OpenSSL:

    • PEM means ASCII plaintext, DER means binary format, these only apply to -inform and -outform parameters (quoting this article)
    • PKCS#8 is a format for private keys, Java can read its DER form. Use -topk8 (to PK8 i.e. to PKCS#8) to output it. Use -nocrypt to disable key encryption enabled by default.
    • PKCS#12 is a format for a key bag, where several keys and certificates may be stored. Output is controlled with -nodes (no DES i.e. no encryption), -nocerts (skips public keys), and -nokeys (skips private keys)
    • X.509 is the default format for keys and certificates, can be read by Nginx. Can be directly concatenated in its PEM form


  • Installing UniFi and mFI Controller Software onto Ubiquiti's UNC-NVR

    It makes some sense to keep all Ubiquiti’s software on the same PC, and UNV-NVR is the best one with software already preinstalled. NVR has Debian 7 installed by default, so it’s easy to install both mFI and UniFi, with a caveat of using MongoDB 2.4 instead of a default 2.0 or 3.0 one.


  • How to Recover iPhone Backup's Password?

    If you backup your iPhone or iPad onto your iMac via iTunes you probably use encrypted backups. Sometimes it happens that you forget your encryption password. As it turns out there is no way to disable backups or change their password without knowing the original password. See Apple support article About encrypted backups in iTunes.

    There are several paid solutions that can decrypt your password that could be run inside a Windows virtual machine. But there is little guarantee that they would not share all your data through the Internet. So, the obvious solution is to use a command-line utility that does it for free.

    Time to try one password is roughly a minute per core on my 2014 iMac, so this solution does not work if really don’t remember your password.


  • Taking Your LAN Network under Control in the Presence of IoT Devices

    Using Internet of Things devices like Wi-Fi-connected light bulbs, switches, motion detectors and such poses a challenge to secure your LAN. Devices’ firmware usually is of a pretty bad quality with administrator password hard-coded and exploits never patched. At the same time these devices heavily rely on zero-configuration protocols for ease of discovery, and these protocols were never developed with security in mind.

    I’m trying to reconcile these inherently insecure devices working with inherently insecure protocols by using a specially configured Linux-based firewall. I’ll guide you through my thought process to show how to make everything work seamlessly, but (more) secure at the same time.

    (ETH00) ====== Router ( ====== (192.168.0.X)
      |               |                         Secured Wi-Fi/Eth Network
    Firewall          |
    | | |          (
    | | |          Guest Wi-Fi Network
    | | (ETH01)
    | | (192.168.0.X)
    | | DeviceType0
    | |
    | (WLAN01)
    | (192.168.0.X)
    | DeviceType1


  • Decoding any Java-originated SSL Connection with Pre-Shared Master Secret

    When you try to decode SSL connection from your Java application for a purpose of testing you usually can go by using a known specified server certificate.

    But, when Diffie-Hellman key exchange is used or when server-side certificate is outside of your control you still may decrypt the connection as long as you have access to startup command-line parameters of your Java application.

    Basic idea is to specify,keygen during Java start up, and export all pre-shared master secret keys to a log file. Log file is read by Wireshark or similar application to aid decoding of SSL traffic.


  • Maven Integration Tests and Jetty with SSL Enabled

    Running integration tests with Jetty using maven usually is plain and awesome. At least not until you try to enable SSL. And then suddenly everything goes to hell. As I have not found a definitive source of a simple working Jetty config and I’m sharing my findings.

    To run integration tests with Jetty under maven with SSL you’ll need to

    • Start and stop Jetty before and after integration tests
    • Generate Jetty SSL keys in a PKCS12 format using keytool
    • Config Jetty to enable SSL and use generated keys


  • Show Git Status in ZSH Prompt with Respect to a Remote Repo

    zsh is a powerful shell that allows you to show your current git status in your command prompt: Show git state in zsh prompt via vcs_info. It supports current branch, repo path and many other options, most notably stage/unstaged symbols to show you current git dirty state.

    Here is how to reconfigure zsh to respect remote repo e.g. GitHub’s status properly.


  • Fixing sbin for Homebrew on macOS

    Homebrew installs iftop into /usr/local/sbin and not in /usr/local/bin so it’s not a part of your $PATH by default.

    Yes, you can add it manually via .zprofile or something similar, but there is a native way to add new paths to all shells of all users:

    echo '/usr/local/sbin' | tee -a /etc/paths

    Or you can add a new entry to paths.d:

    echo '/usr/local/sbin' | tee -a /etc/paths.d/homebrew


  • Enable Secure Signed Email on macOS and iOS

    Both macOS and iOS support secure signing for your email messages. It’s easy to setup and it “just works”.

    If you ever receive a signed message from somebody you can send them encrypted email. Only your recipient will be able to read it. Even if your email account is compromised, this still holds true.


  • Install Certificates on iOS Devices Securely via a Custom Profile

    Installing certificates on iOS devices (at least on iPads and iPhones) can be done via a cable without using a less secure email-based transport. It’s easy and free via Apple Configurator 2.


  • Configuring Byobu/Tmux to Support Tabbed & Windowed Terminals

    As of April 2017 this instruction does not apply anymore. Default byobu installation would work just fine. I’ll leave it here for historical purposes.

    At some point my favorite console “window manager” byobu switched from screen to tmux as a backend. tmux is much more feature rich and supports splits, for example.

    There is only one downside, but a big one: there could only be one client per tmux session. So when you open terminal in several different windows each of them connects to the same tmux session and they show exactly the same window. Yes, you can use tmux internal windowing capabilities just fine, but I always wanted to have several “real” windows into the same tmux session.

    Looks like there is a way to exactly that using tmux “session grouping”. This piece of functionality is quite quirky and is almost never mentioned in all the articles about tmux that I’ve read. But it does exactly what I need: several sessions looking into the same set of windows.


  • Show Git State in ZSH Prompt via vcs_info

    zsh has excellent capabilities of supporting different version control systems, like git in its command line prompt. Setup is pretty convoluted and I’ll try to guide you through it to give you basic understanding of all the building blocks. You’ll be able to craft your own one.

    I’ll show evolution of a command line prompt after each modification in .zshrc. I’ll assume ~/.git exists and has changes on the master branch. Current directory is set to ~/.ssh.


  • Guice Singletons Parallelization

    Guice is a Java library for dependency injection. It’s a very widespread one and a lot of servers written in Java use it. Surprisingly until recently all singleton objects created by Guice were created sequentially.


  • TeamCity + Gerrit Integration for Verified Patchset Statuses

    Recently I’ve made it possible to integrate TeamCity and Gerrit code review tool. As far as I know there is no page in the internets about this particular integration, then here is a post.


  • Writing Java ICMP Ping for Windows

    As everybody knows it is impossible to do normal icmp ping using standard Java classes. You Must use JNI. But, it is much simpler to to use JNI through JniWrapper.


  • How to Develop SharePoint Features on a Remote Server

    Usually all SPS 2007 developers create their programs on localhost server and later they publish them onto production one. But I have not that much RAM to install server onto my developer machine. Plus - using remote machine as a server is pretty convenient, cause you may test your programme in a battle field, which should help you to avoid different code security problems. The choice is up to you, but even on local machine some parts of my story will be usable.


subscribe via RSS