Dog Tera

SSH into Boxes VM from Host

Gu — Wed, 08 Oct 2025 23:18:38 GMT

In guest VM (Ubuntu)

# Optional, tmux is convinient for long running task
sudo apt install tmux 

# Start a tmux session
tmux

# Creates a reverse SSH tunnel from the host (_gateway) 
# back to your VM, mapping the host port 2222 to VM port 22, 
# allowing SSH access to VM through the gateway. 
# Need to change host_user_name 
ssh -NT -R 2222:localhost:22 host_user_name@_gateway

# Detach tmux session
# Ctrl+b then d

# Optional, to bring tmux session back 
tmux attach
# or list session and bring session with certain ID
tmux ls
# 0 is the session id from previous output
tmux a -t 0

In host

# Need to change guest_user_name
ssh -p 2222 guest_user_name@localhost

Reference

https://unix.stackexchange.com/questions/627187/ssh-into-gnome-boxes-os

My Git Cheat Sheet

Gu — Wed, 07 May 2025 02:40:29 GMT

How to merge upstream changes to my branch

git remote add upstream git@gitlab.com:CentOS/automotive/demos/ffi-demo.git

git fetch upstream
git checkout a_branch
git rebase upstream/a_branch

Reference

https://www.atlassian.com/git/tutorials/git-forks-and-upstreams

HTTP3 Notes

Gu — Wed, 12 Mar 2025 11:05:58 GMT

https://hub.docker.com/r/ymuski/curl-http3

$ docker run -it --rm ymuski/curl-http3 curl -V

$ docker run -it --rm ymuski/curl-http3 curl -svo /dev/null https://lf19-c10.bytedgame.com/ --http3

*   Trying 151.101.110.73:443...
* Connect socket 5 over QUIC to 151.101.110.73:443
* Sent QUIC client Initial, ALPN: h3-29,h3-28,h3-27
* Connected to lf19-c10.bytedgame.com () port 443 (#0)
* h3 [:method: GET]
* h3 [:path: /]
* h3 [:scheme: https]
* h3 [:authority: lf19-c10.bytedgame.com]
* h3 [user-agent: curl/7.76.1-DEV]
* h3 [accept: */*]
* Using HTTP/3 Stream ID: 0 (easy handle 0x40002371e0)
> GET / HTTP/3
> Host: lf19-c10.bytedgame.com
> user-agent: curl/7.76.1-DEV
> accept: */*
>
< HTTP/3 403

Reference

https://developers.cloudflare.com/http3/tutorials/curl-brew https://developers.cloudflare.com/http3/tutorials/chrome

My Python Environment Cheat Sheet

Gu — Mon, 22 Jul 2024 07:39:21 GMT

Install pyenv

Mac

brew update
brew install pyenv

echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.zshrc
echo '[[ -d $PYENV_ROOT/bin ]] && export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.zshrc
echo 'eval "$(pyenv init -)"' >> ~/.zshrc

Linux

curl -fsSL https://pyenv.run | bash

sudo dnf builddep python3

export PYENV_ROOT="$HOME/.pyenv"
[[ -d $PYENV_ROOT/bin ]] && export PATH="$PYENV_ROOT/bin:$PATH"
eval "$(pyenv init - bash)"

Add below to .bash_rc to enable venv

eval "$(pyenv virtualenv-init -)"

Commands

pyenv

# List available versions
# https://www.python.org/doc/versions/
pyenv install -l

# Install a python version
pyenv install 3.12.10

# List currently installed python version
pyenv versions

# Set global python version
pyenv global 3.12.10

# Set python version for a directory
# cd into a directory 
pyenv local 3.12.10

# Set current shell python
pyenv shell 3.12.10

# Remove installation
pyenv uninstall 3.10.10

# Check you current python version
python --version

venv

mkdir some_dir; cd some_dir
python -m venv .venv
source .venv/bin/activate

Reference

https://github.com/pyenv/pyenv

https://opensource.com/article/19/5/python-3-default-mac

https://github.com/pyenv/pyenv

https://dev.to/veer66/pyenv-and-pipenv-on-fedora-13m2

Test TLS Resumption

Gu — Sat, 09 Apr 2022 11:40:11 GMT

Session Ticket Resumption

new connection

Session parameter will be saved in /tmp/ssl_s

openssl s_client -connect t3.fastly.work:443 -sess_out /tmp/ssl_s -servername t3.fastly.work

output

---
SSL handshake has read 4654 bytes and written 304 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 401ABB1C964A75FC5DBC283F963B841AC567FF5CAAC2EEA7645989DB8174A362
    Session-ID-ctx:
    Master-Key: 9C76B3A6773C989D0E092F154C8212F0297EB7D2B7AF5886836D770B4CB3912E521847EE4B878CE88CD44D59C4CC3F51
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

Issue a http command (extra newline needed) to verify if https works

GET /status/200 HTTP/1.1
Host: t3.fastly.work

resumption

Session parameter saved in /tmp/ssl_s will be used

openssl s_client -connect t3.fastly.work:443 -sess_in /tmp/ssl_s -servername t3.fastly.work

output

---
SSL handshake has read 129 bytes and written 470 bytes
---
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 401ABB1C964A75FC5DBC283F963B841AC567FF5CAAC2EEA7645989DB8174A362
    Session-ID-ctx:
    Master-Key: 9C76B3A6773C989D0E092F154C8212F0297EB7D2B7AF5886836D770B4CB3912E521847EE4B878CE88CD44D59C4CC3F51
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

Notice only 129 bytes is read for resumption, compared to 4654 bytes for new connection

Issue a http command (extra newline needed) to verify if https still works. (and YES)

GET /status/200 HTTP/1.1
Host: t3.fastly.work

Session ID Resumption

we can add -no_ticket to test session ID resumption like below.

new connection

openssl s_client -connect t3.fastly.work:443 -no_ticket -sess_out /tmp/ssl_s -servername t3.fastly.work

resumption

openssl s_client -connect t3.fastly.work:443 -no_ticket -sess_in /tmp/ssl_s -servername t3.fastly.work

Reference

https://serverfault.com/questions/345891/how-should-i-check-if-ssl-session-resumption-is-working-or-not

Wireshark's TLS 0-RTT Early-Data Capture

Gu — Tue, 22 Feb 2022 12:27:43 GMT

This article shows how to capture TLS1.3 0-RTT early-data from Chrome browser by wireshark on Mac.

Close all your Chrome instances and start a new instance which will output SSL key to a log file.

SSLKEYLOGFILE=~/temp/sslkeylog.log /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome

Next, we need to enable the 0-RTT feature on Chrome, according to the introduction here
Enter chrome://flags to address bar, then find「TLS 1.3 Early Data」flag and enable it.

Let Wireshark know where is the SSL Key locates, put path of SSL key log file in below dialog
Wireshark --> Preference --> Protocols --> TLS --> (Pre)-Master-Secret log filename

Now we can start Wireshark's capture
Optionally, you may want to set a capture filter to only capture IP ranges of server you cares to reduce noises, like

net 151.101.0.0/16

Now from browser access a site like https://httpbin.fastly.work/html which supports TLS1.3 0-RTT

And you will get capture on wireshark like this, the green part are decrypted messages

Wait for few minutes, make sure from Wireshark that connection is closed, then access https://httpbin.fastly.work/html again, you will find new TLS connection's Client Hello, will come with the early-data.

Build AMD64 Docker on M1

Gu — Thu, 17 Feb 2022 07:46:17 GMT

I plan to verify 0-RTT capability using sslyze as mentioned in here on M1:

python -m sslyze --early_data www.fastly.com

I got below error:

ImportError: dlopen(/Users/gu/.pyenv/versions/3.10.1/lib/python3.10/site-packages/nassl/_nassl.cpython-310-darwin.so, 0x0002): symbol not found in flat namespace '_PEM_write_bio_X509'

It happens because on my Mac M1, installed Python tool-chain is built in ARM64 and one required package has no ARM64 build. This error is mentioned in this post, and one commented:

I’m just going to use docker containers for my development purposes instead of messing with dual installations of homebrew/python

This is how to build a docker container of AMD64 architecture Python environment (if you do not want to use pre-built ones like nablac0d3/sslyze:5.0.0).

Create a requirement.txt to list Python package needed for your environment.

sslyze
requests
# other packages ...

Create a Dockerfile, the first line force the docker to pull an AMD64 image.

FROM --platform=amd64 python:3
WORKDIR /usr/src/app
COPY requirements.txt ./
RUN pip install --no-cache-dir -r requirements.txt
# un-comment below if needs to run some script
# COPY my_script.py .
# CMD [ "python", "./my_script.py" ]

Build docker image

$ docker build -t python-env .

Start a bash terminal

$ docker run -it python-env bash
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
/usr/src/app#

We get some warning but it can be safely ignored, and we can run sslyze like below

/usr/src/app# python -m sslyze --early_data www.fastly.com

If you do not want to build your own python AMD64 docker image to run sslyze, you can use pre-built one like

docker run --rm -it nablac0d3/sslyze:5.0.0 --early_data www.fastly.com