timdoug's interesting tidbits

Little bits of technical documentation and such. Hopefully helpful.


Using the TCP MD5 Signature Option in Linux

It's entirely undocumented, for good reason. In case you also have a peculiar interest in RFC2385, this is what you need to do:

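#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/tcp.h>

struct tcp_md5sig md5sig;
char *key = "foobar";

/* zero everything first: unset fields and padding must not be stack garbage */
memset(&md5sig, 0, sizeof md5sig);

/* addr is the struct sockaddr * passed to connect(2), from getaddrinfo() or otherwise,
   and addrlen is its length (ai_addrlen); sizeof addr is only the size of the pointer */
memcpy(&md5sig.tcpm_addr, addr, addrlen);

md5sig.tcpm_keylen = strlen(key);
memcpy(md5sig.tcpm_key, key, md5sig.tcpm_keylen);

/* set the option before connect(2) so the SYN is already signed */
if (setsockopt(sockfd, IPPROTO_TCP, TCP_MD5SIG, &md5sig, sizeof md5sig) < 0)
    perror("setsockopt(TCP_MD5SIG)");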
Not actually that hard. A successful application, with -M and the key passed to tcpdump, will show md5valid in the TCP options. An incorrect key will show md5invalid.
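
A fuller version of the snippet, as an added example rather than code from the original post: the hypothetical helpers md5sig_fill and md5sig_apply take the address length explicitly so an IPv6 peer is copied whole, zero the struct, and reject keys longer than TCP_MD5SIG_MAXKEYLEN. The peer address, port and key are constructed sample values.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/tcp.h>

/* Hypothetical helper: build the TCP_MD5SIG argument for one peer.
 * peerlen must be the real sockaddr length (ai_addrlen), not sizeof a pointer. */
int md5sig_fill(struct tcp_md5sig *sig, const struct sockaddr *peer,
                socklen_t peerlen, const void *key, size_t keylen)
{
    /* keylen 0 would ask the kernel to delete the peer's key; refuse it here. */
    if (!sig || !peer || !key || keylen == 0 ||
        keylen > TCP_MD5SIG_MAXKEYLEN || peerlen > sizeof sig->tcpm_addr ||
        (peer->sa_family != AF_INET && peer->sa_family != AF_INET6)) {
        errno = EINVAL;
        return -1;
    }
    memset(sig, 0, sizeof *sig);              /* no stack garbage in flags/padding */
    memcpy(&sig->tcpm_addr, peer, peerlen);   /* full address, IPv4 or IPv6 */
    sig->tcpm_keylen = (__u16)keylen;
    memcpy(sig->tcpm_key, key, keylen);
    return 0;
}

/* Hypothetical helper: install the key on fd; call before connect(2). */
int md5sig_apply(int fd, const struct sockaddr *peer, socklen_t peerlen,
                 const void *key, size_t keylen)
{
    struct tcp_md5sig sig;
    if (md5sig_fill(&sig, peer, peerlen, key, keylen) < 0)
        return -1;
    return setsockopt(fd, IPPROTO_TCP, TCP_MD5SIG, &sig, sizeof sig);
}

int main(void)
{
    /* Constructed peer: documentation-range IPv6 address, BGP port. */
    struct sockaddr_in6 peer = { .sin6_family = AF_INET6, .sin6_port = htons(179) };
    inet_pton(AF_INET6, "2001:db8::1", &peer.sin6_addr);
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    int rc = md5sig_apply(fd, (struct sockaddr *)&peer, sizeof peer, "foobar", 6);
    printf("TCP_MD5SIG: %s\n", rc == 0 ? "key installed" : strerror(errno));
    close(fd);
    return rc == 0 ? 0 : 1;
}
```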



Using TLS v1.2 with OpenVPN 2.3.4

It's disabled by default, and if you add e.g. tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 (a TLS v1.2 cipher) to your server config it silently breaks. The solution is to add tls-version-min 1.2 to both the server and client config, and then it works like a charm. OpenVPN 2.3.3 added support for v1.2, so this won't work with anything older than 2.3.3.



How to Watch Sopcast/Ustream Feeds with VLC on Mac OS X

For certain international sports, the two most popular kinds of streams I've come across are Sopcast and Ustream. Both require a bit of work to set up, but they tend to provide 720p-quality and in VLC they don't contain the endless barrage of advertisements or cause Flash Player-related CPU hogging. I suggest you set everything up well in advance and test with non-sport streams.


  1. Install Xcode through the App Store. This is needed to build the following tools.
  2. Download VLC and make sure to copy it to /Applications.
  3. Install Homebrew. The instructions on the page should be self-explanatory.
  4. Open Terminal.app and type:
    1. brew install rtmpdump
    2. sudo bash -c "CFLAGS=-Qunused-arguments CPPFLAGS=-Qunused-arguments easy_install cffi"
    3. sudo bash -c "CFLAGS=-Qunused-arguments CPPFLAGS=-Qunused-arguments easy_install python-librtmp"
    4. sudo easy_install livestreamer
    You only need to run these installation steps once.
  5. Once you've got a Ustream URL, open Terminal.app and type livestreamer http://www.ustream.tv/eukanuba substituting the URL appropriately. It'll spit out a list of quality settings.
  6. With that quality setting, now type livestreamer http://www.ustream.tv/eukanuba 480p (note the suffixed quality value) and it'll open VLC and start your stream. Make sure to leave Terminal.app open, or your stream will stop.


  1. Download the Mac .dmg from here.
  2. Mount the downloaded disk image but don't do anything with the application.
  3. Open Terminal.app and type mkdir -p ~/bin && cp /Volumes/SopCast/SopCast.app/Contents/Resources/binaries/m32/sp-sc-auth ~/bin. You can now unmount and remove the disk image. Everything up to now you only need to do once.
  4. When you've found a stream, open Terminal.app again and type ~/bin/sp-sc-auth sop://broker.sopcast.com:3912/xxxxxx 3000 3001 (substituting the Sopcast URL appropriately) and leave it running. If you quit Terminal.app it'll stop the stream.
  5. Open VLC and go to File -> Open Network.... In the URL field type http://localhost:3001 and click Open; you should be good to go.



Setting up IPv6 with Sonic.net and an OpenWRT Router

This uses the newer 6rd mechanism instead of the 6in4 tunnels, so other documentation you encounter may be inapplicable. I'm using nightly builds; YMMV with stable builds.

  1. Enable "LAN Subport" on the equipment provided by Sonic.net for your OpenWRT router (might work with double NAT, haven't tried)
  2. On your router: opkg update && opkg install 6rd (if it complains about version conflicts, try flashing the most recent build)
  3. Make the wan6 entry in your /etc/config/network look like so:
    config interface 'wan6'
            option proto '6rd'
            option peeraddr ''
            option ip6prefix '2602:240::'
            option ip6prefixlen '28'
  4. /etc/init.d/network restart
  5. Disconnect and reconnect your machine, and IPv6 autoconfiguration should be good to go.
Addresses were taken from this post on the Sonic.net forums, and configuration for OpenWRT from here.



The smallest preseed file for an entirely automated Ubuntu 12.04 Precise Pangolin install

Pass these options on the kernel command line: auto=true priority=critical url=http://your.server/foo.seed, and use this preseed file:

d-i debian-installer/locale string en_US.UTF-8

d-i passwd/root-login boolean true
d-i passwd/make-user boolean false
d-i passwd/root-password password changemeplease
d-i passwd/root-password-again password changemeplease

d-i partman-auto/method string regular
d-i partman-auto/choose_recipe select atomic
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

d-i finish-install/reboot_in_progress note
This will assuredly do things you don't want / care about, so make sure to amend it accordingly.



I can't install gcc on OpenLogic CentOS!

Yeah, someone really dropped the ball here. If you see this when you try to yum install gcc:

--> Finished Dependency Resolution
Error: Package: glibc-headers-2.12-1.80.el6_3.7.x86_64 (updates)
           Requires: kernel-headers
Error: Package: glibc-headers-2.12-1.80.el6_3.7.x86_64 (updates)
           Requires: kernel-headers >= 2.2.1
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
Then try doing this: sudo yum --disableexcludes=main install kernel-headers-*.el6.openlogic.x86_64

I don't know who's the idiot who put exclude=kernel* in /etc/yum.conf to break installing gcc, but...you're an idiot.



How to install and use Errbit through nginx & Passenger

Capistrano scares the shit out of me. I'd rather know what I'm deploying, rather than rely on some foreign script, thank you very much. To install Errbit and deploy with Passenger through nginx, try this:

git clone https://github.com/errbit/errbit.git
cd errbit
bundle install
rake errbit:copy_configs
vi config/config.yml # and change hostnames / SMTP settings
vi config/mongoid.yml # and change production mongo settings
echo "Errbit::Application.config.secret_token = '$(bundle exec rake secret)'" > config/initializers/secret_token.rb
RAILS_ENV=production rake assets:precompile
RAILS_ENV=production rake db:mongoid:create_indexes
RAILS_ENV=production rake db:seed
Then add something like the following to your nginx config:
server {
    listen 8080;
    server_name errbit.example.com;
    root /wherever/errbit/public;
    passenger_enabled on;
    rails_env production;
}



Use tcpdump to download arbitrary Flash videos

I came across an interesting video on the web that I wanted to watch offline, but it played through a Flash application, there were no download links, grabbing the stream by looking through the HTML/DOM was nontrivial, and the youtube-dl mainstay didn't work. tcpdump to the rescue!

  1. tcpdump -v -i <interface> -w output.cap
  2. Load the video up and start playing. Sadly, this has to be done in real-time.
  3. When done, tcpflow -r output.cap
  4. The largest file should be your video; use an editor to strip the HTTP headers from the beginning.
  5. If all goes well, you should have a video.flv. For extra credit, use ffmpeg -i video.flv to see if it's H.264/AAC. If so, use ffmpeg -i video.flv -acodec copy -vcodec copy video.mp4 for lossless container conversion to a standard MPEG-4 Part 14 file.
Thanks to this post for the tip.



How to send email through Gmail / Google Apps Email with the Amazon Linux AMI on EC2

First, install the Heirloom mailx client with yum install mailx. The NSS certificates included with the AMI are either out of date or incomplete, so you've got to grab the Equifax root cert and set it up yourself, like this:

wget https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer
certutil -d ~/.mailcerts/ -A -t TC -n "Equifax Secure Certificate Authority" -i Equifax_Secure_Certificate_Authority.cer
Then set up your ~/.mailrc like this:
set smtp-use-starttls
set smtp=smtp://smtp.gmail.com:587
set smtp-auth=login
set smtp-auth-user="your_username@example.com"
set smtp-auth-password="your_password"
set from="your_username@example.com"
set nss-config-dir="~/.mailcerts"
set ssl-verify=warn
That last "ssl-verify=warn" line looks pretty dangerous, and it definitely could be. I needed it because otherwise mailx would bark with Comparing DNS name: "smtp.gmail.com" Continue (y/n)? and...giving up, instead of accepting any input. For whatever reason my Debian box works fine without this line. Also, one could use this line without setting up the root certificate appropriately, but that's playing a bit too fast and loose for me.

With this configuration you should be good to go with: echo "body here" | mailx -s "Subject here" recipient@example.com



My 2007-era MacBookPro3,1 doesn't fully go to sleep / cannot wake from sleep with 10.8!

Yep, I had a reason to break out my old MBP and install the newest version of OS X on it. It works wonderfully for a five year old box (the SSD sure helps!), except for not being able to sleep properly. What worked for me was disabling "safe sleep" a la this hint.

sudo pmset -a hibernatemode 0
sudo nvram "use-nvramrc?"=false
Then restart. You can also remove /private/var/vm/sleepimage to save some space, which is nice.


© 2006-14 timdoug | email: "me" at this domain