Ryan Bolger

@rmbolger
42 Followers
35 Following
323 Posts
Dad, tech enthusiast, casual gamer, a cappella music lover, and DDI Architect at Alight Solutions
Github: https://github.com/rmbolger
Blog: https://www.dvolve.net/
Posh-ACME: https://poshac.me/docs/latest/

I’ve tried the new short-lived (~6 days) Let’s Encrypt certificate with Caddy: https://cj.rs/blog/6days/, here are my first impressions.

💬 Feel free to comment here!

#blog #blogging #tls #security #LetsEncrypt #Caddy

6-day Certificates With Let’s Encrypt and Caddy

First impressions

Clément Joly – Open-Source, Rust & SQLite

I finally jotted down a table of how far the big three browsers currently support RFC9460 HTTPS records.

In summary:
- All browsers support ALPN
- Safari has the best support; it's the only browser that supports AliasMode, but Safari doesn't support ECH
- Firefox requires DoH, but then supports several parameters
- Chrome only supports ALPN and ECH

See this page for details; I may update it in the future:
https://www.netmeister.org/blog/https-caniuse.html

#dns
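As an added example (not part of the post above or the linked page), here is a small parser for the RFC 9460 HTTPS record wire format that decodes the parameters the table compares (ALPN, ipv4hint, ECH) and tells AliasMode from ServiceMode; the sample RDATA bytes are constructed, and the ech value is a short placeholder rather than a real ECHConfigList.

```python
import ipaddress
import struct

# SvcParamKey registry values (RFC 9460 section 14.3)
SVCPARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}

def _read_name(data, offset):
    """Decode an uncompressed wire-format DNS name, returning (name, next_offset)."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        if length & 0xC0:  # RFC 9460 section 2.2: TargetName must not use compression
            raise ValueError("compression pointer in TargetName")
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", offset + 1

def parse_https_rdata(rdata):
    """Parse HTTPS/SVCB RDATA into priority, mode, target and decoded SvcParams."""
    priority, = struct.unpack("!H", rdata[:2])
    target, offset = _read_name(rdata, 2)
    params, last_key = {}, -1
    while offset < len(rdata):
        key, length = struct.unpack("!HH", rdata[offset:offset + 4])
        value = rdata[offset + 4:offset + 4 + length]
        offset += 4 + length
        if len(value) != length or key <= last_key:  # truncated, or keys not strictly increasing
            raise ValueError("malformed SvcParams")
        last_key, name = key, SVCPARAM_KEYS.get(key, f"key{key}")
        if key == 1:    # alpn: sequence of 1-byte length-prefixed protocol ids
            params[name], i = [], 0
            while i < length:
                params[name].append(value[i + 1:i + 1 + value[i]].decode("ascii"))
                i += 1 + value[i]
        elif key == 4:  # ipv4hint: concatenated 4-byte addresses
            params[name] = [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]
        else:           # ech (opaque ECHConfigList) and every other key: keep the raw value as hex
            params[name] = value.hex()
    if priority == 0 and params:  # AliasMode (priority 0) must carry no SvcParams
        raise ValueError("SvcParams present on an AliasMode record")
    return {"priority": priority, "mode": "AliasMode" if priority == 0 else "ServiceMode",
            "target": target, "params": params}

# Constructed sample RDATA, not captured from a real zone. ServiceMode, target "." (= owner name),
# alpn=h2,h3, ipv4hint=192.0.2.1 and a 3-byte placeholder standing in for a real ECHConfigList.
SERVICE_RDATA = (b"\x00\x01\x00" + b"\x00\x01\x00\x06\x02h2\x02h3"
                 + b"\x00\x04\x00\x04\xc0\x00\x02\x01" + b"\x00\x05\x00\x03\x01\x02\x03")
ALIAS_RDATA = b"\x00\x00\x03svc\x07example\x03net\x00"  # AliasMode -> svc.example.net.
```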

This old meme has been going around for years, but in the aftermath of the AWS outage there has been some pushback on-line about it. And that's a good thing, because it is likely that people new to the industry are not in on the joke and might take the meme more literally.

This meme was never about DNS being unreliable, but about the nature of troubleshooting issues in that DNS is so reliable many of us assume we have set it up correctly and overlook our mistakes with DNS when looking for root causes.

It is unfortunate, but way too many people function off of received opinion, and AI is likely making that worse. FWIW, I did once work with an operations manager who insisted we hardcode IP addresses because DNS used UDP and UDP was "unreliable".

#dns #memes #receivedopinion
@postmodern Don't invent TLDs, this is a sure road to hell. Also `.local` is reserved for mDNS, better not to name hosts with it. ICANN decided to reserve `.internal`, so that would be the best (and only) choice. `.corp` will never exist for real exactly because it got abused "internally": https://www.theregister.com/2018/02/12/icann_corp_home_mail_gtlds/ ; but in fact the good way is just to register a domain for real, in any public TLD, and then use it as a suffix for all naming needs.
It's official: .corp, .home, .mail will never be top-level domains on the 'net

Sigh with relief, fellow geeks, if you're using them on your home or business network

The Register

@evgandr

Yep, what @rmbolger said.

Also, what’s often called “propagation” is really “waiting on other DNS servers’ cached copies of an old record to expire.”

New updates should be quick, double-digit seconds at the most when querying properly configured authoritative sources.

Anyone interested in yet another attempt at trying to enhance splatting in #PowerShell. I've tried to collate all the options proposed over the years with their pros/cons. Hoping to get any community feedback before trying to champion a proper RFC https://github.com/jborean93/PowerShell-RFC/pull/1.
Add enhanced splatting RFC draft by jborean93 · Pull Request #1 · jborean93/PowerShell-RFC

This is a draft RFC of an enhanced splatting proposal. While I have my own recommendations there is no final choice as of yet to open with the real RFC. So far my gut choice would be Option 4 - the...

GitHub

Reinventing PowerShell in C/C++: Bypassing Security Features

The article demonstrates creating a full PowerShell console using native C/C++ code, bypassing security features like AMSI and Constrained Language Mode.

https://blog.scrt.ch/2025/02/18/reinventing-powershell-in-c-c/

#PowerShell

Reinventing PowerShell in C/C++ – SCRT Team Blog

@BjornW @letsencrypt They're a certificate authority. They don't actually get your private keys, there's no unique new risk to them.
One of the issues with the CA system is that you trust all of the CAs in your trust store for everything. So we already trust Apple, Amazon, .... (and that's a long list. 153 certs on my system).

Each CA in your trust store could create a certificate for any @letsencrypt protected website and have your browser accept it.

It doesn't actually matter (much) which CA you use, you're vulnerable to subversion of any CA in your trust store.

There's no additional risk here, realistically. We already only get the lowest common denominator security.

Pushed a new version of my #PowerShell module OpenAuthenticode https://github.com/jborean93/PowerShell-OpenAuthenticode. It adds support for signing using Azure's Trusted Signing service. I've found it has been pretty easy to set up as an individual to use but a pity pwsh's trust model won't work nicely with it.
GitHub - jborean93/PowerShell-OpenAuthenticode: Cross platform PowerShell implementation of Authenticode signing and verification

Cross platform PowerShell implementation of Authenticode signing and verification - jborean93/PowerShell-OpenAuthenticode

GitHub
I've opened a #PowerShell RFC to set environment variables for sub processes similar to the 'FOO=bar command' functionality on sh based shells https://github.com/PowerShell/PowerShell-RFC/pull/384. If you are interested in this, it would be great to get some feedback around the proposed syntax or potential alternatives.
Add RFC for process environment blocks by jborean93 · Pull Request #384 · PowerShell/PowerShell-RFC

Adds the RFC to support specifying environment variable(s) that are only set on subprocesses. This is to support a feature that is currently preset on sh based shells like bash but is not possible ...

GitHub