tivdzualubem · tivdzualubem · Jun 9, 2026 · Jun 9, 2026 · Jun 9, 2026 · Jun 9, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,78 @@
+name: ci
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'app/**'
+      - '.github/workflows/ci.yml'
+  pull_request:
+    branches: [main]
+    paths:
+      - 'app/**'
+      - '.github/workflows/ci.yml'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  GOFLAGS: -buildvcs=false
+
+jobs:
+  vet:
+    name: vet-go-${{ matrix.go }}
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        go: ['1.23', '1.24']
+    defaults:
+      run:
+        working-directory: app
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5  # v5.5.0
+        with:
+          go-version: ${{ matrix.go }}
+          cache: true
+          cache-dependency-path: app/go.sum
+      - run: go vet ./...
+
+  test:
+    name: test-go-${{ matrix.go }}
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        go: ['1.23', '1.24']
+    defaults:
+      run:
+        working-directory: app
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5  # v5.5.0
+        with:
+          go-version: ${{ matrix.go }}
+          cache: true
+          cache-dependency-path: app/go.sum
+      - run: go test -race -count=1 ./...
+
+  lint:
+    name: lint
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5  # v5.5.0
+        with:
+          go-version: '1.24'
+          cache: true
+          cache-dependency-path: app/go.sum
+      - uses: golangci/golangci-lint-action@7119f3d5ddced62a10a044847a6c6bb0f7a5e76a  # v7.0.0
+        with:
+          version: v2.5.0
+          working-directory: app
+          args: --timeout=5m
diff --git a/lab4-debug-commands.txt b/lab4-debug-commands.txt
@@ -0,0 +1,18 @@
+## ss -tlnp | grep :8080
+LISTEN 0      4096               *:8080             *:*    users:(("quicknotes",pid=9136,fd=3))
+
+## ip route show
+default via 192.168.240.1 dev eth0 proto kernel 
+192.168.240.0/20 dev eth0 proto kernel scope link src 192.168.254.234 
+
+## mtr -rwc 5 localhost
+Start: 2026-06-09T23:27:15+0300
+HOST: DESKTOP-U1R4GKD Loss%   Snt   Last   Avg  Best  Wrst StDev
+  1.|-- localhost        0.0%     5    0.1   0.3   0.1   1.4   0.6
+
+## dig +short example.com @1.1.1.1
+8.47.69.0
+8.6.112.0
+
+## journalctl --user -u quicknotes -n 20 || true
+-- No entries --
diff --git a/lab4-openssl-cert.txt b/lab4-openssl-cert.txt
@@ -0,0 +1,91 @@
+depth=1 CN = Caddy Local Authority - ECC Intermediate
+verify error:num=20:unable to get local issuer certificate
+verify return:1
+depth=0 
+verify return:1
+CONNECTED(00000003)
+---
+Certificate chain
+ 0 s:
+   i:CN = Caddy Local Authority - ECC Intermediate
+   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
+   v:NotBefore: Jun  9 20:48:14 2026 GMT; NotAfter: Jun 10 08:48:14 2026 GMT
+-----BEGIN CERTIFICATE-----
+MIIBvTCCAWOgAwIBAgIQQcnwtGhA8QZmpzU5YZBHIjAKBggqhkjOPQQDAjAzMTEw
+LwYDVQQDEyhDYWRkeSBMb2NhbCBBdXRob3JpdHkgLSBFQ0MgSW50ZXJtZWRpYXRl
+MB4XDTI2MDYwOTIwNDgxNFoXDTI2MDYxMDA4NDgxNFowADBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABKQGbR3xQZoh4Ucbfe7a6jHnVLkd8/vBTFucDkt5dvuu1tw+
+NnojK/ubgJ2UV8tlQ6pzZ1KFNl6U2Gbp5tl6kAOjgYswgYgwDgYDVR0PAQH/BAQD
+AgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUCPjb
+l9HGvF+gVa3o9khyxf0MXjIwHwYDVR0jBBgwFoAUTGmPgBhIOa7b25swHNZvU2Oj
+UwAwFwYDVR0RAQH/BA0wC4IJbG9jYWxob3N0MAoGCCqGSM49BAMCA0gAMEUCIQDw
+O4mOKmGt4was4D/o9xBcGVnLO1ueUHUgTr2iuQ5b0gIgUakXWDRTGFaR1/+R8C8M
+UOqDBuVN4WoHveo3m2FXWVA=
+-----END CERTIFICATE-----
+ 1 s:CN = Caddy Local Authority - ECC Intermediate
+   i:CN = Caddy Local Authority - 2026 ECC Root
+   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
+   v:NotBefore: Jun  9 20:48:14 2026 GMT; NotAfter: Jun 16 20:48:14 2026 GMT
+-----BEGIN CERTIFICATE-----
+MIIByTCCAW6gAwIBAgIRAL2uoSTtjl1i+Mhr0XQLwvIwCgYIKoZIzj0EAwIwMDEu
+MCwGA1UEAxMlQ2FkZHkgTG9jYWwgQXV0aG9yaXR5IC0gMjAyNiBFQ0MgUm9vdDAe
+Fw0yNjA2MDkyMDQ4MTRaFw0yNjA2MTYyMDQ4MTRaMDMxMTAvBgNVBAMTKENhZGR5
+IExvY2FsIEF1dGhvcml0eSAtIEVDQyBJbnRlcm1lZGlhdGUwWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAATwBaaqryuHE9RLEjMLOpPmoexH9I9Uy9rSrTa/Q1lHG0h5
+9+XR6qJ4AG02A8v6b09ctrGPppVYm/DJN6+dD8zbo2YwZDAOBgNVHQ8BAf8EBAMC
+AQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUTGmPgBhIOa7b25swHNZv
+U2OjUwAwHwYDVR0jBBgwFoAURi39BFvOjRCvcRJVK+3cGI1GxIcwCgYIKoZIzj0E
+AwIDSQAwRgIhAKYIQEKcQx8uj1l7uKX820yWBhpVMBddVEYc+ViT9xqkAiEAl4Pf
+xfF89l7vM/PVHGCoxEkl8L6QBib86J+SDlIxO48=
+-----END CERTIFICATE-----
+---
+Server certificate
+subject=
+issuer=CN = Caddy Local Authority - ECC Intermediate
+---
+No client certificate CA names sent
+Peer signing digest: SHA256
+Peer signature type: ECDSA
+Server Temp Key: X25519, 253 bits
+---
+SSL handshake has read 1271 bytes and written 375 bytes
+Verification error: unable to get local issuer certificate
+---
+New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
+Server public key is 256 bit
+Secure Renegotiation IS NOT supported
+Compression: NONE
+Expansion: NONE
+No ALPN negotiated
+Early data was not sent
+Verify return code: 20 (unable to get local issuer certificate)
+---
+DONE
+---
+Post-Handshake New Session Ticket arrived:
+SSL-Session:
+    Protocol  : TLSv1.3
+    Cipher    : TLS_AES_128_GCM_SHA256
+    Session-ID: 70E999CD090B0313F81067A24843BFAB91A54C3DCBCA730266CD3925368C4807
+    Session-ID-ctx: 
+    Resumption PSK: 1993D9804CADCCEB6AA7B19BD148196492F6A251C587B1FE3E434D7E81D6A5C1
+    PSK identity: None
+    PSK identity hint: None
+    SRP username: None
+    TLS session ticket lifetime hint: 604800 (seconds)
+    TLS session ticket:
+    0000 - d9 16 3e a2 78 f7 01 06-42 ec 8b dd fd 78 3c 70   ..>.x...B....x<p
+    0010 - 50 db 47 be d6 99 ba a5-e9 15 96 c8 f3 cb 8a 5c   P.G............\
+    0020 - be c3 41 18 a7 7b c3 ef-d0 64 f2 37 28 5a 8b ac   ..A..{...d.7(Z..
+    0030 - e1 cb d0 0e 22 4e ce b7-14 4f c7 4c 87 d4 2d 3b   ...."N...O.L..-;
+    0040 - d8 fa 06 91 b8 ca ec 55-a7 a6 ac b8 b1 5a e1 61   .......U.....Z.a
+    0050 - 08 c3 65 d7 1b 2e 3a 33-17 e4 8f 95 85 c7 e9 f4   ..e...:3........
+    0060 - 70 2e d3 5f cd 51 59 32-2c                        p.._.QY2,
+
+    Start Time: 1781038432
+    Timeout   : 7200 (sec)
+    Verify return code: 20 (unable to get local issuer certificate)
+    Extended master secret: no
+    Max Early Data: 0
+---
+read R BLOCK
diff --git a/lab4-outside-in.txt b/lab4-outside-in.txt
@@ -0,0 +1,19 @@
+## 1) systemctl-style: is it running?
+teeroyce    9382    9319  0 23:35 pts/2    00:00:00 /home/teeroyce/.cache/go-build/90/9016c83a63fe787e68575294d14cbd10b92027c8670ffbf0636d85882db88588-d/quicknotes
+teeroyce    9319    3091  0 23:35 pts/2    00:00:00 go run .
+
+## 2) is it listening?
+LISTEN 0      4096               *:8080             *:*    users:(("quicknotes",pid=9382,fd=3))
+
+## 3) reachable from host?
+200
+
+## 4) firewall blocking?
+
+## 5) DNS?
+127.0.0.1
+
+## Broken log
+2026/06/09 23:35:11 quicknotes listening on :8080 (notes loaded: 6)
+2026/06/09 23:35:11 listen: listen tcp :8080: bind: address already in use
+exit status 1
diff --git a/lab4-repair.txt b/lab4-repair.txt
@@ -0,0 +1,14 @@
+## Repair evidence
+Killed actual quicknotes listener pid=9382 after kill PID1 only killed the go run wrapper.
+
+8080 is free after killing actual listener
+
+Restarted QuickNotes:
+ADDR=:8080 go run . &
+
+Health check:
+{"notes":6,"status":"ok"}
+
+
+Listener after repair:
+LISTEN 0      4096               *:8080             *:*    users:(("quicknotes",pid=9617,fd=3))
diff --git a/lab4-tls-curl.txt b/lab4-tls-curl.txt
@@ -0,0 +1,64 @@
+* Host localhost:8443 was resolved.
+* IPv6: ::1
+* IPv4: 127.0.0.1
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying [::1]:8443...
+* Connected to localhost (::1) port 8443
+* ALPN: curl offers h2,http/1.1
+} [5 bytes data]
+* TLSv1.3 (OUT), TLS handshake, Client hello (1):
+} [512 bytes data]
+* TLSv1.3 (IN), TLS handshake, Server hello (2):
+{ [122 bytes data]
+* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
+{ [15 bytes data]
+* TLSv1.3 (IN), TLS handshake, Certificate (11):
+{ [928 bytes data]
+* TLSv1.3 (IN), TLS handshake, CERT verify (15):
+{ [79 bytes data]
+* TLSv1.3 (IN), TLS handshake, Finished (20):
+{ [36 bytes data]
+* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
+} [1 bytes data]
+* TLSv1.3 (OUT), TLS handshake, Finished (20):
+} [36 bytes data]
+* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / id-ecPublicKey
+* ALPN: server accepted h2
+* Server certificate:
+*  subject: [NONE]
+*  start date: Jun  9 20:48:14 2026 GMT
+*  expire date: Jun 10 08:48:14 2026 GMT
+*  issuer: CN=Caddy Local Authority - ECC Intermediate
+*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
+*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
+*   Certificate level 1: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
+{ [5 bytes data]
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+{ [122 bytes data]
+* using HTTP/2
+* [HTTP/2] [1] OPENED stream for https://localhost:8443/health
+* [HTTP/2] [1] [:method: GET]
+* [HTTP/2] [1] [:scheme: https]
+* [HTTP/2] [1] [:authority: localhost:8443]
+* [HTTP/2] [1] [:path: /health]
+* [HTTP/2] [1] [user-agent: curl/8.5.0]
+* [HTTP/2] [1] [accept: */*]
+} [5 bytes data]
+> GET /health HTTP/2
+> Host: localhost:8443
+> User-Agent: curl/8.5.0
+> Accept: */*
+> 
+{ [5 bytes data]
+< HTTP/2 200 
+< alt-svc: h3=":8443"; ma=2592000
+< content-type: application/json
+< date: Tue, 09 Jun 2026 20:51:19 GMT
+< server: Caddy
+< content-length: 26
+< 
+{ [26 bytes data]
+100    26  100    26    0     0    760      0 --:--:-- --:--:-- --:--:--   764
+* Connection #0 to host localhost left intact
+{"notes":6,"status":"ok"}

diff --git a/lab4-tls-deprecation.txt b/lab4-tls-deprecation.txt
@@ -0,0 +1,59 @@
+## TLS 1.0 test
+4047A33D54750000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
+CONNECTED(00000003)
+---
+no peer certificate available
+---
+No client certificate CA names sent
+---
+SSL handshake has read 0 bytes and written 7 bytes
+Verification: OK
+---
+New, (NONE), Cipher is (NONE)
+Secure Renegotiation IS NOT supported
+Compression: NONE
+Expansion: NONE
+No ALPN negotiated
+Early data was not sent
+Verify return code: 0 (ok)
+---
+
+## TLS 1.1 test
+40F78B10BA770000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
+CONNECTED(00000003)
+---
+no peer certificate available
+---
+No client certificate CA names sent
+---
+SSL handshake has read 0 bytes and written 7 bytes
+Verification: OK
+---
+New, (NONE), Cipher is (NONE)
+Secure Renegotiation IS NOT supported
+Compression: NONE
+Expansion: NONE
+No ALPN negotiated
+Early data was not sent
+Verify return code: 0 (ok)
+---
+
+## TLS 1.2 test
+CONNECTED(00000003)
+New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
+    Protocol  : TLSv1.2
+    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
+    Verify return code: 20 (unable to get local issuer certificate)
+
+## TLS 1.3 evidence from curl
+* TLSv1.3 (OUT), TLS handshake, Client hello (1):
+* TLSv1.3 (IN), TLS handshake, Server hello (2):
+* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
+* TLSv1.3 (IN), TLS handshake, Certificate (11):
+* TLSv1.3 (IN), TLS handshake, CERT verify (15):
+* TLSv1.3 (IN), TLS handshake, Finished (20):
+* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
+* TLSv1.3 (OUT), TLS handshake, Finished (20):
+* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / id-ecPublicKey
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+< HTTP/2 200 
diff --git a/lab4-tls.pcap b/lab4-tls.pcap
diff --git a/lab4-trace.pcap b/lab4-trace.pcap
diff --git a/lab4-trace.txt b/lab4-trace.txt
@@ -0,0 +1,43 @@
+23:21:16.065482 IP6 ::1.32966 > ::1.8080: Flags [S], seq 413340489, win 65476, options [mss 65476,sackOK,TS val 2475753567 ecr 0,nop,wscale 7], length 0
+`....(.@.......................................I.........0.........
+..._........
+23:21:16.066930 IP6 ::1.8080 > ::1.32966: Flags [S.], seq 2599690076, ack 413340490, win 65464, options [mss 65476,sackOK,TS val 2475753569 ecr 2475753567,nop,wscale 7], length 0
+`../.(.@.......................................\...J.....0.........
+...a..._....
+23:21:16.067406 IP6 ::1.32966 > ::1.8080: Flags [.], ack 1, win 512, options [nop,nop,TS val 2475753570 ecr 2475753569], length 0
+`.... .@.......................................J...].....(.....
+...b...a
+23:21:16.068922 IP6 ::1.32966 > ::1.8080: Flags [P.], seq 1:175, ack 1, win 512, options [nop,nop,TS val 2475753571 ecr 2475753569], length 174: HTTP: POST /notes HTTP/1.1
+`......@.......................................J...]...........
+...c...aPOST /notes HTTP/1.1
+Host: localhost:8080
+User-Agent: curl/8.5.0
+Accept: */*
+Content-Type: application/json
+Content-Length: 39
+
+{"title":"trace me","body":"in flight"}
+23:21:16.068950 IP6 ::1.8080 > ::1.32966: Flags [.], ack 175, win 511, options [nop,nop,TS val 2475753571 ecr 2475753571], length 0
+`../. .@.......................................].........(.....
+...c...c
+23:21:16.084058 IP6 ::1.8080 > ::1.32966: Flags [P.], seq 1:207, ack 175, win 512, options [nop,nop,TS val 2475753587 ecr 2475753571], length 206: HTTP: HTTP/1.1 201 Created
+`../...@.......................................]...............
+...s...cHTTP/1.1 201 Created
+Content-Type: application/json
+Date: Tue, 09 Jun 2026 20:21:16 GMT
+Content-Length: 93
+
+{"id":6,"title":"trace me","body":"in flight","created_at":"2026-06-09T20:21:16.071257766Z"}
+
+23:21:16.084120 IP6 ::1.32966 > ::1.8080: Flags [.], ack 207, win 511, options [nop,nop,TS val 2475753587 ecr 2475753587], length 0
+`.... .@.......................................... +.....(.....
+...s...s
+23:21:16.090747 IP6 ::1.32966 > ::1.8080: Flags [F.], seq 175, ack 207, win 512, options [nop,nop,TS val 2475753593 ecr 2475753587], length 0
+`.... .@.......................................... +.....(.....
+...y...s
+23:21:16.091016 IP6 ::1.8080 > ::1.32966: Flags [F.], seq 207, ack 176, win 512, options [nop,nop,TS val 2475753593 ecr 2475753593], length 0
+`../. .@...................................... +.........(.....
+...y...y
+23:21:16.091238 IP6 ::1.32966 > ::1.8080: Flags [.], ack 208, win 512, options [nop,nop,TS val 2475753594 ecr 2475753593], length 0
+`.... .@.......................................... ,.....(.....
+...z...y
diff --git a/lab4-wireshark-certchain.png b/lab4-wireshark-certchain.png
diff --git a/lab4-wireshark-clienthello.png b/lab4-wireshark-clienthello.png
diff --git a/lab4-wireshark-serverhello.png b/lab4-wireshark-serverhello.png