Skip to content

Recent Articles


California Requirements for Wiring an Oven

Just in case you wanted to know, the Section 422.16 (B) (3) of the California Electric Code for 2013 contains the following:

(3) Wall-Mounted Ovens and Counter-Mounted Cooking Units. Wall-mounted ovens and counter- mounted cooking units complete with provisions for mounting and for making electrical connections shall be permitted to be permanently connected or, only for ease in servicing or for installation, cord-and-plug-connected.

A separable connector or a plug and receptacle combination in the supply line to an oven or cooking unit shall be approved for the temperature of the space in which it is located.

So, if you wanted to replace your oven’s direct wiring with a plug (in case you were experimenting with something that required 240 V power), you’re good to go (assuming you do it right).



A few days ago I got back from London. It was a great trip; I really love that city (and I’m from San Francisco, so that’s saying something).

One of my geekier sub-trips was a day trip out to Cardiff, Wales, where a lot of Doctor Who is filmed. Wales is beautiful, and I can’t wait to go back. I saw the area where Torchwood Headquarters is, and the Doctor Who Experience (which is surprisingly awesome). I also got it into my head that I wanted to see Amy’s duck pond.

For those of you who don’t know, the first episode of the fifth season of the new Doctor Who introduced a new companion Amy Pond, played by Karen Gillan. In the first episode, there was a short exchange between The Doctor and Amy about a small pond in her home town of Leadworth. The pond had no ducks, but Amy insisted it was a duck pond.

A little googling turned up the filming location, a place known as Cathedral Green in Cardiff. So, I took a bus out there to check it out. It’s much smaller in person than it appears to be on TV. The duck pond doesn’t actually exist. Its location is a parking lot, and the pond itself was created for the episode in a corner of the lot. A number of other elements aren’t there, either (the phone booth, the mailbox at the post office, etc.). Here are a few screen caps from the episode, and some of the photos I took while there (you can click on my images for a larger version).

On my way to Cardiff (via train; I love trains!), I met a woman from Texas who was also going because she was a big Doctor Who fan. Like me, she thought visiting Amy’s pond was cooler than expected.

Stone Wall

Walking from Amy’s house.

My photo of the path from Amy’s house.

Stone Argh 2

Walking from Mrs. Angelo’s house.

My photos of the road and the stone arch behind them.

Duck Pond

Amy’s duck pond!

A long shot in the direction the actors are walking.

The corner of the lot where they built the pond.

Me standing where the pond was.

Green 1

Green 2

Green 3


More shots from the episode.

More photos from my visit.

For completeness, here are a few more photos from my visit to Cardiff:

Daleks This Way

Daleks this way.

Eleventh Doctor’s TARDIS.

Season five costumes.

Eleventh Doctor’s costume.

Amelia Pond’s costume.

Kissogram Amy Costume

Kissogram Amy’s costume.

Amy Pond’s Costume

Amy Pond’s costume (one of many).

The Doctor’s and Melody Pond’s Cradle

The Doctor’s and Melody Pond’s cradle.

River Song’s Costume

River Song’s costume.

The Face of Boe

The Face of Boe.



Weeping Angel

Weeping Angel.


Silence (sorry you’ll forget about this one).

Oswin Oswald’s costume.

Oswin as Dalek.

Clara’s Book, 101 Places to See.

Torchwood HQ

Torchwood HQ.


Validating a Self-Signed SSL Certificate in iOS and OS X Against a Changing Host Name

We developed a device with which we communicate securely over SSL using a self-signed certificate. The device gets a dynamically-assigned IP address, and that is communicated to the iOS app via other means. By default, NSURLConnection tries to validate the SSL certificate against the hostname, but it was impossible for us to create a wildcard cert that would match.

So instead, I figured out how to get Security.framework to ignore the host name. You must use the supplied trust’s certificate chain to create a new trust, which allows you to specify the trust policy. You then set the root (anchor) cert that was used to sign the self-signed cert. In our case, these are one and the same (an explanation of how to do this is included below).

- (void)
connection: (NSURLConnection*) inConnection
    willSendRequestForAuthenticationChallenge: (NSURLAuthenticationChallenge*) inChallenge
    NSLogDebug(@"Connection challenged");
    //  Build a new trust based on the supplied trust, so that we can set the policy…
    NSURLProtectionSpace* protectionSpace = inChallenge.protectionSpace;
    SecTrustRef trust = protectionSpace.serverTrust;
    CFIndex numCerts = SecTrustGetCertificateCount(trust);
    NSMutableArray* certs = [NSMutableArray arrayWithCapacity: numCerts];
    for (CFIndex idx = 0; idx < numCerts; ++idx)
        SecCertificateRef cert = SecTrustGetCertificateAtIndex(trust, idx);
        [certs addObject: CFBridgingRelease(cert)];
    //  Create a policy that ignores the host name…
    SecPolicyRef policy = SecPolicyCreateSSL(true, NULL);
    OSStatus err = SecTrustCreateWithCertificates(CFBridgingRetain(certs), policy, &trust);
    if (err != noErr)
        NSLogDebug(@"Error creating trust: %d", err);
        [inChallenge.sender cancelAuthenticationChallenge: inChallenge];
    //  Set the root cert and evaluate the trust…
    NSArray* rootCerts = @[ CFBridgingRelease(mRootCert) ];
    err = SecTrustSetAnchorCertificates(trust, CFBridgingRetain(rootCerts));
    if (err == noErr)
        SecTrustResultType trustResult;
        err = SecTrustEvaluate(trust, &trustResult);
        NSURLCredential* credential = [NSURLCredential credentialForTrust: trust];
        bool trusted = err == noErr;
        trusted = trusted && (trustResult == kSecTrustResultProceed || trustResult == kSecTrustResultUnspecified);
        if (trusted)
            [inChallenge.sender useCredential: credential forAuthenticationChallenge: inChallenge];
    //  An error occurred, or we don't trust the cert, so disallow it…
    [inChallenge.sender cancelAuthenticationChallenge: inChallenge];

Chances are, when you created your self-signed cert, you did something like this:

$ openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout my.key -out my.crt

That produces a certificate in PEM format (ASCII). Security.framework requires the certificate in DER format. You can convert the cert with the following (note that this will overwrite the PEM cert you generated):

$ openssl x509 -in my.crt -outform der -out my.crt

You can create the root SecCertificateRef with something like this:

- (void)
    NSURL* certURL = [[NSBundle mainBundle] URLForResource: @"my" withExtension: @"crt"];
    NSData* certData = [NSData dataWithContentsOfURL: certURL];
    mRootCert = SecCertificateCreateWithData(kCFAllocatorDefault, CFBridgingRetain(certData));