maemo.org - Talk - Nokia N900 A-GPS Not Working Anymore

maemo.org - Talk (https://talk.maemo.org/index.php)

- Nokia N900 (https://talk.maemo.org/forumdisplay.php?f=44)

- - Nokia N900 A-GPS Not Working Anymore (https://talk.maemo.org/showthread.php?t=90651)

Re: Nokia N900 A-GPS Not Working Anymore

I believe he inserted/refreshed a cert in our store and then the cmcli also succeeded, which failed previously (and if I interprete it right, he succeeded in getting supl data from Nokia?). As I played also with a lot of certs/adding/deleting from common-ca and did not succeed at all, I am waiting eagerly for more details ...

Re: Nokia N900 A-GPS Not Working Anymore

Well I actually removed one :)

The certificate in question is 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1. Not that there is something wrong with that certificate, but it seems maemo certman has a bug.

There are 2 verisign root certificates with the same public key:
00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61 and 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1. certificate chain of supl.nokia.com cert ends up with 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61, but it seems certman tries to use 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1 instead. So the verification fails.

I didn't debug it, so the actual thing that happens could be a slightly different, however, removing both 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61 and 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1 and reimporting 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61 workarounds the problem.

seems https://gitorious.org/community-ssu/...c074bfeef6a622 is not enough for multiple-keys-same-public to work on Fremantle. I'll debug the whole mess when I have some free time. Wouldn't try to stop anyone to do the same ofc :)

Re: Nokia N900 A-GPS Not Working Anymore

Hmm, I have created a PEM certificate file of the root certificate indicated when connecting to supl.nokia com, also in the zip, is the original crt file.

Code:

root@bt:~# openssl s_client -connect supl.nokia.com:7275                        CONNECTED(00000003)

depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority

verify error:num=19:self signed certificate in certificate chain

verify return:0

---

Certificate chain

 0 s:/C=FI/ST=Espoo/O=Nokia/CN=supl.nokia.com

   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3

 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3

   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

---

Server certificate

-----BEGIN CERTIFICATE-----

MIIFWTCCBEGgAwIBAgIQHpGupbIVFaSG2r4A10yDuzANBgkqhkiG9w0BAQUFADCB

tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL

ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug

YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm

VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTIwNDE2

MDAwMDAwWhcNMTUwNDE2MjM1OTU5WjBGMQswCQYDVQQGEwJGSTEOMAwGA1UECBMF

RXNwb28xDjAMBgNVBAoUBU5va2lhMRcwFQYDVQQDFA5zdXBsLm5va2lhLmNvbTCC

ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+Ge5eqh68YHvnlvwvJTX36

MJbIvxyqljUarJldINPbp2d2aabRFzr7B7GVbITFLC94djgUKj0TNFpHfTpffmSo

uSWYp8WYNQHCeNO2yezAOVvWhFwFixp2e3/hWi6bmVt+A7jfDN8pOnugZRIkgHxz

6czndRqDAWA/zIi8w5sBPRqQGKS8QnPqcYhtmqh8nVbzCp2JweV8sdg9SnvCyR1a

jIPjqiDXl6hjZQ1w0vckXivr0vB88tmm8ReTvP3plhZXub1ggL2wB7O+jHmRslJF

nlcRQMHc6vVwMWJobjzp8audHxZOX1sCKGVJCLC40MGnyIxIOObPizT3dHLfcQEC

AwEAAaOCAdEwggHNMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMEUGA1UdHwQ+MDww

OqA4oDaGNGh0dHA6Ly9TVlJTZWN1cmUtRzMtY3JsLnZlcmlzaWduLmNvbS9TVlJT

ZWN1cmVHMy5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgGCCsGAQUF

BwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMB0GA1UdJQQWMBQGCCsG

AQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBQNRFwWU0TBgn4dIKsl9AFj2L55

pTB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlz

aWduLmNvbTBABggrBgEFBQcwAoY0aHR0cDovL1NWUlNlY3VyZS1HMy1haWEudmVy

aXNpZ24uY29tL1NWUlNlY3VyZUczLmNlcjBuBggrBgEFBQcBDARiMGChXqBcMFow

WDBWFglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsHiyEF

GDAmFiRodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJKoZI

hvcNAQEFBQADggEBABx2tb0EQch660oL98RMtEXCQtkCOLPfFQO5X2YS29Tw9a/f

xi/RcmyUN+XuCScgFzvT7tmnaCmuxd6SNqUo/cSF1XRx1m+23RNgA9APVm8uEZ5/

GSswd8DTKU0Gkh2xS8UDS6mqMtST8oFzWiQlinSlfiOvr51PZtQEiQZUzFqKJlbF

yC1BnlIyGokHTt3Izh4CXFrGbZRo4WZSybmu9O/+ziI1smArNIRnMdeinP8mi/y3

atok31Rw1+/qi3142GTVYilfvuJB5zVJu2lnvU7gSSaQr7tuerk47An5rZddMDuf

uzc0MT9HOXlAdTCyqhxEc7ymsSeRFmFGTyIap58=

-----END CERTIFICATE-----

subject=/C=FI/ST=Espoo/O=Nokia/CN=supl.nokia.com

issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3

---

No client certificate CA names sent

---

SSL handshake has read 4857 bytes and written 631 bytes

---

New, TLSv1/SSLv3, Cipher is RC4-MD5

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

    Protocol  : TLSv1

    Cipher    : RC4-MD5

    Session-ID: 8FB277CE00000000000000000000000000003570521EF965000000008F0240C0

    Session-ID-ctx:

    Master-Key: 5061BB36F33A7171F87DB1541E127EE58905A40D8463FE672B4349F1097DFD717D5E6DFED58E515A614719CAF8EEBF1F

    Key-Arg   : None

    PSK identity: None

    PSK identity hint: None

    SRP username: None

    Start Time: 1377760865

    Timeout   : 300 (sec)

    Verify return code: 19 (self signed certificate in certificate chain)

---

I will test later (my N900 needs a reflash :/)

Re: Nokia N900 A-GPS Not Working Anymore

@nieldk: there is one more certificate on top of the one you bolded, do:

cmcli -s -T common-ca -v supl.nokia.com:7275

(this will save the whole certificate chain as .pem files) and you'll see there are 4 .pems saved, not 3.

EDIT: nevermind, seems I misread your post

Re: Nokia N900 A-GPS Not Working Anymore

YEP!

A THOUSAND THANKS !!!

One mistake above: it iks the second one (with the "-1") that needs to be readded.
And I needed a reboot to make location library aware.

I never thought of removing that one (verisign), actually both and reinstalling only the second one. I fiddled with exactly that cert, but failed miserable due to missing cert experience.

Will do now a second reboot for verification.

Re: Nokia N900 A-GPS Not Working Anymore

@peterleinchen: "the mistake" could be related to the order of the hashes.

EDIT:

don't forget to "perl /usr/bin/c_rehash /etc/certs/common-ca" after every change to the certificate store

Re: Nokia N900 A-GPS Not Working Anymore

Quote:

Originally Posted by freemangordon (Post 1370315)

@peterleinchen: "the mistake" could be related to the order of the hashes.

Quote:

Originally Posted by freemangordon (Post 1370315)

EDIT:

don't forget to "perl /usr/bin/c_rehash /etc/certs/common-ca" after every change to the certificate store

edit to your edit:
WHAT?
Never knew/did that. What is this about?
It worked for without that rehashing (some kind of aegis here? ;))

--edit
Another edit aimed to nieldk
What PR version do you have?

Is it possibly "only" PR1.3 and not PR1.3.1 (with some cert updates/revocations)?
Idk when this problem arised, but could it be due to that one?

Re: Nokia N900 A-GPS Not Working Anymore

Quote:

Originally Posted by peterleinchen (Post 1370318)

Could be, as I failed with reinserting both certs, but in reversed order!

Nevertheless:
after the second clearing cache (gconftool/reboot), I got a fix within 5-10 seconds from supl.nokia.com.

We ARE back, Nokia!

Thank you freemangordon

edit to your edit:
WHAT?
Never knew/did that. What is this about?
It worked for without that rehashing (some kind of aegis here? ;))

--edit
Another edit aimed to nieldk
What PR version do you have?

Is it possibly "only" PR1.3 and not PR1.3.1 (with some cert updates/revocations)?
Idk when this problem arised, but could it be due to that one?

http://www.tin.org/bin/man.cgi?section=1&topic=c_rehash

Re: Nokia N900 A-GPS Not Working Anymore

Quote:

Originally Posted by peterleinchen (Post 1370318)

Another edit aimed to nieldk
What PR version do you have?

I have pr1.3 (flashes too often and never bothers to do the 1.3.1)
With, KP52 as kernel.

Re: Nokia N900 A-GPS Not Working Anymore

Wow, I almost can't believe it: Nokia N900 can use supl.nokia.com again!!!

Anyway, I didn't have a file/cert 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1.pem , just the one without the -1 .
What was workin for me was (as root):

Code:

mkdir /tmp/supl/ ; cd /tmp/supl/ ; cmcli -s -T common-ca -v supl.nokia.com:7275 ; for CERT in `ls -1 *.pem` ; do cmcli -c common-ca -r ${CERT%%.*} ; cmcli -c common-ca -r ${CERT%%.*}-1 ; cmcli -c common-ca -a ${CERT} ; done

With

Code:

cmcli -T common-ca -v supl.nokia.com:7275

I got a "Verified OK".
Setting location server to supl.nokia.com then gave me the nearby fix within 5 secs. Yey!

@freemangordon: Where did you find the -s flag for cmcli ? It is not shown as an option when called without any param.

Edit: typo ...