maemo.org - Talk - Security certificates have expired.

maemo.org - Talk (https://talk.maemo.org/index.php)

- Maemo 5 / Fremantle (https://talk.maemo.org/forumdisplay.php?f=40)

- - Security certificates have expired. (https://talk.maemo.org/showthread.php?t=100396)

Re: Security certificates have expired.

Working.
Delicious!!!
Lots og thanks to you guys for the help.
Some more month/years to go, no Fx to buy, beautyfull.

Re: Security certificates have expired.

Sorry. That was the trick yes. But wasn't it also neccessary to uppgrade openssl and certs? So sorry. Having a real brain malfunction at the moment and on the sick leave for it. Not the best to give working answers.

Re: Security certificates have expired.

Quote:

Originally Posted by Maemish (Post 1562302)

No problem, there is frequently no good answer but good parts of it.
Then we have to puzzle...
I guess it was necessary to upgrade these too as said by Halftux.
It's good to do what Halftux says :)

Except that we (hmmm... am I the last one who cares about Backupmenus's password?) still have the non-working password = free access to Backupmenu once new lib/openssl installed!

Re: Security certificates have expired.

I don't do backups. I do reflashes. About twenty in two years. Messing a lot. Almost brick device when once installed backup and tried to recover from there. Never again.

Re: Security certificates have expired.

I still love and use Backupmenus, with no issues. But will need to deal with the certs at some point myself.

x

Re: Security certificates have expired.

Quote:

Originally Posted by Maemish (Post 1562302)

But wasn't it also neccessary to uppgrade openssl and certs?

To install the latest certs shouldn't harm anything and should be done. Otherwise it is a security issue.
Openssl could break things but should not. Because in principle no other application will access directly the rehashed certificates and the old libssl is still available.
For backupmenu it is somehow special, it could be that it generates something which will be later encrypted with an older openssl. The question is why it jumps over the password query and doesn't stop.

For qt application to gain profit from the new openssl, it is necessary to install the patched qt. This could break qt applications due to historical reasons. In the past it was not the qt library which got fixed first. Many application switched from secure protocols to only-tlsv1 which is now depreciated. Switching back and recompiling should fix this situation. Other way would be to patch qt library so that only-tlsv1 will be redirected to secure protocols.

However not every application uses openssl, we have also gnutls and nss. It is also possible that application have there own ssl code and not using the maemo infrastructure.

How Opera works I don't know, maybe it still uses nss.

Re: Security certificates have expired.

Quote:

Originally Posted by Halftux (Post 1562353)

...
For backupmenu it is somehow special, it could be that it generates something which will be later encrypted with an older openssl. The question is why it jumps over the password query and doesn't stop.
...

Because the case of empty return of the openssl instruction seems not to be handled correctly. (If I dare, cause I wouldn'have been able to write something like Backupmenu)

I took a look into usr/share/backupmenu, we see that Backupmenu compares the root encrypted password with the output of openssl.

If openssl returns nothing because it was looking for a lib which is not present, the shell (/bin/sh) has to compare a variable with nothing.
This is generating an error and it skips the instructions following the comparison (stop and reboot).

usr/share/backupmenu:

Code:

if [ -e /usr/share/backupmenu/lock-enable.txt ]; then #display password screen

        #clear display

        $T2S -c -x 16 -y 18 -w 768 -h 440

        y=20

        passhash=`cat /usr/share/backupmenu/lock-enable.txt`

        if [ -z "$passhash" ] || [ ! `expr length $passhash` == 13 ]; then

                passhash=`cat /etc/passwd | grep root |cut -d ':' -f 2`

        fi

        pass2dig=`echo "$passhash" | cut -c 1-2`

        for i in 1 2 3; do

                password=""

                $T2S -s 2 -H center -y $y -T 0 -t ">> Enter Password <<"; y=$((y+40))

                

                $T2S -s 2 -H left -y $y -T 0x0000 -t "  Alt/shift keys must be pressed one at a time"

                $T2S -s 2 -H left -y $y -T 0x0410 -t "  Alt shift"; y=$((y+20))

                getUserInputString 1

                password=$inputString

                y=$((y+60))

                encpass=`openssl passwd -crypt -salt "$pass2dig" "$password"`

                if [ $passhash == $encpass ]; then

                        break

                fi

                $T2S -s 2 -H center -y $y -T 0xF800 -t "Password wrong."; y=$((y+20)) 

        done



##################################################

#Is the error here in next line?

##################################################

        if [ ! $passhash == $encpass ]; then

                $T2S -s 2 -H center -y $y -T 0xF800 -t "You have entered an incorrect password 3 times"; y=$((y+20))

                $T2S -s 2 -H center -y $y -T 0xF800 -t "Rebooting in 30 seconds."; y=$((y+20))

                sleep 30

                reboot -f

                sleep 60

        fi

fi

Instead of

Code:

if [ ! $passhash == $encpass ]; then

Shouldn't we write this?

Code:

if [ ! x$passhash == x$encpass ]; then

But now, why is openssl not finding the right libssl once we installed version 1.1?
Because when I use it from within maemo, both libs are present.
When I test openssl from the terminal in Backupmenu, openssl complains not finding the version 1.1. And if I look for it with find, it'is not there, effectively.

Isn't it the same root?
Is it a kind of initramsomething and not the definitive root filesystem?
But in this case, why is the new openssl installed on it?

edit: I meant:

Code:

if [ ! "x"$passhash == "x"$encpass ]; then

But the below Olf's solution seems to be more correct:

Code:

if [ ! "$passhash" = "$encpass" ]; then

Re: Security certificates have expired.

Quote:

Originally Posted by ric9K (Post 1562358)

Isn't it the same root?
Is it a kind of initramsomething and not the definitive root filesystem?
But in this case, why is the new openssl installed on it?

The files get copied to a temp directory. But now the new openssl and the old libssl get copied.

Code:

cp /usr/lib/libssl.so.0.9.8 /tmp/disk/usr/lib/

/usr/share/backupmenu/extrafiles.tar.gz has a filelist.txt inside, which list copied files and mounted folders. In principle you need to remove the old libssl library and add the new one.

Re: Security certificates have expired.

Quote:

Originally Posted by ric9K (Post 1562358)

[...] Instead of

Code:

if [ ! $passhash == $encpass ]; then

Shouldn't we write this?

Code:

if [ ! x$passhash == x$encpass ]; then

No.
The original is a classic case on non-failsafe coding. Quoting per

Code:

"

is the right measure.
Plus the

Code:

==

is an unnecessary bashism, which the bash man-page explicitly does not recommend to use.

Hence using

Code:

if [ ! "$passhash" = "$encpass" ]; then

there and three lines above would make the password comparison always correctly fail, because OpenSSL is not found to calculate the password hash to compare.

Thus that has to be resolved by adapting the environment variable PATH or LD_LIBRARY_PATH or other measures.
Then you may also leave Backup-Menu's code as it is.

Re: Security certificates have expired.

Quote:

Originally Posted by Maemish (Post 1562345)

I don't do backups. I do reflashes. About twenty in two years. Messing a lot. Almost brick device when once installed backup and tried to recover from there. Never again.

Don't abandon! Bm is a great help for messing ;)
If you intend to reflash, just be carefull to reinstall the right (same than when you made the backup) kernel before restoring the rootfs and optfs. I have been blocked because of that problem once.