Newer OpenSSL on Maemo Fremantle
So it looks like (at least per what happens when I try to use wget on the relevant URL) Translink have updated their system to require TLS 1.2. Which means I need to add TLS 1.2 support to QT. Which means I need a newer OpenSSL than the 0.9.8zh version currently in use on Fremantle.
I know there are ports of newer OpenSSL for Fremantle but I don't know which one I should use or where to get it from. I also don't know if anyone has already done the work to support TLS 1.2 in the Maemo QT version or not and if so where to get it from (if not, I will have to do the back-port myself). Can anyone help me out? |
Re: Newer OpenSSL on Maemo Fremantle
1 Attachment(s)
I am struggling to get a newer openssl version running in parallel with an old version. So from my side I can't help here atm. :(
Regarding TLS 1.2 and qt4, I don't have a clue whether there are some patches. For qt 4.8.7 there is a Debian openssl 1.1.0 patch; I will attach it. |
Re: Newer OpenSSL on Maemo Fremantle
Here I found something about backporting TLS versions to qt4.
https://github.com/mkrautz/mumble-de...b523a3eccb8b58
This one is maybe newer: https://github.com/mkrautz/mumble-de...bc7545b80bd7fe
And here is a backport of Support for DH and ECDH key exchange for QSslSocket servers. So this one is not needed for clients.
https://github.com/mkrautz/mumble-de...9129d74f609f40 |
Re: Newer OpenSSL on Maemo Fremantle
Looks like the main issue then is getting a newer OpenSSL working and running on-device without breaking the older OpenSSL.
|
Re: Newer OpenSSL on Maemo Fremantle
I have identified that there are no local Nokia-specific changes needed for OpenSSL 1.1.0h (all the patches in Nokia 0.9.8n that aren't in Debian 0.9.8n are either not needed or got merged upstream). All I need to do now is to figure out how to get Debian 1.1.0h to compile on Fremantle.
|
Re: Newer OpenSSL on Maemo Fremantle
I have managed to get OpenSSL 1.1.0h to compile in Scratchbox. Current source tree is at https://github.com/jonwil/openssl/
The openssl test cases are failing on Scratchbox armel (doesn't surprise me given how "unique" scratchbox is in the way it runs the arm binaries and stuff) so I have turned them off in the packaging. All the tests pass on my N900 so I am going to continue and test the actual packages on my N900 and see what happens. Once I get OpenSSL working, I will then move onto getting TLS 1.2 support into QT and then getting Fahrplan fixed. |
Re: Newer OpenSSL on Maemo Fremantle
Ok, new OpenSSL works so far in that I can run openssl s_client -connect blah and get the results I expect (I had to run a command on the certificates to get them in the format the new OpenSSL wants, but my analysis of the N900 rootfs suggests nothing is reading the certificates that way; they are all either using maemosec-certman or reading the maemosec-certman pem files, so it should be safe to run that rehash).
New packages are at http://maemo.merlin1991.at/cssu/comm...ree/o/openssl/
Next up, QT and Fahrplan :) |
Re: Newer OpenSSL on Maemo Fremantle
For reference, these are the packages on a stock N900 PR1.3 install that link to OpenSSL:
Closed packages:
- as-daemon (active sync daemon for Microsoft email servers)
- osso-wlan-security (provides security stuff for WiFi)
- nokiamessaging (nokia messaging stuff, no longer works AFAIK)
- adobe-flashplayer (Flash plugin)
- sharing-services-default (sharing services stuff, it's the OVI plugin that uses OpenSSL)
- funambol-cpp-api (SyncML stuff)
- location-proxy (proxy to handle the communications between the GPS hardware and the AGPS SUPL server)
- osso-backup (backup program)
- ota-settings (handles cellular data connection settings sent over the air)
- maesync-backend (backend for syncing with Nokia PC application and things)
- liblomesa (low level image viewer API)

Open packages:
- maemo-security-certman (maemo certificate manager)
- maemo-security-certman-applet (maemo certificate manager applet)
- tinymail (tinymail backend stuff for modest)
- xorg-server (main binaries for X11)
- curl (command line tool for accessing URLs)
- loudmouth (library for Jabber)
- microb-eal (microb component)
- qt4-x11 (QT4 package)
- sofia-sip (SIP library)
- clinkc (UPnP library)

Packages whose openness is unknown:
- tablet-browser-ui (tablet browser main binary, I think I saw source code for this one somewhere but I can't find it and I may have been mistaken)
- connui-internet (internet connectivity UI widgets, don't know if the clone done for maemo-leste is complete and can be compiled to work as a drop-in replacement for the Fremantle package)
- connui-wlan (wlan connectivity UI widgets, don't know if the clone done for maemo-leste is complete and can be compiled to work as a drop-in replacement for the Fremantle package) |
Re: Newer OpenSSL on Maemo Fremantle
Quote:
Code:
Nokia-N900:~$ openssl version -a
Quote:
Code:
# perl /usr/bin/c_rehash /etc/certs/common-ca |
Re: Newer OpenSSL on Maemo Fremantle
Quote:
|
Re: Newer OpenSSL on Maemo Fremantle
I don't have a specific example, hence I said 'guess.'
It is just that I could use openssl s_client without needing -CApath before. There are a couple of SSL/TLS issues I have, but I won't directly say they are a result of the new OpenSSL. For example, since I updated it and the corresponding qt4-x11, some https feeds aren't refreshing for me with cutenews, etc. I doubt it is related, but yeah |
Re: Newer OpenSSL on Maemo Fremantle
Quote:
So when recompiling did nothing, then cutenews needs more network connection debug output to analyse the problem. Sometimes redirection could be a pain. |
Re: Newer OpenSSL on Maemo Fremantle
Quote:
Try to rehash without perl in front. For my system and the same openssl version it is working without the -CApath. Also, my self-compiled wget against the new openssl is working without specifying --ca-directory=directory (Without this option Wget looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time.) and it works. I could upload wget for >=cssu-testing+openssl 1.1.0h to openrepos if it is needed. |
Re: Newer OpenSSL on Maemo Fremantle
2 Attachment(s)
@sicelo
I recompiled cutenews and qmlbrowser with cssu-devel libqt4. For cutenews I set QSsl::AnyProtocol and for qmlbrowser I set QSsl::SecureProtocols. Both should now support TLS 1.1 and 1.2. If you like you can try them. I will try qmlbrowser when I find some time for it. |
Re: Newer OpenSSL on Maemo Fremantle
Thanks very much @Halftux. Even though my openssl still needs -CApath after the rehash without 'perl', it is really nice to see the updated qmlbrowser. https://howsmyssl.com now says it is Probably Okay, as opposed to Bad in the previous version. Thank you.
I will test my openssl situation properly later on. |
Re: Newer OpenSSL on Maemo Fremantle
Quote:
Did you do this rehash as root? From where are you starting the openssl binary, from ssh or from osso-terminal? I will also make some tests with openssl again and make a cross check. I also don't have much experience with openssl 1.1.0h; before, I was using 1.0.1g + SNI patched libqt4 for cssu-testing. |
Re: Newer OpenSSL on Maemo Fremantle
@sicelo
Ok, you are right. I now have a device where I installed openssl1.1.0 from scratch, on which it is not working without -CApath. So this one is tricky; I can't remember what I did to the other device where it is working. I will dive into it. Stay tuned. |
Re: Newer OpenSSL on Maemo Fremantle
1 Attachment(s)
Ok here it is, I found the difference.
I created a "ssl.defs" file in "/etc/osso-af-init/". I will attach the file. Furthermore I edited af-defines.sh in the same folder. Add a new line around line 160 (where other *.defs get loaded):
Code:
source_if_is ssl.defs
Congratulations, now you are finished and all console tools like openssl, ssh and wget should work without -CApath. I think I did it when I had some problems with other openssl in the past; the date of the file is 12.04.2018 and now it helps :). |
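Added example, not part of the thread or of any poster's files: a small POSIX shell check for why a tool needs -CApath. It relies on OpenSSL's standard behaviour of searching `$SSL_CERT_DIR`, or else the compiled-in `OPENSSLDIR/certs`, for c_rehash-style `<hash>.<n>` entries; the contents of the attached ssl.defs are not shown in the thread, and the function names here are made up for illustration.

```shell
#!/bin/sh
# Added example: diagnose why an OpenSSL-linked tool needs -CApath.
# Function names are hypothetical; nothing here comes from ssl.defs.

# Directory OpenSSL searches when no -CApath/-CAfile is given:
# $SSL_CERT_DIR if set, otherwise <OPENSSLDIR>/certs (compiled in).
# $1 = OPENSSLDIR as printed by `openssl version -d`.
# Assumes SSL_CERT_DIR names a single directory, not a colon-separated list.
default_capath() {
    if [ -n "${SSL_CERT_DIR:-}" ]; then
        printf '%s\n' "$SSL_CERT_DIR"
    else
        printf '%s\n' "${1%/}/certs"
    fi
}

# Count c_rehash-style entries (<8 hex digits>.<n>) in directory $1.
# OpenSSL finds a CA in a directory only through these hashed names.
count_hash_links() {
    n=0
    for f in "$1"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

# Classify the default lookup directory: ok | not-rehashed | missing.
check_capath() {
    dir=$(default_capath "$1")
    if [ ! -d "$dir" ]; then
        echo "missing $dir"
    elif [ "$(count_hash_links "$dir")" -eq 0 ]; then
        echo "not-rehashed $dir"
    else
        echo "ok $dir"
    fi
}

# On a device:
#   check_capath "$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')"
```

A result of `missing` or `not-rehashed` for the compiled-in directory, together with `ok` once `SSL_CERT_DIR` points at the rehashed store (`/etc/certs/common-ca` in this thread), matches the symptom discussed above.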
Re: Newer OpenSSL on Maemo Fremantle
Yay! That solved the issue, and I am ashamed it never occurred to me to think about environment variables.
There are still lots of sites that won't open in qmlbrowser or update in cutenews, but let me assume something changed in them. Will try downgrading qt4 though.
Example feed that worked in cutenews up to the 29th September (around when I did the upgrade): https://mybroadband.co.za/news/feed
Enabling cutenews' logging, I get:
Code:
Updating feed 'MyBroadband' using URL 'https://mybroadband.co.za/news/feed' |
Re: Newer OpenSSL on Maemo Fremantle
Quote:
I need to have a look at the sources of libqt4 from the repo; the patch at github looks smaller than I thought it would be.
Here as a goody: I will attach wget and a libssl1.0.2 which you could use in parallel with older openssl versions. When you use openssl >=1.1.0h you should use the version from openrepos. Both versions are only debianized and maemo optified. For the libssl1.0.2 I used the sources from ceene.
edit: post to wget for older openssl |
Re: Newer OpenSSL on Maemo Fremantle
Quote:
The host is using TLSv1.2 but still provides for example TLSv1.0 so the older cutenews was set fixed to TLSv1.0. |
Re: Newer OpenSSL on Maemo Fremantle
Is there no easier solution for the problem?
|
Re: Newer OpenSSL on Maemo Fremantle
Hm..
easier solution? Actually ... if you open up the cover that exposes the battery.. (make sure you have a nice clean flat area of ..say your kitchen table for this...don't want to be missing parts...) Take the batt out... remove the screws holding the assembly in... Now you will notice an off - fuchsia colored wire, beside a deep magenta coupling. Just go and rip that off - fuchsia colored wire right out... Tie it in a bow on your left pinkie toe ... and then put back the assembly and the batt. cover back on. openssl should work now... but only as long as the off - fuchsia colored wire tied in a bow on your left pinkie toe is within exactly 1.24 feet of the n900 Proximity issue ... So you may need to figure out exactly how to walk and keep the device within left - pinkie - toe range. There we go. Much easier eh? |
Re: Newer OpenSSL on Maemo Fremantle
I am currently using QT4 with TLS 1.2 support on my N900.
I am using this OpenSSL source tree https://github.com/jonwil/openssl/ with binaries at http://maemo.merlin1991.at/cssu/comm...ree/o/openssl/
I am using the tls12 branch in this source tree https://github.com/community-ssu/qt-x11-maemo for QT with binaries at http://maemo.merlin1991.at/cssu/comm...ree/q/qt4-x11/
Both currently work on my N900 when I run Fahrplan (a QT app talking to a server that only accepts TLS 1.2) so I know they are good in that context. |
Re: Newer OpenSSL on Maemo Fremantle
Since recently SoundCloud download from gPodder fails with sslv3 handshake error.
Notice, retrieving podcast list is still possible. Upgrading openssl alone does not help. What should I do? Rebuild GTK and gPodder from sources? |
Re: Newer OpenSSL on Maemo Fremantle
Quote:
But I can't say for 100% sure; maybe somebody else has more experience with python and can give a better answer. |
Re: Newer OpenSSL on Maemo Fremantle
Is this the right way to change the line 160?
source_if_is osso-gtk.defs
source_if_is ssl.defs
# There is no matchbox.defs in Fremantle
# source_if_is matchbox.defs
source_if_is keyboard.defs
source_if_is sdl.defs
or this
source_if_is osso-gtk.defs
source_if_is ssl.defs
# source_if_is matchbox.defs
source_if_is keyboard.defs
source_if_is sdl.defs
The line 160 is # There is no matchbox.defs in Fremantle. So I can either put your edit before that line so it makes it to be line 160 or delete the line which doesn't really make sense cause the default line is already opted out. And when I installed man-db-N900 it could not find the file you had attached even though it is in the folder/directory where you said it should be. |
Re: Newer OpenSSL on Maemo Fremantle
Quote:
The line you are removing/replacing in your example is a comment line so the system will not be affected, but you will lose some information for human readers. So I will edit my post to make it more clear. However I think this modification will mainly affect command line tools, but do it anyway because it doesn't hurt and is worth a try. |
Re: Newer OpenSSL on Maemo Fremantle
Can you figure why installation of man-db-N900 did not find the file you attached? How could I check the log what it says?
|
Re: Newer OpenSSL on Maemo Fremantle
Quote:
It could be that I excluded man pages from some packages to keep them small. Please be more precise so that I could update the package with the manual you like to have. Otherwise you could also extract man pages from some linux package and put them to the man directory. I personally never used man on N900, but I guess in principle with mandb you could refresh the database for manually extracted man pages. |
Re: Newer OpenSSL on Maemo Fremantle
Well yes, I remember installation said installing manually after the error. I just thought that maybe it is not working at all but then it may concern only the man installation. Have by the way now started to go through youtube basic linux stuff so hopefully I don't fill this forum for long with my uneducationess. Like I don't know how to check installation logs to see what has happened. Or is it the same as in ham?
|
Re: Newer OpenSSL on Maemo Fremantle
Quote:
Quote:
When there is no log file the best would be to read the console output during installation. |
Re: Newer OpenSSL on Maemo Fremantle
I was visiting doctor and she asked me to come in just when the installation finished and I accidentally shot the xterm before reading well the output.
|
Re: Newer OpenSSL on Maemo Fremantle
Quote:
Not sure if it doesn't break anything else, so the packages are not in the repositories yet. Actually only _ssl.so from python2.5_2.5.4-1maemo7_armel.deb is needed. If you want to revert back:
Code:
apt-get install python2.5=2.5.4-1maemo6 |
Re: Newer OpenSSL on Maemo Fremantle
I have built the latest version of 1.0.2 as I needed it for OSM2go, the packages are here: https://github.com/osm2go/openssl/tree/openssl-1.0.2
Since 1.1.0 was longer out of support than 1.0.2 I skipped that one. Building 1.1.1 isn't possible without a Perl update as it seems, has anyone managed to build that? I would be very much interested in having a more recent, more upstreamish (as in CSSU or so) version that can be installed in parallel to the old system library. |