TLS1.2 and N9 (polishing brass on a sinking ship)
I've gotten TLSv1.2 working in grob (stock browser) and fenix (stock email client) on my N9. Granted, this is too late for me and for other users in the USA, since the last US carrier with 3G is shutting it down next year, but perhaps if anyone using the N9 in other countries that are maintaining at least their 2G GSM can get good out of this, here's what I did.
NOTE: I'm in open mode with the patched open-mode kernel. It may be possible to do this VERY carefully in closed mode with the aegis-install hack, but I haven't tried again after I failed the first 2 times. I was still figuring it out back then. I don't have a solid HOWTO built for this yet, as I rebuilt a lot more packages than I probably needed to, and my N9 is my daily driver, so it'll be difficult to experiment with this to trim it down. I used Scratchbox for all builds.

First, I built OpenSSL 1.0.1t out of Debian Jessie, since I figured it would be easier to do proof of concept on a version closer to the original that was already debianized. There are vulnerabilities in it that you could avoid by using a newer version, but be prepared to do more patching of the open source components that link against it. There are closed packages that link to 0.9.8, so it's not possible to get rid of it completely.

I rebuilt aegis-crypto, and that's where I ran into trouble with closed mode. I hadn't realized that OpenSSL 1 hashes certs differently from 0.9.8, and that I was going to need two sets of symlinks in /etc/ssl/certs for both versions. The moment I installed aegis-crypto, all the code on the system couldn't be verified, since Aegis couldn't find the codesigning certs. It *might* be possible to get this to work closed by doing the next step before this one.

I changed all the CA certificates in aegis-certman to the latest Mozilla certs, patched the source to create both old and new symlinks when new certs are added, and patched the install scripts to delete all preexisting CA certs before installing the new ones (so that everything would get both symlinks). By this point, I could use OpenSSL from the command line to access TLSv1.2 sites, like Wikipedia. I then rebuilt a ton of other packages against 1.0.1t until ldd showed that fenix and grob no longer depended on libssl.so.0.9.8, just libssl.so.1.0.0. But they still didn't work.

I assumed it was a lost cause, until I discovered that fenix uses libqmf, which uses libqt4-network for SSL. libqt4-network doesn't seem to depend on OpenSSL, so I started looking at the source, and found that it dlopen()'s it, like a plugin, instead of linking against it. By default, it looks for the version of OpenSSL that was on the system that built it. So I just rebuilt that (yeah, I rebuilt the entirety of Qt4 just for that one .deb. I should've hacked it to just build that, but I didn't have the time, and my build computer did). Rebooted phone after installing, and it works! I'll pull out my patches to aegis-certman and post them here in a couple days once I have a chance, along with the list of all other packages I rebuilt against 1.0.1t.

Another related update I tried: I have Firefox (Fennec) 15 installed from openrepos.net, and I dropped in a new build of libnss and libnspr into it. It made a few TLSv1.2 sites work, but there are still many where there's no cipher overlap. I'm not surprised, as this was just a hackish experiment. Nice thing is that Mozilla keeps the ABI of NSS and NSPR so stable.

Another unrelated update I've done is GStreamer to 0.10.36, so I could use plugins-bad-0.10.23, which has Opus. That was hard, and I recently noticed that MMS video transcoding doesn't work anymore. Haven't yet tried to figure out why. If anyone is interested, I'll try to throw together a more detailed explanation. Main thing that gave me trouble was the debianization, not the actual code. If you wanted to just build the new stuff without making .debs and throw it in /usr/local, it might work. The only stuff I really had to do to the code was apply some Nokia-specific camera patches from the 0.10.34 source that came with Harmattan. Now if only the N9's modem could do LTE... |
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Wow, just wow! Thanks.
And welcome to TMO. |
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Amazing. I am sure that cost you countless hours.
Hopefully to the benefits of all us here. Thanks for the update |
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Just posting that I just did this on my old N800. Used this repo https://github.com/jonwil/openssl for updating to OpenSSL 1.1.0h, but it was meant for use on the N900, I suppose. Just changed the Perl version to 5.8.3 from 5.8.4 and disabled ASM to turn off NEON instructions.
Since one of the tests failed, I'm still checking the effectiveness of this workaround. |
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Really amazing news.
I've stopped using the n9 a month ago, because the USB port stopped working. But the lack of a 'working' web browser was very annoying on the n9, and I'm sure I will order new usb ports + screens (got many broken screens on my n9s, batteries and other parts). Personally I think it's the biggest achievement in many years in the n9 community. |
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
I apologize. Your reply reminded me that I was going to put up a list of the other packages I rebuilt against the newer OpenSSL, even though they probably weren't necessary for the project. I'm sorry for the long delay. But here are the others besides aegis-crypto, aegis-certman, and Qt itself (all these are the last versions from Harmattan source, not newer versions):
cryptsetup
curl (for testing purposes)
cyrus-sasl2
libaccounts-glib
libsignoncrypto-qt
qca2-plugin-ossl

I also promised the changes I made to aegis-certman. Here's the brutish hack to aegis-certman-common-ca.postinst in the debian directory to cause it to remove all old certs before installing the new ones. Keep in mind that I completely replaced the etc/certs directory in the package with recent Mozilla certs:
Code:
--- aegis-certman-common-ca.postinst.old 2012-05-08 06:26:05.000000000 -0500

Here's the hack to certman_main.cpp to make symlinks for both old and new hashing methods:
Code:
--- certman_main.cpp.old 2012-05-08 06:26:05.000000000 -0500

Thank you everyone for your kind words. I will mention there's a lot more to do if you want a truly modern, but slow, web experience on the N9. Stock browser is running a WebKit that walked out of 2012 and will definitely have many security holes, as well as lack of support for newer features. Now if grob used the WebKit 1 in Qt4 it would be easier to upgrade, at least to the last released version of QtWebKit 1, but it uses its own, probably patched, WebKit 2 (split process model) in a separate package, and there's no source. It needs a whole new browser. I had wondered at the possibility of building WebKit WPE for Harmattan, but I currently don't have the time to dive into that now. That's the only option that I think wouldn't be painfully slow on the N9. Even then I would need to write a browser frontend to use it. Maybe someday :) |
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Absolutely amazing. Do you think it's possible to reuse your work on a standard N9?
The only partial solution I found for TLS1.2 on the N9 is Opera Mini 8. But it's slow and not very well integrated (java midlet...) with Harmattan. |
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Another possible solution would be to figure out what's keeping Fennec 15 from using the newer ciphers in libnss, fix that, and rebuild it, leaving the base Harmattan system untouched. I haven't checked into this yet, but it would be even nicer to backport a newer version of Fennec - but it's probably a porting nightmare. |
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Hi, would love to see any updates to the project. Will most of the internet-based apps be revived because of this?
|
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Hey, any news to this project?
|
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
"polishing brass on a sinking ship"
not so bad considering some of us have still been on board this ship for over a decade. |
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
I would happily send a donation for TLS1.2 on N9,
I still use it as one of my daily drivers. (No distraction, no ads, it just works.) I would love to be able to visit Wikipedia with it. |
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Have you tried to set up nginx?
|
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Hi, has anybody succeeded in reproducing all the steps done by n9erator? I would like to give it a try, but I don't think I would be able to do that without more detailed instructions.
|
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Harmattan FTW!!
Don't let the N9/N950 become unusable bricks! |
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Any news? Maybe a guide/instructions?
|
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Is Meego Harmattan too new for this TLS1.3 solution:
https://talk.maemo.org/showthread.php?p=1571418 |
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Hi, I would like to repeat your steps. However, I have a stupid question - where did you get the source of the packages from? Like, the CODeRUS N9 mirror has only DEBs, and I can't find e.g. Grob on the Thecust mirror of the SDK repository (which has sources).
Thanks in advance |
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Great! Thank you!
|
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
It's missing a lot... no grob, libqt4-network and other packages... :(
|
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Qt4 builds to many different binary packages (libqt4-network being one of them), but there's only one source package. I think it's qt4-x11. Grob is closed source - there is no source package. If I had access to the grob source, I'd have fixed some bugs and also rebuilt it against a newer WebKit. The worst part is that the particular WebKit lib that grob uses is not in the source distribution (it's a different lib than libqt4-webkit). I believe I used the ISO that nieldk linked to for source packages. |
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
God! Thanks. Everything is clear now.
|
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
https://i.imgur.com/w4tf6Ld.png
Do you know how to fix it perhaps? I have OpenSSL 1.0.1t compiled and installed, while all other OpenSSL versions are "removed" to ensure only the latest one is used. Everything built successfully, even Qt4 uses the new SSL now - but not qca2-plugin-ossl, which ends with an error like the one in the screenshot. Any ideas? |
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Is the evp.h file or the openssl/evp.h file included somewhere in the qca-ossl source code? You need to add the directory to the include directories.
|
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
evp.h exists in /usr/include/openssl, and the cpp file in qca2-plugin-ossl does #include <openssl/evp.h>...
|
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
You can add configure options for your openssl path to the debian/rules file.
Code:
$(DEB_BUILDDIR)/Makefile:
Code:
--with-openssl-inc=[path]    Path to OpenSSL include files |
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
I managed to repeat the things done by @n9erator and TLS 1.2 in default browser of my N9 is working!!!
Sadly not the certificates thing. I mean - TLS 1.2 in the browser itself works. But every site complains about certificates: "Security certificate is not trusted". I know that to fix this aegis-certman-common-ca changes were needed. But:
1. Applying the postinst patch worked
2. In etc/ssl/certs/common-ca I removed all files and inserted crt files from ca-certificates of Ubuntu, moved to *.pem as they were text ones
3. The patch on certman_main.cpp didn't work, something got rejected. I applied the changes manually then.
Building worked fine, installing not, though. Error during the postinst part:
Code:
ERROR: cannot not convert '00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1' to key id

Tried a different way, usually working - injecting PEM files into /usr/local/ssl/certs (my OpenSSL 1.0.1t is in /usr/local + /usr/local/ssl), then doing c_rehash (had to use a custom perl); it worked but still the browser always complains. What certs did you use and how did you put them into the aegis-certman source? But I don't think that's the cause, because only applying the patch to postinst causes an error on installing as well (keeping the default certs from source). Thanks in advance |
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Made sure the date is correct, added the latest CA certs from Ubuntu, skipped the part about postinst, patched the certman_main manually and... Every working TLS 1.2 site loads without a single warning on the N9!!
|
Re: TLS1.2 and N9 (polishing brass on a sinking ship)
Turns out my c_rehash trick did the job! After changing the date to the correct one on a fresh device and trying my packages WITHOUT c_rehash yet, websites complained. Then I put the certs into /usr/local/ssl/certs, changed c_rehash to use my custom Perl, executed c_rehash, and sites do not complain. I edited the postinst of my OpenSSL to do this.
Also, I managed to use a bit newer version (1.0.2u instead of 1.0.1t); it looks like 1.1 changed too many things and the Harmattan packages can't compile. Here is the package with everything (only for brave people willing to test). Read README.txt carefully. http://wunderwungiel.pl/MeeGo/files/...or%20N9.tar.gz |
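The two-symlink point from n9erator's first post (0.9.8 looks certs up by an MD5-based subject hash, 1.0.x by a SHA-1-based one, so a shared CApath needs both link names) and the c_rehash fix in the post above come down to the same thing. This POSIX shell script is an added example, not code from the thread, from aegis-certman or from OpenSSL's own c_rehash; it assumes an openssl binary of version 1.0.0 or later on PATH (older ones do not know -subject_hash_old), and link_hash, rehash_both and verify_via_capath are names chosen here.

```shell
#!/bin/sh
# Added example: give every CA file in a CApath directory both link names,
# HASH.N for OpenSSL 1.0.x (-subject_hash, SHA-1 over the canonical subject)
# and OLDHASH.N for OpenSSL 0.9.8 (-subject_hash_old, MD5 over the DER subject),
# so programs linked against either libssl find the same trusted certs.
# Assumes 'openssl' >= 1.0.0 on PATH.

# link_hash DIR FILE HASH: create DIR/HASH.N -> FILE with the first free N,
# unless some DIR/HASH.* already points at FILE (safe to run repeatedly).
link_hash() {
    dir=$1; file=$2; hash=$3; n=0
    while [ -e "$dir/$hash.$n" ]; do
        if [ "$(readlink "$dir/$hash.$n")" = "$file" ]; then
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$file" "$dir/$hash.$n"
}

# rehash_both DIR: add both link styles for each *.pem certificate in DIR.
# Prints the number of certificate files processed.
rehash_both() {
    dir=$1; count=0
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        file=$(basename "$cert")
        new=$(openssl x509 -in "$cert" -noout -subject_hash)
        old=$(openssl x509 -in "$cert" -noout -subject_hash_old)
        link_hash "$dir" "$file" "$new"
        # The old-style name almost always differs; skip it when it does not.
        [ "$old" = "$new" ] || link_hash "$dir" "$file" "$old"
        count=$((count + 1))
    done
    echo "$count"
}

# verify_via_capath DIR CERT: succeed only if CERT chains to a cert found
# through DIR, i.e. the lookup-by-hash links actually work for this openssl.
verify_via_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

if [ "$#" -eq 1 ]; then
    rehash_both "$1"
fi
```

Running it over /etc/ssl/certs after dropping in new PEM files replaces the c_rehash step without needing a working Perl on the device; c_rehash (or `openssl rehash` on newer builds) does the same job when the interpreter is available.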