Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#1
Thanks to some VERY useful help and information (and code) from Juhani Mäkelä (original creator of the maemo-security-certman package), I have been able to get the latest set of root CA certificates imported into CSSU git at https://github.com/community-ssu/mae...urity-certman/

I think it's fairly safe to assume Mozilla knows what they are doing when it comes to which certificates to trust and which ones not to trust (and which ones to blacklist).

Changes made:
Back-port a change from Harmattan to handle the fact that /etc is a symlink in Scratchbox
Update the root CA store to match revision 64df3815df9c of the certdata.txt file from the mozilla-central repository.
Add a parse-certdata-txt tool and an updateca.txt instruction file showing how to update the root CA set.

In regards to previous CSSU commits to maemo-security-certman, I see information online indicating Mozilla added the TÜRKTRUST certificates to their CA store blacklist at some point, so if they are no longer blacklisted by Mozilla it must mean they no longer need to be blacklisted.

And in regards to the Verisign certificate change, I haven't been able to test things to see if that change is or isn't necessary in the new root CA set (anyone who has a simple test I can do to see for sure if the SUPL servers are working, rather than relying on something fuzzy like "does GPS work" or "does GPS load fast", please do share).

I have attached .deb files that I have built (in my dev VM) and am currently running on my own N900.

They don't seem to work properly though. If I visit https://www.google.com.au the page loads just fine, but if I visit https://ib.boq.mobi/Mobile (my bank) it gives me a certificate trust error.
I haven't tested any other https sites yet.

Visiting https://ib.boq.mobi/Mobile worked just fine with the previous set of root certificates, and it works just fine on the various desktop browsers I have here, so there is nothing wrong with the site. I also ran it through the ssllabs ssltest and it shows nothing out of the ordinary.

Firstly, it would be good if people (e.g. CSSU people) would look at my work and figure out if what I have done looks good. Especially look at the instructions for updating the root CA store and see if they are clear enough for people to follow.

Secondly, it would be good if someone could help me figure out what I did wrong (or what else broke) that caused ib.boq.mobi to stop working.

And thirdly, please do test this on lots of https sites and things to see if anything else is wrong or failing.
Attached Files
File Type: deb libmaemosec0_0.2.4_armel.deb (37.0 KB, 145 views)
File Type: deb libmaemosec-certman0_0.2.4_armel.deb (35.7 KB, 126 views)
File Type: deb maemosec-certman-common-ca_0.2.4_all.deb (199.3 KB, 124 views)
File Type: deb maemosec-certman-tools_0.2.4_armel.deb (29.0 KB, 129 views)
The Following 14 Users Say Thank You to jonwil For This Useful Post:
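For readers who want to see what the certdata.txt update step above actually has to deal with, here is an added example (not the CSSU parse-certdata-txt tool and not code from the post): a minimal parser for Mozilla's certdata.txt object format that decodes each root's DER bytes and joins every certificate with its trust record, so you can list which roots are trusted for TLS server authentication and which are explicitly distrusted (the blacklist case discussed above). The sample data is constructed in the certdata.txt layout; the CKA_VALUE bytes are placeholders, not real certificates.

```python
import re

# Constructed sample in certdata.txt layout (the octal bytes are NOT a real certificate).
SAMPLE = r"""
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Good Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\003\001
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Good Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Revoked Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\003\002
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Revoked Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

def parse_objects(text):
    """Return a list of dicts (attribute -> value); a new object starts at each CKA_CLASS.
    MULTILINE_OCTAL blocks (the DER certificate) are decoded to bytes."""
    objects, current, octal, key = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if octal is not None:                      # inside a MULTILINE_OCTAL block
            if line == "END":
                current[key] = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal))
                octal = None
            else:
                octal += line
            continue
        parts = line.split(None, 2)
        if not parts or parts[0].startswith("#"):  # blank line or comment
            continue
        if parts[0] == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is None or len(parts) < 2:
            continue
        if parts[1] == "MULTILINE_OCTAL":
            key, octal = parts[0], ""
        elif len(parts) == 3:
            current[parts[0]] = parts[2].strip('"')  # UTF8 labels are quoted
    return objects

def server_auth_status(objects):
    """Join each CKO_CERTIFICATE with its CKO_NSS_TRUST record by label and report
    whether it is a trusted TLS root, explicitly distrusted, or neither."""
    trust = {o["CKA_LABEL"]: o for o in objects if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    verdict = {"CKT_NSS_TRUSTED_DELEGATOR": "trusted root", "CKT_NSS_NOT_TRUSTED": "distrusted"}
    return {o["CKA_LABEL"]: verdict.get(trust.get(o["CKA_LABEL"], {}).get("CKA_TRUST_SERVER_AUTH"),
                                        "not a server-auth root")
            for o in objects if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}
```

Run against the real certdata.txt, the "distrusted" entries are the ones a CA store update must keep out of the trusted set, and the decoded CKA_VALUE bytes are what gets written out as each root's DER file.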
#2
Thinking about it, it's entirely possible there are certificates in the new CA store that aren't working with the old build of nss we are using...
The Following 3 Users Say Thank You to jonwil For This Useful Post: