Reply
Thread Tools
Community Council | Posts: 685 | Thanked: 1,235 times | Joined on Sep 2010 @ Mbabane
#231
Originally Posted by pali View Post
Can you update *maemosec-certman-applet* back to 0.1.5 and verify if those packages are not problematic?
Ok .. no problem with *maemosec-certman-applet* .. even with 0.1.5 I still have fix.
 

The Following User Says Thank You to sicelo For This Useful Post:
Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#232
I cant seem to get a fix on my N900 GPS at all.
If I try "GNSS" or "AGNSS" in location-test-gui neither works. location-test-gui shows up to 5 satellites as "visible" but none as "in use" Tried rebooting the phone. Tried pulling the battery for a few minutes. Tried offline mode (with "GNSS"). Tried multiple versions of maemosec-certman-common-ca (including the 0.2.3 version with the "Fixes supl server not working." change in it). Tried the clear-gps-cache tool multiple times. Tried multiple SUPL servers (supl.nokia.com, supl.google.com, supl.vodafone.com). Tried going outside away from obstructions. Nothing works.

Anyone got any suggestions on what else to try? I dont see anything in syslog (but maybe I dont have it configured properly to capture useful logs)
 
Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#233
The "sats" button in location-test-gui shows a bunch of SNR values for various satellites (up as high as 6 when I was standing further away from any buildings etc) with values ranging from high 20s through to 40 or more.

So its clearly actually talking to satellites in space (it woudn't be giving me SNR values if it wasn't) but for whatever reason it isn't working. Anyone know what SNR values I should be looking for and whether bigger or smaller values are good?
 
Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#234
ok, wtf, now it got a lock somehow. I dont know what I did but it got a lock in location-test-GUI and now a lock in nokia-maps.

No ideas what might be going on now. Anyone got any ideas on what to try to figure out why it isn't getting a lock or why its taking so long or whatever? Being able to get reliable lock when I open maps app or whatever would be usefull

Last edited by jonwil; 2017-02-05 at 02:38.
 
Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#235
Looks like we do need to figure out what certificates are missing from the current maemo-security-certman root CA store (which matches the current mozilla root CA set) that are needed for the SUPL server and why they are missing. Or if they are there but the ordering is wrong, we need to figure out why and find a way to correct it by fixing the tools in maemo-security-certman somehow (even if it means adding some sort of hardcoded "these certificates need to be in this order" feature to the relavent tools or some changes to the instructions to manually add the correct certificate back)
 

The Following 2 Users Say Thank You to jonwil For This Useful Post:
Posts: 75 | Thanked: 269 times | Joined on Aug 2012
#236
Originally Posted by sicelo View Post
Code:
cmcli -T common-ca -v supl.nokia.com:7275
1ad16dd494e161abd39bd94ed94bf8eafe4ede28 supl.nokia.com
 Verification failed: self signed certificate
Running the following can fix this issue by installing a missing certificate:
Code:
cmcli -c common-ca -a /etc/certs/common-ca/00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1.pem
The cert should be on your device unless it was removed.

The cert was removed in this commit:
https://github.com/community-ssu/mae...0033bde5b16535

Can you try get a lock with the latest maemo-security-certman and the above cert?
 

The Following 2 Users Say Thank You to Ilew For This Useful Post:
Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#237
It looks like we need to figure out why supl.nokia.com needs that specific old certificate (one that the smart people at Mozilla have stopped including for presumably good reasons) and whether we really need that cert or whether there is some other issue going on.
 

The Following 2 Users Say Thank You to jonwil For This Useful Post:
Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#238
Oh and installing a random cert without understanding what cert it is and why its needed and why Mozilla don't ship it anymore and etc is a stupid idea (the set of certs distributed by Mozilla is chosen very carefully)
 

The Following 3 Users Say Thank You to jonwil For This Useful Post:
Posts: 75 | Thanked: 269 times | Joined on Aug 2012
#239
Originally Posted by jonwil View Post
Oh and installing a random cert without understanding what cert it is and why its needed and why Mozilla don't ship it anymore and etc is a stupid idea (the set of certs distributed by Mozilla is chosen very carefully)
Yes agreed.
With that said everyone with a n900 besides the people running the cssu-devel version of maemo-security-certman are using this cert and since sicelo has reverted back to the previous version to fix his issue he will be using that cert anyway.
 

The Following 2 Users Say Thank You to Ilew For This Useful Post:
Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#240
Ok so it seems the real problem here is that supl.nokia.com has 2 obsolete VeriSign certificates in its chain, one with
Subject: "CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US"
and one with
Subject: "OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US"

The current mozilla root CA store (and by extention the current maemo-security-certman git which I updated earlier) contains a newer certificate that matches
Subject: "CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US"
and will correctly validate the certificate
Subject: "CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US"
which in turn will correctly validate the certificate
Subject: "CN=supl.nokia.com,O=HERE Global BV,L=Veldhoven,ST=Noord-Brabant,C=NL"

I have an idea how to fix this without security risk to other things (e.g. browser) involving the fact that location-proxy will read from a private certificate store named location-proxy. This will require a binary patch to location-proxy (to correct a bug in the code that accesses the private certificate store) and installing the necessary root certificate into the private certificate store via cmcli. Both should be fairly easy to do I suspect (we do binary patches for the cell broadcast SMS stuff, I see no reason we cant do the same for location-proxy)

The fix is working on my own N900 (I am running the modified location-proxy and with the relavent certificate installed, I cleared all the GPS caches, rebooted the phone to flush out anything in RAM and got a GPS fix in no time with a dozen or so satellites returning signal levels in location-test-gui)

With the current contents of maemo-security-certman Git plus the 2 byte change to location-proxy plus the extra certificate stored in the private certificate store, AGPS with supl.nokia.com will work and work great.

We just need to figure out how best to package up the fix
 

The Following 4 Users Say Thank You to jonwil For This Useful Post:
Reply

Tags
a-gps, nokia n900

Thread Tools

 
Forum Jump


All times are GMT. The time now is 08:12.