peterleinchen's Avatar
Posts: 4,118 | Thanked: 8,901 times | Joined on Aug 2010 @ Ruhrgebiet, Germany
#121
I believe he inserted/refreshed a cert in our store and then the cmcli also succeeded, which failed previously (and if I interpret it right, he succeeded in getting supl data from Nokia?). As I also played with a lot of certs/adding/deleting from common-ca and did not succeed at all, I am waiting eagerly for more details ...
__________________
SIM-Switcher, automated SIM switching with a Double (Dual) SIM adapter
--
Thank you all for voting me into the Community Council 2014-2016!

Please consider your membership / supporting Maemo e.V. and help to spread this by following/copying this link to your TMO signature:
[MC eV] Maemo Community eV membership application, http://talk.maemo.org/showthread.php?t=94257

editsignature, http://talk.maemo.org/profile.php?do=editsignature
 

The Following 3 Users Say Thank You to peterleinchen For This Useful Post:
Posts: 3,074 | Thanked: 12,960 times | Joined on Mar 2010 @ Sofia,Bulgaria
#122
Well I actually removed one

The certificate in question is 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1. Not that there is something wrong with that certificate, but it seems maemo certman has a bug.

There are 2 verisign root certificates with the same public key:
00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61 and 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1. certificate chain of supl.nokia.com cert ends up with 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61, but it seems certman tries to use 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1 instead. So the verification fails.

I didn't debug it, so the actual thing that happens could be slightly different; however, removing both 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61 and 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1 and reimporting 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61 works around the problem.

Seems https://gitorious.org/community-ssu/...c074bfeef6a622 is not enough for multiple-keys-same-public to work on Fremantle. I'll debug the whole mess when I have some free time. Wouldn't try to stop anyone from doing the same, ofc
__________________
Never fear. I is here.

720p video support on N900,SmartReflex on N900,Keyboard and mouse support on N900
Nothing is impossible - Stable thumb2 on n900

Community SSU developer
kernel-power developer and maintainer

 

The Following 8 Users Say Thank You to freemangordon For This Useful Post:
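
The duplicate-key situation described in #122 can be checked for with plain openssl. The script below is an added example, not part of the thread and not certman's own logic. It assumes the store is a directory of PEM files and groups them by the SHA-1 of the public key (how that digest relates to certman's 40-hex IDs is an assumption); `make_sample_store` builds constructed throwaway certificates for a dry run.

```shell
#!/bin/sh
# Added example: find certificates in a PEM directory that share a public key.

# SHA-1 over the DER-encoded public key (SubjectPublicKeyInfo) of one PEM cert.
# Assumption: used here only as a grouping key, not as certman's ID algorithm.
spki_sha1() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha1 | awk '{ print $NF }'
}

# One output line per key used by more than one certificate in directory $1:
#   <spki-sha1> <file> <file> ...
find_shared_keys() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(spki_sha1 "$f")" "$(basename "$f")"
    done | sort | awk '
        { files[$1] = files[$1] " " $2; count[$1]++ }
        END { for (k in count) if (count[k] > 1) print k files[k] }' | sort
}

# Constructed sample store (throwaway keys): two self-signed roots issued on
# the same key with different subjects, plus an unrelated third root.
make_sample_store() {
    openssl genrsa -out "$1/a.key" 2048 2>/dev/null
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null
    openssl req -new -x509 -days 1 -key "$1/a.key" \
        -subj "/O=Example/CN=Sample Root" -out "$1/root-old.pem"
    openssl req -new -x509 -days 1 -key "$1/a.key" \
        -subj "/O=Example/CN=Sample Root reissued" -out "$1/root-new.pem"
    openssl req -new -x509 -days 1 -key "$1/b.key" \
        -subj "/O=Example/CN=Other Root" -out "$1/other.pem"
}

# Usage: sh shared-keys.sh /path/to/pem-directory
if [ "$#" -gt 0 ]; then
    find_shared_keys "$1"
fi
```

For each group reported, `openssl x509 -noout -subject -enddate -in <file>` shows which certificate is which before anything is removed from the store.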
Guest | Posts: n/a | Thanked: 0 times | Joined on
#123
Hmm, I have created a PEM certificate file of the root certificate indicated when connecting to supl.nokia.com; also in the zip is the original crt file.

Code:
root@bt:~# openssl s_client -connect supl.nokia.com:7275
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=FI/ST=Espoo/O=Nokia/CN=supl.nokia.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=FI/ST=Espoo/O=Nokia/CN=supl.nokia.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4857 bytes and written 631 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 8FB277CE00000000000000000000000000003570521EF965000000008F0240C0
    Session-ID-ctx:
    Master-Key: 5061BB36F33A7171F87DB1541E127EE58905A40D8463FE672B4349F1097DFD717D5E6DFED58E515A614719CAF8EEBF1F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1377760865
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
I will test later (my N900 needs a reflash :/)
Attached Files
File Type: zip pca3-g5-3.zip (2.7 KB, 91 views)
 
Posts: 3,074 | Thanked: 12,960 times | Joined on Mar 2010 @ Sofia,Bulgaria
#124
@nieldk: there is one more certificate on top of the one you bolded, do:

cmcli -s -T common-ca -v supl.nokia.com:7275

(this will save the whole certificate chain as .pem files) and you'll see there are 4 .pems saved, not 3.

EDIT: nevermind, seems I misread your post

 

The Following 3 Users Say Thank You to freemangordon For This Useful Post:
peterleinchen's Avatar
Posts: 4,118 | Thanked: 8,901 times | Joined on Aug 2010 @ Ruhrgebiet, Germany
#125
YEP!

A THOUSAND THANKS !!!

One mistake above: it is the second one (with the "-1") that needs to be re-added.
And I needed a reboot to make location library aware.

I never thought of removing that one (verisign), actually both and reinstalling only the second one. I fiddled with exactly that cert, but failed miserably due to missing cert experience.

Will do now a second reboot for verification.
 

The Following 3 Users Say Thank You to peterleinchen For This Useful Post:
Posts: 3,074 | Thanked: 12,960 times | Joined on Mar 2010 @ Sofia,Bulgaria
#126
@peterleinchen: "the mistake" could be related to the order of the hashes.

EDIT:

don't forget to "perl /usr/bin/c_rehash /etc/certs/common-ca" after every change to the certificate store


Last edited by freemangordon; 2013-08-29 at 07:48.
 

The Following 5 Users Say Thank You to freemangordon For This Useful Post:
peterleinchen's Avatar
Posts: 4,118 | Thanked: 8,901 times | Joined on Aug 2010 @ Ruhrgebiet, Germany
#127
Originally Posted by freemangordon View Post
@peterleinchen: "the mistake" could be related to the order of the hashes.
Could be, as I failed with reinserting both certs, but in reversed order!

Nevertheless:
after the second clearing cache (gconftool/reboot), I got a fix within 5-10 seconds from supl.nokia.com.

We ARE back, Nokia!

Thank you freemangordon


Originally Posted by freemangordon View Post
EDIT:

don't forget to "perl /usr/bin/c_rehash /etc/certs/common-ca" after every change to the certificate store
edit to your edit:
WHAT?
Never knew/did that. What is this about?
It worked for me without that rehashing (some kind of aegis here?)

--edit
Another edit aimed to nieldk
What PR version do you have?

Is it possibly "only" PR1.3 and not PR1.3.1 (with some cert updates/revocations)?
Idk when this problem arose, but could it be due to that one?

Last edited by peterleinchen; 2013-08-29 at 07:58.
 

The Following 3 Users Say Thank You to peterleinchen For This Useful Post:
Posts: 3,074 | Thanked: 12,960 times | Joined on Mar 2010 @ Sofia,Bulgaria
#128
Originally Posted by peterleinchen View Post
Could be, as I failed with reinserting both certs, but in reversed order!

Nevertheless:
after the second clearing cache (gconftool/reboot), I got a fix within 5-10 seconds from supl.nokia.com.

We ARE back, Nokia!

Thank you freemangordon



edit to your edit:
WHAT?
Never knew/did that. What is this about?
It worked for me without that rehashing (some kind of aegis here?)

--edit
Another edit aimed to nieldk
What PR version do you have?

Is it possibly "only" PR1.3 and not PR1.3.1 (with some cert updates/revocations)?
Idk when this problem arose, but could it be due to that one?
http://www.tin.org/bin/man.cgi?section=1&topic=c_rehash

 

The Following 2 Users Say Thank You to freemangordon For This Useful Post:
Guest | Posts: n/a | Thanked: 0 times | Joined on
#129
Originally Posted by peterleinchen View Post
Another edit aimed to nieldk
What PR version do you have?
I have PR1.3 (I flash too often and never bother to do the 1.3.1)
With KP52 as kernel.
 
Posts: 46 | Thanked: 160 times | Joined on Jun 2010 @ Germany, Berlin
#130
Wow, I almost can't believe it: Nokia N900 can use supl.nokia.com again!!!

Anyway, I didn't have a file/cert 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1.pem , just the one without the -1 .
What was working for me was (as root):
Code:
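mkdir -p /tmp/supl/ && cd /tmp/supl/
# -s saves the whole certificate chain as .pem files
cmcli -s -T common-ca -v supl.nokia.com:7275
for CERT in *.pem ; do
    # remove both store entries for this ID, then re-add the saved certificate
    cmcli -c common-ca -r "${CERT%%.*}"
    cmcli -c common-ca -r "${CERT%%.*}-1"
    cmcli -c common-ca -a "${CERT}"
done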
With
Code:
cmcli -T common-ca -v supl.nokia.com:7275
I got a "Verified OK".
Setting location server to supl.nokia.com then gave me the nearby fix within 5 secs. Yey!

@freemangordon: Where did you find the -s flag for cmcli ? It is not shown as an option when called without any param.

Edit: typo ...

Last edited by Ulle; 2013-08-29 at 10:49.
 

The Following 3 Users Say Thank You to Ulle For This Useful Post: