Active Topics

 


Reply
Thread Tools
Community Council | Posts: 685 | Thanked: 1,235 times | Joined on Sep 2010 @ Mbabane
#11
I don't have a specific example, hence i said 'guess.'
It is just that I could use openssl s_client without needing -CApath before.

There are a couple of SSL/TLS issues I have, but I won't directly say are a result of the new OpenSSL. For example, since I update it and the corresponding qt4-x11, some https feeds aren't refreshing for me with cutenews, etc. I doubt it is related, but yeah
__________________
RX-51
 

The Following 3 Users Say Thank You to sicelo For This Useful Post:
Halftux's Avatar
Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#12
Originally Posted by sicelo View Post
There are a couple of SSL/TLS issues I have, but I won't directly say are a result of the new OpenSSL. For example, since I update it and the corresponding qt4-x11, some https feeds aren't refreshing for me with cutenews, etc. I doubt it is related, but yeah
You could try to recompile cutenews with cssu packages. However it could be that cutenews need some patching. Or something with the certificates, or with qt something is not 100% ok.

So when recompiling did nothing then cutenews need more network connection debug output to analyse the problem. Sometimes redirection could be a pain.
 

The Following 4 Users Say Thank You to Halftux For This Useful Post:
Halftux's Avatar
Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#13
Originally Posted by sicelo View Post
It is just that I could use openssl s_client without needing -CApath before.
After the rehash and restarting the console it should work also without -CApath.
Try to rehash without perl infront.

For my system and same openssl version it is working without the -CApath. Also myself compiled wget against new openssl is working without specifying --ca-directory=directory (Without this option Wget looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time.) and it works.
I could upload wget for >=cssu-testing+openssl 1.1.0h to openrepos if it is needed.

Last edited by Halftux; 2018-10-17 at 18:40.
 

The Following 7 Users Say Thank You to Halftux For This Useful Post:
Halftux's Avatar
Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#14
@sicelo

I recompiled cutenews and qmlbrowser with cssu-devel libqt4.
For cutenews I set QSsl::AnyProtocol and for qmlbrowser I set QSsl::SecureProtocols.

Both should now support TLS 1.1 and 1.2

If you like you can try them. I will try qmlbrowser when I find some time for it.
Attached Files
File Type: deb cutenews_1.3.0cssu_armel.deb (318.6 KB, 126 views)
File Type: deb qml-browser_0.9.0cssu_armel.deb (92.7 KB, 158 views)
 

The Following 10 Users Say Thank You to Halftux For This Useful Post:
Community Council | Posts: 685 | Thanked: 1,235 times | Joined on Sep 2010 @ Mbabane
#15
Thanks very much @Halftux. Even though my openssl still needs -CApath after the rehash without 'perl', it is really nice to see the updated qmlbrowser. https://howsmyssl.com now says it is Probably Okay, as opposed to Bad in the previous version. Thank you.

I will test my openssl situation properly later on.
__________________
RX-51
 

The Following 4 Users Say Thank You to sicelo For This Useful Post:
Halftux's Avatar
Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#16
Originally Posted by sicelo View Post
... it is really nice to see the updated qmlbrowser. https://howsmyssl.com now says it is Probably Okay, as opposed to Bad in the previous version.
Thats great.
Did you made this rehash as root?
From where do you starting openssl binary, from ssh or from osso-terminal? I will make also some test with openssl again and make a cross check.
I have also not so much experience with openssl 1.1.0h before I was using 1.0.1g + SNI patched libqt4 for cssu-testing.
 

The Following 6 Users Say Thank You to Halftux For This Useful Post:
Halftux's Avatar
Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#17
@ sicelo

Ok you are right I have now a device where I installed openssl1.1.0 from scratch which it is not working without -CApath.

So this one is tricky can't remember what I did to the other device where it is working. I will dive into it. Stay tuned.
 

The Following 3 Users Say Thank You to Halftux For This Useful Post:
Halftux's Avatar
Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#18
Ok here it is, I found the difference.

I created a "ssl.defs" file in "/etc/osso-af-init/". I will attach the file.
Furthermore I edited af-defines.sh in the same folder.

Add a new line around line 160(were other *.defs get loaded):
Code:
  source_if_is ssl.defs
After the changes restart the N900.
Congratulation now you are finished and all console tools like openssl, ssh and wget should work without -CApath.

I think I did it when I had some problems with other openssl in the past, the date of the file is 12.04.2018 and now it helps.
Attached Files
File Type: txt ssl.defs.txt (143 Bytes, 343 views)

Last edited by Halftux; 2019-09-05 at 10:07. Reason: more clear statement to prevent confusion
 

The Following 10 Users Say Thank You to Halftux For This Useful Post:
Community Council | Posts: 685 | Thanked: 1,235 times | Joined on Sep 2010 @ Mbabane
#19
Yay! That solved the issue, and I am ashamed it never occured to me to think about environment variables.

There are still lots of sites that won't open in qmlbrower or update in cutenews, but let me assume something changed in them. Will try downgrading qt4 though. Example feed that worked in cutenews up to the 29th September (around when I did the upgrade):

https://mybroadband.co.za/news/feed

Enabling cutenews' logging, I get:
Code:
Updating feed 'MyBroadband' using URL 'https://mybroadband.co.za/news/feed'
2018-10-17T22:23:37: Download::startDownload(). URL: https://mybroadband.co.za/news/feed
2018-10-17T22:23:37: Transfer::setStatus(). ID: 07de78d1-428f-4c2f-a7ee-74f460dc1a80, Status: Downloading
2018-10-17T22:23:39: Transfer::setStatus(). ID: 07de78d1-428f-4c2f-a7ee-74f460dc1a80, Status: Failed: SSL handshake failed
Thank you very much for all you've uncovered!
__________________
RX-51

Last edited by sicelo; 2018-10-17 at 20:27.
 

The Following 5 Users Say Thank You to sicelo For This Useful Post:
Halftux's Avatar
Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#20
Originally Posted by sicelo View Post
Thank you very much for all you've uncovered!
No problem you are welcome I also want a bug free system so if somebody find something it is a big help too.

I need to have a look at the sources from libqt4 from repo, the patch at github looks smaller than I thought it would be.

Here as a goody:
I will attach wget and a libssl1.0.2 which you could use parallel with older openssl versions.
When you use openssl >=1.1.0h you should use the version from openrepos.
Both versions are only debianized and maemo optified. For the libssl1.0.2 I used the sources from ceene.

edit: post to wget for older openssl

Last edited by Halftux; 2018-10-20 at 18:57.
 

The Following 6 Users Say Thank You to Halftux For This Useful Post:
Reply


 
Forum Jump


All times are GMT. The time now is 08:20.