Active Topics

 


Page 2 of 2 1 2
Reply
Thread Tools
rainisto is offline rainisto
2013-01-06 , 15:42
Posts: 1,067 | Thanked: 2,383 times | Joined on Jan 2012 @ Finland
#11
Originally Posted by nbedford View Post
Is opensh needed? or is open mode + devel-su + develsh enough?
yes opensh is needed (or adriane sh), openmode+devel-su+develsh is not enough to get right capas.

But if your in open mode then you can just install opensh with (if you have downloaded the deb package to your device).

Harmattan openmode:
apt-get install wget
wget http://maemo.cloud-7.de/HARM/N9/open...nsh/opensh.deb
AEGIS_FIXED_ORIGIN=com.nokia.maemo dpkg -i opensh.deb
__________________
IRC: jonni@freenode
Sailfish: ¤ Qt5 SailfishTouchExample ¤ Qt5 MultiPointTouchArea Example ¤ ipaddress ¤ stoken ¤ Sailbox (Dropbox client) ¤
Harmattan: ¤ Presence VNC for Harmattan ¤ Live-F1 ¤ BTinput-terminal ¤ BabyLock ¤ BabyLock Trial ¤ QML TextTV ¤
Disclaimer: all my posts in this forum are personal trolling and I never post in any official capacity on behalf of any company.
Last edited by rainisto; 2013-01-06 at 15:46.
 

The Following User Says Thank You to rainisto For This Useful Post:
joerg_rw's Avatar
joerg_rw is offline joerg_rw
2013-01-06 , 17:39
Posts: 2,222 | Thanked: 12,651 times | Joined on Mar 2010 @ SOL 3
#12
Originally Posted by peterleinchen View Post
[...]
For N900 users, please refer to below script.
[...]

Simple script/guide to remove fraudulent CAs:
Code:
#!/bin/sh
#removing fraudulent CAs

echo enter the cert\(ifier\) You are looking for:
read cert
cmcli -T common-ca -L | grep "$cert"

echo now copy the full cert ID ...
read nothing

echo and give it as input \(for removal\)
read certID

if [ `id -u` != 0 ] ; then
    sudo cp /etc/certs/common-ca/$certID.pem /etc/certs/common-ca/$certID.pem.old
    sudo cmcli -c common-ca -r $certID
else
    cp /etc/certs/common-ca/$certID.pem /etc/certs/common-ca/$certID.pem.old
    cmcli -c common-ca -r $certID
fi

echo now open microb and goto
echo chrome://pippki/content/certManager.xul 
echo and delete the cert also there in the CA manager
read nothing

dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"
sudo cp
and others won't work on sane default sudo setup, so you'll have to run this in a root account instead (install rootsh, do `root`)


I have no idea, why we do have them twice. Or if we need to block/delete both. Or if only one is fraudulent ...
According to the google report there were two certs fraudulent.

/j
__________________
Maemo Community Council member [2012-10, 2013-05, 2013-11, 2014-06 terms]
Hildon Foundation Council inaugural member.
MCe.V. foundation member

EX Hildon Foundation approved Maemo Administration Coordinator (stepped down due to bullying 2014-04-05)
aka "techstaff" - the guys who keep your infra running - Devotion to Duty http://xkcd.com/705/

IRC(freenode): DocScrutinizer*
First USB hostmode fanatic, father of H-E-N
Last edited by joerg_rw; 2013-01-06 at 17:43.
 

The Following 2 Users Say Thank You to joerg_rw For This Useful Post:
peterleinchen's Avatar
peterleinchen is offline peterleinchen
2013-01-06 , 18:16
Posts: 4,118 | Thanked: 8,901 times | Joined on Aug 2010 @ Ruhrgebiet, Germany
#13
Originally Posted by joerg_rw View Post
sudo cp
and others won't work on sane default sudo setup, so you'll have to run this in a root account instead (install rootsh, do `root`)
/j
Yep, sure. I made this in a rush to get rid of DigiNotar (and for future fraudulents) and did not test out. This would work probably with sudser installed (or manual inclusion of cp/busybox in sudoers ). So please refer to below corrected script (rootsh required).
But why would anybody try to run this as non-root?
Code:
#!/bin/sh

if [ `id -u` != 0 ] ; then
       exec sudo gainroot <<EOF
exec sh $0 $*
EOF
       exit $?
fi

#removing fraudulent CAs

echo enter the cert\(ifier\) You are looking for:
read cert
cmcli -T common-ca -L | grep "$cert"

echo now copy the full cert ID ...
read nothing

echo and give it as input \(for removal\)
read certID

    cp /etc/certs/common-ca/$certID.pem /etc/certs/common-ca/$certID.pem.old
    cmcli -c common-ca -r $certID

echo now open microb and goto
echo chrome://pippki/content/certManager.xul 
echo and delete the cert also there in the CA manager
read nothing

dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"
Originally Posted by joerg_rw View Post
According to the google report there were two certs fraudulent.
/j
After reading link provided by aranel, I was also pretty sure.
Thanks for correction/confirming.
__________________
SIM-Switcher, automated SIM switching with a Double (Dual) SIM adapter
--
Thank you all for voting me into the Community Council 2014-2016!

Please consider your membership / supporting Maemo e.V. and help to spread this by following/copying this link to your TMO signature:
[MC eV] Maemo Community eV membership application, http://talk.maemo.org/showthread.php?t=94257

editsignature, http://talk.maemo.org/profile.php?do=editsignature
Last edited by peterleinchen; 2013-01-06 at 18:20.
 

The Following 2 Users Say Thank You to peterleinchen For This Useful Post:
sixwheeledbeast is offline sixwheeledbeast
2013-01-19 , 23:40
Posts: 2,292 | Thanked: 4,135 times | Joined on Apr 2010 @ UK
#14
Should Turktrust still be shown as valid in Smaemo6?
Attached Images
 
__________________

Wiki Admin
sixwheeledbeast's wiki
Testing Squad Subscriber
- mcallerx - tenminutecore - FlopSwap - Qnotted - zzztop - Bander - Fight2048 -


Before posting or starting a thread please try this.
 
pali is offline pali
2013-01-20 , 00:55
Posts: 2,154 | Thanked: 8,464 times | Joined on May 2010
#15
@sixwheeledbeast: This certificate applet had bug - it shown blacklisted certificates as valid. Bug was fixed in PR1.3.1 by this commit: https://gitorious.org/maemo-5-certif...4945c1dce4bf6e

So for blacklisting you *need* PR1.3.1
 
pali is offline pali
2013-01-20 , 00:57
Posts: 2,154 | Thanked: 8,464 times | Joined on May 2010
#16
Originally Posted by peterleinchen View Post
No, it is due to the cert name begins with "(".
You may check with
Code:
dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"

Yes, there is such possibility. I will put a script (produced at DigiNotar times) at the end of post.


For N900 users, please refer to below script.
For N9 users, do we need to delete that CA also from browser? (but according to open mentioned bug, there is no such possibility?)


Simple script/guide to remove fraudulent CAs:
Code:
#!/bin/sh
#removing fraudulent CAs

echo enter the cert\(ifier\) You are looking for:
read cert
cmcli -T common-ca -L | grep "$cert"

echo now copy the full cert ID ...
read nothing

echo and give it as input \(for removal\)
read certID

if [ `id -u` != 0 ] ; then
    sudo cp /etc/certs/common-ca/$certID.pem /etc/certs/common-ca/$certID.pem.old
    sudo cmcli -c common-ca -r $certID
else
    cp /etc/certs/common-ca/$certID.pem /etc/certs/common-ca/$certID.pem.old
    cmcli -c common-ca -r $certID
fi

echo now open microb and goto
echo chrome://pippki/content/certManager.xul 
echo and delete the cert also there in the CA manager
read nothing

dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"

--edit
BUT, one more question arises here:
I do see two certificate IDs for TÜRKTRUST

and also in browsers

they do appear twice.
So maybe for harmattan users, you also check bettwer twice?

I have no idea, why we do have them twice. Or if we need to block/delete both. Or if only one is fraudulent ...
After blacklisting is needed to re-run openssl c_rehash script (as root). Certman deb package doing it in postinst script: https://gitorious.org/community-ssu/...on-ca.postinst

Code:
$ perl /usr/bin/c_rehash /etc/certs/common-ca
 

The Following User Says Thank You to pali For This Useful Post:
freemangordon is offline freemangordon
2013-01-20 , 01:06
Posts: 3,074 | Thanked: 12,964 times | Joined on Mar 2010 @ Sofia,Bulgaria
#17
Originally Posted by pali View Post
@sixwheeledbeast: This certificate applet had bug - it shown blacklisted certificates as valid. Bug was fixed in PR1.3.1 by this commit: https://gitorious.org/maemo-5-certif...4945c1dce4bf6e

So for blacklisting you *need* PR1.3.1
turktrust root cert was not blacklistet, only the two compromised intermediate certs. so this is not a bug but a feature
__________________
Never fear. I is here.

720p video support on N900,SmartReflex on N900,Keyboard and mouse support on N900
Nothing is impossible - Stable thumb2 on n900

Community SSU developer
kernel-power developer and maintainer
 

The Following 3 Users Say Thank You to freemangordon For This Useful Post:
bng is offline bng
2014-09-01 , 21:49
Posts: 27 | Thanked: 5 times | Joined on Mar 2010
#18
hi all, can anyone please some up, is N9 with PR1.3 vulnerable, or is it not?
 
Reply
Page 2 of 2 1 2

« Previous Thread | Next Thread »

 
Forum Jump


All times are GMT. The time now is 10:54.

Contact Us - Home - Archive - Top