The Following 5 Users Say Thank You to jonwil For This Useful Post: | ||
|
2018-05-30
, 11:22
|
|
Posts: 868 |
Thanked: 2,516 times |
Joined on Feb 2012
@ Germany
|
#2
|
The Following 5 Users Say Thank You to Halftux For This Useful Post: | ||
|
2018-05-30
, 11:59
|
|
Posts: 868 |
Thanked: 2,516 times |
Joined on Feb 2012
@ Germany
|
#3
|
The Following 4 Users Say Thank You to Halftux For This Useful Post: | ||
|
2018-05-30
, 13:07
|
Posts: 567 |
Thanked: 2,965 times |
Joined on Oct 2009
|
#4
|
The Following 4 Users Say Thank You to jonwil For This Useful Post: | ||
|
2018-06-04
, 05:03
|
Posts: 567 |
Thanked: 2,965 times |
Joined on Oct 2009
|
#5
|
|
2018-06-06
, 13:31
|
Posts: 567 |
Thanked: 2,965 times |
Joined on Oct 2009
|
#6
|
The Following 10 Users Say Thank You to jonwil For This Useful Post: | ||
|
2018-06-06
, 15:37
|
Posts: 567 |
Thanked: 2,965 times |
Joined on Oct 2009
|
#7
|
The Following 14 Users Say Thank You to jonwil For This Useful Post: | ||
|
2018-06-06
, 16:41
|
Posts: 567 |
Thanked: 2,965 times |
Joined on Oct 2009
|
#8
|
The Following 9 Users Say Thank You to jonwil For This Useful Post: | ||
|
2018-10-09
, 16:27
|
Community Council |
Posts: 685 |
Thanked: 1,235 times |
Joined on Sep 2010
@ Mbabane
|
#9
|
Ok, new OpenSSL works so far in that I can run openssl s_client -connect blah and get the results I expect
Nokia-N900:~$ openssl version -a OpenSSL 1.1.0h 27 Mar 2018 built on: reproducible build, date unspecified platform: debian-armel options: bn(64,32) rc4(char) des(long) blowfish(ptr) compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/lib/ssl\"" -DENGINESDIR="\"/usr/lib/engines-1.1\"" OPENSSLDIR: "/usr/lib/ssl" ENGINESDIR: "/usr/lib/engines-1.1" Nokia-N900:~$ openssl s_client -connect www.google.com:443 CONNECTED(00000003) depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3 verify error:num=20:unable to get local issuer certificate --- Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3 i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign --- Server certificate -----BEGIN CERTIFICATE----- MIIEgjCCA2qgAwIBAgIIJkr7Y04MXcAwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UE BhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczElMCMGA1UEAxMc R29vZ2xlIEludGVybmV0IEF1dGhvcml0eSBHMzAeFw0xODA5MTgxMjM0MDBaFw0x ODEyMTExMjM0MDBaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh MRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKDApHb29nbGUgTExDMRcw FQYDVQQDDA53d3cuZ29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBALp6zTXM7aFhWh8XEFulRxlHdX1BQKt6F/rRZ36wuELrXhI41UQvC51B B3OWTVsJM4iKlu3LX7ji3zx/wtkoYGW647AU+JPnUPHs65qmBI1Cshjrb6T7l0ew E8FfI09Y7UedK3H7hcU98otBHHO1HPxJEbADcKbTew5HLgcjBS7eDgsNtLSFnMep kOY6wKmWQfL1fs8dESoUroAm3zS1/+hJJ+HGCABABFID9J1AB1XGfADQM4GvBpEV aWP+w1bK00DISBni4DIR13ZahL4epZvIP5DwawMZtMt4CvMnLhqcI2sJEfVyE8Fq ykuPf9xf2/NV15n+j0sTftOZVLcW42kCAwEAAaOCAUIwggE+MBMGA1UdJQQMMAoG CCsGAQUFBwMBMBkGA1UdEQQSMBCCDnd3dy5nb29nbGUuY29tMGgGCCsGAQUFBwEB BFwwWjAtBggrBgEFBQcwAoYhaHR0cDovL3BraS5nb29nL2dzcjIvR1RTR0lBRzMu Y3J0MCkGCCsGAQUFBzABhh1odHRwOi8vb2NzcC5wa2kuZ29vZy9HVFNHSUFHMzAd BgNVHQ4EFgQUp6q8SfkDA+sKB9UNHw+i+P8ZqfgwDAYDVR0TAQH/BAIwADAfBgNV HSMEGDAWgBR3wrhQmmd2drEtwobQg6B+pn66SzAhBgNVHSAEGjAYMAwGCisGAQQB 1nkCBQMwCAYGZ4EMAQICMDEGA1UdHwQqMCgwJqAkoCKGIGh0dHA6Ly9jcmwucGtp Lmdvb2cvR1RTR0lBRzMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBHT9OHvfMJw+hx QMyV4TdsrkV9Ks9tHKBRh4vM5MRw2h6tKwkJxsmBtRbIJzn47auznh26ddL5IwxO /9OciSqS67FkaHKQHSXnlhHiovOIHLXyrn4un8oxM78XPMWDnsRcPLHK2dx+5qKI fHlG3TM/UQpBMGkU6jS2O4dYteUrf76qs0030kARWnZMkR1aDvZVvRztdzb189gf 6SgB8eVEuiEgwDK6Fi3Be41EylmIvo1fOpaAjv5aSNguWLY3hh06+9sx4Ta0GLYE lfoKorrzpuGGncQoZ5nYRo9g3HQjedK5KaAEG1jT70LmbAhTyKY4WaWJWfbTDitm r63fkykp -----END CERTIFICATE----- subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com issuer=/C=US/O=Google Trust Services/CN=Google Internet Authority G3 --- No client certificate CA names sent Peer signing digest: SHA256 Server Temp Key: X25519, 253 bits --- SSL handshake has read 2954 bytes and written 261 bytes Verification error: unable to get local issuer certificate --- New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-CHACHA20-POLY1305 Session-ID: 19F8BCE849085E0809C3C0A2B8627397908AB1AD722DAA28A489B796FEF75A94 Session-ID-ctx: Master-Key: CCFB428554021CD6349242DED35127D2A907B62A5748F0560A4667CF8EAB48670B52ECBDB7BF7BB28F86785B610909D5 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 100798 (seconds) TLS session ticket: 0000 - 00 ae 27 6f f3 b5 e8 75-9c c4 c1 88 8e dd d3 a6 ..'o...u........ 0010 - 4a 04 16 b7 4a 09 ef b8-11 cc f9 0c 32 f2 2e 13 J...J.......2... 0020 - 72 00 60 e9 29 e8 cf fe-1e 01 0b db 1f bc cc 13 r.`.)........... 0030 - ae 4f 9b 09 41 56 5a 19-5f ff bf ea f5 14 ad 1c .O..AVZ._....... 0040 - 95 e6 ff d7 ed 3f 7b 1e-56 08 5a 72 28 f6 c5 e6 .....?{.V.Zr(... 0050 - 1f 1b aa 2f 36 9d 5e 76-52 33 0c 36 c7 20 f1 ae .../6.^vR3.6. .. 0060 - 34 b2 91 e9 44 fb bd 52-57 93 67 0a dd f6 8b 62 4...D..RW.g....b 0070 - 44 27 11 df 1c 5b 48 68-20 a3 8f 96 37 38 90 2d D'...[Hh ...78.- 0080 - ba af b3 17 0e 80 a6 70-b2 7f d3 7d b1 fa 90 16 .......p...}.... 0090 - f8 cf 16 e2 d8 e4 25 09-85 16 54 b9 f7 89 61 f1 ......%...T...a. 00a0 - 2f bf 18 89 ea 1a 73 1a-fc 37 49 34 c4 9c c3 cf /.....s..7I4.... 00b0 - f1 43 79 b2 b3 ff 3d 31-32 4e e2 32 ba fe 82 fe .Cy...=12N.2.... 00c0 - 1f 5e b3 49 e0 41 bd 51-c8 c0 a4 03 e6 e6 1c 1c .^.I.A.Q........ 00d0 - 87 f9 c6 84 a5 a8 2d f2-10 f6 ......-... Start Time: 1539101657 Timeout : 7200 (sec) Verify return code: 20 (unable to get local issuer certificate) Extended master secret: yes --- read:errno=0 Nokia-N900:~$
I had to run a command on the certificates to get them in the format the new OpenSSL wants but my analysis of the N900 rootfs suggests nothing is reading the certificates that way, they are all either using maemosec-certman or reading the maemosec-certman pem files so it should be safe to run that rehash
# perl /usr/bin/c_rehash /etc/certs/common-ca
|
2018-10-10
, 14:14
|
|
Posts: 868 |
Thanked: 2,516 times |
Joined on Feb 2012
@ Germany
|
#10
|
I seem to be having a problem with this version:
EDIT: adding the CApath switch allows it to work, but I guess for 'average' applications that use openssl this won't help
I know there are ports of newer OpenSSL for Fremantle but I dont know which one I should use or where to get it from. I also dont know if anyone has already done the work to support TLS 1.2 in the Maemo QT version or not and if so where to get it from (if not, I will have to do the back-port myself). Can anyone help me out?