Active Topics

 


Reply
Thread Tools
Halftux's Avatar
Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#1
I am writing a qt application which should download a file over ssl connection. Sadly it is not working with the following error message*. The protocol is fixed to TLSv1. I am using cssu-testing with openssl 0.9.8zh-1+maemo1+0m5+0cssu0 and maemosec. version 0.2.10.

*
The host name did not match any of the valid hosts for this certificate
To investigate the problem I am using wget and also getting same error message like:

Der Common Name *.usgs.gov des Zertifikates entspricht nicht dem angeforderten Hostname basemap.nationalmap.gov.
Code:
wget https://navigator.er.usgs.gov/tiles/aerial_Imagery.cgi/
12/2199/1345 --secure-protocol=TLSv1
will redirect to basemap.nationalmap.gov

Code:
wget https://basemap.nationalmap.gov/ArcGIS/rest/services/US
GSImageryOnly/MapServer/tile/12/1345/2199 --secure-protocol=TLSv1
Both downloads not working.

Maybe it has something to do with redirection.

I have also installed needed certificates with the certificate manager and created /etc/osso-af-init/ssl.defs file which get loaded during boot time. I guess this was not needed.

When I check with:

Code:
openssl s_client -connect navigator.er.usgs.gov:443 -tls1 -CApath /etc/certs/common-ca
or
Code:
openssl s_client -connect basemap.nationalmap.gov:443 -tls1 -CApath /etc/certs/common-ca
I will get a successful ssl handshake.
Maybe someone has a clue about this or has maybe some hint.

Could it be possible to make a certificate with a different hostname?

Please help me I am happy to hear any suggestions.
 

The Following 2 Users Say Thank You to Halftux For This Useful Post:
Posts: 391 | Thanked: 908 times | Joined on Aug 2011 @ suncity
#2
Maybe it is silly suggestion as I'm not an expert, but what is the result when you add "--no-check-certificate" flag to the wget command...?
 

The Following User Says Thank You to justmemory For This Useful Post:
Halftux's Avatar
Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#3
Originally Posted by justmemory View Post
Maybe it is silly suggestion as I'm not an expert, but what is the result when you add "--no-check-certificate" flag to the wget command...?
I guess it will work but not solving the root of the problem
 

The Following User Says Thank You to Halftux For This Useful Post:
Posts: 391 | Thanked: 908 times | Joined on Aug 2011 @ suncity
#4
Originally Posted by Halftux View Post
I guess it will work but not solving the root of the problem
Yes, it does not solve the root of the problem, and iit does not work either...

But: I typed that command on my chrooted kali linux and the error was the following: "Resolving basemap.nationalmap.gov (basemap.nationalmap.gov)... failed: Name or service not known.
wget: unable to resolve host address `basemap.nationalmap.gov'" so it did not produce the error from above...
On the internet I found that it could be even wget that causing the issue. On Maemo5 I have 1.10, on kali 1.13.
 

The Following 2 Users Say Thank You to justmemory For This Useful Post:
Halftux's Avatar
Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#5
Originally Posted by justmemory View Post
But: I typed that command on my chrooted kali linux and the error was the following: "Resolving basemap.nationalmap.gov (basemap.nationalmap.gov)... failed: Name or service not known.
wget: unable to resolve host address `basemap.nationalmap.gov'" so it did not produce the error from above...
On the internet I found that it could be even wget that causing the issue. On Maemo5 I have 1.10, on kali 1.13.
looks like a dns issue maybe only related to the terminal. I tried it on some Ubuntu and was getting a file not found. This is reasonable because a German tile from an US map server is not possible. So here an us-tile-png:

Code:
wget https://navigator.er.usgs.gov/tiles/aerial_Imagery.cgi/
6/16/24.png --secure-protocol=TLSv1
The problem with maemo still exists. It seems we need maybe a new openssl and wget. A new openssl means also patching qt.
As far as I know to many things (also closed ones) depending on the old openssl, so we need to wait for maemo leste.
So atm the only way is to ignore the ssl error which is unsecure due to possible man in the middle attack.
Openssl api changes from 0.9.8 to 1.x.x.

There is another map server from which it is impossible to download because I guess the server does not support all TSLv1 crypting methods. With Ubuntu it works.

Code:
wget https://4umaps.com/12/2201/1344.png --secure-protocol=TLSv1

Last edited by Halftux; 2018-04-13 at 07:36.
 

The Following 3 Users Say Thank You to Halftux For This Useful Post:
Posts: 1,293 | Thanked: 4,319 times | Joined on Oct 2014
#6
I did compile OpenSSL 1.0.1g for n900 some time ago.
I used without issues, so you could try it out

http://talk.maemo.org/showthread.php?t=91787
 

The Following 3 Users Say Thank You to nieldk For This Useful Post:
Halftux's Avatar
Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#7
Originally Posted by nieldk View Post
I did compile OpenSSL 1.0.1g for n900 some time ago.
I used without issues, so you could try it out

http://talk.maemo.org/showthread.php?t=91787
Ehmm I thought the backward compatibility is 72,2% from 0.9.8 to 1.0.x, for qt4-x11 it shouldn't be a problem but I thought for other packages it could be a problem if they use removed Symbols. For qt4-x11 you will only need a patch when you want to use openssl 1.1.x.

Hmm but maybe I am wrong I found something similar to your package:

https://github.com/agamez/maemo-openssl-1.0.2

I will try both.

But another thing, for qt4-x11 there is only a build dependencie with libssl-dev but no dependencie to libssl for installing. So I could rebuild qt4-x11 with other openssl and don't need to replace the maemo one?
 

The Following User Says Thank You to Halftux For This Useful Post:
Halftux's Avatar
Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#8
 

The Following User Says Thank You to Halftux For This Useful Post:
Community Council | Posts: 685 | Thanked: 1,235 times | Joined on Sep 2010 @ Mbabane
#9
Originally Posted by Halftux View Post
... so we need to wait for maemo leste ...
Or join efforts
I am sure you could make valuable contributions.
 

The Following 6 Users Say Thank You to sicelo For This Useful Post:
Halftux's Avatar
Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#10
Originally Posted by sicelo View Post
Or join efforts
I am sure you could make valuable contributions.
Yeah you are right we all should push maemo leste.
I hope I will be able to make some contributions.

Regarding my ssl problem:
  • Rebuilding wget with cssu openssl - not fixing.
  • Using openssl 1.0.1g - not fixing.
  • Rebuilding qt4-x11 from cssu with gcc472 and openssl 1.0.1 ends in a compiler error.

@nieldk do you remember which configure parameters did you use for openssl 1.0.1.
 

The Following 5 Users Say Thank You to Halftux For This Useful Post:
Reply

Tags
certificate, hostname, openssl


 
Forum Jump


All times are GMT. The time now is 15:00.