Reply
Thread Tools
Posts: 6 | Thanked: 44 times | Joined on Jul 2020
#1
I've gotten TLSv1.2 working in grob (stock browser) and fenix (stock email client) on my N9. Granted, this is too late for me and for other users in the USA, since the last US carrier with 3G is shutting it down next year, but perhaps if anyone using the N9 in other countries that are maintaining at least their 2G GSM can get good out of this, here's what I did.

NOTE: I'm in open mode with the patched open-mode kernel. It may be possible to do this VERY carefully in closed mode with the aegis-install hack, but I haven't tried again after I failed the first 2 times. I was still figuring it out back then.

I don't have a solid HOWTO built for this yet, as I rebuilt a lot more packages than I probably needed to, and my N9 is my daily driver, so it'll be difficult to experiment with this to trim it down.

I used Scratchbox for all builds.

First, I built OpenSSL 1.0.1t out of Debian Jessie, since I figured it would be easier to do proof of concept on a version closer to the original that was already debianized. There are vulnerabilities in it that you could avoid by using a newer version, but be prepared to do more patching of the open source components that link against it. There are closed packages that link to 0.9.8, so it's not possible to get rid of it completely.

I rebuilt aegis-crypto, and that's where I ran into trouble with closed mode. I hadn't realized that OpenSSL 1 hashes certs differently from 0.9.8, and that I was going to need two sets of symlinks in /etc/ssl/certs for both versions. The moment I installed aegis-crypto, all the code on the system couldn't be verified, since Aegis couldn't find the codesigning certs. It *might* be possible to get this to work closed by doing the next step before this one.

I changed all the CA certificates in aegis-certman to the latest Mozilla certs, patched the source to create both old and new symlinks when new certs are added, and patched the install scripts to delete all preexisting CA certs before installing the new ones (so that everything would get both symlinks).

By this point, I could use OpenSSL from the command line to access TLSv1.2 sites, like Wikipedia.

I then rebuilt a ton of other packages against 1.0.1t until ldd showed that fenix and grob no longer depended on libssl.so.0.9.8, just libssl.so.1.0.0. But they still didn't work. I assumed it was a lost cause, until I discovered that fenix uses libqmf, which uses libqt4-network for SSL.

libqt4-network doesn't seem to depend on OpenSSL, so I started looking at the source, and found that it dlopen()'s it, like a plugin, instead of linking against it. By default, it looks for the version of OpenSSL that was on the system that built it. So I just rebuilt that (yeah, I rebuilt the entirety of Qt4 just for that one .deb. I should've hacked it to just build that, but I didn't have the time, and my build computer did).

Rebooted phone after installing, and it works!

I'll pull out my patches to aegis-certman and post them here in a couple days once I have a chance, along with the list of all other packages I rebuilt against 1.0.1t.

Another related update I tried: I have Firefox (Fennec) 15 installed from openrepos.net, and I dropped in a new build of libnss and libnspr into it. It made a few TLSv1.2 sites work, but there are still many where there's no cipher overlap. I'm not surprised, as this was just a hackish experiment. Nice thing is that Mozilla keeps the ABI of NSS and NSPR so stable.

Another unrelated update I've done is GStreamer to 0.10.36, so I could use plugins-bad-0.10.23, which has Opus. That was hard, and I recently noticed that MMS video transcoding doesn't work anymore. Haven't yet tried to figure out why. If anyone is interested, I'll try to throw together a more detailed explanation. Main thing that gave me trouble was the debianization, not the actual code. If you wanted to just build the new stuff without making .debs and throw it in /usr/local, it might work. The only stuff I really had to do to the code was apply some Nokia-specific camera patches from the 0.10.34 source that came with Harmattan.

Now if only the N9's modem could do LTE...
 

The Following 27 Users Say Thank You to n9erator For This Useful Post:
peterleinchen's Avatar
Posts: 4,118 | Thanked: 8,901 times | Joined on Aug 2010 @ Ruhrgebiet, Germany
#2
Wow, just wow! Thanks.
And welcome to TMO.
__________________
SIM-Switcher, automated SIM switching with a Double (Dual) SIM adapter
--
Thank you all for voting me into the Community Council 2014-2016!

Please consider your membership / supporting Maemo e.V. and help to spread this by following/copying this link to your TMO signature:
[MC eV] Maemo Community eV membership application, http://talk.maemo.org/showthread.php?t=94257

editsignature, http://talk.maemo.org/profile.php?do=editsignature

Last edited by peterleinchen; 2021-02-07 at 09:45.
 

The Following 2 Users Say Thank You to peterleinchen For This Useful Post:
Posts: 1,296 | Thanked: 4,320 times | Joined on Oct 2014
#3
Amazing. I am sure that cost you countless hours.
Hopefully to the benefits of all us here.

Thanks for the update
 

The Following 3 Users Say Thank You to nieldk For This Useful Post:
Posts: 1 | Thanked: 3 times | Joined on Feb 2021
#4
Just posting that just did this on my old N800. Used this repohttps://github.com/jonwil/openssl for updating to Openssl 1.1.0h but it was meant to use on N900, I suppose. Just changed the Perl version to 5.8.3 from 5.8.4 and disabled AMS to turn-off NEON instructions.
Since one of the tests failed, I'm still checking the effectiveness of this workaround.
 

The Following 3 Users Say Thank You to pauloerweber For This Useful Post:
Posts: 119 | Thanked: 217 times | Joined on Feb 2015 @ Poland
#5
Really amazing news.

I've stopped using n9 month ago, because USB port stopped working.
But lack of 'wokring' web browser was very annoying on n9, and I'm sure I will order news usb ports + screens(got many broken screens on mine n9s, batteries and other parts)

Personally I think it's the biggest achievment from many years in n9 community.
 

The Following User Says Thank You to badpixel For This Useful Post:
Posts: 6 | Thanked: 44 times | Joined on Jul 2020
#6
I apologize. Your reply reminded me that I was going to put up a list of the other packages I rebuilt against the newer OpenSSL, even though they probably weren't necessary for the project. I'm sorry for the long delay. But here are the others besides aegis-crypto, aegis-certman, and Qt itself (all these are the last versions from Harmattan source, not newer versions):

cryptsetup
curl (for testing purposes)
cyrus-sasl2
libaccounts-glib
libsignoncrypto-qt
qca2-plugin-ossl

I also promised the changes I made to aegis-certman. Here's the brutish hack to aegis-certman-common-ca.postinst in the debian directory to cause it to remove all old certs before installing the new ones. Keep in mind that I completely replaced the etc/certs directory in the package with recent Mozilla certs:

Code:
--- aegis-certman-common-ca.postinst.old	2012-05-08 06:26:05.000000000 -0500
+++ aegis-certman-common-ca.postinst	2020-06-30 21:16:56.040808550 -0500
@@ -1,12 +1,11 @@
 #!/bin/sh -e
 if [ "$1" = "configure" ]; then
+	for deletename in /var/lib/aegis/certs/common-ca/*.pem; do
+		acmcli -C aegis-certman-common-ca::CertCACommonAdd \
+		-lc common-ca -r `echo $deletename | sed "s/.*\/\([-0123456789abcdef]*\).*/\\1/"`
+	done;
 	acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca\
            -a /usr/share/aegis-certman-common-ca/*.pem
-	# Remove DigiNotar CA if still in store
-	if [ -f /var/lib/aegis/certs/common-ca/8868bfe08e35c43b386b62f7283b8481c80cd74d.pem ] ; then
-		acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca\
-               -r 8868bfe08e35c43b386b62f7283b8481c80cd74d
-	fi
 	chmod 0777 /var/lib/aegis/certs
 	if [ ! -e /usr/lib/ssl/certs ]
 	then

Here's the hack to certman_main.cpp to make symlinks for both old and new hashing methods:

Code:
--- certman_main.cpp.old	2012-05-08 06:26:05.000000000 -0500
+++ certman_main.cpp	2020-07-21 21:14:32.432448891 -0500
@@ -436,13 +436,13 @@
 #define MAX_TRIES 100
 
 void
-make_hash_filename(X509* of_cert, storage* pstore, const char* to_certfile, string &result)
+make_hash_filename(X509* of_cert, storage* pstore, const char* to_certfile, string &result, string &result_old)
 {
 	X509* lcert = of_cert;
 	char hash_file_name[32];
 	string full_name;
-	long hash;
-	int i;
+	long hash[2]; // changed to [0] for new, [1] for old
+	int i, j; // added counter j
 
 	AEGIS_DEBUG(1, "%s: make hash to '%s'", __func__, to_certfile);
 	if (NULL == lcert) {
@@ -453,12 +453,18 @@
 			return;
 		}
 	}
-	hash = X509_subject_name_hash(lcert);
+
+	// changed to array, now getting old hash as well
+	hash[0] = X509_subject_name_hash(lcert);
+	hash[1] = X509_subject_name_hash_old(lcert);
+
 	if (of_cert != lcert)
 		X509_free(lcert);
+
+	for (j = 0; j < 2; j++) {
 	
 	for (i = 0; i < MAX_TRIES; i++) {
-		snprintf(hash_file_name, sizeof(hash_file_name), "%08lx.%d", hash, i);
+		snprintf(hash_file_name, sizeof(hash_file_name), "%08lx.%d", hash[j], i);
 		if (!pstore->contains_link(hash_file_name))
 			break;
 	}
@@ -466,7 +472,10 @@
 		AEGIS_ERROR("%s: %d colliding hash files for '%s'?",
 					   __func__, i, to_certfile);
 	} else {
-		result.assign(hash_file_name);
+		if (j) result_old.assign(hash_file_name);
+		else result.assign(hash_file_name);
+	}
+
 	}
 }
 
@@ -967,14 +976,17 @@
 			rc = errno;
 
 		if (0 == rc) {
-            string hash_name;
+            string hash_name, hash_name_old;
 			make_hash_filename(cert, mydomain->index, filename.c_str(), 
-							   hash_name);
+							   hash_name, hash_name_old);
             if (!mydomain->index->contains_file(filename.c_str())) {
                 mydomain->index->add_file(filename.c_str());
                 if ("" != hash_name)
                     mydomain->index->add_link(hash_name.c_str(), 
 										  filename.c_str());
+                if ("" != hash_name_old)
+                    mydomain->index->add_link(hash_name_old.c_str(), 
+										  filename.c_str());
                 if (do_commit) {
 					if (!mydomain->index->commit()) {
 						AEGIS_DEBUG(1, "%s: add of '%s' failed (%s)", __func__,

Thank you everyone for your kind words. I will mention there's a lot more to do if you want a truly modern, but slow, web experience on the N9. Stock browser is running a WebKit that walked out of 2012 and will definitely have many security holes, as well as lack of support for newer features. Now if grob used the WebKit 1 in Qt4 it would be easier to upgrade, at least to the last released version of QtWebKit 1, but it uses its own, probably patched, WebKit 2 (split process model) in a separate package, and there's no source.

It needs a whole new browser. I had wondered at the possibility of building WebKit WPE for Harmattan, but I currently don't have the time to dive into that now. That's the only option that I think wouldn't be painfully slow on the N9. Even then I would need to write a browser frontend to use it. Maybe someday
 

The Following 3 Users Say Thank You to n9erator For This Useful Post:
Posts: 29 | Thanked: 31 times | Joined on May 2019 @ france
#7
Absolutely amazing. Do you think its possible to re use your work on a standard N9 ?
The only partial solution I found for TLS1.2 on N9 is Opera Mini 8. But it's slow and not very well integrated (java midlet...) with harmattan.
 

The Following User Says Thank You to smartblu9 For This Useful Post:
Posts: 6 | Thanked: 44 times | Joined on Jul 2020
#8
I apologize. Your reply reminded me that I was going to put up a list of the other packages I rebuilt against the newer OpenSSL, even though they probably weren't necessary for the project. I'm sorry for the long delay. But here are the others besides aegis-crypto, aegis-certman, and Qt itself (all these are the last versions from Harmattan source, not newer versions):

cryptsetup
curl (for testing purposes)
cyrus-sasl2
libaccounts-glib
libsignoncrypto-qt
qca2-plugin-ossl

I also promised the changes I made to aegis-certman. Here's the brutish hack to aegis-certman-common-ca.postinst in the debian directory to cause it to remove all old certs before installing the new ones. Keep in mind that I completely replaced the etc/certs directory in the package with recent Mozilla certs:

Code:
--- aegis-certman-common-ca.postinst.old	2012-05-08 06:26:05.000000000 -0500
+++ aegis-certman-common-ca.postinst	2020-06-30 21:16:56.040808550 -0500
@@ -1,12 +1,11 @@
 #!/bin/sh -e
 if [ "$1" = "configure" ]; then
+	for deletename in /var/lib/aegis/certs/common-ca/*.pem; do
+		acmcli -C aegis-certman-common-ca::CertCACommonAdd \
+		-lc common-ca -r `echo $deletename | sed "s/.*\/\([-0123456789abcdef]*\).*/\\1/"`
+	done;
 	acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca\
            -a /usr/share/aegis-certman-common-ca/*.pem
-	# Remove DigiNotar CA if still in store
-	if [ -f /var/lib/aegis/certs/common-ca/8868bfe08e35c43b386b62f7283b8481c80cd74d.pem ] ; then
-		acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca\
-               -r 8868bfe08e35c43b386b62f7283b8481c80cd74d
-	fi
 	chmod 0777 /var/lib/aegis/certs
 	if [ ! -e /usr/lib/ssl/certs ]
 	then

Here's the hack to certman_main.cpp to make symlinks for both old and new hashing methods:

Code:
--- certman_main.cpp.old	2012-05-08 06:26:05.000000000 -0500
+++ certman_main.cpp	2020-07-21 21:14:32.432448891 -0500
@@ -436,13 +436,13 @@
 #define MAX_TRIES 100
 
 void
-make_hash_filename(X509* of_cert, storage* pstore, const char* to_certfile, string &result)
+make_hash_filename(X509* of_cert, storage* pstore, const char* to_certfile, string &result, string &result_old)
 {
 	X509* lcert = of_cert;
 	char hash_file_name[32];
 	string full_name;
-	long hash;
-	int i;
+	long hash[2]; // changed to [0] for new, [1] for old
+	int i, j; // added counter j
 
 	AEGIS_DEBUG(1, "%s: make hash to '%s'", __func__, to_certfile);
 	if (NULL == lcert) {
@@ -453,12 +453,18 @@
 			return;
 		}
 	}
-	hash = X509_subject_name_hash(lcert);
+
+	// changed to array, now getting old hash as well
+	hash[0] = X509_subject_name_hash(lcert);
+	hash[1] = X509_subject_name_hash_old(lcert);
+
 	if (of_cert != lcert)
 		X509_free(lcert);
+
+	for (j = 0; j < 2; j++) {
 	
 	for (i = 0; i < MAX_TRIES; i++) {
-		snprintf(hash_file_name, sizeof(hash_file_name), "%08lx.%d", hash, i);
+		snprintf(hash_file_name, sizeof(hash_file_name), "%08lx.%d", hash[j], i);
 		if (!pstore->contains_link(hash_file_name))
 			break;
 	}
@@ -466,7 +472,10 @@
 		AEGIS_ERROR("%s: %d colliding hash files for '%s'?",
 					   __func__, i, to_certfile);
 	} else {
-		result.assign(hash_file_name);
+		if (j) result_old.assign(hash_file_name);
+		else result.assign(hash_file_name);
+	}
+
 	}
 }
 
@@ -967,14 +976,17 @@
 			rc = errno;
 
 		if (0 == rc) {
-            string hash_name;
+            string hash_name, hash_name_old;
 			make_hash_filename(cert, mydomain->index, filename.c_str(), 
-							   hash_name);
+							   hash_name, hash_name_old);
             if (!mydomain->index->contains_file(filename.c_str())) {
                 mydomain->index->add_file(filename.c_str());
                 if ("" != hash_name)
                     mydomain->index->add_link(hash_name.c_str(), 
 										  filename.c_str());
+                if ("" != hash_name_old)
+                    mydomain->index->add_link(hash_name_old.c_str(), 
+										  filename.c_str());
                 if (do_commit) {
 					if (!mydomain->index->commit()) {
 						AEGIS_DEBUG(1, "%s: add of '%s' failed (%s)", __func__,

Thank you everyone for your kind words. I will mention there's a lot more to do if you want a truly modern, but slow, web experience on the N9. Stock browser is running a WebKit that walked out of 2012 and will definitely have many security holes, as well as lack of support for newer features. Now if grob used the WebKit 1 in Qt4 it would be easier to upgrade, at least to the last released version of QtWebKit 1, but it uses its own, probably patched, WebKit 2 (split process model) in a separate package, and there's no source.

It needs a whole new browser. I had wondered at the possibility of building WebKit WPE for Harmattan, but I currently don't have the time to dive into that now. That's the only option that I think wouldn't be painfully slow on the N9. Even then I would need to write a browser frontend to use it. Maybe someday
 

The Following 6 Users Say Thank You to n9erator For This Useful Post:
Posts: 6 | Thanked: 44 times | Joined on Jul 2020
#9
Originally Posted by smartblu9 View Post
Absolutely amazing. Do you think its possible to re use your work on a standard N9 ?
The only partial solution I found for TLS1.2 on N9 is Opera Mini 8. But it's slow and not very well integrated (java midlet...) with harmattan.
If by standard N9, you mean in closed mode with fully enforcing Aegis, I don't know. I had wanted to do that, but wasn't successful. I suspect it may be doable if you rebuild aegis-certman first AND reinstall all the codesigning certificates with both old and new hashed symlinks. I did not reinstall those certs, just the CA ones, as I am in open mode.

Another possible solution would be to figure out what's keeping Fennec 15 from using the newer ciphers in libnss, fix that, and rebuild it, leaving the base Harmattan system untouched. I haven't checked into this yet, but it would be even nicer to backport a newer version of Fennec - but it's probably a porting nightmare.
 

The Following 4 Users Say Thank You to n9erator For This Useful Post:
Posts: 2 | Thanked: 3 times | Joined on Aug 2021
#10
Hi, would love to see any updates to the project. Will most of the internet-based apps will be revived because of this?
 

The Following User Says Thank You to thisismartinn For This Useful Post:
Reply


 
Forum Jump


All times are GMT. The time now is 22:54.