Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#1
So it looks like (at least per what happens when I try to use wget on the relevant URL) Translink have updated their system to require TLS 1.2. Which means I need to add TLS 1.2 support to QT. Which means I need a newer OpenSSL than the 0.9.8zh version currently in use on Fremantle.

I know there are ports of newer OpenSSL for Fremantle but I don't know which one I should use or where to get it from. I also don't know if anyone has already done the work to support TLS 1.2 in the Maemo QT version or not and if so where to get it from (if not, I will have to do the back-port myself). Can anyone help me out?
 

The Following 5 Users Say Thank You to jonwil For This Useful Post:
Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#2
I am struggling to make a newer openssl version run in parallel with an old version. So from my side I can't help here atm.
Regarding TLS 1.2 and qt4 I don't have a clue if there are some patches.

For qt 4.8.7 there is a debian openssl 1.1.0 patch; I will attach it.
Attached Files
File Type: gz qt4-openssl-1.1.patch.tar.gz (6.0 KB, 316 views)
 

The Following 5 Users Say Thank You to Halftux For This Useful Post:
Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#3
Here I found something about backporting the TLS version to qt4.

https://github.com/mkrautz/mumble-de...b523a3eccb8b58

This one is maybe newer:
https://github.com/mkrautz/mumble-de...bc7545b80bd7fe

And here is a backport of support for DH and ECDH key exchange for QSslSocket servers.
So this one is not needed for clients.
https://github.com/mkrautz/mumble-de...9129d74f609f40

Last edited by Halftux; 2018-05-30 at 12:27.
 

The Following 4 Users Say Thank You to Halftux For This Useful Post:
Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#4
Looks like the main issue then is getting a newer OpenSSL working and running on-device without breaking the older OpenSSL.
 

The Following 4 Users Say Thank You to jonwil For This Useful Post:
Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#5
I have identified that there are no local Nokia-specific changes needed for OpenSSL 1.1.0h (all the patches in Nokia 0.9.8n that aren't in Debian 0.9.8n are either not needed or got merged upstream). All I need to do now is to figure out how to get Debian 1.1.0h to compile on Fremantle.
 

The Following 4 Users Say Thank You to jonwil For This Useful Post:
Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#6
I have managed to get OpenSSL 1.1.0h to compile in Scratchbox. Current source tree is at https://github.com/jonwil/openssl/

The openssl test cases are failing on Scratchbox armel (doesn't surprise me given how "unique" scratchbox is in the way it runs the arm binaries and stuff), so I have turned them off in the packaging.
All the tests pass on my N900 so I am going to continue and test the actual packages on my N900 and see what happens.

Once I get OpenSSL working, I will then move onto getting TLS 1.2 support into QT and then getting Fahrplan fixed.
 

The Following 10 Users Say Thank You to jonwil For This Useful Post:
Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#7
Ok, new OpenSSL works so far in that I can run openssl s_client -connect blah and get the results I expect. (I had to run a command on the certificates to get them in the format the new OpenSSL wants, but my analysis of the N900 rootfs suggests nothing is reading the certificates that way; they are all either using maemosec-certman or reading the maemosec-certman pem files, so it should be safe to run that rehash.)

New packages are at http://maemo.merlin1991.at/cssu/comm...ree/o/openssl/

Next up, QT and Fahrplan.
 

The Following 14 Users Say Thank You to jonwil For This Useful Post:
Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#8
For reference, these are the packages on a stock N900 PR1.3 install that link to OpenSSL:
Closed packages:
as-daemon (active sync daemon for Microsoft email servers)
osso-wlan-security (provides security stuff for WiFi)
nokiamessaging (nokia messaging stuff, no longer works AFAIK)
adobe-flashplayer (Flash plugin)
sharing-services-default (sharing services stuff; it's the OVI plugin that uses OpenSSL)
funambol-cpp-api (SyncML stuff)
location-proxy (proxy to handle the communications between the GPS hardware and the AGPS SUPL server)
osso-backup (backup program)
ota-settings (handles cellular data connection settings sent over the air)
maesync-backend (backend for syncing with Nokia PC application and things)
liblomesa (low level image viewer API)

Open packages:
maemo-security-certman (maemo certificate manager)
maemo-security-certman-applet (maemo certificate manager applet)
tinymail (tinymail backend stuff for modest)
xorg-server (main binaries for X11)
curl (command line tool for accessing URLs)
loudmouth (library for Jabber)
microb-eal (microb component)
qt4-x11 (QT4 package)
sofia-sip (SIP library)
clinkc (UPnP library)

Packages whose openness is unknown:
tablet-browser-ui (tablet browser main binary; I think I saw source code for this one somewhere but I can't find it and I may have been mistaken)
connui-internet (internet connectivity UI widgets; don't know if the clone done for maemo-leste is complete and can be compiled to work as a drop-in replacement for the Fremantle package)
connui-wlan (wlan connectivity UI widgets; don't know if the clone done for maemo-leste is complete and can be compiled to work as a drop-in replacement for the Fremantle package)
 

The Following 9 Users Say Thank You to jonwil For This Useful Post:
Community Council | Posts: 685 | Thanked: 1,235 times | Joined on Sep 2010 @ Mbabane
#9
Originally Posted by jonwil View Post
Ok, new OpenSSL works so far in that I can run openssl s_client -connect blah and get the results I expect
I seem to be having a problem with this version:

Code:
Nokia-N900:~$ openssl version -a
OpenSSL 1.1.0h  27 Mar 2018
built on: reproducible build, date unspecified
platform: debian-armel
options:  bn(64,32) rc4(char) des(long) blowfish(ptr) 
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/lib/ssl\"" -DENGINESDIR="\"/usr/lib/engines-1.1\"" 
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/engines-1.1"
Nokia-N900:~$ openssl s_client -connect www.google.com:443
CONNECTED(00000003)
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
   i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEgjCCA2qgAwIBAgIIJkr7Y04MXcAwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UE
BhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczElMCMGA1UEAxMc
R29vZ2xlIEludGVybmV0IEF1dGhvcml0eSBHMzAeFw0xODA5MTgxMjM0MDBaFw0x
ODEyMTExMjM0MDBaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
MRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKDApHb29nbGUgTExDMRcw
FQYDVQQDDA53d3cuZ29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALp6zTXM7aFhWh8XEFulRxlHdX1BQKt6F/rRZ36wuELrXhI41UQvC51B
B3OWTVsJM4iKlu3LX7ji3zx/wtkoYGW647AU+JPnUPHs65qmBI1Cshjrb6T7l0ew
E8FfI09Y7UedK3H7hcU98otBHHO1HPxJEbADcKbTew5HLgcjBS7eDgsNtLSFnMep
kOY6wKmWQfL1fs8dESoUroAm3zS1/+hJJ+HGCABABFID9J1AB1XGfADQM4GvBpEV
aWP+w1bK00DISBni4DIR13ZahL4epZvIP5DwawMZtMt4CvMnLhqcI2sJEfVyE8Fq
ykuPf9xf2/NV15n+j0sTftOZVLcW42kCAwEAAaOCAUIwggE+MBMGA1UdJQQMMAoG
CCsGAQUFBwMBMBkGA1UdEQQSMBCCDnd3dy5nb29nbGUuY29tMGgGCCsGAQUFBwEB
BFwwWjAtBggrBgEFBQcwAoYhaHR0cDovL3BraS5nb29nL2dzcjIvR1RTR0lBRzMu
Y3J0MCkGCCsGAQUFBzABhh1odHRwOi8vb2NzcC5wa2kuZ29vZy9HVFNHSUFHMzAd
BgNVHQ4EFgQUp6q8SfkDA+sKB9UNHw+i+P8ZqfgwDAYDVR0TAQH/BAIwADAfBgNV
HSMEGDAWgBR3wrhQmmd2drEtwobQg6B+pn66SzAhBgNVHSAEGjAYMAwGCisGAQQB
1nkCBQMwCAYGZ4EMAQICMDEGA1UdHwQqMCgwJqAkoCKGIGh0dHA6Ly9jcmwucGtp
Lmdvb2cvR1RTR0lBRzMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBHT9OHvfMJw+hx
QMyV4TdsrkV9Ks9tHKBRh4vM5MRw2h6tKwkJxsmBtRbIJzn47auznh26ddL5IwxO
/9OciSqS67FkaHKQHSXnlhHiovOIHLXyrn4un8oxM78XPMWDnsRcPLHK2dx+5qKI
fHlG3TM/UQpBMGkU6jS2O4dYteUrf76qs0030kARWnZMkR1aDvZVvRztdzb189gf
6SgB8eVEuiEgwDK6Fi3Be41EylmIvo1fOpaAjv5aSNguWLY3hh06+9sx4Ta0GLYE
lfoKorrzpuGGncQoZ5nYRo9g3HQjedK5KaAEG1jT70LmbAhTyKY4WaWJWfbTDitm
r63fkykp
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
issuer=/C=US/O=Google Trust Services/CN=Google Internet Authority G3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2954 bytes and written 261 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 19F8BCE849085E0809C3C0A2B8627397908AB1AD722DAA28A489B796FEF75A94
    Session-ID-ctx: 
    Master-Key: CCFB428554021CD6349242DED35127D2A907B62A5748F0560A4667CF8EAB48670B52ECBDB7BF7BB28F86785B610909D5
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100798 (seconds)
    TLS session ticket:
    0000 - 00 ae 27 6f f3 b5 e8 75-9c c4 c1 88 8e dd d3 a6   ..'o...u........
    0010 - 4a 04 16 b7 4a 09 ef b8-11 cc f9 0c 32 f2 2e 13   J...J.......2...
    0020 - 72 00 60 e9 29 e8 cf fe-1e 01 0b db 1f bc cc 13   r.`.)...........
    0030 - ae 4f 9b 09 41 56 5a 19-5f ff bf ea f5 14 ad 1c   .O..AVZ._.......
    0040 - 95 e6 ff d7 ed 3f 7b 1e-56 08 5a 72 28 f6 c5 e6   .....?{.V.Zr(...
    0050 - 1f 1b aa 2f 36 9d 5e 76-52 33 0c 36 c7 20 f1 ae   .../6.^vR3.6. ..
    0060 - 34 b2 91 e9 44 fb bd 52-57 93 67 0a dd f6 8b 62   4...D..RW.g....b
    0070 - 44 27 11 df 1c 5b 48 68-20 a3 8f 96 37 38 90 2d   D'...[Hh ...78.-
    0080 - ba af b3 17 0e 80 a6 70-b2 7f d3 7d b1 fa 90 16   .......p...}....
    0090 - f8 cf 16 e2 d8 e4 25 09-85 16 54 b9 f7 89 61 f1   ......%...T...a.
    00a0 - 2f bf 18 89 ea 1a 73 1a-fc 37 49 34 c4 9c c3 cf   /.....s..7I4....
    00b0 - f1 43 79 b2 b3 ff 3d 31-32 4e e2 32 ba fe 82 fe   .Cy...=12N.2....
    00c0 - 1f 5e b3 49 e0 41 bd 51-c8 c0 a4 03 e6 e6 1c 1c   .^.I.A.Q........
    00d0 - 87 f9 c6 84 a5 a8 2d f2-10 f6                     ......-...

    Start Time: 1539101657
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
---
read:errno=0
Nokia-N900:~$
EDIT: adding the CApath switch allows it to work, but I guess for 'average' applications that use openssl this won't help.

Originally Posted by jonwil View Post
I had to run a command on the certificates to get them in the format the new OpenSSL wants but my analysis of the N900 rootfs suggests nothing is reading the certificates that way, they are all either using maemosec-certman or reading the maemosec-certman pem files so it should be safe to run that rehash
How did you run the rehash?
Code:
# perl /usr/bin/c_rehash /etc/certs/common-ca
Didn't fix it for me.
__________________
RX-51

Last edited by sicelo; 2018-10-09 at 16:44. Reason: added info
 

The Following 4 Users Say Thank You to sicelo For This Useful Post:
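Worked example, added here and not part of jonwil's or sicelo's posts: it reproduces the "unable to get local issuer certificate" situation from #7 and #9 with a throwaway CA. OpenSSL 0.9.8 named files in a CApath directory after an MD5-based subject hash; OpenSSL 1.0.0 and later look files up by a different (SHA-1 based) subject hash, so a directory hashed by the old tools is invisible to the new library until it is re-hashed. The script also shows why rehashing a directory on its own is not enough for programs that never pass a CApath: they use OPENSSLDIR/certs (the "/usr/lib/ssl" in sicelo's `openssl version -a` output) unless SSL_CERT_DIR points them elsewhere. It assumes an OpenSSL 1.0.0+ command-line tool on PATH; the CA, leaf certificate and directory names are all constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread). Shows that a CA directory whose files
# carry 0.9.8-style subject-hash names is not found by OpenSSL 1.x, that
# re-hashing fixes it, and that SSL_CERT_DIR steers default lookups.
# Assumes an OpenSSL 1.0.0+ CLI on PATH. Everything lives in a temp dir.
set -eu

# Constructed test CA and leaf certificate; nothing here is a real PKI.
make_test_pki() {
  work=$1
  cat > "$work/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$work/req.cnf" -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=leaf.example" \
    -config "$work/req.cnf" -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$work/leaf.csr" -CA "$work/ca.pem" \
    -CAkey "$work/ca.key" -CAcreateserial -out "$work/leaf.pem" 2>/dev/null
}

# Returns 0 when `openssl verify` accepts the leaf using the given CApath.
# The output is grepped rather than trusting the exit code, which older
# releases did not set on failure.
verifies_with_capath() {
  openssl verify -CApath "$2" "$1" 2>&1 | grep -q ': OK$'
}

# Same check, but with no CApath argument at all: the library then uses its
# compiled-in default directory, or SSL_CERT_DIR when that is set.
verifies_with_env_dir() {
  SSL_CERT_DIR="$2" openssl verify "$1" 2>&1 | grep -q ': OK$'
}

# Runs the whole experiment in a fresh temp dir. Returns 0 when lookup fails
# with the old-style name, succeeds after re-hashing, and succeeds again via
# SSL_CERT_DIR; returns 1 otherwise.
run_experiment() {
  work=$(mktemp -d)
  capath="$work/certs"
  mkdir "$capath"
  make_test_pki "$work"

  old=$(openssl x509 -noout -subject_hash_old -in "$work/ca.pem")
  new=$(openssl x509 -noout -subject_hash -in "$work/ca.pem")
  echo "0.9.8-style file name: $old.0    1.x-style file name: $new.0"
  echo "default CApath for this binary: $(openssl version -d) (plus /certs)"

  # Install the CA the way a 0.9.8-era c_rehash would have named it.
  cp "$work/ca.pem" "$capath/$old.0"
  if verifies_with_capath "$work/leaf.pem" "$capath"; then before=ok; else before=fail; fi

  # What `openssl rehash` / c_rehash from 1.x adds: a link under the new hash.
  ln -s "$old.0" "$capath/$new.0"
  if verifies_with_capath "$work/leaf.pem" "$capath"; then after=ok; else after=fail; fi

  # No -CApath: the re-hashed directory is only consulted because of SSL_CERT_DIR.
  if verifies_with_env_dir "$work/leaf.pem" "$capath"; then env_dir=ok; else env_dir=fail; fi

  echo "before rehash: $before, after rehash: $after, default lookup via SSL_CERT_DIR: $env_dir"
  rm -rf "$work"
  [ "$before" = fail ] && [ "$after" = ok ] && [ "$env_dir" = ok ]
}

run_experiment
```

Expected outcome: the first verification fails with error 20 (the same code as in the s_client output above), the second succeeds once the file is reachable under the 1.x hash name, and the third succeeds without any CApath argument because SSL_CERT_DIR overrides the compiled-in OPENSSLDIR/certs. That last point is why running c_rehash on /etc/certs/common-ca alone does not change what a program using default verify paths sees: the new library looks in /usr/lib/ssl/certs unless it is told otherwise.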
Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#10
Originally Posted by sicelo View Post
I seem to be having a problem with this version:

EDIT: adding the CApath switch allows it to work, but I guess for 'average' applications that use openssl this won't help
Which application is not working with the newer openssl?
 

The Following 4 Users Say Thank You to Halftux For This Useful Post: