Posts: 1,067 | Thanked: 2,383 times | Joined on Jan 2012 @ Finland
#11
Originally Posted by nbedford View Post
Is opensh needed? or is open mode + devel-su + develsh enough?
Yes, opensh is needed (or adriane sh); openmode+devel-su+develsh is not enough to get the right capas.

But if you're in open mode then you can just install opensh with (if you have downloaded the deb package to your device):

Harmattan openmode:
apt-get install wget
wget http://maemo.cloud-7.de/HARM/N9/open...nsh/opensh.deb
AEGIS_FIXED_ORIGIN=com.nokia.maemo dpkg -i opensh.deb
__________________
IRC: jonni@freenode
Sailfish: ¤ Qt5 SailfishTouchExample ¤ Qt5 MultiPointTouchArea Example ¤ ipaddress ¤ stoken ¤ Sailbox (Dropbox client) ¤
Harmattan: ¤ Presence VNC for Harmattan ¤ Live-F1 ¤ BTinput-terminal ¤ BabyLock ¤ BabyLock Trial ¤ QML TextTV ¤
Disclaimer: all my posts in this forum are personal trolling and I never post in any official capacity on behalf of any company.

Last edited by rainisto; 2013-01-06 at 15:46.
 

Posts: 2,222 | Thanked: 12,651 times | Joined on Mar 2010 @ SOL 3
#12
Originally Posted by peterleinchen View Post
[...]
For N900 users, please refer to below script.
[...]

Simple script/guide to remove fraudulent CAs:
Code:
#!/bin/sh
#removing fraudulent CAs

echo enter the cert\(ifier\) You are looking for:
read cert
cmcli -T common-ca -L | grep "$cert"

echo now copy the full cert ID ...
read nothing

echo and give it as input \(for removal\)
read certID

if [ `id -u` != 0 ] ; then
    sudo cp "/etc/certs/common-ca/$certID.pem" "/etc/certs/common-ca/$certID.pem.old"
    sudo cmcli -c common-ca -r "$certID"
else
    cp "/etc/certs/common-ca/$certID.pem" "/etc/certs/common-ca/$certID.pem.old"
    cmcli -c common-ca -r "$certID"
fi

echo now open microb and goto
echo chrome://pippki/content/certManager.xul 
echo and delete the cert also there in the CA manager
read nothing

dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"

`sudo cp` and others won't work on a sane default sudo setup, so you'll have to run this in a root account instead (install rootsh, do `root`)


I have no idea, why we do have them twice. Or if we need to block/delete both. Or if only one is fraudulent ...
According to the Google report there were two certs fraudulent.

/j
__________________
Maemo Community Council member [2012-10, 2013-05, 2013-11, 2014-06 terms]
Hildon Foundation Council inaugural member.
MCe.V. foundation member

EX Hildon Foundation approved
Maemo Administration Coordinator (stepped down due to bullying 2014-04-05)
aka "techstaff" - the guys who keep your infra running - Devotion to Duty http://xkcd.com/705/

IRC(freenode): DocScrutinizer*
First USB hostmode fanatic, father of H-E-N

Last edited by joerg_rw; 2013-01-06 at 17:43.
 

Posts: 4,117 | Thanked: 8,901 times | Joined on Aug 2010 @ Ruhrgebiet, Germany
#13
Originally Posted by joerg_rw View Post
`sudo cp` and others won't work on a sane default sudo setup, so you'll have to run this in a root account instead (install rootsh, do `root`)
/j
Yep, sure. I made this in a rush to get rid of DigiNotar (and for future fraudulents) and did not test it out. This would probably work with sudser installed (or manual inclusion of cp/busybox in sudoers). So please refer to the corrected script below (rootsh required).
But why would anybody try to run this as non-root?
Code:
#!/bin/sh

if [ `id -u` != 0 ] ; then
       exec sudo gainroot <<EOF
exec sh $0 $*
EOF
       exit $?
fi

#removing fraudulent CAs

echo enter the cert\(ifier\) You are looking for:
read cert
cmcli -T common-ca -L | grep "$cert"

echo now copy the full cert ID ...
read nothing

echo and give it as input \(for removal\)
read certID

# keep a backup copy of the cert, then remove it from the common-ca domain
cp "/etc/certs/common-ca/$certID.pem" "/etc/certs/common-ca/$certID.pem.old"
cmcli -c common-ca -r "$certID"

echo now open microb and goto
echo chrome://pippki/content/certManager.xul 
echo and delete the cert also there in the CA manager
read nothing

dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"
Originally Posted by joerg_rw View Post
According to the Google report there were two certs fraudulent.
/j
After reading the link provided by aranel, I was also pretty sure.
Thanks for correction/confirming.
__________________
SIM-Switcher, automated SIM switching with a Double (Dual) SIM adapter
--
Thank you all for voting me into the Community Council 2014-2016!

Please consider your membership / supporting Maemo e.V. and help to spread this by following/copying this link to your TMO signature:
[MC eV] Maemo Community eV membership application, http://talk.maemo.org/showthread.php?t=94257

editsignature, http://talk.maemo.org/profile.php?do=editsignature

Last edited by peterleinchen; 2013-01-06 at 18:20.
 

Posts: 2,290 | Thanked: 4,133 times | Joined on Apr 2010 @ UK
#14
Should Turktrust still be shown as valid in Smaemo6?
 
__________________

Wiki Admin
sixwheeledbeast's wiki
Testing Squad Subscriber
- mcallerx - tenminutecore - FlopSwap - Qnotted - zzztop - Bander - Fight2048 -


Before posting or starting a thread please try this.
 
Posts: 2,153 | Thanked: 8,462 times | Joined on May 2010
#15
@sixwheeledbeast: This certificate applet had a bug - it showed blacklisted certificates as valid. The bug was fixed in PR1.3.1 by this commit: https://gitorious.org/maemo-5-certif...4945c1dce4bf6e

So for blacklisting you *need* PR1.3.1
 
Posts: 2,153 | Thanked: 8,462 times | Joined on May 2010
#16
Originally Posted by peterleinchen View Post
No, it is due to the cert name begins with "(".
You may check with
Code:
dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"

Yes, there is such possibility. I will put a script (produced at DigiNotar times) at the end of post.


For N900 users, please refer to below script.
For N9 users, do we need to delete that CA also from browser? (but according to open mentioned bug, there is no such possibility?)


Simple script/guide to remove fraudulent CAs:
Code:
#!/bin/sh
#removing fraudulent CAs

echo enter the cert\(ifier\) You are looking for:
read cert
cmcli -T common-ca -L | grep "$cert"

echo now copy the full cert ID ...
read nothing

echo and give it as input \(for removal\)
read certID

if [ `id -u` != 0 ] ; then
    sudo cp "/etc/certs/common-ca/$certID.pem" "/etc/certs/common-ca/$certID.pem.old"
    sudo cmcli -c common-ca -r "$certID"
else
    cp "/etc/certs/common-ca/$certID.pem" "/etc/certs/common-ca/$certID.pem.old"
    cmcli -c common-ca -r "$certID"
fi

echo now open microb and goto
echo chrome://pippki/content/certManager.xul 
echo and delete the cert also there in the CA manager
read nothing

dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"

--edit
BUT, one more question arises here:
I do see two certificate IDs for TÜRKTRUST

and also in browsers

they do appear twice.
So maybe for Harmattan users, you also better check twice?

I have no idea, why we do have them twice. Or if we need to block/delete both. Or if only one is fraudulent ...
After blacklisting, the openssl c_rehash script needs to be re-run (as root). The certman deb package does this in its postinst script: https://gitorious.org/community-ssu/...on-ca.postinst

Code:
$ perl /usr/bin/c_rehash /etc/certs/common-ca
 

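A hardened form of the backup-and-remove step from the scripts in this thread, plus a check for the stale hash links that the c_rehash re-run clears; this is an added example, not code from any poster. It assumes cert IDs are plain hex strings and that hash links are symlinks inside the store; the function names and the backup directory are hypothetical, and `rm` stands in for `cmcli -c common-ca -r` so it can be tried on a scratch directory.

```shell
#!/bin/sh
# Added example. Assumptions: cert IDs are plain hex strings, and the hash
# links in the store are symlinks of the kind c_rehash creates.

# Accept only a non-empty hex ID so "$id.pem" cannot leave the store directory.
valid_cert_id() {
    case "$1" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# usage: quarantine_cert STORE BACKUP_DIR CERT_ID
# Copies the PEM to a root-only directory outside the store, then removes it.
quarantine_cert() {
    store=$1 backup=$2 id=$3
    valid_cert_id "$id" || { echo "rejected cert ID: $id" >&2; return 2; }
    [ -f "$store/$id.pem" ] || { echo "no such cert: $id" >&2; return 3; }
    mkdir -p "$backup" && chmod 700 "$backup" || return 1
    cp -p -- "$store/$id.pem" "$backup/$id.pem" || return 1
    # On the device, `cmcli -c common-ca -r "$id"` from the thread replaces this rm.
    rm -f -- "$store/$id.pem"
}

# usage: dangling_hash_links STORE
# Prints hash symlinks whose target is gone; any output means the store
# still needs the c_rehash run mentioned in the thread.
dangling_hash_links() {
    for link in "$1"/*; do
        [ -L "$link" ] && [ ! -e "$link" ] && echo "${link##*/}"
    done
    return 0
}

# Run as: sh quarantine.sh STORE BACKUP_DIR CERT_ID
if [ "$#" -eq 3 ]; then
    quarantine_cert "$1" "$2" "$3" && dangling_hash_links "$1"
fi
```

Keeping the backup outside the store means the removed certificate is not left next to the trusted ones under a different file name.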
Posts: 3,074 | Thanked: 12,960 times | Joined on Mar 2010 @ Sofia,Bulgaria
#17
Originally Posted by pali View Post
@sixwheeledbeast: This certificate applet had a bug - it showed blacklisted certificates as valid. The bug was fixed in PR1.3.1 by this commit: https://gitorious.org/maemo-5-certif...4945c1dce4bf6e

So for blacklisting you *need* PR1.3.1
The Turktrust root cert was not blacklisted, only the two compromised intermediate certs. So this is not a bug but a feature.
__________________
Never fear. I is here.

720p video support on N900,SmartReflex on N900,Keyboard and mouse support on N900
Nothing is impossible - Stable thumb2 on n900

Community SSU developer
kernel-power developer and maintainer

 

Posts: 27 | Thanked: 5 times | Joined on Mar 2010
#18
Hi all, can anyone please sum up: is N9 with PR1.3 vulnerable, or is it not?
 