Posts: 6 | Thanked: 43 times | Joined on Jul 2020
#1
I've read these forums for a long time (I've used an N9 as my daily driver since June 2016), but only just now registered, and this is my first thread. I chose to start a new one, since this topic is touched on in many places, but doesn't have an N9-specific thread dealing just with it. If I'm in the wrong place, mods, please let me know and I'll move it.
I've been working on making things support TLS 1.2, and here's what I've done. Please note that, while it might be possible to find a way to do this in closed mode, I tried several times without success. All the progress I've made, I've made with the patched open mode kernel.

- built OpenSSL 1.0.1t (from Debian Jessie)
- rebuilt aegis-crypto (this is where you will kill your closed mode system)
- rebuilt aegis-certman, replaced all the CA certificates with the Mozilla ones from Debian Buster, hacked the post-install hooks to remove all old certificates
- realized I needed to hack aegis-certman to make hashed-name symlinks for both the old 0.9.8 (which used MD5) and 1.0.1 (which...doesn't), whenever a certificate is added
- started indiscriminately rebuilding open source packages that depended on OpenSSL, watching for API incompatibility
I probably rebuilt far more packages than necessary, but I got to the point where running ldd on both grob and fenix (the browser and email client) showed that they no longer had a dependency on OpenSSL 0.9.8. And...

TLS 1.1 sites still work, so the library upgrade was successful. However, TLS 1.2 does not. I suspect that I will need to code something in aegis-crypto, and may have to give up the BB5 crypto acceleration.

The OpenSSL API seems to be stable enough that I have some hope this is possible, since I was able to rebuild curl 7.21.0 from the Harmattan source, without modifying it, and it is able to access TLS 1.2 sites. So that's progress.

However, the easiest way to get something with modern security shouldn't require open mode at all. I did replace system packages to do it, but using the aegis-install hack, you should be able to as well.
Mozilla has maintained backward compatibility in NSS for a very long time, and by upgrading libnss3 and libnspr4 (because NSS depends on it) on the system, then removing the local copies that Fennec 15 (Firefox) uses from /opt/fennec/, I got it to browse Wikipedia and several other TLS 1.2 sites.
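The hashed-name symlink problem mentioned above comes from OpenSSL changing how it names CA certificates in a directory store: 0.9.8 derives the file name from an MD5 subject hash, 1.0.x from a SHA-1 one, so a store shared by both generations needs a link under each name. The script below is an added example, not the poster's aegis-certman patch: it uses the stock openssl CLI (`-subject_hash` and `-subject_hash_old`), the hypothetical helper names `link_hash` and `link_both_hashes`, and a constructed self-signed certificate in a temporary directory.

```shell
#!/bin/sh
# Added example: give each CA certificate a symlink under both the OpenSSL 0.9.8
# (MD5-based) and OpenSSL 1.0.x (SHA-1-based) subject-hash names, which is what a
# CA store read by both library generations needs.
set -eu

# Create one hash-named symlink, following c_rehash's ".0", ".1", ... suffix scheme
# so that two different certificates whose hashes collide both stay reachable.
link_hash() {
    dir=$1; cert=$2; hash=$3
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        # This certificate is already linked under this name: nothing to do.
        [ "$(readlink "$dir/$hash.$n")" = "$(basename "$cert")" ] && return 0
        n=$((n + 1))
    done
    ln -s "$(basename "$cert")" "$dir/$hash.$n"
}

# Link a certificate under both the new-style and the old-style hash name.
link_both_hashes() {
    dir=$1; cert=$2
    new_hash=$(openssl x509 -in "$cert" -noout -subject_hash)      # 1.0.x naming
    old_hash=$(openssl x509 -in "$cert" -noout -subject_hash_old)  # 0.9.8 naming
    link_hash "$dir" "$cert" "$new_hash"
    link_hash "$dir" "$cert" "$old_hash"
}

# Constructed demo input: a throwaway self-signed "CA" in a temporary directory.
CERTDIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$CERTDIR/ca.key" -out "$CERTDIR/ca.crt" 2>/dev/null
link_both_hashes "$CERTDIR" "$CERTDIR/ca.crt"
ls -l "$CERTDIR"
```

Running `link_both_hashes` a second time on the same certificate adds no further links, so it is safe to call from a post-install hook every time a certificate is added.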