Posts: 2,129 | Thanked: 8,325 times | Joined on May 2010
#241
jonwil: Can't we just include the "0 s:/C=NL/ST=Noord-Brabant/L=Veldhoven/O=HERE Global BV/CN=supl.nokia.com" cert in the storage and establish the connection without checking the whole certificate chain?

That cert has CN=supl.nokia.com, so it is valid only for supl.nokia.com. And once you trust some certificate in the chain, you do not have to validate the others in the chain...
 
Posts: 2,129 | Thanked: 8,325 times | Joined on May 2010
#242
Anyway, on Ubuntu 12.04 verification to supl.nokia.com:7275 passes:
Code:
$ openssl s_client -connect supl.nokia.com:7275 -CAfile /etc/ssl/certs/ca-certificates.crt
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = NL, ST = Noord-Brabant, L = Veldhoven, O = HERE Global BV, CN = supl.nokia.com
verify return:1
---
Certificate chain
 0 s:/C=NL/ST=Noord-Brabant/L=Veldhoven/O=HERE Global BV/CN=supl.nokia.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body not included in this copy of the page]
-----END CERTIFICATE-----
subject=/C=NL/ST=Noord-Brabant/L=Veldhoven/O=HERE Global BV/CN=supl.nokia.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 5304 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FA31BE7E16B88AA4065D88CF78256C136596EFEA30667A7773FD7AF6403A4DE1
    Session-ID-ctx: 
    Master-Key: 11D4F52DEA6E4324BD9276717F90F26FE76AE54F8FE65732244C22E080D11BFF537884DE502187F91FEA23580261842B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1486306871
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE
On Debian 8 too:
Code:
$ openssl s_client -connect supl.nokia.com:7275 -CAfile /etc/ssl/certs/ca-certificates.crt
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = NL, ST = Noord-Brabant, L = Veldhoven, O = HERE Global BV, CN = supl.nokia.com
verify return:1
---
Certificate chain
 0 s:/C=NL/ST=Noord-Brabant/L=Veldhoven/O=HERE Global BV/CN=supl.nokia.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[start of certificate body not included in this copy of the page]
AQICMEwwIwYIKwYBBQUHAgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsG
AQUFBwICMBkaF2h0dHBzOi8vZC5zeW1jYi5jb20vcnBhMB8GA1UdIwQYMBaAFF9g
z2GQVd+EQxSKYCqy9Xr0QxjvMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9zcy5z
eW1jYi5jb20vc3MuY3JsMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0
cDovL3NzLnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL3NzLnN5bWNiLmNv
bS9zcy5jcnQwggF/BgorBgEEAdZ5AgQCBIIBbwSCAWsBaQB2AN3rHSt6DU+mIIuB
rYFocH4ujp0B1VyIjT0RxM227L7MAAABUvXU0HQAAAQDAEcwRQIhALnrb8gmpKob
6WD6R2NfNUDdxmEry6PbLdAgrYxoxd7YAiAq5oaIjTWuS7VvGOl7aSfxLxXKoX/H
afFyFY759kv4RQB3AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAAB
UvXU0LUAAAQDAEgwRgIhAIcx1pylH31cUgbUvXDu/Ue5DJwx2P187DQmxnPQIUmz
AiEA7oNhaU1u9jf27FbMQAAnpMuNV1MNy1XCLNUyr9vmTQEAdgBo9pj4H2SCvjqM
[rest of certificate body not included in this copy of the page]
-----END CERTIFICATE-----
subject=/C=NL/ST=Noord-Brabant/L=Veldhoven/O=HERE Global BV/CN=supl.nokia.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 5304 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7B20D6346EE3595B55010B4DEAC1AF886A55CD48F0E7B380767E0D15B23F9DB0
    Session-ID-ctx: 
    Master-Key: 3D9D14E0642329844E5FBDB5B0F95E915FB844C00A99BA1E70BA66CD33D24C58B38D52035DA67960429BDA0399941711
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1486306958
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE
So... is it really a problem with certificates?
 

The Following 2 Users Say Thank You to pali For This Useful Post:
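An added example (not code from any post in this thread): a small Python parser for the kind of `openssl s_client` output quoted above, so the verification result can be checked by a script rather than by eye. The successful sample is abridged from the Ubuntu run above; the failing sample is constructed to show what a client with an outdated CA bundle prints (verify error 20, "unable to get local issuer certificate", which is a real OpenSSL error string). The point it demonstrates: the per-depth `verify return:1` lines are not the verdict, because s_client keeps going after an error by default; only the final `Verify return code` line, together with the leaf name matching the host you dialled, says the connection is trustworthy.

```python
import re

# Lines of interest in `openssl s_client` output.
DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
VERIFY_ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
FINAL_CODE_RE = re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*)\)\s*$")
SUBJECT_RE = re.compile(r"^subject=(.*)$")
PROTOCOL_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)")
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)")


def parse_s_client(output):
    """Summarise one s_client run: the chain as it was walked, any
    'verify error' lines, the final verify code, leaf subject and session."""
    result = {"chain": [], "errors": [], "verify_code": None,
              "verify_text": None, "subject": None,
              "protocol": None, "cipher": None}
    for line in output.splitlines():
        if m := DEPTH_RE.match(line):
            result["chain"].append((int(m.group(1)), m.group(2)))
        elif m := VERIFY_ERROR_RE.match(line):
            result["errors"].append((int(m.group(1)), m.group(2)))
        elif m := FINAL_CODE_RE.match(line):
            result["verify_code"] = int(m.group(1))
            result["verify_text"] = m.group(2)
        elif m := SUBJECT_RE.match(line):
            result["subject"] = m.group(1)
        elif m := PROTOCOL_RE.match(line):
            result["protocol"] = m.group(1)
        elif m := CIPHER_RE.match(line):
            result["cipher"] = m.group(1)
    return result


def cn_from_dn(dn):
    """Extract the CN from either DN spelling s_client uses:
    'C = NL, ..., CN = supl.nokia.com' or '/C=NL/.../CN=supl.nokia.com'."""
    m = re.search(r"CN\s*=\s*([^/,]+)", dn or "")
    return m.group(1).strip() if m else None


def verification_ok(result, expected_host):
    """Trust the handshake only if the final code is 0, no 'verify error'
    line appeared, and the leaf names the host we dialled. s_client only
    shows the CN; a real client also checks subjectAltName."""
    return (result["verify_code"] == 0
            and not result["errors"]
            and cn_from_dn(result["subject"]) == expected_host)


# Sample 1: abridged from the successful Ubuntu 12.04 run in the thread.
GOOD_RUN = """\
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = NL, ST = Noord-Brabant, L = Veldhoven, O = HERE Global BV, CN = supl.nokia.com
verify return:1
---
subject=/C=NL/ST=Noord-Brabant/L=Veldhoven/O=HERE Global BV/CN=supl.nokia.com
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
"""

# Sample 2: constructed. The issuer of the intermediate is missing from the
# local CA store, so the walk stops at depth 1 and the final code is 20.
# s_client still prints "verify return:1" after the error because by
# default it continues the handshake anyway.
BAD_RUN = """\
CONNECTED(00000003)
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = NL, ST = Noord-Brabant, L = Veldhoven, O = HERE Global BV, CN = supl.nokia.com
verify return:1
---
subject=/C=NL/ST=Noord-Brabant/L=Veldhoven/O=HERE Global BV/CN=supl.nokia.com
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
"""

if __name__ == "__main__":
    for name, run in (("good", GOOD_RUN), ("bad", BAD_RUN)):
        r = parse_s_client(run)
        print(name, r["verify_code"], r["verify_text"],
              "chain depth", len(r["chain"]),
              "ok" if verification_ok(r, "supl.nokia.com") else "NOT ok")
```

Pipe a real run through it with `openssl s_client -connect host:port -CAfile bundle.crt </dev/null | python3 check.py` after replacing the samples with `sys.stdin.read()`; the chain length also tells you at which depth the walk stopped, which is the quickest way to see whether the leaf, an intermediate or the root is the certificate the device's store is missing.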
Posts: 3,007 | Thanked: 12,351 times | Joined on Mar 2010 @ Sofia,Bulgaria
#243
Originally Posted by pali
Anyway, on Ubuntu 12.04 verification to supl.nokia.com:7275 passes:
Code:
...
So... is it really a problem with certificates?
Yes, it is a problem with certificates; Ubuntu and Debian seem to provide outdated certs.
__________________
Never fear. I is here.

720p video support on N900,SmartReflex on N900,Keyboard and mouse support on N900
Nothing is impossible - Stable thumb2 on n900

Community SSU developer
kernel-power developer and maintainer

 

The Following 2 Users Say Thank You to freemangordon For This Useful Post:
Posts: 430 | Thanked: 2,165 times | Joined on Oct 2009
#244
I found a different fix that doesn't need any patches to location-proxy.
The latest maemo-security-certman tree contains that fix which is now working just fine on the N900 sitting in front of me.
Nice fast GPS lock.

The fix involves putting the old insecure VeriSign certificate into a separate certificate store that location-proxy will load but that microb and other things won't.

This is with supl.nokia.com btw.
 

The Following 4 Users Say Thank You to jonwil For This Useful Post:
Posts: 2,129 | Thanked: 8,325 times | Joined on May 2010
#245
Originally Posted by freemangordon
Yes, it is a problem with certificates; Ubuntu and Debian seem to provide outdated certs.
Ah... that's not good.


Originally Posted by jonwil
I found a different fix that doesn't need any patches to location-proxy.
The latest maemo-security-certman tree contains that fix which is now working just fine on the N900 sitting in front of me.
Nice fast GPS lock.

The fix involves putting the old insecure VeriSign certificate into a separate certificate store that location-proxy will load but that microb and other things won't.

This is with supl.nokia.com btw.
How do you force location-proxy to load certs from that new store?
 

The Following User Says Thank You to pali For This Useful Post:
Posts: 430 | Thanked: 2,165 times | Joined on Oct 2009
#246
location-proxy already has code in there that loads from the new store (added by Nokia for reasons unknown).
 

The Following 5 Users Say Thank You to jonwil For This Useful Post:
Posts: 454 | Thanked: 515 times | Joined on Sep 2010 @ Krugersdorp
#247
We might have reached the end. supl.nokia.com resolves to 127.0.0.1 at this time :-(
 

The Following 3 Users Say Thank You to sicelo For This Useful Post:
Posts: 430 | Thanked: 2,165 times | Joined on Oct 2009
#248
Google brought up this link showing the IP details for supl.nokia.com:
http://supl.nokia.com.ipaddress.com/

If I add 35.157.6.107 supl.nokia.com to /etc/hosts on my N900, it seems to work (Nokia Maps works and finds an accurate location, location-test gets a fast connection to satellites etc.)
So until/unless the SUPL server running on the Amazon AWS instance answering at that IP address goes away, this should be a good short term fix.

That IP address is probably the best one to use since it's the actual last known IP address of supl.nokia.com.

Going forward, maemo should run its own SUPL server as recently suggested by DocScrutinizer05 and freemangordon...

EDIT:
I found this other link
http://www.ip-tracker.org/locator/ip...Supl.nokia.com
which lists an IP address of 52.22.201.16 (also an AWS instance)
along with https://www.robtex.com/dns-lookup/supl.nokia.com that lists a bunch of IP addresses.

The first one I found seems to work though so I will stick with it until something else happens (supl.nokia.com DNS returns a valid IP again, alternative SUPL server is set up or whatever)

EDIT 2:
It's possible the different IP addresses all point to different instances running the same SUPL code (i.e. distributing the load over multiple Amazon AWS instances) or something (I don't know how Amazon AWS works).

Last edited by jonwil; 2017-03-08 at 12:55.
 

The Following 7 Users Say Thank You to jonwil For This Useful Post:
Posts: 42 | Thanked: 139 times | Joined on Jun 2010 @ Germany, Berlin
#249
Originally Posted by jonwil
...
along with https://www.robtex.com/dns-lookup/supl.nokia.com that lists a bunch of IP addresses.
Via http://geoip.ubuntu.com/lookup/?ip=52.22.201.16 and the others listed in that bunch I got the following result:

35.157.6.107 : <TimeZone>Europe/Berlin
52.213.194.13 : <TimeZone>Europe/Dublin
52.220.245.140 : <TimeZone>Asia/Singapore
52.22.201.16 : <TimeZone>America/New_York
52.3.37.45 : <TimeZone>America/New_York
52.74.234.216 : <TimeZone>Asia/Singapore
54.171.105.63 : <TimeZone>Europe/Dublin

So everyone could set the one nearest to their main location in /etc/hosts with a new line like, for example:
Code:
52.22.201.16 supl.nokia.com
EDIT:
I can't ping any of the above except the one from Berlin, 35.157.6.107.
52.213.194.13, 52.220.245.140, 52.74.234.216 don't seem to answer SUPL requests. So the remaining list should be

35.157.6.107 : <TimeZone>Europe/Berlin
52.22.201.16 : <TimeZone>America/New_York
52.3.37.45 : <TimeZone>America/New_York
54.171.105.63 : <TimeZone>Europe/Dublin

No Asia anymore ...

EDIT 2:
And unfortunately the certificate for supl.nokia.com is only valid until May 15 23:59:59 2017 GMT. Hope it will be renewed again ...

Cheers, Ulle

Last edited by Ulle; 2017-03-08 at 15:45.
 

The Following 5 Users Say Thank You to Ulle For This Useful Post:
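An added example covering the /etc/hosts workaround that jonwil (#248) and Ulle (#249) describe; it is not code from either post. It treats the override as an idempotent edit of an /etc/hosts-style file: the address is validated, any earlier mapping for the name is removed first so the file never holds two answers for supl.nokia.com, the new line is tagged so it can be found and removed later, and multi-name lines lose only the one name. The sample file content is constructed; the addresses are the ones quoted in the thread. One thing worth keeping in mind when using such an override: it takes DNS out of the picture, so the certificate check against CN=supl.nokia.com is what still ties the connection to the intended server, which is one more reason to fix the trust store rather than disable validation.

```python
import ipaddress


def _split_entry(line):
    """Split one hosts line into (address, names, comment).
    Blank and comment-only lines come back as (None, [], comment)."""
    body, sep, comment = line.partition("#")
    fields = body.split()
    if not fields:
        return None, [], (comment if sep else None)
    return fields[0], fields[1:], (comment if sep else None)


def _join_entry(address, names, comment):
    line = "\t".join([address] + names)
    if comment is not None:
        line += " #" + comment
    return line


def is_valid_address(address):
    """True for a syntactically valid IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False


def lookup(hosts_text, hostname):
    """Address the file maps hostname to, or None. First match wins,
    which is also what the resolver does, so order matters."""
    want = hostname.lower()
    for line in hosts_text.splitlines():
        address, names, _ = _split_entry(line)
        if address and want in (n.lower() for n in names):
            return address
    return None


def remove_override(hosts_text, hostname):
    """Drop hostname from every entry; a line left with no names is removed,
    a line that also served other names keeps those names."""
    want = hostname.lower()
    out = []
    for line in hosts_text.splitlines():
        address, names, comment = _split_entry(line)
        if address is None or want not in (n.lower() for n in names):
            out.append(line)
            continue
        remaining = [n for n in names if n.lower() != want]
        if remaining:
            out.append(_join_entry(address, remaining, comment))
    return "\n".join(out) + ("\n" if out else "")


def set_override(hosts_text, hostname, address, tag="supl override"):
    """Pin hostname to address. Raises ValueError for a malformed address."""
    if not is_valid_address(address):
        raise ValueError("not an IP address: %r" % (address,))
    cleaned = remove_override(hosts_text, hostname)
    if cleaned and not cleaned.endswith("\n"):
        cleaned += "\n"
    return cleaned + _join_entry(address, [hostname], " " + tag) + "\n"


# Constructed sample of an N900's /etc/hosts before the change.
SAMPLE_HOSTS = """\
127.0.0.1\tlocalhost Nokia-N900
# IPv6
::1\tlocalhost6
"""

if __name__ == "__main__":
    updated = set_override(SAMPLE_HOSTS, "supl.nokia.com", "35.157.6.107")
    print(updated)
    print("supl.nokia.com ->", lookup(updated, "supl.nokia.com"))
    print(remove_override(updated, "supl.nokia.com") == SAMPLE_HOSTS)
```

On the device itself the text would be read from and written back to /etc/hosts as root; writing to a temporary file and renaming it over the original keeps a half-written hosts file from ever being visible to the resolver.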
Tags
a-gps, nokia n900