Reply
Thread Tools
peterleinchen's Avatar
Posts: 4,117 | Thanked: 8,901 times | Joined on Aug 2010 @ Ruhrgebiet, Germany
#121
I believe he inserted/refreshed a cert in our store and then the cmcli also succeeded, which failed previously (and if I interprete it right, he succeeded in getting supl data from Nokia?). As I played also with a lot of certs/adding/deleting from common-ca and did not succeed at all, I am waiting eagerly for more details ...
__________________
SIM-Switcher, automated SIM switching with a Double (Dual) SIM adapter
--
Thank you all for voting me into the Community Council 2014-2016!

Please consider your membership / supporting Maemo e.V. and help to spread this by following/copying this link to your TMO signature:
[MC eV] Maemo Community eV membership application, http://talk.maemo.org/showthread.php?t=94257

editsignature, http://talk.maemo.org/profile.php?do=editsignature
 

The Following 3 Users Say Thank You to peterleinchen For This Useful Post:
Posts: 3,074 | Thanked: 12,960 times | Joined on Mar 2010 @ Sofia,Bulgaria
#122
Well I actually removed one

The certificate in question is 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1. Not that there is something wrong with that certificate, but it seems maemo certman has a bug.

There are 2 verisign root certificates with the same public key:
00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61 and 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1. certificate chain of supl.nokia.com cert ends up with 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61, but it seems certman tries to use 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1 instead. So the verification fails.

I didn't debug it, so the actual thing that happens could be a slightly different, however, removing both 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61 and 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1 and reimporting 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61 workarounds the problem.

seems https://gitorious.org/community-ssu/...c074bfeef6a622 is not enough for multiple-keys-same-public to work on Fremantle. I'll debug the whole mess when I have some free time. Wouldn't try to stop anyone to do the same ofc
__________________
Never fear. I is here.

720p video support on N900,SmartReflex on N900,Keyboard and mouse support on N900
Nothing is impossible - Stable thumb2 on n900

Community SSU developer
kernel-power developer and maintainer

 

The Following 8 Users Say Thank You to freemangordon For This Useful Post:
Guest | Posts: n/a | Thanked: 0 times | Joined on
#123
Hmm, I have created a PEM certificate file of the root certificate indicated when connecting to supl.nokia com, also in the zip, is the original crt file.

Code:
root@bt:~# openssl s_client -connect supl.nokia.com:7275                        CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=FI/ST=Espoo/O=Nokia/CN=supl.nokia.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFWTCCBEGgAwIBAgIQHpGupbIVFaSG2r4A10yDuzANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTIwNDE2
MDAwMDAwWhcNMTUwNDE2MjM1OTU5WjBGMQswCQYDVQQGEwJGSTEOMAwGA1UECBMF
RXNwb28xDjAMBgNVBAoUBU5va2lhMRcwFQYDVQQDFA5zdXBsLm5va2lhLmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+Ge5eqh68YHvnlvwvJTX36
MJbIvxyqljUarJldINPbp2d2aabRFzr7B7GVbITFLC94djgUKj0TNFpHfTpffmSo
uSWYp8WYNQHCeNO2yezAOVvWhFwFixp2e3/hWi6bmVt+A7jfDN8pOnugZRIkgHxz
6czndRqDAWA/zIi8w5sBPRqQGKS8QnPqcYhtmqh8nVbzCp2JweV8sdg9SnvCyR1a
jIPjqiDXl6hjZQ1w0vckXivr0vB88tmm8ReTvP3plhZXub1ggL2wB7O+jHmRslJF
nlcRQMHc6vVwMWJobjzp8audHxZOX1sCKGVJCLC40MGnyIxIOObPizT3dHLfcQEC
AwEAAaOCAdEwggHNMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMEUGA1UdHwQ+MDww
OqA4oDaGNGh0dHA6Ly9TVlJTZWN1cmUtRzMtY3JsLnZlcmlzaWduLmNvbS9TVlJT
ZWN1cmVHMy5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgGCCsGAQUF
BwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBQNRFwWU0TBgn4dIKsl9AFj2L55
pTB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlz
aWduLmNvbTBABggrBgEFBQcwAoY0aHR0cDovL1NWUlNlY3VyZS1HMy1haWEudmVy
aXNpZ24uY29tL1NWUlNlY3VyZUczLmNlcjBuBggrBgEFBQcBDARiMGChXqBcMFow
WDBWFglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsHiyEF
GDAmFiRodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJKoZI
hvcNAQEFBQADggEBABx2tb0EQch660oL98RMtEXCQtkCOLPfFQO5X2YS29Tw9a/f
xi/RcmyUN+XuCScgFzvT7tmnaCmuxd6SNqUo/cSF1XRx1m+23RNgA9APVm8uEZ5/
GSswd8DTKU0Gkh2xS8UDS6mqMtST8oFzWiQlinSlfiOvr51PZtQEiQZUzFqKJlbF
yC1BnlIyGokHTt3Izh4CXFrGbZRo4WZSybmu9O/+ziI1smArNIRnMdeinP8mi/y3
atok31Rw1+/qi3142GTVYilfvuJB5zVJu2lnvU7gSSaQr7tuerk47An5rZddMDuf
uzc0MT9HOXlAdTCyqhxEc7ymsSeRFmFGTyIap58=
-----END CERTIFICATE-----
subject=/C=FI/ST=Espoo/O=Nokia/CN=supl.nokia.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4857 bytes and written 631 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 8FB277CE00000000000000000000000000003570521EF965000000008F0240C0
    Session-ID-ctx:
    Master-Key: 5061BB36F33A7171F87DB1541E127EE58905A40D8463FE672B4349F1097DFD717D5E6DFED58E515A614719CAF8EEBF1F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1377760865
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
I will test later (my N900 needs a reflash :/)
Attached Files
File Type: zip pca3-g5-3.zip (2.7 KB, 83 views)
 
Posts: 3,074 | Thanked: 12,960 times | Joined on Mar 2010 @ Sofia,Bulgaria
#124
@nieldk: there is one more certificate on top of the one you bolded, do:

cmcli -s -T common-ca -v supl.nokia.com:7275

(this will save the whole certificate chain as .pem files) and you'll see there are 4 .pems saved, not 3.

EDIT: nevermind, seems I misread your post
__________________
Never fear. I is here.

720p video support on N900,SmartReflex on N900,Keyboard and mouse support on N900
Nothing is impossible - Stable thumb2 on n900

Community SSU developer
kernel-power developer and maintainer

 

The Following 3 Users Say Thank You to freemangordon For This Useful Post:
peterleinchen's Avatar
Posts: 4,117 | Thanked: 8,901 times | Joined on Aug 2010 @ Ruhrgebiet, Germany
#125
YEP!

A THOUSAND THANKS !!!

One mistake above: it iks the second one (with the "-1") that needs to be readded.
And I needed a reboot to make location library aware.

I never thought of removing that one (verisign), actually both and reinstalling only the second one. I fiddled with exactly that cert, but failed miserable due to missing cert experience.

Will do now a second reboot for verification.
__________________
SIM-Switcher, automated SIM switching with a Double (Dual) SIM adapter
--
Thank you all for voting me into the Community Council 2014-2016!

Please consider your membership / supporting Maemo e.V. and help to spread this by following/copying this link to your TMO signature:
[MC eV] Maemo Community eV membership application, http://talk.maemo.org/showthread.php?t=94257

editsignature, http://talk.maemo.org/profile.php?do=editsignature
 

The Following 3 Users Say Thank You to peterleinchen For This Useful Post:
Posts: 3,074 | Thanked: 12,960 times | Joined on Mar 2010 @ Sofia,Bulgaria
#126
@peterleinchen: "the mistake" could be related to the order of the hashes.

EDIT:

don't forget to "perl /usr/bin/c_rehash /etc/certs/common-ca" after every change to the certificate store
__________________
Never fear. I is here.

720p video support on N900,SmartReflex on N900,Keyboard and mouse support on N900
Nothing is impossible - Stable thumb2 on n900

Community SSU developer
kernel-power developer and maintainer


Last edited by freemangordon; 2013-08-29 at 07:48.
 

The Following 5 Users Say Thank You to freemangordon For This Useful Post:
peterleinchen's Avatar
Posts: 4,117 | Thanked: 8,901 times | Joined on Aug 2010 @ Ruhrgebiet, Germany
#127
Originally Posted by freemangordon View Post
@peterleinchen: "the mistake" could be related to the order of the hashes.
Could be, as I failed with reinserting both certs, but in reversed order!

Nevertheless:
after the second clearing cache (gconftool/reboot), I got a fix within 5-10 seconds from supl.nokia.com.

We ARE back, Nokia!

Thank you freemangordon


Originally Posted by freemangordon View Post
EDIT:

don't forget to "perl /usr/bin/c_rehash /etc/certs/common-ca" after every change to the certificate store
edit to your edit:
WHAT?
Never knew/did that. What is this about?
It worked for without that rehashing (some kind of aegis here? )

--edit
Another edit aimed to nieldk
What PR version do you have?

Is it possibly "only" PR1.3 and not PR1.3.1 (with some cert updates/revocations)?
Idk when this problem arised, but could it be due to that one?
__________________
SIM-Switcher, automated SIM switching with a Double (Dual) SIM adapter
--
Thank you all for voting me into the Community Council 2014-2016!

Please consider your membership / supporting Maemo e.V. and help to spread this by following/copying this link to your TMO signature:
[MC eV] Maemo Community eV membership application, http://talk.maemo.org/showthread.php?t=94257

editsignature, http://talk.maemo.org/profile.php?do=editsignature

Last edited by peterleinchen; 2013-08-29 at 07:58.
 

The Following 3 Users Say Thank You to peterleinchen For This Useful Post:
Posts: 3,074 | Thanked: 12,960 times | Joined on Mar 2010 @ Sofia,Bulgaria
#128
Originally Posted by peterleinchen View Post
Could be, as I failed with reinserting both certs, but in reversed order!

Nevertheless:
after the second clearing cache (gconftool/reboot), I got a fix within 5-10 seconds from supl.nokia.com.

We ARE back, Nokia!

Thank you freemangordon



edit to your edit:
WHAT?
Never knew/did that. What is this about?
It worked for without that rehashing (some kind of aegis here? )

--edit
Another edit aimed to nieldk
What PR version do you have?

Is it possibly "only" PR1.3 and not PR1.3.1 (with some cert updates/revocations)?
Idk when this problem arised, but could it be due to that one?
http://www.tin.org/bin/man.cgi?section=1&topic=c_rehash
__________________
Never fear. I is here.

720p video support on N900,SmartReflex on N900,Keyboard and mouse support on N900
Nothing is impossible - Stable thumb2 on n900

Community SSU developer
kernel-power developer and maintainer

 

The Following 2 Users Say Thank You to freemangordon For This Useful Post:
Guest | Posts: n/a | Thanked: 0 times | Joined on
#129
Originally Posted by peterleinchen View Post
Another edit aimed to nieldk
What PR version do you have?
I have pr1.3 (flashes too often and never bothers to do the 1.3.1)
With, KP52 as kernel.
 
Posts: 46 | Thanked: 160 times | Joined on Jun 2010 @ Germany, Berlin
#130
Wow, I almost can't believe it: Nokia N900 can use supl.nokia.com again!!!

Anyway, I didn't have a file/cert 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1.pem , just the one without the -1 .
What was workin for me was (as root):
Code:
mkdir /tmp/supl/ ; cd /tmp/supl/ ; cmcli -s -T common-ca -v supl.nokia.com:7275 ; for CERT in `ls -1 *.pem` ; do cmcli -c common-ca -r ${CERT%%.*} ; cmcli -c common-ca -r ${CERT%%.*}-1 ; cmcli -c common-ca -a ${CERT} ; done
With
Code:
cmcli -T common-ca -v supl.nokia.com:7275
I got a "Verified OK".
Setting location server to supl.nokia.com then gave me the nearby fix within 5 secs. Yey!

@freemangordon: Where did you find the -s flag for cmcli ? It is not shown as an option when called without any param.

Edit: typo ...

Last edited by Ulle; 2013-08-29 at 10:49.
 

The Following 3 Users Say Thank You to Ulle For This Useful Post:
Reply

Tags
a-gps, nokia n900

Thread Tools

 
Forum Jump


All times are GMT. The time now is 14:08.