#1 jonwil (Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009)
I updated the root certificate set in maemo-security-certman (and hence microb) to the latest Mozilla root certificate set and now some sites have stopped working (e.g. https://www.microsoft.com and anything using Entrust certificates, including https://www.entrust.com itself). These sites work just fine with the previous maemosec-certman-common-ca version but not with the new set.

Is there anyone out there who knows anything about SSL, certificate authorities, NSS, etc. who can help me figure out why sites that work fine with the old set of root certificates somehow don't work with the new set?

#2 jonwil (Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009)
I tested with openssl s_client and the new set of root CAs, and sites that fail in microb work in openssl, so that suggests it's microb-engine or NSS failing somewhere.

#3 Feathers McGraw (Posts: 654 | Thanked: 2,368 times | Joined on Jul 2014 @ UK)
Did you run the c_rehash command to generate symlinks that match the certificate hashes? Some apps can't find the right root cert without them.

#4 jonwil (Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009)
c_rehash is run automatically by the postinst script for maemosec-certman-common-ca, so it's covered.
Microb/nss isn't using the files c_rehash creates in any case.

#5 Feathers McGraw (Posts: 654 | Thanked: 2,368 times | Joined on Jul 2014 @ UK)
Haven't some types of cert validation been retired recently (was it MD5?)? Maybe microb is missing the mechanism that replaces it - presumably that's what changed with the new certificates?

Edit: see here http://blog.cacert.org/2015/12/re-si...t-certificate/

Last edited by Feathers McGraw; 2016-02-09 at 09:58. Reason: add link

#6 jonwil (Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009)
Have further verified that the CA certificates are not broken (and that NSS or Gecko is at fault) by running cmcli -T common-ca -v www.microsoft.com:443 and similar on various domains that are broken.

So now I am going to read the microb-engine source code and find where the error I get comes from, and then get into microb-engine/nss via GDB and trace to see why it's giving the error in question.

#7 Ilew (Posts: 75 | Thanked: 269 times | Joined on Aug 2012)
Have you tried running nsscfg and copying the db files generated to /home/user/.mozilla/microb/*.db?

The db files are:
key3.db
cert8.db
secmod.db

#8 jonwil (Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009)
That doesn't help since the root certificates aren't connected to those 3 .db files.

At this point I am now convinced that something in some of the new root certificates (new PKCS#11 extension, new algorithm, new flags, something removed or whatever) is not supported by the NSS/security code we have in the current microb-engine codebase. How we can update NSS (and make any necessary changes elsewhere in the microb-engine code to support new things like newer TLS versions and stuff) is something I am playing with, although I haven't figured it out yet.

#9 Ilew (Posts: 75 | Thanked: 269 times | Joined on Aug 2012)
I installed your deb packages to see the error but it seems to be working for me.

Any ideas?

Code:
Nokia-N900:~# apt-cache policy libmaemosec0
libmaemosec0:
  Installed: 0.2.4
  Candidate: 0.2.4
  Version table:
 *** 0.2.4 0
        100 /var/lib/dpkg/status
     0.2.3 0
        500 http://repository.maemo.org fremantle/free Packages
     0.2.2 0
        500 http://repository.maemo.org fremantle/free Packages
        500 http://maemo.merlin1991.at fremantle/free Packages
     0.2.1 0
        500 http://repository.maemo.org fremantle/free Packages
     0.2.0 0
        500 http://repository.maemo.org fremantle/free Packages
Nokia-N900:~# apt-cache policy maemosec-certman-common-ca
maemosec-certman-common-ca:
  Installed: 0.2.4
  Candidate: 0.2.4
  Version table:
 *** 0.2.4 0
        100 /var/lib/dpkg/status
     0.2.3 0
        500 http://repository.maemo.org fremantle/free Packages
     0.2.2 0
        500 http://repository.maemo.org fremantle/free Packages
        500 http://maemo.merlin1991.at fremantle/free Packages
     0.2.1 0
        500 http://repository.maemo.org fremantle/free Packages
     0.2.0 0
        500 http://repository.maemo.org fremantle/free Packages
Nokia-N900:~# apt-cache policy maemosec-certman-tools    
maemosec-certman-tools:
  Installed: 0.2.4
  Candidate: 0.2.4
  Version table:
 *** 0.2.4 0
        100 /var/lib/dpkg/status
     0.2.3 0
        500 http://repository.maemo.org fremantle/free Packages
     0.2.2 0
        500 http://repository.maemo.org fremantle/free Packages
        500 http://maemo.merlin1991.at fremantle/free Packages
     0.2.1 0
        500 http://repository.maemo.org fremantle/free Packages
     0.2.0 0
        500 http://repository.maemo.org fremantle/free Packages
Nokia-N900:~# apt-cache policy libmaemosec-certman0  
libmaemosec-certman0:
  Installed: 0.2.4
  Candidate: 0.2.4
  Version table:
 *** 0.2.4 0
        100 /var/lib/dpkg/status
     0.2.3 0
        500 http://repository.maemo.org fremantle/free Packages
     0.2.2 0
        500 http://repository.maemo.org fremantle/free Packages
        500 http://maemo.merlin1991.at fremantle/free Packages
     0.2.1 0
        500 http://repository.maemo.org fremantle/free Packages
     0.2.0 0
        500 http://repository.maemo.org fremantle/free Packages

#10 jonwil (Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009)
Ok, that is very weird that it works for you when it doesn't for me.
Can you post the contents of /etc/certs and /etc/secure on your N900 so I can compare them to what I have and make sure they are the same? (shouldn't contain anything personal or private)

Also can you share the apt-cache output for libnspr4, libnss3-certs, libnss3, microb-engine-common and microb-engine?

And are you using CSSU?