maemo.org - Talk


bradvesp 2018-07-15 23:20

Security certificates have expired.
 
Ugh, so many security certificates have expired. I keep getting a "No cypher overlap" error message when I use the maemo web browser. Opera's only a little better.

jonwil 2018-07-15 23:34

Re: Security certificates have expired.
 
It's got nothing to do with security certificates expiring. The problem is that many websites now require TLS 1.2 (because TLS 1.2 is a lot more secure than the older TLS 1.0 standard) and the Maemo web browser doesn't support TLS 1.2. I have been trying to find a way to get TLS 1.2 support into the Maemo browser but so far have not had any success with my plans.

Fellfrosch 2018-07-16 08:05

Re: Security certificates have expired.
 
My solution at the moment is webcat, which is also a nice browser. Anyway, I think there is a need to bring the stock browser up to the current state of the art.

Halftux 2018-07-16 09:11

Re: Security certificates have expired.
 
Quote:

Originally Posted by Fellfrosch (Post 1546284)
My solution at the moment is webcat,

So where can I get webcat for maemo5 then?

@jonwil you have done a great job with the qt fixes. So could there be a possibility of a web browser on a Qt basis which profits from your TLS patches? Like with my qt applications, they are working now with TLS 1.2. Thanks for that.
Or does QtWebKit not use the network modules from Qt?
Or how about this QML browser: is a recompilation with your latest cssu patches maybe the key to a browser that works right out of the box?

Fellfrosch 2018-07-16 09:47

Re: Security certificates have expired.
 
Good question ;)
Stupid me totally overlooked that it is an N900 thread.
SORRY!

p.s. Maybe you can at least find some comfort with the knowledge, that also the Sailfish stock browser is somewhat outdated ;P

Halftux 2018-07-16 09:48

Re: Security certificates have expired.
 
Btw the Dillo webbrowser in debian sid is compiled against openssl 1.1.
And it is already in the maemo repository. So including the latest debian patches and compiling against latest cssu openssl could be a solution for the tls 1.2 problem. It will not be useable for people who like to visit javascript sites.

Maybe it is worth a try.

jonwil 2018-07-17 10:45

Re: Security certificates have expired.
 
The best solution I suspect will be to somehow get the latest Debian QT 4.x version (with all the Debian local patches) working completely on Maemo Fremantle (which will require identifying all the maemo-local QT patches and forward porting them and also fixing anything that needs fixing due to the newer QT needing newer versions of libraries than Maemo Fremantle has). Then we need to find an existing QT4.x/webkit/whatever-based browser with the needed features that can run on Maemo and port it over (mostly there may need to be features like whatever it is that brings up the phone dialer when you click phone numbers in a web page).

I don't have the time right now to contribute to the effort but I would love a better browser on the N900 that can run TLS 1.2 web sites and all the other things that just won't run on the N900's ancient engine because they use more modern HTML/CSS/JS/etc features.

bradvesp 2019-08-13 12:31

Re: Security certificates have expired.
 
Bumping this thread up and onto The Active Topics.

sulu 2019-08-17 08:57

Re: Security certificates have expired.
 
Quote:

Originally Posted by jonwil (Post 1546281)
The problem is that many websites now require TLS 1.2 (because TLS 1.2 is a lot more secure than the older TLS 1.0 standard) and the Maemo web browser doesn't support TLS 1.2.

I just uploaded a netsurf 3.9 build for Easy Debian that should support up to TLS 1.3:

https://talk.maemo.org/showthread.ph...69#post1559169

bradvesp 2019-08-20 12:18

Re: Security certificates have expired.
 
I forgot there was a workaround to this problem; found it months ago. The following, or any well configured, proxy website will circumvent the errors:

https://proxy.toolur.com/

ric9K 2019-11-09 21:46

Re: Security certificates have expired.
 
Quote:

Originally Posted by bradvesp (Post 1559323)
I forgot there was a workaround to this problem; found it months ago. The following, or any well configured, proxy website will circumvent the errors:

https://proxy.toolur.com/

Thanks but can we be sure nobody is reading what goes through this proxy?
Example: I'm trying to read webmail from my n900. Is it secure to use this proxy with passwords and mails?

Can someone open https://webmail1.infomaniak.com from any n900 browser?

I was unable with (CSSUt) microb, midori, fennec, opera ED-iceweasel, ED-epiphany, ED-netsurf...

My ED is debian_jessie2sulu_armhf.img

I know and read threads/debates about security updates on n900
I know there is maybe no solution (at the moment?) but pffff... just this site... just webmail!

All the best

Maemish 2019-11-10 21:07

Re: Security certificates have expired.
 
1 Attachment(s)
Opera 12,1beta1-16 with tls/ssl 1.2

ric9K 2019-11-18 18:31

Re: Security certificates have expired.
 
Great!
But how come?
I have the same version installed on cssu testing but no way, I get an error 552.

All these ssl questions are a bit dark to me.

How did you upgrade the ssl/tls things for opera?

Thanks
Eric

Maemish 2019-11-19 06:53

Re: Security certificates have expired.
 
Check a thread I started "Devel upgrades". Was it Halftux who gave some instructions with openssl. But don't do sudo apt-get upgrade with devel repos. I have done it a couple of times. Makes N900 a bit unstable. There are some tls ssl threads here. But I think that the qt core upgrade with openssl stuff could do the trick.

jonwil 2019-11-19 08:34

Re: Security certificates have expired.
 
IMO the best hope for solving this issue would be to find a webkit-based browser setup that works on the N900 (and works with decent performance) and then add the necessary encryption support to that (I already have a fork of QT that supports TLS 1.2 that is being used for the Fahrplan public transport journey planning app)

ric9K 2019-11-19 08:50

Re: Security certificates have expired.
 
Thanks Maemish,

Yes it is here

When I tried it, I had a problem with backupmenu password (see on the thread)
I'll retry and test Opera.

(edit: url error)

ric9K 2019-11-19 11:48

Re: Security certificates have expired.
 
Quote:

Originally Posted by Maemish (Post 1562262)
Check a thread I started "Devel upgrades". Was it Halftux who gave some instructions with openssl. But don't do sudo apt-get upgrade with devel repos. I have done it a couple of times. Makes N900 a bit unstable. There are some tls ssl threads here. But I think that the qt core upgrade with openssl stuff could do the trick.

@Maemish, didn't you install/modify something else? Because even after installing what Halftux said, Opera doesn't open the page.

I verified: backupmenu password not working since installing what Halftux proposed (it is reversible) because the only libssl available on the "rootfs" at the stage where BM is used is version 0.9.8. On the rootfs when the n900 has fully booted, I can find both versions of libssl, 0.9.8 and 1.1.

Halftux 2019-11-19 14:10

Re: Security certificates have expired.
 
On my device where I did my devel steps (certificates, openssl, qt4):
Opera does not open the webmail.
But qml browser does open it.

ric9K 2019-11-19 14:49

Re: Security certificates have expired
 
Ok, thanks for trying. Strange...

Maybe Maemish will remember what else he did...

I wonder now how to upgrade the libssl in the initramfs (or equivalent part) which is mounted as / during Backupmenu use...

ontime 2019-11-19 16:15

Re: Security certificates have expired.
 
2 Attachment(s)
I use Opera 11.50.14 on almost bare maemo. That webmail works when I check only tls1.2 in opera:config. When I check all tls 1.0, 1.1 and 1.2 this page fails with 552 code.

So try typing opera:config into the URL field, type 'tls' into the search, then uncheck 1.0 and 1.1 and check only TLS 1.2. Should be good on Opera 12 also.

ric9K 2019-11-19 16:51

Re: Security certificates have expired.
 
Working.
Delicious!!!
Lots of thanks to you guys for the help.
Some more months/years to go, no Fx to buy, beautiful.

Maemish 2019-11-19 19:19

Re: Security certificates have expired.
 
Sorry. That was the trick yes. But wasn't it also necessary to upgrade openssl and certs? So sorry. Having a real brain malfunction at the moment and on sick leave for it. Not the best to give working answers.

ric9K 2019-11-19 20:28

Re: Security certificates have expired.
 
Quote:

Originally Posted by Maemish (Post 1562302)
Sorry. That was the trick yes. But wasn't it also necessary to upgrade openssl and certs? So sorry. Having a real brain malfunction at the moment and on sick leave for it. Not the best to give working answers.

No problem, there is frequently no good answer but good parts of it.
Then we have to puzzle...
I guess it was necessary to upgrade these too as said by Halftux.
It's good to do what Halftux says :)

Except that we (hmmm... am I the last one who cares about Backupmenu's password?) still have the non-working password = free access to Backupmenu once new lib/openssl installed!

Maemish 2019-11-20 14:53

Re: Security certificates have expired.
 
I don't do backups. I do reflashes. About twenty in two years. Messing a lot. Almost brick device when once installed backup and tried to recover from there. Never again.

xman 2019-11-20 15:38

Re: Security certificates have expired.
 
I still love and use Backupmenu, with no issues. But will need to deal with the certs at some point myself.

x

Halftux 2019-11-20 20:29

Re: Security certificates have expired.
 
Quote:

Originally Posted by Maemish (Post 1562302)
But wasn't it also necessary to upgrade openssl and certs?

To install the latest certs shouldn't harm anything and should be done. Otherwise it is a security issue.
Openssl could break things but should not. Because in principle no other application will access directly the rehashed certificates and the old libssl is still available.
For backupmenu it is somehow special, it could be that it generates something which will be later encrypted with an older openssl. The question is why it jumps over the password query and doesn't stop.

For qt applications to profit from the new openssl, it is necessary to install the patched qt. This could break qt applications due to historical reasons. In the past it was not the qt library which got fixed first. Many applications switched from secure protocols to only-tlsv1, which is now deprecated. Switching back and recompiling should fix this situation. Another way would be to patch the qt library so that only-tlsv1 will be redirected to secure protocols.

However, not every application uses openssl, we also have gnutls and nss. It is also possible that applications have their own ssl code and are not using the maemo infrastructure.

How Opera works I don't know, maybe it still uses nss.

ric9K 2019-11-20 21:56

Re: Security certificates have expired.
 
Quote:

Originally Posted by Halftux (Post 1562353)
...
For backupmenu it is somehow special, it could be that it generates something which will be later encrypted with an older openssl. The question is why it jumps over the password query and doesn't stop.
...

Because the case of an empty return from the openssl instruction seems not to be handled correctly. (If I dare, because I wouldn't have been able to write something like Backupmenu)

I took a look into usr/share/backupmenu, we see that Backupmenu compares the root encrypted password with the output of openssl.

If openssl returns nothing because it was looking for a lib which is not present, the shell (/bin/sh) has to compare a variable with nothing.
This is generating an error and it skips the instructions following the comparison (stop and reboot).

usr/share/backupmenu:
Code:

if [ -e /usr/share/backupmenu/lock-enable.txt ]; then #display password screen
        #clear display
        $T2S -c -x 16 -y 18 -w 768 -h 440
        y=20
        passhash=`cat /usr/share/backupmenu/lock-enable.txt`
        if [ -z "$passhash" ] || [ ! `expr length $passhash` == 13 ]; then
                passhash=`cat /etc/passwd | grep root |cut -d ':' -f 2`
        fi
        pass2dig=`echo "$passhash" | cut -c 1-2`
        for i in 1 2 3; do
                password=""
                $T2S -s 2 -H center -y $y -T 0 -t ">> Enter Password <<"; y=$((y+40))
               
                $T2S -s 2 -H left -y $y -T 0x0000 -t "  Alt/shift keys must be pressed one at a time"
                $T2S -s 2 -H left -y $y -T 0x0410 -t "  Alt shift"; y=$((y+20))
                getUserInputString 1
                password=$inputString
                y=$((y+60))
                encpass=`openssl passwd -crypt -salt "$pass2dig" "$password"`
                if [ $passhash == $encpass ]; then
                        break
                fi
                $T2S -s 2 -H center -y $y -T 0xF800 -t "Password wrong."; y=$((y+20))
        done

##################################################
#Is the error here in next line?
##################################################
        if [ ! $passhash == $encpass ]; then
                $T2S -s 2 -H center -y $y -T 0xF800 -t "You have entered an incorrect password 3 times"; y=$((y+20))
                $T2S -s 2 -H center -y $y -T 0xF800 -t "Rebooting in 30 seconds."; y=$((y+20))
                sleep 30
                reboot -f
                sleep 60
        fi
fi

Instead of

Code:

if [ ! $passhash == $encpass ]; then

Shouldn't we write this?

Code:

if [ ! x$passhash == x$encpass ]; then

But now, why is openssl not finding the right libssl once we installed version 1.1?
Because when I use it from within maemo, both libs are present.
When I test openssl from the terminal in Backupmenu, openssl complains about not finding version 1.1. And if I look for it with find, it is not there, effectively.

Isn't it the same root?
Is it a kind of initramsomething and not the definitive root filesystem?
But in this case, why is the new openssl installed on it?


edit: I meant:

Code:

if [ ! "x"$passhash == "x"$encpass ]; then

But Olf's solution below seems to be more correct:

Code:

if [ ! "$passhash" = "$encpass" ]; then

Halftux 2019-11-20 23:01

Re: Security certificates have expired.
 
Quote:

Originally Posted by ric9K (Post 1562358)
Isn't it the same root?
Is it a kind of initramsomething and not the definitive root filesystem?
But in this case, why is the new openssl installed on it?

The files get copied to a temp directory. But now the new openssl and the old libssl get copied.

Code:

cp /usr/lib/libssl.so.0.9.8 /tmp/disk/usr/lib/

/usr/share/backupmenu/extrafiles.tar.gz has a filelist.txt inside, which lists copied files and mounted folders. In principle you need to remove the old libssl library and add the new one.

olf 2019-11-21 00:44

Re: Security certificates have expired.
 
Quote:

Originally Posted by ric9K (Post 1562358)
[...] Instead of
Code:

if [ ! $passhash == $encpass ]; then

Shouldn't we write this?
Code:

if [ ! x$passhash == x$encpass ]; then

No.
The original is a classic case of non-failsafe coding. Quoting per " is the right measure.
Plus the == is an unnecessary bashism, which the bash man-page explicitly does not recommend to use.

Hence using
Code:

if [ ! "$passhash" = "$encpass" ]; then

there and three lines above would make the password comparison always correctly fail, because OpenSSL is not found to calculate the password hash to compare.

Thus that has to be resolved by adapting the environment variable PATH or LD_LIBRARY_PATH or other measures.
Then you may also leave Backup-Menu's code as it is.
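
Added example, not part of the thread and not Backupmenu's code: it reproduces the skipped lock-out discussed above and compares the unquoted test, olf's quoted test, and a variant that fails closed. toy_hash and broken_hash are constructed stand-ins for openssl passwd -crypt (working, and with libssl missing), the gate_* names are hypothetical, and = is used in place of == so it runs under any POSIX sh.

```sh
#!/bin/sh
# Added illustration, not Backupmenu's code; all function names are hypothetical.

# Constructed stand-in for `openssl passwd -crypt -salt SALT PASSWORD`.
# NOT crypt(3): it only produces a deterministic token so the demo runs offline.
toy_hash() { printf '%s%s' "$1" "$2" | cksum | cut -d ' ' -f 1; }

# Behaves like openssl with libssl.so.1.1 missing: no output, non-zero exit.
broken_hash() { return 127; }

# Arguments for every gate: $1 = hasher, $2 = stored hash, $3 = typed password.
# Return 0 = menu reachable, 1 = lock-out branch taken (reboot in the original).

# Unquoted operands, the shape of the check quoted in the thread.
gate_unquoted() {
    encpass=$("$1" ab "$3") || :   # exit status ignored, as in the original
    # Empty $encpass leaves `[ ! HASH = ]`: a usage error (status 2), which
    # `if` treats as false, so the lock-out body never runs.
    if [ ! $2 = $encpass ]; then
        return 1
    fi
    return 0
}

# olf's quoted form: an empty hash no longer matches a real stored hash.
gate_quoted() {
    encpass=$("$1" ab "$3") || :
    if [ ! "$2" = "$encpass" ]; then
        return 1
    fi
    return 0
}

# Fail closed: a hasher error or an empty value on either side is a denial,
# which also covers the case where the stored hash itself is empty.
gate_hardened() {
    encpass=$("$1" ab "$3") || return 1
    [ -n "$2" ] && [ -n "$encpass" ] && [ "$2" = "$encpass" ]
}

stored=$(toy_hash ab secret)       # constructed hash of the password "secret"
for gate in gate_unquoted gate_quoted gate_hardened; do
    for hasher in toy_hash broken_hash; do
        if "$gate" "$hasher" "$stored" wrong; then r=GRANTED; else r=denied; fi
        printf '%-14s %-12s wrong password: %s\n' "$gate" "$hasher" "$r"
    done
done
```

Only the gate_unquoted / broken_hash row reports GRANTED for a wrong password; the shell's own error message from [ appears on stderr at that point.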

ric9K 2019-11-21 07:43

Re: Security certificates have expired.
 
Quote:

Originally Posted by Maemish (Post 1562345)
I don't do backups. I do reflashes. About twenty in two years. Messing a lot. Almost brick device when once installed backup and tried to recover from there. Never again.

Don't abandon! Bm is a great help for messing ;)
If you intend to reflash, just be careful to reinstall the right (same as when you made the backup) kernel before restoring the rootfs and optfs. I have been blocked because of that problem once.

ric9K 2019-11-21 07:50

Re: Security certificates have expired.
 
Quote:

Originally Posted by olf (Post 1562370)
...
Hence using
Code:

if [ ! "$passhash" = "$encpass" ]; then

there and three lines above would make the password comparison always correctly fail
...

Ok, thanks, it works.


Quote:

Originally Posted by olf (Post 1562370)
...
Then you may also leave Backup-Menu's code as it is.
...

Sure, but if we can make BM code cleaner by the way...

ric9K 2019-11-21 11:30

Re: Security certificates have expired.
 
Quote:

Originally Posted by Halftux (Post 1562363)
The files get copied to a temp directory. But now the new openssl and the old libssl get copied.

Code:

cp /usr/lib/libssl.so.0.9.8 /tmp/disk/usr/lib/

/usr/share/backupmenu/extrafiles.tar.gz has a filelist.txt inside, which lists copied files and mounted folders. In principle you need to remove the old libssl library and add the new one.

Working.
Added
Code:

cp /usr/lib/libssl.so.1.1 /tmp/disk/usr/lib/
cp /usr/lib/libcrypto.so.1.1 /tmp/disk/usr/lib/

Backupmenu now manages passwords correctly.

