Posts: 60 | Thanked: 17 times | Joined on Feb 2008
#1
OK, this is fairly obscure, but I'll try it anyway. I have an amazon s3 online storage account (s3.amazonaws.com -- incredibly cheap, but also user unfriendly at first). I can access the account from my linux machine from the command line using Tim Kay's aws program

http://timkay.com/aws/

I would love to be able to upload files from my N810 to this storage. I did the following successfully on the N810:

1. installed curl (become root then apt-get install curl)
2. installed openssl
3. installed aws as shown on the above web site.

Now I can connect to amazonaws but as soon as I connect, I get a certificate problem like this:

* About to connect() to s3.amazonaws.com port 443
* Trying 207.171.191.241... connected
* Connected to s3.amazonaws.com (207.171.191.241) port 443
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS alert, Server hello (2):
SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:lib(20):func(144):reason(134)
* Closing connection #0

So it fails possibly because the program is using curl to access the web site, and curl looks for a certificate. The problem is that s3 doesn't use certificates for authentication. It uses an ID and Signature file which the program finds in a ~/.awssecret file.

Has anyone else experienced problems with curl on the N810 looking for certificates, or could anyone help me workaround this problem?
 
Posts: 289 | Thanked: 83 times | Joined on Jul 2006
#2
Originally Posted by dannemil
Has anyone else experienced problems with curl on the N810 looking for certificates, or could anyone help me workaround this problem?
The problem might be with OpenSSL. The OpenSSL configuration provided by Nokia is broken in regard to certificate handling... they use instead their own API and Cert-Store to handle certificates.

It is possible, though, to configure certificates on the NIT so that OpenSSL, and the utilities that depend on it, work fine. Take a look at my web page,

http://home.mminternet.com/~delaroca/

Look for the section on configuring certificates properly on the NIT.

-- Denis
 
Posts: 60 | Thanked: 17 times | Joined on Feb 2008
#3
Thanks for the quick reply. I have traced the problem to the way aws works (or doesn't work) on the Nokia. It should be possible since it is using curl to tell it to use --insecure mode, but that fails with the same error as above. I can use curl in --insecure mode, so it is something about the way aws is running on the NIT. I am trying to sort this out with Tim Kay, who is a big help in this regard, and will report back if we get it working.
 
Posts: 60 | Thanked: 17 times | Joined on Feb 2008
#4
I think from some errors that I received that curl on the N810 by default looks for a cert-bundle specifically in

/etc/ssl/certs/curl-ca-bundle.crt

when it uses ssl. But I found that unless I pass this file to curl on the command line with the --cacert option, then it fails to find the cert-bundle file.

So I keep getting failures on the N810 in trying to use aws to access s3 storage at amazonaws because aws is calling curl, but curl doesn't appear to be using the cert-file that it needs to go through the verification at amazonaws.
 
Posts: 289 | Thanked: 83 times | Joined on Jul 2006
#5
Originally Posted by dannemil
So I keep getting failures on the N810 in trying to use aws to access s3 storage at amazonaws because aws is calling curl, but curl doesn't appear to be using the cert-file that it needs to go through the verification at amazonaws.
I am not sure the OpenSSL in the NIT is configured to use the certs-bundle file... instead, it is looking for certs in /usr/lib/ssl/certs -- this directory is supposed to contain both Cert files, in PEM format, and their hash links. You could do this for the single cert that you need for Amazon. It's all explained in my web page, which I pointed you to earlier.

-- Denis
 
Posts: 60 | Thanked: 17 times | Joined on Feb 2008
#6
Originally Posted by delaroca
I am not sure the OpenSSL in the NIT is configured to use the certs-bundle file... instead, it is looking for certs in /usr/lib/ssl/certs -- this directory is supposed to contain both Cert files, in PEM format, and their hash links. You could do this for the single cert that you need for Amazon. It's all explained in my web page, which I pointed you to earlier.

-- Denis
Thanks, Denis. Being new at this, I am having a hard time figuring out this part:

When dealing with a remote server whose certificate does not validate, use openssl s_client -connect <remote-server>:<port> to trace the connection. The resulting output will show the remote server certificate, as well as its CA signing authority. If the certificate is self-signed, it suffices to add it to the Cert Store – do so by capturing the PEM dump of the cert in the output above.

---what do you mean by add it to the cert store?

If the certificate is signed by a CA, then its certificate must be located and added to /usr/lib/ssl/certs. With luck, such a CA cert exists in the n800's certificate manager DB and it suffices to export a copy.

I believe that amazonaws is signed by Verisign. But how is this different from what you just described above in terms of adding it to the cert store?

Also, curl lets you set an environment variable for the certs-bundle like this

CURL_CA_BUNDLE=/etc/ssl/certs/curl-ca-bundle.crt

Are you saying that curl on the NIT will not work that way if I set and export that environment variable?

Jim
 
Posts: 289 | Thanked: 83 times | Joined on Jul 2006
#7
Originally Posted by dannemil
Also, curl lets you set an environment variable for the certs-bundle like this

CURL_CA_BUNDLE=/etc/ssl/certs/curl-ca-bundle.crt

Are you saying that curl on the NIT will not work that way if I set and export that environment variable?
What I am saying is that the libcrypto library (the OpenSSL code) has been configured in the NIT to look for certs in /usr/lib/ssl/certs. For reasons I do not understand the cert-ca-bundle.crt file is not recognized in the NIT... as is on some other linux systems.

The certs are stored at the above location in PEM format, i.e., Verisign1.pem, Verisign2.pem, etc. Then you have to build symbolic links to them using their x509 hashes. It's a tad complicated but a shell script to do this, as well as a bundle of certs in .pem format, is provided in my web page.

If 'curl' can be driven by an environment variable to make it use a cert-ca-bundle.crt then that would be the simplest way to go. But keep in mind that this only deals with 'curl' being able to use certs... for any other general app (not a nokia app) you do need to fix the openssl certs configuration.

-- Denis
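As an added illustration of the hash-link layout Denis describes (this is not the script from his web page, and not part of the thread): the script below builds the <hash>.N symlinks that libcrypto looks up in a -CApath directory, then checks a certificate against that directory. It assumes openssl is on PATH and that the certs are already present as *.pem files; the directory defaults to /usr/lib/ssl/certs as named in the thread. On the old OpenSSL on the NIT, `x509 -hash` yields the hash that its libcrypto expects; on current OpenSSL the same flag is an alias for -subject_hash, so the script works on either.

```shell
#!/bin/sh
# Added example: rebuild OpenSSL hash links in a certificate directory.
# Assumes 'openssl' is on PATH. DIR defaults to /usr/lib/ssl/certs.

# rehash_certs DIR: for every DIR/*.pem create DIR/<subject-hash>.N -> file.
# Several certs can share a hash (e.g. a CA with two signing certs), so the
# numeric suffix N is incremented until a free name is found.
rehash_certs() {
    dir="${1:-/usr/lib/ssl/certs}"
    # Drop stale links first so renamed or removed certs do not linger.
    for link in "$dir"/*.[0-9]; do
        [ -L "$link" ] && rm -f "$link"
    done
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        hash=$(openssl x509 -noout -hash -in "$pem") || {
            echo "rehash_certs: not a PEM certificate, skipping: $pem" >&2
            continue
        }
        n=0
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$pem")" "$dir/$hash.$n"
    done
}

# verify_with_capath DIR CERT: succeed only if CERT chains to a cert in DIR,
# looked up the same way libcrypto does it (via the hash links).
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

After `rehash_certs /usr/lib/ssl/certs`, `verify_with_capath /usr/lib/ssl/certs server.pem` tells you whether a server cert captured with s_client will validate on the device, without involving curl at all.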
 
Posts: 60 | Thanked: 17 times | Joined on Feb 2008
#8
Denis,
As far as I can tell, it works to set an environment variable as follows

CURL_CA_BUNDLE=/usr/lib/ssl/certs/curl-ca-bundle.crt
export CURL_CA_BUNDLE

It could be that this works only because it is pointing curl to the directory that has the certs. I used your script to generate the hash links, so maybe that is why it is working - because now it knows where to look for the pem files. One other thing - as far as I can tell, the export above does not produce a persisting environment variable. When I try to echo that variable after a reboot, it's not there???

Another very important piece of information. I had to use rdate to set the time on my Nokia - otherwise it would not authenticate. The time was off and ssl failed.

The only problem as far as I can tell is that I have to do this time sync after every boot - that is pretty lame
 
Posts: 289 | Thanked: 83 times | Joined on Jul 2006
#9
Originally Posted by dannemil
Denis,
As far as I can tell, it works to set an environment variable as follows

CURL_CA_BUNDLE=/usr/lib/ssl/certs/curl-ca-bundle.crt
export CURL_CA_BUNDLE

One other thing - as far as I can tell, the export above does not produce a persisting environment variable. When I try to echo that variable after a reboot, it's not there???

Another very important piece of information. I had to use rdate to set the time on my Nokia - otherwise it would not authenticate. The time was off and ssl failed.

The only problem as far as I can tell is that I have to do this time sync after every boot - that is pretty lame
Define your environment variable in your .profile file, it gets run every time you initiate a shell session... see a sample .profile file on my web page. Maybe you could call rdate from here as well.

-- Denis
 
Posts: 60 | Thanked: 17 times | Joined on Feb 2008
#10
Thanks, Denis. That worked for the curl environment variable, but rdate has to be run by root. I thought about putting a shell script into /etc/init.d and softlinking it into /etc/rc2.d, but then I realized that rdate requires the network to be up to get the time from an ntp server, so it won't work at boot because the network is not up on the NIT.

Still searching for a way to get the time updated automatically as soon as the network connects.
 