Microb and TLS 1.2

[Wikiwide]

Quote:

Originally Posted by jonwil

I managed to get elfhack working so that's a little progress.

Although I am very close to saying "screw it" and looking for a fork of webkit or similar that works on our ancient libraries but supports the features needed (TLS 1.2 in particular but also more modern HTML/CSS/JS so it can render web pages that microb can't do).

I dont know of anything suitable though...

Please don't give up! It sounds like you are very close to getting MicroB-engine work with new internals.

Thank you. Best wishes...
~~~~~~~~~~~~~~~~~
Per aspera ad astra...

[oldnumpty]

I've just signed up because my browser/duckduckgo on my phone no longer works and it tells me it won't work any more because it doesn't support tls 1.1 after January 2020 (it doesn't work now....).
It there any browser that can be installed on Nokia N900 with Fremantle that works?
I would love to contribute to the efforts to update Microb, but unfortunately I have no coding knowledge to be able to

[Maemish]

Opera from testing repository (check thread "Devel upgrades" hiow to install openssl and update certificates from devel repository) and then Opera settings tag TLS1.2 on. Not fully secure though, some certs should be removed.

Or you can get QML Browser to also use these updated certs. It wasn't as easy as I thought. There is some Qtstuff to be downloaded and it may be found on TLS1.2 or SSL related thread or then it was in Micro-b security related thread. Sorry but can't remember who member it was who helped with it.

Then there is Iceweasel and Netsurf 3.9 from easy debian side. Iceweasel is slow but opens almost any page, netsurf is extremely fast but many things do not work with it. Netsurf is your safest browser for N900, Iceweasel your best browser to open pages, Opera is best as a main browser on known secure sites, miocro-b is best for the forum (except mine renders the images somehow wrong way).

And then there is Dooble. Which could be updated. It would be great.

For netsurf 3.9 here are instruction by juiceme: https://wiki.maemo.org/Easy_Debian/L..._Debian_Jessie

You just need to check the Easy Debian thread where sulu shared the netsurf 3.9 and download that and follow juiceme instructions. The jessie image has a problem though so first you have to "groupadd crontab" before you can install stuff. Or you can delete that group.

[Halftux]

Maybe someone want to try nginx with the http_proxy_connect_module don't know if this works.

https://github.com/chobits/ngx_http_...connect_module

https://github.com/chobits/ngx_http_proxy_connect_module/issues/22#issuecomment-346941271

nginx.conf

Code:

/opt/nginx/nginx.conf

add to config to load the module:

Code:

load_module /opt/nginx/modules/ngx_http_proxy_connect_module.so;

You need to further tune the nginx.conf to get a forward proxy with "sslbump" see the link above, the browser need to be configured for the proxy too.

I will attach a nginx version with a dynamic ngx_http_proxy_connect_module
compiled for maemo no additional patches or changes were needed:
Depends: libc6 (>= 2.5.0-1), libgcc1 (>= 1:4.4.0), libpcre3 (>= 4.5), libssl1.1 (>= 1.1.0h), zlib1g (>= 1:1.2.1)

configure parameters:

Code:

./configure \
		--prefix=/opt/nginx \
		--sbin-path=/opt/nginx/nginx \
		--conf-path=/opt/nginx/nginx.conf \
		--error-log-path=/opt/nginx/logs/error.log \
		--http-log-path=/opt/nginx/logs/access.log \
		--pid-path=/opt/nginx/logs/nginx.pid \
		--lock-path=/opt/nginx/logs/nginx.lock \
		--http-client-body-temp-path=/opt/nginx/optified/client_temp \
		--http-proxy-temp-path=/opt/nginx/optified/proxy_temp \
		--http-fastcgi-temp-path=/opt/nginx/optified/fastcgi_temp \
		--http-uwsgi-temp-path=/opt/nginx/optified/uwsgi_temp \
		--http-scgi-temp-path=/opt/nginx/optified/scgi_temp \
		--user=user \
		--group=users \
		--with-http_ssl_module \
		--with-http_realip_module \
		--with-http_addition_module \
		--with-http_sub_module \
		--with-http_dav_module \
		--with-http_flv_module \
		--with-http_mp4_module \
		--with-http_gzip_static_module \
		--with-http_random_index_module \
		--with-http_secure_link_module \
		--with-http_stub_status_module \
		--with-mail \
		--with-mail_ssl_module \
		--without-http_upstream_zone_module \
		--add-dynamic-module=ngx_http_proxy_connect_module

Maybe this parameter should be also activated "--with-threads". To get it compiled I needed to disable http_upstream_zone_module. Next try would to update libatomic to get it compiled with this upstream module.

Another possibility could be maybe to use squid or stunnel.

At the moment I don't have the time to try it over x-mas :-(
But please post your experience if you fail or succeed or if you have some knowledge about squid or stunnel. It would be nice to use old software with newer ssl with the help of a proxy.

The discussion is open now.

Here some links with such a topic.
https://developpaper.com/using-nginx...-proxy-server/
https://stackoverflow.com/questions/...onfig/46382990
https://superuser.com/questions/6043...roxy-for-https
https://github.com/reiz/nginx_proxy
https://www.reddit.com/r/sysadmin/co...ion_to_tls_12/

[oldnumpty]

Thanks, Maemish, I'll check it out. I rarely use the internet on my phone, just sometimes to look up a phone number or address, it's a shame I have to put effort into getting back something I already had.

I have no clue about certificates. I guess it's something I'll get to learn.

[Maemish]

Ok. For that Opera would be fine. Unless you are very very concerned about someone knowing what you are doing in the net.

[oldnumpty]

Quote:

Originally Posted by Maemish

Ok. For that Opera would be fine. Unless you are very very concerned about someone knowing what you are doing in the net.

No, not at all. I only fire it up if I'm lost somewhere when I'm out shopping. I only "internet" on my computer at home. It is handy to have though. I could make do with "just a phone", but if I can keep a usable browser, I'd like to.

[Maemish]

Then Opera from testing or devel repo and make the cert upgraded from devel upgrade thread.

[oldnumpty]

I didn't get far trying to install opera. It complained that it couldn't install because libhildon1 is missing.

[Maemish]

What repos you have enabled? It should load dependencies automatically. What if you try to install it in console? And then apt-get install -f after the error? Or are you familiar with console and have rootsh installed? Have to ask cause I didn't know many stuff a short while ago and got instructions which supposed I knew more than I did.