Looking for help from anyone who knows anything about nss/ssl/certs/etc - Page 2 - maemo.org

Ilew · #11 2016-02-10, 20:18

See attached file for contents.

Code:

Nokia-N900:~# apt-cache policy libnspr4 libnss3-certs libnss3 microb-engine-common microb-engine       
libnspr4:
  Installed: 1:20100401-1.9.2-5.2+0m5+0cssu2+thumb0
  Candidate: 1:20100401-1.9.2-5.2+0m5+0cssu2+thumb0
  Version table:
 *** 1:20100401-1.9.2-5.2+0m5+0cssu2+thumb0 0
        500 http://maemo.merlin1991.at fremantle/free Packages
        100 /var/lib/dpkg/status
     1:20100401-1.9.2-5.2+0m5+0cssu2 0
        500 http://repository.maemo.org fremantle/free Packages
     1:20100401-1.9.2-5.2+0m5+0cssu1 0
        500 http://repository.maemo.org fremantle/free Packages
     1:20100401-1.9.2-5.2+0m5+0cssu0 0
        500 http://repository.maemo.org fremantle/free Packages
libnss3-certs:
  Installed: 1:20100401-1.9.2-5.2+0m5+0cssu2+thumb0
  Candidate: 1:20100401-1.9.2-5.2+0m5+0cssu2+thumb0
  Version table:
 *** 1:20100401-1.9.2-5.2+0m5+0cssu2+thumb0 0
        500 http://maemo.merlin1991.at fremantle/free Packages
        100 /var/lib/dpkg/status
     1:20100401-1.9.2-5.2+0m5+0cssu2 0
        500 http://repository.maemo.org fremantle/free Packages
     1:20100401-1.9.2-5.2+0m5+0cssu1 0
        500 http://repository.maemo.org fremantle/free Packages
     1:20100401-1.9.2-5.2+0m5+0cssu0 0
        500 http://repository.maemo.org fremantle/free Packages
libnss3:
  Installed: 1:20100401-1.9.2-5.2+0m5+0cssu2+thumb0
  Candidate: 1:20100401-1.9.2-5.2+0m5+0cssu2+thumb0
  Version table:
 *** 1:20100401-1.9.2-5.2+0m5+0cssu2+thumb0 0
        500 http://maemo.merlin1991.at fremantle/free Packages
        100 /var/lib/dpkg/status
     1:20100401-1.9.2-5.2+0m5+0cssu2 0
        500 http://repository.maemo.org fremantle/free Packages
     1:20100401-1.9.2-5.2+0m5+0cssu1 0
        500 http://repository.maemo.org fremantle/free Packages
     1:20100401-1.9.2-5.2+0m5+0cssu0 0
        500 http://repository.maemo.org fremantle/free Packages
microb-engine-common:
  Installed: 1:20100401-1.9.2-5.2+0m5+0cssu2+thumb0
  Candidate: 1:20100401-1.9.2-5.2+0m5+0cssu2+thumb0
  Version table:
 *** 1:20100401-1.9.2-5.2+0m5+0cssu2+thumb0 0
        500 http://maemo.merlin1991.at fremantle/free Packages
        100 /var/lib/dpkg/status
     1:20100401-1.9.2-5.2+0m5+0cssu2 0
        500 http://repository.maemo.org fremantle/free Packages
     1:20100401-1.9.2-5.2+0m5+0cssu1 0
        500 http://repository.maemo.org fremantle/free Packages
     1:20100401-1.9.2-5.2+0m5+0cssu0 0
        500 http://repository.maemo.org fremantle/free Packages
microb-engine:
  Installed: 1:20100401-1.9.2-5.2+0m5+0cssu2+thumb0
  Candidate: 1:20100401-1.9.2-5.2+0m5+0cssu2+thumb0
  Version table:
 *** 1:20100401-1.9.2-5.2+0m5+0cssu2+thumb0 0
        500 http://maemo.merlin1991.at fremantle/free Packages
        100 /var/lib/dpkg/status
     1:20100401-1.9.2-5.2+0m5+0cssu2 0
        500 http://repository.maemo.org fremantle/free Packages
     1:20100401-1.9.2-5.2+0m5+0cssu1 0
        500 http://repository.maemo.org fremantle/free Packages
     1:20100401-1.9.2-5.2+0m5+0cssu0 0
        500 http://repository.maemo.org fremantle/free Packages

CSSU-T (thumb) version:
21.2011.38-1Tmaemo11+thumb0

jonwil · #12 2016-02-10, 22:42

You have the correct set of certificates on your device that you should have so that isn't why it works for you and not for me.
The microb-engine version looks ok too from what I can see.

Its very wierd that your system works and mine does not...

sicelo · #13 2016-02-11, 07:50

Tested the packages. On my CSSU-Testing device, it worked right away.

My thumb device however had completely opposite results. Not only did it not work, but all certificates disappeared. After some help, all look ok in the certificate manager. However cmcli/openssl all don't "see" them.

Attached are contents of my /etc/certs and /etc/secure

jonwil · #14 2016-02-11, 11:32

Ok, the plot thickens even more.
I loaded the microb-refui package that matches the microb-engine stuff I am currently running (so all of them were built in the same build run)

If I load a site (say https://www.entrust.net) into the normal microb UI (via the "web" thing) I get the sec_error_unknown_issuer error.
Yet if I then load the exact same URL into the microb-engine reference UI (via the run-mozembed.sh file in the microb-refui package) it loads just fine without errors.

Getting microb and browserd into GDB is probably the only way I am going to be able to get to the bottom of this and as of yet I haven't found a way to do that

jonwil · #15 2016-02-11, 12:00

I found the problem.
Seems that stale certificates have ended up in the mozilla/microb cert8.db file and are causing the errors.
If I move that file out of the way, all the sites that are failing load in microb.
Simply deleting it though isn't the real answer since I dont know what information that file contains. What we need is something that can remove all the bogus certificates from that file (likely bogus intermediate certificates I bet) and "clean" the file up but without removing anything important.

Ilew · #16 2016-02-11, 20:25

I knew it had something to do with those db files.
The db files are in the BerkeleyDB format.
So you can use db_util to dump the certificates to read them.

There's also certutil:
https://developer.mozilla.org/en-US/...Tools/certutil

colin.stephane · #17 2016-02-12, 13:54

Quote:

Originally Posted by Ilew

I knew it had something to do with those db files.
The db files are in the BerkeleyDB format.
So you can use db_util to dump the certificates to read them.

There's also certutil:
https://developer.mozilla.org/en-US/...Tools/certutil

jonwil,

Yes certutil seem to be the tool you need ...

Here is another link that can help you to build it : Certutil is not building properly on Scratchbox ARM builds

Hope it help ...

A++

Maemish · #18 2019-12-12, 17:18

I think this thread is right place to ask. I have updated maemosec-certs from extras-devel. "How's My SSL?" site warns that I have to unsecure SSL certs accepted. How can I remove/disable these certs?

And another question. Here is said that have updated root certificates from mozilla. Is it good thing to do and can it help with micro-b being able to access more sites? I would like to get micro-b more secure but at the moment I'm batling with getting Opera to be labeled in that site at least OK (now it is bad because these two files) and I don't know how to edit and what file exactly and with what. Is it the common-ca-certificates.crt or something?

The Following 2 Users Say Thank You to Ilew For This Useful Post:
Feathers McGraw, jellyroll

The Following User Says Thank You to jonwil For This Useful Post:
Ilew

The Following 3 Users Say Thank You to sicelo For This Useful Post:
Feathers McGraw, Ilew, peterleinchen

The Following User Says Thank You to jonwil For This Useful Post:
sicelo

The Following 7 Users Say Thank You to jonwil For This Useful Post:
Android_808, Feathers McGraw, luf, mr_pingu, peterleinchen, sicelo, wicket

The Following 3 Users Say Thank You to Ilew For This Useful Post:
Android_808, Feathers McGraw, wicket

The Following 2 Users Say Thank You to colin.stephane For This Useful Post:
Feathers McGraw, wicket

The Following User Says Thank You to Maemish For This Useful Post:
nonsuch