Community Council | Posts: 680 | Thanked: 1,227 times | Joined on Sep 2010 @ Mbabane
#9
Originally Posted by jonwil
Ok, new OpenSSL works so far in that I can run openssl s_client -connect blah and get the results I expect.

I seem to be having a problem with this version:

Code:
Nokia-N900:~$ openssl version -a
OpenSSL 1.1.0h  27 Mar 2018
built on: reproducible build, date unspecified
platform: debian-armel
options:  bn(64,32) rc4(char) des(long) blowfish(ptr) 
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/lib/ssl\"" -DENGINESDIR="\"/usr/lib/engines-1.1\"" 
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/engines-1.1"




Nokia-N900:~$ openssl s_client -connect www.google.com:443
CONNECTED(00000003)
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
   i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
issuer=/C=US/O=Google Trust Services/CN=Google Internet Authority G3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2954 bytes and written 261 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 19F8BCE849085E0809C3C0A2B8627397908AB1AD722DAA28A489B796FEF75A94
    Session-ID-ctx: 
    Master-Key: CCFB428554021CD6349242DED35127D2A907B62A5748F0560A4667CF8EAB48670B52ECBDB7BF7BB28F86785B610909D5
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100798 (seconds)
    TLS session ticket:

    Start Time: 1539101657
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
---
read:errno=0
Nokia-N900:~$
EDIT: adding the CApath switch allows it to work, but I guess for 'average' applications that use openssl this won't help

Originally Posted by jonwil
I had to run a command on the certificates to get them in the format the new OpenSSL wants, but my analysis of the N900 rootfs suggests nothing is reading the certificates that way; they are all either using maemosec-certman or reading the maemosec-certman pem files, so it should be safe to run that rehash.

How did you run the rehash?
Code:
# perl /usr/bin/c_rehash /etc/certs/common-ca
Didn't fix it for me.
__________________
N900, the essence of life

Last edited by sicelo; 2018-10-09 at 16:44. Reason: added info
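
An added example, not part of the original post: OpenSSL finds CA certificates in a CApath directory through the subject-hash link names that c_rehash creates, and when no -CApath is given it searches the certs directory under OPENSSLDIR. The script below checks whether a rehashed CA directory is the one searched by default; the function names and result strings are illustrative, and both paths are supplied by the caller.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the thread. All paths are caller-supplied.

# Count directory entries named like c_rehash links (8 hex digits, ".", index)
# that resolve to an existing file; dangling links are not counted.
count_hash_links() {
    n=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Physical path of a directory, with symlinks resolved.
real_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# diagnose_capath OPENSSLDIR CADIR
# Prints one result string describing how the default lookup directory
# (OPENSSLDIR/certs) relates to the CA directory that was rehashed.
diagnose_capath() {
    default_dir="$1/certs"
    if [ "$(count_hash_links "$2")" -eq 0 ]; then
        echo "ca-dir-not-rehashed"
    elif [ ! -d "$default_dir" ]; then
        echo "default-dir-missing"
    elif [ "$(real_dir "$default_dir")" = "$(real_dir "$2")" ]; then
        echo "default-dir-is-ca-dir"
    elif [ "$(count_hash_links "$default_dir")" -eq 0 ]; then
        echo "default-dir-not-rehashed"
    else
        echo "default-dir-rehashed-separately"
    fi
}

# Example: sh check_capath.sh /usr/lib/ssl /etc/certs/common-ca
if [ "$#" -eq 2 ]; then
    diagnose_capath "$1" "$2"
fi
```

Any result other than default-dir-is-ca-dir or default-dir-rehashed-separately means programs that rely on OpenSSL's default verify paths will not see the rehashed certificates.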
 
