Posts: 6 | Thanked: 43 times | Joined on Jul 2020
I've gotten TLSv1.2 working in grob (stock browser) and fenix (stock email client) on my N9. Granted, this is too late for me and for other users in the USA, since the last US carrier with 3G is shutting it down next year, but perhaps anyone using the N9 in other countries that are maintaining at least their 2G GSM can get some good out of this, so here's what I did.

NOTE: I'm in open mode with the patched open-mode kernel. It may be possible to do this VERY carefully in closed mode with the aegis-install hack, but I haven't tried again after I failed the first 2 times. I was still figuring it out back then.

I don't have a solid HOWTO built for this yet, as I rebuilt a lot more packages than I probably needed to, and my N9 is my daily driver, so it'll be difficult to experiment with this to trim it down.

I used Scratchbox for all builds.

First, I built OpenSSL 1.0.1t out of Debian Jessie, since I figured it would be easier to do proof of concept on a version closer to the original that was already debianized. There are vulnerabilities in it that you could avoid by using a newer version, but be prepared to do more patching of the open source components that link against it. There are closed packages that link to 0.9.8, so it's not possible to get rid of it completely.

I rebuilt aegis-crypto, and that's where I ran into trouble with closed mode. I hadn't realized that OpenSSL 1 hashes certs differently from 0.9.8, and that I was going to need two sets of symlinks in /etc/ssl/certs for both versions. The moment I installed aegis-crypto, all the code on the system couldn't be verified, since Aegis couldn't find the codesigning certs. It *might* be possible to get this to work closed by doing the next step before this one.

I changed all the CA certificates in aegis-certman to the latest Mozilla certs, patched the source to create both old and new symlinks when new certs are added, and patched the install scripts to delete all preexisting CA certs before installing the new ones (so that everything would get both symlinks).

By this point, I could use OpenSSL from the command line to access TLSv1.2 sites, like Wikipedia.

I then rebuilt a ton of other packages against 1.0.1t until ldd showed that fenix and grob no longer depended on libssl.so.0.9.8, just libssl.so.1.0.0. But they still didn't work. I assumed it was a lost cause, until I discovered that fenix uses libqmf, which uses libqt4-network for SSL.

libqt4-network doesn't seem to depend on OpenSSL, so I started looking at the source, and found that it dlopen()'s it, like a plugin, instead of linking against it. By default, it looks for the version of OpenSSL that was on the system that built it. So I just rebuilt that (yeah, I rebuilt the entirety of Qt4 just for that one .deb. I should've hacked it to just build that, but I didn't have the time, and my build computer did).

Rebooted phone after installing, and it works!

I'll pull out my patches to aegis-certman and post them here in a couple days once I have a chance, along with the list of all other packages I rebuilt against 1.0.1t.

Another related update I tried: I have Firefox (Fennec) 15 installed from openrepos.net, and I dropped in a new build of libnss and libnspr into it. It made a few TLSv1.2 sites work, but there are still many where there's no cipher overlap. I'm not surprised, as this was just a hackish experiment. Nice thing is that Mozilla keeps the ABI of NSS and NSPR so stable.

Another unrelated update I've done is GStreamer to 0.10.36, so I could use plugins-bad-0.10.23, which has Opus. That was hard, and I recently noticed that MMS video transcoding doesn't work anymore. Haven't yet tried to figure out why. If anyone is interested, I'll try to throw together a more detailed explanation. Main thing that gave me trouble was the debianization, not the actual code. If you wanted to just build the new stuff without making .debs and throw it in /usr/local, it might work. The only stuff I really had to do to the code was apply some Nokia-specific camera patches from the 0.10.34 source that came with Harmattan.

Now if only the N9's modem could do LTE...

The Following 26 Users Say Thank You to n9erator For This Useful Post:
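The two-symlink problem described in the post (OpenSSL 0.9.8 and 1.0.x hash CA subjects differently, so a trust store must carry both hash names pointing at the same PEM file) as an added example that is not the poster's code: a POSIX shell function that creates both symlink styles for every certificate in a directory and leaves already-correct links alone. It assumes an openssl binary that understands -subject_hash_old (1.0.0 or newer) and a directory argument such as /etc/ssl/certs.

```shell
#!/bin/sh
# Added example (not the poster's script): populate a CA directory with both
# OpenSSL 0.9.8-style (-subject_hash_old) and 1.0.x-style (-subject_hash)
# symlinks, so code linked against either libssl finds the same CA certs.
# Assumes `openssl` 1.0.0 or newer is on PATH.
set -e

# link_certs_both_hashes DIR
# For every regular *.pem / *.crt file in DIR, create HASH.N symlinks for both
# hash schemes, picking the lowest free N so colliding hashes never overwrite
# each other. Re-running is idempotent. Prints the number of links created.
link_certs_both_hashes() {
    dir="$1"
    created=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue          # unmatched glob or missing file
        [ -L "$cert" ] && continue          # only process real files, not links
        name=$(basename "$cert")
        for hash in $(openssl x509 -in "$cert" -noout -subject_hash -subject_hash_old); do
            n=0
            while [ -e "$dir/$hash.$n" ]; do
                if [ "$(readlink "$dir/$hash.$n")" = "$name" ]; then
                    n=-1                    # this cert is already linked under this hash
                    break
                fi
                n=$((n + 1))
            done
            [ "$n" -ge 0 ] || continue
            ln -s "$name" "$dir/$hash.$n"
            created=$((created + 1))
        done
    done
    echo "$created"
}

# count_links DIR : number of hash-style symlinks (hex hash, dot, index) in DIR,
# handy for checking the result against the number of certificates times two.
count_links() {
    find "$1" -maxdepth 1 -type l -name '[0-9a-f]*.[0-9]*' | wc -l | tr -d ' '
}

# Usage: link_certs_both_hashes /etc/ssl/certs
```

Run it on the CA directory after installing new certificates; a directory with N certificates should end up with 2N hash links, and a second run should report 0 new links.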