Posts: 6 | Thanked: 43 times | Joined on Jul 2020
#6
I apologize. Your reply reminded me that I was going to put up a list of the other packages I rebuilt against the newer OpenSSL, even though they probably weren't necessary for the project. I'm sorry for the long delay. But here are the others besides aegis-crypto, aegis-certman, and Qt itself (all these are the last versions from Harmattan source, not newer versions):

cryptsetup
curl (for testing purposes)
cyrus-sasl2
libaccounts-glib
libsignoncrypto-qt
qca2-plugin-ossl

I also promised the changes I made to aegis-certman. Here's the brutish hack to aegis-certman-common-ca.postinst in the debian directory to cause it to remove all old certs before installing the new ones. Keep in mind that I completely replaced the etc/certs directory in the package with recent Mozilla certs:

Code:
--- aegis-certman-common-ca.postinst.old	2012-05-08 06:26:05.000000000 -0500
+++ aegis-certman-common-ca.postinst	2020-06-30 21:16:56.040808550 -0500
@@ -1,12 +1,11 @@
 #!/bin/sh -e
 if [ "$1" = "configure" ]; then
+	for deletename in /var/lib/aegis/certs/common-ca/*.pem; do
+		acmcli -C aegis-certman-common-ca::CertCACommonAdd \
+		-lc common-ca -r `echo $deletename | sed "s/.*\/\([-0123456789abcdef]*\).*/\\1/"`
+	done;
 	acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca\
            -a /usr/share/aegis-certman-common-ca/*.pem
-	# Remove DigiNotar CA if still in store
-	if [ -f /var/lib/aegis/certs/common-ca/8868bfe08e35c43b386b62f7283b8481c80cd74d.pem ] ; then
-		acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca\
-               -r 8868bfe08e35c43b386b62f7283b8481c80cd74d
-	fi
 	chmod 0777 /var/lib/aegis/certs
 	if [ ! -e /usr/lib/ssl/certs ]
 	then
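
Review bot: the new removal loop at the top of the configure branch does not handle an empty store. When /var/lib/aegis/certs/common-ca/ holds no .pem files the glob stays unexpanded, the sed expression yields an empty string, and acmcli is called with -r and no key id; because the script runs under "sh -e", a non-zero exit there would abort the postinst before the new certificates are added. Suggest skipping entries that do not exist with '[ -e "$deletename" ] || continue', quoting "$deletename", and deriving the id with 'basename "$deletename" .pem' instead of the sed pattern.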

Here's the hack to certman_main.cpp to make symlinks for both old and new hashing methods:

Code:
--- certman_main.cpp.old	2012-05-08 06:26:05.000000000 -0500
+++ certman_main.cpp	2020-07-21 21:14:32.432448891 -0500
@@ -436,13 +436,13 @@
 #define MAX_TRIES 100
 
 void
-make_hash_filename(X509* of_cert, storage* pstore, const char* to_certfile, string &result)
+make_hash_filename(X509* of_cert, storage* pstore, const char* to_certfile, string &result, string &result_old)
 {
 	X509* lcert = of_cert;
 	char hash_file_name[32];
 	string full_name;
-	long hash;
-	int i;
+	long hash[2]; // changed to [0] for new, [1] for old
+	int i, j; // added counter j
 
 	AEGIS_DEBUG(1, "%s: make hash to '%s'", __func__, to_certfile);
 	if (NULL == lcert) {
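
Review bot: "long hash[2]" keeps the signed type, but X509_subject_name_hash() returns unsigned long and the values are formatted with %08lx further down; declare it "unsigned long hash[2]". The comments "changed to [0] for new, [1] for old" and "added counter j" describe the edit rather than the code, so reword them to say what each slot holds. The new "result_old" out-parameter should be documented, and every other caller of make_hash_filename() has to be updated for the new signature.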
@@ -453,12 +453,18 @@
 			return;
 		}
 	}
-	hash = X509_subject_name_hash(lcert);
+
+	// changed to array, now getting old hash as well
+	hash[0] = X509_subject_name_hash(lcert);
+	hash[1] = X509_subject_name_hash_old(lcert);
+
 	if (of_cert != lcert)
 		X509_free(lcert);
+
+	for (j = 0; j < 2; j++) {
 	
 	for (i = 0; i < MAX_TRIES; i++) {
-		snprintf(hash_file_name, sizeof(hash_file_name), "%08lx.%d", hash, i);
+		snprintf(hash_file_name, sizeof(hash_file_name), "%08lx.%d", hash[j], i);
 		if (!pstore->contains_link(hash_file_name))
 			break;
 	}
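
Review bot: the call on the "hash[1] = X509_subject_name_hash_old(lcert);" line has no build guard; OpenSSL only declares that MD5-based function when it is not built with OPENSSL_NO_MD5, so either wrap the old-hash path in "#ifndef OPENSSL_NO_MD5" or state the dependency. The body of the new "for (j = 0; j < 2; j++)" loop is also left at its old indentation, so the inner MAX_TRIES loop does not read as nested; re-indent it one level.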
@@ -466,7 +472,10 @@
 		AEGIS_ERROR("%s: %d colliding hash files for '%s'?",
 					   __func__, i, to_certfile);
 	} else {
-		result.assign(hash_file_name);
+		if (j) result_old.assign(hash_file_name);
+		else result.assign(hash_file_name);
+	}
+
 	}
 }
 
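
Review bot: the AEGIS_ERROR in the collision branch still reports only the file name, so after this change the log cannot tell whether the new or the old hash ran out of slots; add hash[j] (or j) to the message. In that branch the matching output string is left untouched, so clear "result" and "result_old" at the top of the function rather than relying on the caller passing empty strings.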
@@ -967,14 +976,17 @@
 			rc = errno;
 
 		if (0 == rc) {
-            string hash_name;
+            string hash_name, hash_name_old;
 			make_hash_filename(cert, mydomain->index, filename.c_str(), 
-							   hash_name);
+							   hash_name, hash_name_old);
             if (!mydomain->index->contains_file(filename.c_str())) {
                 mydomain->index->add_file(filename.c_str());
                 if ("" != hash_name)
                     mydomain->index->add_link(hash_name.c_str(), 
 										  filename.c_str());
+                if ("" != hash_name_old)
+                    mydomain->index->add_link(hash_name_old.c_str(), 
+										  filename.c_str());
                 if (do_commit) {
 					if (!mydomain->index->commit()) {
 						AEGIS_DEBUG(1, "%s: add of '%s' failed (%s)", __func__,
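
Review bot: the old-hash link is added only inside the "!mydomain->index->contains_file(...)" branch, so a certificate that is already in the store never gets its second link. That only works if every certificate is removed and re-added, as the postinst change does for common-ca; other domains would need the same treatment or a migration step. The return values of both add_link() calls are also ignored, so a failed link is not noticed before commit().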

Thank you everyone for your kind words. I will mention there's a lot more to do if you want a truly modern, but slow, web experience on the N9. Stock browser is running a WebKit that walked out of 2012 and will definitely have many security holes, as well as lack of support for newer features. Now if grob used the WebKit 1 in Qt4 it would be easier to upgrade, at least to the last released version of QtWebKit 1, but it uses its own, probably patched, WebKit 2 (split process model) in a separate package, and there's no source.

It needs a whole new browser. I had wondered at the possibility of building WebKit WPE for Harmattan, but I currently don't have the time to dive into that now. That's the only option that I think wouldn't be painfully slow on the N9. Even then I would need to write a browser frontend to use it. Maybe someday.
 

The Following 3 Users Say Thank You to n9erator For This Useful Post: