Security certificates have expired. - Page 3 - maemo.org

Active Topics

Is there a section to talk about Java ME? Apps, etc. (0)
to General by Kalatti - 2 days, 20 hrs ago
Extra softwares in Sailfish using CLI, repositories, etc (117)
to SailfishOS by nieldk - 4 days, 17 hrs ago
Firefox with Leste (6)
to Maemo 7 / Leste by teroyk - 5 days, 13 hrs ago
more...

Page 3 of 4

< Prev

Next >

Thread Tools

ric9K	2019-11-19 , 16:51
Posts: 330 \| Thanked: 860 times \| Joined on May 2011	#21

Working.
Delicious!!!
Lots og thanks to you guys for the help.
Some more month/years to go, no Fx to buy, beautyfull.

Quote & Reply |

The Following User Says Thank You to ric9K For This Useful Post:
juiceme

	Maemish	2019-11-19 , 19:19
	Posts: 1,702 \| Thanked: 4,752 times \| Joined on Apr 2018 @ Helsinki, Finland.	#22

Sorry. That was the trick yes. But wasn't it also neccessary to uppgrade openssl and certs? So sorry. Having a real brain malfunction at the moment and on the sick leave for it. Not the best to give working answers.

__________________
"I don't know how but I can try!" (active)

Master of not knowing (active)

For me it is possible to get lost in any case (active)

Learning to fall from high (DONE)

Learning to code with BASIC (WIP)

Quote & Reply |

The Following 2 Users Say Thank You to Maemish For This Useful Post:
juiceme, ric9K

ric9K	2019-11-19 , 20:28
Posts: 330 \| Thanked: 860 times \| Joined on May 2011	#23

Originally Posted by Maemish

Sorry. That was the trick yes. But wasn't it also neccessary to uppgrade openssl and certs? So sorry. Having a real brain malfunction at the moment and on the sick leave for it. Not the best to give working answers.

No problem, there is frequently no good answer but good parts of it.
Then we have to puzzle...
I guess it was necessary to upgrade these too as said by Halftux.
It's good to do what Halftux says

Except that we (hmmm... am I the last one who cares about Backupmenus's password?) still have the non-working password = free access to Backupmenu once new lib/openssl installed!

Quote & Reply |

The Following 2 Users Say Thank You to ric9K For This Useful Post:
juiceme, xman

	Maemish	2019-11-20 , 14:53
	Posts: 1,702 \| Thanked: 4,752 times \| Joined on Apr 2018 @ Helsinki, Finland.	#24

I don't do backups. I do reflashes. About twenty in two years. Messing a lot. Almost brick device when once installed backup and tried to recover from there. Never again.

Quote & Reply |

The Following User Says Thank You to Maemish For This Useful Post:
juiceme

xman	2019-11-20 , 15:38
Posts: 562 \| Thanked: 1,732 times \| Joined on Jan 2010 @ NYC	#25

I still love and use Backupmenus, with no issues. But will need to deal with the certs at some point myself.

x

Quote & Reply |

The Following 2 Users Say Thank You to xman For This Useful Post:
juiceme, olf

	Halftux	2019-11-20 , 20:29
	Posts: 862 \| Thanked: 2,511 times \| Joined on Feb 2012 @ Germany	#26

Originally Posted by Maemish

But wasn't it also neccessary to uppgrade openssl and certs?

To install the latest certs shouldn't harm anything and should be done. Otherwise it is a security issue.
Openssl could break things but should not. Because in principle no other application will access directly the rehashed certificates and the old libssl is still available.
For backupmenu it is somehow special, it could be that it generates something which will be later encrypted with an older openssl. The question is why it jumps over the password query and doesn't stop.

For qt application to gain profit from the new openssl, it is necessary to install the patched qt. This could break qt applications due to historical reasons. In the past it was not the qt library which got fixed first. Many application switched from secure protocols to only-tlsv1 which is now depreciated. Switching back and recompiling should fix this situation. Other way would be to patch qt library so that only-tlsv1 will be redirected to secure protocols.

However not every application uses openssl, we have also gnutls and nss. It is also possible that application have there own ssl code and not using the maemo infrastructure.

How Opera works I don't know, maybe it still uses nss.

__________________
N900: gpxsee, fahrplan, gpscon, genwall, qrcode, hextool, libjansson4, libevent-2.0-5, cnee, psi-plus, mihphoto, shc

Maemo flasher/rescue live image.
Fremantle Harmattan SDK VM

Quote & Reply |

The Following 3 Users Say Thank You to Halftux For This Useful Post:
juiceme, olf, xman

ric9K	2019-11-20 , 21:56
Posts: 330 \| Thanked: 860 times \| Joined on May 2011	#27

Originally Posted by Halftux

...
For backupmenu it is somehow special, it could be that it generates something which will be later encrypted with an older openssl. The question is why it jumps over the password query and doesn't stop.
...

Because the case of empty return of the openssl instruction seems not to be handled correctly. (If I dare, cause I wouldn'have been able to write something like Backupmenu)

I took a look into usr/share/backupmenu, we see that Backupmenu compares the root encrypted password with the output of openssl.

If openssl returns nothing because it was looking for a lib which is not present, the shell (/bin/sh) has to compare a variable with nothing.
This is generating an error and it skips the instructions following the comparison (stop and reboot).

usr/share/backupmenu:

Code:

if [ -e /usr/share/backupmenu/lock-enable.txt ]; then #display password screen
	#clear display
	$T2S -c -x 16 -y 18 -w 768 -h 440
	y=20
	passhash=`cat /usr/share/backupmenu/lock-enable.txt`
	if [ -z "$passhash" ] || [ ! `expr length $passhash` == 13 ]; then
		passhash=`cat /etc/passwd | grep root |cut -d ':' -f 2`
	fi
	pass2dig=`echo "$passhash" | cut -c 1-2`
	for i in 1 2 3; do
		password=""
		$T2S -s 2 -H center -y $y -T 0 -t ">> Enter Password <<"; y=$((y+40))
		
		$T2S -s 2 -H left -y $y -T 0x0000 -t "  Alt/shift keys must be pressed one at a time"
		$T2S -s 2 -H left -y $y -T 0x0410 -t "  Alt shift"; y=$((y+20))
		getUserInputString 1
		password=$inputString
		y=$((y+60))
		encpass=`openssl passwd -crypt -salt "$pass2dig" "$password"`
		if [ $passhash == $encpass ]; then
			break
		fi
		$T2S -s 2 -H center -y $y -T 0xF800 -t "Password wrong."; y=$((y+20)) 
	done

##################################################
#Is the error here in next line?
##################################################
	if [ ! $passhash == $encpass ]; then
		$T2S -s 2 -H center -y $y -T 0xF800 -t "You have entered an incorrect password 3 times"; y=$((y+20))
		$T2S -s 2 -H center -y $y -T 0xF800 -t "Rebooting in 30 seconds."; y=$((y+20))
		sleep 30
		reboot -f
		sleep 60
	fi
fi

Instead of

Code:

if [ ! $passhash == $encpass ]; then

Shouldn't we write this?

Code:

if [ ! x$passhash == x$encpass ]; then

But now, why is openssl not finding the right libssl once we installed version 1.1?
Because when I use it from within maemo, both libs are present.
When I test openssl from the terminal in Backupmenu, openssl complains not finding the version 1.1. And if I look for it with find, it'is not there, effectively.

Isn't it the same root?
Is it a kind of initramsomething and not the definitive root filesystem?
But in this case, why is the new openssl installed on it?

edit: I meant:

Code:

if [ ! "x"$passhash == "x"$encpass ]; then

But the below Olf's solution seems to be more correct:

Code:

if [ ! "$passhash" = "$encpass" ]; then

Last edited by ric9K; 2019-11-21 at 08:03.

Quote & Reply |

The Following 3 Users Say Thank You to ric9K For This Useful Post:
Halftux, juiceme, olf

	Halftux	2019-11-20 , 23:01
	Posts: 862 \| Thanked: 2,511 times \| Joined on Feb 2012 @ Germany	#28

Originally Posted by ric9K

Isn't it the same root?
Is it a kind of initramsomething and not the definitive root filesystem?
But in this case, why is the new openssl installed on it?

The files get copied to a temp directory. But now the new openssl and the old libssl get copied.

Code:

cp /usr/lib/libssl.so.0.9.8 /tmp/disk/usr/lib/

/usr/share/backupmenu/extrafiles.tar.gz has a filelist.txt inside, which list copied files and mounted folders. In principle you need to remove the old libssl library and add the new one.

__________________
N900: gpxsee, fahrplan, gpscon, genwall, qrcode, hextool, libjansson4, libevent-2.0-5, cnee, psi-plus, mihphoto, shc

Maemo flasher/rescue live image.
Fremantle Harmattan SDK VM

Quote & Reply |

The Following 2 Users Say Thank You to Halftux For This Useful Post:
juiceme, ric9K

	olf	2019-11-21 , 00:44
	Posts: 304 \| Thanked: 1,246 times \| Joined on Aug 2015	#29

Originally Posted by ric9K

[...] Instead of
Code:
if [ ! $passhash == $encpass ]; then
Shouldn't we write this?
Code:
if [ ! x$passhash == x$encpass ]; then

No.
The original is a classic case on non-failsafe coding. Quoting per

Code:

is the right measure.
Plus the

Code:

==

is an unnecessary bashism, which the bash man-page explicitly does not recommend to use.

Hence using

Code:

if [ ! "$passhash" = "$encpass" ]; then

there and three lines above would make the password comparison always correctly fail, because OpenSSL is not found to calculate the password hash to compare.

Thus that has to be resolved by adapting the environment variable PATH or LD_LIBRARY_PATH or other measures.
Then you may also leave Backup-Menu's code as it is.

Last edited by olf; 2019-11-21 at 16:45.

Quote & Reply |

The Following 4 Users Say Thank You to olf For This Useful Post:
Halftux, juiceme, peterleinchen, ric9K

ric9K	2019-11-21 , 07:43
Posts: 330 \| Thanked: 860 times \| Joined on May 2011	#30

Originally Posted by Maemish

I don't do backups. I do reflashes. About twenty in two years. Messing a lot. Almost brick device when once installed backup and tried to recover from there. Never again.

Don't abandon! Bm is a great help for messing

If you intend to reflash, just be carefull to reinstall the right (same than when you made the backup) kernel before restoring the rootfs and optfs. I have been blocked because of that problem once.