  1. #281  
    Quote Originally Posted by Grabber5.0 View Post
    I have a script (complements of a Google search) that I have modified to download and create the updated imap and smtp certs (note the smtp cert is not a problem yet, but I expect it to be in the future) on a 2.x or 3.x device. I want to modify it to copy them to the proper location and replace the symlink, and try to remove any old certificates matching the hash code. Based on my prior experimenting, that will also remove them from the cert manager if it is working properly. I would like to have it run on a periodic basis, checking to see if the cert has changed, to keep the manual work down to a minimum.
    I am trying to figure out why should we keep updating leaf-certificate? SSL Chain Certificates validation should automagically grab the newest end-use certificate. I am actually trying to update openSSL on my Pre3
  2. #282  
    Well the /etc/ssl/certs/trustedcerts/GeotrustGlobal1.pem delivered by palm and valid until 2022 has the same Subject Key Identifier and hash:
    Code:
         Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
                Not After : May 21 04:00:00 2022 GMT
            Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
                  X509v3 Subject Key Identifier: 
                    C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
                X509v3 Authority Key Identifier: 
                    keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
      
             Hash 799be0d
    as the one in the google.zip of grabber, but which is Issued by Equifax (they will have bought GeoTrust) and is sooner invalid:

    Code:
          Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
             Not After : Aug 21 04:00:00 2018 GMT
            Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
      X509v3 Authority Key Identifier: 
                    keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
                X509v3 Subject Key Identifier: 
                    C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
    
        Hash 799be0d
    The then needed Equifax CA in the chain is there in trustedcerts too.

    So I tried to replace that old one with the new Equifax issued, but it did not work out (even the hash-link 799be0d.0 should be the same).

    But again no luck.
  3. #283  
    Quote Originally Posted by Jeff Marshall7 View Post
    I can see that many of the posters here are much more advanced and knowledgeable than I am. I'm trying to understand what is required to get Gmail to run on my HP Touchpad tablet with this Google error: "REQUESTED ENCRYPTION NOT SUPPORTED BY SERVER". I've read all the latest posts in this thread, and I can see that some of the solutions for Gmail on the HP Touchpad are concerned with the latest Gmail MAP certificates. Which ones do I need and where do I get them?

    Please understand that I'm not a techno wizard in regard to this matter. At the "nuts and bolts" level, things get extremely complicated. So I guess I need some step by step instructions as to what to do and how to do it. I'm quite sure I'm not alone in this situation...it looks like several others here are in the same or similar situation. Again, my sincere thanks to anyone who can help me.



    to do at this point. I feel that I'm so close, yet so far away.

    So, my straightforward request is: What do I have to do to get Gmail to run on my HP Touchpad tablet as
    of this date. Let me express my thanks to all who can be of help...I realize that this is not an easy task.
    First uninstall all certificates. 5 to txt certified copy and sent it to sd pre2, there you change the extension to .pem, install certificate 4 and 5 certificate. Gmail running.

    -- Sent from my Palm Pre using Forums
  4. #284  
    Quote Originally Posted by gizmo21 View Post
    Well the /etc/ssl/certs/trustedcerts/GeotrustGlobal1.pem delivered by palm and valid until 2022 has the same Subject Key Identifier and hash:
    Code:
         Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
                Not After : May 21 04:00:00 2022 GMT
            Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
                  X509v3 Subject Key Identifier: 
                    C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
                X509v3 Authority Key Identifier: 
                    keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
      
             Hash 799be0d
    as the one in the google.zip of grabber, but which is Issued by Equifax (they will have bought GeoTrust) and is sooner invalid:

    Code:
          Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
             Not After : Aug 21 04:00:00 2018 GMT
            Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
      X509v3 Authority Key Identifier: 
                    keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
                X509v3 Subject Key Identifier: 
                    C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
    
        Hash 799be0d
    The then needed Equifax CA in the chain is there in trustedcerts too.

    So I tried to replace that old one with the new Equifax issued, but it did not work out (even the hash-link 799be0d.0 should be the same).

    But again no luck.
    I tried the same thing yesterday when I noticed the pre-installed Geotrust cert was slightly different than the downloaded one, and with the same result.

    Quote Originally Posted by CvvB View Post
    I am trying to figure out why should we keep updating leaf-certificate? SSL Chain Certificates validation should automagically grab the newest end-use certificate. I am actually trying to update openSSL on my Pre3

    Agreed. I have discussed updating OpenSSL too, but don't know what all to replace or how to get a new version compiled for the ARM chips used on the devices. I hope you are successful in doing this.

    Since the rest of the chain appears to be valid, and the openssl command-line process that downloads the certificates seems to be ok with the sha256 certificate from imap.gmail.com, I'm starting to get the feeling the problem lies within the mojomail-imap process (which is a binary, so patching may not be an option) not accepting the new sha256 certificate. I discovered a test page on Google's site ( https://cert-test.sandbox.google.com ) that says it is an sha256 test that loads successfully, but I haven't confirmed the cert it presents is really sha256. I checked in Chrome and I believe it uses the Google Internet Authority certificate, but didn't notice if it was sha1 or sha256.
    Last edited by Grabber5.0; 08/11/2015 at 09:45 AM.
    Preemptive likes this.
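
The observation in posts #282 and #284 (same subject, same key, same hash link, different issuer) and the SHA-1 versus SHA-256 question can be reproduced with throwaway certificates. This is an added example, not code from any poster: every name, key and file is constructed locally, and it shows that OpenSSL derives the hash link from the subject name only, so a self-signed CA certificate and its cross-signed twin share `<hash>.N` and must be told apart by issuer, fingerprint and signature algorithm.

```shell
#!/usr/bin/env bash
# Added example: all keys, names and certificates are generated locally (constructed data).
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

subject_hash()   { openssl x509 -in "$1" -noout -subject_hash; }
issuer_hash()    { openssl x509 -in "$1" -noout -issuer_hash; }
sig_alg()        { openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'; }
# Name comparison only: "self-issued" means subject == issuer, not a signature check.
is_self_issued() { [ "$(subject_hash "$1")" = "$(issuer_hash "$1")" ] && echo yes || echo no; }

# Link a cert into an OpenSSL CApath directory as <subject_hash>.N, taking the
# first free N. This is how two certs with one subject name coexist.
link_into_capath() {
  local cert=$1 dir=$2 h n=0
  h=$(subject_hash "$cert")
  while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
  ln -s "$cert" "$dir/$h.$n"
  echo "$h.$n"
}

old_subj="/O=Demo Old Root/CN=Demo Old Root CA"    # plays the older issuing CA
new_subj="/O=Demo New CA/CN=Demo New Global CA"    # plays the CA that exists in two forms

# Older root, self-signed.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "$old_subj" \
  -keyout "$work/old.key" -out "$work/old-root.pem" 2>/dev/null
# Newer CA, self-signed form (longer validity).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 60 -subj "$new_subj" \
  -keyout "$work/new.key" -out "$work/new-selfsigned.pem" 2>/dev/null
# Same subject and same key, but issued (cross-signed) by the older root.
openssl req -new -key "$work/new.key" -subj "$new_subj" -out "$work/new.csr" 2>/dev/null
openssl x509 -req -in "$work/new.csr" -CA "$work/old-root.pem" -CAkey "$work/old.key" \
  -CAcreateserial -sha256 -days 30 -out "$work/new-cross.pem" 2>/dev/null

# Both forms land on the same hash; only the .N suffix and the issuer differ.
mkdir "$work/capath"
for c in new-selfsigned new-cross; do
  f="$work/$c.pem"
  printf '%-16s link=%s self-issued=%s sig=%s\n' "$c" \
    "$(link_into_capath "$f" "$work/capath")" "$(is_self_issued "$f")" "$(sig_alg "$f")"
  openssl x509 -in "$f" -noout -issuer -fingerprint -sha256
done
```

Running `sig_alg` on a certificate saved from a server answers the "is it really sha256" question directly, and swapping which file sits behind `<hash>.0` changes which issuer the chain then depends on.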
  5. #285  
    Attention folks coming late to this conversation: a brief summary...

    - we have been discussing (and installing) new security certs to overcome the issue with yellow triangles. I think the latest, which we are calling #5 ( available in post #241) is enough to restore functionality. The how-to specifics are in this thread, (save file to pc, rename google5.pem, transfer using PC connection to device via USB, trust with DeviceInfo/Peers/Cert Mgr/+) It's currently "fixable" but still recurring until a permanent solution is identified.

    - please don't forget that you can still access your gmail through the web browser, regardless of the yellow triangle condition in your email app. I've bookmarked my gmail inbox and have been able to access it directly without problem, don't even have to sign in each time. You just don't have incoming mail notification, otherwise it's working.

    I'm wondering how the browser is not having security issues, but idk. Stay tuned for updates.
    Last edited by TJs11thPre; 08/12/2015 at 02:36 AM.
    Sporting my 13th Pre device, a NOS unlocked ROW Pre3!
    chbaz2 likes this.
  6. #286  
    Quote Originally Posted by Grabber5.0 View Post
    Since the rest of the chain appears to be valid, and the openssl command-line process that downloads the certificates seems to be ok with the sha256 certificate from imap.gmail.com, I'm starting to get the feeling the problem lies within the mojomail-imap process (which is a binary, so patching may not be an option) not accepting the new sha256 certificate. I discovered a test page on Google's site ( https://cert-test.sandbox.google.com ) that says it is an sha256 test that loads successfully, but I haven't confirmed the cert it presents is really sha256. I checked in Chrome and I believe it uses the Google Internet Authority certificate, but didn't notice if it was sha1 or sha256.
    So you are suggesting that the certs and OpenSSL are working, but that the webOS cert manager is not activating the SHA256 function correctly (or maybe not at all)?

    If I read that right and the manager is (non-patchable) binary code, my suggestion on the general security thread was that it might be possible to use the cert manager from LuneOS (assuming they already have one). This might make an OSSL update unnecessary (though obviously welcome), but of course an updated manager might require an updated OSSL. I'd love to think that code parts were like Lego bricks, but it seems some 'shimming' is often required.
  7. #287  
    Quote Originally Posted by Preemptive View Post
    So you are suggesting that the certs and OpenSSL are working, but that the webOS cert manager is not activating the SHA256 function correctly (or maybe not at all)?

    If I read that right and the manager is (non-patchable) binary code, ...
    No, the cert manager and SSL seem to have no problem with sha256 certs. I was talking about the email IMAP module that actually makes the https connection (which, it could quite possibly farm out to another module). If that page is correct, the browser appears to accept sha256 certs as well.
    Now, if the email module could be back-ported, that could be interesting. I didn't suggest that earlier, as I could be wrong about where the problem lies.
    Preemptive likes this.
  8. #288  
    Quote Originally Posted by Preemptive View Post
    So you are suggesting that the certs and OpenSSL are working, but that the webOS cert manager is not activating the SHA256 function correctly (or maybe not at all)?

    If I read that right and the manager is (non-patchable) binary code, my suggestion on the general security thread was that it might be possible to use the cert manager from LuneOS (assuming they already have one). This might make an OSSL update unnecessary (though obviously welcome), but of course an updated manager might require an updated OSSL. I'd love to think that code parts were like Lego bricks, but it seems some 'shimming' is often required.
    We do have a new cert manager in LuneOS since HP didn't open source the legacy one. It's still quite limited though compared to legacy. It's written in C++ and only imports and lists installed certs. It doesn't display cert details yet from what I've seen. I think the solution needs to come from elsewhere in the system. The cert manager itself doesn't do much really except for importing, listing, deleting and viewing certs into a central storage location.

    -- Sent from my Palm Veer using Forums
    HP Veer (daily driver), HP Pre 3, HP Touchpad Proper 4G/LTE (Sierra MC7710), HP Touchpad 32GB WiFi, Palm Pre 2
    Preemptive likes this.
  9. #289  
    Ah, I see. Yes, I suppose that makes sense: The certificates just have to... match? Processing is done as needed then it's the actual email app making the secure connection. Hmmm. Well that might even be an easier backport. I'll add a note to the other thread.

    I noticed this recently: JMAP (because there's not enough javascript in the world!)

    Maybe it's better? It's not binary for a start. I'm not clear who (aside from Fastmail) is using it or if it's actually compatible with IMAP (i.e. use a JMAP client and get IMAP access). It's aiming to be protocol compatible, it seems...

    EDIT:...I get the feeling it makes for easy migration rather than being directly compatible - maybe too far ahead of the curve right now.

    Do you know of any email developers? ( cough, cough )
    Last edited by Preemptive; 08/11/2015 at 04:17 PM.
  10. #290  
    I need to boot up LuneOS and see if the email app there has the same problems with Gmail's certificates...
    Preemptive and TJs11thPre like this.
  11. #291  
    I'm happy to report that the LuneOS Bombon email app downloaded my email with no issues after I added my gmail account. No certificates had to be installed, and none are reported by the certificate section of the settings app.

    Send doesn't work yet (in my experience), and right now is causing a Luna Next restart.
    Last edited by Grabber5.0; 08/11/2015 at 04:40 PM.
    Preemptive likes this.
  12. #292  
    It's still bugging me (in my ignorance!).

    If the certificate approval process (involving the Cert. manager & OpenSSL) is working, then it DOES suggest a problem with the email app. But if the problem is with that app either failing to present new certs to the manager or failing to present or match approved certs in the connection process, why does manually importing and approving certificates work at all? (if only temporarily for Google). Also, Yahoo still works - was that not an SHA256 upgrade? If it were SHA1, I would assume it would have worked automatically as before and no problem would have been noticed.

    I don't have your software skills, but looking at it as a 'black box', I'd first guess, "The same problem as Yahoo" and the solution seemed to work at first. The need to keep putting in new certs suggested, "Google messing about". That a fix which works for Yahoo seems only temporary for Google... still seems to point the finger at Google.

    Of course there is the fundamental issue of, "Why aren't the certificates simply updated automatically?" If you are getting it to work via the command line, then are you including a specific SHA256 instruction? Perhaps this instruction is not being issued by the manager or the email app - whichever is supposed to initiate the approval process?

    Sorry, I wish I had the expertise to help rather than just ask stupid questions!

    I'm just thinking: Yahoo breaks = some problem with either root certs or SHA256 approval. Workaround = manually import & approve. FIXED, but not solved...
    Google breaks = same problem? Old workaround works, then breaks, is applied multiple times...

    In the light of Yahoo, it seems there must be an issue in the SHA256 process & maybe it IS in the email app, but the intermittent Google issues... Maybe there is more than one problem here? Perhaps Google are doing some rolling update of the cert chain and the webOS problem means email breaks on each cert?

    I suppose fixing the fundamental SHA256 (or root cert) issue would hide all the new cert updates that Google seem to be supplying and we'd never even notice...
  13. #293  
    Google is indeed making frequent updates, but what I got from the articles I read makes me think it shouldn't be this frequently. https://konklone.com/post/why-google...-to-kill-sha-1

    To clarify about the cert manager, it is only there to display existing manually trusted certs and add new ones. It should not be involved in making SSL connections.
    Preemptive likes this.
  14. #294  
    GOOD NEWS at last. I just got my HP Touchpad Gmail app working again with the help of many posters here on this WebOS forum. I can't get into the details at this time except to say the latest google5 cert did the trick.
    No more yellow triangle and the Gmail is indeed working as it should...a MIRACLE! It's working for NOW, but who knows for how long. This has been a real learning curve for me.

    My sincere thanks to ALL who helped with this. This WebOS forum has saved the day.

    More later in my next post...
  15. #295  
    Quote Originally Posted by Grabber5.0 View Post
    Google is indeed making frequent updates, but what I got from the articles I read makes me think it shouldn't be this frequently. https://konklone.com/post/why-google...-to-kill-sha-1

    To clarify about the cert manager, it is only there to display existing manually trusted certs and add new ones. It should not be involved in making SSL connections.
    Yes, I was half thinking out loud there to clarify to myself that it's two problems.
    That article is a good read! I see what you mean about the change frequency, but the linked discussion does mention using certs with a life of days... maybe Google is doing that?

    On the plus side, the good news seems to be that webOS can support SHA256 - even if we are stuck with manually adding certificates.

    Also, the LuneOS email app can receive mail - that it crashes LunaNext when you try to send might be a bug in (unfinished) LuneOS - not necessarily in the app itself. So if it can be made available as an IPK, it might work OK on webOS..?
  16. #296  
    Quote Originally Posted by Preemptive View Post
    Also, the LuneOS email app can receive mail - that it crashes LunaNext when you try to send might be a bug in (unfinished) LuneOS - not necessarily in the app itself. So if it can be made available as an IPK, it might work OK on webOS..?
    Well, like webOS, I'd bet that the LuneOS email app is just a client, and the back-end process actually connects to the mail server to send and receive emails. I would be interested to know if that is compatible with webOS.
  17. #297  
    Quote Originally Posted by Grabber5.0 View Post
    Well, like webOS, I'd bet that the LuneOS email app is just a client, and the back-end process actually connects to the mail server to send and receive emails. I would be interested to know if that is compatible with webOS.
    I think by default LuneOS uses the unsecured GMail IMAP. That's why it works and it doesn't bother about certificates (at least on my N4 when I tried it last time)
    HP Veer (daily driver), HP Pre 3, HP Touchpad Proper 4G/LTE (Sierra MC7710), HP Touchpad 32GB WiFi, Palm Pre 2
    Rnp likes this.
  18. #298  
    Quote Originally Posted by Herrie View Post
    I think by default LuneOS uses the unsecured GMail IMAP. That's why it works and it doesn't bother about certificates (at least on my N4 when I tried it last time)
  19. #299  
    Quote Originally Posted by Grabber5.0 View Post
    I need to check to see if it works with a TLS/SSL one. I hope to get that tonight when I install the latest nightlies
    HP Veer (daily driver), HP Pre 3, HP Touchpad Proper 4G/LTE (Sierra MC7710), HP Touchpad 32GB WiFi, Palm Pre 2
  20. #300  
    Quote Originally Posted by Herrie View Post
    I need to check to see if it works with a TLS/SSL one. I hope to get that tonight when I install the latest nightlies
    Does it honor the settings you use when setting up the account manually? I recreated the account and selected SSL and it is still working.

    -- Sent from my Palm Pre3 using Forums
