  1. #301  
    OK, as we all know, we are now living in an Internet world that is being exploited and attacked by malware and malicious code writers with no end in sight. So now, we are faced with the situation of trusted certificates, and the need for frequent cert changing and updating. It seems that Google is at the cutting edge of this situation. On my HP Touchpad, I can see the expiration dates and details of all installed certificates.

    The cert of immediate concern is: imap.gmail.com. I believe we have been calling this the google5 cert. On my TP, the indicated expiration date is 11/05/2015, which is only 84 days from today. So on 11/5 we will need a new replacement cert for imap.gmail.com. It seems that any new certs will have to be downloaded and installed MANUALLY. My question is: how can we get/download this new cert? Does anyone here know the answer to this? I'm quite sure that some of you advanced tech guys must be on top of this. My thanks in advance for any help on this. I'm still on the learning curve with this SSL cert stuff.
  2. #302  
    if you open a command prompt and type

    openssl s_client -showcerts -connect pop.gmail.com:993

    you'll see it'll give various data, including the whole cert chain. So to get a new certificate, it's only required to copy the -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- part of the first cert and put it in a text file with a .pem extension.
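
The procedure in post #302 (run openssl s_client -showcerts, copy the first BEGIN/END block into a .pem file), done in Python so it can be scripted and checked instead of pasted by hand. This is an added example, not code from the thread or from any webOS project. It assumes an openssl binary on the PATH of the machine you run it on (a PC, not the device), and it uses the gmail1.pem-style file names that show up later in the thread. SAMPLE_SCLIENT_OUTPUT is constructed (fake certificate bodies, not real Google certificates) so the splitting and checking can be exercised offline.

```python
"""Fetch a mail server's certificate chain via openssl s_client and split it
into one PEM file per certificate (added example, not from the forum post)."""
import re
import subprocess
import sys
from pathlib import Path
from typing import List, Optional, Tuple

# One PEM certificate block; non-greedy so each block is matched separately.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.DOTALL)
# s_client's per-element chain header:  " 0 s:/C=US/.../CN=imap.gmail.com"
SUBJECT_RE = re.compile(r"^\s*(\d+) s:(.*)$", re.MULTILINE)
# s_client's overall verdict against the fetching machine's own root store.
VERIFY_RC_RE = re.compile(r"Verify return code: (\d+) \(([^)]*)\)")


def fetch_chain(host: str, port: int = 993, timeout: float = 20) -> str:
    """Run `openssl s_client -showcerts -connect host:port` and return stdout.
    stdin is closed so s_client exits instead of waiting for IMAP commands;
    -servername sends SNI so a multi-name host returns the right certificate."""
    cmd = ["openssl", "s_client", "-showcerts", "-servername", host,
           "-connect", f"{host}:{port}"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode("utf-8", errors="replace")


def split_pem_chain(sclient_output: str) -> List[str]:
    """Every PEM certificate in s_client output, in the order the server sent
    it: index 0 is the leaf (imap.gmail.com), the rest are intermediates."""
    return [m.group(0).replace("\r\n", "\n") + "\n"
            for m in PEM_RE.finditer(sclient_output)]


def chain_subjects(sclient_output: str) -> List[str]:
    """Subject of each chain element, same order as split_pem_chain()."""
    return [subj.strip() for _idx, subj in SUBJECT_RE.findall(sclient_output)]


def verify_return_code(sclient_output: str) -> Optional[Tuple[int, str]]:
    """(code, text) from the 'Verify return code' line, or None if absent."""
    m = VERIFY_RC_RE.search(sclient_output)
    return (int(m.group(1)), m.group(2)) if m else None


def chain_looks_verified(sclient_output: str) -> bool:
    """True only if the fetching machine's OpenSSL validated the chain (code 0).
    Anything s_client prints is just what the peer sent; this is the one check
    that it chained to a root you already trust before you go and trust it."""
    rc = verify_return_code(sclient_output)
    return rc is not None and rc[0] == 0


def save_chain(sclient_output: str, outdir: Path, basename: str,
               require_verified: bool = True) -> List[Path]:
    """Write leaf as <basename>1.pem, next as <basename>2.pem, ... and return
    the paths. Refuses to write an unverified chain unless told otherwise."""
    if require_verified and not chain_looks_verified(sclient_output):
        raise ValueError("chain did not verify on this machine; "
                         "inspect the s_client output before trusting it")
    certs = split_pem_chain(sclient_output)
    if not certs:
        raise ValueError("no certificate blocks in s_client output")
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, pem in enumerate(certs, start=1):
        path = outdir / f"{basename}{i}.pem"
        path.write_text(pem)
        paths.append(path)
    return paths


def cert_dates(pem_path: Path) -> str:
    """Subject and validity window, i.e. the 'expires 11/05/2015' check."""
    return subprocess.run(
        ["openssl", "x509", "-in", str(pem_path), "-noout", "-subject", "-dates"],
        capture_output=True, text=True, check=True).stdout


# Constructed sample in the shape of s_client output (fake certificate bodies).
SAMPLE_SCLIENT_OUTPUT = """CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
LEAFLEAFLEAF
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
INTERMEDIATE
-----END CERTIFICATE-----
---
    Verify return code: 0 (ok)
---
* OK Gimap ready
"""

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "imap.gmail.com"
    out = fetch_chain(host)
    for p in save_chain(out, Path("certs"), "gmail"):
        print(p, cert_dates(p), sep="\n")
```

Two things worth keeping in mind when using this. The server normally sends the leaf plus intermediates but not the root, so the GeoTrust Global CA root that post #308 lists has to come from the device's own store or from elsewhere; and because the email client only accepts an installed leaf that matches exactly, the saved gmail1.pem stops working the next time Google rotates the leaf (post #305), so the fetch has to be repeated, which is what the scripts discussed later in the thread are for.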
  3. #303  
    That is basically what my script does right now. My goal is to have it clean up any old certs and install the new one. Ideally I would like to have it run periodically so the user does not have to run it manually and trust the cert.
  4. #304  
    Quote Originally Posted by Jeff Marshall7 View Post
    OK, as we all know, we are now living in an Internet world that is being exploited and attacked by malware and malicious code writers with no end in sight. So now, we are faced with the situation of trusted certificates, and the need for frequent cert changing and updating. It seems that Google is at the cutting edge of this situation. On my HP Touchpad, I can see the expiration dates and details of all installed certificates.

    The cert of immediate concern is: imap.gmail.com. I believe we have been calling this the google5 cert. On my TP, the indicated expiration date is 11/05/2015, which is only 84 days from today. So on 11/5 we will need a new replacement cert for imap.gmail.com. It seems that any new certs will have to be downloaded and installed MANUALLY. My question is: how can we get/download this new cert? Does anyone here know the answer to this? I'm quite sure that some of you advanced tech guys must be on top of this. My thanks in advance for any help on this. I'm still on the learning curve with this SSL cert stuff.
    Yes, your option at the moment is to note the expiry dates in your calendar and manually update as required.

    I suppose it's possible to then set the script proposed above to run on those dates. I suppose a really ambitious program would scan expiry dates and set itself up, but on the other hand, if the email program can be fixed or replaced, the certs would just be automatically approved (maybe not the roots, but that's a less frequent problem).

    Just to cheer you up: Certificate Authorities are actually a tremendous problem
    Last edited by Preemptive; 08/13/2015 at 03:36 PM.
  5. #305  
    If I may shoot holes in that idea, they have been updating the certificates every few days - long before their expiration date.
  6. #306  
    Oh, yeah... good point! I've been assuming this was a bit of transitional turmoil...

    Well, there's still that slim hope of the LuneOS email app...
  7. #307  
    Okay, so we need the certificate for imap.google.com.

    I have just deleted any certificate I installed, rebooted.
    Can still browse to mail.google.com

    Mail cannot connect to imap.xs4all.nl nor imap.google.com

    Imported the certificate for *.xs4all.nl

    I can get my mail for xs4all

    Will try the other certificate later

  8. #308  
    Quote Originally Posted by horzel View Post
    Okay, so we need the certificate for imap.google.com.

    I have just deleted any certificate I installed, rebooted.
    Can still browse to mail.google.com

    Mail cannot connect to imap.xs4all.nl nor imap.google.com

    Imported the certificate for *.xs4all.nl

    I can get my mail for xs4all

    Will try the other certificate later

    You'll need 4 for GMail to work properly (sending + receiving):
    1 for smtp: smtp.gmail.com
    1 for imap: imap.gmail.com

    The following 2 are required for both imap and smtp but are identical for both:
    GeoTrust Global CA
    Google Internet Authority G2
  9. #309  
    Quote Originally Posted by Preemptive View Post
    I suppose it's possible to then set the script proposed above to run on those dates. I suppose a really ambitious program would scan expiry dates and set itself up...
    Quote Originally Posted by Grabber5.0 View Post
    If I may shoot holes in that idea, they have been updating the certificates every few days - long before their expiration date.
    Of course the certificates do not have to be updated based on the expiry date. If you had a script that updates them daily (whether currently required or not) you should - as a result - always have an updated certificate. There shouldn't be any problem (as far as I know with my limited knowledge on this subject) with updating the certificate regularly even when it's not strictly needed. With a back-end you could make this interval user-defined (with the option to update manually if the interval is too long).

    And if you want to be even more ambitious you could expand the existing email client. The expansion/patch would respond to specific errors by updating the related certificates as part of the error-response. That way certificates would always be updated when needed.

    But yeah...that would be quite an ambitious project. Not impossible (I think), but ambitious.
    Last edited by Misj'; 08/14/2015 at 07:18 AM.
  10. #310  
    I made some analysis based on suggestions in this and related threads and logs.

    Analysis:
    mojomail-imap logs (without installed gmail1.pem), if anyone interested:
    Code:
    mojomail-imap: {libpalmsocket}: crypto_do_SSL_handshake (fsm=0x152fc0): ENTERING: connKind=2, openSSL state=4640 (SSLv2/v3 read server hello A)
    mojomail-imap: {libpalmsocket}: crypto_do_SSL_handshake (fsm=0x152fc0): SSL_do_handshake() return=-1, errno=11
    mojomail-imap: {libpalmsocket}: psl_err_get_and_process_SSL_channel_error (fsm=0x152fc0): SSL is waiting for readable sock
    mojomail-imap: {libpalmsocket}: crypto_update_multi_fd_watch_giocondition (fsm=0x152fc0): same as last, skipping: GIOCondition=0x1
    mojomail-imap: {libpalmsocket}: crypto_do_SSL_handshake (fsm=0x152fc0): LEAVING: handshakeFinished=0, PslError=0 (ok), openSSL state=4400 (SSLv3 read server certificate A)
    mojomail-imap: {libpalmsocket}: FSM.PSL_CHAN(0x152fc0/c=0x152aa8): <-- <HANDLED> (EVT.30 ==> CRYPTO_CONN)
    mojomail-imap: {libpalmsocket}: FSM.PSL_CHAN(0x152fc0/c=0x152aa8): EVT.30 ==> CRYPTO_CONN
    mojomail-imap: {libpalmsocket}: crypto_do_SSL_handshake (fsm=0x152fc0): ENTERING: connKind=2, openSSL state=4400 (SSLv3 read server certificate A)
    mojomail-imap: {libpalmsocket}: crypto_ssl_peer_verify_callback (fsm=0x152fc0): ENTERING: preverify_ok=1, x509_ctx=0x7eb30574
    mojomail-imap: {libpalmsocket}: crypto_ssl_peer_verify_callback (fsm=0x152fc0): Detected start of a new verification session: first_verify_session=1, openSSL state=4401 (SSLv3 read server certificate B)
    mojomail-imap: {libpalmsocket}: crypto_ssl_peer_verify_callback (fsm=0x152fc0): On entry: preverify_ok=1, x509Error=0 (ok); depth=3; subj='[OBFUSCATED]'; issuer='[OBFUSCATED]'
    mojomail-imap: {libpalmsocket}: crypto_ssl_peer_verify_callback (fsm=0x152fc0): LEAVING: preverify_ok=1, PslError=0 (ok), X509_V_ERR_=0 (ok)
    mojomail-imap: {libpalmsocket}: crypto_ssl_peer_verify_callback (fsm=0x152fc0): ENTERING: preverify_ok=1, x509_ctx=0x7eb30574
    mojomail-imap: {libpalmsocket}: crypto_ssl_peer_verify_callback (fsm=0x152fc0): On entry: preverify_ok=1, x509Error=0 (ok); depth=2; subj='[OBFUSCATED]'; issuer='[OBFUSCATED]'
    mojomail-imap: {libpalmsocket}: crypto_ssl_peer_verify_callback (fsm=0x152fc0): LEAVING: preverify_ok=1, PslError=0 (ok), X509_V_ERR_=0 (ok)
    mojomail-imap: {libpalmsocket}: crypto_ssl_peer_verify_callback (fsm=0x152fc0): ENTERING: preverify_ok=1, x509_ctx=0x7eb30574
    mojomail-imap: {libpalmsocket}: crypto_ssl_peer_verify_callback (fsm=0x152fc0): On entry: preverify_ok=1, x509Error=0 (ok); depth=1; subj='[OBFUSCATED]'; issuer='[OBFUSCATED]'
    mojomail-imap: {libpalmsocket}: crypto_ssl_peer_verify_callback (fsm=0x152fc0): LEAVING: preverify_ok=1, PslError=0 (ok), X509_V_ERR_=0 (ok)
    mojomail-imap: {libpalmsocket}: crypto_ssl_peer_verify_callback (fsm=0x152fc0): ENTERING: preverify_ok=0, x509_ctx=0x7eb30574
    mojomail-imap: {libpalmsocket}: crypto_ssl_peer_verify_callback (fsm=0x152fc0): On entry: preverify_ok=0, x509Error=7 (certificate signature failure); depth=0; subj='[OBFUSCATED]'; issuer='[OBFUSCATED]'
    mojomail-imap: {libpalmsocket}: crypto_resolve_peer_cert_error (fsm=0x152fc0): ENTERING: PslError=23 (Certificate verification failed), X509_V_ERR_=7 (certificate signature failure)
    mojomail-imap: {libpalmsocket}: crypto_resolve_peer_cert_error (fsm=0x152fc0): kPmSockCertVerifyOpt_fallbackToInstalledLeaf: attempting to supressed PslError=23 (Certificate verification failed), X509_V_ERR_=7 (certificate signature failure)
    mojomail-imap: {libpalmsocket}: PmSockOpensslMatchCertInStore: x509StoreCtx=0x7eb30574, cert=0x155e28, matchOpts=0x0
    mojomail-imap: {libpalmsocket}: PmSockOpensslMatchCertInStore (cert=0x155e28): cert not found: X509_LU_=0
    mojomail-imap: {libpalmsocket}: crypto_resolve_peer_cert_error (fsm=0x152fc0): ERROR: kPmSockCertVerifyOpt_fallbackToInstalledLeaf: unable to supress cert verification error
    mojomail-imap: {libpalmsocket}: crypto_resolve_peer_cert_error (fsm=0x152fc0): LEAVING: preverify_ok=0, PslError=23 (Certificate verification failed), X509_V_ERR_=7 (certificate signature failure)
    mojomail-imap: {libpalmsocket}: crypto_ssl_peer_verify_callback (fsm=0x152fc0): Detected end of verification session: openSSL state=4401 (SSLv3 read server certificate B)
    mojomail-imap: {libpalmsocket}: crypto_ssl_peer_verify_callback (fsm=0x152fc0): LEAVING: preverify_ok=0, PslError=23 (Certificate verification failed), X509_V_ERR_=7 (certificate signature failure)
    mojomail-imap: {libpalmsocket}: crypto_do_SSL_handshake (fsm=0x152fc0): SSL_do_handshake() return=-1, errno=0
    mojomail-imap: {libpalmsocket}: psl_err_process_and_purge_openssl_err_stack (client=0x152fc0): ERROR from openssl error-stack (raw) 218910881 (0xd0c50a1); lib=13, func=197, reason=161 (error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm)
    mojomail-imap: {libpalmsocket}: psl_err_process_and_purge_openssl_err_stack (client=0x152fc0): ERROR from openssl error-stack (raw) 336134278 (0x14090086); lib=20, func=144, reason=134 (error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)
    mojomail-imap: {libpalmsocket}: crypto_do_SSL_handshake (fsm=0x152fc0): LEAVING: handshakeFinished=1, PslError=29 (Non-specific SSL protcol error), openSSL state=4401 (SSLv3 read server certificate B)
    mojomail-imap: {libpalmsocket}: FSM.PSL_CHAN(0x152fc0/c=0x152aa8): requesting transition to CRYPTO_FAIL
    mojomail-imap: {libpalmsocket}: FSM.PSL_CHAN(0x152fc0/c=0x152aa8): EVT.EXIT ==> CRYPTO_CONN
    mojomail-imap: {libpalmsocket}: crypto_reset_multi_fd_watch (fsm=0x152fc0): resetting multi-fd-watch
    mojomail-imap: {libpalmsocket}: psl_multi_fd_watch_reset (watch=0x1500d8): ENTERING
    mojomail-imap: {libpalmsocket}: FSM.PSL_CHAN(0x152fc0/c=0x152aa8): <-- <HANDLED> (EVT.EXIT ==> CRYPTO_CONN)
    mojomail-imap: {libpalmsocket}: FSM.PSL_CHAN(0x152fc0/c=0x152aa8): <-- <HANDLED> (EVT.30 ==> CRYPTO_CONN)
    mojomail-imap: {libpalmsocket}: FSM.PSL_CHAN(0x152fc0/c=0x152aa8): EVT.ENTER ==> CRYPTO_FAIL
    mojomail-imap: {libpalmsocket}: FSM.PSL_CHAN(0x152fc0/c=0x152aa8): <-- <HANDLED> (EVT.ENTER ==> CRYPTO_FAIL)
    mojomail-imap: {libpalmsocket}: FSM.PSL_CHAN(0x152fc0/c=0x152aa8): EVT.BEGIN ==> CRYPTO_FAIL
    mojomail-imap: {libpalmsocket}: FSM.PSL_CHAN(0x152fc0/c=0x152aa8): <-- <HANDLED> (EVT.BEGIN ==> CRYPTO_FAIL)
    mojomail-imap: {libpalmsocket}: FSM.PSL_CHAN(0x152fc0/c=0x152aa8): Entry completed; current state is CRYPTO_FAIL
    mojomail-imap: {libpalmsocket}: psl_chan_fsm_dispatch_completion_cb (fsm=0x152fc0/ch=0x152aa8): Dispatching 'connect' callback to legacy user: PslError=29 (Non-specific SSL protcol error)
    So I think "unknown message digest algorithm" shows what Gmail changed in June.
    Changing the digest algorithm isn't a problem in general, but it seems our version of OpenSSL is buggy.

    Looking into the libpalmsocket source (psl_channel_fsm_crypto.c) we can see why email works with manual installation of the certificate (note: mojomail and libpalmsocket were open-sourced and are being used in LuneOS).
    Despite the OpenSSL error, libpalmsocket will accept the certificate if it can find a matching one.

    If we connect to Gmail forcing SSL, we will get this error:
    Code:
    openssl s_client -showcerts -connect imap.gmail.com:993 -ssl3
    CONNECTED(00000003)
    depth=3 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    verify return:1
    depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    verify return:1
    depth=1 /C=US/O=Google Inc/CN=Google Internet Authority G2
    verify return:1
    depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
    verify return:1
    10299:error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message:s3_both.c:428:
    This bug was reported in 2007 (see #1576) and solved on the same day (see "Update ssl code to support digests other than MD5+SHA1 in handshake").
    So we need to update OpenSSL, or backport this patch. The problem is it was included only in OpenSSL starting from 1.0.0, which isn't compatible with 0.9.8.
    I tried to point mojomail-imap to a libpalmsocket.so linked against OpenSSL 1.0 (from LuneOS), but this doesn't work for me because the email app requested to trust the new certificates, and the certificate manager on my TP is broken, so I can't do this.
    I guess this way doesn't simply work because there will be a conflict between certificates for different OpenSSL versions.

    Another way, which worked for me, is to run mojomail-imap in a separate environment, configured to use a newer OpenSSL.

    Proof-of-concept:
    This can be easily tested by users who have a LuneOS installation.
    Mount your LuneOS partition and copy chroot.sh into it (adjust CHROOT to the LuneOS mount point).
    Rename /usr/bin/mojomail-imap (and kill it) so it doesn't interfere with the one in the chroot.
    In the device terminal navigate to chroot.sh and execute
    Code:
    source chroot.sh
    mojomail-imap
    Then you can open the email app and make sure it works without any Gmail certificate. (Note: mojomail-imap can exit after some period of inactivity.)
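
Reading the log in post #310 by hand means scanning forty lines of state-machine chatter for the few that matter. The Python below is an added example (not from the post, and not code from libpalmsocket or mojomail) that pulls out the verify-callback verdict for each chain depth, the outcome of the installed-leaf fallback, and the purged OpenSSL error stack, and decodes the packed error codes the way ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON do in the 0.9.8 and 1.0.x layout (8 bits library, 12 bits function, 12 bits reason). That reproduces the lib=13, func=197, reason=161 the log prints next to 0x0D0C50A1. SAMPLE_LOG is an excerpt of the post's own lines; S_CLIENT_LINE is the error line from the -ssl3 s_client run quoted in the same post. The small name tables cover only the constants that appear here.

```python
"""Summarise a libpalmsocket / mojomail-imap TLS failure log (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Verify-callback entry for one chain element: x509Error, its text, the depth.
VERIFY_RE = re.compile(r"x509Error=(\d+) \(([^)]*)\); depth=(\d+)")
# OpenSSL error string: error:<8 hex>:<library>:<function>:<reason>
OSSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:)\n]+)")

# ERR_LIB_* values for the libraries that show up in these logs.
LIB_NAMES = {11: "X509", 13: "ASN1", 20: "SSL"}
# X509_V_ERR_* values seen in practice when a chain does not verify.
X509_V_ERR_NAMES = {
    0: "X509_V_OK",
    7: "X509_V_ERR_CERT_SIGNATURE_FAILURE",
    9: "X509_V_ERR_CERT_NOT_YET_VALID",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}


def decode_openssl_error(code: int) -> Tuple[int, int, int]:
    """Split a packed OpenSSL 0.9.8/1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def chain_verdicts(log: str) -> List[Tuple[int, int, str]]:
    """(depth, x509Error, text) per verify-callback entry, in the order OpenSSL
    walks the chain: the root at the highest depth first, the leaf at depth 0."""
    return [(int(d), int(e), txt) for e, txt, d in VERIFY_RE.findall(log)]


def first_failure(log: str) -> Optional[Tuple[int, int, str]]:
    """The first chain element whose x509Error is non-zero, or None."""
    for depth, err, txt in chain_verdicts(log):
        if err != 0:
            return depth, err, txt
    return None


def openssl_errors(log: str) -> List[Dict[str, object]]:
    """Each 'error:XXXXXXXX:...' entry with its numeric fields decoded. The
    first entry is the root cause; later ones are wrapped around it."""
    out = []
    for hexcode, lib_name, func_name, text in OSSL_ERR_RE.findall(log):
        code = int(hexcode, 16)
        lib, func, reason = decode_openssl_error(code)
        out.append({"code": code, "lib": lib, "func": func, "reason": reason,
                    "lib_name": lib_name, "func_name": func_name,
                    "text": text.strip()})
    return out


def leaf_fallback_failed(log: str) -> bool:
    """True when libpalmsocket tried kPmSockCertVerifyOpt_fallbackToInstalledLeaf
    and found no matching installed certificate, so the error stood."""
    return "fallbackToInstalledLeaf" in log and "cert not found" in log


def summarize(log: str) -> Dict[str, object]:
    """The facts a reader wants from the log, as one small dict."""
    fail = first_failure(log)
    errs = openssl_errors(log)
    return {
        "failed_depth": fail[0] if fail else None,
        "x509_error": fail[1] if fail else None,
        "x509_error_name": X509_V_ERR_NAMES.get(fail[1], fail[2]) if fail else None,
        "root_cause": errs[0]["text"] if errs else None,
        "root_cause_lib": LIB_NAMES.get(errs[0]["lib"], str(errs[0]["lib"])) if errs else None,
        "leaf_fallback_failed": leaf_fallback_failed(log),
    }


# Excerpt of the log quoted in the post above (the informative lines only).
SAMPLE_LOG = """\
mojomail-imap: {libpalmsocket}: crypto_ssl_peer_verify_callback (fsm=0x152fc0): On entry: preverify_ok=1, x509Error=0 (ok); depth=3; subj='[OBFUSCATED]'; issuer='[OBFUSCATED]'
mojomail-imap: {libpalmsocket}: crypto_ssl_peer_verify_callback (fsm=0x152fc0): On entry: preverify_ok=1, x509Error=0 (ok); depth=2; subj='[OBFUSCATED]'; issuer='[OBFUSCATED]'
mojomail-imap: {libpalmsocket}: crypto_ssl_peer_verify_callback (fsm=0x152fc0): On entry: preverify_ok=1, x509Error=0 (ok); depth=1; subj='[OBFUSCATED]'; issuer='[OBFUSCATED]'
mojomail-imap: {libpalmsocket}: crypto_ssl_peer_verify_callback (fsm=0x152fc0): On entry: preverify_ok=0, x509Error=7 (certificate signature failure); depth=0; subj='[OBFUSCATED]'; issuer='[OBFUSCATED]'
mojomail-imap: {libpalmsocket}: crypto_resolve_peer_cert_error (fsm=0x152fc0): kPmSockCertVerifyOpt_fallbackToInstalledLeaf: attempting to supressed PslError=23 (Certificate verification failed), X509_V_ERR_=7 (certificate signature failure)
mojomail-imap: {libpalmsocket}: PmSockOpensslMatchCertInStore (cert=0x155e28): cert not found: X509_LU_=0
mojomail-imap: {libpalmsocket}: psl_err_process_and_purge_openssl_err_stack (client=0x152fc0): ERROR from openssl error-stack (raw) 218910881 (0xd0c50a1); lib=13, func=197, reason=161 (error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm)
mojomail-imap: {libpalmsocket}: psl_err_process_and_purge_openssl_err_stack (client=0x152fc0): ERROR from openssl error-stack (raw) 336134278 (0x14090086); lib=20, func=144, reason=134 (error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)
"""

# The error line from the -ssl3 s_client run quoted in the post.
S_CLIENT_LINE = "10299:error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message:s3_both.c:428:"

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

What the decoded output says about this log: depths 3, 2 and 1 verify cleanly and only depth 0 fails, so it is the leaf certificate's signature that the device's OpenSSL cannot check; the first entry on the error stack comes from the ASN.1 verify routine and literally says the library does not know the message digest named in that signature, while the second entry from the SSL routines is just the handshake reporting that verification failed. That matches the poster's reading, and it also explains why installing the exact leaf works: the fallbackToInstalledLeaf path suppresses the verify error when the presented leaf is found in the store, and stops working as soon as Google rotates the leaf.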
  11. #311  
    I tried what mazzinia suggested in his post #302, but in my Windows 7 command prompt window (version 6.1.7601) it said "openssl is not a recognized internal or external command" and it could not proceed. I typed the entire line exactly as he suggested, but it did not work. So maybe I'm doing something wrong?
  12. #312  
    Quote Originally Posted by Jeff Marshall7 View Post
    I tried what mazzinia suggested in his post #302, but in my Windows 7 command prompt window (version 6.1.7601) it said "openssl is not a recognized internal or external command" and it could not proceed. I typed the entire line exactly as he suggested, but it did not work. So maybe I'm doing something wrong?
    You need to download and extract openssl and run it from the directory where openssl is located.
  13. #313  
    Quote Originally Posted by Jeff Marshall7 View Post
    I tried what mazzinia suggested in his post #302, but in my Windows 7 command prompt window (version 6.1.7601) it said "openssl is not a recognized internal or external command" and it could not proceed. I typed the entire line exactly as he suggested, but it did not work. So maybe I'm doing something wrong?

    To do that in Windows, you need to install OpenSSH for windows. You can also run this command directly on your device by opening a command prompt from WebOSQuickInstall. The syntax is identical.
  14. #314  
    (responding to NIN_ru's post)

    Hmmm...

    Well if I understand that correctly, then this is a bug in OpenSSL. I've noticed that there were two 'parallel' versions: the 0.9x that are possibly for embedded/mobile devices and the 1.x - perhaps for desktop systems or maybe it's ARM vs x86 chipsets, I don't know.. OH! maybe not because 1.0 is running on LuneOS.

    So the good news/bad news is that LuneOS should work OK, but on webOS we are stuck with the work around UNLESS some brave soul installs OSSL 1.x then updates everything that uses it (mail + browser for a start). At this point, the idea of back porting LuneOS... nah it'll never happen, but maybe bits would work? Install OSSL alongside the legacy version and the LuneOS email app (if that's the open-sourced mojomail)?

    So it seems Grabber5.0's script is the practical solution and maybe Misj's suggestion of user-set auto/timed updates is the best idea for frequency?

    A shame that a proper fix seems possible but likely impractical.

    @NIN_ru: Is this of any use? http://preware.pivotce.com/package/mobi.optware.openssl It's not clear what it is for or how it differs from the standard version.
    Last edited by Preemptive; 08/14/2015 at 11:08 AM.
  15. #315  
    From what I can see, all the certs in the cert chain have expiration dates, but it appears that the imap.gmail.com cert is the one that is being frequently changed and updated by Google. Apparently, they can update that cert anytime they want for any reason.
  16. #316  
    Quote Originally Posted by Jeff Marshall7 View Post
    I tried what mazzinia suggested in his post #302, but in my Windows 7 command prompt window (version 6.1.7601) it said "openssl is not a recognized internal or external command" and it could not proceed. I typed the entire line exactly as he suggested, but it did not work. So maybe I'm doing something wrong?
    To clarify:
    Open Secure Shell (OSSH) is a means to connect to your phone/tablet/other_computer from your PC and execute commands remotely via a command line interface.

    Open Secure Sockets Layer (OSSL) is a library of cryptographic functions.

    Your error suggests that you have not extracted OSSL.exe to your desktop and run it. Perhaps you are typing the command into the standard Windows command line terminal by mistake? I'm assuming that you are attempting the method for Fixing Yahoo mail on a Windows 7 machine. OpenSSL is not included and I don't think it can be directly accessed via the terminal (unless maybe you first run it from the CLI). The easiest thing is just to run the stand-alone program from the desktop and use the CLI offered by OSSL.exe.

    You could use OSSH to connect to your phone and query the version of OSSL that's already on it, then create certs via the command line or whatever, but I suspect your skill level is closer to mine: doing most of the work using GUIs and transferring your certificates over USB to be approved on device is probably a simpler process if you're unfamiliar with the command line.
    Last edited by Preemptive; 08/14/2015 at 10:17 AM.
  17. #317  
    Quote Originally Posted by Grabber5.0 View Post
    That is basically what my script does right now. My goal is to have it clean up any old certs and install the new one. Ideally I would like to have it run periodically so the user does not have to run it manually and trust the cert.
    Wait what? Are you making something "automagical" for us? Yesssss!


    My primary question right now is, how is the browser able to function without these security issues that the email app has? Isn't that the secret to a solution?
  18. #318  
    Well, I'm not that properly versed in the command line interface. On my PC, I pressed the Windows key and typed CMD to open the command line window, and then I entered the line that was suggested by mazzinia in post #302.
    I think only the latest version (5.0?) of the DOS commands are recognized. I think I tossed out my old DOS books a long time ago. I'm not a programmer and I know nothing about C or C+. So for me the USB connection from PC to Touchpad tablet is the only way I can install any kind of upgrade. But I do appreciate your input.
  19. #319  
    My HP Touchpad is set up for Gmail IMAP SSL and TLS, so I will definitely need the latest Gmail certs. In my opinion, Grabber5.0 has the right idea with the creation of an auto-updating program since these certs are going to be an endless problem with updates.
  20. #320  
    Quote Originally Posted by Jeff Marshall7 View Post
    Well, I'm not that properly versed in the command line interface. On my PC, I pressed the Windows key and typed CMD to open the command line window, and then I entered the line that was suggested by mazzinia in post #302.
    I think only the latest version (5.0?) of the DOS commands are recognized. I think I tossed out my old DOS books a long time ago. I'm not a programmer and I know nothing about C or C+. So for me the USB connection from PC to Touchpad tablet is the only way I can install any kind of upgrade. But I do appreciate your input.
    Yes, may I politely point out, you are doing it wrongly.

    Windows has an SSL built into it, but it is their own, Microsoft version. Maybe it's possible to query it directly, I don't know, but Linux systems like webOS use the open-source version. On a Linux machine, you could simply enter the commands in the standard terminal. On a Windows machine, you can run the version of OSSL for Windows.

    When you run OpenSSL.exe on your Windows machine, it should open its own CLI and accept the commands. You should see the prompt, OpenSSL>. DON'T go via the standard Windows terminal.

    Also note: If you are using the IMAP protocol, that is how you need to alter the command:
    s_client -showcerts -connect imap.gmail.com:993
    Last edited by Preemptive; 08/14/2015 at 11:16 AM.
