  1.    #1  


    Lately, more and more webOS users have been experiencing the "error: requested encryption not supported by server" in the mail application, aka "the yellow triangle of death" (see webOS Nation thread).

    TL;DR; Major servers on the web are moving away from SHA-1 to SHA-256 certificates. However, legacy webOS devices cannot natively process SHA-256 certificates, forcing users to trust server-presented certificates in their devices on a regular basis to keep their mail application working... No-one can survive that, not for long!

    OpenSSL-Updater is a system-wide solution for webOS 1.x/2.x/3.x that brings SHA-256 certificates digest capability from the latest OpenSSL 0.9.8 release to your webOS smartphone/tablet (this is not to be confused with the optware version that gets installed in /opt).


    Alpha Test

    OpenSSL-Updater is currently in alpha test.

    At the moment, to get OpenSSL-Updater, you have to enable the alpha feeds in Preware. To do so, please follow these instructions. Then enable the "alpha-apps" feed.

    Ideally, testing shall be conducted as follows (one step at a time, only a single parameter change per step):
    • without the app installed, remove installed certs until you get the issue (yellow triangle, "error: requested encryption not supported by server", ...)
    • install the app and verify the issue does not happen anymore
    • remove the app, the issue shall be back


    Alpha testers, please report issues directly in GitHub (can you also identify in this thread or PM me, we're not so many left in the field and your feedback is needed so we can safely move out of alpha/beta...)

    Any other information/request you would like to share/ask, please report in this thread.


    Installation / Removal

    Just install OpenSSL-Updater from Preware.

    To return your device to its original, unpatched state, simply uninstall the application (either directly from the device, through Preware or via the "palm-install -r org.webosinternals.openssl-updater" command).

    A system reboot is required after installation/removal, as running programs will see their OpenSSL dynamic libraries change (and most certainly crash). This is automagically performed by the end of the installation/removal process.


    Documentation

    The official documentation for OpenSSL-Updater can be found in the OpenSSL-Updater wiki page.


    Testing

    OpenSSL-Updater was successfully tested on the following devices:
    • webOS 2.2.4 Emulator Image for Pre2/Pre3/Veer (started its life fresh from the SDK-2222.vmdk.zip emulator-images)
    • webOS 2.2.4 Palm Pre2 (started its life quite some time ago after a visit to the webOS Doctor / webosdoctorp224pre2wr.jar), a day-to-day phone up to now
    • webOS 3.0.5 WiFi Touchpad (most probably started its life 3.0.2, then went OTA 3.0.4 and 3.0.5), a day-to-day tablet up to now
    • webOS 1.4.5 Emulator Image for Pre/Pixi (started its life fresh from the Palm/SDK distribution)
    • webOS 1.4.5 Pixi Plus (in the state it was before being brought back from the shadows), resurrected for the sake of testing


    Current version is meant/expected to work on webOS 2.x/3.x devices. As a "side-effect", it appears to work as well on webOS 1.4.x (still to be tested on a real device, though)!


    Possible Issues

    Because OpenSSL libraries are being replaced live (for now), programs dynamically linked with those libraries are likely to crash and in-turn cause a system-wide crash (and reboot) with an unfinished installation, leaving the device in an intermediate unusable state (unix/novacom running but LunaSysMgr down). One specific case is being investigated on this suspicion, you've been warned!


    Acknowledgments

    Many thanks to Rod & the webOS Internals team for building the tools and the distribution infrastructure, this would not have been possible without their great work. Special thanks to Rod for his quick and effective support in accepting the app in the build system and reviving the WOI feeds.

    Last edited by Thibaud; 10/26/2015 at 05:47 AM.
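Added example (not part of the original post and not OpenSSL-Updater code): a small Python check that reads the signature algorithm from a certificate, to tell whether a mail server's certificate is one of the SHA-256 signed ones described in the TL;DR above. The sample input is a constructed skeleton, not a valid certificate, and all function names are assumptions of this example.

```python
import ssl

# Certificate signature-algorithm OIDs and the digest each one relies on.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_digest(cert):
    """Return (algorithm, digest) for a certificate given as DER bytes or PEM text."""
    if isinstance(cert, str):
        cert = ssl.PEM_cert_to_DER_cert(cert)
    tag0, start, _ = read_tlv(cert, 0)               # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert, start)            # skip over tbsCertificate
    tag1, alg_start, _ = read_tlv(cert, tbs_end)     # signatureAlgorithm SEQUENCE
    tag2, oid_start, oid_end = read_tlv(cert, alg_start)
    if (tag0, tag1, tag2) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate")
    oid = decode_oid(cert[oid_start:oid_end])
    return SIG_ALGS.get(oid, (oid, "unknown"))

def make_sample(oid_bytes):
    """Constructed skeleton (not a valid certificate): only the fields read above."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    alg = tlv(0x30, tlv(0x06, oid_bytes) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xAA" * 8))

SHA1_OID = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
```

`signature_digest()` also accepts a PEM certificate saved from a server, so it can be run on a desktop against the certificates a device keeps being asked to trust.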
  2. #2  
    This is of course interesting...

    A few questions...

    The wiki mentions HP patches that were not released to open source. But I assume these patches are included in the official releases.

    So what is the origin of this code? Are you simply packaging a newer version of Open SSL for webOS? Or are you patching?

    Are you modifying with your own code, HP modifications or simply replacing the OpenSSL module?

    It appears that the browser can accept SHA256 certs, suggesting that the fault is in the email app, but your solution suggests the fault is in OSSL - or are you modifying both?

    Finally, from the opening summary of the wiki, are you referring to the newer version of OSSL from webOS Internals? Was/is this intended only for optware operations? So webOS and optware use separate installations of OSSL?

    It certainly sounds promising! I look forward to see how your work develops. Hopefully it is a system-wide solution for all the SHA256 problems.
  3. #3  
    Looking forward to a final version. I don't do alphas, and don't really like betas either.

    But thanks for any effort to improve and maintain webOS!!
    Sporting my 13th Pre device, a NOS unlocked ROW Pre3!
  4.    #4  
    Quote Originally Posted by Preemptive View Post
    This is of course interesting...
    A few questions...
    Quoting you for the sake of clarity! ;-)

    Quote Originally Posted by Preemptive View Post
    The wiki mentions HP patches that were not released to open source. But I assume these patches are included in the official releases.
    So what is the origin of this code? Are you simply packaging a newer version of Open SSL for webOS? Or are you patching?
    Both, it's the newest version of OpenSSL (0.9.8zg), with a single reverse-engineered patch (for now).

    Quote Originally Posted by Preemptive View Post
    Are you modifying with your own code, HP modifications or simply replacing the OpenSSL module?
    This is answered in the "Solution" section in the wiki...

    Quote Originally Posted by Preemptive View Post
    It appears that the browser can accept SHA256 certs, suggesting that the fault is in the email app, but your solution suggests the fault is in OSSL - or are you modifying both?
    The browser is the tip of the iceberg, because it has the capability to ask you to trust a (server-presented) certificate it cannot digest (OpenSSL 0.9.8k). But there are just many more other webOS applications linked against the OpenSSL libraries (hint: 2 files mentioned in the above-referred section) that don't/can't ask the user the same question, hence the need to manually trust the server-presented certificates, one-by-one, and again...

    Quote Originally Posted by Preemptive View Post
    Finally, from the opening summary of the wiki, are you referring to the newer version of OSSL from webOS Internals? Was/is this intended only for optware operations? So webOS and optware use separate installations of OSSL?
    Yes, they do! WebOS has openSSL located in /usr, while Optware OpenSSL is located in /opt (this one was meant for optware packages like OpenSSH and a few others).

    Quote Originally Posted by Preemptive View Post
    It certainly sounds promising! I look forward to see how your work develops. Hopefully it is a system-wide solution for all the SHA256 problems.
    Yes, it definitely is (and was meant from day one as) a system-wide solution for the SHA-256 issue and probably quite a few more as the servers elevate their requirements in the future.

    OP updated following your questions, thank you for the quick feedback. :-)
    Last edited by Thibaud; 10/19/2015 at 02:25 PM.
  5. #5  
    Thanks for the great work! Just for clarity: This will BREAK existing working EAS (Exchange Active Sync)-supported accounts. (I have my corporate Exchange account on my daily driver phone, so that's crucial for me).

    I cannot lose this functionality as you can imagine! I don't use it on my Touchpads for example, so I would be OK testing it there
    HP Veer (daily driver), HP Pre 3, HP Touchpad Proper 4G/LTE (Sierra MC7710), HP Touchpad 32GB WiFi, Palm Pre 2
  6. #6  
    I noticed the labels in github have 1.4.5 in them - is this patch compatible with 1.4.5? I guess that won't help the Google API situation though, even if it is.
  7. #7  
    Well, in any case this is a huge step forward maintaining all the "classic" (can I use this term ?) devices.
    If it would be feasible to do the same for webkit, we would be practically brought up to date, sort of (plus it would also allow to easily backport all luneos apps, since some rely on a current webkit.. or at least telegram does)
  8. #8  
    I just deleted the two gmail certs and a cert I had for xs4all.

    Installed this update

    Email still comes in!

    Great!

    -- Sent from my Palm Pre3 using Forums
  9. #9  
    Quote Originally Posted by mazzinia View Post
    Well, in any case this is a huge step forward maintaining all the "classic" (can I use this term ?) devices. ...
    I agree!

    Quote Originally Posted by mazzinia View Post
    ... If it would be feasible to do the same for webkit, we would be practically brought up to date, sort of (plus it would also allow to easily backport all luneos apps, since some rely on a current webkit.. or at least telegram does)
    I was thinking the same thing. I wonder if an updated webkit and web browser could be created in /opt just like openSSL has 2 versions (one in /usr and other /opt), according to:

    Quote Originally Posted by Thibaud View Post
    ... Yes, they do! WebOS has openSSL located in /usr, while Optware OpenSSL is located in /opt (this one was meant for optware packages like OpenSSH and a few others). ...
    What a wonderful Christmas present this would make...
    Last edited by UI Designer; 10/19/2015 at 02:06 PM.
  10. #10  
    I installed this last night. Working good so far!

    Herrie, interestingly, my Google Apps backed work Exchange account is working fine. But, this isn't a broad statement about the state of Exchange.
    Did you know:

    webOS ran on a Treo 800 during initial development.
  11. #11  
    There was a security guy in the local webOS group here in the San Francisco Bay Area. I should see if I can find him again. He might be able to provide some more advanced security testing.
    Did you know:

    webOS ran on a Treo 800 during initial development.
    Preemptive and TJs11thPre like this.
  12. #12  
    Palm forked and hacked WebKit big time, so the OS is very much tied to the old version. I don't know what it would take for a specific app to use an updated one - but I don't think the Palm frameworks would support it.
  13.    #13  
    Quote Originally Posted by Herrie View Post
    Thanks for the great work! Just for clarity: This will BREAK existing working EAS (Exchange Active Sync)-supported accounts. (I have my corporate Exchange account on my daily driver phone, so that's crucial for me).

    I cannot lose this functionality as you can imagine! I don't use it on my Touchpads for example, so I would be OK testing it there
    Guess what? I have a corporate Exchange account on my Pre2 and it is working OK now (mojomail-eas just broke when I first moved to OpenSSL 0.9.8zg, I had to spend quite a few nights and week-ends reverse engineering libssl.so to get it back to normal, this delayed the release by a few weeks). So I suspect you should be fine too...

    Quote Originally Posted by Grabber5.0 View Post
    I noticed the labels in github have 1.4.5 in them - is this patch compatible with 1.4.5? I guess that won't help the Google API situation though, even if it is.
    1.4.x is a different beast when it comes to certs location, I prepared the environment for future investigation but did/tested nothing yet. This might be my next area if you need it (and can alpha test it).

    Quote Originally Posted by mazzinia View Post
    Well, in any case this is a huge step forward maintaining all the "classic" (can I use this term ?) devices.
    If it would be feasible to do the same for webkit, we would be practically brought up to date, sort of (plus it would also allow to easily backport all luneos apps, since some rely on a current webkit.. or at least telegram does)
    Is "legacy" the word you're looking for? If webkit is dynamically linked against system OpenSSL libraries (I need to check), then it should be OK out of the box (remember this is a system-wide solution).

    Quote Originally Posted by horzel View Post
    I just deleted the two gmail certs and a cert I had for xs4all.

    Installed this update

    Email still comes in!

    Great!

    -- Sent from my Palm Pre3 using Forums
    Sounds very good to me, thanks!

    Quote Originally Posted by dkirker View Post
    I installed this last night. Working good so far!

    Herrie, interestingly, my Google Apps backed work Exchange account is working fine. But, this isn't a broad statement about the state of Exchange.
    Sounds very good to me too, thanks!

    I'll try to organize a poll so we can move out of alpha/beta with no dark corner left behind. Do not expect anything more before next week-end, though.
    Last edited by Thibaud; 10/19/2015 at 03:35 PM.
    dkirker and TJs11thPre like this.
  14. #14  
    OK bit the bullet based on feedback and installed it.

    Removed my TransIP and Gmail certificates and will see how it behaves

    -- Sent from my Palm Veer using Forums
    HP Veer (daily driver), HP Pre 3, HP Touchpad Proper 4G/LTE (Sierra MC7710), HP Touchpad 32GB WiFi, Palm Pre 2
    dkirker likes this.
  15. #15  
    Quote Originally Posted by Herrie View Post
    OK bit the bullet based on feedback and installed it.

    Removed my TransIP and Gmail certificates and will see how it behaves

    -- Sent from my Palm Veer using Forums
    The nice thing is that it is uninstallable. I didn't test that part, yet. I'm enjoying having stuff work. :P
    Did you know:

    webOS ran on a Treo 800 during initial development.
  16. #16  
    Quote Originally Posted by dkirker View Post
    The nice thing is that it is uninstallable. I didn't test that part, yet. I'm enjoying having stuff work. :P
    Now you have more time on your hands, get dev-ing :P

    -- Sent from my Palm Veer using Forums
    HP Veer (daily driver), HP Pre 3, HP Touchpad Proper 4G/LTE (Sierra MC7710), HP Touchpad 32GB WiFi, Palm Pre 2
  17. #17  
    Quote Originally Posted by Thibaud View Post
    Guess what? I have a corporate Exchange account on my Pre2 and it is working OK now (mojomail-eas just broke when I first moved to OpenSSL 0.9.8zg, I had to spend quite a few nights and week-ends reverse engineering libssl.so to get it back to normal, this delayed the release by a few weeks). So I suspect you should be fine too...

    1.4.x is a different beast when it comes to certs location, I prepared the environment for future investigation but did/tested nothing yet. This might be my next area if you need it (and can alpha test it).

    Is "legacy" the word you're looking for? If webkit is dynamically linked against system OpenSSL libraries (I need to check), then it should be OK out of the box (remember this is a system-wide solution).

    Sounds very good to me, thanks!

    Sounds very good to me too, thanks!

    I'll try to organize a poll so we can move out of alpha/beta with no dark corner left behind. Do not expect anything more before next week-end, though.
    I'm ready to alpha test on a pixi plus of mine
  18. #18  
    OK bit the bullet based on feedback and installed it.

    Removed my TransIP and Gmail certificates and will see how it behaves

    -- Sent from my Palm Veer using Forums
    All seems OK so far, Exchange, TransIP and Gmail all work!


    -- Sent from my TouchPad Go using Communities
    HP Veer (daily driver), HP Pre 3, HP Touchpad Proper 4G/LTE (Sierra MC7710), HP Touchpad 32GB WiFi, Palm Pre 2
  19. #19  
    Also relying on EAS, but will test on my only and everyday Pre2 after that small real-life issue of buying a house is done.

    One interesting part of a system-wide update would be the re-enabling of our corporate eduroam wifi, which switched to SHA256 certs a while ago and has not been operable since then (but then again it could be something else, as webOS was never easy with enterprise wifis).
  20. #20  
    Quote Originally Posted by dkirker View Post
    There was a security guy in the local webOS group here in the San Francisco Bay Area. I should see if I can find him again. He might be able to provide some more advanced security testing.
    Someone did post here a few weeks ago about reviewing / securing LuneOS. No idea who it was or if it was the person you mention.

    In this day & age, I suppose everybody needs all the security help they can get!