  1.    #1  
    This thread is for general discussion of issues that arose from this thread: Here is the pivotCE article: Fixing Yahoo mail | pivotCE
    You can see there is a method to obtain, install and trust certificates for this problem, but it doesn't seem to work for 1.x users.

    Other relevant threads are:
    SHA1-deprecation: What you need to know.

    The idea is that the community may need to replace the root certificates - especially as SHA256 is brought in as the preferred encryption standard.

    Here is a handy list from 2015 of email provider settings which could be useful for getting certificates with the OpenSSL method
    Geek Squad's email server settings guide

    If we can identify a standard package and expiry dates of existing certificates, we can at minimum direct users to updates and explain the install process. Note that Grabber5.0 has already made a package of Globalsign certificates available. Some other suppliers are Digicert, Verisign & Symantec.
    UPDATE: Now supplied by frantid:

    It is not clear if the legacy version of OpenSSL (0.9.8j / k) will automatically process SHA256. It is apparently capable, but needs to be activated. It's not clear if webOS does this.

    Update (14th August 2015): NIN_ru has done some research that indicates there was a bug in OSSL. It was patched in a later, incompatible version. The conclusion seems to be that webOS is capable of matching SHA256 certificates, but not installing them automatically.

    If possible, it may be worth updating this component. There is a version in Preware, but it's not clear to me if this is an upgrade or modification. Without this function, users may soon have to frequently use the work around above. UPDATE: Apparently, this SSL version is a separate install for use by webOS Internals' Optware packages.

    This is currently in Alpha status & must be installed carefully, but reports indicate that it works and will also work for 1.4.5 devices!
    Last edited by Preemptive; 03/24/2016 at 11:36 PM. Reason: Added list of settings
  2.    #2  
    I'll just put these in the thread. Make notes in your calendar and when Yahoo breaks again, we'll remember what to do.
    IMAP * Valid from 24/Feb/2015 to 24/Feb/2016 Issuer: Symantec Class 3 Secure Server CA – G4
    SMTP * Valid from 26/Jan/2015 to 26/Jan/2016 Issuer: VeriSign Class 3 Secure Server CA – G3
    POP Valid from 04/Nov/2014 to 04/Nov/2015 Issuer: VeriSign Class 3 Secure Server CA – G3

    IMAP Valid to 3/Oct/2017 Issuer: thawte SSL CA – G2
    SMTP Valid to 3/Oct/2017 Issuer: thawte SSL CA – G2
    Last edited by Preemptive; 09/24/2015 at 07:58 PM.
  3.    #3  
    So the same fix appears to be working for Gmail, though some seem to find each fix temporary and have installed up to 5 gmail certificates now.

    It seems a shame that we are stuck fixing symptoms instead of finding a cure, so I'll just 'go up the chain' a bit and make some suggestions. Possible reasons for these problems:
    • Functionality for processing SHA256 certificates is not switched on in the Certificate manager/OpenSSL. If it IS switched on, then...
    • Root certificates have expired and installing new ones would allow other certificates to be automatically validated.
    • UPDATE: In this post, Grabber5.0 suggests the problem may actually lie with the connection made by the email app.

    Logic would suggest that solutions are:
    • Update the root certificates
    • Update the certificate manager to activate SHA256 capability in OpenSSL (assuming this is actually 'broken')
    • Update OpenSSL to a version where SHA256 processing is enabled by default. (newer should be better anyway)
    • Update the email app. (unfortunately this appears to be a binary - not easily patched)

    I guess the Root certificates would be the easiest thing to do. Someone with the right skills could perhaps get a newer version of OSSL onto webOS without too much difficulty and perhaps fixing the certificate manager would be hardest, but perhaps necessary if OSSL has to be instructed as to the type of processing rather than automatically detecting it. (I have no idea). Of course, replacing everything is the ideal, 'belt & braces' approach. The best place to find this stuff would be in a similar project. Assuming this functionality has been implemented, then I wonder how difficult it would be to transfer the certification system from LuneOS to webOS. Update: Maybe it's actually the email app we need?
    Last edited by Preemptive; 09/10/2015 at 12:41 PM.
  4.    #4  
    Here are some work arounds (mainly for Gmail, but could be applied to other services):
    The guide for Yahoo
    Horzel shows how to do it with WOSQI
    Grabber has produced a script
    gizmo21 adds timestamps
    The script is now incorporated into an app. For Gmail only, this is now the easiest method.
    Last edited by Preemptive; 11/23/2015 at 09:46 AM. Reason: Added the Script Grabber App
  5. #5  
    It seems a shame that we are stuck fixing symptoms instead of finding a cure, so I'll just 'go up the chain' a bit and make some suggestions.
    Agree, but at least we still have a working imap gmail client in our hands. When Grabber gets his final version of his cert upgrader finished, we should have a workable solution to the frequent Google cert updating. And I believe that Google will continue with the frequent cert updating...not sure why...possibly they are doing trial and error tests.
  6. #6  
    Also, if I may add that Internet security is a very real and significant concern not just for Google, but for all the big players, including Microsoft. On my laptop computers, I get MS security updates automatically at least twice a week. Almost all of the updates deal with security fixes for the OS and also the Internet Explorer browser. And I suspect that this will continue on indefinitely.
  7. #7  
    As of today's date (9/12/2015) my Touchpad's certificate manager reports the following:

    GeoTrust Global CA Root Certificate
    issued by: Equifax
    expire date: Aug. 21, 2018
    signature algorithm: sha1WithRSAEncryption

    Google Internet Authority G2 Intermediate Certificate
    issued by: GeoTrust Global CA
    expire date: Dec. 31, 2016
    signature algorithm: sha1WithRSAEncryption

    Google Server Certificate
    issued by: Google Internet Authority G2
    expire date: Nov. 23, 2015
    signature algorithm: sha256WithRSAEncryption

    This is the latest information that I have regarding the Google certificate chain.
  8.    #8  
    It seems the cert problem has now happened with email services.

    The Yahoo fix seems to work. The inputs for gmx are:
    s_client -showcerts -connect (inbox, IMAP protocol)
    s_client -showcerts -connect (that's the outgoing, SMTP protocol)

    I have attached a file with my IMAP output. It should be Linux formatted text. Just split it into the three certs (I don't know if they're all required, but I trusted all three). My triangle is gone, but I'll test send and receive and post the SMTP if needed.

    Note: This certificate expires on the 3rd of October 2017.
    Last edited by Preemptive; 11/23/2015 at 09:36 AM.
  9.    #9  
    It seems the smtp certs are also required so you can again retrieve them with the Yahoo method and the input noted above, I have again attached my output. Splitting this file into three and saving each with the .pem suffix (then trusting, etc.) has restored my sending ability also.

    Let's hope this is an infrequent fix like Yahoo, but if not, it should be easy to customise Grabber5.0's script & maybe the app for Google will get an extra function

    Note: This certificate expires on the 3rd of October 2017.
    Last edited by Preemptive; 11/23/2015 at 09:37 AM.
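
The splitting step described in posts #8 and #9 (cutting saved `s_client -showcerts` output into one `.pem` file per certificate), as an added example that is not part of the original thread. The sample text, host names and CA names are constructed placeholders, and `make_sample`, `split_showcerts` and `list_chain` are hypothetical helper names.

```shell
# Constructed sample in the shape of saved `openssl s_client -showcerts` output.
# Host names, CA names and certificate bodies are placeholders, not real certificates.
make_sample() {
cat <<'EOF'
Certificate chain
 0 s:/C=XX/O=Example Mail/CN=imap.example.test
   i:/C=XX/O=Example CA/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDLEAFBODY0001
-----END CERTIFICATE-----
 1 s:/C=XX/O=Example CA/CN=Example Issuing CA
   i:/C=XX/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDINTERMEDIATEBODY0002
-----END CERTIFICATE-----
 2 s:/C=XX/O=Example CA/CN=Example Root CA
   i:/C=XX/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDROOTBODY0003
-----END CERTIFICATE-----
---
Server certificate
EOF
}

# split_showcerts INPUT OUTDIR PREFIX: write each PEM block to OUTDIR/PREFIX-N.pem
# and print how many certificates were written. Text outside the blocks is dropped.
split_showcerts() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" -v pre="$3" '
        { sub(/\r$/, "") }  # strip DOS line endings
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = sprintf("%s/%s-%d.pem", dir, pre, n); inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----$/ && inside { close(out); inside = 0 }
        END { print n + 0 }' "$1"
}

# list_chain INPUT: print position, subject, issuer (tab separated); flag self-signed entries.
list_chain() {
    awk '{ sub(/\r$/, "") }
        /^ *[0-9]+ s:/ { idx = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        /^ *i:/ { sub(/^ *i:/, "")
                  print idx "\t" subj "\t" $0 (subj == $0 ? "\tself-signed" : "") }' "$1"
}

tmp=$(mktemp -d)   # demo run on the constructed sample
make_sample > "$tmp/imap.txt"
echo "wrote $(split_showcerts "$tmp/imap.txt" "$tmp/certs" imap) files to $tmp/certs"
list_chain "$tmp/imap.txt"
```

On real output, each resulting file can be checked with `openssl x509 -in FILE -noout -subject -issuer -enddate` before it is trusted on the device.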
  10. Kel280green
    Having just returned to webOS with a Pre 3 (as mentioned in my post about stock music & video apps), I am really enjoying using it again in tandem with my iphone 5S.
    It's now time to get shot of the iphone and make the Pre 3 my daily/main phone.
    Unfortunately, trying to set up my email has me stumped.
    Having used one before, the email set-up is simple, BUT!, I have tried auto set-up and manual set-up using both POP and IMAP, but I just get the same message- "Your username (or email address) and password are incorrect".
    Now I know for certain that those are correct, but nothing doing.

    I am in the UK and use a major telecom provider for my broadband and email (Talktalk) and searching the internet it appears that they still use SHA-1 and so I am perplexed as to what's wrong.

    I have global root sign, certificate grabber and Root Certs Update added but to no effect. I have done a full erase and started from scratch adding each of the above one at a time and then trying again.

    I have even copied all of the email settings that are on my iphone (with working mail) to the Pre but still it gives the same message. So this points to something missing on the Pre internals???

    With your help I have my music and video working as well as Accuweather. It seems such a shame that the email is now an issue and this could well be the last straw.

    I want this to work and write in the hope that someone has an idea. I have read the OpenSSL thread and would adding that help things? However I have no experience of Alpha feeds and wouldn't know where to begin, even after reading and re-reading the instructions! So at present, not really a starter.

    Any help really appreciated. I want to use my Pre 3.

    Thank you.
  11.    #12  
    Just got this through on the laptop:
    This package includes PEM files of CA certificates to allow SSL-based applications to check for the authenticity of SSL connections.
    It includes, among others, certificate authorities used by the debian infrastructure and those shipped with Mozilla's browsers.
    Please note that debian can neither confirm nor deny whether the certificate authorities whose certificates are included in this package have in any way been audited for trustworthiness or RFC 3647 compliance. Full responsibility to assess them belongs to the local system administrator.
    Perhaps this means there are new updates out there that could be added to webOS?
  12.    #13  
    Note: I think it's around this time of year that certificates expire - take note.

    Also, we now have the Open SSL update and other things to fix this problem - check the service pack link below.
  13. #14  
    I'm trying to get my mojo back and spend some time this weekend getting the updates I've been making into a form that others can use (I have been adding legacy support into the webOS-Ports certmgrd as well). I kind of also want to patch the Certificates app and create a service that can be used (maybe extend certmgrd for that -- the old one used to support CRL -- Certificate Revocation List -- download and application, so why not CA bundle?) to download the latest CA bundle from Mozilla (or another source if you choose) and install it. That way one doesn't need to install a new ipk any time the CA bundle is updated. (Hell, it could even eventually support running at the next cert expiration! So it is all auto-magic!)
  14. #15  
    Looks like older Android devices are about to suffer the same fate. Maybe we can give them some tips!
