00:24.37 | jonwil | Time to see how one would update NSS on Maemo |
01:01.39 | *** join/#maemo-ssu DrCode (~DrCode@5.28.134.3) |
01:01.44 | luf_ | jonwil: Doesn't sound like NSS problem. It's weird that it worked in previous version. |
01:02.26 | jonwil | My guess (and the reason I am suspecting NSS) is that it's possible there are new/updated root CA certificates in the new set that the ancient NSS on Maemo doesn't like |
01:02.58 | jonwil | i.e. new features added to certificates (new crypto etc) |
01:12.02 | luf_ | jonwil: But the certificate is signed with the same CA which was trusted in previous version |
01:12.46 | jonwil | Yeah but it's possible that the same CA now has a new root certificate. Same public key but something else has been updated. |
01:12.47 | luf_ | jonwil: I know there is still some possibility you're right. |
01:13.03 | jonwil | Since it's got the same public key it's still correct |
01:13.15 | jonwil | in any case updating NSS is a good idea |
01:13.35 | luf_ | And still the older version recognizes it correctly? |
01:14.15 | jonwil | yes because the older version has the same public key also |
01:14.44 | jonwil | as long as the root CA doesn't change their public key any certificates they signed remain valid |
01:15.29 | jonwil | oh and even www.microsoft.com has certificate errors with the new root CA set |
01:16.57 | luf_ | Does it work with openssl s_client? |
01:18.09 | luf_ | I don't know a similar cmd line tool to check using NSS :( |
01:22.04 | jonwil | don't know about openssl but wget (which I believe ultimately uses openssl underneath) gives errors even for domains that work correctly in microb |
01:22.19 | jonwil | yeah wget uses openssl |
01:23.25 | jonwil | Updating NSS is necessary if we want TLS1.2 etc anyway |
01:24.57 | jonwil | our NSS matches mozilla-central revision d9f4a1b15192 |
01:27.21 | luf_ | jonwil: openssl s_client can show you the error in more verbose form. |
01:28.46 | jonwil | It tells me "unable to get local issuer certificate" (which reads like openssl can't read the ca store) |
01:29.06 | jonwil | even on google |
01:29.16 | jonwil | so using openssl to see what's wrong with microb is not going to help |
01:30.29 | luf_ | jonwil: sounds like a problem which should be fixed |
01:30.46 | jonwil | yeah probably but that's not my concern here, my concern is making microb work |
01:31.08 | jonwil | and updating NSS seems like a good thing regardless |
01:31.10 | jonwil | so let's do that |
01:35.03 | *** join/#maemo-ssu LauRoman|Phone (~yaaic@5-14-33-187.residential.rdsnet.ro) |
01:41.45 | jonwil | Pushing my workaround for the google issue (the one Google knows about but hasn't indicated that it will fix that is causing errors when you search for stuff due to Google returning &amp; instead of & in some cases) to CSSU microb-engine so I don't have to keep other local stuff in my microb-engine tree when fiddling with NSS |
01:43.11 | luf_ | BTW I created a new pull-request for libxml2 again with several CVEs and a few bug fixes from wheezy. |
01:43.43 | luf_ | I'll merge it if no negative comment for some time. |
01:44.05 | luf_ | I'm testing it in my dev and also primary N900. |
01:44.15 | jonwil | great |
04:19.27 | *** join/#maemo-ssu DocScrutinizer05 (~saturn@openmoko/engineers/joerg) |
05:18.28 | freemangordon | jonwil: openssl s_client needs certificate path provided, something like -CApath |
06:30.22 | *** join/#maemo-ssu Sicelo009N (~sicelo@unaffiliated/sicelo) |
06:46.00 | jonwil | so yeah it's definitely microb-engine or nss that's at fault, not the set of certificates (openssl s_client works with the right certificate path) |
07:46.51 | *** join/#maemo-ssu LauRoman (~LauRoman@5-14-33-187.residential.rdsnet.ro) |
08:50.29 | *** join/#maemo-ssu mickname (~mickname@low6.kyla.fi) |
08:51.09 | *** join/#maemo-ssu Sicelo009N (~sicelo@unaffiliated/sicelo) |
09:00.40 | jonwil | wishes people who understand how nss and mozilla/gecko security code works weren't so hard to find :( |
09:03.16 | bencoh | most of them just don't want to here about it anymore ;p |
09:03.21 | bencoh | hear* even |
09:04.26 | bencoh | and ... I dunno about maemo, but mozilla on desktop OSes has its own store |
09:04.35 | bencoh | afaict |
09:14.50 | kerio | bencoh: well |
09:15.06 | kerio | on linux the mozilla store is the one that gets converted into the system store |
09:30.44 | jonwil | Mozilla has the root CA store inside the nssckbi library |
09:34.42 | jonwil | so on all platforms the Mozilla store is just for Mozilla |
09:35.23 | jonwil | Some Linux distros (Debian for example) do what Maemo does and parse the Mozilla certdata.txt file and store it in their root store though |
09:35.48 | jonwil | well technically there are other apps that also use NSS that would be using the same root CA store |
09:37.27 | bencoh | kerio: but it is still a separate store in the ened |
09:37.51 | bencoh | end* |
09:51.39 | *** join/#maemo-ssu hashcore (~hashcore@unaffiliated/hashcore) |
09:59.03 | *** join/#maemo-ssu sparetire (~sparetire@unaffiliated/sparetire) |
10:19.31 | *** join/#maemo-ssu hashcore (~hashcore@unaffiliated/hashcore) |
10:38.45 | *** join/#maemo-ssu Sicelo009N (~sicelo@unaffiliated/sicelo) |
10:40.48 | *** join/#maemo-ssu Sicelo009N (~sicelo@unaffiliated/sicelo) |
11:03.51 | *** join/#maemo-ssu hashcore (~hashcore@unaffiliated/hashcore) |
11:55.40 | *** join/#maemo-ssu Sicelo009N (~sicelo@unaffiliated/sicelo) |
12:29.16 | *** join/#maemo-ssu RedM (~redw@89-76-164-87.dynamic.chello.pl) |
12:47.05 | *** join/#maemo-ssu hashcore (~hashcore@unaffiliated/hashcore) |
13:22.38 | *** join/#maemo-ssu Sicelo009N (~sicelo@unaffiliated/sicelo) |
13:56.31 | *** join/#maemo-ssu ruskie (~ruskie@sourcemage/mage/ruskie) |
14:00.39 | *** join/#maemo-ssu ruskie (ruskie@sourcemage/mage/ruskie) |
14:06.51 | *** join/#maemo-ssu NishanthMenon (~nmenon@unaffiliated/nishanthmenon) |
14:23.13 | *** join/#maemo-ssu ruskie (ruskie@sourcemage/mage/ruskie) |
14:58.28 | *** join/#maemo-ssu Milhouse (~Milhouse@kodi/staff/milhouse) |
15:20.41 | *** join/#maemo-ssu Sicelo009N (~sicelo@unaffiliated/sicelo) |
16:25.45 | *** join/#maemo-ssu LauRoman (~LauRoman@5-14-33-187.residential.rdsnet.ro) |
16:59.38 | *** join/#maemo-ssu Sicelo009N (~sicelo@unaffiliated/sicelo) |
17:25.30 | *** join/#maemo-ssu Sicelo009N (~sicelo@unaffiliated/sicelo) |
17:32.27 | *** join/#maemo-ssu futpib (~futpib@176.214.30.141) |
17:39.10 | *** join/#maemo-ssu Pali (~pali@Maemo/community/contributor/Pali) |
19:28.43 | *** join/#maemo-ssu arcean (~arcean@nat1-3.finemedia.pl) |
19:58.25 | *** join/#maemo-ssu M4rtinK2 (~M4rtinK@ip-78-102-146-111.net.upcbroadband.cz) |
20:06.24 | *** join/#maemo-ssu peterleinchen (~peterlein@Maemo/community/council/peterleinchen) |
21:30.22 | *** join/#maemo-ssu jonwil (~jonwil@27-33-80-219.tpgi.com.au) |
21:32.05 | *** join/#maemo-ssu luf_ (~luf@ip-89-103-184-51.net.upcbroadband.cz) |
22:00.09 | luf_ | freemangordon: ping |
23:28.44 | *** join/#maemo-ssu M4rtinK2 (~M4rtinK@ip-78-102-146-111.net.upcbroadband.cz) |