jonwil | hmmm, getting newer OpenSSL to work on Maemo QT isn't as easy as I thought. There is a Debian patch for QT4 but that's for 4.8.7, we only have 4.7.4 | 04:13 |
---|---|---|
jonwil | I think I got a solution now. | 06:11 |
Oksana | Sounds nice. Will it help with getting MicroB to work with some of those stubborn websites? | 06:30 |
jonwil | Nope, this is OpenSSL and QT, not microb-engine | 06:33 |
jonwil | which uses NSS | 06:33 |
jonwil | The work to get Firefox 24 going is a different project | 06:34 |
KotCzarny | I wonder if there is a way to make nss use openssl | 06:34 |
jonwil | Nope | 06:34 |
jonwil | Getting FF24 to work is still the best option. | 06:35 |
jonwil | I need to go back and see about grabbing debug symbols for Firefox 24 on Linux and see if those debug symbols contain any useful info about how FF24 was compiled. | 06:35 |
jonwil | Official Mozilla FF24 that is | 06:35 |
KotCzarny | https://rcritten.fedorapeople.org/nss_compat_ossl.html | 06:36 |
KotCzarny | but that's backwards | 06:36 |
jonwil | Getting FF24 going will give you more than just TLS 1.2 | 06:39 |
KotCzarny | https://roumenpetrov.info/e_nss/ | 06:39 |
KotCzarny | hmm | 06:39 |
jonwil | That's an engine to allow OpenSSL to read NSS certificate databases and such | 06:40 |
jonwil | So that doesn't do anything useful. | 06:41 |
KotCzarny | uhhum | 06:41 |
jonwil | trust me when I say getting FF24 going is the best hope for a browser that supports TLS 1.2 | 06:42 |
jonwil | unless you find some weird hacky webkit fork that can be compiled properly on the ancient versions of the libraries the N900 is stuck at | 06:42 |
Oksana | Firefox 24 does sound nice. | 06:48 |
jonwil | Getting Fahrplan going again is important to me so I can do transport journey planning when I am out and about :) | 06:57 |
jonwil | hence why I am putting the effort into OpenSSL and QT | 06:58 |
Oksana | Nice :-) Would Gtk+ applications be able to use the OpenSSL? Or would it require specific adaptation, like Qt does? | 07:05 |
KotCzarny | I don't think gtk is the same level of toolkitness as qt | 07:06 |
KotCzarny | maybe glib has some connectivity functions | 07:06 |
ceene | jonwil: the QT thing, I did something to it to use openssl1.0 | 07:49 |
ceene | you have that on my repos too | 07:50 |
ceene | https://github.com/agamez/qt-x11-maemo/commits/RemoveSSL3 this branch should have been merged on maemo's n900, but I think nobody finally did it, even though it was approved | 07:51 |
ceene | approved or whatever the process is to have patches applied to maemo repos | 07:51 |
ceene | i don't remember the bureaucracy of that | 07:51 |
parazyd | jonwil: You do realize FF24 has like, a hundred CVEs? | 07:51 |
ceene | and also you have https://github.com/agamez/qt-x11-maemo/commits/UpgradeSSL | 07:51 |
ceene | which does compile against newer openssl | 07:51 |
ceene | and backports support for new protocols: tlsv1_1, tlsv1_2 | 07:52 |
Maxdamantus | Could always just write some tun-based proxy that everything is routed to. | 07:56 |
Maxdamantus | Browser just has some self-signed certificate that matches every host, gets routed through the tun proxy, using its old version of OpenSSL, tun proxy then connects to the actual IP address using its newer version of OpenSSL, doing host verification, etc | 07:58 |
jonwil | GTK doesn't have any networking code at all | 08:03 |
jonwil | It's just a UI toolkit | 08:04 |
jonwil | Any GTK app can use OpenSSL 1.1.0h no problems | 08:04 |
jonwil | The removessl thing is already on the cssu version of QT and already in CSSU | 08:05 |
jonwil | So nothing needs to happen there | 08:06 |
jonwil | The upgradessl stuff is for 1.0.x, the debian patch makes everything work for 1.1.0h (much better to use 1.1.0 with less bugs etc than 1.0.x) | 08:08 |
jonwil | And I see nothing specific that makes it hard to get that going | 08:08 |
jonwil | As for FF24, I bet the 1.9.2 based microb-engine has a lot of security flaws as well | 08:09 |
jonwil | I doubt upgrading to FF24 is going to make things any LESS secure | 08:10 |
parazyd | ¯\_(ツ)_/¯ | 08:10 |
KotCzarny | I just hope it will be usable | 08:10 |
KotCzarny | not that many exploits would work on n900 | 08:10 |
KotCzarny | ;) | 08:11 |
ceene | ah, so debian already has patches for qt4+openssl1.1? | 08:13 |
ceene | didn't know that | 08:13 |
jonwil | Yes they do | 08:13 |
ceene | well, so much better then | 08:14 |
jonwil | They have a patch for OpenSSL 1.1 support on QT 4.8.7 which I need to get going on the QT 4.7.4 we have | 08:14 |
jonwil | No-one is going to write something that targets an exploit in an ancient version of Firefox that has been fixed for years now, let alone one running on a linux armel target (as opposed to android) | 08:14 |
jonwil | Not when they can write an exploit for Windoze and get far more machines infected | 08:15 |
KotCzarny | I suspect even static arm binaries might fail because of old kernel | 08:15 |
jonwil | I already have the results of compiling the FF24 tree running on my device (so libxul.so etc) with http://conkeror.org/ as the front end. | 08:16 |
jonwil | So it's definitely working. | 08:16 |
jonwil | A long way from where I need it to be but it's definitely at least working. | 08:16 |
jonwil | So we know it's ok in regards to dependencies, kernel, libc, gtk etc | 08:17 |
ceene | not to be confused with https://konqueror.org/ | 08:17 |
jonwil | I did have to turn off a bunch of stuff though including gstreamer, WebRTC, WebM and a bunch of audio stuff like ogg. | 08:18 |
jonwil | But other than that it's definitely usable and working :) | 08:18 |
ceene | I don't think I've ever run any of those things on my pc | 08:18 |
jonwil | You will have if you are running a recent browser and e.g. accessed YouTube | 08:18 |
KotCzarny | jonwil, most people need functionality for utility sites | 08:18 |
KotCzarny | so audio isn't on top of the needed features | 08:19 |
KotCzarny | and might even be good because it will use fewer resources | 08:19 |
Maxdamantus | but not in microb/rtcom-messaging-ui, right? | 08:20 |
KotCzarny | I would like a functioning browser, no need for device wide engine | 08:20 |
Maxdamantus | Can already do that with a debian root (oldstable's xulrunner is also version 24 iirc) | 08:22 |
jonwil | My end goal is to hopefully replace microb-engine without breaking anything (except possibly support for the piece of garbage known as Flash) | 08:26 |
jonwil | Although given how slow conkeror was when I tried it, I think I need to see if there are more optimization flags I can turn on (either mozilla config options or compiler/linker flags) | 08:29 |
KotCzarny | thumb? | 08:29 |
KotCzarny | ;) | 08:29 |
jonwil | Anything that doesn't require a new kernel is an option I will consider :) | 08:29 |
KotCzarny | I think all kernels in any cssu support thumb binaries | 08:30 |
jonwil | Except that CSSU doesn't install a new kernel | 08:30 |
jonwil | I have everything from CSSU-testing running on my phone right now and I am still running the stock Nokia kernel | 08:31 |
Maxdamantus | Nothing should install a new kernel except the user. | 08:31 |
KotCzarny | ho hum | 08:31 |
Maxdamantus | but cssu does have custom kernels. | 08:31 |
jonwil | CSSU-thumb does | 08:32 |
jonwil | CSSU-devel does | 08:32 |
jonwil | But cssu-testing and cssu-stable do not | 08:32 |
jonwil | I know for sure cssu-devel has a custom kernel since I accidentally screwed up my phone by installing the modules for it by mistake without installing the kernel itself (thankfully I ended up finding a solution) | 08:33 |
sixwheeledbeast^ | CSSU-devel is just a repo of random devel packages, it's not a "standard" repo to pull everything from. | 09:40 |
sixwheeledbeast^ | You can install KP or "kernel-cssu" from thumb repo for thumb support. | 09:43 |
jonwil | Yeah I learned from that mistake pretty quickly and now I know to be more careful in what I install from cssu-devel | 10:31 |
DocScrutinizer05 | wrap the damn browser into a chroot | 15:46 |
DocScrutinizer05 | for messing with repos: http://maemo.cloud-7.de/maemo5/usr/local/sbin/enable-catalogs | 15:51 |
DocScrutinizer05 | even speedyham is a PITA to enable/disable repos | 15:52 |
DocScrutinizer05 | enable-catalogs all&&apt-get update&&apt-get install foobar-devel;enable-catalogs standard at the very least runs unattended, though also several minutes | 15:54 |
DocScrutinizer05 | or | 15:55 |
DocScrutinizer05 | enable-catalogs save tmp&&enable-catalogs all&&apt-get update&&apt-get install foobar-devel;enable-catalogs tmp&&enable-catalogs delete tmp | 15:56 |
DocScrutinizer05 | might make a wrapper out of this, s/foobar-devel/$1/ | 15:57 |
DocScrutinizer05 | install_X_with(){ enable-catalogs save tmp&&enable-catalogs ${2:-all}&&apt-get update&&apt-get install $1;enable-catalogs tmp&&enable-catalogs delete tmp; } | 16:00 |
DocScrutinizer05 | install_X_with foobar-devel allPlusThumb | 16:01 |
Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!