**** BEGIN LOGGING AT Tue Feb 09 02:59:59 2016
Feb 09 03:40:04 No closer to finding a way to get NSS to give me more info on why it isn't working with certain domains/CAs (e.g. entrust)
Feb 09 03:48:16 bencoh: ok
Feb 09 03:49:06 DocScrutinizer05: I got it from phone control wiki page. Should I add that method-call to script?
Feb 09 03:51:59 * jonwil wishes this community had someone who knew stuff about microb-engine, gecko, nss, certs, ssl etc :(
Feb 09 03:53:08 Someday. What's the package with certificates, what's the package using them and complaining about them, and what change started the complaints?
Feb 09 03:55:49 * Oksana wonders why so many people do not register with NickServ; is it such a hardship? It's not like they don't give their email to curious minds on silver platter...
Feb 09 03:58:47 bug #7357
Feb 09 03:58:49 Bug https://bugs.maemo.org/7357 MfE is missing some CA cert symlinks on some devices (NuevaSync)
Feb 09 03:59:44 I updated the root CA store in maemo-security-certman to the latest Mozilla root set and now a bunch of different sites (for example any site using entrust as a CA including the entrust website itself) returns a "secure connection failed" error code sec_error_unknown_issuer. These sites all worked fine with the previous set of root CAs.
Feb 09 03:59:50 Also other sites (e.g. google) do work fine
Feb 09 04:00:55 And I would bet that the same "failing" sites would work just fine on a build of Firefox with the same set of root CA certificates that I imported into Maemo
Feb 09 04:01:46 Not sure... http://stackoverflow.com/questions/275878/firefox-and-ssl-sec-error-unknown-issuer
Feb 09 04:03:38 https://support.mozilla.org/en-US/questions/984505
Feb 09 04:04:21 In short: there is a chain of certificates, and if there is a link (intermediary) missing, you get an error?
Feb 09 04:05:00 * Oksana does not know how to pick through them and figure out which one is problematic and how
Feb 09 04:09:36 keep in mind bug #6211
Feb 09 04:09:37 Bug https://bugs.maemo.org/6211 Installed root certificates not used until browser restarted.
Feb 09 04:11:07 let's reboot just in case that somehow does something
Feb 09 04:11:15 not that it will of course
Feb 09 04:12:09 nope, nothing
Feb 09 04:12:22 Oksana: I am guessing you don't know what maemo-security-certman actually is
Feb 09 04:12:27 or what it does
Feb 09 04:16:12 Manages SSL certificates for secure connection in everything, like microb, probably telepathy too?
Feb 09 04:16:47 yes it holds the master root certificate store that microb uses (and other things too although not telepathy)
Feb 09 04:16:55 well maybe telepathy does I don't know
Feb 09 04:17:05 but definitely microb uses it for its root store
Feb 09 04:18:13 And hence Maps and Conversations, too
Feb 09 04:18:48 well conversations doesn't ever use ssl or certificates for the web browser part
Feb 09 04:19:39 Likely, yes
Feb 09 04:52:34 jonwil: Rebooting did not help?
Feb 09 04:52:42 nope
Feb 09 04:52:55 I wasn't expecting it to given how maemo-security-certman works
Feb 09 04:53:14 Any way to trace error to what exactly is wrong? To figure out the certificate it struggles with?
Feb 09 04:54:12 Even just a visual tree of certificates depending on each other would help to pinpoint exactly what node is responsible for cascade, though having exact logs from program would be preferable
Feb 09 05:02:09 I don't know but I am digging further into whether it's possible to import a newer nss into microb or not
Feb 09 05:02:29 Good
Feb 09 05:02:31 that would in theory give us support for the latest tls standards
Feb 09 05:02:40 Nice :-D
Feb 09 05:03:07 As long as it's not a memory-eater ;-) Or CPU-eater. Or space-eater
Feb 09 05:07:22 hmmm maybe we won't get that support, that code seems to live elsewhere
Feb 09 05:50:15 jonwil, does openssl on maemo use the same cert store?
Feb 09 05:50:30 no idea
Feb 09 05:50:43 openssl can be handy tool to check such things
Feb 09 05:51:01 let me google the magic line
Feb 09 05:51:24 I am using openssl s_client already
Feb 09 05:51:32 right
Feb 09 05:51:54 does it work or fail on that problematic site?
Feb 09 05:53:57 that works
Feb 09 05:54:51 what is your openssl version?
Feb 09 05:55:37 also, can you pastebin openssl s_client -connect your.site:443 ?
Feb 09 05:59:33 it's not just the one site, it's a whole bunch of sites including www.microsoft.com
Feb 09 06:08:10 ms site works on stock certs
Feb 09 06:14:39 the fact that openssl s_client gives correct output when talking to failing sites with the new set of CAs installed means that the root CAs themselves aren
Feb 09 06:14:42 aren't broken
Feb 09 06:14:43 or missing
Feb 09 06:14:54 and it's something in nss or microb that is at fault
Feb 09 06:15:14 or it uses different set
Feb 09 06:15:21 nope it doesn't
Feb 09 06:15:29 openssl and microb are using exactly the same set
Feb 09 06:15:58 since I used -CApath argument to openssl to point it at the set in maemo-security-certman (which is what microb is also using)
Feb 09 06:24:38 so it's definitely got something to do with nss or microb-engine code and not the set of root certs
Feb 09 06:27:53 Nice...
Feb 09 06:41:51 At this point we need to find someone that understands nss and gecko and stuff
Feb 09 06:42:16 Finding someone who understands that will help us get a newer version of all that stuff into microb-engine as well...
Feb 09 11:58:51 jonwil: did you already add a 144 printf() lines?
Feb 09 11:59:59 I at times had programs that were half their original size after I cleaned out all printfs
Feb 09 12:00:37 ancient programming schemes ;-)
Feb 09 12:03:28 bah, I can't properly debug browserd with gdb :(
Feb 09 12:14:05 why?
Feb 09 12:18:08 no matter why, that's exactly the age old rationale behind ancient printf() 'debugging'
Feb 09 12:23:30 moin :)
Feb 09 12:53:18 adding debug printfs is a pain when it takes 20 minutes to rebuild microb-engine every time
Feb 09 13:00:03 sometimes it's the easiest way
Feb 09 13:20:03 hmm, it took up to 30 minutes back when I used that technique, thus I added a *lot* of them so probability was high I would have one at the right place anyway. However it took a 2 or 3 spins to refine the printfs where stuff turned out to get more interesting
Feb 09 13:20:42 jonwil, also, add printf as a function or definition
Feb 09 13:20:49 so you can disable it easily later
Feb 09 13:20:57 (without removing everything)
Feb 09 13:29:31 Why would gdb not be possible?
Feb 09 14:19:38 shodan is awesome ;-P so are some fools e.g. in USA http://98.213.179.248/nobody/mobile320.htm?Login=Quick
Feb 09 14:20:31 admin admin
Feb 09 14:21:21 lmao
Feb 09 14:22:27 someone parking car. Owner coming home?
Feb 09 14:23:00 hmm no
Feb 09 14:28:17 http://wstaw.org/m/2016/02/09/plasma-desktopCm3616.png
Feb 09 14:39:09 of course the geolocation is mostly bogus
Feb 09 20:08:43 Oh... just noticed why modest was refusing to download last messages without any error notification... syslog: GLIB WARNING ** camel-imap-provider - Unexpected response from IMAP server: A00001 NO [ALERT] Please log in via your web browser: https://support.google.com/mail/accounts/answer/78754 (Failure)
Feb 09 20:10:39 xes: I have been having trouble with hotmail for a few weeks no idea why.
Feb 09 20:11:11 ..these gmail (security) warnings are really annoying
Feb 09 20:15:56 anyway, it would be nice if modest could report such kind of imap "[ALERT]" messages
Feb 09 20:17:54 I actually can't get any e-mails now by the looks of it, the other accounts have stopped updating.
Feb 09 21:59:54 Everything about bugs.maemo.org seems very outdated. Does it mean we don't want to change it?
Feb 09 22:01:19 we don't want bugs
Feb 09 22:02:04 same goes for the mailing-list, I wonder if we could go back to using it
Feb 09 22:02:35 but I think that's because TMO has always had a preponderant part in the communication inside the community
Feb 09 22:03:12 well a bugtracker could be handy
Feb 09 22:03:51 yeah, but people tend to use TMO as a bug reporting tool
Feb 09 22:04:06 (not really a bugtracker, but kind of)
Feb 09 22:04:33 the average person doesn't know how to submit bugs in a bug-tracker. hence forums end up bug-trackers :)
Feb 09 22:04:48 yeah
Feb 09 22:05:58 still more knowledgeable users can fill the reports as bugs
Feb 09 22:06:10 at least for the Maemo infrastructure for example
Feb 09 22:06:19 otherwise it is very easy to lose track of bugs
Feb 10 01:17:19 xes__: there's a whole lot of mess in all those DUI programs that doesn't handle errors properly. And there's a bazillion nonsensical error messages even during otherwise flawless operation
Feb 10 01:17:44 s/DUI/GUI/
Feb 10 01:17:45 DocScrutinizer05 meant: xes__: there's a whole lot of mess in all those GUI programs that doesn't handle errors properly. And there's a bazillion nonsensical error messages even during otherwise flawless operation
Feb 10 01:18:33 the devels never really care about what's the fallout on STDOUT/STDERR
Feb 10 01:19:12 most programs are supposed to run $app &>/dev/null
Feb 10 01:19:51 and then all but the most common errors simply don't show up in any meaningful way
Feb 10 01:20:36 you're just lucky that this time GLIB bothered to do a syslog
Feb 10 01:23:03 ((Everything about bugs.maemo.org seems very outdated)) I guess Abdre Klapper doesn't really care anymore about maemo bugs, and nobody took over the role of bugmaster
Feb 10 01:23:11 Andre even
Feb 10 01:24:45 * jonwil is no closer to figuring out what's wrong with NSS
Feb 10 01:25:03 dang, a nasty critter, jonwil
Feb 10 01:25:11 There are some command line tools that might be useful included in the NSS/microb-engine source code but I can't figure out how to get them to compile
Feb 10 01:25:28 :-(
Feb 10 01:26:05 did that Nokia guy answer your mail?
Feb 10 01:29:08 Been going back and forth with Juhani
Feb 10 01:29:43 At least we know for sure that the new set of root CA certificates is good because cmcli -T common-ca -v ib.boq.mobi:443 verifies correctly
Feb 10 01:29:49 same with other sites that are broken in microb
Feb 10 01:30:12 So that proves it's NSS/Microb at fault and not maemo-security-certman
Feb 10 01:36:31 but yeah I am determined to get it working (possibly by importing a newer NSS version if I can ever figure out how)
Feb 10 01:45:31 https://www.youtube.com/watch?v=NXoW-TDzcFU
**** ENDING LOGGING AT Wed Feb 10 02:59:59 2016