**** BEGIN LOGGING AT Thu Jun 07 03:00:04 2018
Jun 07 04:11:21 I think I got a solution now.
Jun 07 04:30:55 Sounds nice. Will it help with getting MicroB to work with some of those stubborn websites?
Jun 07 04:33:43 Nope, this is OpenSSL and QT, not microb-engine
Jun 07 04:33:47 which uses NSS
Jun 07 04:34:07 The work to get Firefox 24 going is a different project
Jun 07 04:34:25 i wonder if there is a way to make nss use openssl
Jun 07 04:34:31 Nope
Jun 07 04:35:16 Getting FF24 to work is still the best option.
Jun 07 04:35:26 I need to go back and see about grabbing debug symbols for Firefox 24 on Linux and see if those debug symbols contain any useful info about how FF24 was compiled.
Jun 07 04:35:39 Official Mozilla FF24 that is
Jun 07 04:36:24 https://rcritten.fedorapeople.org/nss_compat_ossl.html
Jun 07 04:36:33 but that's backwards
Jun 07 04:39:47 Getting FF24 going will give you more than just TLS 1.2
Jun 07 04:39:51 https://roumenpetrov.info/e_nss/
Jun 07 04:39:52 hmm
Jun 07 04:40:58 That's an engine to allow OpenSSL to read NSS certificate databases and such
Jun 07 04:41:02 So that doesn't do anything useful.
Jun 07 04:41:15 uhhum
Jun 07 04:42:01 trust me when I say getting FF24 going is the best hope for a browser that supports TLS 1.2
Jun 07 04:42:25 unless you find some weird hacky webkit fork that can be compiled properly on the ancient versions of the libraries the N900 is stuck at
Jun 07 04:48:52 Firefox 24 does sound nice.
Jun 07 04:57:55 Getting Fahrplan going again is important to me so I can do transport journey planning when I am out and about :)
Jun 07 04:58:06 hence why I am putting the effort into OpenSSL and QT
Jun 07 05:05:19 Nice :-) Would Gtk+ applications be able to use the OpenSSL? Or would it require specific adaptation, like Qt does?
Jun 07 05:06:03 i don't think gtk is the same level of toolkitness as qt
Jun 07 05:06:21 maybe glib has some connectivity functions
Jun 07 05:49:56 jonwil: the QT thing, I did something to it to use openssl1.0
Jun 07 05:50:03 you have that on my repos too
Jun 07 05:51:12 https://github.com/agamez/qt-x11-maemo/commits/RemoveSSL3 this branch should have been merged on maemo's n900, but i think nobody finally did it, even though it was approved
Jun 07 05:51:23 approved or whatever the process is to have patches applied to maemo repos
Jun 07 05:51:29 i don't remember the bureaucracy of that
Jun 07 05:51:35 jonwil: You do realize FF24 has like, a hundred CVEs?
Jun 07 05:51:38 and also you have https://github.com/agamez/qt-x11-maemo/commits/UpgradeSSL
Jun 07 05:51:51 which does compile against newer openssl
Jun 07 05:52:10 and backports support for new protocols: tlsv1_1, tlsv1_2
Jun 07 05:56:50 Could always just write some tun-based proxy that everything is routed to.
Jun 07 05:58:54 Browser just has some self-signed certificate that matches every host, gets routed through the tun proxy, using its old version of OpenSSL, tun proxy then connects to the actual IP address using its newer version of OpenSSL, doing host verification, etc
Jun 07 06:03:57 GTK doesn't have any networking code at all
Jun 07 06:04:03 It's just a UI toolkit
Jun 07 06:04:19 Any GTK app can use OpenSSL 1.1.0h no problems
Jun 07 06:05:55 The removessl thing is already on the cssu version of QT and already in CSSU
Jun 07 06:06:00 So nothing needs to happen there
Jun 07 06:08:28 The upgradessl stuff is for 1.0.x, the debian patch makes everything work for 1.1.0h (much better to use 1.1.0 with less bugs etc than 1.0.x)
Jun 07 06:08:38 And I see nothing specific that makes it hard to get that going
Jun 07 06:09:38 As for FF24, I bet the 1.9.2 based microb-engine has a lot of security flaws as well
Jun 07 06:10:01 I doubt upgrading to FF24 is going to make things any LESS secure
Jun 07 06:10:39 ¯\_(ツ)_/¯
Jun 07 06:10:45 i just hope it will be usable
Jun 07 06:10:58 not that many exploits would work on n900
Jun 07 06:11:01 ;)
Jun 07 06:13:24 ah, so debian already has patches for qt4+openssl1.1?
Jun 07 06:13:27 didn't know that
Jun 07 06:13:30 Yes they do
Jun 07 06:14:10 well, so much better then
Jun 07 06:14:29 They have a patch for OpenSSL 1.1 support on QT 4.8.7 which I need to get going on the QT 4.7.4 we have
Jun 07 06:14:43 No-one is going to write something that targets an exploit in an ancient version of Firefox that has been fixed for years now, let alone one running on a linux armel target (as opposed to android)
Jun 07 06:15:07 Not when they can write an exploit for Windoze and get far more machines infected
Jun 07 06:15:27 i suspect even static arm binaries might fail because of old kernel
Jun 07 06:16:28 I already have the results of compiling the FF24 tree running on my device (so libxul.so etc) with http://conkeror.org/ as the front end.
Jun 07 06:16:39 So it's definitely working.
Jun 07 06:16:55 A long way from where I need it to be but it's definitely at least working.
Jun 07 06:17:12 So we know it's ok in regards to dependencies, kernel, libc, gtk etc
Jun 07 06:17:14 not to be confused with https://konqueror.org/
Jun 07 06:18:10 I did have to turn off a bunch of stuff though including gstreamer, WebRTC, WebM and a bunch of audio stuff like ogg.
Jun 07 06:18:19 But other than that it's definitely usable and working :)
Jun 07 06:18:31 i don't think i've ever run any of those things on my pc
Jun 07 06:18:47 You will have if you are running a recent browser and e.g. accessed YouTube
Jun 07 06:18:52 jonwil, most people need functionality for utility sites
Jun 07 06:19:03 so audio isn't on top of the needed features
Jun 07 06:19:22 and might even be good because it will use fewer resources
Jun 07 06:20:05 but not in microb/rtcom-messaging-ui, right?
Jun 07 06:20:51 i would like functioning browser, no need for device wide engine
Jun 07 06:22:05 Can already do that with a debian root (oldstable's xulrunner is also version 24 iirc)
Jun 07 06:26:08 My end goal is to hopefully replace microb-engine without breaking anything (except possibly support for the piece of garbage known as Flash)
Jun 07 06:29:13 Although given how slow conkeror was when I tried it, I think I need to see if there are more optimization flags I can turn on (either mozilla config options or compiler/linker flags)
Jun 07 06:29:26 thumb?
Jun 07 06:29:27 ;)
Jun 07 06:29:50 Anything that doesn't require a new kernel is an option I will consider :)
Jun 07 06:30:20 i think all kernels in any cssu support thumb binaries
Jun 07 06:30:33 Except that CSSU doesn't install a new kernel
Jun 07 06:31:09 I have everything from CSSU-testing running on my phone right now and I am still running the stock Nokia kernel
Jun 07 06:31:10 Nothing should install a new kernel except the user.
Jun 07 06:31:16 ho hum
Jun 07 06:31:35 but cssu does have custom kernels.
Jun 07 06:32:28 CSSU-thumb does
Jun 07 06:32:32 CSSU-devel does
Jun 07 06:32:43 But cssu-testing and cssu-stable do not
Jun 07 06:33:46 I know for sure cssu-devel has a custom kernel since I accidentally screwed up my phone by installing the modules for it by mistake without installing the kernel itself (thankfully I ended up finding a solution)
Jun 07 07:40:48 CSSU-devel is just a repo of random devel packages, it's not a "standard" repo to pull everything from.
Jun 07 07:43:08 You can install KP or "kernel-cssu" from thumb repo for thumb support.
Jun 07 08:31:38 Yeah I learned from that mistake pretty quickly and now I know to be more careful in what I install from cssu-devel
Jun 07 13:46:50 wrap the damn browser into a chroot
Jun 07 13:51:51 for messing with repos: http://maemo.cloud-7.de/maemo5/usr/local/sbin/enable-catalogs
Jun 07 13:52:44 even speedyham is a PITA to enable/disable repos
Jun 07 13:54:51 enable-catalogs all&&apt-get update&&apt-get install foobar-devel;enable-catalogs standard at very least runs unattended, though also several minutes
Jun 07 13:55:00 or
Jun 07 13:56:07 enable-catalogs save tmp&&enable-catalogs all&&apt-get update&&apt-get install foobar-devel;enable-catalogs tmp&&enable-catalogs delete tmp
Jun 07 13:57:17 might make a wrapper out of this, s/foobar-devel/\$1/
Jun 07 14:00:11 install_X_with(){ enable-catalogs save tmp&&enable-catalogs ${2:-all}&&apt-get update&&apt-get install $1;enable-catalogs tmp&&enable-catalogs delete tmp; }
Jun 07 14:01:13 install_X_with foobar-devel allPlusThumb
Jun 07 22:14:08 Finally getting somewhere with QT
Jun 07 22:15:24 I found 3 changes to the SSL code in upstream QT 4.7.4 that we don't have in our copy so I will apply those and then after that I will start looking at and applying patches going forward until we hit 4.8.7 and then after that I can apply the OpenSSL 1.1 patch from Debian
Jun 07 22:22:33 great!
Jun 07 23:06:09 ok, new plan: Grab a "git log" of the ssl code from our QT tree and one from qt 4.8.7 then compare the 2. Any patches we have in our tree that aren't in 4.8.7 (i.e. backports for SNI and blacklisted certificates and etc) remove those since they will be coming back later. Then once we have something with no local patches to the ssl directory, start applying patches one by one to get to 4.8.7...
Jun 07 23:06:11 ...followed by the OpenSSL 1.1 patch.
Jun 08 00:15:22 or just apply `git diff maemo-base..v4.8.7`
Jun 08 00:15:55 instead of trying to apply each patch individually (which could easily be more work, depending on the nature of the changes)
Jun 08 00:16:42 Except that I only want to apply specific changes to one folder and not the entire tree (which git diff can't do)
Jun 08 00:16:51 (`maemo-base` being the commit in the actual qt repo that corresponds to maemo before the maemo-specific patches)
Jun 08 00:17:14 sure, `git diff maemo-base..v4.8.7 -- ./some/particular/tree`
Jun 08 00:17:33 I also need to review all the changes since I already know there are some patches I do not want to apply to this tree
Jun 08 00:18:31 Then you might want to interactively rebase the v4.8.7 commit onto the maemo-base commit beforehand.
Jun 08 00:19:27 or just revert those changes afterwards.
Jun 08 00:22:16 though fwiw, this is the sort of stuff that makes it really hard to upgrade in the future.
Jun 08 00:22:55 having trees with random sets of patches applied .. sounds like that's what maemo already has.
Jun 08 00:22:55 If it was easy to just upgrade QT right to 4.8.7 I would definitely do that
Jun 08 00:31:24 Maybe I should do a log compare of 4.7.4 stock vs current maemo tree and see what's different there...
Jun 08 00:51:31 jonwil: Regarding Firefox 24, Pale Moon web browser may be of interest. It was forked from Firefox 24, retains XUL, XPCOM and NPAPI compatibility, and updates other parts of browser with newer Firefox source code
Jun 08 01:05:35 Granted, Pale Moon expects Gtk+ 2.24 and Glibc 2.17. And I am not sure if it would be faster or slower than Firefox 24.
**** ENDING LOGGING AT Fri Jun 08 03:00:18 2018