| *** Pali has joined #maemo | 00:42 | |
| Sicelo | freemangordon, DocScrutinizer05 ... 'solved' the problem with AGPS - *maemosec* packages from devel have problem of some sort. will report on devel thread | 01:08 |
|---|---|---|
| freemangordon | hmm | 01:12 |
| freemangordon | some certificate problem again I guess | 01:12 |
| Sicelo | possibly, but 2nd N900 using CSSU-T (no devel) worked perfectly the whole time. no idea what's up with the devel ones | 01:13 |
| freemangordon | Sicelo: https://github.com/community-ssu/maemo-security-certman/commits/master | 01:14 |
| freemangordon | we should wait fo jonwil to appear | 01:15 |
| freemangordon | but yeah, report the problem on cssu-devel thread | 01:15 |
| Sicelo | i've done, https://talk.maemo.org/showpost.php?p=1522850&postcount=510 :-) | 01:15 |
| freemangordon | Sicelo: could you try to connect with openssl instead of cmcli? | 01:19 |
| freemangordon | ah, you already did it | 01:20 |
| Sicelo | i did both | 01:20 |
| Sicelo | yeah | 01:20 |
| Sicelo | weird thing is .. exactly the same output for both devices for cmcli and openssl | 01:21 |
| freemangordon | mhm | 01:21 |
| freemangordon | I wonder why cmcli gives self-signed error | 01:21 |
| freemangordon | Sicelo: are you sure you did cmcli on both devices? | 01:24 |
| freemangordon | as it does not fail on mine | 01:24 |
| freemangordon | "Verified OK" | 01:24 |
| freemangordon | for the same command as yours | 01:24 |
| Sicelo | yes, yes | 01:25 |
| Sicelo | but now that i've downgraded maemosec-certman-tools one the one to 0.2.3, it verifies ok | 01:25 |
| freemangordon | Sicelo: what is the version on your second device? | 01:26 |
| Sicelo | the 2nd N900 (which has had consisted quick fixes), has 0.2.4 .. didn't downgraded, and that ones still 'sees' self-signed | 01:26 |
| freemangordon | weird | 01:26 |
| Sicelo | 0.2.4 doesn't seem to be in any repo now though :-/ | 01:26 |
| Sicelo | what version do you have? | 01:27 |
| freemangordon | 0.2.3 | 01:27 |
| freemangordon | Sicelo: what is the output from dpkg -L maemosec-certman-common-ca | grep 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61 | 01:34 |
| freemangordon | on that device with 0.2.4 | 01:34 |
| Sicelo | /etc/certs/common-ca/00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1.pem | 01:37 |
| Sicelo | /etc/certs/common-ca/00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61.pem | 01:37 |
| Sicelo | problem is the duplicate? | 01:37 |
| freemangordon | no, most probably it is in the order | 01:37 |
| Sicelo | yes .. by the way the 0.2.4 device is 'fine' :) | 01:38 |
| freemangordon | what do you mean? | 01:38 |
| freemangordon | if cmcli fails to verify, it is not fine | 01:38 |
| freemangordon | see https://github.com/community-ssu/maemo-security-certman/commit/2cbd96e89d7529e1ce25801824fb76f39b05b836 | 01:39 |
| Sicelo | ah yes .. meant from the POV of A-GPS | 01:39 |
| freemangordon | I suspect same/similar problem | 01:39 |
| Sicelo | i remember those fixes back then | 01:39 |
| freemangordon | Sicelo: but then, why cmcli fails? | 01:39 |
| Sicelo | i really have no idea about that | 01:40 |
| Sicelo | maybe jonwil will have idea, but | 01:40 |
| Sicelo | not sure if this is related .. https://talk.maemo.org/showthread.php?t=96433 .. seems to be the only place 0.2.4 is mentioned | 01:41 |
| freemangordon | yep, lets wait for him to appear. If not, tomorrow I'll install the latest from -devel and will check | 01:41 |
| Sicelo | the thread seems to have ended without anything specific | 01:42 |
| * freemangordon goes afk | 01:42 | |
| freemangordon | night | 01:42 |
| Sicelo | sure .. at least you'll probably be able to understand it better than I | 01:42 |
| Sicelo | night | 01:42 |
| *** cyphase has quit IRC | 01:43 | |
| *** NeKit has quit IRC | 01:49 | |
| *** NeKit has joined #maemo | 01:50 | |
| *** jonwil has joined #maemo | 02:02 | |
| Sicelo | jonwil: we were just talking about you :) | 02:07 |
| jonwil | hi | 02:07 |
| * jonwil reads logs | 02:07 | |
| Sicelo | see last two posts in cssu devel thread .. a-gps problem that can be attributed to maemosec-certman packages | 02:08 |
| jonwil | ok, what exactly is the problem? | 02:08 |
| jonwil | So the problem is what exactly? | 02:09 |
| DocScrutinizer05 | maybe supl format changed and results in modem GPS engine hanging now? | 02:09 |
| jonwil | that the new set of root CAs doesn't work properly for AGPS? | 02:09 |
| Sicelo | a-gps does not work with maemo-security-certman (0.2.7) | 02:09 |
| Sicelo | yes | 02:09 |
| jonwil | which version is the last one that works? | 02:10 |
| Sicelo | i downgraded to 0.2.3 and i get instant fix | 02:10 |
| Sicelo | 0.2.4 gets good fix too .. but fails cmcli verification | 02:10 |
| Sicelo | 0.2.3 has good fix, and cmcli verifes supl.nokia.com OK | 02:11 |
| *** dafox has quit IRC | 02:15 | |
| DocScrutinizer05 | sorry now that sounds like bogus heissenbug, aka unrelated | 02:16 |
| DocScrutinizer05 | you're aware BB5 probably stores ephem/alm internally too? there been even a tiny tool to clear that stuff in modem, back when. sorry can't spot it anymore, I *think* it was an attachment by our Nokia FOSS ambassador to tmo | 02:18 |
| *** rZr has quit IRC | 02:19 | |
| *** RzR has joined #maemo | 02:20 | |
| Sicelo | DocScrutinizer05: when it works - Socket to supl.nokia.com opened, fd=13, verify_res=0 | 02:20 |
| Sicelo | when it doesn't, Socket to supl.nokia.com opened, fd=12, verify_res=19 | 02:20 |
| DocScrutinizer05 | meh, gimme tcpdump/whireshark! | 02:22 |
| *** dafox has joined #maemo | 02:22 | |
| DocScrutinizer05 | even tshark | 02:22 |
| DocScrutinizer05 | anyway, you clarified that now, so it looks less unrelated | 02:24 |
| jonwil | Could it be that the " | 02:24 |
| jonwil | the " Change the order of VerSign root certificates, so "newer" certificate to appear first. Fixes supl server not working." change in maemo-security-certman is related | 02:25 |
| jonwil | That change was made in 0.2.3 | 02:25 |
| jonwil | Its possible my total reimport of the certificates in later versions caused the order to change again somehow | 02:25 |
| Sicelo | most likely, yes | 02:25 |
| jonwil | I have no real way to verify that though | 02:25 |
| DocScrutinizer05 | yes | 02:25 |
| jonwil | speaking of which, I need to update maemo-security-certman to the latest set of mozilla root certificates, haven't done it for a while :) | 02:26 |
| Sicelo | :) | 02:26 |
| DocScrutinizer05 | of course >>Fixes supl server not working."<< is related ;-D | 02:26 |
| * DocScrutinizer05 has absulute faith in Ivo fixing that | 02:30 | |
| DocScrutinizer05 | I think cert management is your daily warmup, freemangordon. Right? ;-) | 02:31 |
| DocScrutinizer05 | ~trump | 02:32 |
| infobot | well, trump is NULL | 02:32 |
| DocScrutinizer05 | wow | 02:32 |
| DocScrutinizer05 | ~factinfo trump | 02:32 |
| infobot | trump -- created by fungus <fungus@delta.myfungus.net> at Tue Aug 9 22:29:09 2016 (179 days); it has been requested 5 times, last by DocScrutinizer05, 20s ago. | 02:32 |
| DocScrutinizer05 | https://www.youtube.com/watch?v=zP7RbhfcV7o | 02:39 |
| *** cyphase_eviltwin has joined #maemo | 02:50 | |
| *** xorly has quit IRC | 02:50 | |
| jonwil | ok, the root CA store is updated | 02:50 |
| *** Pali has quit IRC | 02:50 | |
| DocScrutinizer05 | please keep in mind that it took quite some investigation and WTF-moments to make a _working_ cert store back when patching it | 02:51 |
| DocScrutinizer05 | I think there are some undocumented non-intuitive (aka flaw) sequence/sortorder issues with the cert store | 02:52 |
| DocScrutinizer05 | iirc | 02:52 |
| DocScrutinizer05 | took the one who meddled with it (fmg?) quite a bit of trial&error to 'fix a perfectly correct cert store' so it works with some broken apps/libs in maemo | 02:53 |
| *** florian has quit IRC | 02:54 | |
| jonwil | in that case we should modify the maemosec-certman tools and stuff to correctly order the certs rather than try and manually patch the store every time. | 02:54 |
| DocScrutinizer05 | I think if that option had existed, it would have been taken back when | 02:54 |
| jonwil | anyhow, let me see what I get now with maemo-security-certman 0.2.8 on my phone when I try to access the various supl servers out there... | 02:55 |
| DocScrutinizer05 | when a closed process fails on your absolutely corect data, based on mystery criteria (moon phase and md5sum of all words with a prime number of chars) then you can't fix much | 02:56 |
| DocScrutinizer05 | note that certs are not only relevant for supl | 02:56 |
| DocScrutinizer05 | you have quite a few apps to check | 02:57 |
| DocScrutinizer05 | I suggest you read the historical tickets and tmo threads regarding that stuff | 02:57 |
| DocScrutinizer05 | or wait for fmg (and/or pali?) to chime in | 02:57 |
| *** dafox has quit IRC | 02:58 | |
| DocScrutinizer05 | I really can't recall details | 02:59 |
| DocScrutinizer05 | only kbnow it been a PITA | 02:59 |
| jonwil | ok, so location-test-gui can definatly see satellites but it cant get a lock | 02:59 |
| jonwil | I wish it displayed more info about the actual connections to the supl server | 02:59 |
| DocScrutinizer05 | hmm, such a statement is pretty generic. Did you make sure the signal of sats is OK? | 03:00 |
| jonwil | wireshark logs wont help since you cant wireshark an SSL connection unless you can peek into memory and get the keys | 03:00 |
| DocScrutinizer05 | did you make sure you have correct system time? | 03:00 |
| DocScrutinizer05 | did you reset BB5 GPS? | 03:00 |
| DocScrutinizer05 | (SSL) right :-/ | 03:00 |
| jonwil | system time is comming from network so it should be correct | 03:01 |
| jonwil | it says ept, eph, epv, epd, eps and epc are all NAN | 03:02 |
| jonwil | I am connected to both 3G and WiFi here | 03:02 |
| jonwil | as for resetting bb5 GPS I dont know how | 03:02 |
| DocScrutinizer05 | 'not getting a fix' might be everything from cloudy sky to hickup in hardware that needs power down & battery out for 60s, to wrong system time, to Trolland Dump deciding not to share GPS to Europe anymore | 03:03 |
| jonwil | If there was a problem with GPS here in Australia I would have heard of it | 03:03 |
| jonwil | About to go outside and see if that makes a difference :) | 03:03 |
| DocScrutinizer05 | ohmy, you expected a GPS fix indoors? :-o | 03:04 |
| jonwil | I have gotten such fixes before in this place | 03:04 |
| DocScrutinizer05 | prolly not, most like was no first fix and maybe no GPS fix at all | 03:05 |
| DocScrutinizer05 | see | 03:05 |
| jonwil | maybe | 03:05 |
| DocScrutinizer05 | ~gsm-ahps | 03:05 |
| DocScrutinizer05 | ~gsm-agps | 03:05 |
| infobot | i guess rrlp is the Radio Resource LCS (Location Service) Protocol as specified first in GSM TS 04.31, or http://security.osmocom.org/trac/wiki/RRLP | 03:05 |
| jonwil | ok, let me try this outside and see what I get. | 03:05 |
| DocScrutinizer05 | U-TDOA is more accurate and faster than any (A)GPS | 03:05 |
| DocScrutinizer05 | and works indoors, as long as you got a network signal | 03:06 |
| DocScrutinizer05 | ~u-tdoa | 03:06 |
| infobot | well, u-tdoa is http://en.wikipedia.org/wiki/U-TDOA | 03:06 |
| DocScrutinizer05 | standard on pretty much all 3G nowadays | 03:07 |
| DocScrutinizer05 | note that RRLP is network layer and thus totally opaque to userland | 03:11 |
| jonwil | going outside didn't get me a lock even though I could see the sats | 03:12 |
| DocScrutinizer05 | did they have signal? | 03:12 |
| jonwil | location-test-gui didn't show me anything to suggest they did one way or the other | 03:12 |
| jonwil | It said there were lots of sats visible but none in use | 03:12 |
| jonwil | as high as 5 visible | 03:13 |
| DocScrutinizer05 | "sats in sight" only means what almanach tells you are supposed to be able to see under optimal conditions | 03:13 |
| DocScrutinizer05 | it suggests you received somewhat working almanach data | 03:14 |
| DocScrutinizer05 | *if* the sats shown as "visible" are actually correct | 03:14 |
| jonwil | No idea then why its not working if I select either "GNSS" or "AGNSS" in location-test-gui | 03:14 |
| DocScrutinizer05 | maybe because it has a totally off idea where you are? | 03:15 |
| jonwil | ok, sounds like a reset of bb5 might help | 03:15 |
| jonwil | should I try this bb5 data reset thing or should I just try a power down and reboot? | 03:16 |
| DocScrutinizer05 | to guess what sats are visible (and thus search for them) the algo needs your position first. To some +-few 100s of miles | 03:16 |
| jonwil | i.e. power down for a minute then reboot? | 03:16 |
| DocScrutinizer05 | try both. Did you find that reset thing? where? | 03:16 |
| jonwil | I didn't find the reset thing | 03:16 |
| jonwil | powered down my phone now, will wait a minute or two then power up again | 03:17 |
| DocScrutinizer05 | remove battery | 03:17 |
| jonwil | I did | 03:17 |
| jonwil | if I get the "enter date/time" screen then I will know its reset the bb5 I guess | 03:17 |
| DocScrutinizer05 | so modem definitely doesn't store shit in RTC or cmos storage | 03:17 |
| jonwil | ok, that should be long enough, lets try it now | 03:19 |
| jonwil | see if it resets any stuff the bb5 might be confused about | 03:19 |
| jonwil | ok, I got welcome screen so that means things got reset | 03:20 |
| jonwil | although that didn't help | 03:23 |
| jonwil | I strongly suspect its a certificate problem talking to the SUPL server | 03:24 |
| jonwil | cmcli says "verification failed, self signed certificate" | 03:26 |
| jonwil | downgrading maemosec-certman-common-ca to the version with the fix in it didn't help either | 03:36 |
| jonwil | still no lock | 03:36 |
| jonwil | Nothing I do seems to get a GPS lock on my N900 | 03:37 |
| DocScrutinizer05 | even without any connectivity, GPS should get a fix after 15min the latest, as long as there's a strong enough sat signal | 03:39 |
| *** cyphase_eviltwin is now known as cyphase | 03:40 | |
| DocScrutinizer05 | actually should be faster since every sat sends its own orbit data faster than the complete almanac/ephemeral | 03:40 |
| DocScrutinizer05 | but you need a iirc 30dB higher signal than needed to *keep* a fix | 03:41 |
| DocScrutinizer05 | and correct system time and at least country you're in will prolly also help a lot | 03:42 |
| DocScrutinizer05 | system time is easily obtained from SAT data. Location not that easily | 03:43 |
| DocScrutinizer05 | the better your initial guess of location, the faster TTFF | 03:43 |
| DocScrutinizer05 | basically | 03:43 |
| DocScrutinizer05 | and that's partially what A in AGPS is all about | 03:44 |
| jonwil | ok so the only explanations I have are bogus data being held somewhere (e.g. bb5), that I cant see any sats even when outside (for some reason, there are clouds but they are light clouds and not the heavy stuff that gets in the away) or that the n900 is doing something wrong somewhere (e.g. wrong library version being a problem). | 03:44 |
| DocScrutinizer05 | when you get bogus assistance data, I'm pretty sure you're better off with none at all | 03:44 |
| jonwil | This is after trying it for ages with "GNSS" selected in location-test-gui and disconnected from wifi/cellular data to make sure its not trying to download anything | 03:45 |
| jonwil | My gut says bogus stored data is the likely answer | 03:45 |
| DocScrutinizer05 | you got a SIM? | 03:45 |
| jonwil | Yep, I have a sim in the phone | 03:46 |
| jonwil | and it returns the correct country code | 03:46 |
| DocScrutinizer05 | see RRLP!!! | 03:46 |
| jonwil | and I am connected to 3G voice | 03:46 |
| jonwil | "CWP" seems to have given me a lock | 03:47 |
| jonwil | although I think that's just cell tower positioning and nothing to do with GPS | 03:47 |
| DocScrutinizer05 | yes, and cell towers send "supl" | 03:47 |
| jonwil | I think I need to find that tool to remove whatever crap bb5 is holding | 03:48 |
| DocScrutinizer05 | you need to remove SIM first of all | 03:48 |
| DocScrutinizer05 | or at least go airplane mode | 03:48 |
| DocScrutinizer05 | though I'm still not sure if it *receives* RRLP nevertheless | 03:49 |
| jonwil | gone to offline mode | 03:49 |
| jonwil | offline mode plus GNSS in location-test-gui should mean it uses 100% no cellmo works-like-standalone-GPS offline mode to get a lock | 03:50 |
| jonwil | with nothing taken from the cellmo or networks of any kind | 03:50 |
| jonwil | Looks like finding that tool to erase stored GPS data in bb5 would help | 03:52 |
| *** luke-jr has quit IRC | 03:55 | |
| *** luke-jr has joined #maemo | 03:57 | |
| DocScrutinizer05 | https://bugs.maemo.org/show_bug.cgi?id=7026#c35 | 04:01 |
| povbot | Bug 7026: Can't get a GPS lock with several satellites at view | 04:01 |
| DocScrutinizer05 | "should mean" HAHA | 04:01 |
| DocScrutinizer05 | please read about RRLP | 04:02 |
| DocScrutinizer05 | ~gsm-agps | 04:02 |
| infobot | from memory, rrlp is the Radio Resource LCS (Location Service) Protocol as specified first in GSM TS 04.31, or http://security.osmocom.org/trac/wiki/RRLP | 04:02 |
| DocScrutinizer05 | BB5 prolly has not even a means to NOT use RRLP when it's available | 04:02 |
| DocScrutinizer05 | RRLP is 911-related and completely outside of user control | 04:03 |
| DocScrutinizer05 | and obviously not even the Nokia maemo gurus knew about that when they made maemo5 | 04:04 |
| DocScrutinizer05 | BB5 is largely opaque to them as well | 04:04 |
| *** geaaru has quit IRC | 04:05 | |
| Juesto | o_O | 04:06 |
| DocScrutinizer05 | please understand that CWP and SUPL etc is basically only userland, with a defined API to send the SUPL data to modem aka GPS chip. But that modem-GPS-chip has its own "SUPL" (called RRLP) and maemo devels didn't know | 04:07 |
| DocScrutinizer05 | FFS! | 04:09 |
| DocScrutinizer05 | ~literal gsm-agps | 04:09 |
| infobot | "gsm-agps" is "<reply>see rrlp" | 04:09 |
| DocScrutinizer05 | ~literal rrlp | 04:09 |
| infobot | "rrlp" is "the Radio Resource LCS (Location Service) Protocol as specified first in GSM TS 04.31, or http://security.osmocom.org/trac/wiki/RRLP" | 04:09 |
| DocScrutinizer05 | infobot: no, rrlp is <reply>RRLP is the Radio Resource LCS (Location Service) Protocol as specified first in GSM TS 04.31, or http://osmocom.org/projects/security/wiki/RRLP | 04:11 |
| infobot | DocScrutinizer05: okay | 04:11 |
| DocScrutinizer05 | >>In all known phones, RRLP operation is completely invisible to the user of the phone<< | 04:12 |
| DocScrutinizer05 | >> Contrary to the user-plane based SUPL, RRLP works entirely in the signaling plane of the network. As such, the RRLP protocol level is not accessible to user applications on a phone.<< | 04:13 |
| DocScrutinizer05 | >>Most RRLP capable phones will request GPS assistance data from the network.<< | 04:14 |
| DocScrutinizer05 | bottom line: when your cellular carrier sends bogus "assistance data" via RRLP, there's nothing you could do about it and your GPS will mist likely fail. You _probably_ could cure this by removing the SIM all together or by at least switching to airplane mode | 04:17 |
| * DocScrutinizer05 heads out coughing a bit more, and probing own Core temperature | 04:18 | |
| DocScrutinizer05 | http://maemo.cloud-7.de/maemo5/usr/local/sbin/clear-gps-cache but also see http://maemo.cloud-7.de/maemo5/usr/sbin/cmt-reset (NFC what that does) | 04:26 |
| jonwil | I tried clear-gps-cache but that didn't help | 04:26 |
| jonwil | I do see SNR values for a bunch of satellites (as many as 6 when I stand outside away from buildings) | 04:27 |
| jonwil | Values ranging from the high 20s to 40+ | 04:27 |
| jonwil | In terms of the weather its very hot and very humid with light clouds in the sky, maybe the humidity or heat is causing interference | 04:27 |
| jonwil | ok, wtf, I got a lock!!! | 04:29 |
| jonwil | on AGNSS | 04:29 |
| jonwil | and now of course I get a lock again straight away because my phone hasn't moved | 04:29 |
| jonwil | so its definatly not broken GPS hardware or bogus data stored by bb5 | 04:33 |
| jonwil | now I need to go somewhere away and see if GPS still gets a lock or something. | 04:33 |
| jonwil | and how long it takes | 04:33 |
| jonwil | not sure how far away I should go to be far enough away from current pos to test that | 04:34 |
| DocScrutinizer05 | 30+ is fine, should result in a fix after some time | 04:39 |
| DocScrutinizer05 | and seems it did :-) | 04:40 |
| DocScrutinizer05 | glad it finally worked for you | 04:43 |
| DocScrutinizer05 | did you have SIM/network enabled? | 04:43 |
| *** pagurus has quit IRC | 04:48 | |
| *** pagurus has joined #maemo | 04:49 | |
| jonwil | yes I did at that point | 04:52 |
| jonwil | I suspect the way to be sure whats going on is to head a couple km away from where I am now and try it again and see what happens. | 04:53 |
| jonwil | If I move a couple km away it will invalidate any old position data GPS chip holds | 04:53 |
| jonwil | maybe run the clear-gps-cache tool as well | 04:53 |
| jonwil | and reboot the phone to clear anything held in bb5 ram | 04:53 |
| *** spiiroin has quit IRC | 05:05 | |
| *** M4rtinK has quit IRC | 05:16 | |
| *** spiiroin has joined #maemo | 05:18 | |
| *** lxp1 has quit IRC | 06:04 | |
| jonwil | My guess is that with the cert issues preventing connectivity to the supl server it takes many minutes to get a lock because it has to download full data from sats over slow link | 06:04 |
| DocScrutinizer05 | yes | 06:05 |
| DocScrutinizer05 | sprt of, though I learned a *good* GPS driver (like we finally had in Neo Freerunner) can download the relevant data from sats it actually receives in less than 60s and then get a first fix | 06:07 |
| DocScrutinizer05 | aiui each sat sends its own orbit parameters and the current time once every 40s or somesuch | 06:08 |
| DocScrutinizer05 | as long as the GPS chip has enough correlators to receive all possible sats concurrently, it should get a first fix in pretty short time | 06:09 |
| DocScrutinizer05 | I almost forgot the details, GPS is complex and I last time looked into it several years ago | 06:10 |
| DocScrutinizer05 | http://www.colorado.edu/geography/gcraft/notes/gps/gps_f.html recommended | 06:12 |
| DocScrutinizer05 | http://www.colorado.edu/geography/gcraft/notes/gps/gps.html#SVData | 06:14 |
| DocScrutinizer05 | >>The GPS Navigation Message consists of time-tagged data bits marking the time of transmission of each subframe at the time they are transmitted by the SV. A data bit frame consists of 1500 bits divided into five 300-bit subframes. A data frame is transmitted every thirty seconds. Three six-second subframes contain orbital and clock data. SV Clock corrections are sent in subframe one and precise SV orbital data sets (ephemeris data | 06:15 |
| DocScrutinizer05 | parameters) for the transmitting SV are sent in subframes two and three<< | 06:15 |
| DocScrutinizer05 | full almanac however takes some 12 or 15min of glitch free reception for complete download | 06:21 |
| DocScrutinizer05 | "full" as in "has all data of all sats for the next week or so" | 06:21 |
| DocScrutinizer05 | aah >>Subframes four and five are used to transmit different pages of system data. An entire set of twenty-five frames (125 subframes) makes up the complete Navigation Message that is sent over a 12.5 minute period.<< | 06:23 |
| DocScrutinizer05 | http://www.colorado.edu/geography/gcraft/notes/gps/gif/databits.gif | 06:24 |
| DocScrutinizer05 | >>Signal acquisition time on receiver start-up can be significantly aided by the availability of current almanacs<< | 06:28 |
| DocScrutinizer05 | only useful when you already have a rough idea of where you are and what's the time, otherwise you don't know which sats are visible and on which doppler shift, even with absolutely complete and up-to-date almanac# | 06:30 |
| DocScrutinizer05 | rough idea here means like +-500km and +´1min I guess | 06:31 |
| *** geaaru has joined #maemo | 06:31 | |
| DocScrutinizer05 | nice: http://www.colorado.edu/geography/gcraft/notes/gps/gif/bitsanim.gif | 06:32 |
| DocScrutinizer05 | corellator | 06:32 |
| DocScrutinizer05 | >>Receiver position is computed from the SV positions, the measured pseudo-ranges (corrected for SV clock offsets, ionospheric delays, and relativistic effects), ****and a receiver position estimate (usually the last computed receiver position)****.<< | 06:38 |
| DocScrutinizer05 | the complete almanac is 37500 bit in size | 06:41 |
| DocScrutinizer05 | so ~5kB | 06:42 |
| DocScrutinizer05 | it describes the orbits of all SV (aka SAT) and stays valid until reality differs from clean math | 06:43 |
| DocScrutinizer05 | the ephem are obviously per SV and describe its current position, so this is all a GPS chip needs when actually receiving the SV. Those are sent every 30s | 06:45 |
| DocScrutinizer05 | so with 4 corellators locked to 4 sats (which are sufficiently distant from each other) you should get a first fix in 30s. Locking to a sat depends on using the right code and right doppler frequency shift, and given both are correct it shouldn't take longer than a second or 2 maybe. so with an unlimited number of corellators so you can search for all possibe sats/codes at all possible doppler shifts, you always get TTFF <40s | 06:51 |
| DocScrutinizer05 | unless no sufficiently good sat signals available | 06:51 |
| DocScrutinizer05 | almanac helps to pick the right code (aka SV) and doppler correction, from estimation of point in time and space | 06:53 |
| DocScrutinizer05 | when your almanac is bogus or your time or location guess is totally off, and the GPS chip has no smart handling of that, you might find the chip trying forever to receive SVs that don't exist where amd when you are | 06:55 |
| DocScrutinizer05 | it's like staring west on a ship heading north, to find that island, and you never will see it since you're a tad further to the west than you thought you were and the island shows up in the east of your position | 06:57 |
| DocScrutinizer05 | you'll recover from that as late as seeing another random island west of you, maybe days later | 06:59 |
| DocScrutinizer05 | in case of GPS it never will recover since it not only looks for any island but for a very particular one, and it ignores resp doesn't even see any others that come by | 07:01 |
| DocScrutinizer05 | that's why I think in certain situations disabling AGPS **and RRLP** might actually yield better results | 07:02 |
| jonwil | So it looks like we need to find out just what certs supl.nokia.com actually needs and why it needs old/obsolete certs that Mozilla no longer ships or whatever (or if there is something else going on) | 07:03 |
| jonwil | And then if we really need old certs we need to add back just the one cert needed | 07:03 |
| DocScrutinizer05 | yep | 07:04 |
| DocScrutinizer05 | I *guess* the CA of those Nokia SUPL certs is expired or revoked, and Nokia didn't bother to get a new cert | 07:05 |
| jonwil | I dont know enough about certificates or SSL to know how to do this | 07:06 |
| DocScrutinizer05 | or the cert uses an encryption or whatever that has been deprecated since | 07:06 |
| jonwil | I think from something I saw is one cert that uses MD2 signing (which is obsolete and | 07:07 |
| jonwil | obsolete and easily broken | 07:07 |
| jonwil | well the certificate for supl.nokia.com is current and valid from Feb 18 2016 to May 15 2017 so its definitely not some old obsolete job | 07:11 |
| jonwil | Need someone who knows more about SSL (or maybe someone who knows more about VeriSign certificates in particular) | 07:27 |
| *** DocScrutinizer05 has quit IRC | 07:37 | |
| *** DocScrutinizer05 has joined #maemo | 07:37 | |
| jonwil | Finding someone that knows about SSL certs is going to be hard though... | 08:26 |
| *** Michael_a320 has joined #maemo | 08:46 | |
| KotCzarny | regarding gps fix, i've just tested on my n900, cellmo: on, wifi: off, method: gnss | 09:49 |
| KotCzarny | it took ~10 minutes, all sats are in 19-31dB range | 09:50 |
| KotCzarny | started with a few (1-3) now seeing 8 | 09:50 |
| KotCzarny | accuracy 40-140m | 09:51 |
| KotCzarny | stock fw | 09:51 |
| Vajb | but does it differ from place to place? | 10:16 |
| KotCzarny | that's a question for me? | 10:16 |
| Vajb | i mean are those satellites spread evenly on sky | 10:16 |
| Vajb | KotCzarny: for no one especially | 10:16 |
| Vajb | more of a rethoric q :) | 10:17 |
| KotCzarny | yeah, they should be all over the globe | 10:17 |
| KotCzarny | but in geostationary positions, ie. not moving tiny bit relative to earth | 10:18 |
| KotCzarny | what differs is visibility (clouds, buildings) and noise/interferences (e-m noise) | 10:19 |
| *** florian has joined #maemo | 10:22 | |
| bencoh | KotCzarny: not geostationary no | 10:27 |
| KotCzarny | no? | 10:32 |
| bencoh | nope | 10:34 |
| KotCzarny | fun | 10:35 |
| KotCzarny | how do they calculate their own position? | 10:35 |
| KotCzarny | or is it done from earth observatories? | 10:35 |
| bencoh | known/corrected from earth I suppose | 10:43 |
| bencoh | or adjusted according to star visibility/positions, or most likely both | 10:44 |
| KotCzarny | perfect way to confuse receivers in case of war | 10:44 |
| KotCzarny | :) | 10:44 |
| *** Kabouik has joined #maemo | 10:54 | |
| freemangordon | jonwil: the naming order of certificates matter | 11:00 |
| freemangordon | verisign cert used by supl is in the logs ^^^ | 11:01 |
| freemangordon | jonwil: 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61 | 11:01 |
| freemangordon | there are two of those, one with -1 appended to the name | 11:01 |
| freemangordon | and - you don;t need sats at all to get fix when using AGPS | 11:02 |
| jonwil | What I have found is that with the latest mozilla cert store, openssl returns X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN | 11:02 |
| freemangordon | :nod: | 11:02 |
| freemangordon | could you dump cert chain? | 11:03 |
| freemangordon | and pastebin it | 11:03 |
| freemangordon | openssl s_client has an option to dup cert chain and certs used | 11:03 |
| freemangordon | *dump | 11:03 |
| freemangordon | jonwil: ah, it seems ilew found the missing one | 11:04 |
| freemangordon | just add it back to cert store and we should be fine | 11:04 |
| jonwil | anyone know how to get GDB to print the address at which the binary you are debugging is actually loaded at? | 11:04 |
| *** Kabouik has quit IRC | 11:05 | |
| *** Kabouik_ has joined #maemo | 11:05 | |
| freemangordon | jonwil: info modules? | 11:05 |
| freemangordon | no, wait | 11:05 |
| freemangordon | it is "info something", but I cant remember that exactly | 11:06 |
| freemangordon | jonwil: try with "info shared" | 11:06 |
| jonwil | found it, "info files" gives me the address I need | 11:08 |
| freemangordon | ok | 11:08 |
| freemangordon | good to know | 11:08 |
| Maxdamantus | Presumably you could just look at /proc/*/maps | 11:08 |
| * Maxdamantus suspects `info files` pretty much does that. | 11:09 | |
| freemangordon | jonwil: however, may i have a cert chain dump? | 11:09 |
| jonwil | how do I get a cert chain dump? | 11:09 |
| freemangordon | jonwil: add "-showcerts" to openssl s_client command | 11:10 |
| jonwil | Will do that soon and see what I get on the N900 | 11:11 |
| jonwil | I ran nss tstclient.exe locally earlier (built NSS on my windows box) and the chain that I got from there was http://pastebin.com/RZ0z259R | 11:12 |
| jonwil | So that's what supl.nokia.com servers to tstclient.exe on my w7 box | 11:13 |
| jonwil | The last one in the chain implies that its signed with MD2 (very strange) | 11:13 |
| jonwil | I suspect whats going on is that one of the 3 VeriSign certs in the chain has been replaced with something newer that has the same public key and name and that somehow openssl (which is what location-proxy uses to do its SSL) is using the old version in the certificate chain rather than the newer version in the root CA store. | 11:17 |
| jonwil | Going to run the s_client test now | 11:17 |
| freemangordon | jonwil: yes, this is what happens | 11:17 |
| freemangordon | but, s_client test will pass on n900 | 11:17 |
| freemangordon | iirc | 11:18 |
| freemangordon | as openssl is smart enough to use the correct certificate | 11:18 |
| jonwil | http://pastebin.com/TeE3jF3m | 11:19 |
| jonwil | That;s the openssl certificate chain dump | 11:19 |
| freemangordon | mhm | 11:20 |
| freemangordon | but, cmcli will fail; | 11:20 |
| jonwil | I wonder if its poossible to use IDA to do remote debugging on a N900 via gdb or something | 11:21 |
| freemangordon | yes, but you need to set sysroot | 11:22 |
| freemangordon | which means to copy rootfs to a local dir on your pc | 11:22 |
| bencoh | and gdbserver on n900 I guess? | 11:22 |
| freemangordon | yes | 11:23 |
| freemangordon | jonwil: I guess you can use ScratchBox directories for that | 11:23 |
| jonwil | ok, so I established the IDA remote debugger doesn't run on the N900 so that's definitely out | 11:26 |
| freemangordon | hmm? | 11:26 |
| freemangordon | do you run gdbserver on n900? | 11:26 |
| jonwil | I dont think I have a gdbserver binary | 11:26 |
| jonwil | wait I do | 11:26 |
| freemangordon | well, no way then | 11:27 |
| jonwil | not sure how to run it though | 11:27 |
| freemangordon | install gdbserver, and run it with --attach parameter | 11:27 |
| jonwil | what do I pass for the parameters to --attach? | 11:27 |
| freemangordon | "gdbserver --attach $pid :1234" | 11:27 |
| freemangordon | 1234 is the port it listens on | 11:27 |
| freemangordon | change it as you wish | 11:28 |
| freemangordon | jonwil: also, if the process you want to debug is started via maemo-launcher, make sure to attach to the pid with larger id, from the bothe you have for the same binary | 11:29 |
| *** TriztAway is now known as Trizt | 11:31 | |
| jonwil | ok, well that didn't tell me much other than that openssl is returning that X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN | 11:38 |
| jonwil | i.e. it confirmed what I already knew about how the function worked | 11:39 |
| freemangordon | jonwil: which function? | 11:40 |
| jonwil | the function I was studying was sub_CF90 | 11:40 |
| freemangordon | which binary ? :) | 11:40 |
| jonwil | location-proxy | 11:40 |
| * freemangordon tries to find where his lication-proxy IDA db is | 11:41 | |
| jonwil | It looks like if SSL_get_verify_result returns non-zero, it prints the "host: %s not verified, result: %ld" error | 11:42 |
| jonwil | via g_log | 11:42 |
| freemangordon | yes, it returns 19 (self-signed cert) | 11:42 |
| jonwil | and it passes 2 as the first parameter to las_socket_open_response_ntf | 11:42 |
| freemangordon | it is visible in the syslog | 11:42 |
| jonwil | otherwise it skips that error and passes 0 for the parameter to las_socket_open_response_ntf | 11:42 |
| freemangordon | jonwil: I suspect it is SSL_connect that fails | 11:43 |
| freemangordon | "Socket to %s opened, fd=%d, verify_res=%ld" | 11:43 |
| jonwil | ok, so I am playing some more with the nss tools on Windows. | 11:44 |
| freemangordon | how's that going to help? | 11:44 |
| jonwil | which btw have the same set of root CAs built into them as my n900 | 11:44 |
| jonwil | I am playing more to see just what the chain looks like | 11:44 |
| jonwil | and how it validates | 11:44 |
| jonwil | using vftserv.exe from those tools I get 4 certificate files (cert.000, cert.001, cert.002, cert.003) which match the 4 certs in our chain | 11:45 |
| freemangordon | mhm | 11:45 |
| jonwil | If I then run vfychain.exe on those files and pass it just cert.000, it says the chain is bad | 11:45 |
| jonwil | If I pass it cert.000 and cert.001, it says "chain is good" | 11:45 |
| freemangordon | jonwil: did you pass -CApath to openssl s_client command? | 11:46 |
| jonwil | same if I pass it 000, 001, 002 | 11:46 |
| jonwil | yes I did pass -CApath | 11:46 |
| freemangordon | and it fails? | 11:46 |
| jonwil | Ok so we have 4 certificates in this chain | 11:46 |
| jonwil | supl.nokia.com | 11:46 |
| freemangordon | sorry | 11:46 |
| jonwil | Symantec Class 3 Secure Server CA - G4 | 11:46 |
| jonwil | VeriSign Class 3 Public Primary Certification Authority - G5 | 11:47 |
| jonwil | Class 3 Public Primary Certification Authority | 11:47 |
| jonwil | I think that there is a new version of the cert named "VeriSign Class 3 Public Primary Certification Authority - G5" in the current root CA store | 11:48 |
| freemangordon | yes, there is | 11:48 |
| freemangordon | it seems ssl tries to verify only against the first certificate in the store | 11:49 |
| freemangordon | and when it is the old one, it fails | 11:49 |
| jonwil | I think what's happening is that in the case of this particular chain OpenSSL will only verify the last CA in the chain. | 11:52 |
| jonwil | i.e. it sees the last cert in the chain (the one with issuer "OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US" and subject "OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US" | 11:54 |
| jonwil | then it says "do I have a match for that cert in my root CA store" | 11:54 |
| jonwil | since the answer is no, it says "it must be self signed then" and returns the error | 11:54 |
| freemangordon | but there is a match | 11:55 |
| freemangordon | ok, there is a cert | 11:55 |
| jonwil | there is no match for the last cert in the chain in the root CA store as of the latest Mozilla certificate set. | 11:55 |
| freemangordon | why it is removed? | 11:56 |
| freemangordon | or it has never been there | 11:57 |
| jonwil | ok, I am looking at maemo-security-certman now | 12:01 |
| freemangordon | jonwil: if we miss a certificate, how's that related to maemo-security-certman? | 12:03 |
| jonwil | maemo-security-certman contains the root CA store | 12:03 |
| jonwil | hence why its where I need to look | 12:03 |
| jonwil | ok, so I am looking at the last Nokia commit to this repo and I see 2 different certificates with the 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61 value | 12:07 |
| jonwil | They have identical values for most of the fields (including issuer and subject) | 12:09 |
| jonwil | The differences are a difference in the not-after date | 12:09 |
| jonwil | and a difference in the serial number | 12:10 |
| jonwil | and a difference in the signature | 12:10 |
| jonwil | One uses md2WithRSAEncryption | 12:10 |
| jonwil | the other uses sha1WithRSAEncryption | 12:10 |
| jonwil | The one named 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61.pem in this particular repo revision is the md2 version | 12:11 |
| jonwil | and the one named 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1.pem is the sha1 version | 12:11 |
| freemangordon | jonwil: you're reinventing the wheel :) https://github.com/community-ssu/maemo-security-certman/commit/2cbd96e89d7529e1ce25801824fb76f39b05b836 | 12:11 |
| jonwil | I know about that commit, I am just chasing up the entire history of the repo | 12:11 |
| freemangordon | jonwil: https://talk.maemo.org/showpost.php?p=1370304&postcount=122 | 12:12 |
| freemangordon | jonwil: it might be a bug in c_rehash actually | 12:13 |
| jonwil | there are 2 different issues here, the first has to do with the order in which certificates appear when there are multiple versions of the same cert | 12:14 |
| jonwil | That one is what the commit you linked to is aiming to fix | 12:14 |
| jonwil | or rather it fixed | 12:14 |
| freemangordon | :nod: | 12:14 |
| jonwil | The right fix is to properly fix maemo-security-certman so it orders them correctly | 12:14 |
| freemangordon | mhm | 12:15 |
| freemangordon | jonwil: so, we should add code on top of https://github.com/community-ssu/maemo-security-certman/commit/5b66292b9d705f9e9613490aafc074bfeef6a622 right? | 12:16 |
| freemangordon | jonwil: also, what means "orders them correctly" do we know the rule? | 12:16 |
| freemangordon | the newest should become last? or what? | 12:17 |
| jonwil | what I am trying to figure out now is how it determines whether to use the 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61.pem or the 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1.pem file | 12:19 |
| freemangordon | mhm | 12:19 |
| freemangordon | but isn't it ssl that makes the decision, not certman? | 12:20 |
| *** dafox has joined #maemo | 12:21 | |
| *** Pali has joined #maemo | 12:23 | |
| freemangordon | jonwil: do you have an idea *who* decides on which cert file to use? | 12:23 |
| jonwil | Either the code in maemosec_storage.cpp decides when it builds the file list or the file list contains both and therefore both get passed to SSL_CTX_set_cert_store from maemosec_certman_collect | 12:26 |
| jonwil | maemosec_certman_collect just returns the contents of the storage as set up by the code in maemosec_storage.cpp | 12:26 |
| freemangordon | jonwil: ok, it seems I am not very helpful with my question :). Will leave you digging in it as I have to run anyways | 12:29 |
| freemangordon | *questions | 12:29 |
| freemangordon | good luck, bbl | 12:29 |
| *** florian has quit IRC | 12:32 | |
| *** xorly has joined #maemo | 12:37 | |
| jonwil | Ok so as of now Mozilla doesn't ship either version of the 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61 certificate | 12:40 |
| Juesto | hmm | 12:50 |
| Juesto | too old? | 12:50 |
| *** florian has joined #maemo | 12:54 | |
| KotCzarny | jonwil: update cert package and let sicelo test it? | 12:58 |
| Juesto | tbh, some things should be pushed straight away | 13:02 |
| Juesto | like updated system certificates, etc | 13:02 |
| *** xorly has quit IRC | 13:08 | |
| Juesto | minor updates that are done so the OS is up to date | 13:14 |
| Juesto | things that do not affect stability | 13:14 |
| Juesto | or usability | 13:14 |
| *** mp107 has joined #maemo | 13:28 | |
| Sicelo | Juesto: certs do affect stability though :-) | 13:31 |
| Juesto | oh really? | 13:32 |
| Sicelo | or usabiltiy then | 13:33 |
| Juesto | nah | 13:33 |
| Juesto | by usability i mean user experience | 13:33 |
| Sicelo | it wasn't nice to need Maps, and have to wait 10 mins for GNSS fix, as A-GNSS was broken by 'new' certs | 13:34 |
| Juesto | Oh :/ | 13:34 |
| Juesto | well something like a timezone update | 13:34 |
| Juesto | isnt a big deal either | 13:34 |
| Juesto | but i guess certificates is a breaker | 13:34 |
| Juesto | sorry to hear | 13:35 |
| Sicelo | maemo's devs are doing super good job though :-) | 13:36 |
| Juesto | heh | 13:38 |
| KotCzarny | you can be a dev too! | 13:39 |
| Juesto | who knows | 13:39 |
| Juesto | Depends on your talent/skill | 13:39 |
| Sicelo | my skills is talking too much :p | 13:40 |
| Juesto | you would serve well for reporting then | 13:40 |
| Juesto | hehe | 13:40 |
| KotCzarny | yeah, maemo needs more testers | 13:49 |
| *** Michael_a320 has quit IRC | 13:50 | |
| Juesto | i wish i have a n900 | 13:55 |
| Juesto | really | 13:55 |
| Sicelo | buy usb broken one (that has not been fixed before) | 13:58 |
| Sicelo | then fix yourself | 13:59 |
| Juesto | hmm, perhaps i'll just take from oksana :) | 14:01 |
| Juesto | (yes she lets me) | 14:01 |
| Juesto | AFAIK | 14:01 |
| *** mp107 has quit IRC | 14:45 | |
| *** mp107 has joined #maemo | 14:45 | |
| *** florian has quit IRC | 14:49 | |
| *** xorly has joined #maemo | 14:49 | |
| *** florian has joined #maemo | 15:06 | |
| *** florian has quit IRC | 15:15 | |
| freemangordon | well, the package that broke certs in is cssu-dev, so everything is as it should be - we devs screw something in unstable repo, users test and report, we fix it | 15:27 |
| freemangordon | jonwil: if neither certs are in mozilla store, then we should add it by hand | 15:28 |
| freemangordon | I see no other option | 15:28 |
| freemangordon | maybe we should not use mozilla, but debian | 15:29 |
| KotCzarny | fmg: or make a script that will repackage what's needed | 15:32 |
| freemangordon | mhm | 15:32 |
| KotCzarny | i would trust mozilla more than debian to be honest too | 15:33 |
| freemangordon | KotCzarny: hmm, actually all the certs I have on my Ubuntu are from mozilla :) | 15:34 |
| freemangordon | so yeah, mozilla it is | 15:36 |
| Juesto | hehe | 15:39 |
| *** pagurus has quit IRC | 16:11 | |
| jonwil | I am testing a fix now | 16:40 |
| jonwil | involving a 2-byte patch to location-proxy and installing the certificate into a separate private certificate store. | 16:40 |
| jonwil | the fix works :) | 16:41 |
| jonwil | http://talk.maemo.org/showthread.php?p=1522859&highlight=00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61#post1522859 | 16:44 |
| freemangordon | jonwil: I am not sure I like the idea of binary patching the location proxy | 16:48 |
| jonwil | we binary patch libsms.so for the cell broadcast stuff already | 16:48 |
| jonwil | thats in CSSU | 16:48 |
| *** dafox has quit IRC | 16:48 | |
| freemangordon | that doesn;t mean I like it :). however, see: | 16:48 |
| freemangordon | what about including those 2 certs until I RE location-proxy. anyway I will do it sooner or later, because of the fremantle porting. it is some 30k binary I guess I'll need a month or less to finish | 16:49 |
| freemangordon | those 2 certs been there forever a month more will not do that much harm | 16:50 |
| freemangordon | if any | 16:50 |
| freemangordon | jonwil: ^^^? | 16:51 |
| jonwil | except the whole point of keeping the root CA store up to date is to not ship insecure broken certs using insecure broken cryptography | 16:51 |
| freemangordon | how's that related? | 16:51 |
| freemangordon | that we'll use those 2 presumably broken certs for a month or so? | 16:52 |
| freemangordon | jonwil: also, I don;t get it why lokation-proxy fails while openssl does not | 16:53 |
| freemangordon | *location-proxy | 16:53 |
| freemangordon | what is this special thing it does that makes it fail? | 16:54 |
| freemangordon | jonwil: any idea? ^^^ | 16:55 |
| jonwil | no idea | 16:55 |
| freemangordon | because this is the actual problem imo. I tested openssl tu supl.nokia.com on my Ubuntu and there is no problem | 16:56 |
| freemangordon | *to | 16:56 |
| *** M4rtinK has joined #maemo | 16:56 | |
| *** florian has joined #maemo | 16:58 | |
| jonwil | The reason openssl works is because at some point you had the relavent root CA (the old insecure one) in your CA store but now you dont anymore.. Its no longer in /etc/secure/s/certman.common-ca and wont be used by anything that uses libmaemosec-certman0 to get certificates (including NSS and location-proxy) but will still be found by openssl when you pass -CApath in the verify command | 17:15 |
| jonwil | since openssl doesn't read certman.common-ca, it just uses whatever is in the passed in capath | 17:16 |
| freemangordon | jonwil: read it again - it doesn't fail *on my Ubuntu* | 17:16 |
| jonwil | Your ubuntu must also be shippnig the cert | 17:17 |
| jonwil | for some reason | 17:17 |
| freemangordon | it ships the mozilla stuff | 17:17 |
| jonwil | what does the certificate chain look like on your ubuntu install? | 17:17 |
| freemangordon | just a second | 17:17 |
| jonwil | and what openssl version is it? | 17:17 |
| jonwil | Its possible that you have a newer version of something somewhere that properly says "hey, dont use this old root CA in the certificate chain, use the newer correct replacement in the root CA store" | 17:18 |
| freemangordon | jonwil: well, lets identify it and port it to maemo then | 17:20 |
| freemangordon | jonwil: http://pastebin.com/EZcxfFjp | 17:20 |
| jonwil | What's the contents of /etc/ssl/certs/? | 17:21 |
| freemangordon | it is huge | 17:22 |
| freemangordon | lots of files there | 17:22 |
| freemangordon | do you want me to pastebin it? | 17:22 |
| jonwil | yes please do | 17:22 |
| freemangordon | ok | 17:22 |
| freemangordon | jonwil: http://pastebin.com/b3WHxKk3 | 17:24 |
| *** cyphase has quit IRC | 17:25 | |
| jonwil | Can you pastebin Verisign_Class_3_Public_Primary_Certification_Authority.pem? | 17:26 |
| jonwil | I bet it (or Verisign_Class_3_Public_Primary_Certification_Authority_2.pem) will be the certificate from the chain | 17:26 |
| jonwil | the self-signed one | 17:26 |
| freemangordon | it is a link to /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt so I'll pastebin the .crt file | 17:27 |
| jonwil | ok | 17:27 |
| freemangordon | jonwil: http://pastebin.com/acjQ3EgK | 17:27 |
| jonwil | yep, just as I suspected, its exctly the root CA in question | 17:28 |
| jonwil | the one with the outdated crypto | 17:28 |
| jonwil | the one in the chain from supl.nokia.com\ | 17:29 |
| jonwil | and no I dont know why its on your Ubuntu system in that place | 17:29 |
| jonwil | you would have to ask the maintainer of whatever package claims ownership of the relavent files... | 17:29 |
| freemangordon | well, if it is good enough for my Ubuntu, it is good enough for my Maemo as well :) | 17:29 |
| freemangordon | I don;t really see what is the problem with that certificate, besides weak hash | 17:30 |
| *** cyphase has joined #maemo | 17:30 | |
| freemangordon | Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> :) | 17:31 |
| jonwil | Its the fact that its using a very weak 1024 bit RSA key, something that all the browser vendors and other sane people have stopped shipping for ages now | 17:31 |
| freemangordon | 1024 bit RSA is weak? O.o | 17:32 |
| freemangordon | jonwil: who told you that? | 17:32 |
| *** louisdk has joined #maemo | 17:35 | |
| KotCzarny | https://supportforums.cisco.com/discussion/11320131/https-ssl-certificate-signed-using-weak-hashing-algorithm | 17:36 |
| jonwil | The CAB forum (which sets rules that CAs need to follow if they want to be in the major browsers) has declared that all CAs must use RSA keys of at least 2048 bits if they want to remain in the browsers | 17:37 |
| jonwil | And there was a big effort to get all the old certificates retired | 17:37 |
| jonwil | including the VeriSign one at the heart of this discussion | 17:37 |
| KotCzarny | fmg, see the description there and it has more reading too if you want to pursue further details | 17:37 |
| jonwil | That discussion means nothing in the context of this discussion | 17:38 |
| KotCzarny | it describes why weak hashing algos are bad | 17:38 |
| jonwil | There is nothing wrong with the hashing algorithm of the certificate in question since its a root CA | 17:38 |
| *** agomez{M} has quit IRC | 17:38 | |
| KotCzarny | and why it's bad to have such CAs | 17:38 |
| freemangordon | see, as part of my job I am dealing with PCI-DSS stuff on a regular basis, so I have a clue | 17:38 |
| jonwil | in this case we are interested in why 1024-bit RSA is bad | 17:39 |
| freemangordon | yes, exactly | 17:39 |
| *** platicus has quit IRC | 17:39 | |
| jonwil | and why shipping a cert in the root CA store that has a 1024 bit public key is bad | 17:39 |
| freemangordon | jonwil: but, this is when it omes to new certificates | 17:39 |
| jonwil | If all the major CAs AND all the major browser vendors all say that a 1024 bit RSA key is too weak, I am inclined to trust them | 17:39 |
| freemangordon | *comes | 17:39 |
| jonwil | All of them got rid of 1024 bit certificates | 17:39 |
| jonwil | and no 1024 bit certificates (old, new or otherwise) will be treated as trusted by any of the major browsers in whatever version it is | 17:40 |
| freemangordon | jonwil: ever thought that it is all about the money? | 17:40 |
| freemangordon | there is no evidence so far that 1024 bit RSA was ever broken | 17:41 |
| KotCzarny | ..yet | 17:41 |
| freemangordon | yes, yet | 17:41 |
| freemangordon | jonwil: and I bet all the stable releases of all the major distribution have the certificate in question included | 17:42 |
| freemangordon | *distributions | 17:43 |
| freemangordon | so, lets not overengineer Maemo and let simply include that(those) certificate(s) | 17:43 |
| DocScrutinizer05 | NSA will crack them easily ;-) | 17:46 |
| freemangordon | from the CAs POV it looks like - dammit, we've issued root certs that expire in more than 10 years from now...hmm...how to fill the budget for the next couple of years? aah, BINGO, lets tell them that all the 1024 bit certs have to be replaced because in a couple of years quantum computers most probably will be powerful enough to factor 1024bit RSA. | 17:46 |
| KotCzarny | :) | 17:47 |
| DocScrutinizer05 | or that, yes | 17:47 |
| KotCzarny | fmg, what if they are crackable by invering in big farm? | 17:47 |
| freemangordon | DocScrutinizer05: I doubt breaking RSA can be kept secret for long | 17:47 |
| freemangordon | KotCzarny: no way | 17:47 |
| KotCzarny | in similar way there are 'sploits running on black market | 17:48 |
| KotCzarny | so maybe there is such black farm or more than one? | 17:48 |
| freemangordon | KotCzarny: afaik, anything > 512 is not feasible | 17:48 |
| *** agomez{M} has joined #maemo | 17:48 | |
| freemangordon | or maybe anything > 768 | 17:48 |
| DocScrutinizer05 | 1024 sounds *very* long, didn't they crack 56bit or sth, with distributed computing, in years? | 17:49 |
| freemangordon | you know, exponential | 17:49 |
| DocScrutinizer05 | yeah | 17:50 |
| jonwil | Even the long term stable versions of browsers like firefox have removed the 1024 bit certificates. | 17:50 |
| DocScrutinizer05 | but how do *we* care about that? | 17:50 |
| DocScrutinizer05 | for supl | 17:51 |
| freemangordon | DocScrutinizer05: the same certs are used | 17:51 |
| freemangordon | for supl and www | 17:51 |
| DocScrutinizer05 | yes, and aiui Nokia didn't update their supl cert | 17:51 |
| jonwil | my point is that there IS a way to store the certificate so that it can be used by location-proxy but not by anything else | 17:51 |
| *** platicus has joined #maemo | 17:51 | |
| DocScrutinizer05 | so should we, simply don't touch it | 17:51 |
| freemangordon | jonwil: doesn;t make sense, that cert anyway expires in 3 months | 17:52 |
| DocScrutinizer05 | how900: makes sense | 17:52 |
| DocScrutinizer05 | haha, ok then not | 17:52 |
| DocScrutinizer05 | damn, jonwil^^^ - sorry how900 | 17:53 |
| DocScrutinizer05 | let's take bets what gonna gappen to Nokia SUPL in 3 months? | 17:54 |
| DocScrutinizer05 | happen* | 17:54 |
| KotCzarny | o.o | 17:54 |
| *** Eezer has joined #maemo | 17:54 | |
| freemangordon | Not After : May 15 23:59:59 2017 GMT | 17:54 |
| freemangordon | :) | 17:54 |
| DocScrutinizer05 | you rather find a way to convince proxy(?) to use an expired cert | 17:54 |
| KotCzarny | oh so much less traffic | 17:54 |
| freemangordon | thay'll fix it, all symbian devices depend on that as well | 17:55 |
| KotCzarny | winwin | 17:55 |
| DocScrutinizer05 | ooh | 17:55 |
| DocScrutinizer05 | I don't know | 17:55 |
| KotCzarny | but how would they redistribute it? | 17:55 |
| freemangordon | KotCzarny: distribute?!? | 17:55 |
| freemangordon | this is server cert | 17:55 |
| DocScrutinizer05 | they might not be interested in sybian anymore | 17:55 |
| KotCzarny | arent ca certs part of os? | 17:56 |
| freemangordon | only root ones | 17:56 |
| DocScrutinizer05 | and maybe symbian doest't care about cert expiry? | 17:56 |
| freemangordon | no way | 17:56 |
| freemangordon | they were in the same shit as maemo when the old cert expired | 17:56 |
| freemangordon | the current one is "Not Before: Feb 18 00:00:00 2016 GMT" | 17:57 |
| jonwil | The root problem is that supl.nokia.com sends an obsolete VeriSign root certificate as part of its certificate chain | 17:57 |
| jonwil | why they send that obsolete certificate I haven't a clue | 17:57 |
| freemangordon | jonwil: could you find the mozilla bug for removing that certificate? | 17:57 |
| KotCzarny | fmg, that would be probably part of the remove 1024 certs | 17:58 |
| jonwil | https://bugzilla.mozilla.org/show_bug.cgi?id=986005 is the bug where the root certificate in question was removed | 17:59 |
| povbot | Bug 986005: was not found. | 17:59 |
| jonwil | or where the decision to remove it was made anyway | 17:59 |
| jonwil | it ultimately got removed in https://bugzilla.mozilla.org/show_bug.cgi?id=1021967 | 17:59 |
| povbot | Bug 1021967: was not found. | 17:59 |
| *** Eezer has quit IRC | 18:01 | |
| DocScrutinizer05 | ((<jonwil> why they send that obsolete certificate I haven't a clue)) you _really_ need to guess on _why_ here? | 18:01 |
| DocScrutinizer05 | simply same reason why maemo keys expired and thus locked nokia out to update them | 18:02 |
| DocScrutinizer05 | nokia NEVER got cert stuff right | 18:02 |
| freemangordon | because they use some symantec intermediate which has that verisign cert in its chain | 18:02 |
| freemangordon | anyway, IMO we should just include those 2 until 15th of May comes and see what certificate, if any will be used after | 18:04 |
| DocScrutinizer05 | exactly | 18:04 |
| freemangordon | in the meanwhile I will be hopefully ready with location-proxy RE, so we'll be able to use whatever cert store needed, without compromising the browser security | 18:05 |
| freemangordon | jonwil: ^^^ | 18:05 |
| freemangordon | what do you think | 18:05 |
| DocScrutinizer05 | or we use jonwil's 2byte patch until you're ready then ;-) | 18:06 |
| DocScrutinizer05 | in 3 months | 18:06 |
| freemangordon | this is too hackish to my taste | 18:06 |
| DocScrutinizer05 | oh, I love that when we have no source | 18:07 |
| DocScrutinizer05 | did it in mce and it vanished a 4 times now | 18:07 |
| *** at1as has joined #maemo | 18:07 | |
| bencoh | REed location-proxy would be great anyway | 18:10 |
| jonwil | I think I see whats going on | 18:16 |
| jonwil | We have the certificate for supl.nokia.com | 18:17 |
| jonwil | the parent of that is the Symantec Trust Network certificate | 18:17 |
| freemangordon | yes | 18:18 |
| jonwil | then there exist 2 possible parents for that one | 18:18 |
| freemangordon | and it is signed by verisugn cert | 18:18 |
| jonwil | The first one is what is in the current Mozilla cert set | 18:18 |
| jonwil | That first one is itself a root CA | 18:18 |
| jonwil | and trusted by Mozilla at this point | 18:19 |
| jonwil | The second parent for the Symantec cert has identical keys and things but is NOT a root CA | 18:19 |
| DocScrutinizer05 | oh? | 18:19 |
| jonwil | Its the third certificate in the chain that supl.nokia.com returns | 18:20 |
| jonwil | That one chains up to the old "Class 3 Public Primary Certification Authority" | 18:20 |
| *** clopez has quit IRC | 18:21 | |
| jonwil | My guess is that there are devices out there talking to supl.nokia.com that were shipped with the "Class 3 Public Primary Certification Authority" (issued 1996) in their root CA stores but NOT the newer issued-2006 "VeriSign Class 3 Public Primary Certification Authority - G5" root certificate | 18:22 |
| jonwil | So Nokia has to make supl.nokia.com return a certificate chain that those old devices will trust | 18:22 |
| DocScrutinizer05 | of course, yes. sounds 100% plausible to me | 18:22 |
| freemangordon | makes sense | 18:22 |
| jonwil | which means it needs the special "VeriSign Class 3 Public Primary Certification Authority - G5" certificate that isn't a root certificate itself | 18:22 |
| KotCzarny | i wonder why bother with ssl at that point | 18:23 |
| DocScrutinizer05 | in the end it's the maintainer of the cert cache who decides what's a trusted root cert | 18:24 |
| jonwil | The fact that both "VeriSign Class 3 Public Primary Certification Authority - G5" certificates (the one that chains up to the older root CA and the one that itself is a root CA) have identical start dates supports this hypothesis | 18:24 |
| *** clopez has joined #maemo | 18:24 | |
| freemangordon | jonwil: what will happen if we leave only the new cert in the store? | 18:24 |
| freemangordon | aren't both old and new 1024 bit? | 18:25 |
| jonwil | nope | 18:25 |
| freemangordon | ah | 18:25 |
| DocScrutinizer05 | the new isn't used by the old SUPL? | 18:25 |
| jonwil | We have a certificate for supl.nokia.com with a 2048 bit key | 18:25 |
| jonwil | We have the | 18:25 |
| jonwil | the Symantec Trust Network cert with a 2048 bit key | 18:26 |
| freemangordon | so we should remove 1024bit simatec? | 18:26 |
| freemangordon | *symantec | 18:26 |
| freemangordon | or, what shall be done? | 18:26 |
| jonwil | We have both versions of the VeriSign Class 3 Public Primary Certification Authority - G5 cert with an identical 2048 bit key | 18:26 |
| jonwil | Then we have the Class 3 Public Primary Certification Authority with the 1024 bit key | 18:26 |
| jonwil | The certificates currently in maemo-security-certman repo are all fine | 18:27 |
| jonwil | Its what we should be shipping at this point | 18:27 |
| freemangordon | maybe we should just reorder them, so the stronger cert to be used? | 18:27 |
| freemangordon | the same what I did before? | 18:28 |
| jonwil | no | 18:28 |
| freemangordon | I am lost :) | 18:28 |
| DocScrutinizer05 | "we have" isn't relevant. cert-c has a attached crypto-signature by owner of cert-B. Cert-B then has a signature made by cert-ALPA. And Cert-ALPHA has no / selfsigned signature and is in cert store of browsers as trusted root cert | 18:28 |
| jonwil | yeah | 18:28 |
| jonwil | The one you re-ordered before was the "Class 3 Public Primary Certification Authority" and neither version of that cert exists anymore in Mozilla trust store or any VeriSign "these are the root certificates we want people to actually ship" official list | 18:29 |
| freemangordon | ah, I see | 18:29 |
| jonwil | i.e. VeriSign has said "do not ship that cert going forward" | 18:29 |
| DocScrutinizer05 | the links are bottom-up by the attached signatures which point to the parent cert | 18:29 |
| jonwil | Hence my suggestion to put that one cert that we need into the private certificate store just for location-proxy | 18:30 |
| jonwil | actually, I just thought of a possible fix that doesn't involve patching location-proxy | 18:30 |
| jonwil | Let me try something | 18:30 |
| DocScrutinizer05 | I never heard how a cert could have two parent certs though of course it's logically possible | 18:30 |
| freemangordon | env var? | 18:30 |
| jonwil | no | 18:31 |
| DocScrutinizer05 | why don't we simply trust the SUPL cert itself, so we don't need to care about any friggin broken parent/root certs? | 18:32 |
| freemangordon | jonwil: maemosec_certman_collect("location-proxy", 1, my_cert_store); ? | 18:33 |
| jonwil | yeah thats it | 18:33 |
| jonwil | The patch was to change the 1 into an 0 | 18:33 |
| bencoh | 18:32 < DocScrutinizer05> why don't we simply trust the SUPL cert itself, so we don't need to care about any friggin broken parent/root certs? | 18:33 |
| jonwil | but I found a way to avoid the need to do that | 18:33 |
| bencoh | +1 | 18:33 |
| *** platicus has quit IRC | 18:33 | |
| bencoh | still need to make sure trusting this cert doesn't mean trusting every cert signed by it | 18:33 |
| *** agomez{M} has quit IRC | 18:34 | |
| freemangordon | bencoh: supl cert cannot be used for signing anyways | 18:34 |
| bencoh | why? | 18:34 |
| freemangordon | because it cannot, it is neither root nor ntermediate | 18:34 |
| bencoh | huh? | 18:34 |
| jonwil | From what I have seen in the openssl source code it will only look in the trust store when it finds a self-signed cert at the end of the chain (in which case it looks for an exact match) or when it finds a certificate where the issuer is not in the chain (in which case it looks for that issuer in the root CA store) | 18:35 |
| KotCzarny | what if they (or mitm) start sending something else? | 18:35 |
| jonwil | i.e. if we added the cert for supl.nokia.com to the root CA store, openssl will never even see it | 18:35 |
| jonwil | It will see that the first certificate in the chain has a parent that is also in the chain and never check the supl.nokia.com cert against the root CA store | 18:36 |
| DocScrutinizer05 | bencoh: aiui cert have certain pirposes what they can be used for, you can set this while creating them | 18:36 |
| jonwil | And yes the cert for supl.nokia.com doesn't have the flags set to allow it to be used to sign other certs | 18:37 |
| jonwil | anyhow, let me try the idea I have for loading the root cert in a way location-proxy can use it but other things cant | 18:37 |
| bencoh | DocScrutinizer05: the fact is I dont remember doing anything special when generating (custom) CAs, but maybe | 18:37 |
| jonwil | and if that works we can ship that in another maemosec-certman-common-ca update and not need to patch lication-proxy at all | 18:38 |
| jonwil | location-proxy | 18:38 |
| *** dafox has joined #maemo | 18:38 | |
| freemangordon | bencoh: http://pastebin.com/HrmRetbm | 18:38 |
| jonwil | not need to patch it nor need to do anything special when updating the regular root CA store from the mozilla cert store | 18:39 |
| freemangordon | bencoh: " Â TLS Web Server Authentication, TLS Web Client Authentication" | 18:39 |
| *** geaaru has quit IRC | 18:40 | |
| *** agomez{M} has joined #maemo | 18:41 | |
| DocScrutinizer05 | ((supl cert cannot be used for signing)) that's a good thing then and we should simply set dupl cert to "trsuted" in cert store | 18:41 |
| jonwil | no need for messing with that | 18:41 |
| jonwil | The fix I have requires no patching to location-proxy | 18:42 |
| *** platicus has joined #maemo | 18:42 | |
| DocScrutinizer05 | that's not messing, that's the simplest approach for a cert that expires in 3 months | 18:42 |
| jonwil | All that is needed (assuming my test works) is to put the missing root cert (the insecure one) into maemosec-certman-common-ca in the right place so location-proxy will find it | 18:42 |
| freemangordon | mhm | 18:43 |
| DocScrutinizer05 | yes, obviously | 18:43 |
| freemangordon | in location-proxy domain | 18:43 |
| jonwil | Its an easy job and assuming my test works I will do that myself | 18:43 |
| jonwil | yes location-proxy domain | 18:43 |
| KotCzarny | do it, test it, yay for teamwork! | 18:43 |
| bencoh | freemangordon: oh, okay | 18:45 |
| jonwil | Time to reboot my phone for the billionth time today :) | 18:46 |
| freemangordon | reboot? why? | 18:47 |
| jonwil | to get the right location-proxy binary loaded and running :) | 18:47 |
| freemangordon | ah | 18:47 |
| freemangordon | :) | 18:47 |
| sixwheeledbeast | I have no idea about certs but is it definitely the cert at fault? as per Pali's post on TMO. | 18:53 |
| sixwheeledbeast | http://talk.maemo.org/showpost.php?p=1522878&postcount=242 | 18:56 |
| *** at1as has quit IRC | 18:56 | |
| freemangordon | jonwil: iiuc, we just need /etc/certs/location-proxy with the certs in there and /etc/secure/location-proxy with the hashes, right? | 18:58 |
| jonwil | yeah I am updating maemo-security-certman now | 18:59 |
| jonwil | with the right bits | 18:59 |
| freemangordon | cool | 18:59 |
| freemangordon | did it work? | 18:59 |
| jonwil | building new packages now | 19:01 |
| jonwil | then I will test it on my phone | 19:01 |
| freemangordon | ok | 19:01 |
| *** at1as has joined #maemo | 19:01 | |
| jonwil | unpacking new package on my phone then I test it | 19:05 |
| *** Vajb_ has joined #maemo | 19:05 | |
| *** Vajb has quit IRC | 19:05 | |
| *** at1as has quit IRC | 19:06 | |
| jonwil | helps if I update the correct debian packaging so it will pull the right files in | 19:08 |
| *** Oksanaa has joined #maemo | 19:10 | |
| Oksanaa | Strongly recommend https://github.com/Unode/firefox_decrypt for recovering forgotten passwords from MicroB. Unless there is a better one somewhere? | 19:11 |
| Oksanaa | Works with python2.7 ^ | 19:11 |
| *** louisdk has quit IRC | 19:15 | |
| Juesto | Password manager? | 19:17 |
| Juesto | interesting | 19:17 |
| jonwil | The fix is up | 19:17 |
| jonwil | The latest maemo-security-certman contains all the right bits | 19:17 |
| jonwil | as of 0.2.9 supl will work 100% with supl.nokia.com | 19:18 |
| jonwil | Someone should probably stick 0.2.9 into the appropriate repos | 19:19 |
| jonwil | so everyone can get it | 19:19 |
| jonwil | I would do it but I dont think its a good idea to try and upload packages to repos when its 3:30am in the morning and you need to spend ages remembering how the hell you put packages in the repos :) | 19:21 |
| Oksanaa | :) | 19:21 |
| KotCzarny | sicelo: ^^^ | 19:22 |
| KotCzarny | jonwil: that's what scripts are for | 19:22 |
| jonwil | :) | 19:22 |
| KotCzarny | and always were, even in middle ages | 19:23 |
| KotCzarny | i wouldnt remember how to upload to extras if i didnt made the scripts | 19:23 |
| *** platicus has quit IRC | 19:23 | |
| Oksanaa | make* | 19:23 |
| KotCzarny | :) | 19:23 |
| *** agomez{M} has quit IRC | 19:24 | |
| *** Oksanaa has left #maemo | 19:24 | |
| KotCzarny | to be completely correct it should be: haven't made | 19:24 |
| freemangordon | jonwil: I will do it either later today or tomorrow | 19:24 |
| jonwil | nice :) | 19:24 |
| freemangordon | oh, you fixed changelog as well, great | 19:25 |
| jonwil | anyhow, its a nice elegant fix in the end (thanks to Nokia already using the location-proxy domain for certman) | 19:26 |
| freemangordon | :nod: | 19:27 |
| freemangordon | way better than patching the binary | 19:27 |
| *** mp107 has quit IRC | 19:28 | |
| jonwil | yeah I miss-understood what the code was doing | 19:29 |
| jonwil | but then I figured it out | 19:29 |
| *** louisdk has joined #maemo | 19:31 | |
| jonwil | Now that we fixed this there is no reason for a location-proxy clone | 19:31 |
| jonwil | We dont need one for Neo900 or other platforms either | 19:31 |
| freemangordon | we need, for x86-64 | 19:32 |
| freemangordon | but there is no hurry | 19:32 |
| *** platicus has joined #maemo | 19:32 | |
| jonwil | no we dont, its only ever useful for a device with the N900 GPS chip | 19:32 |
| jonwil | it makes direct calls to liblas (low level interface to n900 bb5 gps chip) | 19:32 |
| freemangordon | not sure, n900 supports BT GPS as well | 19:33 |
| jonwil | for x86 or other platforms we just need to replace/clone/substitute liblocation | 19:33 |
| freemangordon | ah, ok | 19:33 |
| jonwil | n900 BT GPS doesn't do supl | 19:33 |
| freemangordon | yep, right | 19:33 |
| *** agomez{M} has joined #maemo | 19:33 | |
| jonwil | with the fix in place I can get <50m accuracy even with the N900 sitting on my desk in my apartment | 19:36 |
| jonwil | and picking up 10 or more sats with many in use | 19:36 |
| jonwil | and maps locks on no problems | 19:37 |
| jonwil | now maps is useful again :) | 19:37 |
| KotCzarny | yay? | 19:38 |
| KotCzarny | i should update to cssu one day | 19:38 |
| jonwil | ok, its nearly 4am here and I should probably get some zzz :) | 19:41 |
| jonwil | later :) | 19:41 |
| *** jonwil has quit IRC | 19:41 | |
| Juesto | great | 19:44 |
| Juesto | x86 first freemangordon | 19:45 |
| *** agomez{M} has quit IRC | 20:04 | |
| *** platicus has quit IRC | 20:04 | |
| DocScrutinizer05 | ((We dont need one [location-proxy] for Neo900 or other platforms either)) good call. need quite some discussion in devel peergrpup | 20:04 |
| DocScrutinizer05 | oh, seems you covered it comprehensively | 20:05 |
| *** agomez{M} has joined #maemo | 20:13 | |
| *** platicus has joined #maemo | 20:15 | |
| *** platicus has quit IRC | 20:44 | |
| *** agomez{M} has quit IRC | 20:44 | |
| *** agomez{M} has joined #maemo | 20:54 | |
| *** platicus has joined #maemo | 20:54 | |
| *** at1as has joined #maemo | 21:04 | |
| Sicelo | let's take bets what gonna gappen to Nokia SUPL in 3 months? <<<< FMG is right. they will most likely fix it .. they always have .. it's not 1st time that it 'expires' /// < KotCzarny> i wonder why bother with ssl at that point <<< because the protocol (or clients) require it? /// | 21:15 |
| Sicelo | i'll test 0.2.9 shortly :) | 21:15 |
| *** at1as has quit IRC | 21:16 | |
| Sicelo | Oksana: MicroB supports the 'address' *chrome://passwordmgr/content/passwordManager.xul* | 21:18 |
| Sicelo | so no need for any script | 21:18 |
| bencoh | ooh, good to know | 21:20 |
| Sicelo | :-) | 21:22 |
| Sicelo | of course it also means someone can steal your passwords too | 21:23 |
| bencoh | indeed | 21:23 |
| *** platicus has quit IRC | 21:24 | |
| Sicelo | but even on my pc, the same thing applies .. | 21:24 |
| *** agomez{M} has quit IRC | 21:24 | |
| bencoh | unless you use a master password | 21:26 |
| Sicelo | ah yes | 21:26 |
| *** platicus has joined #maemo | 21:35 | |
| *** agomez{M} has joined #maemo | 21:35 | |
| Sicelo | jonwil didn't share 0.2.9 yet, did he? | 21:46 |
| KotCzarny | he have said something about being late and not thinking straight | 21:47 |
| KotCzarny | *has | 21:47 |
| Sicelo | cool .. i'm in no rush .. 0.2.3 doing the job good enough for present needs | 21:47 |
| *** xorly has quit IRC | 21:50 | |
| *** xorly has joined #maemo | 21:58 | |
| *** eMHa__ has quit IRC | 21:58 | |
| *** agomez{M} has quit IRC | 22:01 | |
| *** platicus has quit IRC | 22:02 | |
| *** dafox has quit IRC | 22:08 | |
| DocScrutinizer05 | Sicelo: you're aware Nokia basically is no more? | 22:12 |
| *** platicus has joined #maemo | 22:12 | |
| *** spiiroin has quit IRC | 22:13 | |
| *** agomez{M} has joined #maemo | 22:14 | |
| DocScrutinizer05 | so >>they will most likely fix it .. they always have ..<< doesn't exactly sound right | 22:14 |
| DocScrutinizer05 | particularly second half is incorrect | 22:14 |
| DocScrutinizer05 | Nokia failed apically to update the repo keys while they still could, and they failed to make use of alternative ways/keys the community (Pali iirc) found for them, to fix the issue after it's been too late for 'normal' fix | 22:16 |
| Pali | yes, they failed to resign nokia ssu apt repos with /correct/ pgp key | 22:17 |
| DocScrutinizer05 | so no, absolutely not >>they always have ..<< | 22:17 |
| Pali | even they got instructions how... | 22:17 |
| DocScrutinizer05 | they even are notorious for their simple HTTPS certs expiring before they bother about renewal | 22:19 |
| Sicelo | when did those expired? | 22:20 |
| Sicelo | but yes, it's not first time the supl cert expires (as FMG also noted) ... of course i can't know for sure if they will fix it this time (hence "most likely"), nor can anyone say for sure that they won't | 22:21 |
| Sicelo | maybe jonwil will have to hack liblocation-proxy after all .. or FMG RE's it .. then we can possibly use supl.google.com (which for some reason doesn't work so well for N900) | 22:23 |
| Sicelo | s/have to/could eventually/ | 22:24 |
| infobot | Sicelo meant: maybe jonwil will could eventually hack liblocation-proxy after all .. or FMG RE's it .. then we can possibly use supl.google.com (which for some reason doesn't work so well for N900) | 22:24 |
| DocScrutinizer05 | any citation for any of that? | 22:24 |
| Sicelo | citation for? | 22:24 |
| DocScrutinizer05 | any of that | 22:25 |
| DocScrutinizer05 | [2017-02-05 Sun 18:26:46] <jonwil> anyhow, its a nice elegant fix in the end (thanks to Nokia already using the location-proxy domain for certman) Now that we fixed this there is no reason for a location-proxy clone | 22:26 |
| Sicelo | heh ... aren't we talking about what *might* happen when the cert finally expires? | 22:26 |
| *** spiiroin has joined #maemo | 22:26 | |
| bencoh | apart from reducing the number of blobs in the porting process | 22:27 |
| DocScrutinizer05 | [2017-02-05 Sun 18:31:51] <jonwil> We dont need one for Neo900 or other platforms either | 22:27 |
| Sicelo | ... yes .. but the cert expires in May .. there won't be a Neo900 then | 22:28 |
| DocScrutinizer05 | how's that related? | 22:28 |
| * Sicelo doesn't get what DocScrutinizer05 is on about | 22:28 | |
| DocScrutinizer05 | did you get what jonwil said? | 22:28 |
| Sicelo | yes | 22:28 |
| DocScrutinizer05 | or how his patch works? | 22:28 |
| Sicelo | yes to that too | 22:29 |
| DocScrutinizer05 | so why do you think he's incorrect about no need for RE of location-proxy? | 22:29 |
| Sicelo | i don't think that .. | 22:30 |
| DocScrutinizer05 | o.O | 22:30 |
| DocScrutinizer05 | sorry, I'm roo wasted from flu to continue this discussion | 22:31 |
| DocScrutinizer05 | too* | 22:31 |
| Sicelo | i'm just saying that if supl.nokia.com every completely stops working for us (due to cert of whatever else), maybe RE can help us with other SUPL servers ... will it really help? i don't know, but that's a maybe. curently supl.google.com doesn't really work for us | 22:31 |
| Sicelo | yeah you need some rest :) | 22:31 |
| DocScrutinizer05 | don't you tell me what I need | 22:31 |
| DocScrutinizer05 | I also can't recall maemo per se had issues with supl.google.com | 22:32 |
| *** platicus has quit IRC | 22:34 | |
| Sicelo | well there are .. http://talk.maemo.org/showthread.php?p=1468151#post1468151 | 22:34 |
| *** agomez{M} has quit IRC | 22:35 | |
| DocScrutinizer05 | hmm | 22:37 |
| DocScrutinizer05 | anyway I guess it's maybe time for a supl.maemo.org service | 22:37 |
| Sicelo | that'd be nice .. i think someone suggested that (Ulle) | 22:38 |
| DocScrutinizer05 | O mean, it's a pathetic 5kB of data basically | 22:38 |
| DocScrutinizer05 | I* | 22:38 |
| DocScrutinizer05 | we just need a GPS chipset that allows download of the almanac from sats and storing that almanac to a file | 22:39 |
| DocScrutinizer05 | alternatively we need a data source of almanac in the intarwebs | 22:40 |
| Sicelo | maybe run a supl server on the N900 itself .. wonder how good/bad that would be | 22:41 |
| DocScrutinizer05 | https://www.navcen.uscg.gov/?pageName=gpsAlmanacs maybe? | 22:41 |
| bencoh | Sicelo: not on n900 then | 22:42 |
| DocScrutinizer05 | Sicelo: err what? | 22:42 |
| bencoh | (as DocScrutinizer05 said actually) | 22:42 |
| Sicelo | ok | 22:44 |
| DocScrutinizer05 | http://git.osmocom.org/osmocom-lcs/ along that line maybe | 22:44 |
| *** agomez{M} has joined #maemo | 22:45 | |
| DocScrutinizer05 | uBlox chipset allows downloading eph and alm from GPS, after receiving it from SVs | 22:46 |
| *** platicus has joined #maemo | 22:47 | |
| DocScrutinizer05 | actually I'm not sure if SUPL is supposed to provide more than just almanac, maybe also ephemeris for the location the client asked for in supl request? | 22:47 |
| DocScrutinizer05 | maybe even support for geolocation bnased on BTS cellIDs seen, AP names etc? | 22:48 |
| bencoh | both iirc yeah | 22:48 |
| *** louisdk has quit IRC | 22:48 | |
| bencoh | hm no cellid-based geoloc doesn't depend on supl afaiu | 22:48 |
| bencoh | but supl client can choose to get eph in addition to alm | 22:49 |
| DocScrutinizer05 | well, for a first quick and dirty approach, supl.maemo.org could be a proxy asking supl.google.com and whatnot else to gather the needed data | 22:49 |
| bencoh | there is a commandline supl client available in extras-devel | 22:49 |
| bencoh | absolutely | 22:50 |
| bencoh | and there is already an opensource supl proxy implementation out there | 22:50 |
| DocScrutinizer05 | :-) | 22:50 |
| bencoh | not ready for production though, but still handy | 22:50 |
| DocScrutinizer05 | so go ahead hackers! hack that stuff into shape and let our brilliant techstaff run it on maemo servers :-) | 22:51 |
| DocScrutinizer05 | excellent task. very convenient testing on your own local infra, until it goes productive | 22:52 |
| Sicelo | OT: what is a good kmz viewer for Linux? | 22:54 |
| bencoh | I suppose marble reads kmz | 22:54 |
| Sicelo | oh wow .. should look at that | 22:55 |
| bencoh | someone recently ported gpxsee to maemo | 22:56 |
| DocScrutinizer05 | I just fail to believe there's no official source for current almanac data from gps.gov or whatever | 22:58 |
| bencoh | DocScrutinizer05: well ... :) | 22:59 |
| DocScrutinizer05 | sure, maybe you need to ask for them sending it in an email, or whatever hoops they may invent to avoid DDoS attacks | 22:59 |
| bencoh | they probably wont provide it either | 23:00 |
| DocScrutinizer05 | bencoh: almanac is prolly the most widespread ubiquitous data available via RF on this globe | 23:00 |
| DocScrutinizer05 | can't think of any sane reason why it wouldn't be avaolable via internet too | 23:01 |
| bencoh | it's available through supl servers | 23:02 |
| DocScrutinizer05 | yes, and where from those get it? | 23:02 |
| bencoh | gps | 23:02 |
| DocScrutinizer05 | no way | 23:02 |
| DocScrutinizer05 | that's insane | 23:02 |
| bencoh | wanna bet? :p | 23:02 |
| DocScrutinizer05 | not really, need my rear for other things ;-D | 23:03 |
| DocScrutinizer05 | >> Almanacs, Operational Advisories, and NANUs are available for download in two formats: the original format in which the files are produced (.alm, .al3., .nnu, and .oa1) plain text (txt)<< | 23:07 |
| DocScrutinizer05 | https://www.navcen.uscg.gov/?pageName=currentAlmanac&format=yuma-txt | 23:08 |
| *** agomez{M} has quit IRC | 23:09 | |
| *** platicus has quit IRC | 23:09 | |
| DocScrutinizer05 | bencoh: really bet now? ;-) | 23:10 |
| DocScrutinizer05 | https://www.navcen.uscg.gov/?pageName=currentAlmanac&format=sem-txt | 23:10 |
| bencoh | huhu, nice :) | 23:11 |
| bencoh | and https://igscb.jpl.nasa.gov/components/prods_cb.html | 23:11 |
| DocScrutinizer05 | ugh, what's that? a historical log? | 23:13 |
| bencoh | not really | 23:13 |
| DocScrutinizer05 | Final: 12 days latency; Rapid: 17h; UltraRapid; 8h | 23:14 |
| bencoh | well, kindof | 23:14 |
| bencoh | yeah | 23:14 |
| bencoh | not "historical" but yeah | 23:14 |
| DocScrutinizer05 | I'm not really interested in almanac or ephemeral of 13 days ago | 23:14 |
| DocScrutinizer05 | UltraRapid *might* be useful, with 8h delay and 48h validity span | 23:15 |
| DocScrutinizer05 | umm nope, 24h future, 24h past | 23:16 |
| DocScrutinizer05 | and they are 4 times a day, so 6h delay | 23:16 |
| DocScrutinizer05 | those are derived AIUI, (see "24h past from observation") so if not even NASA has a way to download that shite from internet... :-S | 23:17 |
| *** platicus has joined #maemo | 23:19 | |
| *** agomez{M} has joined #maemo | 23:22 | |
| DocScrutinizer05 | http://www.igs.org/products/data >>IGS Ultra-rapid products (IGU) | 23:24 |
| DocScrutinizer05 | To reduce the age of the prior, discontinued Predicted orbits, the IGS started the Ultra-rapid products officially week 1087 in November 2000 (see IGSMAIL-3088) . Like the former IGS Predicted products, the Ultra-rapid products are available for real time and near real time use. The Ultra-rapid products are released four times per day, at 03:00, 09:00, 15:00, and 21:00 UTC. (Until week 1267 they were released twice daily.) In this way the | 23:24 |
| DocScrutinizer05 | average age of the predictions is reduced to 6 hours (compared to 36 hours for the old IGS Predicted products and 9 hours for the twice-daily Ultra-rapids). The shorter latency should lead to significantly improved orbit predictions and reduced errors for user application<< | 23:24 |
| *** lxp has joined #maemo | 23:25 | |
| DocScrutinizer05 | the sat positions are with a precision <100cm :-) | 23:26 |
| DocScrutinizer05 | >>Geocentric Coordinates of IGS Tracking Stations -- Final velocities: Accuracy horizontal 2 mm/yr vertical 3 mm/yr<< :-> | 23:32 |
| DocScrutinizer05 | hmmmm ftp://ftp.igs.org/pub/gps/1935 | 23:40 |
| *** Milhouse has quit IRC | 23:41 | |
| *** agomez{M} has quit IRC | 23:44 | |
| *** platicus has quit IRC | 23:44 | |
| DocScrutinizer05 | what damn compression/archive format is .Z? like in ftp://ftp.igs.org/pub/gps/1935/igu19350_18.sp3.Z Doesn't look like it's plain text as (aiui) suggested in ftp://igs.org/pub/data/format/sp3c.txt | 23:46 |
| KotCzarny | man compress | 23:46 |
| *** Milhouse has joined #maemo | 23:52 | |
| *** agomez{M} has joined #maemo | 23:55 | |
| *** platicus has joined #maemo | 23:55 | |
| DocScrutinizer05 | gzip -dkvc <(wget ftp://ftp.igs.org/pub/gps/1935/igu19350_18.sp3.Z -O -)|less | 23:57 |
Generated by irclog2html.py 2.15.1 by Marius Gedminas - find it at mg.pov.lt!
