*** Kabouik has joined #maemo | 00:08 | |
*** dafox has quit IRC | 00:25 | |
*** Pali has quit IRC | 00:42 | |
*** Kabouik has quit IRC | 00:47 | |
*** Kabouik has joined #maemo | 00:48 | |
*** Kabouik_ has joined #maemo | 00:56 | |
*** Kabouik has quit IRC | 00:57 | |
*** Konsieur has joined #maemo | 00:58 | |
*** Kabouik_ has quit IRC | 01:01 | |
*** Kilroo has joined #maemo | 01:29 | |
*** hurrian has quit IRC | 01:32 | |
*** hurrian_ has joined #maemo | 01:32 | |
*** Konsieur has quit IRC | 01:32 | |
*** atk has quit IRC | 02:00 | |
*** atk has joined #maemo | 02:00 | |
*** atk has quit IRC | 02:00 | |
*** atk has joined #maemo | 02:00 | |
*** florian has quit IRC | 02:18 | |
*** infobot has quit IRC | 02:19 | |
*** infobot has joined #maemo | 04:18 | |
*** ChanServ sets mode: +v infobot | 04:18 | |
*** tm has quit IRC | 05:07 | |
*** l_bratch has quit IRC | 05:09 | |
*** juiceme has joined #maemo | 05:21 | |
*** juiceme is now known as Guest50877 | 05:21 | |
*** Guest14302 has quit IRC | 05:22 | |
*** tm has joined #maemo | 05:26 | |
*** BitEvil has joined #maemo | 05:29 | |
*** SpeedEvil is now known as Guest97175 | 05:29 | |
*** Guest97175 has quit IRC | 05:31 | |
*** lukedashjr has joined #maemo | 05:45 | |
*** luke-jr has quit IRC | 05:46 | |
*** lukedashjr is now known as luke-jr | 05:50 | |
*** Kilroo has quit IRC | 06:36 | |
*** pagurus` has joined #maemo | 06:51 | |
*** pagurus has quit IRC | 06:54 | |
*** lukedashjr has joined #maemo | 06:55 | |
*** luke-jr has quit IRC | 06:56 | |
*** lukedashjr is now known as luke-jr | 07:00 | |
Maxdamantus | Okay, so luckily that certificate expired at Apr 24 14:09:34 2009. | 07:16 |
Maxdamantus | but if maemo has a clock set to a time before that, any SSL connection could be intercepted. | 07:17 |
Maxdamantus | Presumably it's unused, unless there's something else in maemo that doesn't check the issuer expiry. | 07:18 |
Maxdamantus | Ah, actually, it's not used by microb. I guess it just tests the expiry time before checking that a certificate is in the store (since I was getting an "expired" error before setting my clock back) | 07:20 |
*** spiiroin has quit IRC | 07:28 | |
*** spiiroin has joined #maemo | 08:18 | |
*** mavhc has quit IRC | 08:59 | |
*** hurrian_ has quit IRC | 09:00 | |
*** mavhc has joined #maemo | 09:06 | |
*** l_bratch has joined #maemo | 09:07 | |
*** Venemo has joined #maemo | 09:20 | |
*** dafox has joined #maemo | 09:21 | |
*** dafox has quit IRC | 09:49 | |
*** chfoo has quit IRC | 09:56 | |
*** chfoo has joined #maemo | 09:56 | |
*** hurrian has joined #maemo | 09:57 | |
*** jskarvad has joined #maemo | 10:03 | |
*** florian_kc has joined #maemo | 10:11 | |
*** florian_kc has quit IRC | 10:17 | |
*** hurrian has quit IRC | 10:22 | |
*** r00t|home has quit IRC | 10:43 | |
*** hurrian has joined #maemo | 10:48 | |
*** Venemo has quit IRC | 11:09 | |
*** ceene has quit IRC | 11:18 | |
*** ceene has joined #maemo | 11:18 | |
*** florian_kc has joined #maemo | 11:25 | |
*** florian_kc is now known as florian | 11:29 | |
*** Konsieur has joined #maemo | 11:44 | |
*** Konsieur has quit IRC | 11:47 | |
*** Kabouik has joined #maemo | 11:48 | |
*** Kabouik has quit IRC | 12:10 | |
Maxdamantus | Damn, turns out Opera Mobile doesn't use SNI. | 12:23 |
Maxdamantus | I thought I saw the host it was connecting to before. | 12:23 |
Maxdamantus | microb uses it though. | 12:24 |
bencoh | SNI support sounds quite mandatory to me nowadays ... | 12:24 |
Maxdamantus | Anyway, this is what I've made so far: https://gist.github.com/Maxdamantus/e32ab94dbc5d9d43298428400020620e | 12:25 |
bencoh | Maxdamantus: silly question, but why not use one of the already available small-footprint proxies? | 12:25 |
Maxdamantus | bencoh: such as? | 12:25 |
bencoh | tinyproxy or polipo | 12:26 |
Maxdamantus | tinyproxy is an HTTP proxy | 12:26 |
Maxdamantus | Nothing to do with SSL | 12:26 |
bencoh | (tinyproxy might not have proper support for ssl, I don't quite remember) | 12:26 |
* Maxdamantus looks at polipo | 12:26 | |
Maxdamantus | Again sounds like an HTTP proxy. | 12:26 |
bencoh | Tinyproxy is a light-weight HTTP/HTTPS proxy daemon | 12:26 |
Maxdamantus | That's a fairly misleading description. | 12:27 |
KotCzarny | you can have https proxy without any ssl | 12:27 |
KotCzarny | just copy data as is | 12:27 |
KotCzarny | i do it in my own proxy | 12:27 |
KotCzarny | you need a proxy that does ssl management if you want to interact in any way | 12:27 |
Wizzup | a thread for every socket? | 12:28 |
Maxdamantus | Yes, that's the intention of my program above. | 12:28 |
Maxdamantus | Wizzup: for now, yes. | 12:28 |
Wizzup | well, looks like you're having fun :) | 12:28 |
Maxdamantus | I don't expect to be maintaining a large number of connections. | 12:28 |
bencoh | you might be right about tinyproxy | 12:28 |
*** eMHa has quit IRC | 12:28 | |
Wizzup | I'd personally do it in go - since it links statically with the latest tls support and does all of this multiplexing easily, but I guess there's no point to suggesting it :P | 12:28 |
Maxdamantus | also note that the program above is agnostic about a particular protocol. | 12:29 |
Wizzup | sure, just tls + sni | 12:29 |
bencoh | polipo caches content, so it probably handles ssl properly, though | 12:29 |
bencoh | Maxdamantus: you can't really be protocol-agnostic when it comes to starttls | 12:29 |
bencoh | and you'll eventually have to handle that as well | 12:29 |
bencoh | (same goes for SNI, actually) | 12:30 |
Maxdamantus | bencoh: well, it assumes that the entire socket is encapsulated in TLS. | 12:30 |
Maxdamantus | otherwise it's protocol agnostic. | 12:30 |
Maxdamantus | (though atm it doesn't forward ALPN) | 12:30 |
Maxdamantus | also regarding proxying, opera mobile doesn't seem to have the option to use a proxy. | 12:31 |
Maxdamantus | and I'm guessing if microb/firefox has that option, it will still want to use SSL over the proxy. | 12:31 |
Wizzup | what if you set the env variables? | 12:31 |
KotCzarny | in the worst case you have iptables | 12:32 |
Maxdamantus | (ie, it'd rely on something like `CONNECT google.com:443`) | 12:32 |
Wizzup | Maxdamantus: yes, indeed, it will do its own tls over the proxy. | 12:32 |
Maxdamantus | Wizzup: right, in which case polipo won't help, unless polipo actually does the funky TLS stuff that my program does. | 12:32 |
Wizzup | Maxdamantus: but you can intercept it | 12:32 |
Wizzup | yes | 12:32 |
Maxdamantus | (funky stuff = generating/signing certificates on the fly) | 12:32 |
Wizzup | why do you need to do that, though? | 12:33 |
Wizzup | if you have your own CA, you can just install a wildcard cert, no? | 12:33 |
Maxdamantus | Because if the browser makes a request to "google.com", the certificate used needs to have CN=google.com | 12:33 |
Wizzup | (plus, generating keys + certs takes a -long- time) | 12:33 |
Wizzup | Maxdamantus: wildcard should work? | 12:33 |
Maxdamantus | TLD wildcards are illegal. | 12:34 |
Wizzup | how do you think mitm proxies work? | 12:34 |
Maxdamantus | ie, *.com and * are illegal. | 12:34 |
Maxdamantus | Wizzup: they have to do what I do. | 12:34 |
Wizzup | really? | 12:34 |
Wizzup | mhm | 12:34 |
Maxdamantus | Wizzup: that's almost certainly what "mitmproxy" does. | 12:34 |
Wizzup | well, I guess you can re-use the same key | 12:34 |
Wizzup | then it doesn't take long | 12:34 |
Maxdamantus | (mitmproxy being some debugging utility written in Python, seems unsuitable for running locally on N900) | 12:34 |
Maxdamantus | Yes, I use the same key. | 12:34 |
Maxdamantus | but have to generate different certificates. | 12:35 |
Wizzup | maybe I'll do it in go for fun some time | 12:35 |
Maxdamantus | The "CAKEY.pem" passed in to my program is meant to be the key for the CA certificate, and it also uses that same key for all generated certificates. | 12:36 |
Maxdamantus | It could theoretically take in a second key for the latter, but that seems unnecessary. | 12:37 |
KotCzarny | generating certs is not a big problem if you just need it for few frequent sites | 12:37 |
Wizzup | you could use transparent socks proxy if n900 supports it | 12:37 |
Wizzup | (with iptables) | 12:37 |
Maxdamantus | and when/if I get it working properly, I'd rather just keep the key in memory instead of storing it on the filesystem, so don't want to generate too many keys on boot. | 12:37 |
Wizzup | Maxdamantus: just generate a new intermediate? | 12:38 |
Maxdamantus | Wizzup: there's no intermediate. | 12:38 |
Wizzup | then generate one ;) | 12:38 |
Maxdamantus | How does an intermediate help? | 12:38 |
Wizzup | if you want to keep the keys in memory... | 12:38 |
Wizzup | eh, whatever :) | 12:39 |
Maxdamantus | The intermediate would need to be signed by the trusted certificate's key. | 12:39 |
sicelo | opera mobile *can* use a proxy. it's in about:opera, or some such | 12:39 |
sicelo | opera:config | 12:40 |
Maxdamantus | Oh, cool. | 12:40 |
Maxdamantus | Okay, guess I'll adapt it to use that tomorrow. | 12:41 |
Maxdamantus | That should solve the lacking SNI issue too. | 12:41 |
Maxdamantus | since whatever it sends to the proxy should have the hostname. | 12:41 |
Maxdamantus | and yeah, that treats the proxy as an HTTP proxy and just uses "CONNECT github.com:443 HTTP/1.1 | 12:44 |
Maxdamantus | " | 12:44 |
Maxdamantus | eh, spaces. | 12:44 |
*** jskarvad has quit IRC | 12:45 | |
*** jskarvad has joined #maemo | 12:46 | |
bencoh | hmm, mitmproxy looks pretty handy for android app REing | 12:47 |
*** BitEvil is now known as SpeedEvil | 12:49 | |
Maxdamantus | also simplifies getting the browser to actually connect to the proxy. | 12:53 |
Maxdamantus | was intending on adding netfilter rules that did something like forward all :443 traffic to the proxy, unless the source is some particular address, which the proxy would bind to for outgoing connections. | 12:54 |
Maxdamantus | btw, https://github.com/kr/mitm might already be a sufficient Go implementation. | 12:58 |
Maxdamantus | Have to be careful with all these things though, given how explicit you have to be in OpenSSL to actually get validation to work. | 13:01 |
Maxdamantus | eg, checking that the certificate is valid and checking that the CN in the certificate matches what you're connecting to are different things. | 13:03 |
Maxdamantus | even though the hostname is specified in two places already (`BIO_set_conn_hostname` (for DNS lookup) and `SSL_set_tlsext_host_name` (SNI)) | 13:05 |
*** eMHa has joined #maemo | 13:10 | |
*** mavhc has quit IRC | 13:19 | |
*** mavhc has joined #maemo | 13:24 | |
*** Venemo has joined #maemo | 13:42 | |
*** troulouliou_div2 has joined #maemo | 14:11 | |
*** spiiroin has quit IRC | 15:24 | |
*** ceene has quit IRC | 15:38 | |
*** ceene has joined #maemo | 15:45 | |
*** spiiroin has joined #maemo | 15:52 | |
*** keithzg_ has quit IRC | 15:56 | |
*** keithzg_ has joined #maemo | 15:56 | |
DocScrutinizer05 | BYEBYE Merkel | 16:59 |
DocScrutinizer05 | hurry up a bit! don't forget to take your rocks with you | 16:59 |
KotCzarny | don't worry, refugees are there to stay | 17:00 |
DocScrutinizer05 | I don't care too much about any refugees | 17:01 |
KotCzarny | well, not refugees, hostile tools of national identity disintegration | 17:01 |
KotCzarny | also, 2021? is that a joke? | 17:10 |
KotCzarny | 2 more years of the fun | 17:13 |
DocScrutinizer05 | alas you got a few points there | 17:29 |
* DocScrutinizer05 is tempted to run the streets shouting "HURRY UP! GET LOST!" | 17:30 | |
DocScrutinizer05 | "I WON'T SURVIVE ANOTHER 2 YEARS OF THAT NARCOTIC" | 17:30 |
DocScrutinizer05 | there's hope she can't pull off the chancellorship 2 years as lame duck | 17:34 |
*** troulouliou_div2 has quit IRC | 18:18 | |
*** rysiek|pl has joined #maemo | 18:38 | |
*** DocScrutinizer05 is now known as up-quark | 18:40 | |
*** up-quark is now known as DocScrutinizer05 | 18:40 | |
*** dafox has joined #maemo | 18:43 | |
*** dafox has quit IRC | 19:30 | |
*** Pali has joined #maemo | 19:38 | |
*** dafox has joined #maemo | 19:39 | |
*** eMHa has quit IRC | 19:49 | |
*** dafox has quit IRC | 19:54 | |
*** ced117 has quit IRC | 19:56 | |
*** ced117 has joined #maemo | 19:58 | |
*** ced117 has joined #maemo | 19:58 | |
*** eMHa has joined #maemo | 20:17 | |
*** florian_kc has joined #maemo | 20:40 | |
*** florian has quit IRC | 20:41 | |
*** florian_kc is now known as florian | 20:41 | |
*** florian_kc has joined #maemo | 20:41 | |
*** jskarvad has quit IRC | 21:17 | |
*** florian has quit IRC | 21:20 | |
*** halftux has joined #maemo | 21:48 | |
halftux | does somebody know where I could find these automated generated maemo diff files to debian source packages? | 21:51 |
sicelo | which ones? | 21:52 |
*** florian has joined #maemo | 21:55 | |
halftux | libsoup2.4 | 21:55 |
halftux | from original maemo source | 21:56 |
halftux | there was a URL where you could generate diff files from debian to maemo but I forgot it | 21:57 |
sicelo | no idea. :-/ | 22:12 |
*** Kabouik has joined #maemo | 23:07 | |
*** halftux has quit IRC | 23:10 | |
*** M4rtinK has joined #maemo | 23:48 | |
*** Venemo has joined #maemo | 23:56 |
Generated by irclog2html.py 2.15.1 by Marius Gedminas - find it at mg.pov.lt!