Logo

Forums | Reviews | Search | Full Version

Root Certs Update
by frantid on 10/30/2015 | ; Tags: - none - | 0 comments

 This is mainly maintenance, but does remove 6 or 7 expired certs from the root certs installed on the various webOS devices.  It should work on everything. Should not require a reboot, but it might if the file indexer doesn't notice right away.  

I got the original roots off the emulator. Removed the expired certs. Then added certs via:

https://www.linuxfromscratch.org/blfs/view/svn/postlfs/cacerts.html

which gets it's certs from mozilla
https://hg.mozilla.org/releases/mozilla-release/file/default/security/nss/lib/ckfw/builtins/certdata.txt

It won't remove expired certs from the certificate manager app.  I encourage everyone to go through their installed certs, check details and the expired dates. Delete the expired ones.

This is especially important for those testing the new openssl that have any old expired certs, like hotmail.com installed.  From the openssl.org pages:

"If several CA certificates matching the name, key identifier, and serial number condition are available, only the first one will be examined. This may lead to unexpected results if the same CA certificate is available with different expiration dates. If a "certificate expired" verification error occurs, no other certificate will be searched. Make sure to not have expired certificates mixed with valid ones."

On 1.4.5 devices it runs really quickly, since it only copies 2 files.

On 2.x and 3.x it takes a couple of minutes as it has to go through all the certs and links in /var/ssl/certs; /var/ssl/trustedcerts; /etc/ssl/certs/trustedcerts

for those interested the scripts are posted on github:
https://github.com/frantid/webos-openssl-0.9.8zg/tree/master/rootcerts