Name | Modified | Size | Downloads / Week |
---|---|---|---|
README | 2017-08-26 | 4.9 kB | |
Chumby_SSLfix.zip | 2017-08-26 | 901.9 kB | |
Chumby_SSLfix.zip.md5 | 2017-08-26 | 32 Bytes | |
Chumby_SSLfix.tar.md5 | 2017-08-26 | 32 Bytes | |
Chumby_SSLfix.tar.gz | 2017-08-26 | 945.7 kB | |
Totals: 5 Items | 1.9 MB | 0 |
SSL fix for Chumby - release beta 0.9.0 - 20 Aug 2017 - by francesco

-------------------------------------------------------------------------------
0.0 Introduction and Disclaimer

This software fixes an issue of the Chumby One which makes it impossible to
connect to some servers via a secure channel (SSL).

It has been designed and tested on the Chumby One device running
FW 1.0.3454 SW 1.0.7 (from the Settings > Info screen).

This software comes with no warranty. The authors, developers, packagers,
distributors and anyone else cannot be held responsible for any damage it may
cause. Use it at your own risk.

-------------------------------------------------------------------------------
1.0 Release notes

First release V0.9.0, still in Beta.

Output from curl -V

    curl 7.16.2 (arm-none-linux-gnueabi) libcurl/7.16.2 OpenSSL/1.0.0s zlib/1.2.3 c-ares/1.3.2
    Protocols: tftp ftp dict http file https ftps
    Features: AsynchDNS NTLM SSL libz

List of files

    README
    curl
    curl-ca-bundle.crt
    libcurl.so.4.0.0
    readme.txt

Uppercase readme is for Unix.

-------------------------------------------------------------------------------
2.0 Install procedure

First unpack the archive and store all the files on a USB key.
Turn off the chumby, insert the key and turn it on.
Connect to the chumby using SSH on Linux or PuTTY on Windows.

Stop the control panel

    stop_control_panel

and remount the file system as read/write

    mount -o remount,rw /

Change directory to /lib and make a copy of libcurl

    cd /lib
    mv libcurl.so.4.0.0 libcurl.so.4.0.0_bkp

copy the new one from the USB key

    cp -p /mnt/usb/libcurl.so.4.0.0 .

and fix the permissions (if needed)

    chmod 755 libcurl.so.4.0.0

Check the files

    ls -l libcurl.so*
    lrwxrwxrwx 1 root root 16 Aug 20 00:24 libcurl.so -> libcurl.so.4.0.0
    lrwxrwxrwx 1 root root 16 Aug 20 00:23 libcurl.so.4 -> libcurl.so.4.0.0
    -rwxr-xr-x 1 root root 2373688 Aug 19 17:26 libcurl.so.4.0.0
    -rwxr-xr-x 1 root root 1184988 Nov 6 2010 libcurl.so.4.0.0_bkp

Then, by following a similar procedure, install curl itself, permissions
included:

    cd /usr/bin
    mv curl curl_bkp
    cp -p /mnt/usb/curl .
    chmod 755 curl

Check results:

    ls -l curl*
    -rwxr-xr-x 1 root root 59740 Aug 19 17:26 curl
    -rwxr-xr-x 1 root root 59784 Nov 6 2010 curl_bkp

Then fix the certificate store (CA)

    cd /usr/share/certs/
    mv curl-ca-bundle.crt curl-ca-bundle.crt_bkp
    cp -p /mnt/usb/curl-ca-bundle.crt .

fix permissions (if needed)

    chmod 644 curl-ca-bundle.crt

and check the results

    ls -l
    -rwxr-xr-x 1 root root 256008 Aug 12 18:09 curl-ca-bundle.crt
    -rw-r--r-- 1 root root 229223 Nov 6 2010 curl-ca-bundle.crt_bkp

Finally make the file system read only again

    mount -o remount,ro /

To verify whether the new library is correctly installed, print the OpenSSL
version:

    curl -V

OpenSSL should be 1.0.0 not 0.9.7.

The xkcd RSS feed can be used to check an https URL:

    curl https://xkcd.com/rss.xml

will print the RSS feed, after a little while.

Restart the control panel

    start_control_panel

Before cheering and dancing and rebooting, make sure everything works fine.
Let it run for a few minutes (even half an hour) and verify that https
actually works (for instance by running the xkcd widget...).

Old files can be removed, but back them up just in case.

To restore the previous configuration just undo the steps above.

-------------------------------------------------------------------------------
3.0 Brief technical description

Only one application was actually updated: OpenSSL, which was bumped to
version 1.0.0s (last working release available now). Since it is statically
linked to libcurl (hence its hefty size) this upgrade shouldn't have any
impact on the rest of the system.

The other trick is the certificate store, which was updated to the latest
version. This ensures that all the certificates can be successfully verified.
Further information is available at:

    https://curl.haxx.se/docs/caextract.html

This file should also be updated every year or so.

Note: cacert.pem was renamed to curl-ca-bundle.crt

-------------------------------------------------------------------------------
4.0 Known issues

Size of binaries did increase, but getting a recent version of OpenSSL mostly
fixed initial speed issues. Further updates will try to trim the size of
libcurl.

With some sites the SSL session fails because of a "bug" in older versions of
libcurl. Fixing this will require a deeper update of the curl library.
Hopefully this will remain a minor issue (I know... it won't).

An installer is not available for now, which may prevent some users from
updating their chumby. This should be fixed in a future release.
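
The verification at the end of section 2.0 (OpenSSL version reported by curl, plus a usable CA bundle) can be scripted. This is an added example, not part of the release archive or the author's code; the function names and script name are made up for it, while the paths and the expected 1.0.0 version are the ones the README gives.

```shell
#!/bin/sh
# Added example: post-install checks for section 2.0. Not part of the release.
# Function names are made up here; paths and expected version come from the README.

# Print the OpenSSL version found in `curl -V` text read from stdin, e.g. "1.0.0s".
curl_openssl_version() {
    sed -n 's|.*OpenSSL/\([0-9][0-9a-z.]*\).*|\1|p' | head -n 1
}

# Succeed only for the 1.0.0 series (the README's check: 1.0.0, not 0.9.7).
is_fixed_openssl() {
    case "$1" in
        1.0.0*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the number of PEM certificates in a bundle; 0 for a missing or empty file.
count_ca_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Run both checks against the installed files; non-zero on the first failure.
verify_ssl_fix() {
    curl_bin=${1:-/usr/bin/curl}
    bundle=${2:-/usr/share/certs/curl-ca-bundle.crt}
    ver=$("$curl_bin" -V 2>/dev/null | curl_openssl_version)
    if ! is_fixed_openssl "$ver"; then
        echo "FAIL: $curl_bin reports OpenSSL '${ver:-none}', expected 1.0.0"
        return 1
    fi
    certs=$(count_ca_certs "$bundle")
    if [ "$certs" -eq 0 ]; then
        echo "FAIL: no certificates in $bundle"
        return 1
    fi
    echo "OK: OpenSSL $ver, $certs CA certificates in $bundle"
}

# Run on the chumby as: sh check_sslfix.sh run   (the script name is an example)
if [ "${1:-}" = "run" ]; then
    verify_ssl_fix
fi
```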