Drummerboy | Regular Member | Joined: 3-Jul-2003 | Posts: 377 | From: Santa Fe, Argentina - San Jose Costa Rica
-Amiga SSL Certificate Update | Posted on 13-Nov-2015 3:38:43 | [ #1 ]

Hello,
Does anyone know if there is an updated SSL certificate for AOS 3.X? I frequently browse on my A1200 with OS 3.0 using IBrowse, but some sites (such as Twitter or Wikipedia) show this message: "SSL Connect error. The remote server is using an encryption protocol not supported by IBrowse.", although some time ago they worked without problems.
Any suggestions or comments are welcome.
Regards.
_________________
Amiga 1000, 500, 600, 2000, 1200, 4000...
C= VIC 20 / 64 / SX64 / 128
Atari 600XL (SIC Cartridge) Atari 800XL (SIO2SD Unit)
Jay Miner's Atari 2600 - Wood front -
"Amiga, this Computer have a Own Live"

Dandy | Elite Member | Joined: 24-Mar-2003 | Posts: 3049 | From: Cologne * Germany
Re: -Amiga SSL Certificate Update | Posted on 20-Nov-2015 8:46:51 | [ #2 ]

@Drummerboy
Quote:
Drummerboy wrote:
Hello,
Does anyone know if there is an updated SSL certificate for AOS 3.X? I frequently browse on my A1200 with OS 3.0 using IBrowse, but some sites (such as Twitter or Wikipedia) show this message: "SSL Connect error. The remote server is using an encryption protocol not supported by IBrowse.", although some time ago they worked without problems.
Any suggestions or comments are welcome.
Regards.

Hmmm - I am having problems with YAM and accessing securepop and securesmtp servers with SSL/TLS. I'm getting similar error messages. Someone on Amiga-News.de suggested updating yam:Resources/Certificates/ca-bundle.crt with the latest version of the certificates from here:
ca-bundle.crt
There's also a link "Related: SSL Certs" - perhaps that's what you're looking for...
_________________
Ciao
Dandy
__________________________________________
If someone enjoys marching to military music, then I already despise him. He got his brain accidentally - the bone marrow in his back would have been sufficient for him! (Albert Einstein)

Amigo1 | Super Member | Joined: 24-Jun-2004 | Posts: 1591 | From: the Clouds
Re: -Amiga SSL Certificate Update | Posted on 20-Nov-2015 9:52:01 | [ #3 ]

@Dandy
Same issue here.. :-/

Dandy | Elite Member | Joined: 24-Mar-2003 | Posts: 3049 | From: Cologne * Germany
Re: -Amiga SSL Certificate Update | Posted on 20-Nov-2015 10:32:00 | [ #4 ]

@Amigo1
Quote:
Amigo1 wrote:
@Dandy
Same issue here.. :-/

The guy who suggested updating the certs also mentioned that German ISP T-Online.de "switched off the elder SSLv3 encryption method" and that he would "use YAM2.10 beta until the new AmiSSL will be released", as it offers the possibility to disable the server certificate warnings.
Up to now the latest release seems to be AmiSSL v3.6 release of 07-Mar-2006 - no idea when a new version will be released for m68k.

Dandy | Elite Member | Joined: 24-Mar-2003 | Posts: 3049 | From: Cologne * Germany
Re: -Amiga SSL Certificate Update | Posted on 23-Nov-2015 11:22:05 | [ #5 ]

@Dandy
Looking at this topic I quickly became confused by the different version numberings of AmiSSL, OpenSSL, SSL and TLS.
What I understood so far is:
- AmiSSL is a shared library package port of OpenSSL version 0.9.4 (August 9th, 1999): AmiSSL info
- Latest AmiSSL version is AmiSSL v3.6, downloadable from here: AmiSSL v3.6
- Latest OpenSSL version mentioned in the AmiSSL v3.6 docs is OpenSSL v0.9.7h
- AmiSSL v3.7 is mentioned here - but with the label "10 years ago" (???) This could mean it will be based on OpenSSL v0.9.8 of July 5th, 2005 - but this is just my guess.
- OpenSSL version 1.0.2, Suite B, has support for TLS 1.2 and DTLS 1.2
- The current OpenSSL version is 1.0.2d of July 9th, 2015
- OpenSSL version 1.1.0 is expected to release on April 28th 2016
- As of 2014 the 3.0 version of SSL (dating back to 1996) is considered insecure as it is vulnerable to the POODLE attack that affects all block ciphers in SSL; and RC4, the only non-block cipher supported by SSL 3.0, is also feasibly broken as used in SSL 3.0.
- TLS 1.0 (SSL v3.1) was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0.
- TLS 1.1 was defined in RFC 4346 in April 2006.
- TLS 1.2 was defined in RFC 5246 in August 2008.
- As of October 2015, TLS 1.3 is a working draft, and details are provisional and incomplete. It is based on the earlier TLS 1.2 specification.
So I assume the latest AmiSSL v3.6 is based on OpenSSL v0.9.7g of 2005. This is the version that does not work with YAM 2.9p1, e.g. accessing securepop and securesmtp servers always results in error messages.
So what we would urgently need for our classic AmigaOS 3.x systems is something based on at least TLS 1.2 / OpenSSL v1.0.2d .
As far as I found out on the web today (23-Nov-2015), AmiSSL v.3.7 has only been mentioned so far and would best be based on OpenSSL v0.9.8 of July 5th, 2005.
AlexC | Super Member | Joined: 22-Jan-2004 | Posts: 1301 | From: City of Lost Angels, California.
Re: -Amiga SSL Certificate Update | Posted on 23-Nov-2015 12:54:05 | [ #6 ]

@Dandy
You understood correctly.
@Drummerboy
The OWB browser and Odyssey (if it's possible to use with 3.x) should both have TLS 1.2 support built-in so you have a fallback for problematic websites, and even WGet for direct downloads. But IBrowse and any other software depending on AmiSSL will have to wait until the AmiSSL library gets updated. I don't know when that will be, but it appeared to be worked on last time I checked the AmiSSL SVN activity on SourceForge.
The compatibility issue is mostly due to overzealous webmasters who disabled SSL completely instead of only V3/RC4/TLS1.0 (which are vulnerable to exploits like POODLE and Heartbleed), while keeping V2 as a fallback for clients without TLS 1.2 support.
Unless you log into a site handling financial/private data, most secure connections don't even need to be all that secure for the mere sake of privacy; it's usually enough if packet sniffers can't read the communication in clear text.
Some webmasters managed to make it even worse for old clients like IBrowse, as for example Wikipedia (and many popular websites) now force the client to use https and thus TLS 1.2, so any client which can't be upgraded gets locked out completely. For read-only sites where no login is required, it makes no sense at all to force the client to use encryption.
_________________
AlexC's free OS4 software collection
AmigaOne XE/X1000/X5000/UAE-PPC OS4 laptop/X-10 Home Automation

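An added example, not part of any post in this thread and not code from AmiSSL, IBrowse or YAM: the protocol versions listed in post #5 as they are encoded on the wire, with a decoder that tells a refused offer (a plausible cause of the "encryption protocol not supported" message) apart from a successful negotiation. The function names and the sample bytes are constructed for illustration.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# Alert descriptions a server can send when it refuses a client's offer.
ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}
REFUSAL = bytes([21, 3, 1, 0, 2, 2, 70])  # constructed record: fatal protocol_version alert

def name(v):
    return VERSIONS.get(v, "unknown 0x%04x" % v)

def build_hello(msg_type, version):
    """Constructed minimal ClientHello (1) or ServerHello (2) record carrying `version`."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, empty session_id
    if msg_type == 1:
        body += struct.pack("!HH", 2, 0x002F) + b"\x01\x00"  # cipher suite list, compression list
    else:
        body += struct.pack("!H", 0x002F) + b"\x00"          # chosen suite, chosen compression
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, version, len(hs)) + hs     # record type 22 = handshake

def parse_record(data):
    """Return (content_type, payload) of the first TLS record, or None if truncated."""
    if len(data) >= 5:
        ctype, _record_version, length = struct.unpack("!BHH", data[:5])
        if len(data) >= 5 + length:
            return ctype, data[5:5 + length]
    return None

def hello_version(record, msg_type):
    """Version field of a ClientHello/ServerHello record, or None if it is not one."""
    rec = parse_record(record)
    if rec is None or rec[0] != 22 or len(rec[1]) < 6 or rec[1][0] != msg_type:
        return None
    return struct.unpack("!H", rec[1][4:6])[0]

def diagnose(client_hello, server_reply):
    """Explain the server's first record in terms of the version the client offered."""
    offered = hello_version(client_hello, 1)
    reply = parse_record(server_reply)
    if offered is None or reply is None:
        return "truncated or unexpected input"
    ctype, payload = reply
    if ctype == 21 and len(payload) == 2:                    # alert: level, description
        kind = "fatal" if payload[0] == 2 else "warning"
        return "%s alert %s after offering at most %s" % (
            kind, ALERTS.get(payload[1], str(payload[1])), name(offered))
    chosen = hello_version(server_reply, 2)
    if chosen is None:
        return "unexpected reply (record type %d)" % ctype
    if chosen > offered:
        return "protocol error: server chose %s above the offer" % name(chosen)
    return "negotiated %s" % name(chosen)
```

For instance, `diagnose(build_hello(1, 0x0300), REFUSAL)` reports the fatal `protocol_version` alert for a client capped at SSL 3.0, while a TLS 1.2 ClientHello answered by a TLS 1.2 ServerHello reports a successful negotiation.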
Dandy | Elite Member | Joined: 24-Mar-2003 | Posts: 3049 | From: Cologne * Germany
Re: -Amiga SSL Certificate Update | Posted on 23-Nov-2015 13:50:52 | [ #7 ]

@AlexC
Quote:
AlexC wrote:
@Dandy
You understood correctly.
@Drummerboy
The OWB browser and Odyssey (if it's possible to use with 3.x) should both have TLS 1.2 support built-in so you have a fallback for problematic websites, and even WGet for direct downloads. But IBrowse and any other software depending on AmiSSL will have to wait until the AmiSSL library gets updated. I don't know when that will be, but it appeared to be worked on last time I checked the AmiSSL SVN activity on SourceForge.

I can only look at https://github.com/jens-maus/amissl:
dist AmiSSL v3.7 changes. 10 years ago
include - applied some compiler warning fixes and applied some AMISSL_COMMON_… 2 months ago
libcmt - added some more debug output to continue to debug why amissl_v101i_… 2 months ago
openssl minor modifications and more debug output to track down some more OS4… 11 days ago
Hmmm - apparently work has been done on an "amissl_ version 101i" 2 months ago - could this refer to OpenSSL Version 1.0.1i of August 6th, 2014? Is this for OS4.x or OS3.x?
Hmmm - AmiSSL v3.7 - "10 years ago" - this was mentioned in the doc file of AmiSSL v3.6 m68k - So I guess AmiSSL v3.6 m68k is even older?
Last edited by Dandy on 23-Nov-2015 at 01:51 PM.

AlexC | Super Member | Joined: 22-Jan-2004 | Posts: 1301 | From: City of Lost Angels, California.
Re: -Amiga SSL Certificate Update | Posted on 29-Nov-2015 14:06:05 | [ #8 ]

@Dandy
Right, it has been moved to GitHub.
I haven't looked at the source but I would guess that 101i is based on OpenSSL 1.0.1i, which by now should be patched to 1.0.1p or 1.0.2d.
It looks like the goal is to release the same version for OS3, OS4 and MorphOS.