1 (edited by francesco 2017-08-20 08:02:17)

Topic: Fix SSL on Chumby One

I think I found a fix for the SSL issue, which is preventing some widgets from working.

Basically I've recompiled libcurl using the same version installed on the chumby but linked it to an upgraded OpenSSL library (1.0.0s). Everything else (gnutls, hair raising c-ares, zlib etc.) stays the same.
Since the OpenSSL library is statically linked to libcurl, the impact on the rest of the system should be minimal.

This makes the update relatively simple.
It's made of three files: libcurl, curl (an executable) and an updated CA store. These files should just be copied onto the Chumby file system.

Archives are available here:
tar.gz archive: http://fpalab.com/download/Chumby_SSLfix.tar.gz
zip archive: http://fpalab.com/download/Chumby_SSLfix.zip

Checksum (md5):
tar.gz archive: http://fpalab.com/download/Chumby_SSLfix.tar.md5
zip archive: http://fpalab.com/download/Chumby_SSLfix.zip.md5

Detailed instructions are in README (Unix) or readme.txt (win).

The installation does require some basic Unix knowledge and Chumby hacking and does modify the internal OS: beware as mistakes can prevent the device from booting.
And no, there is no installer yet but if the update proves to be useful I will add one.

Enjoy
Francesco

Re: Fix SSL on Chumby One

We have a similar fix working for all of the mSD-card based chumby devices, and we were working on an installer when we had to put it aside to deal with the dash situation.

The solution for the chumby Classic is to update the firmware to version 1.7.3

We're back working on the installer.

Re: Fix SSL on Chumby One

francesco wrote:

I think I found a fix for the SSL issue, which is preventing some widgets from working.

Community participation, awesome stuff :)

Cleaning up any loose bits and bytes.

Re: Fix SSL on Chumby One

That's awesome. I wanted to look into this a couple years ago and never found the time. Thanks for sharing! Now I need to see if this will fix the issues I was having with pianobar.

Linux Guy - Occasional Chumby Hacker

Re: Fix SSL on Chumby One

Great, just let us know if that helped you.

In the meantime I've done two things.

First I've put the files on sourceforge with additional details (compile options are coming soon). 
The link is: https://chumby-ssl-fix.sourceforge.io/

Second I uploaded a new version, V2.0. This one supports sites that were giving problems during SSL negotiations.
Also, it comes with an installer, both manual and automatic (for the brave).

The automatic setup should work like this: extract all the files and directories on a USB key, rename

_debugchumby

to

debugchumby

turn off the Chumby, insert the key, turn it back on and wait......

Manual installation is also supported and is simpler than the previous one.
Further details are in the README (readme.txt for win), which should be read before doing anything.

Enjoy.

6 (edited by ccchuck 2017-08-31 14:41:17)

Re: Fix SSL on Chumby One

francesco wrote:

    I think I found a fix for the SSL issue.....


Duane wrote:

We have a similar fix working for a.......
.......We're back working on the installer.


While I am intrigued by francesco's possible solution, I think I will wait for yours...

eh... which might be coming... soon?

Re: Fix SSL on Chumby One

I have released Version 3 of the SSL fix for the Chumby One.

This update addresses the performance issues of the previous versions: it drops support for OpenSSL and uses mbedTLS instead.
Improvements are quite satisfying and until now I haven't had any compatibility issues.

Probably this is going to be the last release and only bug fixes or minor tweaks will follow.

If anyone wants to try it out go to https://sourceforge.net/projects/chumby-ssl-fix/

Re: Fix SSL on Chumby One

For those who don't have the Chumby One but still want to try the fix, there's a utility which can check the compatibility of their Chumby with the fix.

It's available here: https://sourceforge.net/projects/chumby … st-SSLfix/

Read the readme file, but usage is simple.

Unpack the archive and save all files and directories in a USB key, insert the key in the Chumby, turn on the Chumby and wait until the widgets are displayed.
If you can find the picture of a nice Swiss mountain in the key src directory, the test was successful.
(technical stuff is in the install.log)

For further information see the wiki.

Re: Fix SSL on Chumby One

Does this "fix" the "out of date" problem with widgets like local weather, NOAA, etc.?

Re: Fix SSL on Chumby One

Sorry for taking so long to answer.

I don't know if the SSL fix can fix that problem. However I suspect it's more related to the time settings, namely the time zone.

Re: Fix SSL on Chumby One

Has anyone tried this fix?
I am aware that it would probably not impact local weather since the app has been modified, but was hoping it might allow loading jpgs etc., via URLimage from sites using SSL.

Re: Fix SSL on Chumby One

I tried the compatibility test on a Chumby 8 and did not find the photo of the Swiss mountain in the SRC folder of the USB stick... so it seems it will not work on a Chumby 8...

Re: Fix SSL on Chumby One

Hello. Sorry for the late feedback but I rarely come back to the chumby site.

Unfortunately I don't have a Chumby 8, nor do I know anybody who does. Therefore testing and adapting the fix requires some creative thinking.

There are several reasons why the test may fail and some of them might be benign. Therefore it might be helpful to post the install.log file (from the usb key) since it may hint at what actually went wrong.

Re: Fix SSL on Chumby One

Hello. Thank you for your reply. I can verify that this works nicely on the Chumby One and the Infocast 3.5" units.
There is a widget called WGraph that doesn't work on the Chumby One or the Infocast 3.5 unless this SSL fix is installed.
WGraph does already run on the soft (original) chumby because the firmware 1.7.3 seems to have corrected the SSL issue on that unit.
When I ran the test-SSLfix on the Chumby 8, there was no install.log file on the usb stick... so perhaps the debugchumby program was not run during boot? Should it be renamed to something else on the 8?
Thanks again for making this fix available.

Re: Fix SSL on Chumby One

First of all thanks for your precious feedback.

As far as I know the Chumby 8 should execute the debugchumby script too. Maybe it's something on the Chumby side that is preventing this.

Did the Chumby recognize the usb stick? Are there any additional settings that might interfere?

Re: Fix SSL on Chumby One

The USB stick light came on and flashed on/off during the boot process.
I tried both USB slots 1 and 2.
I've even named the stick itself "debugchumby" to see if that made a difference.
The firmware upgrade for a C8 requires a file named update.zip.  Do you think we need to zip this accordingly for it to work?

Another thought...if you are interested, I would be willing to loan you my Red C8 (I'll ship it to you if you will promise to ship it back).
Then we can figure out how to do good for a large segment of the Chumby community (everyone with C8's or Insignia 8's which have been upgraded to the Chumby firmware would benefit from this fix).

What do you think?

Re: Fix SSL on Chumby One

Francesco,
I decided to try some different memory sticks and formats.
I had an old one that was FAT16 and tried the contents of SSL-Fix-V3uni.zip on the Chumby 8 running:
control panel 5.0.38b2
Software Ver: 1.8.2
Firmware Ver: 1.8.3883

The Items I found in "install.log" afterwards are shown below.
Was this a successful installation?  Is there anything else for me to do?

I did check and now the Chumby 8 displays the widget called WGraph.  Am going to do a little more experimenting.

Let me know what you think...

---------------------

Starting install
Checking installation
Recoverable installation
V1 not installed
V2 not installed
V3 installed
mbedtls (already) updated to V3
Unable to perform install/recover command
Installer finished

Re: Fix SSL on Chumby One

Francesco,
Further analysis.
On an Insignia 8, which was flashed with the Chumby 8 firmware. 
Control Panel: 5.0.38b2
Software Ver: 1.8.2
Firmware Ver: 1.8.3883
Model # 9.7

I ran the test-fix code and the created install.log file says this:

---------------------

Checking installation
Not recoverable installation
Update will not be installed because the system wasn't recognized
Was the SSL fix already applied?
End of test

19 (edited by francesco 2018-03-11 10:09:01)

Re: Fix SSL on Chumby One

Hello chankla.
The first log (Chumby 8) shows that the installation was already done and it was a valid and working one.

I admit the last line:

Unable to perform install/recover command

is a bit confusing. What it means in this context is that the installation was not repeated because it was already done before.

This is what I think happened. The first time you tried to install the fix, the usb key was mounted as readonly by the OS: the installation went smoothly but had no way to report it. Therefore the missing install.log.

My usb keys are fat32 and do work fine in the Chumby One: so maybe it's the Chumby 8 that handles them differently? Or maybe your keys were NTFS?

By the way this Saturday I've been working on a version of the test-fix that does not rely on the USB key being writable to report the compatibility of the system. It's almost ready.

Regarding the Insignia 8.

That is a bit more tricky.
Lack of the "Original installation" message means that it did not recognize the default library files.
My gut feeling is that there is a subtle difference in this firmware: I will send you a link to a modified version of debugchumby which will put in the log the list of the installed libcurl libraries.

Update:
Here's a version of test-sslfix that adds to install.log a list of the relevant files

https://beta.fpalab.com/public/d4alpq7o … ix-101.zip

(Only debugchumby was modified)

20 (edited by chankla 2018-03-11 22:33:42)

Re: Fix SSL on Chumby One

Hello Francesco,

That's exciting news about the new test-fix program.
I'll be glad to test it out for you on all the different chumby models I have.

Regarding TestFix 101, I ran it on both the Insignia 8 (I've mentioned before) and on the Chumby-ized Sony Dash.

Let me know what you think about the results:
My litmus test widget (WGraph) is not working on the Insignia 8 or the Sony.  Which points to it not being installed - so perhaps you will find the contents of the install log interesting...  Here are the logs:

Infocast 8:

---------------------

Sun Mar 11 22:10:47 PDT 2018
silvermoon

/lib/libcurl
lrwxrwxrwx    1 root     root            16 Mar  7 12:27 /lib/libcurl.so -> libcurl.so.4.0.0
lrwxrwxrwx    1 root     root            16 Mar  7 12:27 /lib/libcurl.so.4 -> libcurl.so.4.0.0
-rwxr-xr-x    1 root     root        241272 Jul  6  2011 /lib/libcurl.so.4.0.0

/usr/bin/curl
-rwxr-xr-x    1 root     root         59784 Jul  6  2011 /usr/bin/curl

/usr/share/certs/
total 225
-rw-r--r--    1 root     root        229223 Jul  6  2011 curl-ca-bundle.crt

Checking installation
Not recoverable installation
Update will not be installed because the system wasn't recognized
Was the SSL fix already applied?
End of test

Sony Dash:

---------------------

Sun Mar 11 23:19:39 PDT 2018
yume

/lib/libcurl
lrwxrwxrwx    1 root     root           16 Dec 31  1969 /lib/libcurl.so -> libcurl.so.4.0.0
lrwxrwxrwx    1 root     root           16 Dec 31  1969 /lib/libcurl.so.4 -> libcurl.so.4.0.0
-rwxr-xr-x    1 root     root      1424372 Dec 31  1969 /lib/libcurl.so.4.0.0

/usr/bin/curl
-rwxr-xr-x    1 root     root        66572 Dec 31  1969 /usr/bin/curl

/usr/share/certs/
-rwxr-xr-x    1 root     root       244600 Dec 31  1969 cacert.pem
-rw-r--r--    1 root     root       229223 Dec 31  1969 curl-ca-bundle.crt

Checking installation
Not recoverable installation
Update will not be installed because the system wasn't recognized
Was the SSL fix already applied?
End of test

Re: Fix SSL on Chumby One

I am following your discussion with hope, it would be so great to get SSL back.

22 (edited by francesco 2018-03-14 06:33:25)

Re: Fix SSL on Chumby One

Hello I'm back.

I found a bug in the test which would make it report false negatives.
The fix seems to be more compatible than I thought. In particular with the Chumby 8.

There are two new tests for the fix


https://beta.fpalab.com/public/d4alpq7o … ix-102.zip
This is just an update of the previous test and reports by writing an install.log file to the key. If the key is mounted as readonly, no report is available.


https://beta.fpalab.com/public/d4alpq7o … wi-150.zip
This is the new version of the fix. It's still a beta since it wasn't tested on an actual Chumby 8.

In addition to writing a log file, this test reports the success of the test by using images (with text) and should give more effective feedback.

If needed, access to the log is available through the internal web server of the Chumby.
More details are in the readme-wi.txt file (wi >> with images).


Finally, I think both the Insignia and the Dash (Update: the Dash not, as Duane points out below.) are compatible but I'm waiting for an actual test by chankla. Thank you for your help.

Post updated: Mistake caused by late hours and excess of optimism.

23 (edited by chankla 2018-03-13 17:40:49)

Re: Fix SSL on Chumby One

Gentlemen,
I ran the 102.zip on the Insignia 8 running C8 code and received this log:

---------------------

Tue Mar 13 18:18:02 PDT 2018
silvermoon

/lib/libcurl
lrwxrwxrwx    1 root     root            16 Mar  7 12:27 /lib/libcurl.so -> libcurl.so.4.0.0
lrwxrwxrwx    1 root     root            16 Mar  7 12:27 /lib/libcurl.so.4 -> libcurl.so.4.0.0
-rwxr-xr-x    1 root     root        241272 Jul  6  2011 /lib/libcurl.so.4.0.0

/usr/bin/curl
-rwxr-xr-x    1 root     root         59784 Jul  6  2011 /usr/bin/curl

/usr/share/certs/
total 225
-rw-r--r--    1 root     root        229223 Jul  6  2011 curl-ca-bundle.crt

Checking installation
Not recoverable installation
Original installation
curl 7.30.0 (arm-none-linux-gnueabi) libcurl/7.30.0 OpenSSL/1.0.2l zlib/1.2.3
Protocols: dict file ftp ftps http https tftp
Features: AsynchDNS Largefile NTLM SSL libz
Test of update successfull
Update can be successfully installed
/lib:/usr/lib:/usr/local/lib:/mnt/storage/lib:/mnt/storage/local/lib
End of test

Then I wiped & reloaded the USB and ran it on the Sony Dash Chumby and received this log:

---------------------

Tue Mar 13 18:25:27 PDT 2018
yume

/lib/libcurl
lrwxrwxrwx    1 root     root           16 Dec 31  1969 /lib/libcurl.so -> libcurl.so.4.0.0
lrwxrwxrwx    1 root     root           16 Dec 31  1969 /lib/libcurl.so.4 -> libcurl.so.4.0.0
-rwxr-xr-x    1 root     root      1424372 Dec 31  1969 /lib/libcurl.so.4.0.0

/usr/bin/curl
-rwxr-xr-x    1 root     root        66572 Dec 31  1969 /usr/bin/curl

/usr/share/certs/
-rwxr-xr-x    1 root     root       244600 Dec 31  1969 cacert.pem
-rw-r--r--    1 root     root       229223 Dec 31  1969 curl-ca-bundle.crt

Checking installation
Not recoverable installation
Original installation
Test failed: unable to load secured content
Unfortunately update will not work and should not be installed
/usr/local/dcchd/directfb/lib:/usr/local/mrua/MRUA_src/../lib:/usr/local/dcchd/dcchd/core:/usr/local/dcchd/dcchd/brd:/usr/local/dcchd/dcchd/dvdvr:/usr/local/dcchd/dcchd/mono:/usr/local/dcchd/dcchd/curacao:/usr/local/dcchd/dcchd/curacao/lib:/usr/local/dcchd/dcchd/dtv/tuner:/usr/local/dcchd/dcchd/dtv/capture:/usr/local/dcchd/dcchd/dtv/network:/usr/local/dcchd/dcchd/dtv:/usr/local/dcchd/dcchd/dtv/hal:/usr/local/dcchd/dcchd/dtv/capture:/usr/local/dcchd/dcchd/dcchd:/usr/local/dcchd/dcchd/dtv/acap:/usr/local/mrua/MRUA_src/lib:/lib:/usr/lib:/usr/local/mrua/lib:/usr/local/dcchd/directfb/lib:/usr/local/dcchd/dcchd/dcchd:/usr/local/dcchd/dcchd/core:/usr/local/dcchd/dcchd/mono:/usr/local/dcchd/dcchd/dtv:/usr/local/dcchd/dcchd/dtv/capture:/usr/local/dcchd/dcchd/dtv/network
End of test

Then finally, as a benchmark, I repeated on a Chumby 8 and received this log:

---------------------

Tue Mar 13 18:30:18 PDT 2018
silvermoon

/lib/libcurl
lrwxrwxrwx    1 root     root            16 Mar 10 11:37 /lib/libcurl.so -> libcurl.so.4.4.0
lrwxrwxrwx    1 root     root            16 Mar 10 11:37 /lib/libcurl.so.4 -> libcurl.so.4.4.0
-rwxr-xr-x    1 root     root        241272 Jul  6  2011 /lib/libcurl.so.4.0.0_bkp
-rwxr-xr-x    1 root     root        667652 Oct 19 10:29 /lib/libcurl.so.4.4.0

/usr/bin/curl
-rwxr-xr-x    1 root     root         85808 Oct 19 10:29 /usr/bin/curl
-rwxr-xr-x    1 root     root         59784 Jul  6  2011 /usr/bin/curl_bkp

/usr/share/certs/
total 477
-rwxr-xr-x    1 root     root        256008 Aug 12  2017 curl-ca-bundle.crt
-rw-r--r--    1 root     root        229223 Jul  6  2011 curl-ca-bundle.crt_bkp

Checking installation
Recoverable installation
SSL fix already installed.
End of test

Finally, to check it another way, I tried it on a Chumby One (white one with blue trim), which I have previously upgraded with your SSL fix.
The logs I received were:

---------------------

Tue Mar 13 18:35:45 PDT 2018
falconwing

/lib/libcurl
lrwxrwxrwx    1 root     root            16 Mar  6 22:21 /lib/libcurl.so -> libcurl.so.4.4.0
lrwxrwxrwx    1 root     root            16 Mar  6 22:21 /lib/libcurl.so.4 -> libcurl.so.4.4.0
-rwxr-xr-x    1 root     root       1184988 Nov  5  2010 /lib/libcurl.so.4.0.0_bkp
-rwxr-xr-x    1 root     root        667652 Oct  3 16:03 /lib/libcurl.so.4.4.0

/usr/bin/curl
-rwxr-xr-x    1 root     root         85808 Oct  3 16:03 /usr/bin/curl
-rwxr-xr-x    1 root     root         59784 Nov  5  2010 /usr/bin/curl_bkp

/usr/share/certs/
total 477
-rwxr-xr-x    1 root     root        256008 Aug 12  2017 curl-ca-bundle.crt
-rw-r--r--    1 root     root        229223 Nov  5  2010 curl-ca-bundle.crt_bkp

Checking installation
Recoverable installation
SSL fix already installed.
End of test

---------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------
Francesco, based on these results, what would you like me to try next?
I think I'll try the ssl-fix_wi-150 on the Insignia 8...

Re: Fix SSL on Chumby One

After running the new sslfix_wi-150 fix on the Insignia 8 with the Chumby firmware, I received the following install log:

---------------------

Tue Mar 13 18:42:15 PDT 2018
silvermoon
/lib/libcurl
lrwxrwxrwx    1 root     root            16 Mar  7 12:27 /lib/libcurl.so -> libcurl.so.4.0.0
lrwxrwxrwx    1 root     root            16 Mar  7 12:27 /lib/libcurl.so.4 -> libcurl.so.4.0.0
-rwxr-xr-x    1 root     root        241272 Jul  6  2011 /lib/libcurl.so.4.0.0
/usr/bin/curl
-rwxr-xr-x    1 root     root         59784 Jul  6  2011 /usr/bin/curl
/usr/share/certs/
total 225
-rw-r--r--    1 root     root        229223 Jul  6  2011 curl-ca-bundle.crt
Showing intro
Checking installation
Not recoverable installation
Original installation
curl 7.30.0 (arm-none-linux-gnueabi) libcurl/7.30.0 OpenSSL/1.0.2l zlib/1.2.3
Protocols: dict file ftp ftps http https tftp
Features: AsynchDNS Largefile NTLM SSL libz
Test of update successfull
Update can be successfully installed
/lib:/usr/lib:/usr/local/lib:/mnt/storage/lib:/mnt/storage/local/lib
Showing result
End of test

but my litmus test WGraph widgets are not running...
Hmmm.....
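
Reading the install.log files posted so far, as an added example that is not part of any post in this thread and is not the fix's own code: a small Python reader that pulls out the verdict line, the libcurl.so.4 link target, any _bkp files and the curl build string. The `fix_in_place` rule is an assumption drawn from the two patched-unit listings above, and both samples are excerpts of logs posted in the thread.

```python
import re

# Status lines copied from the install.log files posted in this thread.
VERDICTS = {
    "SSL fix already installed": "already-installed",
    "Update can be successfully installed": "compatible",
    "Test failed: unable to load secured content": "incompatible",
    "system wasn't recognized": "unrecognized",
}
LINK_RE = re.compile(r"^l.*\s/lib/libcurl\.so\.4 -> (\S+)$")

def summarize(log_text):
    """Extract verdict, libcurl link target, _bkp files and curl components."""
    info = {"verdict": "unknown", "libcurl_target": None,
            "backups": [], "components": {}}
    for raw in log_text.splitlines():
        line = raw.strip()
        link = LINK_RE.match(line)
        if link:
            info["libcurl_target"] = link.group(1)
        elif line.startswith("-") and line.endswith("_bkp"):
            info["backups"].append(line.split()[-1])
        elif line.startswith("curl "):
            # e.g. "curl 7.30.0 (...) libcurl/7.30.0 OpenSSL/1.0.2l zlib/1.2.3"
            info["components"] = dict(
                tok.split("/", 1) for tok in line.split()[1:] if "/" in tok)
        else:
            for needle, verdict in VERDICTS.items():
                if needle in line:
                    info["verdict"] = verdict
    # Assumption drawn from the two patched-unit logs: an installed fix
    # repoints libcurl.so.4 away from 4.0.0 and leaves *_bkp copies behind.
    info["fix_in_place"] = (
        info["libcurl_target"] not in (None, "libcurl.so.4.0.0")
        and bool(info["backups"]))
    return info

# Excerpt of the Chumby 8 log posted above (unit already patched).
SAMPLE_PATCHED = """\
lrwxrwxrwx    1 root     root            16 Mar 10 11:37 /lib/libcurl.so.4 -> libcurl.so.4.4.0
-rwxr-xr-x    1 root     root        241272 Jul  6  2011 /lib/libcurl.so.4.0.0_bkp
-rwxr-xr-x    1 root     root        667652 Oct 19 10:29 /lib/libcurl.so.4.4.0
-rwxr-xr-x    1 root     root         59784 Jul  6  2011 /usr/bin/curl_bkp
Recoverable installation
SSL fix already installed.
"""

# Excerpt of the Insignia 8 log posted above (test passed, libraries unchanged).
SAMPLE_TEST_ONLY = """\
lrwxrwxrwx    1 root     root            16 Mar  7 12:27 /lib/libcurl.so.4 -> libcurl.so.4.0.0
-rwxr-xr-x    1 root     root        241272 Jul  6  2011 /lib/libcurl.so.4.0.0
Original installation
curl 7.30.0 (arm-none-linux-gnueabi) libcurl/7.30.0 OpenSSL/1.0.2l zlib/1.2.3
Test of update successfull
Update can be successfully installed
"""
```

On the second sample the verdict is `compatible` while `fix_in_place` is false: the listing still shows libcurl.so.4 pointing at libcurl.so.4.0.0 with no _bkp files.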

Re: Fix SSL on Chumby One

francesco wrote:

Hello I'm back.
Finally, I think both the Insignia and the Dash are compatible....

The dash uses a MIPS processor, so ARM binaries won't work on it. In any case, the dash already supports SSL, however it has a redirect bug in the Flash Player which can't be resolved with a library update - redirects from http to https stay on port 80 instead of switching to 443.

Note also that we're testing an "official" chumby One firmware release that updates the Flash Player to 4.0.2 and adds SSL support - see http://forum.chumby.com/viewtopic.php?id=10035