[OE] Getting the curl-based apps (Webkit browsers!) working with HTTPS

"Marco Trevisan (Treviño)" mail at 3v1n0.net
Tue Jan 27 05:05:05 CET 2009

The biggest itch I had when using my Openmoko for browsing the Net was
that I wasn't able to connect to the greater part of the https pages.
Only Minimo (sometimes), dillo (if recompiled with ssl support, and if
the page was good for it) and fennec (after some minutes for loading it
:|) could give me some chances; but this was all absolutely unusable.

I wanted a working Webkit-based browser!
This is very important to me since, in many circumstances, I can navigate
only after I've established an https connection (i.e.: at my
University I must log in to the WiFi network by accessing an https page).

Some time ago I researched a little about this issue [1]; at the
beginning I thought that the problem was in Webkit itself, but then I
found that the problem was in the libcurl library provided by
OpenEmbedded (since the same webkit library was working fine in debian).

This evening I tried to understand more about the Openmoko/OE issue;
practically, the libcurl4 library provided by our main distributions has
not been compiled with any ssl support (at least this happens in Om2008, but
it _should_ be fixed using the latest Angstrom feeds).
So, as a first step, I've compiled libcurl with gnutls support by
configuring it with:
 --with-random=/dev/urandom --with-gnutls=${OM_PATH}/usr --without-ssl

BTW, even after this step I didn't have the https links working...

The problem was that I didn't provide libcurl with any certificate; so
I've copied from my PC the file /etc/ssl/certs/ca-certificates.crt and I
finally got the https protocol working with curl!
I've tested both the curl client and all the webkit-based browsers I have
(Midori, Openmoko-browser2 and mostly eWWW [2]).

Not to worry too much about certificates (well, there are greater
security issues around :|), I've also made a small patch to always avoid
the ssl verification (so even with no ca-certificates.crt file on your
phone, you should be able to get any https site) [3].

However, to get all this simply working on your phone you only have to:
 - opkg install libgnutls13 libgcrypt11 libgpg-error0
 - unpack from your phone root libcurl-gnutls.tar.bz2 [4] or
   libcurl-gnutls-unsafe.tar.bz2 [5] (if you want to use the patched
   libcurl to trust any ssl host by default - this package includes
   the unneeded ca-certificates.crt anyway).
 - you can upgrade your webkit library with this one [6] (optional) that
   includes the SquirrelFish extreme javascript engine.
 - Play with any webkit browser you want :)

It's not needed to backup (mine is called libcurl-gnutls.so.5.1.1). To
switch back to your previous libcurl library you simply need to:
 - ln -sf libcurl.so.4.1.0 /usr/lib/libcurl.so.4

Sorry for the long prelude, but I like to tell "stories"... :P


PS: for Openmoko packagers, I figure that to fix this issue in every
Openmoko device you should simply compile curl to use gnutls and provide
some certificates.

[1] http://lists.openmoko.org/nabble.html#nabble-td1383309|a1450113
[2] http://3v1n0.net/openmoko/ewww-gmail-ssl.png
[3] http://3v1n0.net/openmoko/curl-always-avoid-ssl-verification.patch
[4] http://downloads.tuxfamily.org/3v1deb/openmoko/libcurl-gnutls.tar.bz2

Treviño's World - Life and Linux
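
The two failure modes described in the message (a libcurl built without a TLS backend, then a TLS-enabled libcurl with no CA certificates to verify against) can be told apart from `curl -V` output and the bundle file. The script below is an added example, not part of the original post; the function names, the sample version strings and the default bundle path on the device are assumptions.

```shell
#!/bin/sh
# Added example: classify a libcurl install from `curl -V` text and a CA bundle.

# Constructed samples in the format `curl -V` prints (versions are made up).
SAMPLE_NO_TLS='curl 7.18.2 (arm-linux) libcurl/7.18.2 zlib/1.2.3
Protocols: tftp ftp telnet dict http file
Features: Largefile libz'
SAMPLE_GNUTLS='curl 7.18.2 (arm-linux) libcurl/7.18.2 GnuTLS/2.4.2 zlib/1.2.3
Protocols: tftp ftp telnet dict http file https ftps
Features: Largefile SSL libz'

# tls_backend VERSION_TEXT -> prints e.g. "GnuTLS/2.4.2", or "none"
tls_backend() {
    printf '%s\n' "$1" | sed -n '1p' | tr ' ' '\n' |
        grep -i -E '^(GnuTLS|OpenSSL|NSS)/' || echo none
}

# classify_curl VERSION_TEXT CA_BUNDLE -> prints no-tls | no-ca-bundle | ok
classify_curl() {
    # Case 1: built without a TLS backend, so "https" is absent from Protocols.
    protocols=$(printf '%s\n' "$1" | sed -n 's/^Protocols: *//p')
    case " $protocols " in
        *" https "*) ;;
        *) echo no-tls; return 0 ;;
    esac
    # Case 2: TLS is compiled in, but there are no readable PEM
    # certificates to verify servers against.
    if [ ! -r "$2" ] || ! grep -q -e '-----BEGIN CERTIFICATE-----' "$2"; then
        echo no-ca-bundle; return 0
    fi
    echo ok
}

# Stand-alone run: inspect the local curl if there is one.
# The default bundle path is an assumption; pass another as $1.
if command -v curl >/dev/null 2>&1; then
    v=$(curl -V 2>/dev/null || true)
    echo "backend: $(tls_backend "$v")"
    echo "status:  $(classify_curl "$v" "${1:-/etc/ssl/certs/ca-certificates.crt}")"
fi
```

A result of `ok` means certificate verification can stay enabled, since both the TLS backend and a CA bundle are present.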
