Old 05-30-2017, 01:28 AM   #49
mergen3107
Wizard
Posts: 1,077
Karma: 4234828
Join Date: Feb 2012
Location: Cape Canaveral
Device: Kindle Scribe
Dear knc1,

Thank you so much for your detailed instructions!
Today I finally got my hands on this issue and updated the certificates.
After a bit of investigation, here is a recap for those who would like to repeat this on their Kindle 4 Non-Touch:

1) Download a Debian package from here (I used jessie, which is stable);
2) Copy all the archive's content to Kindle's root (/usr to /usr, /etc to /etc);
3) Create ca-certificates.conf in /mnt/us/, containing only the comments from this example. Make sure it uses LF line endings (Unix), not CR LF (Windows). Otherwise the update script cannot read it properly (yes, the first time I did it wrong);
4) Update this conf:
$ cd /usr/share/ca-certificates/
$ find -type f -name '*.crt' >> /mnt/us/ca-certificates.conf
5) Copy it to the /etc/ folder (I removed the leading ./ symbols; I think this is optional, but I didn't test it). Don't forget to do mntroot rw first;
6) Run (from PuTTY cmd):
$ update-ca-certificates
It should show:
Updating certificates in /etc/ssl/certs...
and then an update on how it did.

This script created symbolic links in /etc/ssl/certs/ folder (however they have a .pem extension and L777 attribute at the same time, never seen such links before on Ubuntu, Nook or Kindle) and completely replaced ca-certificates.cert in there.

Outcomes:
1) Wikipedia is doing it all smoothly, without any warnings!
2) WSJ.com is not loading, or even trying. However, even openssl cannot connect to it from a PC:
Code:
> openssl s_client -showcerts -connect www.wsj.com:443
Loading 'screen' into random state - done
CONNECTED(00000200)
15692:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:./ssl/s23_clnt.c:580:
Then I found that, probably due to the Kindle browser's User Agent that says 'Kindle', WSJ is blocking it. The reason is that for Kindle Unlimited & WSJ subscribers there is a dedicated channel to receive WSJ news.
So I just gave up accessing it from the browser.

3) NYTimes is doing better than before. Now it loads OK until the last point, where it complains that it cannot establish a secure connection with something else, other than nytimes itself (I didn't remember the link), and suggests 'yes' to continue. Then it says that Kindle cannot load the requested page, but this time it refers not to nytimes (it doesn't disappear) but to that last bit. I checked from a PC and I think it is a pop-up banner that shows up upon loading; I am 99% confident that popups are not supported in Kindle 4's browser.
4) Unencrypted websites like the-ebook.org or readrate.com just ask once whether I would like to say 'yes' like before, but that's OK! They are still readable.

Finally, the certificates and security issue was resolved all the way until it reaches the boundaries of the ancient Kindle browser's bottleneck. I am very glad to see that the browser was designed wisely enough (thanks lab126!) to pick up this Unix-type structure of certificates.

Thank you knc1 again! That was a wonderful journey to Unix world's security country.

P.S. Since I mentioned it above, I hope this detail is not off-topic. In order to get 'zoomed in' readable websites, we can use mobile versions of some websites, for example, m.nytimes.com (I guess somebody already suggested that here, but sorry, I don't remember) along with a Readability css tweak (I believe it is tweakable since its css is available in /usr/share/browser/readability_min_utf16.css):
Spoiler:

Readability css (separated to make it readable. Word play, huh)
Code:
#readOverlay{display:block;position:absolute;top:0;left:0;width:100%;}
#readInner{line-height:1.4em;max-width:800px;margin:1em auto;}
#readInner a{color:#039;text-decoration:none;}
#readInner a:hover{text-decoration:underline;}
#readInner img{float:left;clear:both;margin:0 12px 12px 0;}
#readInner h1{display:block;width:100%;border-bottom:1px solid #333;font-size:1.2em;padding-bottom:.5em;margin-bottom:.75em;}
#readInner blockquote{margin-left:3em;margin-right:3em;}
#readability-inner *{margin-bottom:16px;border:none;background:none;}
#readFooter{display:block;border-top:1px solid #333;text-align:center;clear:both;overflow:hidden;}
.size-x-small{font-size:12px;}
.size-small{font-size:15px;}
.size-medium{font-size:18px;}
.size-large{font-size:22px;}
.size-x-large{font-size:28px;}
.style-newspaper{font-family:"Times New Roman",Times,serif;background:#fbfbfb;color:#080000;}
.style-newspaper h1{text-transform:capitalize;font-family:Georgia,"Times New Roman",Times,serif;}
.style-newspaper #readInner a{color:#0924e1;}
.style-novel{font-family:"Palatino Linotype","Book Antiqua",Palatino,serif;background:#f4eed9;color:#1d1916;}
.style-novel #readInner a{color:#1856ba;}
.style-ebook{font-family:Arial,Helvetica,sans-serif;background:#edebe8;color:#2c2d32;}
.style-ebook #readInner a{color:#187dc9;}
.style-ebook h1{font-family:"Arial Black",Gadget,sans-serif;font-weight:400;}
.style-terminal{font-family:"Lucida Console",Monaco,monospace;background:#1d4e2c;color:#c6ffc6;}
.style-terminal #readInner a{color:#093;}
.margin-x-narrow{width:95%;}
.margin-narrow{width:85%;}
.margin-medium{width:75%;}
.margin-wide{width:55%;}
.margin-x-wide{width:35%;}
table,tr,td{background-color:transparent!important;}


Important Update
I had some problems with delivering purchased books.
Tried to revert the old certificates - the delivery worked.
Then I just copied the first three certificate blocks from old cert file to new one - and it worked!

Last edited by mergen3107; 05-30-2017 at 07:31 AM.
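Added example, not part of the original post: a shell sketch of steps 3 to 5 (building ca-certificates.conf with LF-only line endings and without the leading ./) and of the "first three certificate blocks" extraction from the Important Update. The function names build_ca_conf, has_cr and first_pem_blocks are hypothetical helpers, and every path is supplied by the caller; the demo uses constructed files in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post. All paths are passed in by the caller.

# build_ca_conf CERT_DIR HEADER_FILE OUT_FILE
# Writes the header's comment lines, then one relative .crt path per line.
build_ca_conf() {
    cert_dir=$1; header=$2; out=$3
    {
        # Strip CR so a header saved with CRLF endings still yields an LF-only file.
        tr -d '\r' < "$header" | grep '^#' || true
        # List certificates relative to CERT_DIR, without the leading "./".
        ( cd "$cert_dir" && find . -type f -name '*.crt' ) | sed 's|^\./||' | sort
    } > "$out"
}

# has_cr FILE: succeeds if FILE contains a carriage return (CRLF line endings).
has_cr() {
    grep -q "$(printf '\r')" "$1"
}

# first_pem_blocks N BUNDLE: print the first N (N >= 1) certificate blocks of a PEM bundle.
first_pem_blocks() {
    awk -v n="$1" '
        /^-----BEGIN CERTIFICATE-----/ { inblk = 1 }
        inblk { print }
        /^-----END CERTIFICATE-----/ { inblk = 0; if (++seen >= n) exit }
    ' "$2"
}

# Demo on constructed sample data in a scratch directory.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/certs/mozilla"
    : > "$d/certs/mozilla/Example_Root_A.crt"
    : > "$d/certs/mozilla/Example_Root_B.crt"
    printf '# constructed header\r\n# saved with CRLF\r\n' > "$d/header"
    build_ca_conf "$d/certs" "$d/header" "$d/ca-certificates.conf"
    cat "$d/ca-certificates.conf"
    rm -rf "$d"
}
demo
```

Running has_cr on the generated file before copying it to /etc/ catches the CR LF mistake described in step 3; the output of first_pem_blocks is what would be appended to the new bundle.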