Old 04-21-2018, 01:35 PM   #1
LarBob
Device: Kindle 3G
Updating CAs on Kindle 3G

How would I go about updating the CAs on a Kindle 3G? The script found here seems to only work in bash and also the Kindle only has OpenSSL 0.9.8j instead of OpenSSL 1.1.0f. Is there a way I could update the version of OpenSSL on the Kindle and add these CAs?
Old 04-21-2018, 01:44 PM   #2
LarBob
Device: Kindle 3G
Okay, so I just copied certificates from an Ubuntu installation and it appears to have worked, but I'd still like to update this old version of OpenSSL. Any suggestions?
Old 04-21-2018, 04:36 PM   #3
NiLuJe
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
There's a soname & sover change between OpenSSL 0.9.8 and OpenSSL 1.x, so I'm not terribly convinced nothing will blow up in strange and mysterious ways if you do.

(I'm not familiar with the details of OpenSSL's API/ABI [because it's hell], so this may be more feasible than I'm making it look).

I also don't know if the last 0.9.8 release, 0.9.8zh, is 'good enough' for what you hope to achieve.

What I can tell you is that I kept building my own stuff against 0.9.8 on those FWs to make my life easier and not have to deal with any of that kind of fallout.

Last edited by NiLuJe; 04-21-2018 at 04:39 PM.
Old 04-22-2018, 02:31 AM   #4
knc1
Device: No K1, PW2, KV, KOA
Quote:
Originally Posted by LarBob View Post
Okay, so I just copied certificates from an Ubuntu installation and it appears to have worked, but I'd still like to update this old version of OpenSSL. Any suggestions?
It would be very difficult to "get it right" and there is no point to doing it.

The March update (of several years ago) for the K3 was more than just new CA records.
When first released, it was a separate update but at some time afterwards, Amazon rolled it into the 3.4.2, K3 update without changing the version number (or the URL link).

So now that you have put "foreign" files onto the system ...

*) remove them and restore the state of the file system to what it was before you made any changes or additions.
Why?
Because the files are manifested and checksummed for the "incremental" style of updates used by the 3.x series firmware.
The device will brick if updated when altered files exist on the system.

*) Follow the update directions for your model of device here:
https://www.amazon.com/gp/help/custo...deId=200529700
As I noted above, the image updates linked there already have the TLS changes and the CA certificate updates bundled into them.
Even though the firmware version was not changed from what is shown as installed on your device!
or
just do it because I say so.
I.E: Just because your device says it is running 3.4.2 does not mean it is running what is NOW posted by Amazon as 3.4.2

*) Afterward, stop screwing with the system files, you don't have the required background on the Kindle system to be doing that (if you did, you would have never just stuffed the Ubuntu CA files onto it.)
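knc1's point that the 3.x incremental updates check files against a checksummed manifest is a good reason to record your own checksums before touching a system directory, so that a later restore can be verified. The script below is an added example, not from the thread and not Amazon's manifest format; the paths are placeholders, and it assumes `md5sum`, `find`, `sort`, `awk` and `mktemp` are available in the device's shell environment.

```shell
#!/bin/sh
# Added example (not from the thread). Record checksums of a directory before
# changing it, then check later that it was restored byte-for-byte.
# Assumes md5sum, find, sort, awk and mktemp exist (BusyBox normally has them).

# snapshot DIR MANIFEST: one "<md5>  ./relative/path" line per regular file.
# Keep MANIFEST outside DIR so it does not list itself. Symlinks are skipped.
snapshot() {
    ( cd "$1" && find . -type f -exec md5sum {} \; ) | sort -k 2 > "$2"
}

# verify DIR MANIFEST: print EXTRA/CHANGED/MISSING lines; return 0 only if
# DIR matches the manifest exactly.
verify() {
    v_tmp=$(mktemp) || return 2
    snapshot "$1" "$v_tmp"
    v_rc=0
    awk '
        { path = substr($0, index($0, "  ") + 2) }    # text after "<md5>  "
        FILENAME == ARGV[1] { want[path] = $1; next } # first file: the manifest
        !(path in want)     { print "EXTRA   " path; bad = 1; next }
                            { seen[path] = 1 }
        want[path] != $1    { print "CHANGED " path; bad = 1 }
        END {
            for (p in want)
                if (!(p in seen)) { print "MISSING " p; bad = 1 }
            exit bad + 0
        }
    ' "$2" "$v_tmp" || v_rc=$?
    rm -f "$v_tmp"
    return "$v_rc"
}

# Usage (both paths are placeholders, not paths taken from the thread):
#   sh ca-manifest.sh snapshot /path/to/ca-dir /path/to/ca-dir.md5
#   sh ca-manifest.sh verify   /path/to/ca-dir /path/to/ca-dir.md5
case "${1:-}" in
    snapshot|verify) "$@" ;;
esac
```

Run `snapshot` before making any change and `verify` after restoring; any `EXTRA`, `CHANGED` or `MISSING` line means the directory is not back in its original state.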
Old 04-22-2018, 03:31 PM   #5
LarBob
Device: Kindle 3G
Quote:
Originally Posted by knc1 View Post
It would be very difficult to "get it right" and there is no point to doing it.

The March update (of several years ago) for the K3 was more than just new CA records.
When first released, it was a separate update but at some time afterwards, Amazon rolled it into the 3.4.2, K3 update without changing the version number (or the URL link).

So now that you have put "foreign" files onto the system ...

*) remove them and restore the state of the file system to what it was before you made any changes or additions.
Why?
Because the files are manifested and checksummed for the "incremental" style of updates used by the 3.x series firmware.
The device will brick if updated when altered files exist on the system.

*) Follow the update directions for your model of device here:
https://www.amazon.com/gp/help/custo...deId=200529700
As I noted above, the image updates linked there already have the TLS changes and the CA certificate updates bundled into them.
Even though the firmware version was not changed from what is shown as installed on your device!
or
just do it because I say so.
I.E: Just because your device says it is running 3.4.2 does not mean it is running what is NOW posted by Amazon as 3.4.2

*) Afterward, stop screwing with the system files, you don't have the required background on the Kindle system to be doing that (if you did, you would have never just stuffed the Ubuntu CA files onto it.)
I did think that it might cause some problems, but I backed up the old files beforehand. Even if it did brick, I got this Kindle for $22 off of eBay to mess around with chrooting into Debian on it and just play around with it. It's not a big deal to me, and even if it were to brick if updating, that's fine because I'm not going to update it. I stuffed the Ubuntu CA files onto it to see if it would work (and it did), I already got enough enjoyment out of messing with this device to make the $22 USD worth it to me. Thanks though.
Old 04-22-2018, 04:49 PM   #6
knc1
Device: No K1, PW2, KV, KOA
You will not be able to connect with anything using TLS until you fix that part of the system.
Which is why I gave you the directions which I did.

If you don't want help, then don't ask for it.
Old 04-23-2018, 07:33 PM   #7
LarBob
Device: Kindle 3G
Quote:
Originally Posted by knc1 View Post
You will not be able to connect with anything using TLS until you fix that part of the system.
Which is why I gave you the directions which I did.

If you don't want help, then don't ask for it.
Sorry if I came off that way. My Kindle did, however, still seem to be able to negotiate SSL/TLS connections with less complaint. At your suggestion I have restored it to how it was before. I did notice though that when I had the other files in place it stopped complaining when connecting to sites such as Wikipedia, but complained that places like Google had invalid certificates. If you don't mind, could you explain that to me please? Thanks.

Last edited by LarBob; 04-23-2018 at 07:40 PM.