Font, ScreenSaver & USBNetwork Hacks for Kindle 2.x, 3.x & 4.x

[eschwartz]

Try installing the latest version of the hack, from the Snapshots thread.

Or install it using the MobileRead Package Installer.

Problem: the old packager had a bug that made it only work for older versions/build numbers, and the recent firmware update bumped it over the threshold.

[jackieone]

thanks for your reply.
Unfortunately, I do not know what you are referencing. I have unsuccessfully attempted to install Update_jailbreak_0.13.N_k3g_install.bin, I thought that was the latest.
If you happen to have a link pointing me to the information you mentioned, I will use it and try to resolve this problem.
Again, thank you.

[knc1]

Quote:

Originally Posted by jackieone

thanks for your reply.
Unfortunately, I do not know what you are referencing. I have unsuccessfully attempted to install Update_jailbreak_0.13.N_k3g_install.bin, I thought that was the latest.
If you happen to have a link pointing me to the information you mentioned, I will use it and try to resolve this problem.
Again, thank you.

Ah, probably confused by your posting about problems with the jail break in a thread where it is off-topic.

Forum index page ;
Just below the blue bar ;
Set the prefix filter to "tools" ;
Click the "show threads" ;
Find the "Snapshots" thread near the top of those shown.

PS: The snapshot items always carry the current release number, it will not be increased until they are released.
So yes, the things in the snapshot thread **are newer** - unlike the impression the version number might give.

[Jedidiyah]

This may be off topic here but I couldn't find a better fit, I was told to ask in the "hack area". https://www.mobileread.com/forums/sho...20#post3122620

Twitter, Wikipedia, etc. recently disabled SSL 3.0 http://blog.fastmail.com/2014/10/15/...vulnerability/ which old kindles used to access them. Amazon apparently fixed it for Kindle Keyboard in the latest software update v3.4.1., but their tech support told me that they are unlikely to do it for Kindle DXG that I have. Is a there a user made hack that restores access to those sites?

[knc1]

Quote:

Originally Posted by Jedidiyah

This may be off topic here but I couldn't find a better fit, I was told to ask in the "hack area". https://www.mobileread.com/forums/sho...20#post3122620

Twitter, Wikipedia, etc. recently disabled SSL 3.0 http://blog.fastmail.com/2014/10/15/...vulnerability/ which old kindles used to access them. Amazon apparently fixed it for Kindle Keyboard in the latest software update v3.4.1., but their tech support told me that they are unlikely to do it for Kindle DXG that I have. Is a there a user made hack that restores access to those sites?

We have blue button at the top left of the index page that fits **ANY** situation.
It is labeled "New Thread".

- - - -

I think the only thing that v3.4.1 did was install a current set of trusted web certificates.
I.E: That would not change what TLS protocol was nogoiated by the client.

- - - -

You do not mention what browser you are using on the DX.
But if your using the Amazon provided one, you should consider using a different browser.
(After updating the trusted certificate set yourself - that may be the only thing you need to change.)

We have had alternate browsers posted here, I do not know if any of them work (or are supposed to work) on the DX/DXG.
You would have to do some search/research here to learn about what devices the various alternative browsers support.

[eschwartz]

re: alternate browsers, I am only aware of Midori and Skipstone, both of which only support the KT and on.

But I want to know when the heck update 3.4.2 came out for the K3. https://s3.amazonaws.com/G7G_Firmwar...3.4.2_B008.bin
Bunch of miscellaneous fixes all over the place, not just certs:

Spoiler:

Code:

000.busybox.patch
001.epoch.txt.patch
002.prettyversion.txt.patch
003.version.txt.patch
004.AudiblePlayer.jar.patch
005.AudioPlayer.jar.patch
006.Browser.jar.patch
007.Home.jar.patch
008.KindletBooklet-1.2.jar.patch
009.language.jar.patch
010.MobiReader.jar.patch
011.msp.jar.patch
012.PictureViewer.jar.patch
013.Search.jar.patch
014.XymlBooklet.jar.patch
015.ServerConfig.conf.patch
016.backport-util-concurrent-3.1.jar.patch
017.booklet.jar.patch
018.framework-api.jar.patch
019.framework-impl.jar.patch
020.HTMLReader-impl.jar.patch
021.jdbm.jar.patch
022.Journal-update.jar.patch
023.json.jar.patch
024.KindleDeviceServicesAbstraction-1.0.jar.patch
025.KindleDeviceServicesShasta-1.0.jar.patch
026.KindleGUIAbstraction-1.0.jar.patch
027.KindleGUIShasta-1.0.jar.patch
028.kindlePageNumbersDeviceReader.jar.patch
029.Kindlet-1.2.jar.patch
030.KindletBookletDRM-1.0.jar.patch
031.KindletImplementation-1.2.jar.patch
032.kxml2.jar.patch
033.mobi8sdk.jar.patch
034.MobiCore-impl.jar.patch
035.MobipocketCoreReader.jar.patch
036.PDFReader-impl.jar.patch
037.portability-impl.jar.patch
038.portability.jar.patch
039.ReaderSDK.jar.patch
040.SearchSDK.jar.patch
041.utilities.jar.patch
042.xyml.jar.patch
043.firmware.md5.patch
044.browserd.patch
045.curl.patch
046.curl-config.patch
047.fc-cache.patch
048.fc-cat.patch
049.fc-list.patch
050.fc-match.patch
051.kdb_static.patch
052.ntpdate.patch
053.pango-querymodules.patch
054.preload_static.patch
055.webreader.patch
056.xd.patch
057.xslt-config.patch
058.xsltproc.patch
059.cvm.patch
060.basis.jar.patch
061.charsets.jar.patch
062.sunjce_provider.jar.patch
063.jaas.jar.patch
064.jce.jar.patch
065.jsse-cdc.jar.patch
066.libdbusjni.so.patch
067.libjniaudible.so.patch
068.libmobi8sdkjni.so.patch
069.libTopaz.so.patch
070.localedata.jar.patch
071.java.security.patch
072.local_policy.jar.patch
073.US_export_policy.jar.patch
074.libasound_module_pcm_retune.so.0.0.0.patch
075.libcairo-trace.so.0.0.0.patch
076.libdirectfb_linux_input.so.patch
077.libidirectfbimageprovider_jpeg.so.patch
078.libidirectfbimageprovider_png.so.patch
079.libenchant_ispell.so.patch
080.libenchant_myspell.so.patch
081.libpixmap.so.patch
082.im-am-et.so.patch
083.im-cedilla.so.patch
084.im-cyrillic-translit.so.patch
085.im-inuktitut.so.patch
086.im-ipa.so.patch
087.im-multipress.so.patch
088.im-thai.so.patch
089.im-ti-er.so.patch
090.im-ti-et.so.patch
091.im-viqr.so.patch
092.libpixbufloader-ani.so.patch
093.libpixbufloader-bmp.so.patch
094.libpixbufloader-icns.so.patch
095.libpixbufloader-ico.so.patch
096.libpixbufloader-pcx.so.patch
097.libpixbufloader-pnm.so.patch
098.libpixbufloader-ras.so.patch
099.libpixbufloader-tga.so.patch
100.libpixbufloader-wbmp.so.patch
101.libpixbufloader-xbm.so.patch
102.libprintbackend-file.so.patch
103.libprintbackend-lpr.so.patch
104.libferret.so.patch
105.libgail.so.patch
106.libatk-1.0.so.0.2609.1.patch
107.libcairo-gobject.so.2.11000.2.patch
108.libcairo-script-interpreter.so.2.11000.2.patch
109.libcairo.so.2.11000.2.patch
110.libcurl.so.5.2.0.patch
111.libdirect-1.2.so.0.0.0.patch
112.libdirectfb-1.2.so.0.0.0.patch
113.libelektra-cpp.so.0.0.0.patch
114.libenchant.so.1.4.2.patch
115.libexslt.so.0.8.13.patch
116.libfontconfig.so.1.3.0.patch
117.libfreetype.so.6.3.20.patch
118.libfusion-1.2.so.0.0.0.patch
119.libgailutil.so.18.0.1.patch
120.libgcrypt.so.11.5.2.patch
121.libgdk-directfb-2.0.so.0.1600.5.patch
122.libgdk_pixbuf-2.0.so.0.1600.5.patch
123.libgnutls.so.26.14.11.patch
124.libgnutlsxx.so.26.14.11.patch
125.libgtk-directfb-2.0.so.0.1600.5.patch
126.libpango-1.0.so.0.2400.5.patch
127.libpangocairo-1.0.so.0.2400.5.patch
128.libpangoft2-1.0.so.0.2400.5.patch
129.libsoup-2.4.so.1.3.0.patch
130.libsqlite3.so.0.8.6.patch
131.libtag_c.so.0.0.0.patch
132.libtag.so.1.5.0.patch
133.libwebkit-1.0.so.2.5.0.patch
134.libwebkitgtk-1.0.so.0.0.1.patch
135.libxslt.so.1.1.17.patch
136.pango-arabic-fc.so.patch
137.pango-arabic-lang.so.patch
138.pango-basic-fc.so.patch
139.pango-hangul-fc.so.patch
140.pango-hebrew-fc.so.patch
141.pango-indic-fc.so.patch
142.pango-indic-lang.so.patch
143.pango-khmer-fc.so.patch
144.pango-syriac-fc.so.patch
145.pango-thai-fc.so.patch
146.pango-tibetan-fc.so.patch
147.pppd.patch
148.tmd.patch

As for the 3.4.1 update, as knc1 said, it only patched the certs (and libsoup and libcurl ).

[knc1]

Quote:

Originally Posted by eschwartz

re: alternate browsers, I am only aware of Midori and Skipstone, both of which only support the KT and on.

But I want to know when the heck update 3.4.2 came out for the K3. https://s3.amazonaws.com/G7G_Firmwar...3.4.2_B008.bin
Bunch of miscellaneous fixes all over the place, not just certs:
- - - -

Ah, so - touch screen only.
I should have known, twobob was doing nearly all of his work for the KT (last to have audio support).

Ah, right - I had forgotten about 3.4.2 - last winter sometime, it only got mentioned here a few times.

Amazon did post sources labeled 3.4.2 - which **should** contain the patched sources.
Not to say that it does, but with the labeling of the patches, it should be easy to know where to look.

Then to re-spin those source code changes for the K2/DX/DXG (they all run the same 2.5.8 build) -
that might be a bit ambitous - even for Amazon.

Hmm....
The 'magic' this poster seeks might be in that ...ssl... patch. (That would be a good place to disable a client protocol.)

[eschwartz]

I remember the 3.4.1 update, just mentioned a few times. Don't remember hearing a peep about 3.4.2 -- and I keep a close eye on the threads in this forum!

Anyway, agreed it will probably be somewhere in the SSL patches.

Could these be applied to the Frankenstein DX firmware?

[knc1]

Two thoughts occured to me after sleeping on the question -

Disabling a client protocol in the ssl libraries would do nothing for the non-encrypted clients.
There must be other places the change was made.
(If it is in the Amazon code, we are SoL.)

It might help if we knew what was common between 2.5.8, 3.4.1 and 3.4.2, after discarding identical files, it might be easier to judge if it is even worth looking deeper into the fix.

I will try to get some numbers on that question today by running the cataloging/audit scripts on a tree of the three source bundles.

- - - -

A third thought occured to me while writing this post.

If Amazon is still selling re-furbished DX/DXG devices, did they re-furbish the firmware also?

Perhaps some of our members who have recently purchased one of these re-furbished devices could tell us it the problem was 'fixed' by the re-furbisher.

I have at least one each, of each K2, DX and DXG model.
We could do a search for the "binary solution" if the re-furbished devices have been fixed and the owner will share a copy of the re-furbished firmware that is installed.
(I am certain that I still have the scripting to copy-out a DX image, the script I wrote for twobob.)

[eschwartz]

I suspect if Amazon had fixed refurbished the DXG firmware, they would be more than happy to offer it as an OTA upgrade.

[knc1]

Here is the catalog of 2.5.8, 3.4.1, and 3.4.2 source file releases.

Bottom line:
Looks like too many differences to find and fix 2.5.8

[Jedidiyah]

Quote:

Originally Posted by knc1

I think the only thing that v3.4.1 did was install a current set of trusted web certificates. I.E: That would not change what TLS protocol was nogoiated by the client.
- - - -
You do not mention what browser you are using on the DX. But if your using the Amazon provided one, you should consider using a different browser. (After updating the trusted certificate set yourself - that may be the only thing you need to change.)

We have had alternate browsers posted here, I do not know if any of them work (or are supposed to work) on the DX/DXG. You would have to do some search/research here to learn about what devices the various alternative browsers support.
-------------
If Amazon is still selling re-furbished DX/DXG devices, did they re-furbish the firmware also?

Perhaps some of our members who have recently purchased one of these re-furbished devices could tell us it the problem was 'fixed' by the re-furbisher.

I am using the provided browser, I did not even know about other ones. After your post I looked in the comprehensive list of hacks and did not find any there, there is a separate thread for SkipStone but it explicitly says there that it doesn't work for DX. The only thing I can think of is Yifan Lu's Kindle 3.1 software upgrade, but it requires another kindle and I am not sure if it would make a difference for web searching.

After some experimenting I found that while urls (www.m.wikipedia.org) and links from Google searches do not work, Wikipedia links from Yahoo searches do work, and once I am in internal Wikipedia links also work (?????). Unfortunately, this only works for Wikipedia and I have a feeling it won't last, some blogs and forums I used to read are now blinking out of access from saved urls, and both Google and Yahoo.

Customer service told me that they are not selling new DXs since 2013, and I remember reading a review back then which complained that Amazon did not bother to make even the most basic updates before they started reselling them.

[knc1]

I was wrong about the alternate browsers, none of them work on a (physical) keyboard device.

Do you have a few more example urls that do not work?
One is a sort of small sample.

I suspect the problem isn't usage of SSLv3, the only way that would fail is if the client (on DX) claimed to support **ONLY** SSLv3.
And since the built-in browser is a web-kit based browser, the chances of that are slim to none.

Note: The url in the post is http:// - - (port 80) which requires the browser to follow a redirect to https:// - - (port 443)
And the K2/DX/DXG browser has always had trouble with some redirects.

= = = = =
The following **is not** from a K2/DX/DXG -

Not working (limited to SSLv3 **only**):
Note: This may well be a IIS server (not Apache).

Code:

core2quad ~ $ openssl s_client -showcerts -ssl3 -connect www.m.wikipedia.org:443
CONNECTED(00000003)
3078097048:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1199:SSL alert number 40
3078097048:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:595:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1437074016
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Works (TLSv1/SSLv3 - client specifies TLSv1):

Code:

core2quad ~ $ openssl s_client -showcerts -tls1 -connect www.m.wikipedia.org:443
CONNECTED(00000003)
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikipedia.org
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
Spoiler: 


-----BEGIN CERTIFICATE-----
MIIHCzCCBfOgAwIBAgISESHn39nPHF6a1Z9BX22pH+JLMA0GCSqGSIb3DQEBCwUA
MGYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTwwOgYD
VQQDEzNHbG9iYWxTaWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBIC0gU0hB
MjU2IC0gRzIwHhcNMTUwNjIzMTgzNzA3WhcNMTcwMjE5MTIwMDAwWjB5MQswCQYD
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j
aXNjbzEjMCEGA1UEChMaV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYy4xGDAWBgNV
BAMMDyoud2lraXBlZGlhLm9yZzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGs/
rQfolc/wmijswt03f30w2MaDcXO03N/FgJhKozJd2/XxFzJfDMC+lYrMFKBObLJN
mGWLafhF4+eSeAUlGtKjggRpMIIEZTAOBgNVHQ8BAf8EBAMCBaAwSQYDVR0gBEIw
QDA+BgZngQwBAgIwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2ln
bi5jb20vcmVwb3NpdG9yeS8wggKuBgNVHREEggKlMIICoYIPKi53aWtpcGVkaWEu
b3Jngg8qLm1lZGlhd2lraS5vcmeCDyoud2lraWJvb2tzLm9yZ4IOKi53aWtpZGF0
YS5vcmeCDyoud2lraW1lZGlhLm9yZ4IZKi53aWtpbWVkaWFmb3VuZGF0aW9uLm9y
Z4IOKi53aWtpbmV3cy5vcmeCDyoud2lraXF1b3RlLm9yZ4IQKi53aWtpc291cmNl
Lm9yZ4IRKi53aWtpdmVyc2l0eS5vcmeCECoud2lraXZveWFnZS5vcmeCECoud2lr
dGlvbmFyeS5vcmeCESoubS5tZWRpYXdpa2kub3JnghEqLm0ud2lraXBlZGlhLm9y
Z4IRKi5tLndpa2lib29rcy5vcmeCECoubS53aWtpZGF0YS5vcmeCESoubS53aWtp
bWVkaWEub3JnghsqLm0ud2lraW1lZGlhZm91bmRhdGlvbi5vcmeCECoubS53aWtp
bmV3cy5vcmeCESoubS53aWtpcXVvdGUub3JnghIqLm0ud2lraXNvdXJjZS5vcmeC
EyoubS53aWtpdmVyc2l0eS5vcmeCEioubS53aWtpdm95YWdlLm9yZ4ISKi5tLndp
a3Rpb25hcnkub3JnghQqLnplcm8ud2lraXBlZGlhLm9yZ4INbWVkaWF3aWtpLm9y
Z4INd2lraWJvb2tzLm9yZ4IMd2lraWRhdGEub3Jngg13aWtpbWVkaWEub3Jnghd3
aWtpbWVkaWFmb3VuZGF0aW9uLm9yZ4IMd2lraW5ld3Mub3Jngg13aWtpcXVvdGUu
b3Jngg53aWtpc291cmNlLm9yZ4IPd2lraXZlcnNpdHkub3Jngg53aWtpdm95YWdl
Lm9yZ4IOd2lrdGlvbmFyeS5vcmeCDXdpa2lwZWRpYS5vcmcwCQYDVR0TBAIwADAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwSQYDVR0fBEIwQDA+oDygOoY4
aHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9ncy9nc29yZ2FuaXphdGlvbnZhbHNo
YTJnMi5jcmwwgaAGCCsGAQUFBwEBBIGTMIGQME0GCCsGAQUFBzAChkFodHRwOi8v
c2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2VydC9nc29yZ2FuaXphdGlvbnZhbHNo
YTJnMnIxLmNydDA/BggrBgEFBQcwAYYzaHR0cDovL29jc3AyLmdsb2JhbHNpZ24u
Y29tL2dzb3JnYW5pemF0aW9udmFsc2hhMmcyMB0GA1UdDgQWBBQIv82p7g/qMNMy
ay3f/2SkzIsj9zAfBgNVHSMEGDAWgBSW3mHxvRwWKVMcwMx9O4MAQOYafDANBgkq
hkiG9w0BAQsFAAOCAQEAA3V77aY1cA+RdRiC2Z+nZDYwF2VIDth/u1fAy2/46hzK
JvfP6UqvQW3ET1k/STKiFrLUdGht++PwxyN7JU2tPl4AbiY1c4x/zvUeY+s/vS2k
+ylBNyD0D+CO1w+RSUMla2VAZCpG+rdw0YLE9MOuB6lPDWRDnwBAIE0DyEXiy4EZ
f/cdExNQD9tegzQgLxMlgBZvxrSaIMkI3PcbVKEXrmPReGRxYavSppP/ep59rdCw
zm3/xJ+UrnPplc6BaiYwFr6Kcsv8FblQguqjjIXE+alriol94AddVB99ztUmgDNW
lH1Ofu1m2VAcAVZlTbxEodI0dT8qgFET7Zlvh6ic8Q==
-----END CERTIFICATE-----


In readable form:
Spoiler: 



	
Code:
	
core2quad KDX $ cat cert0.txt | openssl x509 -inform pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            11:21:e7:df:d9:cf:1c:5e:9a:d5:9f:41:5f:6d:a9:1f:e2:4b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2
        Validity
            Not Before: Jun 23 18:37:07 2015 GMT
            Not After : Feb 19 12:00:00 2017 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:6b:3f:ad:07:e8:95:cf:f0:9a:28:ec:c2:dd:37:
                    7f:7d:30:d8:c6:83:71:73:b4:dc:df:c5:80:98:4a:
                    a3:32:5d:db:f5:f1:17:32:5f:0c:c0:be:95:8a:cc:
                    14:a0:4e:6c:b2:4d:98:65:8b:69:f8:45:e3:e7:92:
                    78:05:25:1a:d2
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.2
                  CPS: https://www.globalsign.com/repository/

            X509v3 Subject Alternative Name: 
                DNS:*.wikipedia.org, DNS:*.mediawiki.org, DNS:*.wikibooks.org, \
                DNS:*.wikidata.org, DNS:*.wikimedia.org, DNS:*.wikimediafoundation.org, \
                DNS:*.wikinews.org, DNS:*.wikiquote.org, DNS:*.wikisource.org, \
                DNS:*.wikiversity.org, DNS:*.wikivoyage.org, DNS:*.wiktionary.org, \
                DNS:*.m.mediawiki.org, DNS:*.m.wikipedia.org, DNS:*.m.wikibooks.org, \
                DNS:*.m.wikidata.org, DNS:*.m.wikimedia.org, DNS:*.m.wikimediafoundation.org, \
                DNS:*.m.wikinews.org, DNS:*.m.wikiquote.org, DNS:*.m.wikisource.org, \
                DNS:*.m.wikiversity.org, DNS:*.m.wikivoyage.org, DNS:*.m.wiktionary.org, \
                DNS:*.zero.wikipedia.org, DNS:mediawiki.org, DNS:wikibooks.org, \
                DNS:wikidata.org, DNS:wikimedia.org, DNS:wikimediafoundation.org, \
                DNS:wikinews.org, DNS:wikiquote.org, DNS:wikisource.org, \
                DNS:wikiversity.org, DNS:wikivoyage.org, DNS:wiktionary.org, DNS:wikipedia.org
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl

            Authority Information Access: 
                CA Issuers - URI:http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt
                OCSP - URI:http://ocsp2.globalsign.com/gsorganizationvalsha2g2

            X509v3 Subject Key Identifier: 
                08:BF:CD:A9:EE:0F:EA:30:D3:32:6B:2D:DF:FF:64:A4:CC:8B:23:F7
            X509v3 Authority Key Identifier: 
                keyid:96:DE:61:F1:BD:1C:16:29:53:1C:C0:CC:7D:3B:83:00:40:E6:1A:7C

    Signature Algorithm: sha256WithRSAEncryption
        03:75:7b:ed:a6:35:70:0f:91:75:18:82:d9:9f:a7:64:36:30:
        17:65:48:0e:d8:7f:bb:57:c0:cb:6f:f8:ea:1c:ca:26:f7:cf:
        e9:4a:af:41:6d:c4:4f:59:3f:49:32:a2:16:b2:d4:74:68:6d:
        fb:e3:f0:c7:23:7b:25:4d:ad:3e:5e:00:6e:26:35:73:8c:7f:
        ce:f5:1e:63:eb:3f:bd:2d:a4:fb:29:41:37:20:f4:0f:e0:8e:
        d7:0f:91:49:43:25:6b:65:40:64:2a:46:fa:b7:70:d1:82:c4:
        f4:c3:ae:07:a9:4f:0d:64:43:9f:00:40:20:4d:03:c8:45:e2:
        cb:81:19:7f:f7:1d:13:13:50:0f:db:5e:83:34:20:2f:13:25:
        80:16:6f:c6:b4:9a:20:c9:08:dc:f7:1b:54:a1:17:ae:63:d1:
        78:64:71:61:ab:d2:a6:93:ff:7a:9e:7d:ad:d0:b0:ce:6d:ff:
        c4:9f:94:ae:73:e9:95:ce:81:6a:26:30:16:be:8a:72:cb:fc:
        15:b9:50:82:ea:a3:8c:85:c4:f9:a9:6b:8a:89:7d:e0:07:5d:
        54:1f:7d:ce:d5:26:80:33:56:94:7d:4e:7e:ed:66:d9:50:1c:
        01:56:65:4d:bc:44:a1:d2:34:75:3f:2a:80:51:13:ed:99:6f:
        87:a8:9c:f1


1) elliptical curve (prime256v1) public key
2) TLS only

 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
Spoiler: 


-----BEGIN CERTIFICATE-----
MIIEaTCCA1GgAwIBAgILBAAAAAABRE7wQkcwDQYJKoZIhvcNAQELBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw
MDBaFw0yNDAyMjAxMDAwMDBaMGYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
YWxTaWduIG52LXNhMTwwOgYDVQQDEzNHbG9iYWxTaWduIE9yZ2FuaXphdGlvbiBW
YWxpZGF0aW9uIENBIC0gU0hBMjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDHDmw/I5N/zHClnSDDDlM/fsBOwphJykfVI+8DNIV0yKMCLkZc
C33JiJ1Pi/D4nGyMVTXbv/Kz6vvjVudKRtkTIso21ZvBqOOWQ5PyDLzm+ebomchj
SHh/VzZpGhkdWtHUfcKc1H/hgBKueuqI6lfYygoKOhJJomIZeg0k9zfrtHOSewUj
mxK1zusp36QUArkBpdSmnENkiN74fv7j9R7l/tyjqORmMdlMJekYuYlZCa7pnRxt
Nw9KHjUgKOKv1CGLAcRFrW4rY6uSa2EKTSDtc7p8zv4WtdufgPDWi2zZCHlKT3hl
2pK8vjX5s8T5J4BO/5ZS5gIg4Qdz6V0rvbLxAgMBAAGjggElMIIBITAOBgNVHQ8B
Af8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUlt5h8b0cFilT
HMDMfTuDAEDmGnwwRwYDVR0gBEAwPjA8BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0
dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMDMGA1UdHwQsMCow
KKAmoCSGImh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5uZXQvcm9vdC5jcmwwPQYIKwYB
BQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNv
bS9yb290cjEwHwYDVR0jBBgwFoAUYHtmGkUNl8qJUC99BM00qP/8/UswDQYJKoZI
hvcNAQELBQADggEBAEYq7l69rgFgNzERhnF0tkZJyBAW/i9iIxerH4f4gu3K3w4s
32R1juUYcqeMOovJrKV3UPfvnqTgoI8UV6MqX+x+bRDmuo2wCId2Dkyy2VG7EQLy
XN0cvfNVlg/UBsD84iOKJHDTu/B5GqdhcIOKrwbFINihY9Bsrk8y1658GEV1BSl3
30JAZGSGvip2CTFvHST0mdCF/vIhCPnG9vHQWe3WVjwIKANnuvD58ZAWR65n5ryA
SOlCdjSXVWkkDoPWoC209fN5ikkodBpBocLTJIg1MGCUF7ThBCIxPTsvFwayuJ2G
K1pp74P1S8SqtCr4fKGxhZSM9AyHDPSsQPhZSZg=
-----END CERTIFICATE-----


---
Server certificate
subject=/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikipedia.org
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 3270 bytes and written 343 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-SHA
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-ECDSA-AES128-SHA
    Session-ID: 7CA2E0E040F3E49C218B80DEF26F048C1331240C0C56F27CB14CDE4EAB7DC0C2
    Session-ID-ctx: 
    Master-Key: BA7721F5DA578363DDE1A3EBDBC44A5DDF52F5DDB282B3A0B8D6B830FCFAA174DAF0348F97C237D3E5BB1606DDFB5438
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1437074083
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
^C

[Jedidiyah]

Twitter link was suggested in the original thread by Little.Egret, I tried and it didn't work https://twitter.com/abellio_surrey (he is the one who suggested that the reason was SSL 3.0)

Just a few days ago this blog stopped working https://www.washingtonpost.com/news/volokh-conspiracy Or rather I can still access the blog itself, but not the linked articles, e.g. not https://www.washingtonpost.com/news/...heir-property/

[knc1]

The person who suggested SSL 3.0 is (was) not sure what device they had.
See: https://www.mobileread.com/forums/sho...54&postcount=8
(PS: it was SSLv2 that was taken out of service - nearly a decade ago.)

The rest of that thread seems to agree - we just need to install a current trusted certificate store.

Tomorrow, time permitting, I will check those other links (and do an ascii dump of the certificates - in particular, the root certificate - which should be on the Kindle).

We can probably generate the required root certificate collection - but the K2/DX/DXG will have to be jail broken to install it (same firmware build on all three devices, the DX(G) are just large screen K2 models).