Old 05-22-2017, 09:19 AM   #46
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Quote:
Originally Posted by mergen3107
So we need to do something like this but on Kindle itself and with Amazon-specific parts too, right?

*) Similar.
That only adds the root certificates for cacert.org, certificate authority.
You want to replace current with the entire set of current ca root certificates.

*) Need not be done on the Kindle, only the end result needs to be on the Kindle.

*) Do not expect the Kindle to have the Debian/Ubuntu certificate installer command available.

*) There are no "Amazon specific" parts.
Amazon is not a root ca, so they purchase the use of an existing certificate authority's root. Just like normal people have to.

= = = = =

Your first step is to do as I advised you to do, download the current Debian package:
https://packages.debian.org/jessie/ca-certificates
(So scroll to the bottom of that page for the link. Click the list of files on the right to see what you will be getting in the package.)
or
https://packages.debian.org/jessie/a...cates/download
(Ignore the advice in the big red box, Kindles are not that similar to Debian/Jessie.)

Download to a directory, your choice of name, for this specific purpose.

Now, in that same directory which now has ONLY the ca-certificates package, make a new directory, your choice of name, to hold the contents.

Open the Debian package with your archive handling tool, and extract the contents to the directory which you just made for the purpose.

On my machine, I just used the path:
ca-cert/20170517-deb/
for the two directories - they don't have to be that name, but that name path will remind you of what to expect when you reach the end.
The lowest level path directory name includes the most recent update date of the package.

Now your archiver will have created the paths included in the archive. In:
ca-cert/20170517-deb/usr/bin
You will find a script file that installs the package on a Debian system.
Use that as a guide to what needs to be translated to a set of Kindle directions, DO NOT use something you stumbled upon on the 'net as your guide.

in ca-cert/20170517-deb/etc/ssl/certs - that is where the symbolic links are at in a Debian system, I expect that in an Amazon system that has not been changed.
But it might have, so check it (I don't have a current K4 running so that I can give you specific directions).

in ca-cert/20170517-deb/usr/share/ca-certificates
you will find two directories -
Those have the new content you want to use to replace the existing, out-dated, content on your Kindle.

They probably will not need any processing other than moving.
But first find the location on the Kindle that holds things of similar filename, just to be sure.

Do whatever you find necessary to make what you have, fit into the directory tree structure that the Kindle uses.

For instance: in ca-cert/20170517-deb/usr/share/ca-certificates/mozilla
directory (at end of file tree) has 173 current certificate authority root certificates.
You don't want to rename those files, but you do have to put them on the Kindle's file system (where the old ones now are at) and put symbolic links to them (wherever the Kindle's file system has the links to the old ones currently installed).
Code:
 Downloads $ tree ca-cert
ca-cert
├── 20170517-deb
│   ├── DEBIAN
│   │   ├── config
│   │   ├── control
│   │   ├── md5sums
│   │   ├── postinst
│   │   ├── postrm
│   │   ├── templates
│   │   └── triggers
│   ├── etc
│   │   ├── ca-certificates
│   │   │   └── update.d
│   │   └── ssl
│   │       └── certs
│   └── usr
│       ├── sbin
│       │   └── update-ca-certificates
│       └── share
│           ├── ca-certificates
│           │   ├── mozilla
│           │   │   ├── ACCVRAIZ1.crt
│           │   │   ├── ACEDICOM_Root.crt
│           │   │   ├── AC_Raíz_Certicámara_S.A..crt
│           │   │   ├── Actalis_Authentication_Root_CA.crt
│           │   │   ├── AddTrust_External_Root.crt
│           │   │   ├── AddTrust_Low-Value_Services_Root.crt
│           │   │   ├── AddTrust_Public_Services_Root.crt
│           │   │   ├── AddTrust_Qualified_Certificates_Root.crt
│           │   │   ├── AffirmTrust_Commercial.crt
│           │   │   ├── AffirmTrust_Networking.crt
│           │   │   ├── AffirmTrust_Premium.crt
│           │   │   ├── AffirmTrust_Premium_ECC.crt
│           │   │   ├── ApplicationCA_-_Japanese_Government.crt
│           │   │   ├── Atos_TrustedRoot_2011.crt
│           │   │   ├── Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
│           │   │   ├── Baltimore_CyberTrust_Root.crt
│           │   │   ├── Buypass_Class_2_CA_1.crt
│           │   │   ├── Buypass_Class_2_Root_CA.crt
│           │   │   ├── Buypass_Class_3_Root_CA.crt
│           │   │   ├── CA_Disig_Root_R1.crt
│           │   │   ├── CA_Disig_Root_R2.crt
│           │   │   ├── Camerfirma_Chambers_of_Commerce_Root.crt
│           │   │   ├── Camerfirma_Global_Chambersign_Root.crt
│           │   │   ├── CA_WoSign_ECC_Root.crt
│           │   │   ├── Certification_Authority_of_WoSign_G2.crt
│           │   │   ├── Certigna.crt
│           │   │   ├── Certinomis_-_Autorité_Racine.crt
│           │   │   ├── Certinomis_-_Root_CA.crt
│           │   │   ├── Certplus_Class_2_Primary_CA.crt
│           │   │   ├── Certplus_Root_CA_G1.crt
│           │   │   ├── Certplus_Root_CA_G2.crt
│           │   │   ├── certSIGN_ROOT_CA.crt
│           │   │   ├── Certum_Root_CA.crt
│           │   │   ├── Certum_Trusted_Network_CA_2.crt
│           │   │   ├── Certum_Trusted_Network_CA.crt
│           │   │   ├── CFCA_EV_ROOT.crt
│           │   │   ├── Chambers_of_Commerce_Root_-_2008.crt
│           │   │   ├── China_Internet_Network_Information_Center_EV_Certificates_Root.crt
│           │   │   ├── CNNIC_ROOT.crt
│           │   │   ├── Comodo_AAA_Services_root.crt
│           │   │   ├── COMODO_Certification_Authority.crt
│           │   │   ├── COMODO_ECC_Certification_Authority.crt
│           │   │   ├── COMODO_RSA_Certification_Authority.crt
│           │   │   ├── Comodo_Secure_Services_root.crt
│           │   │   ├── Comodo_Trusted_Services_root.crt
│           │   │   ├── ComSign_CA.crt
│           │   │   ├── Cybertrust_Global_Root.crt
│           │   │   ├── Deutsche_Telekom_Root_CA_2.crt
│           │   │   ├── DigiCert_Assured_ID_Root_CA.crt
│           │   │   ├── DigiCert_Assured_ID_Root_G2.crt
│           │   │   ├── DigiCert_Assured_ID_Root_G3.crt
│           │   │   ├── DigiCert_Global_Root_CA.crt
│           │   │   ├── DigiCert_Global_Root_G2.crt
│           │   │   ├── DigiCert_Global_Root_G3.crt
│           │   │   ├── DigiCert_High_Assurance_EV_Root_CA.crt
│           │   │   ├── DigiCert_Trusted_Root_G4.crt
│           │   │   ├── DST_ACES_CA_X6.crt
│           │   │   ├── DST_Root_CA_X3.crt
│           │   │   ├── D-TRUST_Root_Class_3_CA_2_2009.crt
│           │   │   ├── D-TRUST_Root_Class_3_CA_2_EV_2009.crt
│           │   │   ├── EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
│           │   │   ├── EC-ACC.crt
│           │   │   ├── EE_Certification_Centre_Root_CA.crt
│           │   │   ├── Entrust.net_Premium_2048_Secure_Server_CA.crt
│           │   │   ├── Entrust_Root_Certification_Authority.crt
│           │   │   ├── Entrust_Root_Certification_Authority_-_EC1.crt
│           │   │   ├── Entrust_Root_Certification_Authority_-_G2.crt
│           │   │   ├── ePKI_Root_Certification_Authority.crt
│           │   │   ├── Equifax_Secure_CA.crt
│           │   │   ├── Equifax_Secure_eBusiness_CA_1.crt
│           │   │   ├── Equifax_Secure_Global_eBusiness_CA.crt
│           │   │   ├── E-Tugra_Certification_Authority.crt
│           │   │   ├── GeoTrust_Global_CA_2.crt
│           │   │   ├── GeoTrust_Global_CA.crt
│           │   │   ├── GeoTrust_Primary_Certification_Authority.crt
│           │   │   ├── GeoTrust_Primary_Certification_Authority_-_G2.crt
│           │   │   ├── GeoTrust_Primary_Certification_Authority_-_G3.crt
│           │   │   ├── GeoTrust_Universal_CA_2.crt
│           │   │   ├── GeoTrust_Universal_CA.crt
│           │   │   ├── Global_Chambersign_Root_-_2008.crt
│           │   │   ├── GlobalSign_ECC_Root_CA_-_R4.crt
│           │   │   ├── GlobalSign_ECC_Root_CA_-_R5.crt
│           │   │   ├── GlobalSign_Root_CA.crt
│           │   │   ├── GlobalSign_Root_CA_-_R2.crt
│           │   │   ├── GlobalSign_Root_CA_-_R3.crt
│           │   │   ├── Go_Daddy_Class_2_CA.crt
│           │   │   ├── Go_Daddy_Root_Certificate_Authority_-_G2.crt
│           │   │   ├── Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt
│           │   │   ├── Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
│           │   │   ├── Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt
│           │   │   ├── Hongkong_Post_Root_CA_1.crt
│           │   │   ├── IdenTrust_Commercial_Root_CA_1.crt
│           │   │   ├── IdenTrust_Public_Sector_Root_CA_1.crt
│           │   │   ├── IGC_A.crt
│           │   │   ├── ISRG_Root_X1.crt
│           │   │   ├── Izenpe.com.crt
│           │   │   ├── Juur-SK.crt
│           │   │   ├── Microsec_e-Szigno_Root_CA_2009.crt
│           │   │   ├── Microsec_e-Szigno_Root_CA.crt
│           │   │   ├── NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt
│           │   │   ├── Network_Solutions_Certificate_Authority.crt
│           │   │   ├── OISTE_WISeKey_Global_Root_GA_CA.crt
│           │   │   ├── OISTE_WISeKey_Global_Root_GB_CA.crt
│           │   │   ├── OpenTrust_Root_CA_G1.crt
│           │   │   ├── OpenTrust_Root_CA_G2.crt
│           │   │   ├── OpenTrust_Root_CA_G3.crt
│           │   │   ├── PSCProcert.crt
│           │   │   ├── QuoVadis_Root_CA_1_G3.crt
│           │   │   ├── QuoVadis_Root_CA_2.crt
│           │   │   ├── QuoVadis_Root_CA_2_G3.crt
│           │   │   ├── QuoVadis_Root_CA_3.crt
│           │   │   ├── QuoVadis_Root_CA_3_G3.crt
│           │   │   ├── QuoVadis_Root_CA.crt
│           │   │   ├── Root_CA_Generalitat_Valenciana.crt
│           │   │   ├── RSA_Security_2048_v3.crt
│           │   │   ├── Secure_Global_CA.crt
│           │   │   ├── SecureSign_RootCA11.crt
│           │   │   ├── SecureTrust_CA.crt
│           │   │   ├── Security_Communication_EV_RootCA1.crt
│           │   │   ├── Security_Communication_RootCA2.crt
│           │   │   ├── Security_Communication_Root_CA.crt
│           │   │   ├── Sonera_Class_2_Root_CA.crt
│           │   │   ├── Staat_der_Nederlanden_EV_Root_CA.crt
│           │   │   ├── Staat_der_Nederlanden_Root_CA_-_G2.crt
│           │   │   ├── Staat_der_Nederlanden_Root_CA_-_G3.crt
│           │   │   ├── Starfield_Class_2_CA.crt
│           │   │   ├── Starfield_Root_Certificate_Authority_-_G2.crt
│           │   │   ├── Starfield_Services_Root_Certificate_Authority_-_G2.crt
│           │   │   ├── StartCom_Certification_Authority_2.crt
│           │   │   ├── StartCom_Certification_Authority.crt
│           │   │   ├── StartCom_Certification_Authority_G2.crt
│           │   │   ├── S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt
│           │   │   ├── S-TRUST_Universal_Root_CA.crt
│           │   │   ├── Swisscom_Root_CA_1.crt
│           │   │   ├── Swisscom_Root_CA_2.crt
│           │   │   ├── Swisscom_Root_EV_CA_2.crt
│           │   │   ├── SwissSign_Gold_CA_-_G2.crt
│           │   │   ├── SwissSign_Platinum_CA_-_G2.crt
│           │   │   ├── SwissSign_Silver_CA_-_G2.crt
│           │   │   ├── SZAFIR_ROOT_CA2.crt
│           │   │   ├── Taiwan_GRCA.crt
│           │   │   ├── TC_TrustCenter_Class_3_CA_II.crt
│           │   │   ├── TeliaSonera_Root_CA_v1.crt
│           │   │   ├── thawte_Primary_Root_CA.crt
│           │   │   ├── thawte_Primary_Root_CA_-_G2.crt
│           │   │   ├── thawte_Primary_Root_CA_-_G3.crt
│           │   │   ├── Trustis_FPS_Root_CA.crt
│           │   │   ├── T-TeleSec_GlobalRoot_Class_2.crt
│           │   │   ├── T-TeleSec_GlobalRoot_Class_3.crt
│           │   │   ├── TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.crt
│           │   │   ├── TURKTRUST_Certificate_Services_Provider_Root_2007.crt
│           │   │   ├── TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.crt
│           │   │   ├── TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H6.crt
│           │   │   ├── TWCA_Global_Root_CA.crt
│           │   │   ├── TWCA_Root_Certification_Authority.crt
│           │   │   ├── USERTrust_ECC_Certification_Authority.crt
│           │   │   ├── USERTrust_RSA_Certification_Authority.crt
│           │   │   ├── UTN_USERFirst_Email_Root_CA.crt
│           │   │   ├── UTN_USERFirst_Hardware_Root_CA.crt
│           │   │   ├── Verisign_Class_1_Public_Primary_Certification_Authority.crt
│           │   │   ├── Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
│           │   │   ├── Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt
│           │   │   ├── Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
│           │   │   ├── Verisign_Class_3_Public_Primary_Certification_Authority.crt
│           │   │   ├── Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
│           │   │   ├── VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
│           │   │   ├── VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
│           │   │   ├── VeriSign_Universal_Root_Certification_Authority.crt
│           │   │   ├── Visa_eCommerce_Root.crt
│           │   │   ├── WellsSecure_Public_Root_Certificate_Authority.crt
│           │   │   ├── WoSign_China.crt
│           │   │   ├── WoSign.crt
│           │   │   └── XRamp_Global_CA_Root.crt
│           │   └── spi-inc.org
│           │       └── spi-cacert-2008.crt
│           ├── doc
│           │   └── ca-certificates
│           │       ├── changelog.gz
│           │       ├── copyright
│           │       ├── examples
│           │       │   └── ca-certificates-local
│           │       │       ├── debian
│           │       │       │   ├── ca-certificates-local.triggers
│           │       │       │   ├── changelog
│           │       │       │   ├── compat
│           │       │       │   ├── control
│           │       │       │   ├── copyright
│           │       │       │   ├── postrm
│           │       │       │   ├── rules
│           │       │       │   └── source
│           │       │       │       └── format
│           │       │       ├── local
│           │       │       │   ├── Local_Root_CA.crt
│           │       │       │   └── Makefile
│           │       │       ├── Makefile
│           │       │       └── README
│           │       ├── NEWS.Debian.gz
│           │       └── README.Debian
│           └── man
│               └── man8
│                   └── update-ca-certificates.8.gz
└── ca-certificates_20141019+deb8u3_all.deb
You can see by the names that the package has human readable examples, scripts, and other information that may be helpful.

So read them.

Like I posted above, I don't have a K4 running on which to invent a set of key-stroke by key-stroke directions for you.

Note:
If your archive tool can't un-archive a *.deb package -
They are just an ar archive that contains other archives (you will recognize them by name).
Old 05-22-2017, 01:05 PM   #47
mergen3107
Wizard
Posts: 1,059
Karma: 3000026
Join Date: Feb 2012
Location: Cape Canaveral
Device: Kindle Scribe
Thank you knc1! I'll try
Old 05-22-2017, 02:46 PM   #48
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Quote:
Originally Posted by mergen3107
Thank you knc1! I'll try

You should probably check what certificate chain is being sent by the site you are having trouble with (easier from your pc than from Kindle, but this will work from Kindle also).

Then see if the required root certificate (the one not in the chain) is in the collection of root certificates.
No sense in going to all of that work if it isn't going to fix the problem.
Note: Sometimes servers are configured to not send all intermediate certificates, which is wrong, but what can you do? (unless you are the server admin)

Ref:
https://langui.sh/2009/03/14/checkin...-with-openssl/

A worked example, just substitute the domain name you are having trouble with:
(If your PC does not have OpenSSL installed, discard it, it is a junk system; your Kindle does have it installed.)

Spoiler:

Code:
~ $ openssl s_client -showcerts -connect www.amazon.com:443
CONNECTED(00000003)
3077437592:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1199:SSL alert number 40
3077437592:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:595:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1495477646
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
core2quad ~ $ openssl s_client -showcerts -tls1 -connect www.amazon.com:443
CONNECTED(00000003)
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=www.amazon.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
-----BEGIN CERTIFICATE-----
[certificate body not preserved]
-----END CERTIFICATE-----
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
MIIFODCCBCCgAwIBAgIQUT+5dDhwtzRAQY0wkwaZ/zANBgkqhkiG9w0BAQsFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMTMxMDMxMDAwMDAwWhcNMjMxMDMwMjM1OTU5WjB+MQsw
CQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNV
BAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVjIENs
YXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAstgFyhx0LbUXVjnFSlIJluhL2AzxaJ+aQihiw6UwU35VEYJb
A3oNL+F5BMm0lncZgQGUWfm893qZJ4Itt4PdWid/sgN6nFMl6UgfRk/InSn4vnlW
9vf92Tpo2otLgjNBEsPIPMzWlnqEIRoiBAMnF4scaGGTDw5RgDMdtLXO637QYqzu
s3sBdO9pNevK1T2p7peYyo2qRA4lmUoVlqTObQJUHypqJuIGOmNIrLRM0XWTUP8T
L9ba4cYY9Z/JJV3zADreJk20KQnNDz0jbxZKgRb78oMQw7jW2FUyPfG9D72MUpVK
Fpd6UiFjdS8W+cRmvvW1Cdj/JwDNRHxvSz+w9wIDAQABo4IBYzCCAV8wEgYDVR0T
AQH/BAgwBgEB/wIBADAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vczEuc3ltY2Iu
Y29tL3BjYTMtZzUuY3JsMA4GA1UdDwEB/wQEAwIBBjAvBggrBgEFBQcBAQQjMCEw
HwYIKwYBBQUHMAGGE2h0dHA6Ly9zMi5zeW1jYi5jb20wawYDVR0gBGQwYjBgBgpg
hkgBhvhFAQc2MFIwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20v
Y3BzMCgGCCsGAQUFBwICMBwaGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20vcnBhMCkG
A1UdEQQiMCCkHjAcMRowGAYDVQQDExFTeW1hbnRlY1BLSS0xLTUzNDAdBgNVHQ4E
FgQUX2DPYZBV34RDFIpgKrL1evRDGO8wHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnz
Qzn6Aq8zMTMwDQYJKoZIhvcNAQELBQADggEBAF6UVkndji1l9cE2UbYD49qecxny
H1mrWH5sJgUs+oHXXCMXIiw3k/eG7IXmsKP9H+IyqEVv4dn7ua/ScKAyQmW/hP4W
Ko8/xabWo5N9Q+l0IZE1KPRj6S7t9/Vcf0uatSDpCr3gRRAMFJSaXaXjS5HoJJtG
QGX0InLNmfiIEfXzf+YzguaoxX7+0AjiJVgIcWjmzaLmFN5OUiQt/eV5E1PnXi8t
TRttQBVSK/eHiXgSgW7ZTaoteNTCLD0IX4eRnh8OsN4wUmSGiaqdZpwOdgyA8nTY
Kvi4Os7X1g8RvmurFPW9QaAiY4nxug9vKWNmLT+sjHLF+8fk1A/yO0+MKcc=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=www.amazon.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 3698 bytes and written 343 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: C58E762E373E62BEE8A3C3C0FAC6603A9920FAFAEABC5AD2AD7DB736F29CEB90
    Session-ID-ctx: 
    Master-Key: FBB5A672AC618550ADAD2AC310982F87AD5399631D504ED2ED20334DB4A85FEC7C41B03449D9129FA316A2AB8E5F99B8
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 10800 (seconds)
    TLS session ticket:
    0000 - 3c c8 ae 09 0c 74 45 f2-a4 59 98 34 5b fb 7b aa   <....tE..Y.4[.{.
    0010 - df aa 04 01 c9 7b f8 20-2e 10 4d bc 59 65 b7 97   .....{. ..M.Ye..
    0020 - 50 b8 89 6d e5 45 52 2b-9e 56 4c e3 67 70 27 b1   P..m.ER+.VL.gp'.
    0030 - f4 17 96 ef 8a 5f 57 e9-6c 94 65 5a 2c 78 31 e7   ....._W.l.eZ,x1.
    0040 - b1 34 dd 55 d6 ab 4e 3d-ed 1e d4 13 6f a3 25 b4   .4.U..N=....o.%.
    0050 - cf aa 08 5b 3b 99 92 dc-04 0c cd e9 96 53 5e d7   ...[;........S^.
    0060 - 12 b4 fb 32 7d 53 fb a4-82 ef cd cd ab 47 50 02   ...2}S.......GP.
    0070 - 32 c4 dd 02 ba f2 55 d7-aa 1d 66 15 fe 5b dc 9b   2.....U...f..[..
    0080 - 03 28 22 3b 48 3b ea bf-b9 54 fb 04 db 76 f9 39   .(";H;...T...v.9
    0090 - 3e 8f 73 d4 45 4c 1b cb-09 32 d5 e3 db ad 4c 82   >.s.EL...2....L.

    Start Time: 1495477711
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

Terminate the session with a ctrl-d

Note the sample above has two attempts, only the second one uses tls1 (which is what that March 2016 update added to your Kindle).
You can see that Amazon is no longer accepting anything other than tls1 (see first attempt in the spoiler - which failed).
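The check described in the post above, as an added example that is not part of the original thread: it reads `openssl s_client -showcerts` output, names the issuer the server did not send (the root you need), and looks for that name among the subjects of a root store. The function names are hypothetical, matching is by CN only (an assumption; roots without a CN need a manual comparison), and the sample chain lines are the ones from the post with the certificate bodies left out.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from any tool.

# Read `openssl s_client -showcerts` output on stdin and print the issuer of
# the last certificate the server sent, i.e. the CA that must already be in
# the local root store.
#   exit 2: no chain in the input (handshake failed, as in the first attempt)
#   exit 1: the chain ends in a self-signed certificate (server sent the root)
chain_top_issuer() {
    awk '
        /^Certificate chain/       { in_chain = 1; next }
        in_chain && /^---/         { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        in_chain && /^ +i:/        { sub(/^ +i:/, "");        iss  = $0 }
        END {
            if (iss == "")   exit 2
            if (iss == subj) exit 1
            print iss
        }'
}

# Extract the CN from a distinguished name. Accepts the old one-line form
# "/C=US/O=x/CN=Name" and the newer "C = US, O = x, CN = Name".
# Assumption: CN is the last component of the name.
cn_of() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *//p'
}

# Print one subject line per *.crt file in directory $1 (needs openssl).
store_subjects() {
    for f in "$1"/*.crt; do
        if [ -f "$f" ]; then
            openssl x509 -noout -subject -in "$f"
        fi
    done
}

# stdin: subject lines of the trusted roots; $1: CN to look for.
# Exact CN comparison, so "... - G3" does not satisfy a search for "... - G5".
subject_listed() {
    want=$1
    while IFS= read -r line; do
        if [ "$(cn_of "$line")" = "$want" ]; then
            return 0
        fi
    done
    return 1
}

# Chain listing from the second attempt in the post, certificate bodies omitted.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=www.amazon.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=www.amazon.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
EOF
}

issuer=$(sample_output | chain_top_issuer) &&
    echo "root needed: $(cn_of "$issuer")"

# With the package unpacked as in the earlier post, the store check would be:
#   store_subjects ca-cert/20170517-deb/usr/share/ca-certificates/mozilla |
#       subject_listed "$(cn_of "$issuer")" && echo "present in store"
```

Against a live server, pipe the real command into the first function: `openssl s_client -showcerts -tls1 -connect host:443 </dev/null | chain_top_issuer`.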
Old 05-30-2017, 01:28 AM   #49
mergen3107
Wizard
Posts: 1,059
Karma: 3000026
Join Date: Feb 2012
Location: Cape Canaveral
Device: Kindle Scribe
Dear knc1,

Thank you so much for your detailed instructions!
Today I finally got my hands on this issue and updated the certificates.
After a bit of investigation, here is a recap for those who would like to repeat this on their Kindle 4 Non-Touch:

1) Download a Debian package from here (I used jessie, which is stable);
2) Copy all the archive's content to Kindle's root (/usr to /usr, /etc to /etc);
3) Create ca-certificates.conf in /mnt/us/ , containing only comments from this example. Make sure it has LF type of new line (for Unix), not CR LF (for Windows). Otherwise the update script cannot read it properly (yes, first time I did it wrong);
4) Update this conf:
$ cd /usr/share/ca-certificates/
$ find -type f -name '*.crt' >> /mnt/us/ca-certificates.conf
5) Copy it to the /etc/ folder (I removed the starting ./ symbols; I think it is optional, but I didn't test). Don't forget to do mntroot rw first;
6) Run (from Putty cmd):
$ update-ca-certificates
It should show:
Updating certificates in /etc/ssl/certs...
and then an update on how it did.

This script created symbolic links in /etc/ssl/certs/ folder (however they have a .pem extension and L777 attribute at the same time, never seen such links before on Ubuntu, Nook or Kindle) and completely replaced ca-certificates.cert in there.

Outcomes:
1) Wikipedia is doing it all smoothly, without any warnings!
2) WSJ.com is not loading, or even trying. However, even openssl cannot connect to it from PC:
Code:
> openssl s_client -showcerts -connect www.wsj.com:443
Loading 'screen' into random state - done
CONNECTED(00000200)
15692:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:./ssl/s23_clnt.c:580:
Then I found that probably, due to Kindle browser's User Agent that says 'Kindle', WSJ is blocking it. The reason is that for Kindle Unlimited & WSJ subscribers there is a dedicated channel to receive WSJ news.
So I just dropped it accessing from the browser.

3) NYTimes is doing better than before. Now it is loading OK until the last point, where it complains that it cannot establish a secure connection with something else, other than nytimes itself (I didn't remember the link) and suggests 'yes' to continue. Then it says that Kindle cannot load the requested page, but this time it refers not to nytimes - it doesn't disappear - but to that last bit. I checked from PC and I think it is a pop-up banner that shows up upon loading; I am 99% confident that popups are not supported in Kindle 4's browser.
4) Unencrypted websites like the-ebook.org or readrate.com just ask once whether I would like to say 'yes' like before, but that's OK! They are still readable.

Finally, the certificates and security issue was resolved all the way until it reaches the boundaries of the ancient Kindle browser's bottleneck. I am very glad to see that the browser was designed wisely enough (thanks lab126!) to pick up this Unix-type structure of certificates.

Thank you knc1 again! That was a wonderful journey to Unix world's security country.

P.S. Since I mentioned it above, I hope this detail does not fall into off-topic. In order to get 'zoomed in' readable websites, we can use mobile versions of some websites, for example, m.nytimes.com (I guess somebody already suggested that thing here, but sorry I don't remember) along with a Readability css tweak (I believe it is tweakable since its css is available in /usr/share/browser/readability_min_utf16.css):
Spoiler:

Readability css (separated to make it readable. Word play, huh)
Code:
#readOverlay{display:block;position:absolute;top:0;left:0;width:100%;}
#readInner{line-height:1.4em;max-width:800px;margin:1em auto;}
#readInner a{color:#039;text-decoration:none;}
#readInner a:hover{text-decoration:underline;}
#readInner img{float:left;clear:both;margin:0 12px 12px 0;}
#readInner h1{display:block;width:100%;border-bottom:1px solid #333;font-size:1.2em;padding-bottom:.5em;margin-bottom:.75em;}
#readInner blockquote{margin-left:3em;margin-right:3em;}
#readability-inner *{margin-bottom:16px;border:none;background:none;}
#readFooter{display:block;border-top:1px solid #333;text-align:center;clear:both;overflow:hidden;}
.size-x-small{font-size:12px;}
.size-small{font-size:15px;}
.size-medium{font-size:18px;}
.size-large{font-size:22px;}
.size-x-large{font-size:28px;}
.style-newspaper{font-family:"Times New Roman",Times,serif;background:#fbfbfb;color:#080000;}
.style-newspaper h1{text-transform:capitalize;font-family:Georgia,"Times New Roman",Times,serif;}
.style-newspaper #readInner a{color:#0924e1;}
.style-novel{font-family:"Palatino Linotype","Book Antiqua",Palatino,serif;background:#f4eed9;color:#1d1916;}
.style-novel #readInner a{color:#1856ba;}
.style-ebook{font-family:Arial,Helvetica,sans-serif;background:#edebe8;color:#2c2d32;}
.style-ebook #readInner a{color:#187dc9;}
.style-ebook h1{font-family:"Arial Black",Gadget,sans-serif;font-weight:400;}
.style-terminal{font-family:"Lucida Console",Monaco,monospace;background:#1d4e2c;color:#c6ffc6;}
.style-terminal #readInner a{color:#093;}
.margin-x-narrow{width:95%;}
.margin-narrow{width:85%;}
.margin-medium{width:75%;}
.margin-wide{width:55%;}
.margin-x-wide{width:35%;}
table,tr,td{background-color:transparent!important;}


Important Update
I had some problems with delivering purchased books.
Tried to revert the old certificates - the delivery worked.
Then I just copied the first three certificate blocks from old cert file to new one - and it worked!

Last edited by mergen3107; 05-30-2017 at 07:31 AM.
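Steps 3 to 5 of the recap above and the "Important Update", as an added example that is not part of the original post: one function builds the conf file with LF endings and no leading `./`, another reports which certificate blocks exist only in the old bundle so they can be reviewed before being copied across. Function names and the fixture are hypothetical; the fixture's PEM bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Works with busybox-style tools.

# Return 0 if FILE contains a carriage return (CR LF line endings).
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# build_conf CERT_ROOT TEMPLATE OUT
# OUT = the comment lines of TEMPLATE with any CR removed, followed by every
# *.crt under CERT_ROOT as a path relative to CERT_ROOT, without "./".
build_conf() {
    cert_root=$1; template=$2; out=$3
    {
        tr -d '\r' < "$template" | grep '^#' || true
        ( cd "$cert_root" &&
          find . -type f -name '*.crt' | sed 's|^\./||' | LC_ALL=C sort )
    } > "$out"
}

# missing_blocks OLD NEW
# Print the PEM certificate blocks found in bundle OLD but not in bundle NEW.
# Blocks are compared by their base64 body, so line endings do not matter.
missing_blocks() {
    old=$1; new=$2
    awk -v newfile="$new" '
        { sub(/\r$/, "") }
        /^-----BEGIN CERTIFICATE-----/ { in_blk = 1; body = ""; text = $0 "\n"; next }
        /^-----END CERTIFICATE-----/ {
            if (in_blk) {
                if (FILENAME == newfile) seen[body] = 1
                else if (!(body in seen)) { printf "%s%s\n", text, $0; seen[body] = 1 }
            }
            in_blk = 0; next
        }
        in_blk { body = body $0; text = text $0 "\n" }
    ' "$new" "$old"
}

# Number of certificate blocks in a bundle file.
count_blocks() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# --- constructed fixture: file names from the package listing, fake contents ---
pem_block() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}
make_fixture() {
    d=$1
    mkdir -p "$d/share/mozilla" "$d/share/spi-inc.org"
    : > "$d/share/mozilla/DigiCert_Global_Root_CA.crt"
    : > "$d/share/mozilla/ISRG_Root_X1.crt"
    : > "$d/share/spi-inc.org/spi-cacert-2008.crt"
    # Template saved with Windows line endings, the mistake described in step 3.
    printf '# one certificate per line\r\n# lines starting with ! are deselected\r\n' \
        > "$d/template.conf"
    { pem_block OLDONLY1; pem_block SHARED01; pem_block OLDONLY2; } > "$d/old.crt"
    { pem_block SHARED01; pem_block NEWONLY1; } > "$d/new.crt"
}

tmp=$(mktemp -d)
make_fixture "$tmp"
if has_crlf "$tmp/template.conf"; then
    echo "template has CR LF endings; build_conf strips them"
fi
build_conf "$tmp/share" "$tmp/template.conf" "$tmp/ca-certificates.conf"
cat "$tmp/ca-certificates.conf"
missing_blocks "$tmp/old.crt" "$tmp/new.crt" > "$tmp/missing.pem"
echo "blocks only in the old bundle: $(count_blocks "$tmp/missing.pem")"
rm -rf "$tmp"
```

Each block in the `missing_blocks` output can be inspected with `openssl x509 -noout -subject -enddate` before it is appended to the new bundle, so that only the roots the device actually needs are re-trusted rather than everything the newer package dropped.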
Old 05-30-2017, 09:35 AM   #50
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
I just checked the home page of nytimes.com - - -
At the moment it has 182 external links on that page, all of them HTTPS
(not 182 different sites, but 182 external links, plus 2 web-beacons)

= = = =

In the sample openssl command, add:
-tls1
to the options you show, then it should connect and that is the protocol the update a year ago last March should have added to your K4 browser.
knc1 is offline   Reply With Quote
Old 02-27-2020, 03:08 PM   #51
stassk8
Member
Posts: 19
Karma: 10
Join Date: Mar 2019
Device: kindle dxg, kindle pw3
Hello, is Wikipedia currently working in Kindle browsers on 3G?
I updated ca-certificates (2019), but I get "Web Browser is unable to establish a secure connection to this web site" and only a "Close" button.
The Amazon site works correctly in the Kindle browser (https).
Old 02-27-2020, 04:56 PM   #52
knc1
What device?
(and what is a "Kindle p3" ?)
Old 02-28-2020, 05:44 AM   #53
stassk8
Quote:
Originally Posted by knc1 View Post
What device?
(and what is a "Kindle p3" ?)
Kindle DXG (free 3G), update 3.4.3 (Kindle Keyboard firmware).
About half a year ago, with DXG 3.4.2 and the old ca-certificate deb package, the wiki worked; after the update to 3.4.3 it stopped working, and the new ca-certificate does not resolve the problem.

Does only Amazon work through 3G now, or is the certificate unsuitable?

"Kindle p3" -> pw3 -)
Old 02-28-2020, 08:55 AM   #54
knc1
Quote:
Originally Posted by stassk8 View Post
Kindle DXG (free 3G), update 3.4.3 (Kindle Keyboard firmware).
About half a year ago, with DXG 3.4.2 and the old ca-certificate deb package, the wiki worked; after the update to 3.4.3 it stopped working, and the new ca-certificate does not resolve the problem.

Does only Amazon work through 3G now, or is the certificate unsuitable?

"Kindle p3" -> pw3 -)
Any changes made by your 3G provider?
(Some companies are dropping 3G (and 2G) with the advent of 4G&5G)

Only Amazon site(s) are working?
Sounds like they made changes to their proxy system.

You might have to revert to 3.4.2
Old 02-29-2020, 08:17 AM   #55
stassk8
Quote:
Originally Posted by knc1 View Post
Only Amazon site(s) are working?
Sounds like they made changes to their proxy system.
Probably yes, because in a test over SSH connected to the Kindle, ping or traceroute work only for Amazon (wiki: browser is unable to establish a secure connection; other URLs: not available in all countries).

In this case, I think a rollback to 3.4.2 will not have any effect, thx.
Old 10-29-2022, 04:16 AM   #56
PiGeonCZ
Junior Member
Posts: 1
Karma: 10
Join Date: Oct 2022
Device: Kindle Voyage
Hi there,
I have run into the same issue, where the experimental browser is complaining that it is unable to establish a secure connection. On some pages quite a lot of times.

I have just finished JB in the hope I could update the root certificates, but either I have missed something, or in the case of newer devices the OS filesystem is not accessible.

I have also installed the KUAL, because it looked like the extensions could be the right path. I have tried to study the "GNU Awk Installer" extension, but I got lost in the code.

So, there are two options: either I am blind and there is a way to access the filesystem on newer devices, or there is somebody here who will not get lost and will be able to write an extension which will update the certs.
Hopefully, this is just an issue of the root certs and not an issue of the TLS version.


Thanks for any answer!


regards

PiGeon
Kindle Voyage v5.13.6 with JB
Old 10-29-2022, 06:11 AM   #57
katadelos
rm -rf /
Posts: 219
Karma: 3333683
Join Date: Nov 2019
Location: United Kingdom
Device: K5, KT, KT2, KT3, KT4, KV, PW2, PW3, PW4, PW5
Quote:
Originally Posted by PiGeonCZ View Post
Hi there,
I have run into the same issue, where the experimental browser is complaining that it is unable to establish a secure connection. On some pages quite a lot of times.

I have just finished JB in the hope I could update the root certificates, but either I have missed something, or in the case of newer devices the OS filesystem is not accessible.

I have also installed the KUAL, because it looked like the extensions could be the right path. I have tried to study the "GNU Awk Installer" extension, but I got lost in the code.

So, there are two options: either I am blind and there is a way to access the filesystem on newer devices, or there is somebody here who will not get lost and will be able to write an extension which will update the certs.
Hopefully, this is just an issue of the root certs and not an issue of the TLS version.


Thanks for any answer!


regards

PiGeon
Kindle Voyage v5.13.6 with JB
Use USBNet + SSH to access the FS

There's 2 places where SSL certificates are stored, /etc/ssl/ca-certificates.crt and /usr/java/lib/security/cacerts. The first is a plaintext file where the certificates can just be appended and the second is a standard Java keystore which can be edited by keytool using either changeit or passwordchanged as the password (the latter in your case, I think). keytool isn't included on the actual device so you'd need to copy the file to a PC with keytool installed, make changes, then push it back to the device.
katadelos is offline   Reply With Quote
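The merge that mergen3107's update and the post above describe (copying certificate blocks the new bundle lacks from the old plaintext file and appending them), as an added example that is not part of the thread. The function names (pem_bodies, merge_bundles, block, demo) are hypothetical and the sample blocks are constructed placeholders, not real certificates.

```shell
# Added example (not from the thread): merge CA blocks that a new PEM bundle
# lacks back in from the old one. Run on a PC against copies of both files.

# Print one line per certificate: its base64 body with whitespace removed.
# Exit status 2 means a BEGIN/END marker is unpaired (truncated or mis-edited).
pem_bodies() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { if (inb) exit 2; inb = 1; body = ""; next }
        /^-----END CERTIFICATE-----/   { if (!inb) exit 2; inb = 0; print body; next }
        inb { gsub(/[ \t\r]/, ""); body = body $0 }
        END { if (inb) exit 2 }
    ' "$1"
}

# merge_bundles NEW OLD OUT: write NEW followed by every block of OLD whose
# body is not already in NEW. Prints the number of blocks appended.
merge_bundles() {
    new=$1; old=$2; out=$3
    pem_bodies "$new" >/dev/null || { echo "malformed bundle: $new" >&2; return 1; }
    pem_bodies "$old" >/dev/null || { echo "malformed bundle: $old" >&2; return 1; }
    extra=$(awk '
        /^-----BEGIN CERTIFICATE-----/ { inb = 1; body = ""; text = $0; next }
        inb && /^-----END CERTIFICATE-----/ {
            inb = 0
            if (pass == 2 && !(body in seen)) print text "\n" $0
            seen[body] = 1; next
        }
        inb { text = text "\n" $0; line = $0; gsub(/[ \t\r]/, "", line); body = body line }
    ' pass=1 "$new" pass=2 "$old")
    cat "$new" >"$out.tmp" || return 1
    if [ -n "$extra" ]; then printf '%s\n' "$extra" >>"$out.tmp"; fi
    mv "$out.tmp" "$out" || return 1
    printf '%s\n' "$extra" | awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# Constructed sample input: placeholder base64 text, not real certificates.
block() { printf '%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'; }
demo() {
    d=$(mktemp -d) || return 1
    { block "QUFBQQ=="; block "QkJCQg=="; block "Q0NDQw=="; } >"$d/old.crt"
    { block "Q0NDQw=="; block "RERERA=="; } >"$d/new.crt"
    merge_bundles "$d/new.crt" "$d/old.crt" "$d/merged.crt"   # prints 2
    rm -rf "$d"
}
demo
```

A root that is present in the old bundle but absent from the new one may have been dropped deliberately, so review the appended blocks before pushing the merged file to the device.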
Old 11-06-2022, 04:52 AM   #58
bugmen00t
Connoisseur
Posts: 65
Karma: 100000
Join Date: Aug 2015
Device: Kindle Keyboard + Kindle Voyage WiFi + Kindle PW11 Kids
Quote:
Originally Posted by katadelos View Post
Use USBNet + SSH to access the FS

There's 2 places where SSL certificates are stored, /etc/ssl/ca-certificates.crt and /usr/java/lib/security/cacerts. The first is a plaintext file where the certificates can just be appended and the second is a standard Java keystore which can be edited by keytool using either changeit or passwordchanged as the password (the latter in your case, I think). keytool isn't included on the actual device so you'd need to copy the file to a PC with keytool installed, make changes, then push it back to the device.
Is it technically possible to create an MRPI-compatible update or KUAL plugin that could be used to backup/update/remove/replace certificates on jailbroken Kindles?
Old 11-06-2022, 11:30 AM   #59
j.p.s
Grand Sorcerer
Posts: 5,275
Karma: 98804578
Join Date: Apr 2011
Device: pb360
Quote:
Originally Posted by bugmen00t View Post
Is it technically possible to create an MRPI-compatible update or KUAL plugin that could be used to backup/update/remove/replace certificates on jailbroken Kindles?
Yes. The KUAL extension would probably require a lot less effort.
Old 01-19-2024, 09:14 AM   #60
paperscreen
Enthusiast
Posts: 27
Karma: 10
Join Date: Dec 2023
Device: K3
I am trying to update certs for K3 and I am getting this error:

/etc/ssl/certs$ update-ca-certificates
-sh: update-ca-certificates: Permission denied

I am using WinSCP and it looks like I am logged in as root.

/etc/ssl/certs$ ls -l $(which update-ca-certificates)
-rw-r--r-- 1 root root 13831 Jan 19 14:27 ca-certificates.conf

Am I doing something wrong?