SSL Funambol on Android without adding Certificates

December 26, 2011 at 22:36 (Android)

Recently I wrote a blog entry about how to add a root certificate to the keystore of your rooted Android device for using Funambol over SSL.
This works perfectly as long as you have root access to the device.

Sometimes you end up in a situation where you cannot root the device, e.g. in a corporate environment, or you just don’t want to crack a new device only to get the Funambol client working, like me for now.

I’ve got a new Motorola Xoom and needed funambol to sync my contacts and calendar entries.

After asking Mr. Google there are only 2 ways till Android 4.x is ready:

  • Using HTTP without SSL
  • Using SSL and recoding the Funambol client to accept all certs (so the server’s identity is no longer verified)

I decided to use the 2nd solution – this also refreshes my Java a little bit :-)

Of course I want to share everything with you – if you’re too lazy to read all the stuff you can point your Android client here to install my compiled Funambol 10.0.8 client without the certificate check:

funambol-android-client-10.0.8-devBioS.apk


Adding Root Certificates to Android Phone with root access

August 23, 2011 at 22:24 (Computer)

Yeah, after being really busy with my real life, here is another interesting trick for you:

How to get some more root certificates onto an Android phone where you have root access (or, at least, you can start & use Root Explorer).

Some background info:
I use a Funambol community server to keep my phones and Outlook in sync, and recently my colleague Sven did a great job converting my HTC HD2 from WinMobile to Android 2.x (kudos to him! thanks!).

Update on 2011-12-27: I changed the client to allow self-signed certificates: here

The challenge is that if you use Funambol with self-signed SSL certificates you need to get those recognized by Android, which is a really complicated task if you don’t know how. But here we go:

What you need beforehand (and what I don’t describe):

Our steps include:

  1. Export the certificate out of the Funambol Java keystore
  2. Get the cacerts.bks from the Android device
  3. Modify the cacerts.bks of Android
  4. Reboot and finished

Step 1 – Export the funambol certificate

  • Execute  "%JAVA_HOME%\bin\keytool" -export -alias tomcat -file myroot.cer  (in detail like here)
  • Copy the myroot.cer to the SD card of the Android device (or download it to another computer)

Step 2

  • Insert the SD card into the Android device, start up Root Explorer and navigate to /etc/security/
  • Copy the file cacerts.bks
  • Navigate to /sd-card and paste the file
  • Insert the SD card into another computer
  • Go and execute the Portecle keytool and open the cacerts.bks from your SD card
  • When prompted for a password, just hit Enter
  • Go to Tools -> Import Key Pair and select your myroot.cer, give it any name you want
  • Save the cacerts.bks
  • Re-insert the SD card into the Android device
  • Open up Root Explorer, head to /sd-card, copy, paste to /etc/security/
  • Make sure Root Explorer shows “mounted as r/w” in the header of the program.
  • Set the permissions of the newly copied cacerts.bks to rw-r--r-- (owner, group, other: read; owner: write)

Step 3

  • Double-check that the permissions of cacerts.bks are set correctly to rw-r--r--
  • restart the phone
  • funambol sync should now complete.
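
Anything imported into cacerts.bks is trusted as a root for every TLS connection the device makes, so it is worth confirming that myroot.cer really is the server's certificate before Step 2. The following check is an added example, not part of the original post; the `Get-CertReport` helper and the fingerprint placeholder are assumptions, and the expected SHA-256 fingerprint is meant to be read directly on the Funambol server (for instance from `keytool -list -v -alias tomcat` on a JDK that prints SHA-256).

```powershell
# Added example: inspect myroot.cer before importing it into cacerts.bks.
param(
    [string]$CertPath = '.\myroot.cer',
    # Placeholder: paste the SHA-256 fingerprint read directly on the server.
    [string]$ExpectedSha256 = '<SHA-256 fingerprint from the server>'
)

function Get-CertReport {
    # Hypothetical helper: summarises the exported certificate.
    param([string]$Path, [string]$Expected)

    $full = (Resolve-Path -Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

    # SHA-256 over the DER encoding, the same value keytool prints as "SHA256:".
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hex = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''

    # Accept the expected value with or without colons, in any letter case.
    $want = ($Expected -replace '[^0-9A-Fa-f]', '').ToUpper()
    $now  = Get-Date

    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        SelfSigned      = $cert.Subject -eq $cert.Issuer
        NotBefore       = $cert.NotBefore
        NotAfter        = $cert.NotAfter
        CurrentlyValid  = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        Sha256          = $hex
        MatchesExpected = ($want.Length -eq 64) -and ($hex -eq $want)
    }
}

$report = Get-CertReport -Path $CertPath -Expected $ExpectedSha256
$report | Format-List

if (-not $report.MatchesExpected) {
    Write-Warning 'Fingerprint does not match the value taken from the server; do not import this file.'
    exit 1
}
if (-not $report.CurrentlyValid) {
    Write-Warning 'Certificate is outside its validity period; the sync will still fail after import.'
}
```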

Have phun to be in sync!

P.S. Keep in touch! The next XBee blog posts are half-way written, but I really don’t have time ATM… sry

QuickFix: IE8 hangup opening intranet pages

April 11, 2011 at 16:53 (Windows)

Something that I always hate is when there is no update and a product stops working so I cannot do my work anymore.

In this case I (am forced to) use Internet Explorer to open up several intranet pages that allow me to do my administration work.

The problem sums up like this:

  • Google, and everything else on “the internet”, works seamlessly
  • Opening something internal just hangs IE8 for a couple of minutes, and then it just stops loading without an error
  • Same in FireFox with IETab installed
  • same in IE 7 + IE 8 64 bit and 32 bit

The solution is as easy as it is stupid:

In “Internet Options” -> “Security” the “Local Intranet” zone is set up with “Protected Mode” disabled.
Enabling it fixed the problem instantly for IE8, IE7 and Firefox with IETab.

Weekend Project: Connect a letterbox to Jabber with XBee

May 16, 2010 at 19:05 (Electronics, linux)

As I promised, this is my first XBee project. I just needed a more or less useful application where I can “test” the XBees in a real environment.

It is in my nature to do crazy things, so I thought it would be really cool to get a Jabber notification message on my phone when someone puts some letters for me in my letterbox. Here it is ;)

01-08-2010 Update:
The FTDI chip gives me a fscking LOT of PAIN; more to come in the next post. DO NOT USE IT :)

This is my Setup:

  • XBee “Coordinator” in API mode, connected through an FTDI USB chip to a Linux box
  • XBee “End Device” interfaced with an Atmel ATTiny13v, powered by two 1.5 V AA batteries
  • Perl XBee module API.pm from Thomas Jager
  • Jabber Perl modules to enable sending messages
  • Siemens S685IP DECT phone that can receive Jabber messages

Before you read further you should note that I flashed the ZIGBEE firmware (XB24-ZB) API on my XBees because I don’t want to miss the mesh feature.

This setup has now been running with 2x alkaline batteries in the End Device for 4 weeks, and is still running!

Evening Project: The Brain Machine

May 16, 2010 at 17:52 (Electronics)

Recently, well, 1 year ago, I read in The Make Zine about a project called “The Brain Machine”.

This is a modified Atmel circuit that claims: “Get altered states of consciousness with this microcontroller-driven sound and light device.” by Mitch Altman.


Sick My XBEE

April 10, 2010 at 21:14 (Electronics, Uncategorized)

This is the story I had last weekend with some cool chips named “XBEE”.
These chips are intelligent RS-232 -> wireless senders and receivers that can stick together to form a so-called mesh network.

First I have to explain the terminology:
“Coordinator” – is the main boss of the network, who coordinates everything and lets routers and endpoints connect
“Router” – is an endpoint that can also route packets, and other endpoints can connect to it.
“End Device” – is an endpoint that no one can connect to – it is designed to save energy and run from batteries.

Mesh networking is really fantastic because you can have a coordinator (“middle”) which is connected to routers and end devices, and it is “self-healing”: this means that if a router is powered off, packets automatically get routed through another reachable router, so packets can still arrive at their destination.
If an End Device doesn’t have a connection to a router or the coordinator, put a router in between and it will connect seamlessly without configuring routing or anything manually.

More about the theory you can find in the references section at the end of my Post.

Okay, first a Picture of my actual “Setup” then the painful story :)


Multi-Boot USB Thumb Drive

February 14, 2010 at 01:34 (linux, Uncategorized)

Ever thought it might be cool to have just one USB stick from which all your individual security / pentest / recovery / hack-a-tack bootdiscs can be booted?

I thought so!

Crawling the Internet looks promising and shows two different ways to get a bootdisc onto your USB thumb drive:

  • Booting a bootdisc as an ISO stored on the drive (which is not compatible with most bootdiscs)
  • Booting a bootdisc ISO extracted to an extra partition on the USB drive (which is more compatible)

Remember: both ways are possible on a single Stick, so you can have ISO’s there AND extra partitions with the contents of the original ISO.


Microsoft, please get a XBOX QA-Responsible!

February 1, 2010 at 17:17 (Computer, Everything Else)

Lol lol lol…

What I really like when I hear “Microsoft” is that they want to make good products but they always manage to make a very uber big FAIL.
I must say I’m not a fan of this company - but I use, like a lot of people, some of their products.

Today I started playing XBOX360 in a free time slot I had between my job and my family…
Playing playing pla, – zzzz – Freeze
Damn. Ok no prob. Console turned off and on again.

But what the heck is that?! 3 red lights?
Fuck! This is the red ring of death.


SipToSis with Asterisk

February 1, 2010 at 16:59 (Asterisk)

I was a little busy these days, had a lot of work to do like re-waterproofing my bathtub..

2010-02-17 Edit: Please read the references shown at the end of this post for a HowTo on exactly how to install SipToSis! If I find the time I can write a detailed HowTo with display environment variables etc., but only if I get some comments asking for it :)

Nevertheless I finally managed to get a working Skype <-> Asterisk connection via SipToSis. Hurray!
I didn’t get Skypeiax to work..

This is how i did it - with Asterisk 1.4.x branch on the same machine skype should also do – running Debian 5.0


Windows 7, Windows XP and the strange Active Directory

September 17, 2009 at 14:04 (Windows)

Windows 7 and Windows XP just give different error messages for the same problem, mainly when you are in MANY AD groups (like me) and you want to work with that system:

Windows XP says most of the time:
“Not enough Storage is availible to Complete this command”

Windows 7 says:
“Naming information cannot be located because:

The system detected a possible attempt to compromise security.
Please ensure that you can contact the server that authenticated you.
Contact your system administrator to verify that your domain is properly configured and is currently online.”

Under Win7 even Outlook 2007 didn’t want to start!

Win7 Kerberos Problem

Here is the detailed cause and solution to the Problem:

Cause:
The user is not able to authenticate because the Kerberos token that is generated during authentication attempts has a fixed maximum size.

Transports such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication. In Windows 2000 (the original released version), the MaxTokenSize value is 8,000 bytes. In Windows 2000 Service Pack 2 (SP2) and Microsoft Windows Server 2003, the MaxTokenSize value is 12,000 bytes.

If a user is a member of more than 120 groups, the buffer that is determined by the MaxTokenSize value is not large enough. As a result, users cannot authenticate, and they may receive an “out of memory” error message. Before you apply the hotfix that is described in this article, every group that is added to a user account increases this buffer by 40 bytes.

NOTE: In many scenarios, Windows NTLM authentication works as expected; you may not see the Kerberos authentication problem without analysis. However, scenarios in which Group Policy settings are applied may not work as expected.

Solution:

A registry parameter is available after you apply this hotfix that you can use to increase the Kerberos token size. For example, increasing the token size to 65 KB allows a user to be present in more than 900 groups. Because of the associated SID information, this number may vary.

To use this parameter:

  1. Start Registry Editor (Regedt32.exe).
  2. Locate and click the following key in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  3. If this key is not present, create the key. To do so:
    • Click the following key in the registry: System\CurrentControlSet\Control\Lsa\Kerberos
    • On the Edit menu, click Add Key.
    • Create a Parameters key.
    • Click the new Parameters key.
  4. On the Edit menu, click Add Value, and then add the following registry value:
    • Value name: MaxTokenSize
    • Data type: REG_DWORD
    • Radix: Decimal
    • Value data: 65535
  5. Quit Registry Editor.

The default value for MaxTokenSize is 12000 decimal. We recommend that you set this value to 65535 decimal, FFFF hexadecimal. If you set this value incorrectly to 65535 hexadecimal (an extremely large value) Kerberos authentication operations may fail, and programs may return errors.
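
The registry steps above can be scripted so that the decimal/hexadecimal mix-up cannot happen. This is an added example, not part of the original post or of Microsoft's article; it assumes an elevated PowerShell session, only audits unless `-Apply` is given (a switch introduced here), and uses the 40 bytes per group figure from the text as a rough indicator rather than an exact token size.

```powershell
# Added example: audit (and with -Apply, set) the Kerberos MaxTokenSize value.
param([switch]$Apply)

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$name    = 'MaxTokenSize'
$default = 12000     # default stated in the text (decimal)
$target  = 65535     # recommended value from the text: 65535 decimal = 0xFFFF
$hexTypo = 0x65535   # "65535" entered with the hexadecimal radix by mistake

# 1. Group count of the current user, compared with the 120-group limit in the text.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groups   = $identity.Groups.Count
[pscustomobject]@{
    User           = $identity.Name
    GroupSids      = $groups
    GroupBytesAt40 = $groups * 40
    Over120Groups  = $groups -gt 120
} | Format-List

# 2. Read the configured value, if the key and value exist.
$current = $null
if (Test-Path -Path $keyPath) {
    $current = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
}
if ($null -eq $current) {
    Write-Output "MaxTokenSize is not set; the default of $default applies."
} elseif ($current -eq $hexTypo) {
    Write-Warning ("MaxTokenSize is {0} (0x{0:X}): 65535 was entered as hexadecimal." -f $current)
} else {
    Write-Output ("MaxTokenSize is {0} (0x{0:X})." -f $current)
}

# 3. Create the Parameters key if it is missing and write the value as REG_DWORD.
if ($Apply -and ($current -ne $target)) {
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord -Value $target -Force | Out-Null
    $after = (Get-ItemProperty -Path $keyPath -Name $name).$name
    Write-Output ("MaxTokenSize set to {0} (0x{0:X})." -f $after)
}
```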
