Bembel-B Blog

2007/04/18

Freenet.de FreeMail IMAP Access with SSL/TLS Encryption on Sony Ericsson K750i Mobile

The CA certificate of freenet.de's certificate used for encrypted mailbox access was missing on my K750i. Trying to access my IMAP mailbox with SSL/TLS activated, it aborted with an error about an untrusted certificate or something like that.

I found out by sniffing my PC mail client Evolution with tcpdump/Wireshark that the needed CA certificate is “TC TrustCenter Class 2 CA” by http://trustcenter.de/.
The K750i expects uploaded certificate files to be in DER format with the file extension cer. Download the DER file http://trustcenter.de/certservices/cacerts/tcclass2-2011.der as found at http://trustcenter.de/root_certificates.htm and rename it to tcclass2-2011.cer. Then upload the file to your mobile for example via Bluetooth and enjoy secure E-Mail access!

If you want to check the certificate being correctly installed, go to Settings > Connectivity: Internet settings > Security > Trusted cert. and you should find it at the bottom of the list.

This solution should most likely also cover POP3/SMTP access as well as paid freenet mail accounts and should be working on similar Sony Ericsson mobile phones.

I tried to do the same for GMX.net's CA “Thawte Premium Server CA” found in the Zip file available here: http://www.thawte.com/roots/index.html. But sadly the included ThawtePremiumServerCA.cer (resp. identical ThawtePremiumServerCA.509) were not installable. After accepting the file transfer the phone kept flashing between white and black screen with backlights on and off and finally returned to the contacts menu after some message like “loading contacts…”.
I had the same effect when I first uploaded the PEM file from TrustCenter to the phone. But PEM files are base64 encoded and DER files are “binary”. Probably the certificate has to be converted with something like OpenSSL. Eventually I’ll try to get this working, but it isn’t that important for me now.

UPDATE

I finally got this Thawte certificate installed. But I haven’t tested yet whether it’s working.

My first attempt was to convert the base64 certificate to DER format with the command below, which resulted in an identical file as already provided.

openssl x509 -in ThawtePremiumServerCA_b64.txt -inform PEM -out ThawtePremiumServerCA_conv.cer -outform DER

Looking at the plain text certificate, I only found the X509v3 extensions to be different from the TrustCenter certificate. To see the plain text cert I did this:

[scheff@p512o downloads]$ openssl x509 -in ThawtePremiumServerCA_b64.txt -inform PEM -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
        Validity
            Not Before: Aug  1 00:00:00 1996 GMT
            Not After : Dec 31 23:59:59 2020 GMT
        Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
         Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d2:36:36:6a:8b:d7:c2:5b:9e:da:81:41:62:8f:
                    38:ee:49:04:55:d6:d0:ef:1c:1b:95:16:47:ef:18:
                    48:35:3a:52:f4:2b:6a:06:8f:3b:2f:ea:56:e3:af:
                    86:8d:9e:17:f7:9e:b4:65:75:02:4d:ef:cb:09:a2:
                    21:51:d8:9b:d0:67:d0:ba:0d:92:06:14:73:d4:93:
                    cb:97:2a:00:9c:5c:4e:0c:bc:fa:15:52:fc:f2:44:
                    6e:da:11:4a:6e:08:9f:2f:2d:e3:f9:aa:3a:86:73:
                    b6:46:53:58:c8:89:05:bd:83:11:b8:73:3f:aa:07:
                    8d:f4:42:4d:e7:40:9d:1c:37
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        26:48:2c:16:c2:58:fa:e8:16:74:0c:aa:aa:5f:54:3f:f2:d7:
        c9:78:60:5e:5e:6e:37:63:22:77:36:7e:b2:17:c4:34:b9:f5:
        08:85:fc:c9:01:38:ff:4d:be:f2:16:42:43:e7:bb:5a:46:fb:
        c1:c6:11:1f:f1:4a:b0:28:46:c9:c3:c4:42:7d:bc:fa:ab:59:
        6e:d5:b7:51:88:11:e3:a4:85:19:6b:82:4c:a4:0c:12:ad:e9:
        a4:ae:3f:f1:c3:49:65:9a:8c:c5:c8:3e:25:b7:94:99:bb:92:
        32:71:07:f0:86:5e:ed:50:27:a6:0d:a6:23:f9:bb:cb:a6:07:
        14:42
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
[scheff@p512o downloads]$ openssl x509 -in tcclass2-2011.pem -inform PEM -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1002 (0x3ea)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 2 CA/emailAddress=certificate@trustcenter.de
        Validity
            Not Before: Mar  9 11:59:59 1998 GMT
            Not After : Jan  1 11:59:59 2011 GMT
        Subject: C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 2 CA/emailAddress=certificate@trustcenter.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:da:38:e8:ed:32:00:29:71:83:01:0d:bf:8c:01:
                    dc:da:c6:ad:39:a4:a9:8a:2f:d5:8b:5c:68:5f:50:
                    c6:62:f5:66:bd:ca:91:22:ec:aa:1d:51:d7:3d:b3:
                    51:b2:83:4e:5d:cb:49:b0:f0:4c:55:e5:6b:2d:c7:
                    85:0b:30:1c:92:4e:82:d4:ca:02:ed:f7:6f:be:dc:
                    e0:e3:14:b8:05:53:f2:9a:f4:56:8b:5a:9e:85:93:
                    d1:b4:82:56:ae:4d:bb:a8:4b:57:16:bc:fe:f8:58:
                    9e:f8:29:8d:b0:7b:cd:78:c9:4f:ac:8b:67:0c:f1:
                    9c:fb:fc:57:9b:57:5c:4f:0d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            Netscape CA Policy Url:
                http://www.trustcenter.de/guidelines
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
    Signature Algorithm: md5WithRSAEncryption
        84:52:fb:28:df:ff:1f:75:01:bc:01:be:04:56:97:6a:74:42:
        24:31:83:f9:46:b1:06:8a:89:cf:96:2c:33:bf:8c:b5:5f:7a:
        72:a1:85:06:ce:86:f8:05:8e:e8:f9:25:ca:da:83:8c:06:ac:
        eb:36:6d:85:91:34:04:36:f4:42:f0:f8:79:2e:0a:48:5c:ab:
        cc:51:4f:78:76:a0:d9:ac:19:bd:2a:d1:69:04:28:91:ca:36:
        10:27:80:57:5b:d2:5c:f5:c2:5b:ab:64:81:63:74:51:f4:97:
        bf:cd:12:28:f7:4d:66:7f:a7:f0:1c:01:26:78:b2:66:47:70:
        51:64
-----BEGIN CERTIFICATE-----
MIIDXDCCAsWgAwIBAgICA+owDQYJKoZIhvcNAQEEBQAwgbwxCzAJBgNVBAYTAkRF
MRAwDgYDVQQIEwdIYW1idXJnMRAwDgYDVQQHEwdIYW1idXJnMTowOAYDVQQKEzFU
QyBUcnVzdENlbnRlciBmb3IgU2VjdXJpdHkgaW4gRGF0YSBOZXR3b3JrcyBHbWJI
MSIwIAYDVQQLExlUQyBUcnVzdENlbnRlciBDbGFzcyAyIENBMSkwJwYJKoZIhvcN
AQkBFhpjZXJ0aWZpY2F0ZUB0cnVzdGNlbnRlci5kZTAeFw05ODAzMDkxMTU5NTla
Fw0xMTAxMDExMTU5NTlaMIG8MQswCQYDVQQGEwJERTEQMA4GA1UECBMHSGFtYnVy
ZzEQMA4GA1UEBxMHSGFtYnVyZzE6MDgGA1UEChMxVEMgVHJ1c3RDZW50ZXIgZm9y
IFNlY3VyaXR5IGluIERhdGEgTmV0d29ya3MgR21iSDEiMCAGA1UECxMZVEMgVHJ1
c3RDZW50ZXIgQ2xhc3MgMiBDQTEpMCcGCSqGSIb3DQEJARYaY2VydGlmaWNhdGVA
dHJ1c3RjZW50ZXIuZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANo46O0y
AClxgwENv4wB3NrGrTmkqYov1YtcaF9QxmL1Zr3KkSLsqh1R1z2zUbKDTl3LSbDw
TFXlay3HhQswHJJOgtTKAu33b77c4OMUuAVT8pr0VotanoWT0bSCVq5Nu6hLVxa8
/vhYnvgpjbB7zXjJT6yLZwzxnPv8V5tXXE8NAgMBAAGjazBpMA8GA1UdEwEB/wQF
MAMBAf8wDgYDVR0PAQH/BAQDAgGGMDMGCWCGSAGG+EIBCAQmFiRodHRwOi8vd3d3
LnRydXN0Y2VudGVyLmRlL2d1aWRlbGluZXMwEQYJYIZIAYb4QgEBBAQDAgAHMA0G
CSqGSIb3DQEBBAUAA4GBAIRS+yjf/x91AbwBvgRWl2p0QiQxg/lGsQaKic+WLDO/
jLVfenKhhQbOhvgFjuj5Jcrag4wGrOs2bYWRNAQ29ELw+HkuCkhcq8xRT3h2oNms
Gb0q0WkEKJHKNhAngFdb0lz1wlurZIFjdFH0l7/NEij3TWZ/p/AcASZ4smZHcFFk
-----END CERTIFICATE-----

So I simply added the missing X509v3 extensions to the text file and converted it to DER like this:

$ openssl x509 -in ThawtePremiumServerCA_b64.txt -inform PEM -text > ThawtePremiumServerCA_text.txt
$ vi ThawtePremiumServerCA_text.txt 
$ openssl x509 -in ThawtePremiumServerCA_b64.txt -inform PEM -text | diff - ThawtePremiumServerCA_text.txt
27a28,33
>             X509v3 Key Usage: critical
>                 Digital Signature, Certificate Sign, CRL Sign
>             Netscape CA Policy Url:
>                 http://www.thawte.com/en/ssl-digital-certificates/free-guides-whitepapers
>             Netscape Cert Type:
>                 SSL CA, S/MIME CA, Object Signing CA
$ openssl x509 -in ThawtePremiumServerCA_text.txt -inform PEM -outform DER -out ThawtePremiumServerCA_text.cer

You can download the edited certificate in text and DER format here.
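
Added example, not part of the original post: openssl x509 with -inform PEM decodes only the base64 block between the BEGIN/END lines, so the check below repeats the dump, edit and convert steps and compares the resulting DER files and their fingerprints. It uses a throwaway self-signed CA generated on the spot (constructed test data, not a real root), and the function names der_fingerprint and text_edit_effect are made up for this sketch.

```shell
#!/bin/sh
# Added example: everything here is a constructed throwaway CA, not a real root.
set -eu

# SHA-256 fingerprint of a DER file: the value to compare with the one
# the CA publishes before the file goes into a trust store.
der_fingerprint() {
    openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256 | cut -d= -f2
}

# Repeat the dump / edit / convert steps inside directory $1 and print
# "same" if the DER built from the edited dump equals the original DER.
text_edit_effect() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl x509 -in "$dir/ca.pem" -inform PEM -outform DER -out "$dir/orig.cer"

    # Human-readable dump followed by the PEM block, as in the post.
    openssl x509 -in "$dir/ca.pem" -inform PEM -text > "$dir/dump.txt"

    # Stand-in for the hand edit: add extension lines to the readable part only.
    awk '{ print }
         /Exponent:/ { print "            Netscape Cert Type:"
                       print "                SSL CA, S/MIME CA, Object Signing CA" }' \
        "$dir/dump.txt" > "$dir/edited.txt"
    if cmp -s "$dir/dump.txt" "$dir/edited.txt"; then
        echo "edit not applied"; return 1
    fi

    openssl x509 -in "$dir/edited.txt" -inform PEM -outform DER -out "$dir/edited.cer"
    if cmp -s "$dir/orig.cer" "$dir/edited.cer"; then echo same; else echo different; fi
}

demo_dir=$(mktemp -d)
text_edit_effect "$demo_dir"
echo "original: $(der_fingerprint "$demo_dir/orig.cer")"
echo "edited:   $(der_fingerprint "$demo_dir/edited.cer")"
rm -rf "$demo_dir"
```

The same der_fingerprint call on a downloaded .cer file gives the value to compare against the fingerprint the CA publishes before the file is sent to the phone.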

ChangeLog

[070429 Further attempts with Thawte Premium Server CA certs. Add photo.]
[2009-04-26: Fix box.net links.]

2007/03/04

Amarok Bluetooth Remote for Sony Ericsson K750i Mobile Phone

A few weeks ago I purchased a shiny new mobile phone, the Sony Ericsson K750i, to replace my good ole Sony Ericsson T610. A nice feature of the K750i are the freely configurable Bluetooth Remotes via BT HID, which are also available on other models.

So I wanted to remote control my favoured music player Amarok. I found a ready-made HID configuration by tnt, but unfortunately the keystrokes were not the default Amarok global hotkeys’ ones and also conflicted with the default Gnome shortcuts. With the help of Stefan Tomanek’s great website and the HID Usage Tables Reference (page 53) I modified the Remote Control keys to match the Amarok defaults.

A ready to use .hid file is now available from my Box.net share.

If I wasn’t lazy right now, I would provide the new HID profile ready to use – an uncompressed tar archive containing the GUI screen as JPEG image and the HID configuration as a UNIX style XML file. But I’ll have to add the GPL stuff first. So for now here’s the diff of the key codes:

[scheff@p512o amarok-hid]$ diff *kcf*
6c6
<         <KEYBOARD MODIFIERS = "0A" USAGEID = "56"/> <!-- REWIND -->
---
>         <KEYBOARD MODIFIERS = "05" USAGEID = "50"/> <!-- REWIND -->
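Review bot: The comment on the new line 6 still names only the action (REWIND); spelling out the key combination that MODIFIERS = "05" with USAGEID = "50" stands for, here and in the hunks below, would let a reader check each binding against the Amarok hotkey settings without looking up the HID usage table.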
11c11
<         <KEYBOARD MODIFIERS = "08" USAGEID = "06"/> <!-- PLAY -->
---
>         <KEYBOARD MODIFIERS = "05" USAGEID = "4A"/> <!-- PLAY -->
16c16
<         <KEYBOARD MODIFIERS = "0A" USAGEID = "57"/> <!-- FAST FORWARD -->
---
>         <KEYBOARD MODIFIERS = "05" USAGEID = "4F"/> <!-- FAST FORWARD -->
21c21
<         <KEYBOARD MODIFIERS = "08" USAGEID = "1D"/> <!-- PREV -->
---
>         <KEYBOARD MODIFIERS = "05" USAGEID = "4B"/> <!-- PREV -->
26c26
<         <KEYBOARD MODIFIERS = "08" USAGEID = "19"/> <!-- STOP -->
---
>         <KEYBOARD MODIFIERS = "05" USAGEID = "16"/> <!-- STOP -->
31c31
<         <KEYBOARD MODIFIERS = "08" USAGEID = "05"/> <!-- NEXT -->
---
>         <KEYBOARD MODIFIERS = "05" USAGEID = "4E"/> <!-- NEXT -->
36c36
<         <KEYBOARD MODIFIERS = "08" USAGEID = "10"/> <!-- MUTE -->
---
>         <KEYBOARD MODIFIERS = "05" USAGEID = "10"/> <!-- MUTE -->
41c41
<         <KEYBOARD MODIFIERS = "08" USAGEID = "57"/> <!-- VOL UP -->
---
>         <KEYBOARD MODIFIERS = "01" USAGEID = "57"/> <!-- VOL UP -->
46c46
<         <KEYBOARD MODIFIERS = "08" USAGEID = "56"/> <!-- VOL DOWN -->
---
>         <KEYBOARD MODIFIERS = "01" USAGEID = "56"/> <!-- VOL DOWN -->
50c50
< </SONY_ERICSSON_REMOTE_CONTROL_CONFIGURATION>
---
> </SONY_ERICSSON_REMOTE_CONTROL_CONFIGURATION>
\ Kein Zeilenumbruch am Dateiende.
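Review bot: The new file ends without a newline, as the backslash marker after line 50 shows, so the closing tag is reported as changed although its text is identical. Ending the file with a newline would drop this hunk from the diff and fits the UNIX style XML file the post mentions.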

To get this running on my Fedora Core 5 box, all I had to do was upload the HID configuration to my mobile:

obex_push 5 00:11:22:33:44:55 AmaroK.hid

Then on the phone start the remote choosing my FC5 box as target and connect my HID Server with:

hidd --connect 00:11:22:33:44:55

To remove the connection again, use:

hidd --unplug 00:11:22:33:44:55

Don’t know if that’s necessary, but I had paired phone and PC before.

Have fun! And may the power-source be with you! :]

ChangeLog

[070429 Fix minor typo. Add download link. Add photo.]
