Difference between revisions of "Luxtrust"

From LiluxWiki
Line 22: Line 22:
 
Which means that BCEE's SNET now works neither in 32 bits, nor in 64 bits.
 
Which means that BCEE's SNET now works neither in 32 bits, nor in 64 bits.
  
A [http://prophecy.lu/pipermail/lilux-help/2012-June/001622.html workaround] exists though:
+
A workaround exists though, using the following bookmarklet:
  
1. In <code>/etc/hosts</code> , add the following line:
+
javascript:(function(){oslib=navigator.platform.toLowerCase();if(/^lin.*64/.exec(oslib)){oslib='64';}else{oslib='32'};sel=document.querySelector('applet');txt=sel.archive;txt=txt.replace(/[^,]*LIN32_[a-z0-9.]*.jar/,'https://managing.luxtrust.lu/applets/public/LuxTrust_Gemalto_CryptoTI_Adapter_LIN'+oslib+'_1.4.1.jar');sel.setAttribute('archive',txt);sel.outerHTML+='';})()]
  
127.0.0.1      bcee.snet.lu
+
This replaces the pointer to the faulty copy of the Luxtrust jar on the bank site with a pointer to the original on Luxtrust's own site.
  
2. If not yet there, install Apache.
+
To install, right-click on your bookmark folder, chose <code>New Bookmark</code> and set the above string as the <code>Location</code>.
  
3. Create a file with the following contents in <code>/etc/apache2/sites-available/bcee</code> :
+
Alternatively, you may also go to http://www.alain.knaff.lu/Luxtrust/bookmarklet.html and simply drag the Fix homebanking link to your bookmark folder.
  
  <VirtualHost *:443>
+
Then go to bcee.lu and navigate to SNET normally. When the error message pops up, click the bookmark.
        ServerName bcee.snet.lu
 
 
        SSLEngine on
 
        SSLCertificateFile /etc/apache2/ssl/server.crt
 
        SSLCertificateKeyFile /etc/apache2/ssl/server.key
 
 
        ProxyPreserveHost on
 
        ProxyPass /ssogate/LuxTrust_Gemalto_CryptoTI_Adapter_LIN32_1.4.jar !
 
        ProxyPass / https://195.46.224.5/
 
 
        Redirect /ssogate/LuxTrust_Gemalto_CryptoTI_Adapter_LIN32_1.4.jar https://managing.luxtrust.lu/applets/public/LuxTrust_Gemalto_CryptoTI_Adapter_LIN32_1.4.1.jar
 
  </VirtualHost>
 
  
 
+
Incidentally, this also works for Raiffeisen and CCP, but not for BGL (who resign the Luxtrust applet jars with their own key)
For 64 bit, the redirect line should be as follows instead:
 
        Redirect /ssogate/LuxTrust_Gemalto_CryptoTI_Adapter_LIN32_1.4.jar https://managing.luxtrust.lu/applets/public/LuxTrust_Gemalto_CryptoTI_Adapter_LIN64_1.4.1.jar
 
 
 
(note: we're still redirecting LIN32 due to BCEE's other error...)
 
 
 
The SSL certifcates in <code>/etc/apache2/ssl/server.crt</code> and <code>server.key</code> should exist (but don't need to be valid, just add them as an exception into firefox when prompted).
 
 
 
4. Activate the site:
 
 
 
a2ensite bcee
 
service apache2 reload
 
 
 
5. Now, connect to SNET as usual, add the certificate to Apache as an exception when prompted, and off you go!
 
 
 
A note of CAUTION: Apache doesn't check whether the certificate for 195.46.224.5 is authentic, theoretically making your connection to BCEE vulnerable to snooping. So don't use this if you don't trust your ISP, or any other ISP between you and BCEE. It is possible to secure the connection from your Apache proxy to BCEE using SSLProxyVerify on, but this is too complex to fit into this short note.
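Review bot: the added bookmarklet line will not survive wiki rendering as written. The `''` in `sel.outerHTML+='';` is MediaWiki italic markup and is consumed when the page is rendered, leaving `sel.outerHTML+=;`, which is a JavaScript syntax error. The trailing `]` after `})()` is a leftover from the removed external-link syntax. Wrap the whole string in <nowiki> or <pre> and drop the `]`, so that readers who copy it from the page get a working bookmark. In the added sentences, "chose" should be "choose" and "resign" should be "re-sign".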
 

Revision as of 20:36, 15 June 2012

As of June 2012, Luxtrust now fully supports 64 bit systems.

A 64-bit middleware is available from their site, and moreover they've made available a "wrapper" to allow bank applets to call this middleware.

As an end user, you only need to download and install the middleware. Banks install the wrapper jar on their site; as an end user you normally do not need to worry about this, unless a bank made a mistake setting up the wrapper.

The following versions of the wrapper are relevant to the discussions below:

  • 1.3 : last version without 64 bit support
  • 1.4 : first version with 64 bit support, but with buggy 32 bit support
  • 1.4.1 : 64 bit support, bug with 32 bit support fixed.

BGL, CCP, Raiffeisen

As of June 13th 2012, BGL, CCP and Raiffeisen still use the 1.3 version of the Luxtrust wrapper, which does not yet support 32 bit.

However, this mail explains how to set up a program which automatically replaces the 32 bit JNI with a 64 bit version downloaded from Luxtrust's site.

BCEE

As of June 13th 2012, BCEE has deployed the buggy 1.4 version of the wrapper. Moreover, their JavaScript responsible for detecting the browser's architecture and loading the appropriate wrapper does not distinguish between Linux 32 bit and Linux 64 bit, and always loads the 32 bit version.

Which means that BCEE's SNET now works neither in 32 bits, nor in 64 bits.

A workaround exists though, using the following bookmarklet:

javascript:(function(){oslib=navigator.platform.toLowerCase();if(/^lin.*64/.exec(oslib)){oslib='64';}else{oslib='32'};sel=document.querySelector('applet');txt=sel.archive;txt=txt.replace(/[^,]*LIN32_[a-z0-9.]*.jar/,'https://managing.luxtrust.lu/applets/public/LuxTrust_Gemalto_CryptoTI_Adapter_LIN'+oslib+'_1.4.1.jar');sel.setAttribute('archive',txt);sel.outerHTML+='';})()

This replaces the pointer to the faulty copy of the Luxtrust jar on the bank site with a pointer to the original on Luxtrust's own site.

To install, right-click on your bookmark folder, choose New Bookmark and set the above string as the Location.

Alternatively, you may also go to http://www.alain.knaff.lu/Luxtrust/bookmarklet.html and simply drag the Fix homebanking link to your bookmark folder.

Then go to bcee.lu and navigate to SNET normally. When the error message pops up, click the bookmark.

Incidentally, this also works for Raiffeisen and CCP, but not for BGL (who re-sign the Luxtrust applet jars with their own key).
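
The bookmarklet's rewrite of the applet's archive attribute, spelled out as a testable function. This is an added example, not part of the original wiki page; `linuxBits`, `rewriteArchive` and the sample archive list are names and values constructed here. It goes slightly beyond the one-liner by reporting whether any entry was actually replaced, so a page without the faulty LIN32 entry is left untouched.

```javascript
// Added illustration of what the bookmarklet does to the archive list.
const LUXTRUST_BASE = 'https://managing.luxtrust.lu/applets/public/';

// Constructed sample: snet.jar and other.jar are made-up entries; the
// middle entry is the faulty jar path the bank page points to.
const SAMPLE_ARCHIVE =
  'snet.jar,/ssogate/LuxTrust_Gemalto_CryptoTI_Adapter_LIN32_1.4.jar,other.jar';

// navigator.platform is e.g. "Linux x86_64" or "Linux i686".
function linuxBits(platform) {
  return /^lin.*64/.test(platform.toLowerCase()) ? '64' : '32';
}

// archive is the applet's comma-separated jar list. Only the first entry
// naming the LIN32 adapter is replaced; all other entries are kept as-is.
function rewriteArchive(archive, platform) {
  const fixed = LUXTRUST_BASE +
    'LuxTrust_Gemalto_CryptoTI_Adapter_LIN' + linuxBits(platform) + '_1.4.1.jar';
  let replaced = false;
  const entries = archive.split(',').map((entry) => {
    if (!replaced && /LIN32_[a-z0-9.]*\.jar$/.test(entry.trim())) {
      replaced = true;
      return fixed; // point at the original jar on Luxtrust's own site
    }
    return entry;
  });
  return { archive: entries.join(','), replaced };
}

// On a 64-bit Linux browser the LIN32 entry becomes the LIN64 1.4.1 jar.
console.log(rewriteArchive(SAMPLE_ARCHIVE, 'Linux x86_64'));
```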