Jornada 680 (WinCE 2.11 / H/PC 3.0) - SSL not working

SopaXorzTaker, posted 2017-06-29 2:30 PM
As I said in the subject. I use an Orinoco Silver (PC24E-H-FC) WLAN card (operating tethered to my Android phone).
When I try visiting any site via HTTPS, IE just fails: "Unable to establish secure connection".
I've already installed the 128-bit SSL driver which did not change anything.
I've even found an obscure utility called rootcert (from MS SQL Server CE 1.1), which can import certificates into the registry.
It successfully imported my DER-encoded root certificates (I was using the GeoTrust Global CA for testing); I verified that in regedit (from Power Toys 3.0).

Still, nothing else happened, and I am quite disappointed.
Any ideas?

Edited by SopaXorzTaker 2017-06-29 2:32 PM

Paianni, posted 2017-06-30 3:27 PM
Most secure sites require browsers far newer than those that were shipped with CE prior to the .net versions. Your best bet is an HPC2000 or CE.net device with RedGear/Opera 8.65.

I'm sure you're aware that versions prior to CE.net only support WEP encryption for Wi-Fi, which is known to be insecure.

C:Amie, posted 2017-06-30 3:47 PM
What hash is the DER using?

Dave Wurm, posted 2017-06-30 7:33 PM
A follow-up to the post by Paianni...
My experience with HPC2000 with RedGear and Opera 8.65 has been disappointing. I have been unable to establish secure connections to most https sites. There are a few rare exceptions... but they are usually sites where security is not essential. Unfortunately, I've had the same experience with the browsers available under Jlime for these devices.

C:Amie, posted 2017-06-30 9:08 PM
I suspect it's because the older OS doesn't know how to compute the hash required by modern SSL, it's been recommended since 2011 and mandatory since last year to use SHA2 or higher. Old CE didn't even support SHA1, just up to MD5. Let alone the algorithms necessary to perform the asymmetric encryption bit...

SopaXorzTaker, posted 2017-07-01 8:23 AM
I think that the major issue is that neither SSLv2 nor SSLv3 (the only secure protocols supported by SChannel in this version of WinCE) are used anymore.
When badssl.com fixes their SSLv2/3 test pages, I'll give them a check to see if that's the case.

This is quite sad, but we still have JLime.
Maybe there's some kind of a replacement schannel DLL which would support TLS v1.1+?

Edited by SopaXorzTaker 2017-07-01 8:26 AM

C:Amie, posted 2017-07-01 8:45 AM
Not without also implementing the hashes or asymmetric key protocols necessary to fulfil modern standards. schannel piggybacks on a whole stack of work that is missing in CE: DH, RSA, TKIP etc. It would be a rather monumental effort for someone, but I suppose they could at least borrow most of the principles from somewhere like Bouncy Castle.

SopaXorzTaker, posted 2017-07-01 8:51 AM
... or the SChannel from later versions of WinCE shipped under shared-source.

C:Amie, posted 2017-07-02 9:48 AM
SChannel.dll is not the only DLL that you will have to recompile and if you do it from CE7 you have to deal with all of the missing resource dependencies and unimplemented hooks from across the OS (Kernel and Shell). I imagine it would be easier to create a SChannel.dll stub that hooks onto someone else's runtime framework (or .net of course) and just do a clean break of the CE code.