HTTPS and SSL
Since version 0.16, WebOne can work as an HTTPS and TLS gateway. So you may open https:// websites in old browsers through WebOne, and access SSL/TLS-based servers from applications that can work with HTTPS proxies. For such software, the proxy server is able to downgrade the security level to a compatible one.
The HTTPS downgrade feature (which is actually decrypting the TLS traffic and then re-encrypting it with a new SSL/TLS session via WebOne) replaces the original server's certificate with WebOne's own certificate. All certificates are signed by the proxy server's root certificate, so it must be imported into the web browser's certificate authority store to make HTTPS work.
The proxy server's root certificate is unique for each WebOne installation and is generated on the first run of WebOne. To download it, open the proxy's status page (http://localhost:8080/) and click the "WebOne CA root certificate" link.
Microsoft Internet Explorer, Apple Safari and Google Chrome (including other Chromium-based browsers such as Opera 15+, Yandex, Atom, Otter) use the operating system's root certificate store. Mozilla-based applications and the Opera browser use their own store, configurable via the browser's preferences.
All internal pages, such as the status page, are available only via plain HTTP.
At this moment, the minimum level of SSL support is:
- Protocol: SSL 2.0
- Cipher strength: 40-bit RC4, MD5 hash
- Certificate: X.509 v3, MD5 signature
- All of this relies on the proxy server's OS version & configuration:
  - Windows 11 (default): TLS 1.2, AES 256-bit, SHA256
  - Windows 11 (tweaked): SSL 3.0, RC4 40-bit, MD5
  - Windows 8.1 (default): SSL 3.0, 3DES 128-bit, MD5
  - Windows 8.1 (tweaked): SSL 2.0, RC4 40-bit, MD5
  - Debian 12: TLS 1.2, AES 256-bit, SHA256
  - Ubuntu 24.04: SSL 3.0, AES 128-bit, MD5
The maximum available level is TLS 1.2 with 256-bit AES ciphers. It's compatible with Firefox 3, Internet Explorer 8 (on Windows 7), Chrome 47 and similar "modern" software, and these crypto algorithms are still considered secure.
✔️ So, HTTPS through WebOne works with these apps or newer versions of them:
- Microsoft Internet Explorer: 5.0 and up on Windows 95 or NT 4.0 or newer.
- Mozilla: 1.7 and up.
- Firefox, SeaMonkey: 1.0 and up.
- Netscape: 7.2 and up.
- Opera: 6.0 and up.
- Microsoft Pocket Internet Explorer: 4.01 and up.
- The list will be expanded in the future.
✔️ In some cases (modern Linux servers) WebOne will use only SHA-2 certificates and AES ciphers, which raises the system requirements for client browsers to:
- Microsoft Internet Explorer: any version on Windows XP SP3 or Vista or newer.
- Mozilla: 1.7 and up.
- Netscape: 7.2 and up.
- Firefox, SeaMonkey: 1.0 and up. Sometimes Firefox 3.0/SeaMonkey 2.0 is the minimum.
- Opera: 9.0 and up.
- Safari: 3.0 and up on Mac OS X 10.5+ or Windows XP SP3 or Vista+.
- Windows SSL applications: Windows XP SP3 or Vista+.
- Linux SSL applications: all that use OpenSSL 0.9.8o or newer.
- Mac OS X SSL applications: Mac OS X 10.5+.
- Konqueror: 3.5.6 and up.
- iPhone/iPad applications: iOS 3.0+.
- Windows Phone applications: 7.0+.
- Google Chrome: 38+ on Windows XP SP2 and all versions on SP3 or Vista+.
- (There was also a bug in WebOne v0.16.x, fixed in v0.17 and up, which always set SHA256 for certificates.)
❌ HTTPS doesn't work at all with (for unknown reasons):
- Microsoft Internet Explorer 2.x, 3.x.
- Microsoft Internet Explorer for Macintosh.
- Opera 5.x and earlier.
- Netscape Navigator.
WebOne looks at the system-wide configuration to enable or disable the cryptography technologies used to communicate with clients (and this cannot be fully overridden by WebOne developers). By default, on modern systems most retro technologies such as SSL 3 40-bit are disabled or even removed. This prevents some older browsers from working via HTTPS with the proxy without server reconfiguration.
The lists of enabled SSL/TLS versions and cipher sets are configured via the HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 and HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL registry hives. By default on Windows 11 23H2, SSL 3.0 and most TLS 1.0 ciphers are disabled. Connections from browsers like Internet Explorer 6 will result in a 36871/10011 SChannel error. However, it's possible to enable anything up to SSL 3.0 40-bit RC4 MD5 via the registry. Support for SSL 2.0 has been dropped since Windows 10 v1607. The current list of cipher suites on Windows can be found here.
Always back up the registry hives listed above before editing. To enable all available SSL and TLS ciphers in Windows 7/8.1/10/11 and Server 2016-2022, import the registry file and reboot. Note that it will affect all SSL/TLS applications on the system, which may become less secure.
On UNIX-like systems, WebOne uses the OpenSSL libraries and their configuration to establish SSL/TLS connections. Since WebOne 0.17, it uses a custom OpenSSL configuration file located at /etc/webone.conf.d/openssl_webone.cnf. It enables all cryptography algorithms that are built into the OpenSSL version in use. Sadly, the latest OpenSSL 1.1.x and 3.x.x libraries supplied with most Linux distributions have been built without legacy ciphers. So even with this custom configuration, pre-2008 browsers won't connect to WebOne proxies. Some magic with rebuilding OpenSSL from sources is needed to make SSL 3.0/TLS 1.0 work again.
Errors FAQ:
- Using SSL certificate failed with OpenSSL error - ca md too weak: OpenSSL bans the MD5 or SHA1 certificate(s) used by WebOne. Set SslHashAlgorithm to SHA256 in the WebOne [SecureProxy] configuration.
- SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL: There are no common ciphers between the retro client and the OpenSSL version in use. Try to specify some older ciphers in the [SecureProxy]/SslCipherSuites option, but probably all of the needed cipher suites were banned at OpenSSL compile time.
- I see these errors when running WebOne from the console, but don't see them when running it as a systemd service: Try export OPENSSL_CONF=/etc/webone.conf.d/openssl_webone.cnf before starting WebOne.
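Whether the "no common ciphers" situation above can be fixed by configuration at all depends on what the proxy host's OpenSSL build still contains. The following added example (not part of WebOne) uses Python's ssl module to report which legacy protocols and cipher suites the local OpenSSL offers; the cipher list is a constructed selection of OpenSSL names from the page's "minimum level" range.

```python
# Added example, not part of WebOne: report whether the local OpenSSL build
# (as seen by Python's ssl module) still offers the legacy protocols and
# cipher suites that pre-2008 browsers negotiate. If they are missing here,
# no SslCipherSuites setting will bring them back; OpenSSL must be rebuilt.
import ssl

# OpenSSL names of suites in the page's "minimum level" range (constructed list).
LEGACY_CIPHERS = ("EXP-RC4-MD5", "RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "AES128-SHA")


def legacy_support_report(ciphers=LEGACY_CIPHERS):
    """Return {"protocols": {...}, "ciphers": {...}} of booleans.

    Protocol flags come from the ssl module's HAS_* constants. Cipher
    availability is probed by loading the widest cipher string the library
    accepts (security level 0 first) and listing what actually survived."""
    protocols = {
        "SSLv3": bool(getattr(ssl, "HAS_SSLv3", False)),
        "TLSv1": bool(getattr(ssl, "HAS_TLSv1", False)),
        "TLSv1.1": bool(getattr(ssl, "HAS_TLSv1_1", False)),
    }
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    except (AttributeError, ValueError):
        pass  # older Python, or a build that pins the protocol floor
    offered = set()
    for spec in ("ALL:COMPLEMENTOFALL:@SECLEVEL=0", "ALL:COMPLEMENTOFALL", "ALL"):
        try:
            ctx.set_ciphers(spec)
        except ssl.SSLError:
            continue  # spec not understood (e.g. LibreSSL has no SECLEVEL)
        offered = {c["name"] for c in ctx.get_ciphers()}
        break
    return {
        "protocols": protocols,
        "ciphers": {name: name in offered for name in ciphers},
    }


if __name__ == "__main__":
    report = legacy_support_report()
    for section, values in report.items():
        print(section)
        for name, ok in values.items():
            print(f"  {name:14} {'available' if ok else 'missing'}")
```

On a stock Debian 12 or Ubuntu 24.04 host the cipher section will typically show the RC4 and export suites as missing, which matches the page's statement that distribution builds lack legacy ciphers.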
In some cases, the certificate does not install properly with the automatically detected settings, so the store location needs to be specified:
Browsers like Mozilla or Opera use their own separate certificate storage and don't rely on Windows facilities or configuration. But MSIE and some software like MSN Messenger use the Windows certificate store.
If you're experiencing problems, try installing these updates (Windows XP 32-bit only): SSL Updates XP.zip. On Server 2003, try installing the KB968730 update.
Windows Mobile has a very strange way of installing CA certificates on a PDA. They're installed from CAB files, not CER/CRT.
- Create an XML file called _setup.xml with the following contents:
  <wap-provisioningdoc>
    <characteristic type="CertificateStore">
      <characteristic type="ROOT">
        <characteristic type="certhash">
          <parm name="EncodedCertificate" value="base64encodedcert"/>
        </characteristic>
      </characteristic>
    </characteristic>
  </wap-provisioningdoc>
- Open the WebOne CA certificate file and look at the Thumbprint field on the Details tab. Copy its contents.
- Replace certhash in the XML with the certificate thumbprint without spaces.
- Open the WebOne CA certificate file using a text editor and copy its content except the BEGIN CERTIFICATE and END CERTIFICATE lines.
- Replace base64encodedcert in the XML with the root certificate body.
- Compile the CAB package using the command prompt: makecab _setup.xml <filename>.cab (you may specify any name for the CAB file).
- Copy the CAB file to the PDA and install it by opening it in the Explorer application.
- The result of the installation can be checked by looking at the Start > Settings > Security > Certificates > Root control panel of the PDA.
The certificate will be used by Pocket Internet Explorer and some other applications that use the system certificate storage.
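The thumbprint and body copying in the steps above is error-prone by hand. The following added example (not part of WebOne) produces _setup.xml directly from the PEM .crt file; it assumes the thumbprint shown on the Windows Details tab is the SHA-1 of the DER-encoded certificate, and the output file name make_setup_xml.py is hypothetical.

```python
# Added example, not part of WebOne: generate the _setup.xml provisioning
# document from a PEM-encoded CA certificate, so the thumbprint and base64
# body do not have to be copied by hand. Feed the result to makecab.
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Same structure as the page's _setup.xml, with the two placeholders filled in.
TEMPLATE = """<wap-provisioningdoc>
<characteristic type="CertificateStore">
<characteristic type="ROOT">
<characteristic type="{thumbprint}">
<parm name="EncodedCertificate" value="{body}"/>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
"""


def pem_body(pem_text):
    """Base64 body of the first CERTIFICATE block, with the BEGIN/END lines
    and all line breaks removed (what goes into EncodedCertificate)."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in input")
    return "".join(match.group(1).split())


def thumbprint(der):
    """Windows-style thumbprint: SHA-1 over the DER bytes, upper-case hex,
    no spaces (assumed to match the certificate's Details tab)."""
    return hashlib.sha1(der).hexdigest().upper()


def build_setup_xml(pem_text):
    """Return the provisioning XML for the given PEM certificate text."""
    body = pem_body(pem_text)
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:  # a DER certificate starts with SEQUENCE
        raise ValueError("decoded data is not a DER certificate")
    return TEMPLATE.format(thumbprint=thumbprint(der), body=body)


if __name__ == "__main__":
    # usage: python make_setup_xml.py WebOne_CA.crt > _setup.xml
    with open(sys.argv[1], "r", encoding="ascii") as f:
        sys.stdout.write(build_setup_xml(f.read()))
```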
The IBM Web Browser included in OS/2 Warp 4.52 is based on an early build of the Mozilla Suite (rv:0.9.2, aka Netscape 6.1). It has many bugs in its SSL support, so it does not work with HTTPS via WebOne. You need to install a newer version of Mozilla or Firefox.
WebOne currently does not support processing the STARTTLS method for e-mail protocols (POP3, IMAP, SMTP, etc.).
Options of the HTTPS/SSL proxy are configured via the [SecureProxy] section of the configuration file(s). Note that the SslProtocols option still relies on the OS configuration. It will not accept SSL 2.0 unless it (and the corresponding cipher suites) is enabled by the OS configuration and is supported by OpenSSL/SChannel on the proxy server's OS.
You may also specify a custom root certificate and even an external utility which will produce site certificates instead of using the built-in certificate generator. With a custom certificate generator, it is possible to work with strange (buggy) clients.
Both the CA and site certificates must be in PEM format, split into 2 files: the certificate itself (.crt) and its private key (.key). The root certificate/key files are expected to be found at the specified paths. If these files are absent, they will be generated by WebOne; if they're present, they will be loaded. The site certificates & keys are looked up at the paths specified in SslSiteCerts, and if not present, the SslSiteCertGenerator-specified app or the built-in generator will be invoked to generate them. The built-in generator stores the certificates in a RAM cache only.