Alexander Tauenis edited this page May 29, 2024 · 9 revisions

WebOne supports working as an HTTPS and TLS gateway since version 0.16. This lets you open https:// websites through old browsers via WebOne, and reach SSL/TLS-based servers from applications that can work with HTTPS proxies.

For such software, the proxy server can downgrade the security level of the connection to one the client supports.

Common

The HTTPS downgrade feature (which is in fact decrypting the TLS traffic and re-encrypting it in a new SSL/TLS session via WebOne) replaces the original server's certificate with WebOne's own certificate. All certificates are signed by the proxy server's root certificate, so it must be imported into the web browser's certificate authority store to make HTTPS work.

The proxy server's root certificate is unique for each WebOne installation and is generated on the first run of WebOne. To download it, open the proxy's status page (http://localhost:8080/) and click the "WebOne CA root certificate" link.

Microsoft Internet Explorer, Apple Safari and Google Chrome (and other Chromium-based browsers such as Opera 15+, Yandex, Atom, Otter) use the operating system's root certificate store. Mozilla-based applications and the Opera browser (before version 15) use their own store, configurable via the browser's preferences.

All internal pages like status page are available only via plain HTTP.

Client requirements

At this moment, the minimum level of SSL support is:

  • Protocol: SSL 2.0
  • Cipher strength: 40-bit RC4, MD5 hash
  • Certificate: X.509 V3, MD5 signature

All of this depends on the proxy server's OS version and configuration:

  • Windows 11 (default): TLS 1.2, AES 256-bit, SHA256
  • Windows 11 (tweaked): SSL 3.0, RC4 40-bit, MD5
  • Windows 8.1 (default): SSL 3.0, 3DES 128-bit, MD5
  • Windows 8.1 (tweaked): SSL 2.0, RC4 40-bit, MD5
  • Debian 12: TLS 1.2, AES 256-bit, SHA256
  • Ubuntu 24.04: SSL 3.0, AES 128-bit, MD5

The maximum available level is TLS 1.2 with 256-bit AES ciphers. It is compatible with Firefox 3, Internet Explorer 8 (on Windows 7), Chrome 47 and similar "modern" software, and these crypto algorithms are still considered secure.

✔️ So, HTTPS through WebOne works with these apps or newer versions of them:

  • Microsoft Internet Explorer: 5.0 and up on Windows 95 or NT 4.0 or newer.
  • Mozilla: 1.7 and up.
  • Firefox, SeaMonkey: 1.0 and up.
  • Netscape: 7.2 and up.
  • Opera: 6.0 and up.
  • Microsoft Pocket Internet Explorer: 4.01 and up.
  • The list will be expanded in the future.

✔️ In some cases (modern Linux servers) WebOne will use only SHA2 certificates and AES ciphers, which raises the system requirements for client browsers to:

  • Microsoft Internet Explorer: any version on Windows XP SP3 or Vista or newer.
  • Mozilla: 1.7 and up.
  • Netscape: 7.2 and up.
  • Firefox, SeaMonkey: 1.0 and up. Sometimes Firefox 3.0/SeaMonkey 2.0 is the minimum.
  • Opera: 9.0 and up.
  • Safari: 3.0 and up on MacOS X 10.5+ or Windows XP SP3 or Vista+.
  • Windows SSL applications: Windows XP SP3 or Vista+.
  • Linux SSL applications: all that use OpenSSL 0.9.8o or newer.
  • MacOS X SSL applications: MacOS X 10.5+.
  • Konqueror: 3.5.6 and up.
  • iPhone/iPad applications: iOS 3.0+.
  • Windows Phone applications: 7.0+.
  • Google Chrome: 38+ on Windows XP SP2 and all versions on SP3 or Vista+.
  • (There was also a bug in WebOne v0.16.x, fixed in v0.17 and up, which always set SHA256 for certificates.)

❌ HTTPS does not work at all with (for unknown reasons):

  • Microsoft Internet Explorer 2.x, 3.x.
  • Microsoft Internet Explorer for Macintosh.
  • Opera 5.x and earlier.
  • Netscape Navigator.

Server OS-specific notes

WebOne looks at the system-wide configuration to enable or disable the cryptography technologies used to communicate with clients (and this cannot be fully overridden by the WebOne developers). By default, on modern systems most retro technologies such as SSL 3.0 with 40-bit ciphers are disabled or even removed. This prevents some older browsers from working via HTTPS with the proxy unless the server is reconfigured.

Windows Server hosts

The lists of enabled SSL/TLS versions and cipher suites are configured via the HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 and HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL registry hives. By default on Windows 11 23H2, SSL 3.0 and most TLS 1.0 ciphers are disabled. Connections from browsers like Internet Explorer 6 will result in a 36871/10011 SChannel error. However, it is possible to enable anything up to SSL 3.0 with 40-bit RC4 and MD5 via the registry. Support for SSL 2.0 has been dropped since Windows 10 v1607. The current list of cipher suites on Windows can be found here.

Always back up the registry hives listed above before editing. To enable all available SSL and TLS ciphers in Windows 7/8.1/10/11 and Server 2016-2022, import the registry file and reboot. Note that it will affect all SSL/TLS applications on the system, which may become less secure.

Linux and macOS hosts

On UNIX-like systems, WebOne uses the OpenSSL libraries and their configuration to establish SSL/TLS connections. Since WebOne 0.17, it uses a custom OpenSSL configuration file located at /etc/webone.conf.d/openssl_webone.cnf, which enables all cryptography algorithms built into the OpenSSL version in use. Sadly, the latest OpenSSL 1.1.x and 3.x.x libraries supplied with most Linux distributions have been built without legacy ciphers. So even with this custom configuration, pre-2008 browsers won't connect to WebOne proxies. Rebuilding OpenSSL from source is needed to make SSL 3.0/TLS 1.0 work again.

Errors FAQ:

  • Using SSL certificate failed with OpenSSL error - ca md too weak: OpenSSL rejects the MD5 or SHA1 certificate(s) used by WebOne. Set SslHashAlgorithm to SHA256 in the WebOne [SecureProxy] configuration.
  • SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL: there are no common ciphers between the retro client and the OpenSSL version in use. Try specifying some older ciphers in the [SecureProxy]/SslCipherSuites option, but probably all of the needed cipher suites were removed at OpenSSL compile time.
  • I see these errors when running WebOne from the console, but not when it runs as a systemd service: try export OPENSSL_CONF=/etc/webone.conf.d/openssl_webone.cnf before starting WebOne.
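A cipher removed at OpenSSL compile time cannot be brought back by openssl_webone.cnf or by SslCipherSuites, so the first thing to check on a failing handshake is what the library can offer at all. The following is an added example, not WebOne code: it asks the OpenSSL build linked into the Python interpreter (on Linux that is usually the distribution's OpenSSL, but confirm with the version string it reports) which protocol versions and cipher suites exist, and which of a retro client's suites are absent. It covers both the paragraph above and the SSL_ERROR_SSL entry in the FAQ. The list of suite names in RETRO_CLIENT_SUITES is a constructed sample of what a 2000-era client might offer, not data from this page.

```python
import ssl

# Substrings that mark the retro algorithms discussed on this page
# (RC4, 3DES, MD5 MACs, 40-bit export suites, NULL encryption).
LEGACY_MARKERS = ("RC4", "DES-CBC3", "3DES", "MD5", "EXP", "NULL")

# Constructed example of what an old client might offer; not taken from the page.
RETRO_CLIENT_SUITES = ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "EXP-RC4-MD5"]


def openssl_capability_report():
    """Describe what the OpenSSL build linked into this interpreter can do.

    Compile-time removal of a suite cannot be undone by openssl.cnf, so a suite
    missing from this report is an OpenSSL build problem, not a WebOne setting.
    """
    protocols = {
        "SSLv2": ssl.HAS_SSLv2,
        "SSLv3": ssl.HAS_SSLv3,
        "TLSv1": ssl.HAS_TLSv1,
        "TLSv1.1": ssl.HAS_TLSv1_1,
        "TLSv1.2": ssl.HAS_TLSv1_2,
        "TLSv1.3": ssl.HAS_TLSv1_3,
    }
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Request every suite, including ones refused at the default security level.
    # OpenSSL only lists what was compiled in, so this exposes build-time gaps.
    for spec in ("ALL:COMPLEMENTOFALL:@SECLEVEL=0", "ALL:@SECLEVEL=0", "ALL"):
        try:
            ctx.set_ciphers(spec)
            break
        except ssl.SSLError:
            continue
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "protocols": protocols,
        "ciphers": names,
        "legacy_ciphers": [n for n in names if any(m in n for m in LEGACY_MARKERS)],
    }


def missing_ciphers(report, wanted):
    """Suites from `wanted` that this OpenSSL build cannot offer under any config."""
    available = set(report["ciphers"])
    return [name for name in wanted if name not in available]


if __name__ == "__main__":
    report = openssl_capability_report()
    print("OpenSSL:", report["openssl_version"])
    for proto, supported in report["protocols"].items():
        print(f"  {proto:8s} {'yes' if supported else 'no'}")
    print("Legacy suites still present:", ", ".join(report["legacy_ciphers"]) or "none")
    gone = missing_ciphers(report, RETRO_CLIENT_SUITES)
    print("Retro client suites not available in this build:", ", ".join(gone) or "none")
```

If every suite the old browser can use appears under "not available in this build", no [SecureProxy] option will help and the OpenSSL rebuild the paragraph above mentions is the only way forward; if they are present but the handshake still fails, the problem is in the configuration or the OPENSSL_CONF environment instead.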

Client-specific notes

Windows clients

In some cases, the certificate does not install properly with the automatically detected settings, so the store location must be specified manually:

(Screenshot: Root Certificate)

Browsers like Mozilla or Opera use their own separate certificate stores and do not rely on Windows facilities or configuration. But MSIE and some software like MSN Messenger use the Windows certificate store.

If you're experiencing problems, try installing these updates (Windows XP 32-bit only): SSL Updates XP.zip. On Server 2003, try installing the KB968730 update.

Windows Mobile clients

Windows Mobile has a very strange way of installing CA certificates onto a PDA: they are installed from CAB files, not CER/CRT files.

  1. Create an XML file called _setup.xml with the following contents:

     <wap-provisioningdoc>
        <characteristic type="CertificateStore">
          <characteristic type="ROOT">
            <characteristic type="certhash">
               <parm name="EncodedCertificate" value="base64encodedcert"/>
            </characteristic>
          </characteristic>
        </characteristic>
     </wap-provisioningdoc>

  2. Open the WebOne CA certificate file and look at Thumbprint in the Field list (on the Details tab). Copy its contents.
  3. Replace certhash in the XML with the certificate thumbprint without spaces.
  4. Open the WebOne CA certificate file using a text editor and copy its content except the BEGIN CERTIFICATE and END CERTIFICATE lines.
  5. Replace base64encodedcert in the XML with the root certificate body.
  6. Compile the CAB package from the command prompt: makecab _setup.xml <filename>.cab (you may specify any name for the CAB file).
  7. Copy the CAB file to the PDA and install it by opening it in the Explorer application.
  8. The result of the installation can be checked by looking at Start>Settings>Security>Certificates>Root on the PDA.
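The thumbprint and body-copying steps above are easy to get wrong by hand (a stray space in the hash, or a BEGIN/END line left in the body), so here is an added example, not part of WebOne or of this page, that derives both values from the .crt file and emits the provisioning XML. It relies on the fact that the Windows "Thumbprint" field is the SHA-1 of the DER-encoded certificate, shown as upper-case hex. SAMPLE_PEM is a constructed stand-in whose body is just base64 of the bytes "abc", so it is not a real certificate; it exists only to make the resulting thumbprint checkable by hand.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

# Constructed stand-in for a WebOne CA certificate file. The body is NOT a real
# certificate: it is base64 of the three bytes b"abc", chosen so the resulting
# thumbprint (SHA-1 of the DER bytes) is a value that can be checked by hand.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_body(pem_text):
    """Base64 payload between the BEGIN/END CERTIFICATE lines, whitespace removed.

    This is exactly what steps 4 and 5 above ask you to copy by hand.
    """
    parts, inside = [], False
    for line in (ln.strip() for ln in pem_text.splitlines()):
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside = True
            continue
        if line.startswith("-----END CERTIFICATE-----"):
            break
        if inside and line:
            parts.append(line)
    if not parts:
        raise ValueError("no CERTIFICATE block found in input")
    return "".join(parts)


def thumbprint(pem_text):
    """The Windows 'Thumbprint' field: SHA-1 over the DER bytes, upper-case hex, no spaces."""
    der = base64.b64decode(pem_body(pem_text), validate=True)
    return hashlib.sha1(der).hexdigest().upper()


def build_setup_xml(pem_text):
    """Return the _setup.xml document with certhash and the body filled in."""
    doc = ET.Element("wap-provisioningdoc")
    store = ET.SubElement(doc, "characteristic", type="CertificateStore")
    root = ET.SubElement(store, "characteristic", type="ROOT")
    cert = ET.SubElement(root, "characteristic", type=thumbprint(pem_text))
    ET.SubElement(cert, "parm", name="EncodedCertificate", value=pem_body(pem_text))
    return ET.tostring(doc, encoding="unicode")


if __name__ == "__main__":
    import sys

    # Usage: python make_setup_xml.py WebOne_CA.crt > _setup.xml ; then run makecab.
    pem = open(sys.argv[1], encoding="ascii").read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(build_setup_xml(pem))
```

Feed the script the downloaded CA .crt file and redirect its output into _setup.xml; the remaining steps (makecab, copying to the PDA, checking the Root store) are unchanged.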

The certificate will be used by Pocket Internet Explorer and some other applications that use system certificate storage.

OS/2 clients

The IBM Web Browser included in OS/2 Warp 4.52 is based on an early build of the Mozilla Suite (rv:0.9.2, aka Netscape 6.1). It has many bugs in its SSL support, so it does not work with HTTPS via WebOne. You need to install a newer version of Mozilla or Firefox.

E-Mail SSL support

WebOne currently does not support processing the STARTTLS method for e-mail protocols (POP3, IMAP, SMTP, etc.).

Server configuring

Options of the HTTPS/SSL proxy are configured via the [SecureProxy] section of the configuration file(s). Note that the SslProtocols option still relies on the OS configuration: it will not accept SSL 2.0 unless SSL 2.0 (and the corresponding cipher suites) is enabled by the OS configuration and supported by OpenSSL/SChannel on the proxy server OS.

Custom certificate generator

You may also specify a custom root certificate, and even an external utility that produces site certificates instead of the built-in certificate generator. With a custom certificate generator, it becomes possible to work with strange (buggy) clients.

Both the CA and site certificates must be in PEM format, split into two files: the certificate itself (.crt) and its private key (.key). The root certificate/key files are expected at the specified paths; if they are absent, they will be generated by WebOne, and if present, they will be loaded. The site certificates and keys are looked up at the paths specified in SslSiteCerts; if not present, the app specified in SslSiteCertGenerator or the built-in generator is invoked to generate them. The built-in generator stores the certificates in a RAM cache only.
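To show what a custom generator has to produce, here is an added example that is neither WebOne code nor its built-in generator: it creates a self-signed root CA (the certificate clients import, as described under "Common") and a per-site leaf signed by it, and writes each as the split .crt/.key PEM pair this section describes. It uses the third-party `cryptography` package, which is assumed to be installed; the hostname, 2048-bit key size, validity periods and file names are illustrative choices. The HASHES table mirrors the SslHashAlgorithm values mentioned on this page; SHA256 is the one modern OpenSSL accepts, while SHA1/MD5 exist only for retro clients and may be refused by the host's crypto policy (the "ca md too weak" error in the Linux notes). The two checks at the end, that the leaf really chains to the root and which signature hash it carries, are what to run before pointing SslSiteCerts at files from any external generator.

```python
"""Stand-alone generator producing the .crt/.key PEM layout described above."""
import sys
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Signature hashes named by the SslHashAlgorithm option on this page.
HASHES = {"SHA256": hashes.SHA256, "SHA1": hashes.SHA1, "MD5": hashes.MD5}
KEY_BITS = 2048  # assumption for this example, not a WebOne default


def _builder(subject, issuer, public_key, days):
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))  # tolerate client clock skew
        .not_valid_after(now + timedelta(days=days))
    )


def make_root_ca(common_name="WebOne Example Root CA", hash_name="SHA256", days=3650):
    """Self-signed root: the certificate the client must import into its CA store."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=KEY_BITS)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        _builder(name, name, key.public_key(), days)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, key_cert_sign=True, crl_sign=True,
                content_commitment=False, key_encipherment=False,
                data_encipherment=False, key_agreement=False,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
        .sign(key, HASHES[hash_name]())
    )
    return cert, key


def make_site_cert(hostname, ca_cert, ca_key, hash_name="SHA256", days=397):
    """Leaf for one site, signed by the root; the proxy presents this to the client
    in place of the real server's certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=KEY_BITS)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    cert = (
        _builder(subject, ca_cert.subject, key.public_key(), days)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(ca_key, HASHES[hash_name]())
    )
    return cert, key


def to_pem_pair(cert, key):
    """Split into the two PEM strings WebOne expects: .crt content and .key content."""
    crt = cert.public_bytes(serialization.Encoding.PEM).decode("ascii")
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.TraditionalOpenSSL,
        serialization.NoEncryption(),
    ).decode("ascii")
    return crt, key_pem


def issued_by(site_crt_pem, ca_crt_pem):
    """True if the site .crt chains to the root .crt (issuer name and signature)."""
    site = x509.load_pem_x509_certificate(site_crt_pem.encode("ascii"))
    ca = x509.load_pem_x509_certificate(ca_crt_pem.encode("ascii"))
    if site.issuer != ca.subject:
        return False
    try:
        ca.public_key().verify(
            site.signature, site.tbs_certificate_bytes,
            padding.PKCS1v15(), site.signature_hash_algorithm,
        )
        return True
    except Exception:  # InvalidSignature, or a key/hash mismatch
        return False


def signature_hash_name(crt_pem):
    """Which hash signed this certificate, e.g. 'sha256' or 'sha1'."""
    return x509.load_pem_x509_certificate(crt_pem.encode("ascii")).signature_hash_algorithm.name


def san_names(crt_pem):
    """DNS names in the SubjectAlternativeName extension."""
    cert = x509.load_pem_x509_certificate(crt_pem.encode("ascii"))
    ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return ext.value.get_values_for_type(x509.DNSName)


if __name__ == "__main__":
    # Usage: python gen.py <hostname> [SHA256|SHA1|MD5]
    # Writes ca.crt/ca.key and <hostname>.crt/<hostname>.key (illustrative names).
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    algo = sys.argv[2] if len(sys.argv) > 2 else "SHA256"
    ca_cert, ca_key = make_root_ca(hash_name=algo)
    site_cert, site_key = make_site_cert(host, ca_cert, ca_key, hash_name=algo)
    ca_pem, ca_key_pem = to_pem_pair(ca_cert, ca_key)
    site_pem, site_key_pem = to_pem_pair(site_cert, site_key)
    for base, crt, key_pem in (("ca", ca_pem, ca_key_pem), (host, site_pem, site_key_pem)):
        open(base + ".crt", "w").write(crt)
        open(base + ".key", "w").write(key_pem)
    print("chains to root:", issued_by(site_pem, ca_pem), "| hash:", signature_hash_name(site_pem))
```

A generator wired in through SslSiteCertGenerator would follow the same shape: load the existing root pair, issue a leaf for the requested hostname, and write the .crt and .key files where SslSiteCerts expects them. The root key in this layout is a signing key for every site the proxy impersonates, so keep the .key file readable only by the account WebOne runs under.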