NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Some Steam games require unbundled/hashed ca-certs for TLS handshake #230575

Open seirl opened 1 year ago

seirl commented 1 year ago

Describe the bug

Some Steam games (Drawful 2, Jackbox Party Pack 2, Crusader Kings 3) are statically linked with a version of OpenSSL that requires individual CA certificates to be exposed unbundled (as a dedicated file) at a hashed path (e.g., /etc/ssl/certs/f081611a.0).

Most other distributions provide the unbundled certs in /etc/ssl/certs out of the box, so the issue doesn't show up.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Install one of the aforementioned games on Steam, for instance Drawful 2
  2. Play > [enter] > Play
  3. Game gets stuck on "Connecting to jackbox games services".

Expected behavior

Games like Drawful 2 and Crusader Kings should work out of the box on Steam without having to manually copy certificates to their hashed path.

Additional context

Examples of workarounds for this issue:

Strace of Drawful 2 during the TLS handshake:

readv(104, [{iov_base="\26\3\3\0P", iov_len=5}], 1) = 5
readv(104, [{iov_base="\2\0\0L\3\3\7q\270\4=\26If\201\374dhi\266p\2156\2250R\302\22:'I{"..., iov_len=80}], 1) = 80
readv(104, [{iov_base="\26\3\3\20\22", iov_len=5}], 1) = 5
readv(104, [{iov_base="\v\0\20\16\0\20\v\0\6\2550\202\6\2510\202\5\221\240\3\2\1\2\2\t\0\322>\375;\10\n"..., iov_len=4114}], 1) = 4114
stat("/usr/local/ssl/certs/27eb7704.0", 0x7ffee7b4a5c0) = -1 ENOENT (No such file or directory)
stat("/etc/ssl/certs/27eb7704.0", 0x7ffee7b4a5c0) = -1 ENOENT (No such file or directory)
stat("/usr/local/ssl/certs", 0x7ffee7b4a470) = -1 ENOENT (No such file or directory)
stat("/usr/local/ssl/certs/cbf06781.0", 0x7ffee7b4a5c0) = -1 ENOENT (No such file or directory)
stat("/etc/ssl/certs/cbf06781.0", 0x7ffee7b4a5c0) = -1 ENOENT (No such file or directory)
stat("/usr/local/ssl/certs", 0x7ffee7b4a470) = -1 ENOENT (No such file or directory)
stat("/usr/local/ssl/certs/f081611a.0", 0x7ffee7b4a5c0) = -1 ENOENT (No such file or directory)
stat("/etc/ssl/certs/f081611a.0", 0x7ffee7b4a5c0) = -1 ENOENT (No such file or directory)
stat("/usr/local/ssl/certs", 0x7ffee7b4a470) = -1 ENOENT (No such file or directory)
stat("/usr/local/ssl/certs/f081611a.0", 0x7ffee7b4a5c0) = -1 ENOENT (No such file or directory)
stat("/etc/ssl/certs/f081611a.0", 0x7ffee7b4a5c0) = -1 ENOENT (No such file or directory)
stat("/usr/local/ssl/certs", 0x7ffee7b4a470) = -1 ENOENT (No such file or directory)
write(104, "\25\3\3\0\2\0020", 7)       = 7
close(104)                              = 0

Notify maintainers

@jagajaga @jonri for the Steam package, although I'm not sure if that's the place it should be fixed.
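The lookup visible in the strace above (a stat of <dir>/<subject_hash>.<n>, with n counted up from 0 until a file is missing) is OpenSSL's by-directory CA lookup, and the layout it wants is what `openssl rehash` produces. The script below is an added example, not code from nixpkgs, the Steam package or the issue reporter: it splits a PEM bundle into one file per certificate, creates the <hash>.<n> symlinks the way `openssl rehash` does, and uses `openssl verify` to show that a certificate chains through such a directory and fails against an empty one, which is the failure the games hit. Every certificate is throwaway test data generated at run time; the function names, the `demo` argument and the two-roots-with-one-subject collision are this example's own choices.

```shell
#!/bin/sh
# Added example (not nixpkgs or Steam code): build the /etc/ssl/certs-style
# hashed CA directory that OpenSSL's by-directory lookup expects.
set -eu

# split_bundle BUNDLE OUTDIR
# Write each PEM certificate found in BUNDLE to its own file OUTDIR/certN.pem.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
}

# rehash_dir DIR
# For every DIR/*.pem create DIR/<hash>.<n>, where <hash> is the OpenSSL
# subject-name hash (the same value `openssl x509 -subject_hash` prints and
# the strace shows in f081611a.0) and <n> counts up when two certificates
# share a hash. Same scheme as `openssl rehash`, except that exact
# duplicates of one certificate are not skipped here.
rehash_dir() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue
        hash=$(openssl x509 -in "$pem" -noout -subject_hash)
        n=0
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$pem")" "$dir/$hash.$n"
    done
}

# verify_with_capath CAPATH CERT
# Succeed only if CERT chains to a CA found through the hashed directory.
# The default CA file and directory are disabled so nothing else can help,
# which is the situation of a program whose only CA source is this lookup.
verify_with_capath() {
    if openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

# make_test_pki WORK
# Constructed test data: two throwaway self-signed roots with the same
# subject (so their subject hashes collide and the .1 suffix is needed) and
# one leaf certificate signed by the first root. The leaf carries an AKID so
# OpenSSL can tell the two same-named roots apart.
make_test_pki() {
    work=$1
    for i in 1 2; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Example Test Root" \
            -keyout "$work/ca$i.key" -out "$work/ca$i.pem" 2>/dev/null
    done
    cat "$work/ca1.pem" "$work/ca2.pem" > "$work/bundle.crt"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nauthorityKeyIdentifier=keyid,issuer\n' \
        > "$work/leaf.ext"
    openssl x509 -req -in "$work/leaf.csr" -days 1 -extfile "$work/leaf.ext" \
        -CA "$work/ca1.pem" -CAkey "$work/ca1.key" -CAcreateserial \
        -out "$work/leaf.pem" 2>/dev/null
}

# demo: build the directory from the test bundle and show both outcomes.
demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    mkdir "$work/certs"
    split_bundle "$work/bundle.crt" "$work/certs"
    rehash_dir "$work/certs"
    ls -l "$work/certs"            # shows <hash>.0 and <hash>.1 -> certN.pem
    if verify_with_capath "$work/certs" "$work/leaf.pem"; then
        echo "hashed dir: leaf verified"
    fi
    mkdir "$work/empty"
    if verify_with_capath "$work/empty" "$work/leaf.pem"; then
        :
    else
        echo "empty dir: leaf NOT verified (unable to get local issuer certificate)"
    fi
    rm -rf "$work"
}

# Run the demonstration only when invoked as `sh rehash-demo.sh demo`,
# so the functions above can also be sourced from another script.
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh rehash-demo.sh demo`. On a real system, `openssl rehash /path/to/certs` produces the same layout from per-certificate files already in that directory, and once such a directory exists the hashes in the trace map back to certificates with, for example, `openssl x509 -noout -subject -in /etc/ssl/certs/f081611a.0`. A program that relies on OpenSSL's default paths can be pointed at a directory with the `SSL_CERT_DIR` environment variable; whether the games here honour it is not established by the trace, which only shows them probing /usr/local/ssl/certs and /etc/ssl/certs.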


RaitoBezarius commented 1 year ago

It should be fixed in security.ca I believe. Last committers: @lukegb @fpletz

eclairevoyant commented 9 months ago

Seems to still be an issue - strace excerpt from Drawful 2 seems to indicate the same issue:

poll([{fd=25, events=POLLIN}], 1, 0)    = 0 (Timeout)
poll([{fd=43, events=POLLIN}, {fd=44, events=POLLIN}], 2, 0) = 1 ([{fd=44, revents=POLLIN}])
readv(44, [{iov_base="\26\3\3\0P", iov_len=5}], 1) = 5
readv(44, [{iov_base="\2\0\0L\3\3Z[&\f\362\3\235\316;K3\376\\\312\251\373\305\202\3Er\235Z=a\263"..., iov_len=80}], 1) = 80
readv(44, [{iov_base="\26\3\3\20\22", iov_len=5}], 1) = 5
readv(44, [{iov_base="\v\0\20\16\0\20\v\0\6\2550\202\6\2510\202\5\221\240\3\2\1\2\2\t\0\322>\375;\10\n"..., iov_len=4114}], 1) = 4114
stat("/usr/local/ssl/certs/27eb7704.0", 0x7ffd92edd690) = -1 ENOENT (No such file or directory)
stat("/etc/ssl/certs/27eb7704.0", 0x7ffd92edd690) = -1 ENOENT (No such file or directory)
futex(0x13d248c, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x13d249c, FUTEX_WAKE_PRIVATE, 2147483647) = 0
stat("/usr/local/ssl/certs", 0x7ffd92edd540) = -1 ENOENT (No such file or directory)
stat("/usr/local/ssl/certs/cbf06781.0", 0x7ffd92edd690) = -1 ENOENT (No such file or directory)
stat("/etc/ssl/certs/cbf06781.0", 0x7ffd92edd690) = -1 ENOENT (No such file or directory)
stat("/usr/local/ssl/certs", 0x7ffd92edd540) = -1 ENOENT (No such file or directory)
stat("/usr/local/ssl/certs/f081611a.0", 0x7ffd92edd690) = -1 ENOENT (No such file or directory)
stat("/etc/ssl/certs/f081611a.0", 0x7ffd92edd690) = -1 ENOENT (No such file or directory)
stat("/usr/local/ssl/certs", 0x7ffd92edd540) = -1 ENOENT (No such file or directory)
stat("/usr/local/ssl/certs/f081611a.0", 0x7ffd92edd690) = -1 ENOENT (No such file or directory)
stat("/etc/ssl/certs/f081611a.0", 0x7ffd92edd690) = -1 ENOENT (No such file or directory)
stat("/usr/local/ssl/certs", 0x7ffd92edd540) = -1 ENOENT (No such file or directory)
write(44, "\25\3\3\0\2\0020", 7)        = 7
close(44)                               = 0