Closed D3vil0p3r closed 3 months ago
FWIW, OpenSSL 1.1.x is EOL in September.
Any updates on this fix?
@mglogowski1 I don't think anything in the winrm
gem will change until Ruby's openssl
supports OpenSSL 3
If I've caught up correctly, Ruby's openssl
has supported OpenSSL 3.x for a while. But the main/lingering problem with openssl-3.x for winrm was a need for an interface by which to enable non-default providers (to get access to md4
). That seems to have been added here: https://github.com/ruby/openssl/pull/635, included in v3.2.0
released a few months ago: https://github.com/ruby/openssl/releases/tag/v3.2.0
So, I think it should be possible to update winrm
to work with OpenSSL 3.x providing you're using v3.2.0
of the openssl gem?
While using Ruby 3.3, I was able to resolve the issue with the gem by following these steps:
OpenSSL::Provider.load("legacy")
to enable legacy certificates.This process made the gem functional again for me.
@smallfield i need to test this with the new AWS Codebuild Images.
This should be addressed in rubyntlm v0.6.4 which was released yesterday. Thanks
Hello @pmorton @sneal @mwrock after the latest update of OpenSSL version to OpenSSL 3.0.x, WinRM component is not working anymore as intended. It occurs because with the latest OpenSSL version, maintainers decided to keep disable by default legacy protocols.
In particular, for some tools leveraging WinRM, as Evil-WinRM, when they call the WinRM component, an OpenSSL error arises.
The detailed explanation and reproduction of the issue is here: https://github.com/BlackArch/blackarch/issues/3593
According to https://bugs.archlinux.org/task/76653?project=1&order=dateopened&sort=desc the user "loqs" states the following:
"NTLM v1 Authentication uses md4 [1]. The ruby ntlm gem as used by winrm uses the openssl gem to provide md4 [2]. With OpenSSSL 3 md4 in the legacy provider which is not enabled by default. The ruby openssl gem does not currently provide a method to load a provider [3] so the provider has to be loaded using OpenSSL's configuration file. Assuming evil-winrm / winrm are not run set-user-ID or set-group-ID the environment variable the environment variable OPENSSL_CONF can be used to specify an alternate location for OpenSSL's config. This avoids changing the default configuration. The variable can in set in a script file that then calls the real executable.
[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/464551a8-9fc4-428e-b3d3-bc5bfb2e73a5?redirectedfrom=MSDN [2] https://github.com/macks/ruby-ntlm/blob/323ef447c04e130a31940fa6dabe96607677c22b/lib/ntlm/util.rb#L77 [3] https://github.com/ruby/openssl/issues/567"
Could you please add the support to OpenSSL 3.0.x for WinRM component please?
Thank you in advance.