SSL error loading HTTPS page - "ca md too weak"

[callumgare]

I'm trying to get a dockerized version of webone setup but when sending a request via the proxy for a https page (curl -v --proxy http://192.168.1.1:8080 https://example.com/) I get an SSL failure and the logs show this:

WebOne HTTP Proxy Server 0.17.0
https://github.com/atauenis/webone
Using configuration file /usr/local/webone/webone.conf.
Cannot use log file /var/log/webone.log: Access to the path '/var/log/webone.log' is denied..
Configuration load complete.
Supported protocols: HTTP, HTTPS, FTP via Web browser.
Listening for HTTP 1.x on port 8080.
04.06.2024 12:07:08.036+658851  >CONNECT example.com:443 (192.168.1.2)
04.06.2024 12:07:08.036+3543681 !SSL Handshake failed: Using SSL certificate failed with OpenSSL error - ca md too weak. (-2146233087)
04.06.2024 12:07:08.036+3597548 <Done (connection closed by client).
04.06.2024 12:09:10.059+37208   >GET http://example.com/ (192.168.1.2)
04.06.2024 12:09:10.059+560623  >Downloading content...
04.06.2024 12:09:10.059+3663164  200 OK. Body ?K of text/html; charset=utf-8 [Text].
04.06.2024 12:09:10.059+3806220 <Done.

I believe version 0.17.0 of webone is ment to address this issue specifically (https://github.com/atauenis/webone/discussions/125) and you can see from the logs it's running version 0.17.0 (I'm using the "0.17.0" docker tag).

Any idea if it's something I'm going on my end, a problem with how the image is build or a problem with webone itself?

Thanks for your efforts maintaining a docker version of such a useful program :)

[atauenis]

I've solved the problem in deb-packaged releases by enabling custom OpenSSL configuration via https://github.com/atauenis/webone/blob/master/openssl_webone.cnf . By a quick look to dockerfile, the openssl_webone.cnf is not listed in it.

Also I have tested WebOne on few distributions, and on Debian 12 the configuration is still ignored. Probably it have too strong OpenSSL build, even stronger that used in Ubuntu 24.04 (it's correctly working with SHA1 certificates). So, may be need to use a custom OpenSSL build in docker environment with right compile-time options (I'm don't know which) if Alpine contanined something such. Also OpenSSL have by default disabled at compile time (but not really removed) support for older SSL3 ciphers (RC4, 3DES-128, etc), which can be re-enabled by recompiling OpenSSL with right options.

[way5]

Hey @atauenis ! Thanks for the hint.

• docker image at DockerHub has been updated
• missing config added to repository docker-webone

@callumgare, this seems to be working fine now.

[callumgare]

Thanks for that @way5. Unfortunately I'm still running into the issue. I've re-pulled 0.17.0 and confirmed I'm definably using the new image as it matches the hash on docker hub (e68808ca5d1a) from the image pushed 5 days ago.

$ docker image inspect u306060/webone:0.17.0 | jq .[].RepoDigests
[
  "u306060/webone@sha256:e68808ca5d1a03463b2f9448e795ff9422b0287ad4019a010a8e46936a2f08db"
]

Then I deleted all my config mounted into the container at /home/webone and replaced it with the last config from https://github.com/way5/docker-webone/tree/main/webone.config. But alas I still get the cursed "OpenSSL error - ca md too weak" :(

[way5]

@callumgare, alright, it took me awhile rebuilding images. I am using new 0.17.0 image (not latest). That is what I get:

$ curl -vvv --proxy http://127.0.0.1:8080 https://google.com/
*   Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to google.com:443
> CONNECT google.com:443 HTTP/1.1
> Host: google.com:443
> User-Agent: curl/8.4.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Via: 1.1 WebOne/0.17.1.0
< Connection: Keep-Alive
< 
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

WebOne log:

 >CONNECT google.com:443 (192.168.65.1)
 !SSL Handshake failed: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. (-2146233087)
      <Done (connection closed by client).

And if I disable SSL certificate check:

$ curl -vvv -k --proxy http://127.0.0.1:8080 https://google.com/
*   Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to google.com:443
> CONNECT google.com:443 HTTP/1.1
> Host: google.com:443
> User-Agent: curl/8.4.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Via: 1.1 WebOne/0.17.1.0
< Connection: Keep-Alive
< 
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=google.com
*  start date: Jun  6 01:24:33 2024 GMT
*  expire date: Jun 20 01:24:33 2024 GMT
*  issuer: CN=WebOne Certificate Authority [510]; OU=This is not really secure connection; O=MITM Proxy; C=SU
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/1.x
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/8.4.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Location: http://www.google.com/
< Date: Thu, 13 Jun 2024 01:24:36 GMT
< Cache-Control: public, max-age=2592000
< Server: gws
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
< Expires: Sat, 13 Jul 2024 01:24:36 GMT
< Content-Length: 219
< Via: HTTP/1.0 WebOne/0.17.1.0
< Content-Type: text/html; charset=utf-8
< Connection: Keep-Alive
< 
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
* Connection #0 to host 127.0.0.1 left intact

WebOne log:

        >CONNECT google.com:443 (192.168.65.1)
       >[google.com] GET / (192.168.65.1)
        Carousel detected.
       >Downloading content...
      301 Moved. Body 0K of text/html; charset=utf-8 [Text].
     <Done (connection close).
     <Close SSL.
     <Done.
Oops: The output char buffer is too small to contain the decoded characters, encoding 'Unicode (UTF-8)' fallback 'System.Text.DecoderReplacementFallback'. (Parameter 'chars').

Is that what you looking for?

[way5]

@atauenis , since version 0.17.0 we have OPENSSL_CONF variable set in linux ENV. That supposedly makes use of custom openssl config while webone is running.

[Service]
Environment="OPENSSL_CONF=/etc/webone.conf.d/openssl_webone.cnf"

I have a doubts that this path being used. When I deleted/replaced openssl_webone.cnf it looks that nothing have changed, so webone doesn't change its behavior.

Do I miss something or how WebOne make use of openssl except setting ENV variable?

[way5]

@callumgare, there is webone-0.17.0-ssl image, where:

$ openssl list --cipher-algorithms
Legacy:
  RC5 => RC5-CBC
  AES-128-CBC
  AES-128-CBC-HMAC-SHA1
  AES-128-CBC-HMAC-SHA256
  id-aes128-CCM
  AES-128-CFB
  AES-128-CFB1
  AES-128-CFB8
  AES-128-CTR
  AES-128-ECB
  id-aes128-GCM
  AES-128-OCB
  AES-128-OFB
  AES-128-XTS
  AES-192-CBC
  id-aes192-CCM
  AES-192-CFB
  AES-192-CFB1
  AES-192-CFB8
  AES-192-CTR
  AES-192-ECB
  id-aes192-GCM
  AES-192-OCB
  AES-192-OFB
  AES-256-CBC
  AES-256-CBC-HMAC-SHA1
  AES-256-CBC-HMAC-SHA256
  id-aes256-CCM
  AES-256-CFB
  AES-256-CFB1
  AES-256-CFB8
  AES-256-CTR
  AES-256-ECB
  id-aes256-GCM
  AES-256-OCB
  AES-256-OFB
  AES-256-XTS
  aes128 => AES-128-CBC
  aes128-wrap => id-aes128-wrap
  aes128-wrap-pad => id-aes128-wrap-pad
  aes192 => AES-192-CBC
  aes192-wrap => id-aes192-wrap
  aes192-wrap-pad => id-aes192-wrap-pad
  aes256 => AES-256-CBC
  aes256-wrap => id-aes256-wrap
  aes256-wrap-pad => id-aes256-wrap-pad
  ARIA-128-CBC
  ARIA-128-CCM
  ARIA-128-CFB
  ARIA-128-CFB1
  ARIA-128-CFB8
  ARIA-128-CTR
  ARIA-128-ECB
  ARIA-128-GCM
  ARIA-128-OFB
  ARIA-192-CBC
  ARIA-192-CCM
  ARIA-192-CFB
  ARIA-192-CFB1
  ARIA-192-CFB8
  ARIA-192-CTR
  ARIA-192-ECB
  ARIA-192-GCM
  ARIA-192-OFB
  ARIA-256-CBC
  ARIA-256-CCM
  ARIA-256-CFB
  ARIA-256-CFB1
  ARIA-256-CFB8
  ARIA-256-CTR
  ARIA-256-ECB
  ARIA-256-GCM
  ARIA-256-OFB
  aria128 => ARIA-128-CBC
  aria192 => ARIA-192-CBC
  aria256 => ARIA-256-CBC
  bf => BF-CBC
  BF-CBC
  BF-CFB
  BF-ECB
  BF-OFB
  blowfish => BF-CBC
  CAMELLIA-128-CBC
  CAMELLIA-128-CFB
  CAMELLIA-128-CFB1
  CAMELLIA-128-CFB8
  CAMELLIA-128-CTR
  CAMELLIA-128-ECB
  CAMELLIA-128-OFB
  CAMELLIA-192-CBC
  CAMELLIA-192-CFB
  CAMELLIA-192-CFB1
  CAMELLIA-192-CFB8
  CAMELLIA-192-CTR
  CAMELLIA-192-ECB
  CAMELLIA-192-OFB
  CAMELLIA-256-CBC
  CAMELLIA-256-CFB
  CAMELLIA-256-CFB1
  CAMELLIA-256-CFB8
  CAMELLIA-256-CTR
  CAMELLIA-256-ECB
  CAMELLIA-256-OFB
  camellia128 => CAMELLIA-128-CBC
  camellia192 => CAMELLIA-192-CBC
  camellia256 => CAMELLIA-256-CBC
  cast => CAST5-CBC
  cast-cbc => CAST5-CBC
  CAST5-CBC
  CAST5-CFB
  CAST5-ECB
  CAST5-OFB
  ChaCha20
  ChaCha20-Poly1305
  des => DES-CBC
  DES-CBC
  DES-CFB
  DES-CFB1
  DES-CFB8
  DES-ECB
  DES-EDE
  DES-EDE-CBC
  DES-EDE-CFB
  des-ede-ecb => DES-EDE
  DES-EDE-OFB
  DES-EDE3
  DES-EDE3-CBC
  DES-EDE3-CFB
  DES-EDE3-CFB1
  DES-EDE3-CFB8
  des-ede3-ecb => DES-EDE3
  DES-EDE3-OFB
  DES-OFB
  des3 => DES-EDE3-CBC
  des3-wrap => id-smime-alg-CMS3DESwrap
  desx => DESX-CBC
  DESX-CBC
  id-aes128-CCM
  id-aes128-GCM
  id-aes128-wrap
  id-aes128-wrap-pad
  id-aes192-CCM
  id-aes192-GCM
  id-aes192-wrap
  id-aes192-wrap-pad
  id-aes256-CCM
  id-aes256-GCM
  id-aes256-wrap
  id-aes256-wrap-pad
  id-smime-alg-CMS3DESwrap
  idea => IDEA-CBC
  IDEA-CBC
  IDEA-CFB
  IDEA-ECB
  IDEA-OFB
  rc2 => RC2-CBC
  rc2-128 => RC2-CBC
  rc2-40 => RC2-40-CBC
  RC2-40-CBC
  rc2-64 => RC2-64-CBC
  RC2-64-CBC
  RC2-CBC
  RC2-CFB
  RC2-ECB
  RC2-OFB
  RC4
  RC4-40
  RC4-HMAC-MD5
  RC5-CBC
  RC5-CFB
  RC5-ECB
  RC5-OFB
  seed => SEED-CBC
  SEED-CBC
  SEED-CFB
  SEED-ECB
  SEED-OFB
  sm4 => SM4-CBC
  SM4-CBC
  SM4-CFB
  SM4-CTR
  SM4-ECB
  SM4-OFB
Provided:
  { 1.2.392.200011.61.1.1.1.4, CAMELLIA-256-CBC, CAMELLIA256 } @ default
  { 1.2.156.10197.1.104.2, SM4, SM4-CBC } @ default
  { 1.2.410.200046.1.1.12, ARIA-256-CBC, ARIA256 } @ default
  { 2.16.840.1.101.3.4.1.22, AES-192-CBC, AES192 } @ default
  { 2.16.840.1.101.3.4.1.4, AES-128-CFB } @ default
  { 1.2.410.200046.1.1.38, ARIA-192-CCM } @ default
  { 1.2.410.200046.1.1.1, ARIA-128-ECB } @ default
  { 2.16.840.1.101.3.4.1.2, AES-128-CBC, AES128 } @ default
  { 2.16.840.1.101.3.4.1.24, AES-192-CFB } @ default
  { 1.2.392.200011.61.1.1.1.2, CAMELLIA-128-CBC, CAMELLIA128 } @ default
  { 1.2.410.200046.1.1.35, ARIA-192-GCM } @ default
  { 2.16.840.1.101.3.4.1.42, AES-256-CBC, AES256 } @ default
  { 2.16.840.1.101.3.4.1.28, AES-192-WRAP-PAD, AES192-WRAP-PAD, id-aes192-wrap-pad } @ default
  { 1.2.410.200046.1.1.36, ARIA-256-GCM } @ default
  { 1.3.111.2.1619.0.1.2, AES-256-XTS } @ default
  { 2.16.840.1.101.3.4.1.8, AES-128-WRAP-PAD, AES128-WRAP-PAD, id-aes128-wrap-pad } @ default
  { 1.2.840.113549.1.9.16.3.6, DES3-WRAP, id-smime-alg-CMS3DESwrap } @ default
  { 2.16.840.1.101.3.4.1.48, AES-256-WRAP-PAD, AES256-WRAP-PAD, id-aes256-wrap-pad } @ default
  { 1.2.156.10197.1.104.3, SM4-OFB, SM4-OFB128 } @ default
  { 2.16.840.1.101.3.4.1.25, AES-192-WRAP, AES192-WRAP, id-aes192-wrap } @ default
  { 2.16.840.1.101.3.4.1.41, AES-256-ECB } @ default
  { 0.3.4401.5.3.1.9.49, CAMELLIA-256-CTR } @ default
  { 1.2.410.200046.1.1.2, ARIA-128-CBC, ARIA128 } @ default
  { 2.16.840.1.101.3.4.1.6, aes-128-gcm, id-aes128-GCM } @ default
  { 0.3.4401.5.3.1.9.41, CAMELLIA-256-ECB } @ default
  { 2.16.840.1.101.3.4.1.44, AES-256-CFB } @ default
  { 1.2.156.10197.1.104.4, SM4-CFB, SM4-CFB128 } @ default
  { 0.3.4401.5.3.1.9.4, CAMELLIA-128-CFB } @ default
  { 1.2.410.200046.1.1.39, ARIA-256-CCM } @ default
  { 1.2.410.200046.1.1.14, ARIA-256-OFB } @ default
  { 2.16.840.1.101.3.4.1.46, aes-256-gcm, id-aes256-GCM } @ default
  { 0.3.4401.5.3.1.9.9, CAMELLIA-128-CTR } @ default
  { 2.16.840.1.101.3.4.1.23, AES-192-OFB } @ default
  { 1.2.156.10197.1.104.1, SM4-ECB } @ default
  { 2.16.840.1.101.3.4.1.7, aes-128-ccm, id-aes128-CCM } @ default
  { 2.16.840.1.101.3.4.1.47, aes-256-ccm, id-aes256-CCM } @ default
  { 1.2.410.200046.1.1.7, ARIA-192-CBC, ARIA192 } @ default
  { 2.16.840.1.101.3.4.1.45, AES-256-WRAP, AES256-WRAP, id-aes256-wrap } @ default
  { 1.2.410.200046.1.1.15, ARIA-256-CTR } @ default
  { 1.2.410.200046.1.1.3, ARIA-128-CFB } @ default
  { 1.2.410.200046.1.1.34, ARIA-128-GCM } @ default
  { 1.2.410.200046.1.1.6, ARIA-192-ECB } @ default
  { 2.16.840.1.101.3.4.1.26, aes-192-gcm, id-aes192-GCM } @ default
  { 0.3.4401.5.3.1.9.29, CAMELLIA-192-CTR } @ default
  { 0.3.4401.5.3.1.9.43, CAMELLIA-256-OFB } @ default
  { 1.2.410.200046.1.1.37, ARIA-128-CCM } @ default
  { 2.16.840.1.101.3.4.1.27, aes-192-ccm, id-aes192-CCM } @ default
  { 1.3.14.3.2.17, DES-EDE, DES-EDE-ECB } @ default
  { 1.2.410.200046.1.1.11, ARIA-256-ECB } @ default
  { 1.3.111.2.1619.0.1.1, AES-128-XTS } @ default
  { 2.16.840.1.101.3.4.1.5, AES-128-WRAP, AES128-WRAP, id-aes128-wrap } @ default
  { 2.16.840.1.101.3.4.1.3, AES-128-OFB } @ default
  { 0.3.4401.5.3.1.9.3, CAMELLIA-128-OFB } @ default
  { 0.3.4401.5.3.1.9.1, CAMELLIA-128-ECB } @ default
  { 1.2.840.113549.3.7, DES-EDE3-CBC, DES3 } @ default
  { 0.3.4401.5.3.1.9.44, CAMELLIA-256-CFB } @ default
  { 1.2.410.200046.1.1.10, ARIA-192-CTR } @ default
  { 0.3.4401.5.3.1.9.23, CAMELLIA-192-OFB } @ default
  { 0.3.4401.5.3.1.9.24, CAMELLIA-192-CFB } @ default
  { 1.2.410.200046.1.1.9, ARIA-192-OFB } @ default
  { 1.2.410.200046.1.1.13, ARIA-256-CFB } @ default
  { 2.16.840.1.101.3.4.1.1, AES-128-ECB } @ default
  { 1.2.410.200046.1.1.8, ARIA-192-CFB } @ default
  { 1.2.156.10197.1.104.7, SM4-CTR } @ default
  { 2.16.840.1.101.3.4.1.43, AES-256-OFB } @ default
  { 1.2.410.200046.1.1.4, ARIA-128-OFB } @ default
  { 1.2.392.200011.61.1.1.1.3, CAMELLIA-192-CBC, CAMELLIA192 } @ default
  { 0.3.4401.5.3.1.9.21, CAMELLIA-192-ECB } @ default
  { 1.2.410.200046.1.1.5, ARIA-128-CTR } @ default
  { 2.16.840.1.101.3.4.1.21, AES-192-ECB } @ default
  NULL @ default
  AES-128-CBC-CTS @ default
  AES-192-CBC-CTS @ default
  AES-256-CBC-CTS @ default
  AES-256-CFB1 @ default
  AES-192-CFB1 @ default
  AES-128-CFB1 @ default
  AES-256-CFB8 @ default
  AES-192-CFB8 @ default
  AES-128-CFB8 @ default
  AES-256-CTR @ default
  AES-192-CTR @ default
  AES-128-CTR @ default
  AES-256-OCB @ default
  AES-192-OCB @ default
  AES-128-OCB @ default
  AES-128-SIV @ default
  AES-192-SIV @ default
  AES-256-SIV @ default
  AES-128-GCM-SIV @ default
  AES-192-GCM-SIV @ default
  AES-256-GCM-SIV @ default
  { AES-256-WRAP-INV, AES256-WRAP-INV } @ default
  { AES-192-WRAP-INV, AES192-WRAP-INV } @ default
  { AES-128-WRAP-INV, AES128-WRAP-INV } @ default
  { AES-256-WRAP-PAD-INV, AES256-WRAP-PAD-INV } @ default
  { AES-192-WRAP-PAD-INV, AES192-WRAP-PAD-INV } @ default
  { AES-128-WRAP-PAD-INV, AES128-WRAP-PAD-INV } @ default
  AES-128-CBC-HMAC-SHA1 @ default
  AES-256-CBC-HMAC-SHA1 @ default
  AES-128-CBC-HMAC-SHA256 @ default
  AES-256-CBC-HMAC-SHA256 @ default
  ARIA-256-CFB1 @ default
  ARIA-192-CFB1 @ default
  ARIA-128-CFB1 @ default
  ARIA-256-CFB8 @ default
  ARIA-192-CFB8 @ default
  ARIA-128-CFB8 @ default
  CAMELLIA-128-CBC-CTS @ default
  CAMELLIA-192-CBC-CTS @ default
  CAMELLIA-256-CBC-CTS @ default
  CAMELLIA-256-CFB1 @ default
  CAMELLIA-192-CFB1 @ default
  CAMELLIA-128-CFB1 @ default
  CAMELLIA-256-CFB8 @ default
  CAMELLIA-192-CFB8 @ default
  CAMELLIA-128-CFB8 @ default
  { DES-EDE3, DES-EDE3-ECB } @ default
  DES-EDE3-OFB @ default
  DES-EDE3-CFB @ default
  DES-EDE3-CFB8 @ default
  DES-EDE3-CFB1 @ default
  DES-EDE-CBC @ default
  DES-EDE-OFB @ default
  DES-EDE-CFB @ default
  { 1.2.156.10197.1.104.8, SM4-GCM } @ default
  { 1.2.156.10197.1.104.9, SM4-CCM } @ default
  { 1.2.156.10197.1.104.10, SM4-XTS } @ default
  ChaCha20 @ default
  ChaCha20-Poly1305 @ default

$ openssl list --disabled
Disabled algorithms:
SCTP
SSL3
BROTLI
ZSTD

You may try this image also.

[atauenis]

@atauenis , since version 0.17.0 we have OPENSSL_CONF variable set in linux ENV. That supposedly makes use of custom openssl config while webone is running.

[Service]
Environment="OPENSSL_CONF=/etc/webone.conf.d/openssl_webone.cnf"

I have a doubts that this path being used. When I deleted/replaced openssl_webone.cnf it looks that nothing have changed, so webone doesn't change its behavior.

Do I miss something or how WebOne make use of openssl except setting ENV variable?

It only uses the environment variable, and nothing more. There also two webone.conf options (SslProtocols, SslCipherSuites in [SecureProxy] section), but all of them are ignored by OpenSSL (exactly, OpenSSL is able to disable some protocols&ciphers by application configuration, but cannot enable them if they're not manually enabled via OpenSSL own configuration before).

Also there is a strange thing in OpenSSL (I don't know reasons): on some distributions the OPENSSL_CONF does working and on some does not. Probably they have differently compiled versions of this library. Or it is not fully ignored, but even lowest level (CipherString = ALL@SECLEVEL=0) does not meaning enable of SHA1 certificates in these builds due to unknown (compile-time?) reasons.

[way5]

The problem could have a real measure when someone is installing WebOne onto a machine (ex. a server) which has specific openssl version. This may lead to user denial of WebOne just because it's impossible to create required env.

I want to propose to use built-in openssl. There is no problem to set custom paths for openssl and install it side by side with WebOne and specifically to its use by WebOne.

---

I also want to suggest to begin managing development with different branches. There are many installations already that use master branch as the source of latest stable release. Downloading sources from releases has many inconveniences, ex: automatic scripts could not be changed every release, but git clone is always there. So I propose to maintain dev branch and commit into master only for a release. ;)

[atauenis]

I want to propose to use built-in openssl. There is no problem to set custom paths for openssl and install it side by side with WebOne and specifically to its use by WebOne.

This may be possible only via Docker images or something. I'm using .NET SDK to build WebOne, and it doesn't allow managing linking with non-.NET libraries. Even it self manages the choice between OpenSSL on Linux and SChannel on Windows (I've linked with System.Security.Cryptography.X509Certificates & System.Net.Security classes from .NET and they're doing everything cross-platform).

I also want to suggest to begin managing development with different branches. There are many installations already that use master branch as the source of latest stable release. Downloading sources from releases has many inconveniences, ex: automatic scripts could not be changed every release, but git clone is always there. So I propose to maintain dev branch and commit into master only for a release. ;)

It's an good idea. After v0.17.1 I can split to two branches, and keep them in parallel with merges before each release. And it will not require me to commit only stable things (currently the master branch is something like "beta" channel).

[way5]

I want to propose to use built-in openssl. There is no problem to set custom paths for openssl and install it side by side with WebOne and specifically to its use by WebOne.

This may be possible only via Docker images or something. I'm using .NET SDK to build WebOne, and it doesn't allow managing linking with non-.NET libraries. Even it self manages the choice between OpenSSL on Linux and SChannel on Windows (I've linked with System.Security.Cryptography.X509Certificates & System.Net.Security classes from .NET and they're doing everything cross-platform).

This may also be possible with "compile from sources" installation (ex. using autoinstall script) ;) My setup for instance is automatically reinstall WebOne on every release, so it is frustrating to put my hands on it every time since 0.17.0. Well, you're an architect here, in this case my concerns are "on your shoulders" :)

--- UPD: Does .NET SDK allow to run scripts while building or after that? Most people are using Docker image or pre-compiled deb or rpm, almost no one would use NET SDK to build their own copy. By built-in solution I meant that it may just dwell side by side with WebOne in its directory as utility.

[atauenis]

Does .NET SDK allow to run scripts while building or after that?

Only scripts in own XML-based format, putted inside CSPROJ file. The build-time scripts are considered as cross-platform. There's no equivalent of make install.

I've made build.bat/build.sh only to simplify build of all ~10 packages for each architecture. Just only dotnet run or dotnet publish -c "Release" is enough to make binaries from sources. And this makes an half-portable version (it still makes log file, but using local configuration). And just only dotnet deb is enough to build from sources to a regular deb package, identical to published at Release archive.

[atauenis]

So I propose to maintain dev branch and commit into master only for a release. ;)

Performed the split. Now master is containing latest version, and dev will contain the head of development progress.

[way5]

So I propose to maintain dev branch and commit into master only for a release. ;)

Performed the split. Now master is containing latest version, and dev will contain the head of development progress.

Good news! 👍

Still, what do we do with openssl issue? The problem is that it's impossible to use openssl system instance sometimes, se we'd need to reinvent the method WebOne does its business. If you have an idea, would you mind to share it please? 😉

----- UPD: Yet, I am not able to make it work, even with CipherString = ALL@SECLEVEL=0 and all the legacy cyphers built-in. I've tested it with openssl-3.0 and higher.

[atauenis]

It's possible to use WebOne with OpenSSL 3.x by enabling SHA2 certificates.

[SecureProxy]
SslHashAlgorithm=SHA256

This will limit old browser support to Firefox 4+ (and some Opera, Chrome versions from ~2010 and newer). So HTTPS will be not fully functional. MSIE, for example, will work only via HTTP like older WebOne versions.

To add SHA1/MD5 & SSL3 support, it's need to somewhy rebuild OpenSSL with right compile-time options. Probably even downgrade it to OpenSSL 1.1, as I'm not sure are OpenSSL 3.x have the required code even in disabled form or the code is removed at all.

[way5]

For the sake of research and testing I published Docker image which has openssl-1.0.1 on board, based on Ubuntu 16.04.