Open callumgare opened 4 months ago
I've solved the problem in deb-packaged releases by enabling custom OpenSSL configuration via https://github.com/atauenis/webone/blob/master/openssl_webone.cnf . From a quick look at the Dockerfile, the openssl_webone.cnf is not listed in it.
Also I have tested WebOne on a few distributions, and on Debian 12 the configuration is still ignored. Probably it has a too strong OpenSSL build, even stronger than the one used in Ubuntu 24.04 (it's working correctly with SHA1 certificates). So, maybe we need to use a custom OpenSSL build in the docker environment with the right compile-time options (I don't know which) if Alpine contains something like that. Also OpenSSL has by default disabled at compile time (but not really removed) support for older SSL3 ciphers (RC4, 3DES-128, etc), which can be re-enabled by recompiling OpenSSL with the right options.
Hey @atauenis ! Thanks for the hint.
@callumgare, this seems to be working fine now.
Thanks for that @way5. Unfortunately I'm still running into the issue. I've re-pulled 0.17.0 and confirmed I'm definitely using the new image as it matches the hash on docker hub (e68808ca5d1a) from the image pushed 5 days ago.
$ docker image inspect u306060/webone:0.17.0 | jq .[].RepoDigests
[
"u306060/webone@sha256:e68808ca5d1a03463b2f9448e795ff9422b0287ad4019a010a8e46936a2f08db"
]
Then I deleted all my config mounted into the container at /home/webone and replaced it with the latest config from https://github.com/way5/docker-webone/tree/main/webone.config. But alas I still get the cursed "OpenSSL error - ca md too weak" :(
@callumgare, alright, it took me a while rebuilding images. I am using the new 0.17.0 image (not latest). This is what I get:
$ curl -vvv --proxy http://127.0.0.1:8080 https://google.com/
* Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to google.com:443
> CONNECT google.com:443 HTTP/1.1
> Host: google.com:443
> User-Agent: curl/8.4.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Via: 1.1 WebOne/0.17.1.0
< Connection: Keep-Alive
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
WebOne log:
>CONNECT google.com:443 (192.168.65.1)
!SSL Handshake failed: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. (-2146233087)
<Done (connection closed by client).
And if I disable SSL certificate check:
$ curl -vvv -k --proxy http://127.0.0.1:8080 https://google.com/
* Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to google.com:443
> CONNECT google.com:443 HTTP/1.1
> Host: google.com:443
> User-Agent: curl/8.4.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Via: 1.1 WebOne/0.17.1.0
< Connection: Keep-Alive
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: CN=google.com
* start date: Jun 6 01:24:33 2024 GMT
* expire date: Jun 20 01:24:33 2024 GMT
* issuer: CN=WebOne Certificate Authority [510]; OU=This is not really secure connection; O=MITM Proxy; C=SU
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/1.x
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: http://www.google.com/
< Date: Thu, 13 Jun 2024 01:24:36 GMT
< Cache-Control: public, max-age=2592000
< Server: gws
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
< Expires: Sat, 13 Jul 2024 01:24:36 GMT
< Content-Length: 219
< Via: HTTP/1.0 WebOne/0.17.1.0
< Content-Type: text/html; charset=utf-8
< Connection: Keep-Alive
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
* Connection #0 to host 127.0.0.1 left intact
WebOne log:
>CONNECT google.com:443 (192.168.65.1)
>[google.com] GET / (192.168.65.1)
Carousel detected.
>Downloading content...
301 Moved. Body 0K of text/html; charset=utf-8 [Text].
<Done (connection close).
<Close SSL.
<Done.
Oops: The output char buffer is too small to contain the decoded characters, encoding 'Unicode (UTF-8)' fallback 'System.Text.DecoderReplacementFallback'. (Parameter 'chars').
Is that what you're looking for?
@atauenis , since version 0.17.0 we have the OPENSSL_CONF variable set in the Linux ENV. That supposedly makes WebOne use the custom openssl config while it is running.
[Service]
Environment="OPENSSL_CONF=/etc/webone.conf.d/openssl_webone.cnf"
I have doubts that this path is being used. When I deleted/replaced openssl_webone.cnf it looks like nothing has changed, so WebOne doesn't change its behavior.
Do I miss something, or how does WebOne make use of openssl apart from setting the ENV variable?
@callumgare, there is a webone-0.17.0-ssl image, where:
$ openssl list --cipher-algorithms
$ openssl list --disabled
Disabled algorithms:
SCTP
SSL3
BROTLI
ZSTD
You may try this image also.
@atauenis , since version 0.17.0 we have the OPENSSL_CONF variable set in the Linux ENV. That supposedly makes WebOne use the custom openssl config while it is running.
[Service] Environment="OPENSSL_CONF=/etc/webone.conf.d/openssl_webone.cnf"
I have doubts that this path is being used. When I deleted/replaced openssl_webone.cnf it looks like nothing has changed, so WebOne doesn't change its behavior.
Do I miss something, or how does WebOne make use of openssl apart from setting the ENV variable?
It only uses the environment variable, and nothing more. There are also two webone.conf options (SslProtocols, SslCipherSuites in the [SecureProxy] section), but all of them are ignored by OpenSSL (more exactly, OpenSSL is able to disable some protocols & ciphers by application configuration, but cannot enable them if they're not manually enabled via OpenSSL's own configuration beforehand).
Also there is a strange thing in OpenSSL (I don't know the reasons): on some distributions OPENSSL_CONF does work and on some it does not. Probably they have differently compiled versions of this library. Or it is not fully ignored, but even the lowest level (CipherString = ALL@SECLEVEL=0) does not mean SHA1 certificates get enabled in these builds, due to unknown (compile-time?) reasons.
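A quick way to see the point above on your own host, as an added example here and not code from WebOne or docker-webone: it asks the OpenSSL that Python is linked against which cipher suites it will still offer under CipherString = ALL@SECLEVEL=0 and groups them, so a build that dropped RC4/DES at compile time shows up as empty buckets regardless of what the config file says. The bucket names and the helper names are my own.

```python
import os
import ssl
from typing import Dict, List


def classify_cipher(name: str) -> str:
    """Bucket an OpenSSL suite name by its weakest primitive.
    Bucket labels are my own, chosen for what the thread cares about."""
    n = name.upper()
    if "NULL" in n:
        return "null"
    if "RC4" in n:
        return "rc4"
    if "DES-CBC3" in n or "3DES" in n:
        return "3des"
    if "DES-CBC-" in n:  # single DES, e.g. EDH-RSA-DES-CBC-SHA
        return "des"
    if n.endswith("-SHA") or n.endswith("-MD5"):
        return "sha1-mac"  # modern cipher with a SHA-1/MD5 HMAC
    return "modern"


def probe_legacy_ciphers(cipher_string: str = "ALL@SECLEVEL=0") -> Dict[str, object]:
    """Ask the OpenSSL this Python is linked against which suites it will
    really offer under `cipher_string`, grouped by classify_cipher().
    'error' is set and 'buckets' left empty if OpenSSL rejects the string."""
    report: Dict[str, object] = {
        "openssl": ssl.OPENSSL_VERSION,
        "openssl_conf": os.environ.get("OPENSSL_CONF"),  # what WebOne relies on
        "cipher_string": cipher_string,
        "buckets": {},
        "error": None,
    }
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Python defaults to TLS 1.2+; lower the floor so only the OpenSSL build hides old suites.
    try:
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    except (ValueError, ssl.SSLError):
        pass
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        report["error"] = str(exc)
        return report
    buckets: Dict[str, List[str]] = {}
    for suite in ctx.get_ciphers():
        buckets.setdefault(classify_cipher(suite["name"]), []).append(suite["name"])
    report["buckets"] = buckets
    return report


def has_legacy_suites(report: Dict[str, object]) -> bool:
    """True if any RC4 / DES / 3DES suite survived at this security level."""
    return any(k in report["buckets"] for k in ("rc4", "des", "3des"))


if __name__ == "__main__":
    rep = probe_legacy_ciphers()
    print(f"OpenSSL: {rep['openssl']}  OPENSSL_CONF={rep['openssl_conf']!r}")
    if rep["error"]:
        print("cipher string rejected:", rep["error"])
    for bucket, names in sorted(rep["buckets"].items()):
        print(f"{bucket:>9}: {len(names):3d}  e.g. {names[0]}")
    print("legacy RC4/DES suites offered:", has_legacy_suites(rep))
```

Run it once inside the container and once on the host to compare what each OpenSSL build actually exposes.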
The problem could have real consequences when someone is installing WebOne onto a machine (e.g. a server) which has a specific openssl version. This may lead to users giving up on WebOne just because it's impossible to create the required env.
I want to propose using a built-in openssl. There is no problem setting custom paths for openssl and installing it side by side with WebOne, specifically for WebOne's use.
I also want to suggest starting to manage development with different branches. There are many installations already that use the master branch as the source of the latest stable release. Downloading sources from releases has many inconveniences, e.g. automatic scripts cannot be changed every release, but git clone is always there.
So I propose to maintain a dev branch and commit into master only for a release. ;)
I want to propose using a built-in openssl. There is no problem setting custom paths for openssl and installing it side by side with WebOne, specifically for WebOne's use.
This may be possible only via Docker images or something similar. I'm using the .NET SDK to build WebOne, and it doesn't allow managing linking with non-.NET libraries. It even manages the choice between OpenSSL on Linux and SChannel on Windows by itself (I've linked with the System.Security.Cryptography.X509Certificates & System.Net.Security classes from .NET and they do everything cross-platform).
I also want to suggest starting to manage development with different branches. There are many installations already that use the master branch as the source of the latest stable release. Downloading sources from releases has many inconveniences, e.g. automatic scripts cannot be changed every release, but git clone is always there. So I propose to maintain a dev branch and commit into master only for a release. ;)
It's a good idea. After v0.17.1 I can split into two branches, and keep them in parallel with merges before each release. And it will not require me to commit only stable things (currently the master branch is something like a "beta" channel).
I want to propose using a built-in openssl. There is no problem setting custom paths for openssl and installing it side by side with WebOne, specifically for WebOne's use.
This may be possible only via Docker images or something similar. I'm using the .NET SDK to build WebOne, and it doesn't allow managing linking with non-.NET libraries. It even manages the choice between OpenSSL on Linux and SChannel on Windows by itself (I've linked with the System.Security.Cryptography.X509Certificates & System.Net.Security classes from .NET and they do everything cross-platform).
This may also be possible with a "compile from sources" installation (e.g. using the autoinstall script) ;) My setup, for instance, automatically reinstalls WebOne on every release, so it is frustrating to put my hands on it every time since 0.17.0. Well, you're the architect here, in this case my concerns are "on your shoulders" :)
--- UPD: Does the .NET SDK allow running scripts while building or after that? Most people are using the Docker image or a pre-compiled deb or rpm; almost no one would use the .NET SDK to build their own copy. By a built-in solution I meant that it may just dwell side by side with WebOne in its directory as a utility.
Does the .NET SDK allow running scripts while building or after that?
Only scripts in its own XML-based format, put inside the CSPROJ file. The build-time scripts are considered cross-platform. There's no equivalent of make install.
I've made build.bat/build.sh only to simplify the build of all ~10 packages for each architecture. Just dotnet run or dotnet publish -c "Release" is enough to make binaries from sources. And this makes a half-portable version (it still writes a log file, but uses local configuration). And just dotnet deb is enough to build from sources to a regular deb package, identical to the one published at the Release archive.
So I propose to maintain a dev branch and commit into master only for a release. ;)
Performed the split. Now master contains the latest version, and dev will contain the head of development progress.
So I propose to maintain a dev branch and commit into master only for a release. ;)
Performed the split. Now master contains the latest version, and dev will contain the head of development progress.
Good news! 👍
Still, what do we do with the openssl issue?
The problem is that it's impossible to use the system openssl instance sometimes, so we'd need to reinvent the method WebOne uses to do its business.
If you have an idea, would you mind sharing it please? 😉
----- UPD:
Yet, I am not able to make it work, even with CipherString = ALL@SECLEVEL=0 and all the legacy ciphers built in. I've tested it with openssl-3.0 and higher.
It's possible to use WebOne with OpenSSL 3.x by enabling SHA2 certificates:
[SecureProxy]
SslHashAlgorithm=SHA256
This will limit old browser support to Firefox 4+ (and some Opera and Chrome versions from ~2010 and newer). So HTTPS will not be fully functional. MSIE, for example, will work only via HTTP, like with older WebOne versions.
To add SHA1/MD5 & SSL3 support, OpenSSL somehow needs to be rebuilt with the right compile-time options. Probably even downgraded to OpenSSL 1.1, as I'm not sure whether OpenSSL 3.x still has the required code even in disabled form, or whether the code has been removed entirely.
For the sake of research and testing I published Docker image which has openssl-1.0.1 on board, based on Ubuntu 16.04.
I'm trying to get a dockerized version of webone set up, but when sending a request via the proxy for an https page (curl -v --proxy http://192.168.1.1:8080 https://example.com/) I get an SSL failure and the logs show this:
I believe version 0.17.0 of webone is meant to address this issue specifically (https://github.com/atauenis/webone/discussions/125) and you can see from the logs it's running version 0.17.0 (I'm using the "0.17.0" docker tag).
Any idea if it's something I'm doing on my end, a problem with how the image is built, or a problem with webone itself?
Thanks for your efforts maintaining a docker version of such a useful program :)