SSL issues using in-game-browser and wine
Hi there,
I've run into a weird problem that I believe is wine-specific. I can't use tripwire in the in game browser because all the assets are blocked. If I try to navigate directly to one (like https://static.eve-apps.com/css/landing/base.css) I get:
Error Loading Requested URL
Unable to process the website's SSL certificate
Error Code: -207
I asked around in Tweetfleet in the #mac-and-linux room and ISD IonCharge mentioned this:
that's to do with your system configuration. you need to configure your network software to only pull SSL rather than SSL or TLS pages for https calls. as igb can't handle tls
This works fine when I use the desktop browser.
This isn't a Tripwire issue per se, but I'm wondering if any other wine users have run into this and fixed it somehow.
Some similar eve forum threads about this issue:
Comments (13)
-
repo owner -
reporter Hey Daimian, I found something that might be the ticket.
I don't think it's an issue between TLS or SSL. My gut says it's an issue about the wine in game browser not having access to more modern ciphers.
Would you be able to offer more ciphers for your webserver? Looking at https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html#The_Cipher_Suite there's a blurb in there:
The recommended cipher suite for backwards compatibility (IE6/WinXP):
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
I came across this by using https://testssl.sh/ to try and figure out the difference between siggy (ok), pathfinder (ok), zkillboard (not ok), fuzzwork.co.uk (ok), and your assets domain static.eve-apps.com (not ok).
./testssl.sh -q -P www.fuzzwork.co.uk
 Start 2016-03-12 20:13:54    -->> 144.76.101.55:443 (www.fuzzwork.co.uk) <<--
 further IP addresses:   2a01:4f8:192:4136::2
 rDNS (144.76.101.55):   www.fuzzwork.co.uk.
 Service detected:       HTTP
 Testing server preferences
 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH
 Cipher order
     TLSv1:     ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA CAMELLIA256-SHA CAMELLIA128-SHA DES-CBC3-SHA
     TLSv1.1:   ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA CAMELLIA256-SHA CAMELLIA128-SHA DES-CBC3-SHA
     TLSv1.2:   ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA AES256-SHA AES256-SHA256 AES128-SHA256 CAMELLIA256-SHA CAMELLIA128-SHA DES-CBC3-SHA

./testssl.sh -q -P static.eve-apps.com
 Testing all IPv4 addresses (port 443): 104.25.78.20 104.25.79.20
 ----------------------------------------------------------------------------------------------------------------------
 Start 2016-03-12 20:22:03    -->> 104.25.78.20:443 (static.eve-apps.com) <<--
 further IP addresses:   104.25.79.20 2400:cb00:2048:1::6819:4e14 2400:cb00:2048:1::6819:4f14
 rDNS (104.25.78.20):    --
 Service detected:       HTTP
 Testing server preferences
 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-ECDSA-CHACHA20-POLY1305, 256 bit ECDH
 Cipher order
     TLSv1:     ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-DES-CBC3-SHA DES-CBC3-SHA
     TLSv1.1:   ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-DES-CBC3-SHA DES-CBC3-SHA
     TLSv1.2:   ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-DES-CBC3-SHA
     spdy/3.1:  ECDHE-ECDSA-CHACHA20-POLY1305 AES128-GCM-SHA256 AES128-SHA256 AES128-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DES-CBC3-SHA
     http/1.1:  ECDHE-ECDSA-CHACHA20-POLY1305 AES128-GCM-SHA256 AES128-SHA256 AES128-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DES-CBC3-SHA

./testssl.sh -q -P siggy.borkedlabs.com
 Testing all IPv4 addresses (port 443): 159.203.193.36 45.55.96.197
 ----------------------------------------------------------------------------------------------------------------------
 Start 2016-03-12 20:23:13    -->> 159.203.193.36:443 (siggy.borkedlabs.com) <<--
 further IP addresses:   45.55.96.197 2604:a880:800:10::ac:9001 2604:a880:1:20::32:5001
 rDNS (159.203.193.36):  --
 Service detected:       HTTP
 Testing server preferences
 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-AES128-SHA, 256 bit ECDH
 Cipher order
     TLSv1:     ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA AES128-SHA DES-CBC3-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA
     TLSv1.1:   ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA AES128-SHA DES-CBC3-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA
     TLSv1.2:   ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA AES128-SHA DES-CBC3-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA CAMELLIA256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-CAMELLIA128-SHA AES128-GCM-SHA256 AES128-SHA256 CAMELLIA128-SHA
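The side-by-side comparison of the three scans above can be scripted. This is an added example, not part of the original thread: it parses the "Cipher order" rows of `testssl.sh -P` output and reports which ciphers every working host offers that the failing host does not. The function names and the RSA/ECDSA naming rule are assumptions made for this example.

```python
import re

# "Cipher order" rows copied from the testssl.sh scans quoted in this thread,
# flattened onto one line the way the tracker rendered them.
SCANS = {
    "www.fuzzwork.co.uk": "Cipher order TLSv1.2: ECDHE-RSA-AES128-GCM-SHA256 "
        "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA "
        "ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 "
        "AES128-SHA AES256-SHA AES256-SHA256 AES128-SHA256 CAMELLIA256-SHA CAMELLIA128-SHA DES-CBC3-SHA",
    "siggy.borkedlabs.com": "Cipher order TLSv1.2: ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA "
        "ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA AES128-SHA DES-CBC3-SHA "
        "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA "
        "DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA "
        "DHE-RSA-CAMELLIA256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA CAMELLIA256-SHA "
        "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 "
        "DHE-RSA-AES128-SHA256 DHE-RSA-CAMELLIA128-SHA AES128-GCM-SHA256 AES128-SHA256 CAMELLIA128-SHA",
    "static.eve-apps.com": "Cipher order TLSv1: ECDHE-RSA-AES128-SHA AES128-SHA "
        "ECDHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-DES-CBC3-SHA DES-CBC3-SHA "
        "TLSv1.2: ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 "
        "ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-GCM-SHA384 "
        "ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-DES-CBC3-SHA",
}

def cipher_order(text):
    """Parse flattened or multi-line output into {protocol: [ciphers]}."""
    order, proto = {}, None
    for tok in text.split("Cipher order", 1)[-1].split():
        if tok.endswith(":"):  # "TLSv1.2:" or "spdy/3.1:" starts a new row
            proto = tok[:-1]
            order[proto] = []
        elif proto and re.fullmatch(r"[A-Z0-9-]+", tok):
            order[proto].append(tok)
    return order

def cert_types(host, proto):
    # Assumption: for the cipher names on this page, "ECDSA" in the name means
    # an ECDSA certificate and every other name authenticates with RSA.
    ciphers = cipher_order(SCANS[host]).get(proto, [])
    return {"ECDSA" if "ECDSA" in c else "RSA" for c in ciphers}

def missing_on(failing, working, proto):
    """Ciphers every working host offers that the failing host does not."""
    offered = [set(cipher_order(SCANS[h]).get(proto, [])) for h in working]
    theirs = set(cipher_order(SCANS[failing]).get(proto, []))
    return sorted(set.intersection(*offered) - theirs)

if __name__ == "__main__":
    ok = ["www.fuzzwork.co.uk", "siggy.borkedlabs.com"]
    print(cert_types("static.eve-apps.com", "TLSv1.2"), missing_on("static.eve-apps.com", ok, "TLSv1.2"))
```

For the scans in this thread it reports that static.eve-apps.com lists only ECDHE-ECDSA suites at TLSv1.2, while both working hosts list RSA-authenticated suites there.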
-
repo owner Thanks for going the extra mile and doing some research for me on this one - it helps more than I could explain!
I can switch the SSL ciphers on Galileo a little later this morning once the dust settles back down at work today.
-
repo owner OK the SSL ciphers have been changed on https://galileo.eve-apps.com - let me know if it does the trick.
-
reporter Thanks for changing it up. It looks different now. Previously I think one of the CSS files didn't come through.
It's ALMOST usable, except the JS files aren't downloadable. Which is odd.
- https://galileo.eve-apps.com/css/landing/base.css - works fine in the in-game-browser
- https://galileo.eve-apps.com/js/landing/html5shiv.js - works fine too
- https://galileo.eve-apps.com/js/landing/jquery-1.7.1.min.js - can't download it. I get
Error Code: -2
So it prevents you from signing in. If you're able to sign in on windows then it seems like it's now something different between the way the IGBs are working and not an SSL issue at this point.
-
repo owner That's strange that there is still an issue with the jquery library. Any ideas on what else we could try?
-
reporter Nah, I'm out of ideas. https://galileo.eve-apps.com/js/landing/jquery-1.7.1.min.js works fine with the cider launcher. Going to assume it works fine with windows as well.
No idea why wine's in game browser would have problems downloading it.
-
repo owner Not sure how implementing the SSL change on regular Tripwire will work since the CSS and JS files are coming from CloudFlare and their SSL.
-
reporter Yeah thanks for the help. Perhaps someone else will come across this thread and mention a suggestion.
Until then, I'm going to take a break from debugging wine issues :)
-
Since it seems to be a problem with a jQuery library file, you could try switching to a google hosted version of the library that you are using: https://developers.google.com/speed/libraries/#jquery
Google's SSL policy might not be as strict and it would allow you to remove this file from your repository anyway.
-
I think this can be marked as resolved.
-
- changed status to wontfix
In-game browser being removed so a wine fix will no longer be necessary
-
- changed status to resolved
Yes - Wine has been an ongoing issue for Tripwire SSL. This is partly because I set up very high SSL security requirements that rival most major .com sites. I do this because it seems people are far less worried about getting in trouble for attempting to hack into a site like Tripwire than say amazon.com.
I don't know exactly how to solve this issue and many others have found various solutions that worked for them but not the next person which is strange. I would really like to have a conversation with the developers of the EVE Client and Wine to figure this thing out but that will simply never happen.