SSL issues using in-game-browser and wine

Issue #103 resolved
Resin Neublem created an issue

Hi there,

I've run into a weird problem that I believe is wine-specific. I can't use tripwire in the in game browser because all the assets are blocked. If I try to navigate directly to one (like https://static.eve-apps.com/css/landing/base.css) I get:

Error Loading Requested URL

Unable to process the website's SSL certificate

Error Code: -207

I asked around in Tweetfleet in the #mac-and-linux room and ISD IonCharge mentioned this:

that's to do with your system configuration. you need to configure your network software to only pull SSL rather than SSL or TLS pages for https calls. as igb can't handle tls

This works fine when I use the desktop browser.

This isn't a Tripwire issue per se, but I'm wondering if any other wine users have run into this and fixed it somehow.

Some similar eve forum threads about this issue:

Comments (13)

  1. Josh Glassmaker repo owner

    Yes - Wine has been an ongoing issue for Tripwire SSL. This is partly because I set up very high SSL security requirements that rival most major .com sites. I do this because it seems people are far less worried about getting in trouble for attempting to hack into a site like Tripwire than say amazon.com.

    I don't know exactly how to solve this issue and many others have found various solutions that worked for them but not the next person which is strange. I would really like to have a conversation with the developers of the EVE Client and Wine to figure this thing out but that will simply never happen.

  2. Resin Neublem reporter

    Hey Daimian, I found something that might be the ticket.

    I don't think it's an issue between TLS or SSL. My gut says it's an issue about the wine in game browser not having access to more modern ciphers.

    Would you be able to offer more ciphers for your webserver? Looking at https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html#The_Cipher_Suite there's a blurb in there:

    The recommended cipher suite for backwards compatibility (IE6/WinXP):

    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    

    I came across this by using https://testssl.sh/ to try and figure out the difference between siggy (ok), pathfinder (ok), zkillboard (not ok), fuzzwork.co.uk (ok), and your assets domain static.eve-apps.com (not ok).

    ./testssl.sh -q -P www.fuzzwork.co.uk
    
     Start 2016-03-12 20:13:54    -->> 144.76.101.55:443 (www.fuzzwork.co.uk) <<--
    
     further IP addresses:   2a01:4f8:192:4136::2
     rDNS (144.76.101.55):   www.fuzzwork.co.uk.
     Service detected:       HTTP
    
    
     Testing server preferences
    
     Has server cipher order?     yes (OK)
     Negotiated protocol          TLSv1.2
     Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH
     Cipher order
         TLSv1:     ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA CAMELLIA256-SHA CAMELLIA128-SHA DES-CBC3-SHA
         TLSv1.1:   ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA CAMELLIA256-SHA CAMELLIA128-SHA DES-CBC3-SHA
         TLSv1.2:   ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA AES256-SHA AES256-SHA256 AES128-SHA256 CAMELLIA256-SHA CAMELLIA128-SHA DES-CBC3-SHA
    
    ./testssl.sh -q -P static.eve-apps.com
    
    Testing all IPv4 addresses (port 443): 104.25.78.20 104.25.79.20
    ----------------------------------------------------------------------------------------------------------------------
     Start 2016-03-12 20:22:03    -->> 104.25.78.20:443 (static.eve-apps.com) <<--
    
     further IP addresses:   104.25.79.20 2400:cb00:2048:1::6819:4e14 2400:cb00:2048:1::6819:4f14
     rDNS (104.25.78.20):     --
     Service detected:       HTTP
    
    
     Testing server preferences
    
     Has server cipher order?     yes (OK)
     Negotiated protocol          TLSv1.2
     Negotiated cipher            ECDHE-ECDSA-CHACHA20-POLY1305, 256 bit ECDH
     Cipher order
         TLSv1:     ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-DES-CBC3-SHA DES-CBC3-SHA
         TLSv1.1:   ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-DES-CBC3-SHA DES-CBC3-SHA
         TLSv1.2:   ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-DES-CBC3-SHA
         spdy/3.1:  ECDHE-ECDSA-CHACHA20-POLY1305 AES128-GCM-SHA256 AES128-SHA256 AES128-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DES-CBC3-SHA
         http/1.1:  ECDHE-ECDSA-CHACHA20-POLY1305 AES128-GCM-SHA256 AES128-SHA256 AES128-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DES-CBC3-SHA
    
    ./testssl.sh -q -P siggy.borkedlabs.com
    
    Testing all IPv4 addresses (port 443): 159.203.193.36 45.55.96.197
    ----------------------------------------------------------------------------------------------------------------------
     Start 2016-03-12 20:23:13    -->> 159.203.193.36:443 (siggy.borkedlabs.com) <<--
    
     further IP addresses:   45.55.96.197 2604:a880:800:10::ac:9001 2604:a880:1:20::32:5001
     rDNS (159.203.193.36):   --
     Service detected:       HTTP
    
    
     Testing server preferences
    
     Has server cipher order?     yes (OK)
     Negotiated protocol          TLSv1.2
     Negotiated cipher            ECDHE-RSA-AES128-SHA, 256 bit ECDH
     Cipher order
         TLSv1:     ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA AES128-SHA DES-CBC3-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA
         TLSv1.1:   ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA AES128-SHA DES-CBC3-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA
         TLSv1.2:   ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA AES128-SHA DES-CBC3-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA CAMELLIA256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-CAMELLIA128-SHA AES128-GCM-SHA256 AES128-SHA256 CAMELLIA128-SHA
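
As an added example (not part of the original thread or the Tripwire project), the by-eye comparison of the testssl.sh reports above can be scripted: parse each host's cipher order and check which suite a given client offer would land on under server preference. `LEGACY_CLIENT` is a hypothetical offer, since the thread never establishes what the in-game browser supports, and the sample report is abridged from the quoted output.

```python
import re

# Constructed sample: abridged from the testssl.sh output quoted in the thread.
SAMPLE = """\
 Start 2016-03-12 20:13:54    -->> 144.76.101.55:443 (www.fuzzwork.co.uk) <<--
     TLSv1:     ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA
     TLSv1.2:   ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256
 Start 2016-03-12 20:22:03    -->> 104.25.78.20:443 (static.eve-apps.com) <<--
     TLSv1:     ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA
     TLSv1.2:   ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256
     http/1.1:  ECDHE-ECDSA-CHACHA20-POLY1305 AES128-GCM-SHA256 AES128-SHA256
"""

HOST_RE = re.compile(r"-->>\s+\S+\s+\((\S+)\)\s+<<--")
ORDER_RE = re.compile(r"^\s*((?:TLSv|SSLv)[\d.]+):\s+(.+)$")


def parse_cipher_order(report):
    """Return {host: {protocol: [suites in server preference order]}}."""
    hosts, current = {}, None
    for line in report.splitlines():
        host = HOST_RE.search(line)
        if host:
            current = hosts.setdefault(host.group(1), {})
            continue
        order = ORDER_RE.match(line)
        if order and current is not None:  # spdy/http rows do not match
            current[order.group(1)] = order.group(2).split()
    return hosts


def negotiate(server_order, client_offer):
    """Server-preference selection: first server suite the client also offers."""
    offered = set(client_offer)
    return next((s for s in server_order if s in offered), None)


def compare(report, client_offer):
    """Map host -> protocol -> selected suite (None means no shared suite)."""
    return {host: {proto: negotiate(order, client_offer)
                   for proto, order in protos.items()}
            for host, protos in parse_cipher_order(report).items()}


# Hypothetical client offer (assumption): RSA-authenticated suites only.
LEGACY_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "AES128-SHA"]

if __name__ == "__main__":
    print(compare(SAMPLE, LEGACY_CLIENT))
```

A `None` for a protocol means the reported server list and the client offer share no suite at that version, which is the kind of gap a cipher-list change on the server is meant to close.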
    
  3. Josh Glassmaker repo owner

    Thanks for going the extra mile and doing some research for me on this one - it helps more than I could explain!

    I can switch the SSL ciphers on Galileo a little later this morning once the dust settles back down at work today.

  4. Josh Glassmaker repo owner

    OK the SSL ciphers have been changed on https://galileo.eve-apps.com - let me know if it does the trick.

  5. Resin Neublem reporter

    Thanks for changing it up. It looks different now. Previously I think one of the CSS files didn't come through.

    It's ALMOST usable, except the JS files aren't downloadable. Which is odd.

    So it prevents you from signing in. If you're able to sign in on Windows then it seems like it's now something different between the way the IGBs are working and not an SSL issue at this point.

  6. Josh Glassmaker repo owner

    That's strange that there is still an issue with the jquery library. Any ideas on what else we could try?

  7. Josh Glassmaker repo owner

    Not sure how implementing the SSL change on regular Tripwire will work since the CSS and JS files are coming from CloudFlare and their SSL.

  8. Resin Neublem reporter

    Yeah thanks for the help. Perhaps someone else will come across this thread and mention a suggestion.

    Until then, I'm going to take a break from debugging wine issues :)
