[Bug 43605] New: Wine does not support elliptic curve cryptography
https://bugs.winehq.org/show_bug.cgi?id=43605

            Bug ID: 43605
           Summary: Wine does not support elliptic curve cryptography
           Product: Wine
           Version: unspecified
          Hardware: x86-64
                OS: Linux
            Status: UNCONFIRMED
          Severity: minor
          Priority: P2
         Component: -unknown
          Assignee: wine-bugs(a)winehq.org
          Reporter: raydongf(a)gmail.com
      Distribution: ---

Let's Encrypt and CloudFlare distribute ECC SSL certificates. If someone tries to use it or connect to an HTTPS website that uses an ECC certificate, Wine will claim that the certificate is invalid, and throw an error. If you try to view the public key directly, the dialog also claims that the certificate is invalid.

This is evident if you view the properties of the CloudFlare ECC root certificate: https://support.cloudflare.com/hc/en-us/articles/218689638-What-are-the-root...

--
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because: You are watching all bug changes.
https://bugs.winehq.org/show_bug.cgi?id=43605

Fabian Maurer <dark.shadow4(a)web.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dark.shadow4(a)web.de

--- Comment #1 from Fabian Maurer <dark.shadow4(a)web.de> ---
How exactly do I test that issue?
https://bugs.winehq.org/show_bug.cgi?id=43605

--- Comment #2 from raydongf(a)gmail.com ---
Created attachment 59020
  --> https://bugs.winehq.org/attachment.cgi?id=59020
Comodo ECC public key
https://bugs.winehq.org/show_bug.cgi?id=43605

--- Comment #3 from raydongf(a)gmail.com ---
(In reply to Fabian Maurer from comment #1)
> How exactly do I test that issue?

Hi, I've attached a certificate that should show as invalid once you click "details" (can't remember the name). It will say that the certificate is invalid, but it'll still install. However, even if it's installed, Wine IE won't connect to it without the warning/error message.

This is what it looks like on real Windows: http://i.imgur.com/fbzFl1Z.png

You can also try to access https://ssigames.co - it should also throw an error.
https://bugs.winehq.org/show_bug.cgi?id=43605

--- Comment #4 from Fabian Maurer <dark.shadow4(a)web.de> ---
> Hi, I've attached a certificate that should show as invalid once you click "details" (can't remember the name).

How would I click on details through wine? Mind elaborating on that, I have no idea what you are doing or how to reproduce it.

> You can also try to access https://ssigames.co - it should also throw an error.

I get an "The certificate is issued by an unknown or untrusted publisher" warning. Is that what you mean?
https://bugs.winehq.org/show_bug.cgi?id=43605

--- Comment #5 from raydongf(a)gmail.com ---
(In reply to Fabian Maurer from comment #4)
> How would I click on details through wine? Mind elaborating on that, I have no idea what you are doing or how to reproduce it.

If you use Wine Explorer to double click the cer file, you should see a prompt similar to the screenshot from comment #3.

> I get an "The certificate is issued by an unknown or untrusted publisher" warning. Is that what you mean?

Yes, that's what I mean. The root certificate is present on the system, but Wine thinks it is invalid.
https://bugs.winehq.org/show_bug.cgi?id=43605

raydongf(a)gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |raydongf(a)gmail.com
https://bugs.winehq.org/show_bug.cgi?id=43605

--- Comment #6 from Fabian Maurer <dark.shadow4(a)web.de> ---
> If you use Wine Explorer to double click the cer file, you should see a prompt similar to the screenshot from comment #3.

No, I get an error messagebox with "There is no Windows program configured to open this type of file." Using a clean 32bit wineprefix with wine-2.15. Using the file from comment #2.

> Yes, that's what I mean. The root certificate is present on the system, but Wine thinks it is invalid.

I see. You probably mean the certificate is present on the linux system, right?
https://bugs.winehq.org/show_bug.cgi?id=43605

--- Comment #7 from raydongf(a)gmail.com ---
(In reply to Fabian Maurer from comment #6)
> No, I get an error messagebox with "There is no Windows program configured to open this type of file." Using a clean 32bit wineprefix with wine-2.15. Using the file from comment #2.

Ah, it appears I was mistaken. I had to install ie6 from winetricks first in order to access the certificate list. I'm not sure if that's built into Wine or not.

I did [wine control], and then Content > Certificates > Certificates. After that, I imported it by selecting "automatically select store" since manual selection is broken. After that, I found the Comodo ECC certificate in the "Trusted Root Certification Authorities" tab. If you go to the Certification Path tab, the last one will say that it has an invalid signature.

http://i.imgur.com/0rBtpT6.png

> I see. You probably mean the certificate is present on the linux system, right?

Yup.
https://bugs.winehq.org/show_bug.cgi?id=43605

Austin English <austinenglish(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |NEW
           Keywords|                            |download

--- Comment #8 from Austin English <austinenglish(a)gmail.com> ---
(In reply to raydongf from comment #7)
> I did [wine control], and then Content > Certificates > Certificates. After that, I imported it by selecting "automatically select store" since manual selection is broken. After that, I found the Comodo ECC certificate in the "Trusted Root Certification Authorities" tab. If you go to the Certification Path tab, the last one will say that it has an invalid signature.

I can confirm that, and I can confirm that another non-ECC CA Certificate I have (not public), does not show that issue. That doesn't mean I verified that ECC is the cause though..
https://bugs.winehq.org/show_bug.cgi?id=43605

--- Comment #9 from raydongf(a)gmail.com ---
Found a post from 2016 detailing a bit of this: http://ccpsnorlax.blogspot.com/2016/04/ssl-issues-in-ingame-browser.html

I guess that Wine in fact does not support ECC..?
https://bugs.winehq.org/show_bug.cgi?id=43605

Austin English <austinenglish(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |austinenglish(a)gmail.com
https://bugs.winehq.org/show_bug.cgi?id=43605

Sagawa <sagawa.aki+winebugs(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sagawa.aki+winebugs(a)gmail.com

--- Comment #10 from Sagawa <sagawa.aki+winebugs(a)gmail.com> ---
From my understanding, Wine doesn't support ECC algorithms. However, we can use ECDHE if GnuTLS supports it. So, the main issue is that we can't verify ECDSA (Digital Signature Algorithm) which is typically used in TLS 1.2 certificates.
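An added example, not part of the bug thread or of Wine's code: comment #8 leaves open whether ECC is really the cause and comment #10 ties the failure to ECDSA signature verification, so one triage step is to read the certificate's outer signatureAlgorithm OID and see whether verifying it requires ECDSA. The function names are hypothetical, and the two sample byte strings are constructed DER skeletons (empty tbsCertificate, one-byte signature), not real certificates.

```python
import base64
import re
# OID -> (name, verifying this signature needs ECDSA)
SIG_OIDS = {
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", True),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OID content bytes (first arc 0 or 1, which covers the table above)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Accept DER or PEM bytes; return (oid, name, needs_ecdsa_verify)."""
    m = PEM_RE.search(cert)
    der = base64.b64decode(m.group(1)) if m else cert
    tag, outer, _ = read_tlv(der, 0)         # Certificate ::= SEQUENCE
    _, _, pos = read_tlv(outer, 0)           # skip tbsCertificate
    alg_tag, alg, _ = read_tlv(outer, pos)   # signatureAlgorithm
    oid_tag, oid_body, _ = read_tlv(alg, 0)  # its algorithm OID
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate structure")
    oid = decode_oid(oid_body)
    return (oid, *SIG_OIDS.get(oid, ("unknown", False)))

# Constructed samples: outer SEQUENCE, empty tbsCertificate, AlgorithmIdentifier, BIT STRING.
ECDSA_SAMPLE = bytes.fromhex("3011 3000 300a06082a8648ce3d040303 030100")
RSA_SAMPLE = bytes.fromhex("3014 3000 300d06092a864886f70d01010b0500 030100")
```

Passing the bytes of a real `.cer` file (DER or PEM) to `signature_algorithm` returns the same tuple; a `True` in the last position marks a certificate whose signature can only be checked with ECDSA verification.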
https://bugs.winehq.org/show_bug.cgi?id=43605

--- Comment #11 from raydongf(a)gmail.com ---
(In reply to Sagawa from comment #10)
> From my understanding, Wine doesn't support ECC algorithms. However, we can use ECDHE if GnuTLS supports it. So, the main issue is that we can't verify ECDSA (Digital Signature Algorithm) which is typically used in TLS 1.2 certificates.

Looks like GnuTLS does support both ECDHE and ECDSA, and if it's new enough, the TLS 1.3 ECDSA algorithms as well.
https://bugs.winehq.org/show_bug.cgi?id=43605

Scorpion <jv2(a)home.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jv2(a)home.nl

--- Comment #12 from Scorpion <jv2(a)home.nl> ---
I use a Windows client app, developed with C#/dotNet. The client connects via TLS with an elliptic curve certificate with the server. When I use Wine, with the proper packages installed, I get an error that refers to this problem. Since more servers use ECC I wonder if I could help/support to implement the ECC functionality.

Btw, in contrast with the remark in comment 7, if I import the certificate I don't see it in the "Trusted Root Certification Authorities" tab. I see the RSA version, but not the ECC version.
https://bugs.winehq.org/show_bug.cgi?id=43605

--- Comment #13 from Scorpion <jv2(a)home.nl> ---
Ah I understand now that the staging environment contains the ECC format. Seems to be working too.
https://bugs.winehq.org/show_bug.cgi?id=43605

Zebediah Figura <z.figura12(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|-unknown                    |bcrypt
                 CC|                            |z.figura12(a)gmail.com
    Staged patchset|                            |https://github.com/wine-staging/wine-staging/tree/master/patches/bcrypt-Improvements
             Status|NEW                         |STAGED

--- Comment #14 from Zebediah Figura <z.figura12(a)gmail.com> ---
(In reply to Scorpion from comment #13)
> Ah I understand now that the staging environment contains the ECC format. Seems to be working too.

Marking STAGED then.
https://bugs.winehq.org/show_bug.cgi?id=43605

Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |leslie_alistair(a)hotmail.com
      Fixed by SHA1|                            |76b6c360fa7f3d6a0a14ed935075f5eb10f2f719
             Status|STAGED                      |RESOLVED
         Resolution|---                         |FIXED

--- Comment #15 from Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com> ---
https://source.winehq.org/git/wine.git/?a=commit;h=76b6c360fa7f3d6a0a14ed935...
https://bugs.winehq.org/show_bug.cgi?id=43605

Hans Leidekker <hans(a)meelstraat.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|76b6c360fa7f3d6a0a14ed935075f5eb10f2f719 |19e0f97f71c79fe52c2ace22e1f1b8c9e1416378
https://bugs.winehq.org/show_bug.cgi?id=43605

--- Comment #16 from Hans Leidekker <hans(a)meelstraat.net> ---
(In reply to Alistair Leslie-Hughes from comment #15)
> https://source.winehq.org/git/wine.git/?a=commit;h=76b6c360fa7f3d6a0a14ed935075f5eb10f2f719

This commit marks support for ECDSA more accurately:

commit 19e0f97f71c79fe52c2ace22e1f1b8c9e1416378
Author: Michael Müller <michael(a)fds-team.de>
Date:   Mon Mar 26 15:04:34 2018 +0200

    bcrypt: Implement BCryptVerifySignature for ECDSA signatures.
https://bugs.winehq.org/show_bug.cgi?id=43605

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #17 from Alexandre Julliard <julliard(a)winehq.org> ---
Closing bugs fixed in 3.5.