[Bug 46726] New: Dirt Rally 2.0 does not use embedded CA cert
https://bugs.winehq.org/show_bug.cgi?id=46726

            Bug ID: 46726
           Summary: Dirt Rally 2.0 does not use embedded CA cert
           Product: Wine
           Version: 4.2
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: crypt32
          Assignee: wine-bugs(a)winehq.org
          Reporter: andreas(a)heider.io
      Distribution: ---

Hi,

Dirt Rally 2.0 requires an online connection to play the single player
campaign, but with Wine 4.2 it can't successfully establish that connection
due to a certificate issue.

It tries to connect to https://prod.egonet.codemasters.com/, but since it does
not trust the certificate the connection fails. The required CA certificate is
embedded in dirtrally2.exe, but Wine does not seem to pick it up and use it.

It all works perfectly if I manually trust the CA system-wide, by placing
codemasters.pem in /etc/ca-certificates/trust-source/anchors and running
update-ca-trust.

--
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

--- Comment #1 from Andreas Heider <andreas(a)heider.io> ---
Created attachment 63698
  --> https://bugs.winehq.org/attachment.cgi?id=63698
Extracted CA cert

--- Comment #2 from Andreas Heider <andreas(a)heider.io> ---
Created attachment 63699
  --> https://bugs.winehq.org/attachment.cgi?id=63699
Connection cert extracted from wireshark trace

--- Comment #3 from Andreas Heider <andreas(a)heider.io> ---
Two wine logs, the first one without the workaround, resulting in a failed
connection, the second one with the ca anchor workaround. Both ran with
WINEDEBUG=cryptnet,dpnet,hnetcfg,inetcomm,inetmib1,msnet,netapi32,netbios,wininet,wnet,crypt,cryptdlg,cryptdll,cryptui

http://andreas.heider.io/dr2_broken.log (see around line 1007253)
http://andreas.heider.io/dr2_workaround.log

They're rather large so hosting them elsewhere. Without crypt I suspect they'd
be missing essential info.

--- Comment #4 from Andreas Heider <andreas(a)heider.io> ---
Created attachment 63700
  --> https://bugs.winehq.org/attachment.cgi?id=63700
Wine log with broken connection

--- Comment #5 from Andreas Heider <andreas(a)heider.io> ---
Created attachment 63701
  --> https://bugs.winehq.org/attachment.cgi?id=63701
Wine log with successful connection after workaround

Brendan Shanks <bshanks(a)codeweavers.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bshanks(a)codeweavers.com

--- Comment #6 from Brendan Shanks <bshanks(a)codeweavers.com> ---
The game uses WinHTTP to connect to https://prod.egonet.codemasters.com, and
sets WINHTTP_OPTION_SECURITY_FLAGS to SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE |
SECURITY_FLAG_IGNORE_UNKNOWN_CA.

The certificate is incomplete/partial, and when netconn_verify_cert() runs
CertGetCertificateChain(), the returned error is CERT_TRUST_IS_PARTIAL_CHAIN.
Wine doesn't ignore this error when SECURITY_FLAG_IGNORE_UNKNOWN_CA is set, but
Windows seemingly does. I'm sending a patch upstream.

I'll also upload my test app here, it tests CertGetCertificateChain() with the
certificate (same result on Wine and Windows) and also WinHTTP connecting to
the server. Wine does have some differences in the error case: there's no
WINHTTP_CALLBACK_FLAG_SECURE_FAILURE callback, and the error returned is
different (SECURE_CHANNEL_ERROR instead of SECURE_FAILURE)
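
The flag handling described in comment #6, as a simplified model added here (it is not Wine's netconn_verify_cert() and not the upstream patch). blocking_errors() and its partial_is_unknown_ca switch are hypothetical names; the constants are redefined locally with their wincrypt.h / winhttp.h values so the file builds without Windows headers.

```c
#include <stdint.h>
#include <stdio.h>

/* Chain TrustStatus.dwErrorStatus bits, values as in wincrypt.h. */
#define CERT_TRUST_IS_NOT_TIME_VALID      0x00000001u
#define CERT_TRUST_IS_REVOKED             0x00000004u
#define CERT_TRUST_IS_NOT_VALID_FOR_USAGE 0x00000010u
#define CERT_TRUST_IS_UNTRUSTED_ROOT      0x00000020u
#define CERT_TRUST_IS_PARTIAL_CHAIN       0x00010000u

/* WINHTTP_OPTION_SECURITY_FLAGS bits, values as in winhttp.h. */
#define SECURITY_FLAG_IGNORE_UNKNOWN_CA        0x00000100u
#define SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE  0x00000200u
#define SECURITY_FLAG_IGNORE_CERT_CN_INVALID   0x00001000u
#define SECURITY_FLAG_IGNORE_CERT_DATE_INVALID 0x00002000u

/* The four flags the game sets, per comment #6. */
#define GAME_FLAGS (SECURITY_FLAG_IGNORE_CERT_DATE_INVALID | \
                    SECURITY_FLAG_IGNORE_CERT_CN_INVALID |   \
                    SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE |  \
                    SECURITY_FLAG_IGNORE_UNKNOWN_CA)

/* Hypothetical model: return the chain error bits that still block the
 * connection after the caller's ignore flags are applied.
 * partial_is_unknown_ca = 0: PARTIAL_CHAIN is never waived (the behaviour
 *                            reported for Wine in this bug).
 * partial_is_unknown_ca = 1: IGNORE_UNKNOWN_CA also waives PARTIAL_CHAIN
 *                            (the behaviour reported for Windows).
 * The CN check is not a chain error bit, so CN_INVALID is not modelled. */
uint32_t blocking_errors(uint32_t status, uint32_t flags, int partial_is_unknown_ca)
{
    uint32_t waived = 0;

    if (flags & SECURITY_FLAG_IGNORE_CERT_DATE_INVALID)
        waived |= CERT_TRUST_IS_NOT_TIME_VALID;
    if (flags & SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE)
        waived |= CERT_TRUST_IS_NOT_VALID_FOR_USAGE;
    if (flags & SECURITY_FLAG_IGNORE_UNKNOWN_CA) {
        waived |= CERT_TRUST_IS_UNTRUSTED_ROOT;
        if (partial_is_unknown_ca)
            waived |= CERT_TRUST_IS_PARTIAL_CHAIN;
    }
    return status & ~waived;
}

int main(void)
{
    uint32_t status = CERT_TRUST_IS_PARTIAL_CHAIN; /* error from comment #6 */
    printf("PARTIAL_CHAIN not waived: blocking=0x%08x\n",
           (unsigned)blocking_errors(status, GAME_FLAGS, 0));
    printf("PARTIAL_CHAIN waived:     blocking=0x%08x\n",
           (unsigned)blocking_errors(status, GAME_FLAGS, 1));
    return 0;
}
```

In this model a nonzero result means the connection is refused; with all four flags set, an error such as CERT_TRUST_IS_REVOKED still blocks, while unknown-CA style errors do not.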

--- Comment #7 from Brendan Shanks <bshanks(a)codeweavers.com> ---
Created attachment 67472
  --> https://bugs.winehq.org/attachment.cgi?id=67472
Test app for CertGetCertificateChain() and winhttp

--- Comment #8 from Brendan Shanks <bshanks(a)codeweavers.com> ---
This should be fixed by aa80ef20504660fa55914d40fb4bb296eef94c59

Hans Leidekker <hans(a)meelstraat.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|crypt32                     |winhttp

Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED
      Fixed by SHA1|                            |aa80ef20504660fa55914d40fb4bb296eef94c59

--- Comment #9 from Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com> ---
Fixed by
https://source.winehq.org/git/wine.git/?a=commit;h=aa80ef20504660fa55914d40f...

--- Comment #10 from Hans Leidekker <hans(a)meelstraat.net> ---
(In reply to Alistair Leslie-Hughes from comment #9)
> Fixed by
> https://source.winehq.org/git/wine.git/?a=commit;h=aa80ef20504660fa55914d40fb4bb296eef94c59

Did you verify that?

--- Comment #11 from Brendan Shanks <bshanks(a)codeweavers.com> ---
Yes I've verified it fixes the issue.

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #12 from Alexandre Julliard <julliard(a)winehq.org> ---
Closing bugs fixed in 5.12.

Michael Stefaniuc <mstefani(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |5.0.x

Michael Stefaniuc <mstefani(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|5.0.x                       |---

--- Comment #13 from Michael Stefaniuc <mstefani(a)winehq.org> ---
Removing the 5.0.x milestone from bug fixes included in 5.0.3.