https://bugs.winehq.org/show_bug.cgi?id=43605
Bug ID: 43605
Summary: Wine does not support elliptic curve cryptography
Product: Wine
Version: unspecified
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: minor
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: raydongf@gmail.com
Distribution: ---
Let's Encrypt and CloudFlare distribute ECC SSL certificates.
If someone tries to use it or connect to an HTTPS website that uses an ECC certificate, Wine will claim that the certificate is invalid, and throw an error.
If you try to view the public key directly, the dialog also claims that the certificate is invalid. This is evident if you view the properties of the CloudFlare ECC root certificate: https://support.cloudflare.com/hc/en-us/articles/218689638-What-are-the-root...
Fabian Maurer <dark.shadow4@web.de> changed:
What          |Removed                     |Added
----------------------------------------------------------------------------
CC            |                            |dark.shadow4@web.de
--- Comment #1 from Fabian Maurer <dark.shadow4@web.de> ---
How exactly do I test that issue?
--- Comment #2 from raydongf@gmail.com ---
Created attachment 59020
  --> https://bugs.winehq.org/attachment.cgi?id=59020
Comodo ECC public key
--- Comment #3 from raydongf@gmail.com ---
(In reply to Fabian Maurer from comment #1)
> How exactly do I test that issue?
Hi, I've attached a certificate that should show as invalid once you click "details" (can't remember the name).
It will say that the certificate is invalid, but it'll still install. However, even if it's installed, Wine IE won't connect to it without the warning/error message.
This is what it looks like on real Windows: http://i.imgur.com/fbzFl1Z.png
You can also try to access https://ssigames.co - it should also throw an error.
--- Comment #4 from Fabian Maurer <dark.shadow4@web.de> ---
> Hi, I've attached a certificate that should show as invalid once you click "details" (can't remember the name).
How would I click on details through wine? Mind elaborating on that, I have no idea what you are doing or how to reproduce it.
> You can also try to access https://ssigames.co - it should also throw an error.
I get an "The certificate is issued by an unknown or untrusted publisher" warning. Is that what you mean?
--- Comment #5 from raydongf@gmail.com ---
(In reply to Fabian Maurer from comment #4)
> How would I click on details through wine? Mind elaborating on that, I have no idea what you are doing or how to reproduce it.
If you use Wine Explorer to double click the cer file, you should see a prompt similar to the screenshot from comment #3.
> I get an "The certificate is issued by an unknown or untrusted publisher" warning. Is that what you mean?
Yes, that's what I mean. The root certificate is present on the system, but Wine thinks it is invalid.
raydongf@gmail.com changed:
What          |Removed                     |Added
----------------------------------------------------------------------------
CC            |                            |raydongf@gmail.com
--- Comment #6 from Fabian Maurer <dark.shadow4@web.de> ---
> If you use Wine Explorer to double click the cer file, you should see a prompt similar to the screenshot from comment #3.
No, I get an error messagebox with "There is no Windows program configured to open this type of file." Using a clean 32bit wineprefix with wine-2.15. Using the file from comment #2.
> Yes, that's what I mean. The root certificate is present on the system, but Wine thinks it is invalid.
I see. You probably mean the certificate is present on the linux system, right?
--- Comment #7 from raydongf@gmail.com ---
(In reply to Fabian Maurer from comment #6)
> No, I get an error messagebox with "There is no Windows program configured to open this type of file." Using a clean 32bit wineprefix with wine-2.15. Using the file from comment #2.
Ah, it appears I was mistaken. I had to install ie6 from winetricks first in order to access the certificate list. I'm not sure if that's built into Wine or not.
I did [wine control], and then Content > Certificates > Certificates. After that, I imported it by selecting "automatically select store" since manual selection is broken. After that, I found the Comodo ECC certificate in the "Trusted Root Certification Authorities" tab. If you go to the Certification Path tab, the last one will say that it has an invalid signature.
http://i.imgur.com/0rBtpT6.png
> I see. You probably mean the certificate is present on the linux system, right?
Yup.
Austin English <austinenglish@gmail.com> changed:
What          |Removed                     |Added
----------------------------------------------------------------------------
Ever confirmed|0                           |1
Status        |UNCONFIRMED                 |NEW
Keywords      |                            |download
--- Comment #8 from Austin English <austinenglish@gmail.com> ---
(In reply to raydongf from comment #7)
> I did [wine control], and then Content > Certificates > Certificates. After that, I imported it by selecting "automatically select store" since manual selection is broken. After that, I found the Comodo ECC certificate in the "Trusted Root Certification Authorities" tab. If you go to the Certification Path tab, the last one will say that it has an invalid signature.
I can confirm that, and I can confirm that another non-ECC CA Certificate I have (not public), does not show that issue.
That doesn't mean I verified that ECC is the cause though..
--- Comment #9 from raydongf@gmail.com ---
Found a post from 2016 detailing a bit of this: http://ccpsnorlax.blogspot.com/2016/04/ssl-issues-in-ingame-browser.html
I guess that Wine in fact does not support ECC..?
Austin English <austinenglish@gmail.com> changed:
What          |Removed                     |Added
----------------------------------------------------------------------------
CC            |                            |austinenglish@gmail.com
Sagawa <sagawa.aki+winebugs@gmail.com> changed:
What          |Removed                     |Added
----------------------------------------------------------------------------
CC            |                            |sagawa.aki+winebugs@gmail.com
--- Comment #10 from Sagawa <sagawa.aki+winebugs@gmail.com> ---
From my understanding, Wine doesn't support ECC algorithms. However, we can use ECDHE if GnuTLS supports it. So, the main issue is that we can't verify ECDSA (Digital Signature Algorithm) which is typically used in TLS 1.2 certificates.
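An added example, not part of the thread and not Wine code: a standard-library Python check of whether a DER certificate is ECDSA-signed and carries an EC public key, which is the property comment #10 says Wine could not verify. The `tlv` and `skeleton` helpers and the `SAMPLE` bytes are constructed for illustration and are not a real certificate.

```python
# Added example (not Wine code): does a DER certificate depend on ECC?
ECDSA_SIG = {"1.2.840.10045.4.1", "1.2.840.10045.4.3.2",    # ecdsa-with-SHA1, -SHA256
             "1.2.840.10045.4.3.3", "1.2.840.10045.4.3.4"}  # -SHA384, -SHA512
EC_KEY = "1.2.840.10045.2.1"                                # id-ecPublicKey

def read_tlv(buf, pos):  # -> (tag, value, next_pos) of the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):     # contents of a constructed element -> [(tag, value)]
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def oid(val):            # OID contents -> dotted string (first arc 0 or 1 only)
    arcs, acc = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def classify(der):       # -> (ecdsa_signed, ec_public_key)
    tbs, sig_alg, _sig = children(read_tlv(der, 0)[1])
    fields = children(tbs[1])
    spki = fields[6 if fields[0][0] == 0xA0 else 5]  # [0] version is optional
    key_alg = children(spki[1])[0]
    return (oid(children(sig_alg[1])[0][1]) in ECDSA_SIG,
            oid(children(key_alg[1])[0][1]) == EC_KEY)

def tlv(tag, body):      # constructed-sample helper, short-form lengths only
    return bytes([tag, len(body)]) + body

def skeleton(sig_oid, key_oid):  # certificate-shaped DER with empty names
    alg = tlv(0x30, tlv(0x06, sig_oid))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, key_oid)) + tlv(0x03, b"\x00"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30, b"") * 3 + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

# Constructed sample: ecdsa-with-SHA384 signature, id-ecPublicKey key.
SAMPLE = skeleton(bytes.fromhex("2a8648ce3d040303"), bytes.fromhex("2a8648ce3d0201"))
```

To check a real file, pass the bytes of a DER-encoded `.cer` to `classify`; a PEM file has to be base64-decoded first. A self-signed root that returns `(True, True)` is the kind of certificate this bug reports as having an invalid signature.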
--- Comment #11 from raydongf@gmail.com ---
(In reply to Sagawa from comment #10)
> From my understanding, Wine doesn't support ECC algorithms. However, we can use ECDHE if GnuTLS supports it. So, the main issue is that we can't verify ECDSA (Digital Signature Algorithm) which is typically used in TLS 1.2 certificates.
Looks like GnuTLS does support both ECDHE and ECDSA, and if it's new enough, the TLS 1.3 ECDSA algorithms as well.
Scorpion <jv2@home.nl> changed:
What          |Removed                     |Added
----------------------------------------------------------------------------
CC            |                            |jv2@home.nl
--- Comment #12 from Scorpion <jv2@home.nl> ---
I use a windows client app, developed with C#/dotNet. The client connects via TLS with an elliptic curve certificate with the server. When I use Wine, with the proper packages installed I get an error that refers to this problem.
Since more servers use ECC I wonder if I could help/support to implement the ECC functionality.
Btw, in contrast with the remark in comment 7, if I import the certificate I don't see it in the "Trusted Root Certification Authorities" tab. I see the RSA version, but not the ECC version.
--- Comment #13 from Scorpion <jv2@home.nl> ---
Ah I understand now that the staging environment contains the ECC format. Seems to be working too.
Zebediah Figura <z.figura12@gmail.com> changed:
What           |Removed                    |Added
----------------------------------------------------------------------------
Component      |-unknown                   |bcrypt
CC             |                           |z.figura12@gmail.com
Staged patchset|                           |https://github.com/wine-staging/wine-staging/tree/master/patches/bcrypt-Improvements
Status         |NEW                        |STAGED
--- Comment #14 from Zebediah Figura <z.figura12@gmail.com> ---
(In reply to Scorpion from comment #13)
> Ah I understand now that the staging environment contains the ECC format. Seems to be working too.
Marking STAGED then.
Alistair Leslie-Hughes <leslie_alistair@hotmail.com> changed:
What          |Removed                     |Added
----------------------------------------------------------------------------
CC            |                            |leslie_alistair@hotmail.com
Fixed by SHA1 |                            |76b6c360fa7f3d6a0a14ed935075f5eb10f2f719
Status        |STAGED                      |RESOLVED
Resolution    |---                         |FIXED
--- Comment #15 from Alistair Leslie-Hughes <leslie_alistair@hotmail.com> ---
https://source.winehq.org/git/wine.git/?a=commit;h=76b6c360fa7f3d6a0a14ed935...
Hans Leidekker <hans@meelstraat.net> changed:
What          |Removed                                  |Added
----------------------------------------------------------------------------
Fixed by SHA1 |76b6c360fa7f3d6a0a14ed935075f5eb10f2f719 |19e0f97f71c79fe52c2ace22e1f1b8c9e1416378
--- Comment #16 from Hans Leidekker <hans@meelstraat.net> ---
(In reply to Alistair Leslie-Hughes from comment #15)
> https://source.winehq.org/git/wine.git/?a=commit;h=76b6c360fa7f3d6a0a14ed935075f5eb10f2f719
This commit marks support for ECDSA more accurately:
commit 19e0f97f71c79fe52c2ace22e1f1b8c9e1416378
Author: Michael Müller <michael@fds-team.de>
Date:   Mon Mar 26 15:04:34 2018 +0200

    bcrypt: Implement BCryptVerifySignature for ECDSA signatures.
Alexandre Julliard <julliard@winehq.org> changed:
What          |Removed                     |Added
----------------------------------------------------------------------------
Status        |RESOLVED                    |CLOSED
--- Comment #17 from Alexandre Julliard <julliard@winehq.org> ---
Closing bugs fixed in 3.5.