https://bugs.winehq.org/show_bug.cgi?id=55105
Bug ID: 55105
Summary: libHttpClient requires WINHTTP_OPTION_CLIENT_CERT_ISSUER_LIST support
Product: Wine
Version: unspecified
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: winhttp
Assignee: wine-bugs@winehq.org
Reporter: flibitijibibo@gmail.com
Distribution: ---
libHttpClient is the web socket abstraction layer for Xbox Live titles on various platforms; on Windows it uses winhttp for http sources. Two example games using this library are Gears 5 and Halo: The Master Chief Collection.
One part of the implementation handles certificate authentication; in particular it handles ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED, which according to MSDN should be handled by calling WinHttpQueryOption with WINHTTP_OPTION_CLIENT_CERT_ISSUER_LIST, so that it can attempt to find a relevant certificate chain and re-attempt the connection if a cert is found.
Luckily, libHttpClient is open source, so the exact block that does this can be found here: https://github.com/microsoft/libHttpClient/blob/1c8386866fb180dd31890186291d...
As of the latest Git revision, Wine does not handle this parameter, so the default case is tripped:
https://gitlab.winehq.org/wine/wine/-/blob/81859c9af70aa5ed6da3060488d1815a3...
Neko-san nekoNexus@protonmail.ch changed:
CC: added nekoNexus@protonmail.ch
--- Comment #1 from Hans Leidekker hans@meelstraat.net --- Do you perhaps have a specific test case? We have a test for ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED but querying WINHTTP_OPTION_CLIENT_CERT_ISSUER_LIST after receiving this response returns ERROR_WINHTTP_INCORRECT_HANDLE_STATE, which seems to contradict MSDN.
--- Comment #2 from Ethan Lee flibitijibibo@gmail.com --- libHttpClient has some samples but I don't know of any direct example off the top of my head beyond what's used in the library itself:
https://github.com/microsoft/libHttpClient/tree/main/Samples
--- Comment #3 from Ethan Lee flibitijibibo@gmail.com --- Oops, hit send too soon: A runtime example will be Gears 5 on Steam, which will successfully start and log in with the latest release but will fail to download user data and fail to connect to multiplayer services.
--- Comment #4 from Ethan Lee flibitijibibo@gmail.com --- Someone did a bit of digging and found that the Proton 7.0 branch successfully logged in, which was surprising - it turns out there are a few patches that made it work:
https://github.com/ValveSoftware/wine/commit/d8c2086d0e34450c9b8b5a85466a307... https://github.com/ValveSoftware/wine/commit/6d4dbf0762863f6f1f9dc4738258e98... https://github.com/ValveSoftware/wine/commit/7f18691e39d8de6668e3451f63b0326...
Interestingly this is _not_ in the 8.0 branch, so in addition to being downstream it seems like they got cut for some reason. These appear to bypass the CERT_NEEDED error altogether in favor of just renegotiating as soon as gnutls asks for it.
--- Comment #5 from Hans Leidekker hans@meelstraat.net --- (In reply to Ethan Lee from comment #4)
> Someone did a bit of digging and found that the Proton 7.0 branch successfully logged in, which was surprising - it turns out there are a few patches that made it work:
> https://github.com/ValveSoftware/wine/commit/d8c2086d0e34450c9b8b5a85466a307a7fc708de
> https://github.com/ValveSoftware/wine/commit/6d4dbf0762863f6f1f9dc4738258e98af05f06ec
> https://github.com/ValveSoftware/wine/commit/7f18691e39d8de6668e3451f63b0326352b964f1
> Interestingly this is _not_ in the 8.0 branch, so in addition to being downstream it seems like they got cut for some reason. These appear to bypass the CERT_NEEDED error altogether in favor of just renegotiating as soon as gnutls asks for it.
Those patches look good to go upstream. The problem is that they need changes in secur32 too and the patch that was in Proton 7 doesn't look quite right to me. I ported the above winhttp patches to current Wine and fixed secur32 to handle renegotiate better but the winhttp tests still fail.
To fix that we need to be able to distinguish renegotiate requests that require the app to supply a certificate from other renegotiate requests (which can be handled transparently). I haven't yet found a way to do that with GnuTLS.