https://bugs.winehq.org/show_bug.cgi?id=48495
Bug ID: 48495
Summary: XCP-ng Center v8.x (.NET 4.6 app) can't connect to server with self-signed certificate
Product: Wine
Version: 4.21
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: crypt32
Assignee: wine-bugs@winehq.org
Reporter: imirkin@alum.mit.edu
Distribution: ---
Needless to say, this works fine on Windows. The application requires the "dotnet462" winetricks verb to start, and see #48492 for ways to get past the splash screen. Installation msi available from https://github.com/xcp-ng/xenadmin/releases/download/v8.0.1.26/XCP-ng-Center... .
However, once in the application, it can't actually connect. WINEDEBUG=trace+crypt,trace+chain shows the following happening over and over and over and over again:
0072:trace:crypt:CertVerifyCertificateChainPolicy (#0004, 0xbe571d0, 0xd7beb70, 0xd7beb30)
0072:trace:chain:dump_policy_para cbSize = 12
0072:trace:chain:dump_policy_para dwFlags = 00000010
0072:trace:chain:dump_policy_para pvExtraPolicyPara = 0xd7beb60
0072:trace:chain:dump_ssl_extra_chain_policy_para cbSize = 16
0072:trace:chain:dump_ssl_extra_chain_policy_para dwAuthType = 2
0072:trace:chain:dump_ssl_extra_chain_policy_para fdwChecks = 00000000
0072:trace:chain:dump_ssl_extra_chain_policy_para pwszServerName = L"<redacted>"
0072:trace:crypt:CertVerifyCertificateChainPolicy returning 1 (800b0109)
800b0109 = CERT_E_UNTRUSTEDROOT
And indeed, it's a self-signed certificate, which isn't in the trusted list.
However, note that policy_para.dwFlags = 0x10 == CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG. This is handled in verify_base_policy. However, verify_ssl_policy only checks for the bit in extra_chain_policy_para.fdwChecks, which is empty here.
The (.NET) application does the following:
SslStream sslStream = new SslStream(stream, false, new RemoteCertificateValidationCallback(ValidateServerCertificate), null);
Where the ValidateServerCertificate function = "return true".
I suspect that the policy para's dwFlags should be respected by verify_ssl_policy even if fdwFlags isn't set... but my familiarity with these APIs extends to all of the past couple of hours ... an expert opinion would be quite welcome.
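A simplified model of the check discussed in the report above, added here as an example; it is not Wine's crypt32 source and not code from the reporter. The struct and function names are hypothetical, the constants are the Windows SDK values, and the expiry branch is an assumed second check included to show that the flag waives only the unknown-CA error.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the Windows SDK (wincrypt.h, wininet.h, winerror.h). */
#define CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG 0x00000010u /* policy para dwFlags */
#define SECURITY_FLAG_IGNORE_UNKNOWN_CA         0x00000100u /* SSL extra para fdwChecks */
#define CERT_TRUST_IS_NOT_TIME_VALID            0x00000001u /* chain error status bit */
#define CERT_TRUST_IS_UNTRUSTED_ROOT            0x00000020u /* chain error status bit */
#define CERT_E_EXPIRED                          0x800B0101u
#define CERT_E_UNTRUSTEDROOT                    0x800B0109u

/* Hypothetical stand-in for the inputs of the SSL chain policy check. */
struct ssl_policy_input {
    uint32_t dwFlags;      /* CERT_CHAIN_POLICY_PARA.dwFlags */
    uint32_t fdwChecks;    /* SSL_EXTRA_CERT_CHAIN_POLICY_PARA.fdwChecks */
    uint32_t error_status; /* trust error bits of the built chain */
};

/* Behaviour described in the report: only fdwChecks can waive an unknown CA. */
uint32_t ssl_policy_before(const struct ssl_policy_input *in)
{
    if ((in->error_status & CERT_TRUST_IS_UNTRUSTED_ROOT) &&
        !(in->fdwChecks & SECURITY_FLAG_IGNORE_UNKNOWN_CA))
        return CERT_E_UNTRUSTEDROOT;
    if (in->error_status & CERT_TRUST_IS_NOT_TIME_VALID)
        return CERT_E_EXPIRED;
    return 0;
}

/* Proposed behaviour: dwFlags waives the unknown-CA error too, nothing else. */
uint32_t ssl_policy_after(const struct ssl_policy_input *in)
{
    uint32_t waived = (in->dwFlags & CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG) ||
                      (in->fdwChecks & SECURITY_FLAG_IGNORE_UNKNOWN_CA);
    if ((in->error_status & CERT_TRUST_IS_UNTRUSTED_ROOT) && !waived)
        return CERT_E_UNTRUSTEDROOT;
    if (in->error_status & CERT_TRUST_IS_NOT_TIME_VALID)
        return CERT_E_EXPIRED;
    return 0;
}

int main(void)
{
    /* Constructed input matching the trace: dwFlags = 0x10, fdwChecks = 0. */
    struct ssl_policy_input in = { 0x10, 0, CERT_TRUST_IS_UNTRUSTED_ROOT };
    printf("before: %08x\nafter:  %08x\n",
           (unsigned)ssl_policy_before(&in), (unsigned)ssl_policy_after(&in));
    return 0;
}
```

With either waiver set, a self-signed chain passes the policy check, so the caller's validation callback becomes the only remaining trust decision.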
--- Comment #1 from Ilia Mirkin imirkin@alum.mit.edu ---
Created attachment 66290
  --> https://bugs.winehq.org/attachment.cgi?id=66290
crypt: respect CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG in verify_ssl_policy
As I suspected, this fixes the ability to connect to a Xen server with a self-signed certificate. No clue whether it matches what Windows does or not.
--- Comment #2 from Ilia Mirkin imirkin@alum.mit.edu ---
Update - a test seems to suggest my interpretation is correct. Test + wine patch sent to wine-devel.
Ilia Mirkin imirkin@alum.mit.edu changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED
--- Comment #3 from Ilia Mirkin imirkin@alum.mit.edu ---
This patch was accepted into wine 5.2, and re-testing with upstream wine, running XenCenterMain.exe, which bypasses the image issue from the other bug, appears to connect successfully now.
Zebediah Figura z.figura12@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|                            |5011815d6236c14769c28c2391ac9fd2bfd82c7e
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download
                URL|                            |https://github.com/xcp-ng/xenadmin/releases/download/v8.0.1.26/XCP-ng-Center-8.0.1.26.msi
                 CC|                            |focht@gmx.net
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #4 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 5.5.
Michael Stefaniuc mstefani@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |5.0.x
Michael Stefaniuc mstefani@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|5.0.x                       |---
--- Comment #5 from Michael Stefaniuc mstefani@winehq.org ---
Removing the 5.0.x milestone from bug fixes included in 5.0.2.