https://bugs.winehq.org/show_bug.cgi?id=46726
Bug ID: 46726
Summary: Dirt Rally 2.0 does not use embedded CA cert
Product: Wine
Version: 4.2
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: crypt32
Assignee: wine-bugs@winehq.org
Reporter: andreas@heider.io
Distribution: ---
Hi,
Dirt Rally 2.0 requires an online connection to play the single player campaign, but with Wine 4.2 it can't successfully establish that connection due to a certificate issue.
It tries to connect to https://prod.egonet.codemasters.com/, but since it does not trust the certificate the connection fails.
The required CA certificate is embedded in dirtrally2.exe, but Wine does not seem to pick it up and use it.
It all works perfectly if I manually trust the CA system-wide, by placing codemasters.pem in /etc/ca-certificates/trust-source/anchors and running update-ca-trust.
--- Comment #1 from Andreas Heider andreas@heider.io ---
Created attachment 63698
  --> https://bugs.winehq.org/attachment.cgi?id=63698
Extracted CA cert
--- Comment #2 from Andreas Heider andreas@heider.io ---
Created attachment 63699
  --> https://bugs.winehq.org/attachment.cgi?id=63699
Connection cert extracted from wireshark trace
--- Comment #3 from Andreas Heider andreas@heider.io ---
Two wine logs, the first one without the workaround, resulting in a failed connection, the second one with the ca anchor workaround.
Both ran with WINEDEBUG=cryptnet,dpnet,hnetcfg,inetcomm,inetmib1,msnet,netapi32,netbios,wininet,wnet,crypt,cryptdlg,cryptdll,cryptui
http://andreas.heider.io/dr2_broken.log (see around line 1007253)
http://andreas.heider.io/dr2_workaround.log
They're rather large so hosting them elsewhere. Without crypt I suspect they'd be missing essential info.
--- Comment #4 from Andreas Heider andreas@heider.io ---
Created attachment 63700
  --> https://bugs.winehq.org/attachment.cgi?id=63700
Wine log with broken connection
--- Comment #5 from Andreas Heider andreas@heider.io ---
Created attachment 63701
  --> https://bugs.winehq.org/attachment.cgi?id=63701
Wine log with successful connection after workaround
Brendan Shanks bshanks@codeweavers.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bshanks@codeweavers.com

--- Comment #6 from Brendan Shanks bshanks@codeweavers.com ---
The game uses WinHTTP to connect to https://prod.egonet.codemasters.com, and sets WINHTTP_OPTION_SECURITY_FLAGS to SECURITY_FLAG_IGNORE_CERT_DATE_INVALID | SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE | SECURITY_FLAG_IGNORE_UNKNOWN_CA.
The certificate is incomplete/partial, and when netconn_verify_cert() runs CertGetCertificateChain(), the returned error is CERT_TRUST_IS_PARTIAL_CHAIN. Wine doesn't ignore this error when SECURITY_FLAG_IGNORE_UNKNOWN_CA is set, but Windows seemingly does. I'm sending a patch upstream.
I'll also upload my test app here, it tests CertGetCertificateChain() with the certificate (same result on Wine and Windows) and also WinHTTP connecting to the server. Wine does have some differences in the error case: there's no WINHTTP_CALLBACK_FLAG_SECURE_FAILURE callback, and the error returned is different (SECURE_CHANNEL_ERROR instead of SECURE_FAILURE).
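The flag handling comment #6 describes, as an added C model that is not part of the bug thread and is not Wine's code. `remaining_trust_errors` and `GAME_FLAGS` are hypothetical names, the flag-to-error mapping is this example's assumption, and the constants repeat the Windows SDK header values so it builds without those headers:

```c
#include <stdint.h>
#include <stdio.h>

/* Constants repeat the values in wincrypt.h / winhttp.h (copied, not included). */
#define CERT_TRUST_IS_NOT_TIME_VALID        0x00000001u
#define CERT_TRUST_IS_REVOKED               0x00000004u
#define CERT_TRUST_IS_NOT_SIGNATURE_VALID   0x00000008u
#define CERT_TRUST_IS_NOT_VALID_FOR_USAGE   0x00000010u
#define CERT_TRUST_IS_UNTRUSTED_ROOT        0x00000020u
#define CERT_TRUST_IS_PARTIAL_CHAIN         0x00010000u
#define SECURITY_FLAG_IGNORE_UNKNOWN_CA         0x00000100u
#define SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE   0x00000200u
#define SECURITY_FLAG_IGNORE_CERT_CN_INVALID    0x00001000u
#define SECURITY_FLAG_IGNORE_CERT_DATE_INVALID  0x00002000u

/* The four flags comment #6 says the game sets (hypothetical macro name). */
#define GAME_FLAGS (SECURITY_FLAG_IGNORE_CERT_DATE_INVALID | \
                    SECURITY_FLAG_IGNORE_CERT_CN_INVALID | \
                    SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE | \
                    SECURITY_FLAG_IGNORE_UNKNOWN_CA)

/* Hypothetical helper: returns the chain trust-error bits that still fail
   the connection after the caller's ignore flags are applied.
   partial_chain_is_unknown_ca = 0 models the behaviour reported for Wine 4.2,
   1 the behaviour comment #6 attributes to Windows. CN_INVALID is a
   host-name check, not a chain trust-status bit, so it is not modelled. */
uint32_t remaining_trust_errors(uint32_t status, uint32_t flags,
                                int partial_chain_is_unknown_ca)
{
    uint32_t ignored = 0;

    if (flags & SECURITY_FLAG_IGNORE_CERT_DATE_INVALID)
        ignored |= CERT_TRUST_IS_NOT_TIME_VALID;
    if (flags & SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE)
        ignored |= CERT_TRUST_IS_NOT_VALID_FOR_USAGE;
    if (flags & SECURITY_FLAG_IGNORE_UNKNOWN_CA) {
        ignored |= CERT_TRUST_IS_UNTRUSTED_ROOT;
        if (partial_chain_is_unknown_ca)
            ignored |= CERT_TRUST_IS_PARTIAL_CHAIN;
    }
    return status & ~ignored;
}

int main(void)
{
    uint32_t status = CERT_TRUST_IS_PARTIAL_CHAIN; /* result reported in comment #6 */
    printf("strict mapping:  %#x\n", (unsigned)remaining_trust_errors(status, GAME_FLAGS, 0));
    printf("relaxed mapping: %#x\n", (unsigned)remaining_trust_errors(status, GAME_FLAGS, 1));
    return 0;
}
```

Under either mapping a revoked certificate or an invalid signature still fails the connection, because none of the four flags covers those bits.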
--- Comment #7 from Brendan Shanks bshanks@codeweavers.com ---
Created attachment 67472
  --> https://bugs.winehq.org/attachment.cgi?id=67472
Test app for CertGetCertificateChain() and winhttp
--- Comment #8 from Brendan Shanks bshanks@codeweavers.com ---
This should be fixed by aa80ef20504660fa55914d40fb4bb296eef94c59
Hans Leidekker hans@meelstraat.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|crypt32                     |winhttp
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED
      Fixed by SHA1|                            |aa80ef20504660fa55914d40fb4bb296eef94c59

--- Comment #9 from Alistair Leslie-Hughes leslie_alistair@hotmail.com ---
Fixed by https://source.winehq.org/git/wine.git/?a=commit;h=aa80ef20504660fa55914d40f...
--- Comment #10 from Hans Leidekker hans@meelstraat.net ---
(In reply to Alistair Leslie-Hughes from comment #9)
> Fixed by https://source.winehq.org/git/wine.git/?a=commit;h=aa80ef20504660fa55914d40fb4bb296eef94c59
Did you verify that?
--- Comment #11 from Brendan Shanks bshanks@codeweavers.com ---
Yes I've verified it fixes the issue.
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #12 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 5.12.
Michael Stefaniuc mstefani@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |5.0.x
Michael Stefaniuc mstefani@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|5.0.x                       |---

--- Comment #13 from Michael Stefaniuc mstefani@winehq.org ---
Removing the 5.0.x milestone from bug fixes included in 5.0.3.