http://bugs.winehq.org/show_bug.cgi?id=17783
Summary: steamcommunity.com certificate not recognised
Product: Wine
Version: 1.1.17
Platform: Other
URL: https://steamcommunity.com
OS/Version: other
Status: UNCONFIRMED
Severity: minor
Priority: P2
Component: mshtml
AssignedTo: wine-bugs@winehq.org
ReportedBy: trs80@ucc.asn.au
Trying to use the community tab in Steam gives an error dialog "steamcommunity.com uses an invalid security certificate. The certificate is not trusted because the issuer is unknown. (Error code: sec_error_unknown_issuer)"
I think steamcommunity.com recently got an EV SSL certificate, so the problem is probably that nssckbi.dll in wine_gecko needs to be updated.
Maxim Borkunov ru.energy@gmail.com changed:
What    |Removed     |Added
----------------------------------------------------------------------------
CC      |            |ru.energy@gmail.com
--- Comment #1 from Maxim Borkunov ru.energy@gmail.com 2009-03-20 23:42:54 --- Same problem.
wine 1.1.17
Jeff Zaroyko jeffz@jeffz.name changed:
What            |Removed      |Added
----------------------------------------------------------------------------
Status          |UNCONFIRMED  |NEW
Ever Confirmed  |0            |1
--- Comment #2 from Jeff Zaroyko jeffz@jeffz.name 2009-03-21 07:21:32 --- confirming
Kari refic@psimerion.org changed:
What    |Removed     |Added
----------------------------------------------------------------------------
CC      |            |refic@psimerion.org
--- Comment #3 from Kari refic@psimerion.org 2009-03-25 06:06:55 --- Same problem here too.
Jan Kalab pitel@nomi.cz changed:
What    |Removed     |Added
----------------------------------------------------------------------------
CC      |            |pitel@nomi.cz
--- Comment #4 from Jan Kalab pitel@nomi.cz 2009-03-31 01:20:21 --- Confirming this problem in 1.1.18
--- Comment #5 from Matteo Hausner matteo.hausner@gmail.com 2009-03-31 10:47:21 --- Yup confirming too
Luke Bratch l_bratch@yahoo.co.uk changed:
What    |Removed     |Added
----------------------------------------------------------------------------
CC      |            |l_bratch@yahoo.co.uk
Vitaliy Margolen vitaliy@kievinfo.com changed:
What    |Removed     |Added
----------------------------------------------------------------------------
Blocks  |            |17283
Evil wine@eternaldusk.com changed:
What    |Removed     |Added
----------------------------------------------------------------------------
CC      |            |wine@eternaldusk.com
--- Comment #6 from Evil wine@eternaldusk.com 2009-04-11 10:16:50 --- Problem still exists in 1.1.19
Paul "TBBle" Hampson Paul.Hampson@Pobox.com changed:
What    |Removed     |Added
----------------------------------------------------------------------------
CC      |            |Paul.Hampson@Pobox.com
--- Comment #7 from Paul "TBBle" Hampson Paul.Hampson@Pobox.com 2009-04-18 10:50:42 --- I can't confirm this right now, as I can't find my records from the time, but a month or two ago Steam's certificates were incorrectly set up, and the described error dialog was happening on Windows Internet Explorer 6 and Firefox 3 as well.
Basically, Steam's servers were not providing the full certificate chain from their certificate to a trusted root certificate, so their certificate was being rejected.
I'm fairly sure it's just a matter of installing the two certificates on http://www.verisign.com/support/verisign-intermediate-ca/extended-validation... into whatever wine-gecko is using as a certificate store. One of them is signed by an existing trusted Verisign root certificate, the other is signed by the former, and the Steam certificate is signed by the latter, completing the chain of trust.
I suspect Steam's support only tested their new certificates with IE7, which probably has the Verisign EV SGC certificates pre-installed.
If I'm wrong about the above URLs, the correct intermediate certificates were found at the time by googling for the name of the signing certificate of the Steam certificate that is failing.
--- Comment #8 from Paul "TBBle" Hampson Paul.Hampson@Pobox.com 2009-04-18 10:53:47 --- For reference, here are some threads from the Steam forums mentioning this problem. It seems the mods there don't realise that this is a server-configuration problem, and believe these users have distrusted Verisign...
http://forums.steampowered.com/forums/showthread.php?t=827011&highlight=... http://forums.steampowered.com/forums/showthread.php?t=822050&highlight=...
As such, I'm not sure this is a Wine bug per se, although I don't know if there's actually a method to add certificates to wine-gecko's certificate store.
--- Comment #9 from Paul "TBBle" Hampson Paul.Hampson@Pobox.com 2009-04-18 11:17:10 --- I've just confirmed (using openssl s_client -connect steamcommunity.com:443 -showcerts) that steamcommunity.com is not including the necessary intermediate certificates, so this is not a Wine problem per se.
I've confirmed that the link I gave before is the correct pair of certificates for users to install to get this fixed on their end. The second one (Secondary EV SSL Intermediate CA Certificate) is the issuer of the steamcommunity.com certificate, and the first one (Primary EV SSL Intermediate CA Certificate) is the issuer of the second one. The first one is signed by "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority" which should already be in your trusted certificates list.
I can't post on the Steam forums or the Steam support system (no idea why) so if someone wants to report this to them via either method, that'd be great.
Their server admins should install the bundle at http://www.verisign.com/support/verisign-intermediate-ca/extended-validation... which is the above two certificates combined into one file for use on an Apache server.
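Added example (not part of the bug report or of Wine): the failure diagnosed in comment #9, reproduced offline with a constructed root -> intermediate -> leaf chain. It assumes the `openssl` command-line tool is installed; all certificate names and the helper functions `new_cert`, `chain_status` and `demo` are hypothetical.

```shell
#!/bin/sh
# Added example. All certificates are constructed; no real server is contacted.

# new_cert DIR NAME CN IS_CA SERIAL [ISSUER_NAME]
# Creates NAME.key and NAME.pem for CN, signed by ISSUER_NAME
# (self-signed when ISSUER_NAME is omitted).
new_cert() {
    d=$1 name=$2
    printf 'basicConstraints=critical,CA:%s\n' "$4" > "$d/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
    if [ -n "${6:-}" ]; then
        signer="-CA $d/$6.pem -CAkey $d/$6.key"
    else
        signer="-signkey $d/$name.key"
    fi
    # $signer is split on purpose; the mktemp path used below has no spaces.
    openssl x509 -req -in "$d/$name.csr" -days 2 -set_serial "$5" \
        -extfile "$d/$name.ext" $signer -out "$d/$name.pem" 2>/dev/null
}

# chain_status TRUST_STORE LEAF [SENT_INTERMEDIATES]
# Builds the chain as a client would: trust anchors come from TRUST_STORE,
# whatever the server sent besides the leaf is only an untrusted helper.
chain_status() {
    out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1) || true
    case $out in
        *": OK"*) echo complete ;;
        *"unable to get local issuer certificate"*) echo missing-issuer ;;
        *) echo other-error ;;
    esac
}

# Runs the three situations from the thread and prints one result for each.
demo() {
    d=$(mktemp -d) || return 1
    new_cert "$d" root "Constructed Root CA" TRUE 1 &&
    new_cert "$d" int "Constructed EV Intermediate CA" TRUE 2 root &&
    new_cert "$d" leaf "www.example.test" FALSE 3 int || { rm -rf "$d"; return 1; }
    cat "$d/root.pem" "$d/int.pem" > "$d/store.pem"
    # 1. Server sends only its own certificate (the misconfiguration).
    a=$(chain_status "$d/root.pem" "$d/leaf.pem")
    # 2. Server sends leaf plus intermediate (the server-side fix).
    b=$(chain_status "$d/root.pem" "$d/leaf.pem" "$d/int.pem")
    # 3. Client has imported the intermediate itself (the user-side workaround).
    c=$(chain_status "$d/store.pem" "$d/leaf.pem")
    rm -rf "$d"
    echo "$a $b $c"
}

demo
```

The first result corresponds to the sec_error_unknown_issuer dialog: the root is trusted, but the client has no certificate linking the leaf to it.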
--- Comment #10 from James Andrewartha trs80@ucc.asn.au 2009-04-18 11:48:23 --- It's odd then that the SSL cert is accepted by native Windows and Linux Firefox 3, but when I grab the nssckbi.dll from the Firefox 3 zip at http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla1.9.0/ and put it in my wine_gecko directory, Steam still gives the sec_error_unknown_issuer error. Actually, running wine on that Firefox gives the error as well, so it's not a nssckbi.dll problem at all.
--- Comment #11 from Austin English austinenglish@gmail.com 2009-04-18 15:17:28 --- (In reply to comment #7)
> I'm fairly sure it's just a matter of installing the two certificates on http://www.verisign.com/support/verisign-intermediate-ca/extended-validation... into whatever wine-gecko is using as a certificate store. One of them is signed by an existing trusted Verisign root certificate, the other is signed by the former, and the Steam certificate is signed by the latter, completing the chain of trust.
I believe crypt32 handles that, which checks your native keychain store. See CRYPT_knownLocations in crypt32/rootstore.c
Justin H Haynes justin@justinhaynes.com changed:
What    |Removed     |Added
----------------------------------------------------------------------------
CC      |            |justin@justinhaynes.com
--- Comment #12 from Justin H Haynes justin@justinhaynes.com 2009-04-18 15:33:51 --- I updated steam forum with information from this thread: http://forums.steampowered.com/forums/showthread.php?p=9667249#post9667249
--- Comment #13 from Justin H Haynes justin@justinhaynes.com 2009-04-18 15:52:22 --- (In reply to comment #11)
> (In reply to comment #7)
> > I'm fairly sure it's just a matter of installing the two certificates on http://www.verisign.com/support/verisign-intermediate-ca/extended-validation... into whatever wine-gecko is using as a certificate store. One of them is signed by an existing trusted Verisign root certificate, the other is signed by the former, and the Steam certificate is signed by the latter, completing the chain of trust.
> I believe crypt32 handles that, which checks your native keychain store. See CRYPT_knownLocations in crypt32/rootstore.c
So I find:
static const char * const CRYPT_knownLocations[] = {
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/ssl/certs",
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/usr/local/share/certs/",
};
Would the certificates need to be present at compile time or runtime?
--- Comment #14 from Paul "TBBle" Hampson Paul.Hampson@Pobox.com 2009-04-18 16:24:39 --- Does wine-gecko hand off to crypt32? It includes the NSS libraries so I assumed it used those, in which case the default certificates are in nssckbi.dll as mentioned earlier. (I doubt newer versions of that DLL contain intermediate CAs, though I could be wrong, so simply dropping in a newer one may not help)
--- Comment #15 from Paul "TBBle" Hampson Paul.Hampson@Pobox.com 2009-04-18 16:27:30 --- Just read the Steam forums posting. I should clarify that this problem also occurs on a fresh version of IE6, one that has never visited another site using these same intermediate CAs. (Which is where I first noticed this problem, inside the steam client itself under Windows XP)
--- Comment #16 from Austin English austinenglish@gmail.com 2009-04-18 17:15:11 --- (In reply to comment #13)
> (In reply to comment #11)
> > (In reply to comment #7)
> > > I'm fairly sure it's just a matter of installing the two certificates on http://www.verisign.com/support/verisign-intermediate-ca/extended-validation... into whatever wine-gecko is using as a certificate store. One of them is signed by an existing trusted Verisign root certificate, the other is signed by the former, and the Steam certificate is signed by the latter, completing the chain of trust.
> > I believe crypt32 handles that, which checks your native keychain store. See CRYPT_knownLocations in crypt32/rootstore.c
> So I find:
> static const char * const CRYPT_knownLocations[] = {
>     "/etc/ssl/certs/ca-certificates.crt",
>     "/etc/ssl/certs",
>     "/etc/pki/tls/certs/ca-bundle.crt",
>     "/usr/local/share/certs/",
> };
> Would the certificates need to be present at compile time or runtime?
Runtime.
--- Comment #17 from James Andrewartha trs80@ucc.asn.au 2009-04-18 22:30:47 --- I ran Steam and Firefox with WINEDEBUG=+crypt and there was nothing about it trying to load certificates. Firefox did work OK with https://www.britishairways.com/ which has a VeriSign EV cert, but s_client shows a full chain being sent.
--- Comment #18 from Evil wine@eternaldusk.com 2009-04-26 09:12:43 --- I knew this issue prevented me from seeing the community page, but didn't notice that it would also stop you from purchasing new software until I tried to buy the Orange Box today.
I worked around it by accessing the site from a web-browser, but sent a Support request asking to have the server-side issue fixed - since it can be an annoyance to Windows users as well.
Matthew Hatch hatchmt@gmail.com changed:
What    |Removed     |Added
----------------------------------------------------------------------------
CC      |            |hatchmt@gmail.com
--- Comment #19 from Matthew Hatch hatchmt@gmail.com 2009-05-05 11:35:48 --- So is it impossible to import these certificates into wine-gecko? Running the latest wine-snapshot rpm available for openSUSE (1.1.20.20090504-1.1) I'm still getting the ssl error.
Bah.
--- Comment #20 from James Andrewartha trs80@ucc.asn.au 2009-05-05 11:41:41 --- (In reply to comment #19)
> So is it impossible to import these certificates into wine-gecko? Running the latest wine-snapshot rpm available for openSUSE (1.1.20.20090504-1.1) I'm still getting the ssl error.
You could import them manually into the profile certificate store, which is located in ~/.wine/drive_c/windows/profiles/<username>/Application Data/Mozilla/Profiles/MSHTML/<random characters>/ using http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
--- Comment #21 from Justin H Haynes justin@justinhaynes.com 2009-05-05 19:38:35 ---
> You could import them manually into the profile certificate store, which is located in ~/.wine/drive_c/windows/profiles/<username>/Application Data/Mozilla/Profiles/MSHTML/<random characters>/ using http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
I notice that even after running "wine iexplore" and browsing around in the toolbar-less wine-gecko based IE-like browser, that I still don't have a ~/.wine/drive_c/windows/profiles/<username>/Application Data/Mozilla/Profiles/MSHTML/<random characters>/ directory. Also I don't find a cert8.db or key3.db file aside from those in my firefox and thunderbird dirs under my ~/. And the certutil must be built I suppose.
So my questions are:
1) How can I generate the key and cert database in the correct place without a profile, or 2) how do I get wine-gecko to make these directories you speak of?
Thanks,
Justin
--- Comment #22 from James Andrewartha trs80@ucc.asn.au 2009-05-05 21:18:20 --- (In reply to comment #21)
> I notice that even after running "wine iexplore" and browsing around in the toolbar-less wine-gecko based IE-like browser, that I still don't have a ~/.wine/drive_c/windows/profiles/<username>/Application Data/Mozilla/Profiles/MSHTML/<random characters>/ directory. Also I don't find a cert8.db or key3.db file aside from those in my firefox and thunderbird dirs under my ~/. And the certutil must be built I suppose.
certutil is available in libnss3-tools in Debian/Ubuntu.
> So my questions are:
> 1) How can I generate the key and cert database in the correct place without a profile, or 2) how do I get wine-gecko to make these directories you speak of?
1) you need a profile 2) I'm not sure why you don't have a profile at all. Looking at the timestamps on my profile directory, it's possible wine_gecko 0.9.0 and 0.9.1 don't create a profile, in which case my instructions aren't useful. I can't see a profile directory using lsof either.
Casey Jones pvtpuddin@gmail.com changed:
What    |Removed     |Added
----------------------------------------------------------------------------
CC      |            |pvtpuddin@gmail.com
--- Comment #23 from Casey Jones pvtpuddin@gmail.com 2009-05-10 18:09:16 --- Found a workaround. You can go to the Steam Friend's list and right click a friend and hit "View SteamID page" and it takes you to their page.
I believe the certificate problem is occurring because the home page of Steam Community is the control panel for your Account. When you go to other user's pages, it doesn't think you're logged in. You show up as logged in on their friend's list, but on the comments section it says you need to log in, and you don't have links to view your profile, or to view your control panel.
Rodrigo Saboya saboya@gmail.com changed:
What    |Removed     |Added
----------------------------------------------------------------------------
CC      |            |saboya@gmail.com
Adys adys.wh+winehqdotorg@gmail.com changed:
What    |Removed     |Added
----------------------------------------------------------------------------
CC      |            |adys.wh+winehqdotorg@gmail.com
--- Comment #24 from Adys adys.wh+winehqdotorg@gmail.com 2009-06-07 21:59:38 --- Okay so this is not a wine bug at all; the same happens under Chrome for what it's worth. An enhancement would be to be able to view the page anyway, instead of that awkward popup we get right now.
This could use a rename.
brooss.teambb@gmail.com changed:
What    |Removed     |Added
----------------------------------------------------------------------------
CC      |            |brooss.teambb@gmail.com
Dmitry Timoshkov dmitry@codeweavers.com changed:
What    |Removed     |Added
----------------------------------------------------------------------------
CC      |            |n.engyozov@taxundo.com
--- Comment #25 from Dmitry Timoshkov dmitry@codeweavers.com 2009-06-20 07:57:48 --- *** Bug 18998 has been marked as a duplicate of this bug. ***
Casey Jones jonescaseyb@gmail.com changed:
What    |Removed     |Added
----------------------------------------------------------------------------
CC      |            |jonescaseyb@gmail.com
--- Comment #26 from Casey Jones jonescaseyb@gmail.com 2009-08-12 00:02:04 --- This bug appears to be fixed. I can now sign in to the steam community page from steam.
Can anyone else confirm this? I'm still on wine-1.1.26
Jacek Caban jacek@codeweavers.com changed:
What    |Removed     |Added
----------------------------------------------------------------------------
CC      |            |jacek@codeweavers.com
--- Comment #27 from Jacek Caban jacek@codeweavers.com 2009-08-24 11:09:32 --- Fixed both in Wine and by Valve.
Jacek Caban jacek@codeweavers.com changed:
What        |Removed     |Added
----------------------------------------------------------------------------
Status      |NEW         |RESOLVED
Resolution  |            |FIXED
--- Comment #28 from Jacek Caban jacek@codeweavers.com 2009-08-24 11:11:26 --- Fixed.
--- Comment #29 from Nikolay Engyozov n.engyozov@taxundo.com 2009-08-24 15:27:30 --- I still have the same problem and message - wine version 1.1.27
--- Comment #30 from Vitaliy Margolen vitaliy@kievinfo.com 2009-08-24 23:01:58 --- (In reply to comment #29)
> I still have the same problem and message - wine version 1.1.27
Works fine in wine-1.1.28, upgrade.
Alexandre Julliard julliard@winehq.org changed:
What    |Removed     |Added
----------------------------------------------------------------------------
Status  |RESOLVED    |CLOSED
--- Comment #31 from Alexandre Julliard julliard@winehq.org 2009-09-02 14:23:57 --- Closing bugs fixed in 1.1.29.