http://bugs.winehq.org/show_bug.cgi?id=24032
Summary: Cannot authenticate / create online profile for Ubisoft Anno 1404
Product: Wine
Version: 1.3.0
Platform: x86
OS/Version: Mac OS X 10.6
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: winhttp
AssignedTo: wine-bugs@winehq.org
ReportedBy: tw3aky@gmail.com
Created an attachment (id=30193) --> (http://bugs.winehq.org/attachment.cgi?id=30193) anno4.exe terminal output
I'm running wine-1.3.0-166-g277040d, compiled from a git clone made a couple of days ago, on Mac OS X 10.6.4.
GCC version: i686-apple-darwin10-gcc-4.2.1 (GCC) 4.2.1 (Apple Inc. build 5664)
The game I'm trying to run is Anno 1404 (a.k.a. Dawn of Discovery). I'm running the game with the following command from the game's install location (in order to find correct libraries):
DYLD_FALLBACK_LIBRARY_PATH="/opt/local/lib:/usr/X11/lib" ~/wine-git/wine Anno4.exe
I've copied the usersettings from a copy on windows to get engine.ini and account data in place. Performed D3D9 fix in engine.ini and set dbghelp.dll to native with winecfg.
D3D9 is installed with winetricks version 20100811.
When the game starts, it tries to authenticate the existing online profile, showing a dialogue with 'Waiting for other online transactions'. After a timeout, the dialogue shows 'logging in...', and again after a certain amount of time, the dialogue asks to enter the password again. Clearly it didn't authenticate. I am sure the credentials are correct. When trying to create an online profile, a dialogue asks to enter the username and password of your ubi-account. After doing so, the dialogue 'Logging in...' appears and again after a certain amount of time asks to enter your password again.
In the terminal output I found an error from winhttp that coincides with connect attempts:
err:winhttp:netconn_secure_connect couldn't verify server certificate (12157)
Attached you can find the terminal output from such a test flow described above.
I've had this error also in the wine @1.2 and wine-devel @1.3.0 installed via Macports. Also the latest release of crossover games of Codeweavers has this problem to authenticate an online profile for this game, although there was no error in the terminal output but a warning stating RAS support is not implemented. Bug 21868 insinuates a similar problem in wine version 1.1.39
--- Comment #1 from Tw3aky tw3aky@gmail.com 2010-08-17 10:08:31 ---
Created an attachment (id=30194) --> (http://bugs.winehq.org/attachment.cgi?id=30194) winhttp trace log
I also did a test run with WINEDEBUG=+winhttp. In this debug run I just started the game, let the game try to authenticate the online profile and after the failed attempts, the game was quit.
Tw3aky tw3aky@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #30194|application/octet-stream    |text/plain
          mime type|                            |
Juan Lang juan_lang@yahoo.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|winhttp                     |-unknown

--- Comment #2 from Juan Lang juan_lang@yahoo.com 2010-08-17 11:56:22 ---
Please attach a +crypt,+chain log.
--- Comment #3 from Tw3aky tw3aky@gmail.com 2010-08-18 08:56:53 ---
Created an attachment (id=30209) --> (http://bugs.winehq.org/attachment.cgi?id=30209) crypt, chain trace log
The command I ran:
WINEDEBUG=+crypt,+chain DYLD_FALLBACK_LIBRARY_PATH="/opt/local/lib:/usr/X11/lib" ~/wine-git/wine Anno4.exe &> anno4_crypt_chain_trace.log
Same test run as with the winhttp trace.
Attached the created output.
--- Comment #4 from Juan Lang juan_lang@yahoo.com 2010-08-18 10:22:41 ---
It's apparently failing somewhere in OpenSSL, then. SSL_connect is failing:
http://source.winehq.org/source/dlls/winhttp/net.c#L669
leading to the error message. The +crypt,+chain log only has background stuff, nothing to do with the connection. You might have to get help from the OpenSSL folks for this one.
--- Comment #5 from Juan Lang juan_lang@yahoo.com 2010-08-20 12:35:16 ---
Could you try to capture the connection with secure.ubisoft.com with wireshark and attach that trace here?
--- Comment #6 from Tw3aky tw3aky@gmail.com 2010-08-23 07:47:08 ---
Created an attachment (id=30326) --> (http://bugs.winehq.org/attachment.cgi?id=30326) wireshark trace (filter:host secure.ubi.com)
Apparently there is an alert: Unknown CA in the connection. I guess this is why the error: Couldn't verify server certificate shows up in the wine terminal output.
As far as I could see, secure.ubi.com uses a Thawte signed certificate on their server. My Apple keychain contains the Thawte Root CA and it is trusted, as I can log in on the site.
For OpenSSL, however, I've noticed I have 2 installations on my box. One provided by Apple (/System/Library/OpenSSL) and one installed by Macports (/opt/local/<somewhere>).
When I type 'OpenSSL version -d' in the terminal it returns: OPENSSLDIR: "/opt/local/etc/openssl", so I presume this is the base dir for the openssl wine uses? I've created the /opt/local/etc/openssl/certs directory, downloaded the Thawte Root CA to that directory and created the symlink <hash>.0 for it and verified the root certificate (as I don't have the specific server certificate), which returned OK.
--- Comment #7 from Juan Lang juan_lang@yahoo.com 2010-08-23 12:13:08 ---
Does it work once you do all that? If so, this bug is invalid: it's a problem with your default OpenSSL config.
--- Comment #8 from Tw3aky tw3aky@gmail.com 2010-08-23 17:32:35 ---
Sorry I didn't mention that. But no, it still does not work. In fact, the OpenSSL config steps I did were a couple of days ago. I did that wireshark trace today.
For the record, I've copied the Thawte root CA and created the symlink in every ../certs directory I could find on my box, but as I said, it had no use.
Also, 'OpenSSL version -d' and 'openssl version -d' give the same output, namely /opt/local/etc/openssl
--- Comment #9 from Juan Lang juan_lang@yahoo.com 2010-08-23 17:51:28 ---
(In reply to comment #8)
> For the record, I've copied the Thawte root CA and created the symlink in every ../certs directory I could find on my box, but as I said, it had no use.
secure.ubi.com's cert is signed by Thawte, but Thawte isn't the root. The proper root certificate is Verisign Class 3 Public Primary Certification Authority. You'd need to install that in the proper place for MacPorts's OpenSSL. Since OpenSSL doesn't use the Apple keychain, whether you can get to it from Safari or Firefox on your mac is irrelevant.
I'm pretty sure this bug is still invalid, as it's a configuration problem. I admit that it's confusing that OpenSSL doesn't use the Apple keychain, but it's not really a Wine bug.
--- Comment #10 from Tw3aky tw3aky@gmail.com 2010-08-24 09:58:56 ---
Agreed. It WAS definitely a config issue with openSSL.
I've downloaded a root certificate zip file from Verisign containing all sorts of root CA for Verisign, Geotrust and Thawte. Then I spent approx an hour creating all those <hash>.0 as a script couldn't deal with spaces in the certificate filenames, but BINGO. It works now.
Nevertheless, pity the openSSL package from macports doesn't contain these standard root CAs.
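
The `<hash>.0` linking step from comment #10, as an added example that is not part of the original thread: a shell function that creates the links for every PEM certificate in a CA directory and copes with spaces in file names. The name `link_ca_dir`, the `.pem`/`.crt`/`.cer` extensions and PEM encoding of the input files are assumptions.

```shell
#!/bin/bash
# Added example (not from the bug thread): create the <hash>.N lookup links
# OpenSSL expects in a CA directory. link_ca_dir is a hypothetical helper name.
link_ca_dir() {
    local dir cert name subj_hash n count
    dir=$1
    count=0
    # Glob expansion yields one word per file, so spaces in names are harmless
    # as long as every later use of "$cert" stays quoted.
    for cert in "$dir"/*.pem "$dir"/*.crt "$dir"/*.cer; do
        [ -f "$cert" ] || continue          # pattern matched nothing
        # Subject-name hash that OpenSSL uses as the lookup file name.
        subj_hash=$(openssl x509 -noout -hash -in "$cert" 2>/dev/null) || subj_hash=""
        if [ -z "$subj_hash" ]; then
            echo "skipped, not a PEM certificate: $cert" >&2
            continue
        fi
        name=${cert##*/}
        n=0
        # Distinct CAs can share a hash, so take the next free numeric suffix.
        while [ -e "$dir/$subj_hash.$n" ] || [ -L "$dir/$subj_hash.$n" ]; do
            if [ "$(readlink "$dir/$subj_hash.$n")" = "$name" ]; then
                n=-1                        # linked on an earlier run
                break
            fi
            n=$((n + 1))
        done
        [ "$n" -ge 0 ] || continue
        ln -s "$name" "$dir/$subj_hash.$n"  # relative link inside the directory
        count=$((count + 1))
    done
    echo "$count"                           # number of links created
}

# Stand-alone use: ./link_ca_dir.sh /opt/local/etc/openssl/certs
if [ "$#" -gt 0 ]; then
    link_ca_dir "$1"
fi
```

Afterwards, `openssl verify -CApath <dir> <certificate>` checks a certificate against the linked directory. OpenSSL also ships a `c_rehash` script that performs the same linking.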
Tw3aky tw3aky@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |INVALID

--- Comment #11 from Tw3aky tw3aky@gmail.com 2010-08-24 10:02:30 ---
Flagging this bug invalid. Thanks though for your support and help Juan.
Juan Lang juan_lang@yahoo.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #12 from Juan Lang juan_lang@yahoo.com 2010-08-24 12:03:09 ---
Happy to help. Long term, there is a Wine bug here: we use OpenSSL in wininet and winhttp, GnuTLS in schannel, and we load certificates from various system locations, including the Apple keychain, in crypt32. Naturally these sets may be inconsistent. Ideally, we'd use the same set of certificates in all cases, and on the Mac, use the Apple keychain rather than insist on installing certificates in OpenSSL. It's probably not worth holding this bug open nearly indefinitely while this is addressed, however, so I'll go ahead and close this.
Austin English austinenglish@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         OS/Version|Mac OS X 10.6               |Mac OS X