https://bugs.winehq.org/show_bug.cgi?id=53813
Bug ID: 53813
Summary: Let's Encrypt certificate validation fails
Product: Wine
Version: 7.19
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: crypt32
Assignee: wine-bugs@winehq.org
Reporter: panard@inzenet.org
Distribution: ---

Created attachment 73329 --> https://bugs.winehq.org/attachment.cgi?id=73329
WINEDEBUG=-all,cryptnet,cryptasn,wininet,chain of .NET application
The .NET application "Magic Online" fails to validate the certificate of mtgologin1.mtgo.com:7770, which prevents login (the app thinks it is in maintenance mode due to the connection error).
The certificate of mtgologin1.mtgo.com:7770 seems valid, however. It is issued by Let's Encrypt.

Certificate chain
 0 s:CN = *.mtgo.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
From the log, the issue seems related to the verification of the revocation status with OCSP on http://r3.o.lencr.org, with a warning on an invalid tag in CRYPT_AsnDecodeResponderID.
I attach the log with WINEDEBUG=-all,cryptnet,cryptasn,wininet,chain, where I kept only the relevant cryptasn part.

The main error path seems to be the following:

0220:trace:cryptnet:verify_cert_revocation_from_aia_ext OCSP URL = L"http://r3.o.lencr.org"
0220:trace:wininet:HTTP_GetResponseHeaders version [L"HTTP/1.1"] status code [L"200"] status text [L"OK"]
01a4:warn:cryptasn:CRYPT_AsnDecodeResponderID Unexpected tag 30
0220:trace:cryptnet:verify_cert_revocation verify_cert_revocation_from_aia_ext() returned 8009310b
0220:trace:cryptnet:verify_cert_revocation no CRL found
0220:trace:cryptnet:verify_cert_revocation verify_cert_revocation_from_aia_ext() returned 80092012
0220:trace:chain:CertGetCertificateChain error status: 01000040
--- Comment #1 from Panard panard@inzenet.org ---
Created attachment 73330 --> https://bugs.winehq.org/attachment.cgi?id=73330
issuer.pem
--- Comment #2 from Panard panard@inzenet.org ---
Created attachment 73331 --> https://bugs.winehq.org/attachment.cgi?id=73331
mtgologin1.mtgo.com certificate
Here is the OCSP response using certificate chain + mtgologin1 certificate:
$ openssl ocsp -timeout "119" -no_nonce -issuer ~/issuer.pem -cert ~/mtgologin1.mtgo.com_7770_D8D825A5.pem -url http://r3.o.lencr.org -header HOST=r3.o.lencr.org -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
          Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
          Serial Number: 03261C8280F38C13EFAE839D89B9CD59835B
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = R3
    Produced At: Oct 20 06:01:00 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
      Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
      Serial Number: 03261C8280F38C13EFAE839D89B9CD59835B
    Cert Status: good
    This Update: Oct 20 06:00:00 2022 GMT
    Next Update: Oct 27 05:59:58 2022 GMT

    Signature Algorithm: sha256WithRSAEncryption
         1d:9e:19:98:74:c4:5c:bb:85:8b:81:23:b6:2f:62:bf:69:0e:
         b4:f2:6f:af:4d:25:f3:7a:08:de:b2:d6:b8:50:89:17:88:12:
         78:7a:09:45:a8:74:22:0d:ae:4d:2c:d7:7f:77:4d:e5:8a:3e:
         b6:fa:ef:bc:50:b9:81:f6:92:2a:af:79:98:33:ad:83:de:d5:
         4e:8d:80:6a:e8:47:c5:8c:e4:c3:de:fc:34:bc:89:bf:1b:0e:
         62:e8:d2:09:2b:dc:85:ce:dc:ad:af:2d:d5:7f:b1:96:31:11:
         dd:99:c4:29:af:f0:c4:75:79:04:80:da:09:f1:7b:42:23:a7:
         e1:2b:7d:72:ef:12:42:10:c5:77:e5:48:3d:bd:98:46:aa:c1:
         e0:13:19:79:10:ee:1c:40:b9:83:06:8c:2f:2f:fa:9a:ca:c3:
         21:80:d4:83:38:51:69:33:6c:e5:df:1b:bd:e8:d2:c3:4f:79:
         7e:81:69:af:bd:df:c2:91:bf:4e:6e:ed:cd:7c:9e:e2:31:bf:
         a8:14:a1:a2:c8:3e:61:a0:d0:fd:c9:02:42:14:7d:38:cc:4a:
         5a:fe:48:71:1a:52:1e:20:88:22:7d:ba:f4:33:61:86:8e:f0:
         a5:7d:2f:c7:05:db:3a:ea:72:0c:88:7b:1f:6c:d8:cf:c5:7f:
         ad:ff:f5:dd
Response verify OK
/home/pauleve/mtgologin1.mtgo.com_7770_D8D825A5.pem: good
        This Update: Oct 20 06:00:00 2022 GMT
        Next Update: Oct 27 05:59:58 2022 GMT

crypt32 CRYPT_AsnDecodeResponderID complains of a wrong tag for the ResponderID field. Tag 0x30 seems to be a sequence AFAIU. Could it be that the above response does not follow the RFC https://www.rfc-editor.org/rfc/rfc6960#page-32? That would be strange for such a usual OCSP server...
--- Comment #3 from Hans Leidekker hans@meelstraat.net ---
(In reply to Panard from comment #2)
> crypt32 CRYPT_AsnDecodeResponderID complains of a wrong tag for the ResponderID field. Tag 0x30 seems to be a sequence AFAIU. Could it be that the above response does not follow the RFC https://www.rfc-editor.org/rfc/rfc6960#page-32? That would be strange for such a usual OCSP server...
It uses the name format for the responder ID which isn't specified in the RFC.
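The ResponderID CHOICE that the decoder tripped on, as an added example that is not Wine's crypt32 code and not part of this bug thread. RFC 6960 defines ResponderID as a CHOICE between byName ([1] Name, whose inner element is a SEQUENCE, tag 0x30) and byKey ([2] KeyHash, an OCTET STRING holding the SHA-1 of the responder's public key). The block below is a small self-contained DER encoder and decoder for both alternatives; decode_responder_id_keyonly is a constructed stand-in that only understands byKey and so rejects the SEQUENCE tag of a byName responder with a message shaped like the Wine warning, while decode_responder_id accepts both forms. The R3-style distinguished name and the SPKI bytes are constructed sample values, not data taken from the attachments.

```python
"""Minimal DER handling for the OCSP ResponderID CHOICE (RFC 6960, section 4.2.1).

    ResponderID ::= CHOICE { byName [1] Name, byKey [2] KeyHash }
    KeyHash     ::= OCTET STRING  -- SHA-1 hash of responder's public key

Both alternatives are EXPLICIT-tagged, so the outer tag is 0xA1 or 0xA2 and the
inner element is a SEQUENCE (Name) or an OCTET STRING (KeyHash).
"""
import hashlib

# Attribute type OIDs used in the sample Name (constructed, standard X.520 values).
OID_CN = bytes.fromhex("550403")  # commonName 2.5.4.3
OID_O = bytes.fromhex("55040a")   # organizationName 2.5.4.10
OID_C = bytes.fromhex("550406")   # countryName 2.5.4.6


def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Build one tag-length-value element (single-byte tags only)."""
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_name(rdns):
    """rdns: list of (oid_bytes, value_str); each becomes a single-attribute RDN.
    countryName is a PrintableString (0x13), the others are encoded as UTF8String (0x0C)."""
    sets = b""
    for oid, value in rdns:
        vtag = 0x13 if oid == OID_C else 0x0C
        sets += tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(vtag, value.encode())))
    return tlv(0x30, sets)


def decode_name(name_content):
    """Inverse of encode_name: returns [(oid_bytes, value_str), ...]."""
    rdns, pos = [], 0
    while pos < len(name_content):
        _, set_content, pos = read_tlv(name_content, pos)
        _, atv, _ = read_tlv(set_content)
        _, oid, after_oid = read_tlv(atv)
        _, value, _ = read_tlv(atv, after_oid)
        rdns.append((oid, value.decode()))
    return rdns


def encode_responder_by_name(rdns):
    return tlv(0xA1, encode_name(rdns))             # [1] EXPLICIT Name


def encode_responder_by_key(subject_public_key):
    digest = hashlib.sha1(subject_public_key).digest()
    return tlv(0xA2, tlv(0x04, digest))             # [2] EXPLICIT OCTET STRING


def decode_responder_id_keyonly(der):
    """Stand-in for a decoder that only knows byKey: a byName responder
    (inner SEQUENCE, tag 0x30) is rejected instead of being decoded."""
    _, inner, _ = read_tlv(der)
    tag, content, _ = read_tlv(inner)
    if tag != 0x04:
        raise ValueError("Unexpected tag %02x" % tag)
    return ("byKey", content)


def decode_responder_id(der):
    """Decoder that accepts both CHOICE alternatives and validates their shape."""
    outer_tag, inner, end = read_tlv(der)
    if end != len(der):
        raise ValueError("trailing data after ResponderID")
    tag, content, inner_end = read_tlv(inner)
    if inner_end != len(inner):
        raise ValueError("trailing data inside ResponderID")
    if outer_tag == 0xA1:
        if tag != 0x30:
            raise ValueError("byName must wrap a SEQUENCE (Name), got tag %02x" % tag)
        return ("byName", decode_name(content))
    if outer_tag == 0xA2:
        if tag != 0x04 or len(content) != 20:
            raise ValueError("byKey must wrap a 20-byte OCTET STRING (SHA-1 KeyHash)")
        return ("byKey", content)
    raise ValueError("Unexpected ResponderID tag %02x" % outer_tag)


# Constructed sample values (not taken from the bug's attachments).
R3_STYLE_NAME = [(OID_C, "US"), (OID_O, "Let's Encrypt"), (OID_CN, "R3")]
SAMPLE_SPKI = b"constructed subjectPublicKeyInfo bytes"
```

Running decode_responder_id_keyonly on encode_responder_by_name(R3_STYLE_NAME) raises "Unexpected tag 30", which is the shape of the warning in the attached log, whereas decode_responder_id returns the decoded name; a responder that identifies itself by key hash goes through both decoders.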
--- Comment #4 from Hans Leidekker hans@meelstraat.net ---
Created attachment 73337 --> https://bugs.winehq.org/attachment.cgi?id=73337
patch
Can you try this patch?
--- Comment #5 from Panard panard@inzenet.org --- The patch seems to work perfectly and resolves the issue. Thanks a lot!
Hans Leidekker hans@meelstraat.net changed:
What            |Removed     |Added
----------------+------------+-----------------------------------------
Regression SHA1 |            |d393709fe42bf88a14c52a2f0c8779d73d1a6708
Status          |UNCONFIRMED |RESOLVED
Resolution      |---         |FIXED
--- Comment #6 from Hans Leidekker hans@meelstraat.net --- Fixed with d393709fe42bf88a14c52a2f0c8779d73d1a6708. Thanks for the report.
Gijs Vermeulen gijsvrm@gmail.com changed:
What            |Removed                                  |Added
----------------+-----------------------------------------+-----------------------------------------
Regression SHA1 |d393709fe42bf88a14c52a2f0c8779d73d1a6708 |
Fixed by SHA1   |                                         |d393709fe42bf88a14c52a2f0c8779d73d1a6708
Alexandre Julliard julliard@winehq.org changed:
What            |Removed     |Added
----------------+------------+--------
Status          |RESOLVED    |CLOSED
--- Comment #7 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 7.20.