HTTPS and SSL - atauenis/webone GitHub Wiki

Since version 0.16, WebOne can work as an HTTPS/TLS gateway: you can open https:// websites through old browsers via WebOne, and reach SSL/TLS-based servers from applications that can work with HTTPS proxies.

For such software, the proxy server downgrades the security level to one the client can handle.

Common

The HTTPS downgrade feature (which actually means WebOne decrypting the TLS traffic and then encrypting it again with an SSL/TLS version and cipher the client supports) replaces the original server's certificate with a certificate issued by WebOne. All these certificates are signed by the proxy server's root certificate, so that root certificate must be imported into the web browser's certificate authority store to make HTTPS work. Keep in mind what this trust means: a client that trusts the WebOne root will accept a certificate for any site signed with it, so the root's private key file (and the host it lives on) needs the same protection as the client traffic passing through the proxy.

The proxy server's root certificate is unique to each WebOne installation and is generated on the first run of WebOne. To download it, open the proxy's status page (http://localhost:8080/) and click the "WebOne CA root certificate" link.

Microsoft Internet Explorer, Apple Safari and Google Chrome (including other Chromium-based browsers such as Opera 15+, Yandex, Atom, Otter) use the operating system's root certificate store. Mozilla-based applications and the classic Opera browser (Presto engine, up to 12.x) use their own store, configurable via the browser's preferences.

All internal pages like status page are available only via plain HTTP.

Client requirements

At the moment, the minimum level of SSL support required from a client is:

  • Protocol: SSL 3.0 (SSL 2.0 also sometimes works)
  • Cipher strength: 128-bit Triple-DES (40-bit RC4 also sometimes works)
  • Certificate signing: SHA-256

So HTTPS through WebOne works with these apps:

  • Microsoft Internet Explorer: 6.0 and up on Windows XP SP3 or Vista+.
  • Mozilla: 1.7 and up.
  • Netscape: 7.2 and up.
  • Firefox, SeaMonkey: 1.0 and up.
  • Opera: 9.0 and up.
  • Safari: 3.0 and up on MacOS X 10.5+ or Windows XP SP3 or Vista+.
  • Windows SSL applications: Windows XP SP3 or Vista+.
  • Linux SSL applications: all which use OpenSSL 0.9.8o or newer.
  • MacOS X SSL applications: MacOS X 10.5+.
  • Konqueror: 3.5.6 and up.
  • iPhone/iPad applications: iOS 3.0+.
  • Windows Phone applications: 7.0+.
  • Google Chrome: 38+ on Windows XP SP2 and all versions on SP3 or Vista+.

The maximum level WebOne offers is TLS 1.2 with 256-bit AES ciphers; "modern" software such as Firefox 2.x, Internet Explorer 8 (on Windows 7) or Chrome 47 negotiates the strongest protocol and cipher it supports within that range.

Some browsers without SHA-2 certificate support can also work, but a warning message appears on each page:

  • Microsoft Internet Explorer 4.0-6.0 on Windows 9x, NT, 2000, XP (pre-SP3).
  • Opera 6.0 and up.
  • Mozilla 1.4 and up.
  • Netscape 6.0-7.1.

HTTPS does not work at all with the following (probably due to strict certificate checking):

  • Microsoft Internet Explorer 2.x, 3.x.
  • Microsoft Internet Explorer for Macintosh.
  • Opera 5.x and earlier.
  • Netscape Navigator.

Server OS-specific notes

WebOne relies on the system-wide configuration to enable or disable the cryptographic protocols and ciphers used to talk to clients (this cannot be overridden by WebOne itself). By default, on modern systems most retro technologies such as SSL 3.0 or 56-bit ciphers are disabled or even removed, which prevents some older browsers from using HTTPS through the proxy until the server is reconfigured.

Windows Server hosts

The lists of enabled SSL/TLS versions and cipher suites are configured via the HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 and HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL registry keys. By default on Windows 11 23H2, SSL 3.0 and most TLS 1.0 cipher suites are disabled, so a connection from a browser like Internet Explorer 6 ends in a Schannel event 36871 (error state 10011) in the System log. However, anything down to SSL 3.0 with 40-bit RC4 and MD5 can be re-enabled via the registry. Support for SSL 2.0 has been dropped since Windows 10 v1607. The current list of cipher suites supported by each Windows version is in Microsoft's Schannel cipher suite documentation.

Always back up the registry keys listed above before editing them. To enable all available SSL and TLS ciphers on Windows 7/8.1/10/11 and Server 2016-2022, import the registry file and reboot. Note that this affects every SSL/TLS application on the system, client and server side alike, which makes the whole host less secure; running the proxy on a dedicated machine or VM is the safer choice.
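For reference, here is an added example of what such a registry file contains for the SSL 3.0 / 40-bit RC4 floor mentioned above. It is not the registry file linked from the original wiki; the key and value names are Schannel's documented ones. Only the Server subkeys are touched, because the old browsers talk to WebOne as a TLS server, while WebOne's own outbound connections to real websites keep using modern TLS.

```reg
Windows Registry Editor Version 5.00

; Added example for this wiki page, not the file shipped with WebOne.
; Re-enables SSL 3.0 and TLS 1.0 on the server side plus the RC4, 3DES,
; MD5 and SHA-1 primitives that SSL 3.0 / TLS 1.0 clients such as IE6 use.
; Host-wide effect: every Schannel-based server on this machine gets them.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:ffffffff
```

On Windows 10 and 11 the matching suites (for example TLS_RSA_WITH_3DES_EDE_CBC_SHA and the TLS_RSA_WITH_RC4_* suites) must also be present in the cipher suite order (the Functions value under the Policies ...\SSL\00010002 key, or the Enable-TlsCipherSuite cmdlet), because a suite missing from that list is never offered regardless of the SCHANNEL keys above. To revert, import the backup taken before editing and reboot.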

Linux and macOS hosts

On UNIX-like systems, WebOne uses the OpenSSL libraries and their configuration to establish SSL/TLS connections, so legacy protocols and ciphers are turned on in the system's OpenSSL configuration rather than in WebOne. See the linked OpenSSL article on how to enable a non-default cipher suite.
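As an added example (not a file shipped with WebOne), this is the kind of change to the system OpenSSL configuration that the paragraph refers to. The path /etc/ssl/openssl.cnf is assumed (Debian/Ubuntu); merge the sections into the existing file rather than duplicating section headers that are already there.

```ini
# Added example for this wiki page, not WebOne's own configuration.
# Applies to every OpenSSL-based program on the host, not just WebOne.

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Distribution defaults (MinProtocol = TLSv1.2, CipherString = DEFAULT@SECLEVEL=2)
# reject the TLS 1.0 handshakes and 3DES suites that pre-2008 browsers need.
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=0
```

Two caveats: distribution builds of OpenSSL 1.1.0 and later compile out SSL 3.0 entirely, so TLS 1.0 with 3DES is the practical floor on Linux, and RC4 suites additionally need the legacy provider on OpenSSL 3. A quick check from another machine is `openssl s_client -connect proxyhost:port -tls1 -cipher 'DES-CBC3-SHA@SECLEVEL=0'`, which should complete the handshake once the setting is in effect. WebOne's own SslProtocols option still has to allow the protocol as well.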

Client-specific notes

Windows clients

In some cases the certificate does not install properly with the automatically detected settings, so the store location has to be chosen manually in the import wizard (the proxy root belongs in the Trusted Root Certification Authorities store):

Root Certificate

Windows XP SP2 and earlier have no built-in support for SHA-256. On these systems Firefox/Opera will open HTTPS sites, but Internet Explorer will not. Software like MSN Messenger 4.7+ will also fail to connect, because it cannot verify the SSL certificate. A temporary workaround is to not install the WebOne CA certificate at all; then at least MSIE (even 4.0 with the 128-bit update) opens HTTPS sites, with a warning message box on each. Sadly, this does not help MSN Messenger, which is unable to bypass a certificate warning.

On Windows Server 2003, SHA-256 support becomes available after installing KB938397 or KB968730, so those updates are required.

Windows XP SP3 and Vista/Server 2008 have proper support for WebOne certificates. However, if you experience problems, try installing the updates from SSL Updates XP.zip.

Miranda NG

If you are running Miranda NG on a system without SHA-256 support (like Windows XP SP2), certificate validation needs to be disabled in Miranda. This resolves the SSL connection failures, at the price that Miranda then accepts any certificate, so only do it on a machine whose traffic all goes through the proxy you trust.

MirandaICQ

Windows 2000 Extended Kernel

Support for SHA-256 certificates is also available in BlackWingCat's Extended Kernel for Windows 2000 SP4. That is enough for applications like Miranda NG to work with SSL on Windows 2000 through WebOne. But the Extended Kernel itself may break some applications; be prepared for a complete system reinstall.

OS/2 clients

The IBM Web Browser included in OS/2 Warp 4.52 is based on an early build of the Mozilla Suite (rv:0.9.2, equivalent to Netscape 6.1). It has no SHA-256 support, so it does not work with HTTPS via WebOne; install a newer Mozilla or Firefox build instead.

E-Mail SSL support

WebOne currently does not support the STARTTLS method of e-mail protocols (POP3, IMAP, SMTP, etc.).

Server configuring

Options of the HTTPS/SSL proxy are configured in the [SecureProxy] section of the configuration file(s). Note that the SslProtocols option still relies on the OS configuration: it will not accept SSL 2.0 unless that protocol (and the corresponding cipher suites) is enabled in the OS configuration and supported by OpenSSL/SChannel on the proxy server's OS.

Custom certificate generator

You may also specify a custom root certificate and even an external utility that produces the site certificates instead of the built-in certificate generator. With a custom certificate generator it becomes possible to work with non-SHA-2-capable clients (by signing the site certificates with a digest such as SHA-1 that those clients can verify).

Both the CA and site certificates must be in PEM format, split into two files: the certificate itself (.crt) and its private key (.key). The root certificate/key files are expected at the specified paths: if they are absent, WebOne generates them; if they are present, WebOne loads them. Site certificates and keys are looked up at the paths specified in SslSiteCerts; if they are not present, the app specified in SslSiteCertGenerator (or the built-in generator) is invoked to create them. The built-in generator keeps its certificates in a RAM cache only.
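Here is an added example of what an external site-certificate generator along the lines of SslSiteCertGenerator could look like, written as POSIX shell around the openssl CLI. It is not WebOne's own generator and not its exact interface: the function names, the argument order (CA directory, output directory, hostname, digest) and the hostname-based .crt/.key file naming are assumptions for illustration; take the real invocation and paths from the SslSiteCertGenerator and SslSiteCerts settings. The digest defaults to SHA-256; passing sha1 produces a certificate that pre-SHA-2 clients can verify (whether the host's OpenSSL policy still permits SHA-1 signing is system-dependent).

```shell
#!/bin/sh
# Added example for this wiki page, not WebOne's code. Hypothetical external
# site-certificate generator: the argument convention and file naming below
# are assumptions, not WebOne's real SslSiteCertGenerator contract.
set -eu

# make_ca CA_DIR
# Creates a self-signed root (ca.crt / ca.key, PEM) in CA_DIR if none exists,
# mirroring the "generate root on first run, load it afterwards" behaviour.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    [ -f "$dir/ca.key" ] && return 0
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example WebOne Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"   # the root key is what every client trusts
}

# make_site_cert CA_DIR OUT_DIR HOST [DIGEST]
# Writes OUT_DIR/HOST.crt and OUT_DIR/HOST.key signed by the CA. DIGEST is the
# signature hash: sha256 by default, sha1 for clients without SHA-2 support.
make_site_cert() {
    ca=$1; out=$2; host=$3; digest=${4:-sha256}
    mkdir -p "$out"
    ext=$(mktemp)
    # Leaf-only extensions: a SAN (modern clients ignore CN), no CA powers.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$out/$host.key" -out "$out/$host.csr" 2>/dev/null
    openssl x509 -req -in "$out/$host.csr" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
        -CAcreateserial -"$digest" -days 825 -extfile "$ext" \
        -out "$out/$host.crt" 2>/dev/null
    chmod 600 "$out/$host.key"
    rm -f "$ext" "$out/$host.csr"
}

# check_site_cert CA_DIR OUT_DIR HOST
# Prints OK when the site certificate chains to the CA, FAIL otherwise.
check_site_cert() {
    if openssl verify -CAfile "$1/ca.crt" "$2/$3.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# sig_alg OUT_DIR HOST
# Prints the signature algorithm of the site certificate, e.g.
# sha256WithRSAEncryption or sha1WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1/$2.crt" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}
```

Typical use is `make_ca ./ca` once, then `make_site_cert ./ca ./sites www.example.org sha1` per hostname the proxy needs, followed by `check_site_cert` to confirm the chain before pointing a client at it. The sha1 variant exists only to satisfy pre-SHA-2 clients; every client that trusts this CA will accept whatever it signs, so keep the generated CA and site keys readable by the proxy user only.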

Links