Alexander Tauenis edited this page Oct 17, 2024 · 12 revisions

WebOne since version 0.16 supports working as an HTTPS and TLS gateway. You may open any https:// website through old browsers and WebOne, and get access to SSL/TLS-based servers from applications that can work with HTTPS proxies.

For such software, the proxy server is able to downgrade the security level to a compatible one.

Common

The HTTPS downgrade feature (which is actually decrypting the TLS traffic and then re-encrypting it with a new SSL/TLS session via WebOne) replaces the original server's certificate with WebOne's own certificate. All certificates are signed by the proxy server's root certificate, so it must be imported into the web browser's certificate authority store to make HTTPS work. The detailed guide: Installing the Root Certificate.

The proxy server's root certificate is unique for each WebOne installation and is generated on the first run of WebOne. To download it, open the proxy's status page (http://localhost:8080/) and click the "WebOne CA root certificate" link.

Microsoft Internet Explorer, Apple Safari and Google Chrome (including other Chromium-based browsers such as Opera 15+, Yandex, Atom, Otter) use the operating system's root certificate store. Mozilla-based applications and the Opera browser use their own store, configurable via the browser's preferences.

All internal pages like status page are available only via plain HTTP.

SSL and TLS versions supported

At this moment, the level of SSL support depends on the server OS configuration and its capabilities. In the best case, the minimum and maximum levels of SSL support in WebOne are:

  • Protocol: SSL 2.0/3.0, TLS 1.0/1.1/1.2/1.3
  • Cipher strength: 40/56/128/168/256-bit RC4/3DES/AES
  • X.509 V3 certificate signature: MD5, SHA1, SHA256, SHA384, SHA512 (all are RSA)

The top available security level is compatible with Firefox 3, Internet Explorer 8 (on Windows 7), Chrome 47 and similar "modern" software, and these crypto algorithms are still considered secure. The lowest available security level is compatible with Internet Explorer on Windows 95.

Known limitations (server side):

  • Windows 10 and Windows 11 require a registry tweak to work (manually enabling all encryption suites). See below.
  • SSL 2.0 is supported only on Windows 7/8 servers. No support on Linux, macOS, Windows 10+/2016+.
  • 40-bit and NULL ciphers work only on Windows (even 11), and only with a registry tweak. No support on Linux, macOS.
  • 56-bit ciphers work on Windows only with a registry tweak, and on macOS only with a tweak. No support on Linux.
  • macOS: an OpenSSL configuration must be applied to enable SSL 3.0/3DES-56 (the default configuration bans everything weaker than TLS 1.2, AES-256). [10.14]
  • Linux: an OpenSSL configuration must be applied to enable non-SHA2 certificate support.
    • No support for 40-bit ciphers in most distributions.
    • No support for 56-bit ciphers in most distributions.
    • Ubuntu 22.04: no support for RC4/3DES ciphers, AES only.
    • Debian 12: no support for custom OpenSSL configuration, so TLS 1.2+, AES-256, SHA2 (root and site certificates) are the minimum supported.
    • All: you may try to recompile the OpenSSL libraries to get more ciphers and protocols supported.

ℹ️ Hint: Windows (no matter which: 7/11 or Server 2008R2/2025) is the preferred server OS for hosting WebOne for use with old browsers over "true" HTTPS.

Supported clients

✔️ HTTPS through WebOne works with these apps or newer versions of them:

  • Microsoft Internet Explorer: 3.0 and up.
  • Microsoft Internet Explorer Macintosh Edition: 5.0 and up (4.5 is partially supported).
  • Microsoft Pocket Internet Explorer: 4.01 and up.
  • Mozilla: any.
  • Firefox, SeaMonkey: any.
  • Netscape: 4.0 and up.
  • Opera: 5.0 and up.
  • Safari: any.
  • Chrome: any.
  • The list will be expanded in future.

✔️ In some cases (modern Linux servers) WebOne will use only SHA2 certificates and AES ciphers, which limits the client browsers to the following minimum requirements:

  • Microsoft Internet Explorer: any version on Windows XP SP3 or Vista or newer.
  • Mozilla: 1.7 and up.
  • Netscape: 7.2 and up.
  • Firefox, SeaMonkey: 1.0 and up. Sometimes Firefox 3.0/SeaMonkey 2.0 is a minimum.
  • Opera: 9.0 and up.
  • Safari: 3.0 and up on MacOS X 10.5+ or Windows XP SP3 or Vista+.
  • Windows SSL applications: Windows XP SP3 or Vista+.
  • Linux SSL applications: all which use OpenSSL 0.9.8o or newer.
  • MacOS X SSL applications: MacOS X 10.5+.
  • Konqueror: 3.5.6 and up.
  • iPhone/iPad applications: iOS 3.0+.
  • Windows Phone applications: 7.0+.
  • Google Chrome: 38+ on Windows XP SP2 and all versions on SP3 or Vista+.
  • (There was also a bug in WebOne v0.16.x, fixed in v0.17 and up, which always set SHA256 for certificates.)

Server OS-specific notes

WebOne looks at the system-wide configuration to enable or disable the cryptography technologies used to communicate with clients (and this cannot be fully overridden by WebOne developers). By default, on modern systems most retro technologies such as SSL 3 with 40-bit ciphers are disabled or even removed. This prevents some older browsers from working over HTTPS with the proxy unless the server is reconfigured.

Windows Server hosts

The lists of enabled SSL/TLS versions and cipher sets are configured via the HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 and HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL registry hives. By default on Windows 11 23H2, SSL 3.0 and most TLS 1.0 ciphers are disabled. Connections from browsers like Internet Explorer 6 will result in a 36871/10011 SChannel error. However, it's possible to enable anything up to TLS_RSA_WITH_RC4_128_SHA via the registry. Support for SSL 2.0 has been dropped since Windows 10 v1607. The actual list of cipher suites on Windows can be found here.

Always back up the registry hives listed above before editing. To enable all available SSL and TLS ciphers in Windows 7/8.1/10/11 or Server 2016-2022, import the registry file and reboot. Note that this will affect all SSL/TLS applications on the system, which may become less secure.

Linux and macOS hosts

On UNIX-like systems, WebOne uses the OpenSSL libraries and their configuration to establish SSL/TLS connections. Since WebOne 0.17, it uses a custom OpenSSL configuration file located at /etc/webone.conf.d/openssl_webone.cnf. It enables all cryptography algorithms that are built into the OpenSSL version in use. Sadly, the latest OpenSSL 1.1.x and 3.x.x libraries supplied with most Linux distributions have been built without legacy ciphers. So even with this custom configuration, pre-2008 browsers won't connect to WebOne proxies. Some magic with rebuilding OpenSSL from sources is needed to make SSL 3.0/TLS 1.0 work again.

Errors FAQ:

  • Using SSL certificate failed with OpenSSL error - ca md too weak: OpenSSL bans the MD5 or SHA1 certificate(s) used by WebOne. Set SslHashAlgorithm to SHA256 in the WebOne [SecureProxy] configuration.
  • SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL: there are no common ciphers between the retro client and the OpenSSL version in use. Try specifying some older ciphers in the [SecureProxy]/SslCipherSuites option, but probably all of the needed cipher suites were disabled at OpenSSL compile time.
  • I see these errors when running WebOne from the console, but not when running it as a systemd service. Try export OPENSSL_CONF=/etc/webone.conf.d/openssl_webone.cnf before starting WebOne.
  • I'm using an Apple macOS system. Run export OPENSSL_CONF=/Users/yourusername/Downloads/WebOne.0.17.3.mac-intel/openssl_webone.cnf before running WebOne.

Client-specific notes

Windows clients

Microsoft Windows XP

If you're experiencing problems, try installing these updates (Windows XP 32-bit only): SSL Updates XP.zip. On Server 2003, try installing the KB968730 update.

Microsoft Internet Explorer 4.0, 4.01, 5.0

The ie4dom.exe and ie5dom.exe updates for Microsoft Internet Explorer 4.0/5.0 do not work on Windows NT 4.0 systems. You need to install an NT Service Pack with High Encryption Support (MSNT128.EXE) or the ie501dom.exe update, which is suitable for MSIE 4.0 too. However, the update is fully compatible with Windows 95 and 98.

Microsoft Internet Explorer 3

The msie302_128bit.exe version of Microsoft Internet Explorer 3.02 does not apply 128-bit encryption support on Windows NT 4.0 systems. You need to install an NT Service Pack with High Encryption Support (MSNT128.EXE) or the ie501dom.exe update, which is suitable for MSIE 3.0 too. However, the version is fully compatible with Windows 95 and Windows 95 OSR2.

Microsoft Internet Explorer 2

This browser does not support any HTTPS proxies. Upgrade to at least MSIE 3.0.

Used ciphers:

Here is a list of supported ciphers based on Wireshark diagnostics. In case of connection problems, check that your proxy server OS supports at least one of these cipher suites.

  • * - means use of the "U.S. Only" SChannel.dll library. It's included in MSIE 5.5+, Windows 2000 SP2+, Windows ME, the High Encryption Pack for MSIE, and "North American" NT Service Packs with 128-bit security.
  • SPx, IEx, XP KBxxxxxxx - some ciphers were introduced in the SChannel version supplied with a specific version of MSIE or a Windows update.
    • TLS_RSA_WITH_RC4_128_MD5 - *
    • TLS_RSA_WITH_RC4_128_SHA - *
    • TLS_RSA_EXPORT_WITH_RC4_40_MD5
    • TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - NT4SP4+ IE5+
    • TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - NT4SP4+ IE5+
    • TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - IE4+
    • TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - IE4+
    • TLS_RSA_WITH_3DES_EDE_CBC_SHA - * NT4SP4+ IE5+ The most used cipher suite by Web browsers in 2000s
    • TLS_RSA_WITH_DES_CBC_SHA - * NT4SP4+ IE5+
    • TLS_RSA_WITH_AES_256_CBC_SHA256 - XP KB3055973 The most used cipher suite by Web browsers in 2010s (and Firefox 2, Opera 9, etc)
    • TLS_RSA_WITH_AES_128_CBC_SHA256 - XP KB3055973
    • TLS_RSA_WITH_AES_256_CBC_SHA - XP KB3055973
    • TLS_RSA_WITH_AES_128_CBC_SHA - XP KB3055973
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - Vista KB4056564
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - Vista KB4056564
    • SSL2_RC4_128_WITH_MD5 - *
    • SSL2_RC4_128_EXPORT40_WITH_MD5
    • SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 - IE4+
    • SSL2_DES_192_EDE3_CBC_WITH_MD5 - * NT4SP4+ IE5+
    • SSL2_RC2_128_CBC_WITH_MD5 - * NT4SP4+ IE5+
    • SSL2_DES_64_CBC_WITH_MD5 - * NT4SP4+ IE5+
    • [TLS 1.0] - NT4SP4+ IE5+
    • [TLS 1.1, 1.2] - XP/Vista KB4019276
    • [SHA2] - XP SP3, Vista SP0, 2003 KB968730
  • MSIE for Windows 3.1:
    • TLS_RSA_WITH_RC4_128_MD5 - * IE5
    • TLS_RSA_WITH_RC4_128_SHA - * IE5
    • TLS_RSA_EXPORT_WITH_RC4_40_MD5 - IE5
    • SSL2_RC4_128_EXPORT40_WITH_MD5

Note: OpenSSL and SChannel use slightly different cipher suite name sets. "TLS" may mean SSL 3.0 in some cases, not TLS 1.x. PCT-based suites are removed from the list, as Wireshark doesn't understand them in Client Hello messages.
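The check above (does the proxy server OS share at least one cipher suite with the retro client?) and the "no common ciphers" entry of the Errors FAQ can be reproduced offline from a captured Client Hello. The following is an added example, not WebOne's code: it parses the cipher suite list out of an SSL 3.0/TLS-format ClientHello record and intersects it with a server-enabled set. The suite tables, the IE5-style hello and the server sets are constructed for illustration (the Debian 12 and "tweaked Windows" sets are assumptions modelled on the notes above); SSL 2.0-format hellos use a different layout and are rejected.

```python
import struct

# IANA cipher suite codes for some suites named on this page (table constructed here)
SUITE_NAMES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

def parse_client_hello(record):
    """Return (client_version, [suite codes]) from an SSL 3.0/TLS-format ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record (SSL 2.0-format hello?)")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    version = struct.unpack("!H", hs[4:6])[0]
    pos = 6 + 32                      # skip the 32-byte client random
    pos += 1 + hs[pos]                # skip the session id (length-prefixed)
    n = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    return version, [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + n, 2)]

def common_suites(client_suites, server_enabled):
    """Suites both sides accept, in client preference order; empty list means handshake failure."""
    return [SUITE_NAMES.get(c, "0x%04X" % c) for c in client_suites if c in server_enabled]

def build_client_hello(version, suites):
    """Constructed hello: zeroed random, no session id, null compression, no extensions."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(hs)) + hs

# Constructed IE5-style SSL 3.0 hello: RC4/3DES/DES/export suites, no AES at all
IE5_HELLO = build_client_hello(0x0300, [0x0004, 0x0005, 0x000A, 0x0009, 0x0064, 0x0003])
AES_ONLY_SERVER = {0x002F, 0x0035, 0x003D}                          # assumed: Debian 12 default build
TWEAKED_WINDOWS = AES_ONLY_SERVER | {0x0004, 0x0005, 0x000A, 0x0009}  # assumed: after registry tweak

if __name__ == "__main__":
    _, suites = parse_client_hello(IE5_HELLO)
    print("AES-only server:", common_suites(suites, AES_ONLY_SERVER) or "NO COMMON SUITE")
    print("tweaked Windows:", common_suites(suites, TWEAKED_WINDOWS))
```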

Macintosh clients

Microsoft Internet Explorer 4.5

This version of MSIE does not fully support X.509 V3 certificates, so it is not suitable for HTTPS browsing via WebOne. However, you may install MSIE 5 in a separate folder and import the WebOne CA certificate there; it will then be accessible by MSIE 4.5, because both MSIE versions use the same preferences folder.

Non-HTTPS SSL-based protocols support

WebOne supports software that uses the HTTP CONNECT method to connect to non-HTTPS servers over SSL. So you may connect, say, mIRC on Windows XP to a modern IRCS server via WebOne.

The port or host name must be listed in the [NonHttpSslServers] configuration file section, otherwise WebOne will not downgrade the TLS traffic encryption level. This is intended to allow non-SSL-based protocols to work via WebOne (e.g. port 5190 is ICQ, and ICQ uses HTTP CONNECT but does not use SSL/TLS).

E-Mail SSL support

WebOne currently does not support processing the STARTTLS method for e-mail protocols (POP3, IMAP, SMTP, etc).

Server configuring

Options of the HTTPS/SSL proxy are configured via the [SecureProxy] section of the configuration file(s). Note that the SslProtocols option still relies on the OS configuration. It will not accept SSL 2.0 unless it (and the corresponding cipher suites) is enabled by the OS configuration and is supported by OpenSSL/SChannel on the proxy server OS.

After changes related to the CA root certificate, it needs to be rebuilt from scratch. Just run WebOne with the --rebuild-ca command line argument (or clear the ssl.key file contents), then relaunch the proxy server normally. After this, the new CA file needs to be imported into the client system(s).

ℹ️ Notice: if you have upgraded from WebOne 0.17.2 or earlier to 0.17.3 or newer, consider rebuilding your CA certificate. The older certificates are not quite valid and are sometimes rejected by older software.

Custom certificate generator

You may also specify a custom root certificate and even an external utility that will produce site certificates, instead of using the built-in certificate generator. With a custom certificate generator, it is possible to work with strange (buggy) clients.

Both the CA and site certificates must be in PEM format, split into 2 files: the certificate itself (.crt) and its private key (.key). The root certificate/key files are expected at the specified paths. If these files are absent, they will be generated by WebOne. If they're present, they will be loaded. The site certificates and keys are looked up at the paths specified in SslSiteCerts, and if not present, the SslSiteCertGenerator-specified app or the built-in generator will be invoked to generate them. The built-in generator stores the certificates in a RAM cache only.
