
Windows 9x SSL Protocol WinSSLWrap 1.17 (Rev 08)


I have found a gem for Windows 9x that allows us to connect to servers that require SSL Authentication. I pursued this endeavor because of the annoying pop-up in Outlook Express.

The server you are connected to is using a security certificate that could not be verified. 0x80096004 Do you want to continue using this server? (yes) (no)

I have created an unofficial installer with all of the necessary files. The tool allowed me to connect to Outlook with no errors whatsoever. I thought I would share it with you guys. Some of you can go back to using your classic/favorite apps in the meantime that require SSL Authentication. Here are the links if you want to do everything manually.


1. Original site with the latest version and source code. https://web.archive.org/web/20031003172432/http://pftp.suxx.sk/winsslwrap/

2. You're gonna need blackwingcat openssl files http://blog.livedoor.jp/blackwingcat/archives/1591502.html

3. A reference webpage that I found that got me started http://oifan.xf.cz/WinSSLWrap/doc/winsslwrapHOW-TO.html


Take a close look at the image. I have added the SSL port numbers in the preset file. The installer creates a shortcut in the startup folder, so it runs in the background, as it should. As you can see, Google shook my hand and acknowledged the SSL.


The installer does most of the work, but users need to configure each app to use localhost, which is present in the screenshot.


Please let me know if I have missed any ports or if I have any of them wrong.

Virus scanners might flag it, but I'm pretty trustworthy and have no intention of messing up any computers.




All credit goes to Eric Young for the delightful app and blackwingcat for the patched openssl files. Enjoy.



Download here



It's back to my cave.



Users need to log off and then login after installation.

Link to comment
Share on other sites

Great work!


It works for any server?

I have only tried SSL Authentication with Outlook Express. I don't know about other apps because I don't get pop ups. I will gradually post screen shots and instructions on how to configure some software. We all use different programs, so each configuration is going to be different.

Link to comment
Share on other sites

It works for any server?

I was able to connect to my FTPS server using classic versions of WS_FTP LE 5.08 and 6.0. They both worked with no problems. So it's safe to say as long as you configure the app that requires SSL Authentication correctly, you shouldn't have any problems.

Link to comment
Share on other sites

Very useful. Thanks. BTW, I've used a similar product called "stunnel" on Windows XP. This app does the same thing, and is easier to set up (stunnel required manually editing a configuration file, but this one can be configured right from the GUI). It uses a current version of the well-regarded OpenSSL platform (specifically, 1.0.1p) so it'll support all the latest SSL and TLS protocols and features.


It could use a little more explanation, but it's not hard. For those who are lost; first, start the program. It's installed in "C:\Program Files\SSL Protocol" and is named wrap.exe. You'll probably want a shortcut to wrap.exe in the Startup folder of your start menu so it starts every time you boot up. Once it's running you'll see a "WIN SSL" icon in your system tray.


Next, say you want to set up secure email on a client such as Outlook Express. Set up an account on OE with "localhost" as the server names for POP, IMAP, and/or SMTP (whichever protocols you want to secure). Tell OE the connections to "localhost" are not secure. Then click the "WIN SSL" icon in the system tray, click "Services," put the real server names in the corresponding protocols (and if you use gmail, they're already filled in for you), click OK, then minimize (don't close) the window.


Now OE will connect to wrap.exe, which listens on localhost, and wrap.exe will make the secure connections to the actual server(s), avoiding the problems of Win98's schannel.dll not supporting new certificates and protocols.


Secure email is the most obvious app, but you can use it with other TCP/IP protocols too. I used it to secure a Telnet connection and it works fine.


Its only weakness is HTTP (e.g., web browsing). With email, you usually have only one server per protocol to secure, but with HTTP, there are millions (billions?). Luckily, for straight browsing, there are good alternatives to IE6, so a program like this isn't needed. But if you're using Outlook or OE, Win98 is still using IE6 to open linked images and the like, so email will work but you may see a lot of blank image boxes in some of your emails.

Link to comment
Share on other sites
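The forwarding arrangement described in the post above (the client talks plaintext to localhost, the wrapper makes the secure connection), as an added Python example; it is not WinSSLWrap's code and not part of the original thread. It verifies the server certificate and host name on the outbound leg and listens on loopback only; the host name and ports are placeholders.

```python
import select
import socket
import ssl
import threading

def make_client_context():
    """Outbound TLS settings: verify the chain and the server name."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def relay(plain, secure):
    """Copy bytes both ways until either side closes."""
    while True:
        readable, _, _ = select.select([plain, secure], [], [])
        for src in readable:
            dst = secure if src is plain else plain
            data = src.recv(16384)
            if not data:
                return
            dst.sendall(data)
            # Decrypted bytes already buffered by OpenSSL are invisible to select().
            while isinstance(src, ssl.SSLSocket) and src.pending():
                dst.sendall(src.recv(src.pending()))

def handle(client, remote_host, remote_port, ctx):
    """Bridge one local plaintext client to the TLS server."""
    try:
        with client, socket.create_connection((remote_host, remote_port), 15) as raw:
            # wrap_socket raises if the certificate or host name does not verify,
            # so the client is dropped rather than bridged to an unverified peer.
            with ctx.wrap_socket(raw, server_hostname=remote_host) as tls:
                tls.settimeout(None)
                relay(client, tls)
    except OSError:   # includes ssl.SSLError and certificate failures
        pass

def serve(listen_port, remote_host, remote_port):
    """Listen on loopback only so other machines cannot use the wrapper."""
    ctx = make_client_context()
    with socket.create_server(("127.0.0.1", listen_port)) as srv:
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handle, daemon=True,
                             args=(client, remote_host, remote_port, ctx)).start()

if __name__ == "__main__":
    serve(1110, "pop.example.com", 995)   # placeholder host and ports
```

The local leg between the mail client and the wrapper is unencrypted by design, which is why the listener is bound to 127.0.0.1 rather than to all interfaces.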

Thanks Mathwiz


I have plans to post configurations and screenshots for some of the software I use. I also added to the first post that the installer already creates a shortcut in the startup folder; users need to either start it manually or log off and log back in. Did you use the default TNET=TELNET SSL in the preset or did you create another? Also, users need to remember that apps that use firewalls or proxies, etc., need a more surgical approach. Thanks for the help on instructions, it took me a hot minute to figure some things out because the original instructions are very vague. You would think it's simple (of course, to us geeks), but newbies will definitely have some issues. Another thing I noticed: it works somewhat like a firewall. If configurations are wrong, you will not get a connection to whatever server you try to connect to. Are all the ports correct in the preset?


The installer should work on Win95, Win98 FE and WinME.

Link to comment
Share on other sites

I used the default for Telnet; just entered the host name. For my application (an IBM AS/400) I had to add a couple more forwards (insecure port 8470 to secure port 9470, and the same for 8476 / 9476). But that's specific to the AS/400 and its Telnet client software. A generic Telnet application wouldn't need those extra forwards.


All the presets looked correct. The HTTP preset is probably unnecessary for most users. It might come in handy for securing a connection to an HTTP proxy, although in that case the port numbers might not be the default. But I'd think anyone using a secure HTTP proxy would know what port to use.

Link to comment
Share on other sites

I haven't looked at keygen.bat yet, but from the sound of it, I'd guess it's used to generate private/public key pairs. (OpenSSL.org is revamping their site and their docs are temporarily screwed up, so I can't tell much more at the moment.)


I'll take a closer look tonight and reply back, but if I'm right, you probably only need it to create your own certificates, for one of two purposes:

  1. Client certificates (to be used instead of a user ID & password to identify yourself to a server)
  2. If you're running your own server and want to secure it with SSL (using wrap.exe in reverse of how you and I are using it)

Edit: I was right. It uses OpenSSL to generate a private/public key pair. Technically, it generates a 2048-bit RSA key, which is the de facto standard for SSL certificates today. The public key is included in a certificate that is set to expire after one year. OpenSSL will prompt you for identifying info for the certificate.


The batch file then combines the certificate and private key into a .pem file, presumably for use with wrap.exe. (Since the .pem file contains your private key, you should not give it to anyone else.)


End of Edit.


So most folks probably don't need to worry about it.


BTW, here's a definition I found here for the .pem file format:

.pem Defined in RFC's 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. The name is from Privacy Enhanced Email, a failed method for secure email but the container format it used lives on, and is a base64 translation of the x509 ASN.1 keys.

Also of note, from the same page:

  • .der A way to encode ASN.1 syntax in binary, a .pem file is just a Base64 encoded .der file. OpenSSL can convert these to .pem (openssl x509 -inform der -in to-convert.der -out converted.pem). Windows sees these as Certificate files. By default, Windows will export certificates as .DER formatted files with a different extension. Like...
  • .cert .cer .crt A .pem (or rarely .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.
Edited by Mathwiz
Link to comment
Share on other sites
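The PEM/DER relationship and the private-key caution from the post above, as an added Python example (not part of the original thread and not keygen.bat's code). It splits a .pem bundle into its blocks, decodes each back to DER, and reports whether the file holds a private key; the sample bundle is constructed from placeholder bytes, not real key material.

```python
import base64
import re
import textwrap

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def der_to_pem(label, der):
    """PEM is the DER bytes in Base64, wrapped at 64 columns between markers."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def split_pem(text):
    """Return (label, headers, decoded_bytes) for every block in a bundle."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]      # e.g. Proc-Type, DEK-Info
        b64 = "".join(ln for ln in lines if ":" not in ln)
        blocks.append((label, headers, base64.b64decode(b64, validate=True)))
    return blocks

def audit_bundle(text):
    """Count what a .pem holds and decide whether it may be handed out."""
    report = {"certificates": 0, "private_keys": 0, "unencrypted_keys": 0,
              "malformed": []}
    for label, headers, data in split_pem(text):
        legacy_encrypted = any("ENCRYPTED" in h for h in headers)
        # Everything except legacy header-encrypted keys is a DER structure
        # that starts with an ASN.1 SEQUENCE tag (0x30).
        if not legacy_encrypted and data[:1] != b"\x30":
            report["malformed"].append(label)
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            report["private_keys"] += 1
            if not (legacy_encrypted or label.startswith("ENCRYPTED")):
                report["unencrypted_keys"] += 1
    report["shareable"] = report["private_keys"] == 0
    return report

# Constructed sample: placeholder bytes with a SEQUENCE tag, not real key material.
SAMPLE = (der_to_pem("CERTIFICATE", b"\x30\x82\x00\x60" + bytes(96))
          + der_to_pem("RSA PRIVATE KEY", b"\x30\x82\x00\x40" + bytes(64)))

if __name__ == "__main__":
    print(audit_bundle(SAMPLE))
```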

Follow the tabs in the screenshots. SE=Self-Explanatory

Replace the names in the shots with your actual information. As you can see, servers are localhost. That's it, that's all. This is how to get Outlook running. As I said before, each app will be configured differently depending on the features. Since the presets are correct, users only need to set Remote Host in WinSSL and set server to localhost in the application.

To sum it up

1. Make sure WinSSL is running in the background.

2. Set Remote Host to whatever server you are trying to connect to for that specific protocol. Use the screenshot examples.

3. Set the apps you plan to use to localhost if it has a server option. After that, make sure all encryption is unchecked in the app.

Link to comment
Share on other sites

I make extensive (even insane) use of my HOSTS file to block contact with any host that I figure my win-98 computer doesn't need to talk to. I add entries based on what I see when I examine web-page code and also what my router shows in the out-going contact logs. Some of these entries probably make browsing on some sites difficult or impossible (it's hard to know which entries are responsible) but if FF2 can't perform then Opera 12.02 frequently can.

In an effort to see if I can serve up some of the frequently accessed files locally, I installed Abyss Web Server free version, which you must choose either http or https service (I chose https). So it serves up quite a lot of .js files that I've retrieved manually and placed in the local web-server directory (214 files at last count, 90 of them being .js files, 22 of them .css files, etc). Various jquery.js files being the most common. I examine these .js files (expand them when necessary and store them that way) and look for references to other hosts and mung them for the fun of it.

I mention all this because one of the things that Abyss has is this:


The host that is shown in that example (apis.google.com) is currently rem'd out in my hosts file. It will serve up TLS/SSL ciphers on port 443 for any hosts that I have in my HOSTS file.

Here is the Abyss help-page for these functions: http://www.aprelium.com/data/doc/2/abyssws-win-doc-html/ssl.html

I don't know if any of this would help outlook when contacting a mail host (like gmail) as a way to get around SSL or Certificate errors during login... ?

Link to comment
Share on other sites

I make extensive (even insane) use of my HOSTS file to block contact with any host that I figure my win-98 computer doesn't need to talk to.

I think you must have HOSTS and localhost confused. WINSSL has nothing to do with HOSTS files, it simply shakes hands with a server that has SSL encryption and allows Win98 to connect. That's it, that's all. There is a batch file that creates .pem certs. I guess they could be equivalent to each other.
Edited by PROBLEMCHYLD
Link to comment
Share on other sites


I make extensive (even insane) use of my HOSTS file to block contact with any host that I figure my win-98 computer doesn't need to talk to.

I think you must have HOSTS and localhost confused. WINSSL has nothing to do with HOSTS files, it simply shakes hands with a server that has SSL encryption and allows Win98 to connect. That's it, that's all. There is a batch file that creates .pem certs. I guess they could be equivalent to each other.

It isn't totally obvious what Nomen is doing, but my guess is he's using a trick I also use: putting the IP address of localhost ( into my HOSTS file for web sites I don't want to connect to (e.g., banner advertising sites). This can speed up browsing because instead of wasting time downloading ads you didn't want to look at anyway, your browser just tries to download the ad from your own PC.


A problem with this trick is that where the ad was supposed to appear, you get an ugly rectangular box with no image to fill it. To get around this, I use a "local only" web server on my PC that feeds small "dummy" images to fill those boxes. However, this only works with blocked http: sites, not https: ones.


I thought about using WinSSLWrap for the blocked https: sites. My idea was to use it in reverse, letting it listen on port 443 using SSL, and connect to my local web server on port 80. But then I realized it wouldn't work: it would always serve the same certificate, no matter which site the browser was trying to access, and that would trigger the browser's "site name mismatch" warning.

Link to comment
Share on other sites
