Thomas S. Posted September 24, 2018 Share Posted September 24, 2018 Hello all, as announced I have released a new CAupdater - and here is how it works. Download via CAupdater, password is wU8moSRS1S9vfYc Installation is easy, only extract the 7z file (and see under "/docs"). The benefit is the enhanced error handling. CAupdater will install only NEW MS CAstore (sst) files (always together with files not updated but still actual), regardless if incorrect OLDER files offered on MS servers. CAupdater use the update procedure as offered from MS regardless the version previous installed via WU / MU. Only WGET is used additionally to download the MS CAstore (sst) files, there are no other third party tools for the update of the CAstore. CAupdater himself only manage and launch the update. You can find the full AutoHotkey (AHK) code with comments of CAupdater.exe in the subdirectory "docs", see the file CaUpdater.ahk.txt. This are the steps CAupdater make. Every step, even every single MS CAstore (sst) file install, has a error routine and give a feedback about any error. 1. WGET looks for newer MS CAstore (sst) files on MS server and download them local only if they are newer as local stored. 2. Then compare the actual local stored MS CAstore (sst) file dates with the last installation (the file dates of the previous update are stored in the CAupdate INI file). 3. Then ask for confirmation to update the local client CAstore if one ore more local stored MS CAstore (sst) files are new. 4. If "YES" install ALL local stored MS CAstore (sst) files (ALL - this is the same as the MS CAstore update do). If "NO" CAupdater do nothing - and finish. The five commands to install the MS CAstore (sst) files are: updroots.exe authroots.sst updroots.exe -d delroots.sst updroots.exe -l roots.sst updroots.exe updroots.sst updroots.exe -l -u disallowedcert.sst 5. At last show the status (or errors if some), safe new installed MS CAstore (sst) file dates in CAupdater INI file and finish. If errors occure, only the date and status of the update try is stored in the INI file, so you can look for the problem and try again. With this steps only NEW MS CAstore (sst) files will be installed (always together with files not updated but still actual), regardless if incorrect OLDER files offered on MS servers. When you run CAupdater the first time there are no file dates in CAupdater INI file present. So ALL MS CAstore (sst) files marked as NEW in the confirmation dialog. This is also a way to install all MS CAstore (sst) files again - simply delete all the file date entries under section [CAupdaterLog] in CAupdater INI file and start CAupdater again. If you want to run CAupdater without any confirmation dialog you can set the entry "NoConfirmation=1" in CAupdater INI file. Then only Errors will be shown. With set to 2 only a small information dialog is shown on the end and close after five seconds. For special situations you can use two batch files stored in the subdirectory "UpdRoots". This will install the local stored MS CAstore (sst) files the same way as WU / MU do and set also all registry settings needed. The two batch run only this commands: #RootsUpdate.bat Rundll32.exe advpack.dll,LaunchINFSection rootsupd.inf,DefaultInstall #RevokedRootsUpdate.bat Rundll32.exe advpack.dll,LaunchINFSection rvkroots.inf,DefaultInstall The INF files are modified as shown by heinoganda in the first post of this thread 1 Link to comment Share on other sites More sharing options...
heinoganda Posted September 25, 2018 Author Share Posted September 25, 2018 Cert_Updater updated to version 1.4 Various features implemented so that no obsolete sst files are installed. It is now possible to use additional download sources for existing download sources (up to 5), one another download source has already been added. Further information can be found in the file "Info Version 1.4.txt". to the updated version 3 Link to comment Share on other sites More sharing options...
glnz Posted September 25, 2018 Share Posted September 25, 2018 heinoganda - I just tried it (without understanding the Info .txt), and the results are: ******************************************************* * authroots.sst 07/18/2018 05:09 PM Roots * * delroots.sst 07/06/2018 02:05 PM Roots * * roots.sst 07/06/2018 02:05 PM Roots * * updroots.sst 08/20/2018 08:12 PM Roots * * disallowedcert.sst 04/27/2018 03:29 PM Revoked * ******************************************************* Does that look correct? Thanks. Link to comment Share on other sites More sharing options...
dencorso Posted September 25, 2018 Share Posted September 25, 2018 I think so. You got the same results as I did. Link to comment Share on other sites More sharing options...
Dave-H Posted September 26, 2018 Share Posted September 26, 2018 I'm now getting this intermittently in my Windows System log - Is this another certificates problem? The information in the data section of the error means nothing to me I'm afraid! I'm still getting problems in my Eudora e-mail program, despite using the certificate updater and HTTPSProxy. I had an e-mail from Plex the other day about some new offering, and it took literally nearly a minute to open in Eudora! The e-mails from Sky and Marks and Spencer only take about 30 seconds, but that's bad enough. They all look perfect once they're opened, but what could possible be taking so long to resolve when downloading them?! Link to comment Share on other sites More sharing options...
heinoganda Posted September 27, 2018 Author Share Posted September 27, 2018 (edited) @Dave-H It would be an advantage if you could find the certificate in the below displayed HEX data, with this error message. The problem is because of the Avast with a certificate with outdated encryption technology for me too, because at Avast the Windows XP support on the technical state of April 2014 has stopped (root certificate with outdated and unsafe encryption technology are still used). This seems to happen when the definition data is updated, which is not a problem because a backup server works with modern encryption technology. For today is once over and will go to sleep. Edited September 27, 2018 by heinoganda Link to comment Share on other sites More sharing options...
Dave-H Posted September 28, 2018 Share Posted September 28, 2018 OK, I've found out what's triggering the error message, it happens now every time I run the Opera 36 browser. This is the last version which works on XP. I have sync enabled, and I can only assume that connecting to Opera's servers for this is causing the error message, but I have no idea why. Link to comment Share on other sites More sharing options...
heinoganda Posted September 28, 2018 Author Share Posted September 28, 2018 @Dave-H Do you have HTTPS proxy running when using Opera? If so, look for the console of HTTPS Proxy if there are yellow entries in the connections when syncing with Opera.The address (URL) of the yellow entry with the error message is needed (best the complete message) and if necessary an entry must be inserted at the config.ini. Link to comment Share on other sites More sharing options...
Dave-H Posted September 28, 2018 Share Posted September 28, 2018 (edited) Yes, this is what I'm seeing in the HTTPSProxy console - [21:31] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:5222] [21:31] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:443] [21:31] 000 "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:600)" while trying to establish local SSL tunnel for [autoupdate.geo.opera.com:443] [21:31] 039 [D] "POST https://sync.opera.com/api/sync/command/?client=Opera&client_id=xxxxxxxxxxxxxxxxxx" 200 261 [21:31] 000 "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:600)" while trying to establish local SSL tunnel for [autoupdate.geo.opera.com:443] [21:31] 022 ProxHTTPSProxyMII FrontProxy/v1.4 [WinError 10054] An existing connection was forcibly closed by the remote host [21:31] 023 ProxHTTPSProxyMII FrontProxy/v1.4 [WinError 10054] An existing connection was forcibly closed by the remote host [21:31] 000 "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:600)" while trying to establish local SSL tunnel for [autoupdate.geo.opera.com:443] [21:31] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:5222] [21:31] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:443] [21:31] 000 "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:600)" while trying to establish local SSL tunnel for [autoupdate.geo.opera.com:443] [21:31] 041 [D] "GET https://easylist-downloads.adblockplus.org/easyprivacy.txt?_=1538166666207" 200 123845 [21:31] 040 [D] "GET https://easylist-downloads.adblockplus.org/easylist.txt?_=1538166666206" 200 637620 [21:32] 042 [D] "POST https://autoupdate.geo.opera.com/ 1037" 200 - [21:32] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:5222] [21:32] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:443][21:31] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:5222] [21:31] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:443] [21:31] 000 "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:600)" while trying to establish local SSL tunnel for [autoupdate.geo.opera.com:443] [21:31] 039 [D] "POST https://sync.opera.com/api/sync/command/?client=Opera&client_id=xxxxxxxxxxxxxxxxxx" 200 261 [21:31] 000 "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:600)" while trying to establish local SSL tunnel for [autoupdate.geo.opera.com:443] [21:31] 022 ProxHTTPSProxyMII FrontProxy/v1.4 [WinError 10054] An existing connection was forcibly closed by the remote host [21:31] 023 ProxHTTPSProxyMII FrontProxy/v1.4 [WinError 10054] An existing connection was forcibly closed by the remote host [21:31] 000 "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:600)" while trying to establish local SSL tunnel for [autoupdate.geo.opera.com:443] [21:31] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:5222] [21:31] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:443] [21:31] 000 "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:600)" while trying to establish local SSL tunnel for [autoupdate.geo.opera.com:443] [21:31] 041 [D] "GET https://easylist-downloads.adblockplus.org/easyprivacy.txt?_=1538166666207" 200 123845 [21:31] 040 [D] "GET https://easylist-downloads.adblockplus.org/easylist.txt?_=1538166666206" 200 637620 [21:32] 042 [D] "POST https://autoupdate.geo.opera.com/ 1037" 200 - [21:32] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:5222] [21:32] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:443] I guess this is the problem! Edited September 29, 2018 by Dave-H Link to comment Share on other sites More sharing options...
glnz Posted September 28, 2018 Share Posted September 28, 2018 Dave-H and heinoganda - this is only about the schannel error, not the crypt32 error, correct? Link to comment Share on other sites More sharing options...
Mathwiz Posted September 28, 2018 Share Posted September 28, 2018 1 hour ago, Dave-H said: I guess this is the problem! I'm not so sure - Opera uses schannel.dll to communicate to the proxy server, but the proxy doesn't use schannel.dll to communicate to the outside world. (That's sort of the point.) So unless Opera is bypassing the proxy for some site, the only way you should be getting certificate validation errors from schannel.dll is if the proxy server's own CA.crt certificate isn't installed or trusted. Link to comment Share on other sites More sharing options...
heinoganda Posted September 28, 2018 Author Share Posted September 28, 2018 @Dave-H Quit HTTPS Proxy, open the config.ini file in the HTTPS Proxy directory, add the following entries under [SSL Pass-Thru] and start HTTPS Proxy again as usual. *sync.opera.com* *autoupdate.geo.opera.com* Check if the error messages on the console of HTTPS Proxy still exist and if the error still occurs under Windows system log. Link to comment Share on other sites More sharing options...
Dave-H Posted September 28, 2018 Share Posted September 28, 2018 Thanks, I added those entries and the error messages are gone! This is what I'm seeing now in HTTPSProxy - [23:28] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:5222] [23:28] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:443] [23:28] 003 [D] "GET https://news.google.com/news?q={searchTerms}&sourceid=opera&num=%i&ie=utf-8&oe=utf-8" 301 0 [23:28] 002 [D] "GET https://www.google.com/search?q={searchTerms}&sourceid=opera&num=%i&ie=utf-8&oe=utf-8" 302 315 [23:28] 001 [D] "GET https://www.google.com/search?q={searchTerms}&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest" 302 324 [23:28] 007 [D] "GET https://news.google.com/search?q=%7BsearchTerms%7D&sourceid=opera&num=%25i&ie=utf-8&oe=utf-8" 302 0 [23:28] 006 [D] "GET https://search.opera.com/?search={searchTerms}&global=no" 302 262 [23:28] 008 [D] "GET https://www.google.com/search?client=opera&q={searchTerms}&sourceid=opera&num=%i&ie=utf-8&oe=utf-8" 200 - [23:28] 009 [D] "GET https://www.google.com/search?client=opera&q={searchTerms}&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest" 200 - [23:28] 005 [D] "GET https://www.amazon.com/s/145-7872646-0478402?ie=UTF8&index=blended&keywords=%7BsearchTerms%7D&link_code=qs&tag=opera-20" 200 - [23:28] 010 [D] "GET https://www.google.com/sdch/4orahf3u.dct" 200 - [23:28] 010 ProxHTTPSProxyMII FrontProxy/v1.4 [WinError 10053] An established connection was aborted by the software in your host machine [23:28] 000 [D] SSL Pass-Thru: https://sync.opera.com:443/ [23:28] 004 [D] "GET https://com.com/" 200 - [23:28] 012 [D] "OPTIONS https://plex.tv/pms/:/ip None" 200 0 [23:28] 014 [D] "GET https://plex.tv/pms/:/ip" 200 15 [23:28] 013 [R][D] "GET https://plex.r.worldssl.net/announcements/announcements.json?cb=1538173710824" HTTPSConnectionPool(host='plex.r.worldssl.net', port=443): Max retries exceeded with url: /announcements/announcements.json?cb=1538173710824 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x03772FB0>: Failed to establish a new connection: [Errno 11001] getaddrinfo failed',)) [23:28] 011 [D] "GET https://search.yahoo.com/yhs/search?hspart=Opera&hsimp=yhs-international&p=%7BsearchTerms%7D" 200 - [23:28] 000 [D] SSL Pass-Thru: https://www.google-analytics.com:443/ [23:28] 000 [D] SSL Pass-Thru: https://www.google-analytics.com:443/ [23:28] 000 [D] SSL Pass-Thru: https://www.google-analytics.com:443/ [23:28] 007 [D] "GET https://news.google.com/search?q=%7BsearchTerms%7D&sourceid=opera&num=%25i&ie=utf-8&oe=utf-8" 302 0 [23:28] 015 [D] "GET https://news.google.com/search?q=%7BsearchTerms%7D&sourceid=opera&num=%25i&ie=utf-8&oe=utf-8&hl=en-GB&gl=GB&ceid=GB:en" 200 - [23:28] 015 ProxHTTPSProxyMII RearProxy/v1.4 [WinError 10053] An established connection was aborted by the software in your host machine [23:28] 016 [D] "GET https://search.yahoo.com/favicon.ico" 304 - [23:28] 015 [D] "GET https://news.google.com/search?q=%7BsearchTerms%7D&sourceid=opera&num=%25i&ie=utf-8&oe=utf-8&hl=en-GB&gl=GB&ceid=GB:en" 200 - [23:28] 000 [D] SSL Pass-Thru: https://autoupdate.geo.opera.com:443/ [23:28] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:5222] [23:28] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:443] Still some apparent errors there, but nothing in the Windows logs. Cheers, Dave. Link to comment Share on other sites More sharing options...
heinoganda Posted September 29, 2018 Author Share Posted September 29, 2018 (edited) @Dave-H An error is still at the beginning and end to see again in the HTTPS proxy console, open the config.ini file in the HTTPS proxy directory, add the following entrie under [SSL pass-thru] and start HTTPS proxy again as usual. *push.opera.com* The next coming update of HTTPS Proxy will apply these entries. If you have such yellow error messages on certain web pages you can communicate them via PM. Otherwise, only Windows system log remains to see if this error still occurs. Edited September 29, 2018 by heinoganda Link to comment Share on other sites More sharing options...
Vistaboy Posted September 29, 2018 Share Posted September 29, 2018 (edited) On a XP installed before 21/8 (certificate expiring date) today no traces of certificate errors on Chrome either IE8. What's the matter? Edited September 29, 2018 by Vistaboy Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now