Jump to content

Root Certificates and Revoked Certificates for Windows XP


heinoganda

Recommended Posts

Hello all,

as announced I have released a new CAupdater - and here is how it works.

Download via CAupdater, password is

wU8moSRS1S9vfYc

Installation is easy, only extract the 7z file (and see under "/docs").

The benefit is the enhanced error handling.

CAupdater will install only NEW MS CAstore (sst) files (always together with files not updated but still actual), regardless if incorrect OLDER files offered on MS servers.

CAupdater use the update procedure as offered from MS regardless the version previous installed via WU / MU.
Only WGET is used additionally to download the MS CAstore (sst) files, there are no other third party tools for the update of the CAstore.
CAupdater himself only manage and launch the update.
You can find the full AutoHotkey (AHK) code with comments of CAupdater.exe in the subdirectory "docs", see the file CaUpdater.ahk.txt.

This are the steps CAupdater make.
Every step, even every single MS CAstore (sst) file install, has a error routine and give a feedback about any error.

1. WGET looks for newer MS CAstore (sst) files on MS server and download them local only if they are newer as local stored.

2. Then compare the actual local stored MS CAstore (sst) file dates with the last installation (the file dates of the previous update are stored in the CAupdate INI file).

3. Then ask for confirmation to update the local client CAstore if one ore more local stored MS CAstore (sst) files are new.

4. If "YES" install ALL local stored MS CAstore (sst) files (ALL - this is the same as the MS CAstore update do).
   If "NO" CAupdater do nothing - and finish.
   The five commands to install the MS CAstore (sst) files are:

    updroots.exe authroots.sst
    updroots.exe -d delroots.sst
    updroots.exe -l roots.sst
    updroots.exe updroots.sst
    updroots.exe -l -u disallowedcert.sst

5. At last show the status (or errors if some), safe new installed MS CAstore (sst) file dates in CAupdater INI file and finish.
   If errors occure, only the date and status of the update try is stored in the INI file, so you can look for the problem and try again.

With this steps only NEW MS CAstore (sst) files will be installed (always together with files not updated but still actual), regardless if incorrect OLDER files offered on MS servers.

When you run CAupdater the first time there are no file dates in CAupdater INI file present.
So ALL MS CAstore (sst) files marked as NEW in the confirmation dialog.
This is also a way to install all MS CAstore (sst) files again - simply delete all the file date entries under section [CAupdaterLog] in CAupdater INI file and start CAupdater again.

If you want to run CAupdater without any confirmation dialog you can set the entry "NoConfirmation=1" in CAupdater INI file.
Then only Errors will be shown.
With set to 2 only a small information dialog is shown on the end and close after five seconds.

For special situations you can use two batch files stored in the subdirectory "UpdRoots".
This will install the local stored MS CAstore (sst) files the same way as WU / MU do and set also all registry settings needed.
The two batch run only this commands:
#RootsUpdate.bat        Rundll32.exe advpack.dll,LaunchINFSection rootsupd.inf,DefaultInstall
#RevokedRootsUpdate.bat        Rundll32.exe advpack.dll,LaunchINFSection rvkroots.inf,DefaultInstall

The INF files are modified as shown by heinoganda in the first post of this thread

 

Link to comment
Share on other sites


Cert_Updater updated to version 1.4

Various features implemented so that no obsolete sst files are installed. It is now possible to use additional download sources for existing download sources (up to 5), one another download source has already been added. Further information can be found in the file "Info Version 1.4.txt".

to the updated version

:)

Link to comment
Share on other sites

heinoganda - I just tried it (without understanding the Info .txt), and the results are:

*******************************************************
* authroots.sst         07/18/2018 05:09 PM Roots     *
* delroots.sst          07/06/2018 02:05 PM Roots     *
* roots.sst             07/06/2018 02:05 PM Roots     *
* updroots.sst          08/20/2018 08:12 PM Roots     *
* disallowedcert.sst    04/27/2018 03:29 PM Revoked   *
*******************************************************

Does that look correct?

Thanks.

Link to comment
Share on other sites

I'm now getting this intermittently in my Windows System log -

Schannel.thumb.jpg.911bc2d7df7619544d8b5360873e6388.jpg

Is this another certificates problem?
The information in the data section of the error means nothing to me I'm afraid!

I'm still getting problems in my Eudora e-mail program, despite using the certificate updater and HTTPSProxy.
I had an e-mail from Plex the other day about some new offering, and it took literally nearly a minute to open in Eudora!
The e-mails from Sky and Marks and Spencer only take about 30 seconds, but that's bad enough.
They all look perfect once they're opened, but what could possible be taking so long to resolve when downloading them?!
:dubbio:

Link to comment
Share on other sites

@Dave-H

It would be an advantage if you could find the certificate in the below displayed HEX data, with this error message. The problem is because of the Avast with a certificate with outdated encryption technology for me too, because at Avast the Windows XP support on the technical state of April 2014 has stopped (root certificate with outdated and unsafe encryption technology are still used). This seems to happen when the definition data is updated, which is not a problem because a backup server works with modern encryption technology. For today is once over and will go to sleep.

:)

Edited by heinoganda
Link to comment
Share on other sites

OK, I've found out what's triggering the error message, it happens now every time I run the Opera 36 browser.
This is the last version which works on XP.
I have sync enabled, and I can only assume that connecting to Opera's servers for this is causing the error message, but I have no idea why.
:)

Link to comment
Share on other sites

@Dave-H

Do you have HTTPS proxy running when using Opera? If so, look for the console of HTTPS Proxy if there are yellow entries in the connections when syncing with Opera.The address (URL) of the yellow entry with the error message is needed (best the complete message) and if necessary an entry must be inserted at the config.ini.

:)

Link to comment
Share on other sites

Yes, this is what I'm seeing in the HTTPSProxy console -

[21:31] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:5222]
[21:31] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:443]
[21:31] 000 "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:600)" while trying to establish local SSL tunnel for [autoupdate.geo.opera.com:443]
[21:31] 039 [D] "POST https://sync.opera.com/api/sync/command/?client=Opera&client_id=xxxxxxxxxxxxxxxxxx" 200 261
[21:31] 000 "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:600)" while trying to establish local SSL tunnel for [autoupdate.geo.opera.com:443]
[21:31] 022 ProxHTTPSProxyMII FrontProxy/v1.4 [WinError 10054] An existing connection was forcibly closed by the remote host
[21:31] 023 ProxHTTPSProxyMII FrontProxy/v1.4 [WinError 10054] An existing connection was forcibly closed by the remote host
[21:31] 000 "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:600)" while trying to establish local SSL tunnel for [autoupdate.geo.opera.com:443]
[21:31] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:5222]
[21:31] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:443]
[21:31] 000 "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:600)" while trying to establish local SSL tunnel for [autoupdate.geo.opera.com:443]
[21:31] 041 [D] "GET https://easylist-downloads.adblockplus.org/easyprivacy.txt?_=1538166666207" 200 123845
[21:31] 040 [D] "GET https://easylist-downloads.adblockplus.org/easylist.txt?_=1538166666206" 200 637620
[21:32] 042 [D] "POST https://autoupdate.geo.opera.com/ 1037" 200 -
[21:32] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:5222]
[21:32] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:443][21:31] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:5222]
[21:31] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:443]
[21:31] 000 "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:600)" while trying to establish local SSL tunnel for [autoupdate.geo.opera.com:443]
[21:31] 039 [D] "POST https://sync.opera.com/api/sync/command/?client=Opera&client_id=xxxxxxxxxxxxxxxxxx" 200 261
[21:31] 000 "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:600)" while trying to establish local SSL tunnel for [autoupdate.geo.opera.com:443]
[21:31] 022 ProxHTTPSProxyMII FrontProxy/v1.4 [WinError 10054] An existing connection was forcibly closed by the remote host
[21:31] 023 ProxHTTPSProxyMII FrontProxy/v1.4 [WinError 10054] An existing connection was forcibly closed by the remote host
[21:31] 000 "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:600)" while trying to establish local SSL tunnel for [autoupdate.geo.opera.com:443]
[21:31] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:5222]
[21:31] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:443]
[21:31] 000 "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:600)" while trying to establish local SSL tunnel for [autoupdate.geo.opera.com:443]
[21:31] 041 [D] "GET https://easylist-downloads.adblockplus.org/easyprivacy.txt?_=1538166666207" 200 123845
[21:31] 040 [D] "GET https://easylist-downloads.adblockplus.org/easylist.txt?_=1538166666206" 200 637620
[21:32] 042 [D] "POST https://autoupdate.geo.opera.com/ 1037" 200 -
[21:32] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:5222]
[21:32] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:443]

I guess this is the problem!
:yes:

Edited by Dave-H
Link to comment
Share on other sites

1 hour ago, Dave-H said:

I guess this is the problem!

I'm not so sure - Opera uses schannel.dll to communicate to the proxy server, but the proxy doesn't use schannel.dll to communicate to the outside world. (That's sort of the point.) So unless Opera is bypassing the proxy for some site, the only way you should be getting certificate validation errors from schannel.dll is if the proxy server's own CA.crt certificate isn't installed or trusted.

Link to comment
Share on other sites

@Dave-H

Quit HTTPS Proxy, open the config.ini file in the HTTPS Proxy directory, add the following entries under [SSL Pass-Thru] and start HTTPS Proxy again as usual.

*sync.opera.com*
*autoupdate.geo.opera.com*

Check if the error messages on the console of HTTPS Proxy still exist and if the error still occurs under Windows system log.

:)

Link to comment
Share on other sites

Thanks, I added those entries and the error messages are gone!
:thumbup
This is what I'm seeing now in HTTPSProxy -

[23:28] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:5222]
[23:28] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:443]
[23:28] 003 [D] "GET https://news.google.com/news?q={searchTerms}&sourceid=opera&num=%i&ie=utf-8&oe=utf-8" 301 0
[23:28] 002 [D] "GET https://www.google.com/search?q={searchTerms}&sourceid=opera&num=%i&ie=utf-8&oe=utf-8" 302 315
[23:28] 001 [D] "GET https://www.google.com/search?q={searchTerms}&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest" 302 324
[23:28] 007 [D] "GET https://news.google.com/search?q=%7BsearchTerms%7D&sourceid=opera&num=%25i&ie=utf-8&oe=utf-8" 302 0
[23:28] 006 [D] "GET https://search.opera.com/?search={searchTerms}&global=no" 302 262
[23:28] 008 [D] "GET https://www.google.com/search?client=opera&q={searchTerms}&sourceid=opera&num=%i&ie=utf-8&oe=utf-8" 200 -
[23:28] 009 [D] "GET https://www.google.com/search?client=opera&q={searchTerms}&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest" 200 -
[23:28] 005 [D] "GET https://www.amazon.com/s/145-7872646-0478402?ie=UTF8&index=blended&keywords=%7BsearchTerms%7D&link_code=qs&tag=opera-20" 200 -
[23:28] 010 [D] "GET https://www.google.com/sdch/4orahf3u.dct" 200 -
[23:28] 010 ProxHTTPSProxyMII FrontProxy/v1.4 [WinError 10053] An established connection was aborted by the software in your host machine
[23:28] 000 [D] SSL Pass-Thru: https://sync.opera.com:443/
[23:28] 004 [D] "GET https://com.com/" 200 -
[23:28] 012 [D] "OPTIONS https://plex.tv/pms/:/ip None" 200 0
[23:28] 014 [D] "GET https://plex.tv/pms/:/ip" 200 15
[23:28] 013 [R][D] "GET https://plex.r.worldssl.net/announcements/announcements.json?cb=1538173710824" HTTPSConnectionPool(host='plex.r.worldssl.net', port=443): Max retries exceeded with url: /announcements/announcements.json?cb=1538173710824 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x03772FB0>: Failed to establish a new connection: [Errno 11001] getaddrinfo failed',))
[23:28] 011 [D] "GET https://search.yahoo.com/yhs/search?hspart=Opera&hsimp=yhs-international&p=%7BsearchTerms%7D" 200 -
[23:28] 000 [D] SSL Pass-Thru: https://www.google-analytics.com:443/
[23:28] 000 [D] SSL Pass-Thru: https://www.google-analytics.com:443/
[23:28] 000 [D] SSL Pass-Thru: https://www.google-analytics.com:443/
[23:28] 007 [D] "GET https://news.google.com/search?q=%7BsearchTerms%7D&sourceid=opera&num=%25i&ie=utf-8&oe=utf-8" 302 0
[23:28] 015 [D] "GET https://news.google.com/search?q=%7BsearchTerms%7D&sourceid=opera&num=%25i&ie=utf-8&oe=utf-8&hl=en-GB&gl=GB&ceid=GB:en" 200 -
[23:28] 015 ProxHTTPSProxyMII RearProxy/v1.4 [WinError 10053] An established connection was aborted by the software in your host machine
[23:28] 016 [D] "GET https://search.yahoo.com/favicon.ico" 304 -
[23:28] 015 [D] "GET https://news.google.com/search?q=%7BsearchTerms%7D&sourceid=opera&num=%25i&ie=utf-8&oe=utf-8&hl=en-GB&gl=GB&ceid=GB:en" 200 -
[23:28] 000 [D] SSL Pass-Thru: https://autoupdate.geo.opera.com:443/
[23:28] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:5222]
[23:28] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [push.opera.com:443]

Still some apparent errors there, but nothing in the Windows logs.
Cheers, Dave.
:)

Link to comment
Share on other sites

@Dave-H

An error is still at the beginning and end to see again in the HTTPS proxy console, open the config.ini file in the HTTPS proxy directory, add the following entrie under [SSL pass-thru] and start HTTPS proxy again as usual.

*push.opera.com*

The next coming update of HTTPS Proxy will apply these entries. If you have such yellow error messages on certain web pages you can communicate them via PM. Otherwise, only Windows system log remains to see if this error still occurs.

:)

Edited by heinoganda
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...