ProxHTTPSProxy and HTTPSProxy in Windows XP for future use


AstroSkipper

0. Table of Contents

0.           Table of Contents
1.           Introduction
2.           Purpose of ProxHTTPSProxy and HTTPSProxy
3.           Area of application
4.           The TLS protocols and their cipher suites
5.           Certificates - CA and Root Certificates
5.1.        The CA certificate of ProxHTTPSProxy
5.2.        The Root Certificates of Windows XP
6.           The TLS 1.2 proxies ProxHTTPSProxy and HTTPSProxy
6.1.        Prerequisites
6.1.1.     Detailed information
6.2.        Installation
6.3.        Configuration
6.3.1.     Configuration of ProxHTTPSProxy
6.3.2.     Configuration of HTTPSProxy
6.3.3.     Configuration of these proxies to access the MU website successfully nowadays
6.4.        Usage
6.4.1.     Usage of ProxHTTPSProxy
6.4.2.     Usage of HTTPSProxy
6.5.        Maintenance of ProxHTTPSProxy and HTTPSProxy for future use
7.           The TLS 1.2 proxy ProxHTTPSProxy's PopMenu 3V1
7.1.        Prerequisites
7.2.        Purpose and components of ProxHTTPSProxy's PopMenu 3V1
7.3.        Features of ProxHTTPSProxy's PopMenu 3V1
7.4.        Changelog of ProxHTTPSProxy's PopMenu 3V1:
7.5.        Installation and configuration of ProxHTTPSProxy's PopMenu 3V1
7.6.        Transferring all settings of an existing ProxHTTPSProxy's installation
7.7.        Usage of ProxHTTPSProxy's PopMenu 3V1
8.           The TLS 1.3 proxy ProxyMII
8.1.        Prerequisites
8.2.        General information about ProxyMII
8.3.        Specific information about the different ProxyMII releases
8.3.1      ProxyMII (20220717)
8.3.2      ProxyMII (20230813)
8.4.        How to set up and use the TLS 1.3 proxy ProxyMII
9.           The TLS 1.3 proxy ProxHTTPSProxy's PopMenu TLS 1.3
9.1.        Prerequisites
9.2.        General information about ProxHTTPSProxy's PopMenu TLS 1.3
9.3.        ProxHTTPSProxy's PopMenu TLS 1.3 3V3
9.3.1.     Features of ProxHTTPSProxy's PopMenu TLS 1.3 3V3
9.3.2.     Changelog of ProxHTTPSProxy's PopMenu TLS 1.3 3V3
9.3.3.     Installation and start of ProxHTTPSProxy's PopMenu TLS 1.3 3V3
10.         Versions
10.1.      Versions of the TLS 1.2 proxies ProxHTTPSProxy, HTTPSProxy, and ProxHTTPSProxy's PopMenu
10.2.      Versions of the TLS 1.3 proxies ProxyMII and ProxHTTPSProxy's PopMenu TLS 1.3
11.          Downloads
11.1.       Archived Downloads {obsolete}:
11.2.       Latest Downloads
11.2.1.    Downloads related to the TLS 1.2 proxies
11.2.1.1. Downloads related to ProxHTTPSProxy
11.2.1.2. Downloads related to HTTPSProxy
11.2.2.    Downloads related to the TLS 1.3 proxies
11.2.3.    Downloads related to cacert.pem Certificate Update
11.2.4.    Downloads related to Root Certificate Updates
12.          Update notifications
13.          Conclusion
14.          Disclaimer


1. Introduction:

The idea of this thread is to provide information and recent findings I've made relating to the TLS proxies ProxHTTPSProxy and HTTPSProxy. Due to the fact that I don't use other older NT-based Operating Systems (OSs) except Windows XP Professional, all my observations and explanations refer to both proxies in Windows XP only. So, please do not comment off-topic in this thread!
I am AstroSkipper, a member of MSFN since 2010, and was involved in restoring access to the Microsoft Update (MU) website in Windows XP (and some other OSs). This is the thread:
https://msfn.org/board/topic/178377-on-decommissioning-of-update-servers-for-2000-xp-and-vista-as-of-july-2019/
While restoring MU in my own Windows XP Professional system, I had to solve a lot of problems and had among other things some significant findings relating to ProxHTTPSProxy and HTTPSProxy, too. The above mentioned thread is now over 140 pages long and unfortunately very bloated. In most cases visitors or members of MSFN don't want to read that many pages to get the information they are looking for. A lot of comments are part of conversations which can no longer be retraced or understood easily by people who didn't participate. Therefore, I wanted to make my own findings accessible to all interested people in a clear, short way. That's why I decided to make my own thread to provide some facts, tips and especially news referring to these proxies. It is an unfortunate circumstance that the creators of ProxHTTPSProxy and HTTPSProxy, @heinoganda and @Thomas S., haven't been here for a long time and no further development of these proxies has been made in recent years. Of course, we thank both creators explicitly for these outstanding proxies, we are very glad to have them, but they have to be used as they are. For this reason, we have to ask ourselves whether they'll continue doing their job in the future or not. But maybe some of you don't really know what their job actually is.

2. Purpose of ProxHTTPSProxy and HTTPSProxy:

Originally, ProxHTTPSProxy was created for Proxomitron as an SSL Helper Program. Proxomitron is a local HTTP web-filtering proxy. Here are two links about Proxomitron: http://www.buerschgens.de/Prox/index.html (German website, use Google Translator if necessary) and https://msfn.org/board/topic/183295-web-browser-proxomitron-reborn-ptrongui-a-how-to-guide/.
This is a quotation from a post of the developer called "whenever" who had made ProxHTTPSProxy originally:

Quote

For every https request, it returns a "307 Moved Temporarily" response with a "Location" header pointing to the http version of the request. The purpose is to switch the browser from https mode to http mode. For every http request, it fetches the content through https protocol and feeds the decrypted content to the browser. The communication between ProxHTTPSProxy and the remote server is https while the communication between ProxHTTPSProxy and the browser is still http so Proxomitron gets a chance to filter the content.

Source link: https://prxbx.com/forums/showthread.php?tid=1618. Here is an image to show how ProxHTTPSProxy works:

HowItWorks.gif

ProxHTTPSProxy and HTTPSProxy were created by our members mentioned above to provide modern nag-free HTTPS connections for an HTTP proxy. The main purpose in Windows XP is to add modern ciphers to HTTPS connections of the Internet Explorer (IE) to improve either its missing TLS 1.2 functionality or its rudimentary TLS 1.2 functionality last added by Microsoft after installing some relevant POSReady updates (KB4230450, KB4316682 and KB4019276). Here is a link with further information on how TLS 1.1 and TLS 1.2 can be enabled in Windows XP: https://msfn.org/board/topic/178092-enable-tls-11-and-12-in-windows-xp-correctly/?do=findComment&comment=1158544. The original ciphers of IE are outdated and therefore a lot of websites can't be accessed or they don't work properly due to SSL issues. You can find more information about these proxies in the original thread: https://msfn.org/board/topic/176344-problems-accessing-certain-sites-https-aka-tls/.

3. Area of application:

As already said, the main purpose of these proxies is to add modern ciphers to HTTPS connections of IE to improve either its missing TLS 1.2 functionality or its rudimentary TLS 1.2 functionality last added by Microsoft after installing some relevant POSReady updates. Therefore, ProxHTTPSProxy or HTTPSProxy is often used in combination with IE to access websites which couldn't be called up by IE without it. Some programs use Internet Explorer's browser engine called Trident to get data from the Internet, to search for something or to check for updates. For example, my favourite movie database program All My Movies™ checks for updates using the IE engine. Without one of these proxies it will fail. Some e-mail clients like eM Client or Eudora use the IE engine too. Some browsers like 360 Extreme Explorer are able to use the IE engine for surfing. Another new purpose is to access Microsoft Update to look for updates. As I mentioned above, I was involved in restoring access to the Microsoft Update (MU) website in Windows XP (and some other OSs), and we were successful by now. If you're interested in restoring MU functionality, I've written a little guide with the title "Complete guide for restoring IE's access to WU/MU website using ProxHTTPSProxy or HTTPSProxy in Windows XP" which can be found here:
https://msfn.org/board/topic/183498-general-and-specific-solutions-for-problems-regarding-auwumu-in-windows-xp/?do=findComment&comment=1216509
This thread is about different proxies to establish secure connections to servers or, more generally, to the internet. You often read about TLS, cipher suites, and certificates here. Therefore, I disseminate here some information about these "termini technici" for those who do not know exactly what is meant by them.

4. The TLS protocols and their cipher suites

If you research the term TLS on the internet, you will get a lot of information, sometimes very simply presented, sometimes very technical, more for IT experts. With this small article, which can be seen more as a summary, I try to provide a little more transparency in this stuff.
Transport Layer Security, abbreviated TLS, is a protocol for the authentication and encryption of Internet connections. For this purpose, TLS is inserted as its own layer between TCP and the protocols of the application layer. Here is a linked graphic to make it more clear:

The-TLS-layers-and-sub-protocols.png

The individual tasks include authentication, certification, key exchange, integrity assurance and encryption. The main tasks are to guarantee the authenticity of the contacted remote stations, in most cases a server, by means of a certificate and to encrypt the connection between the remote stations. Here is a second linked graphic to demonstrate the actions and reactions in the communication between a client and a server:

TLS-Handshake-General-Steps-for-Establis

The used protocol defines the basic communication for the connection and is as crucial for a secure connection as the encryption protocol itself. Due to a series of vulnerabilities, the SSL2 and SSL3 protocols must be considered a security vulnerability and should be avoided at all costs. The successor to SSL3, TLS 1.0 should also be avoided, as the protocol offers a method to downgrade an established TLS 1.0 connection to SSL3. Thus, the connection is again vulnerable to the vulnerabilities that affect SSL3. Unfortunately, its successor TLS 1.1 is also no longer up to date and should be rather avoided nowadays. For a long time, the TLS 1.2 protocol was considered secure and therefore recommended. It offers a number of improvements that should ensure the security of connections again. In general, each new SSL or TLS version has brought additional features and options, making configuration a little more confusing, implementation more error-prone and handling more tedious. Overall, the use of TLS has become more insecure. With TLS 1.3, this should change, at best. Or, this was and is the actual goal, at least. For this reason, every single function of TLS has been tested for its security benefits and risks. In the process of development and in regard to the present knowledge, some parts were removed that no longer offer security and some of which are now also considered insecure. At the same time, security was improved with new procedures. Furthermore, measures for performance optimisation and preventive hardening measures for future attacks were taken into account. TLS 1.3 breaks backwards compatibility for the first time, which unfortunately causes some problems in practice. Connections with TLS 1.3 can be interrupted either because the connection is not accepted en route or due to a defective web server. Anyway, the protocols TLS 1.2 and, above all, TLS 1.3 are recommended as secure protocols nowadays. 
Here is a list of typical protocols and their cipher suites used by the TLS 1.3 proxy of my current program package ProxHTTPSProxy's PopMenu TLS 1.3 3V3 as an example. It's a screenshot taken from the website https://browserleaks.com/ssl:

browserleaks-ssl-2022-09-08-15-20-47.png

In the screenshot above, you can see many so-called cipher suites belonging to specific TLS protocols. A cipher suite is a standardised collection of cryptographic procedures (algorithms) for encryption. In the Transport Layer Security (TLS) protocol, the cipher suite specifies which algorithms are to be used to establish a secure data connection. A cipher suite is generally displayed as a long string of seemingly random information, but each segment of that string contains essential information. Generally, this data string is made up of several key components:

  1. The used protocol, in most cases TLS.
  2. The key exchange algorithm dictates the manner by which symmetric keys will be exchanged such as RSA, DH, DHE, ECDH, ECDHE.
  3. The authentication algorithm dictates how server authentication and (if needed) client authentication will be carried out such as RSA, DSA, ECDSA.
  4. The bulk encryption algorithm dictates which symmetric key algorithm will be used to encrypt the actual data such as AES, 3DES, CAMELLIA.
  5. The Message Authentication Code (MAC) algorithm dictates the method the connection will use to carry out data integrity checks such as SHA, SHA256, MD5.

In some cases, Elliptic Curve Cryptography (ECC) is used, an encryption technique that provides public-key encryption similar to RSA. While the security strength of RSA is based on very large prime numbers, ECC uses the mathematical theory of elliptic curves and achieves the same security level with much smaller keys. Here are three linked graphics to illustrate these strings with examples:

tls-12-cipher-suite-breakdown-1024x500.p
tls-13-cipher-suite-breakdown.png

tls-cipher-suite.png
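The naming scheme described above can be taken apart mechanically. The following Python sketch is an added example, not part of the original post or of any of the proxies: it splits IANA-style suite names into the components listed above and flags a few well-known weak building blocks. The names in SAMPLE_SUITES are standard IANA suite names picked here for illustration.

```python
"""Break TLS cipher suite names into their components (added example)."""

HASHES = {"MD5", "SHA", "SHA256", "SHA384"}
AEAD_MARKERS = ("GCM", "CCM", "POLY1305")
FORWARD_SECRET_KX = {"DHE", "ECDHE"}

# Sample input chosen for this example (standard IANA names).
SAMPLE_SUITES = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
]


def parse_cipher_suite(name):
    """Return the components of a suite name such as
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (style used up to TLS 1.2) or
    TLS_AES_128_GCM_SHA256 (TLS 1.3 style)."""
    protocol, _, rest = name.partition("_")
    if protocol not in ("TLS", "SSL") or not rest:
        raise ValueError("not a cipher suite name: %r" % name)

    export = False
    if "_WITH_" in rest:
        # Up to TLS 1.2: <key exchange>[_<authentication>]_WITH_<cipher>_<hash>
        kx_auth, _, cipher_hash = rest.partition("_WITH_")
        tokens = kx_auth.split("_")
        export = "EXPORT" in tokens
        tokens = [t for t in tokens if t != "EXPORT"]
        if not tokens:
            raise ValueError("missing key exchange in %r" % name)
        key_exchange = tokens[0]
        # A single token (e.g. RSA) serves as key exchange and authentication.
        authentication = "_".join(tokens[1:]) or tokens[0]
    else:
        # TLS 1.3: key exchange and authentication are negotiated in
        # handshake extensions and are no longer part of the suite name.
        key_exchange = authentication = None
        cipher_hash = rest

    parts = cipher_hash.split("_")
    digest = parts.pop() if parts[-1] in HASHES else None
    cipher = "_".join(parts)
    if not cipher:
        raise ValueError("missing bulk cipher in %r" % name)

    # AEAD ciphers protect integrity themselves; the trailing hash then names
    # the PRF/HKDF hash instead of a separate MAC algorithm.
    aead = any(marker in cipher for marker in AEAD_MARKERS)
    if aead:
        mac = "AEAD"
    elif digest is not None:
        mac = "HMAC-" + {"SHA": "SHA1"}.get(digest, digest)
    else:
        mac = None

    return {"protocol": protocol, "key_exchange": key_exchange,
            "authentication": authentication, "cipher": cipher,
            "hash": digest, "mac": mac, "export": export}


def weaknesses(suite):
    """List well-known weak building blocks found in a parsed suite."""
    found = []
    if "NULL" in suite["cipher"]:
        found.append("no encryption (NULL cipher)")
    if "RC4" in suite["cipher"]:
        found.append("RC4 stream cipher")
    if "DES" in suite["cipher"]:
        found.append("DES/3DES block cipher")
    if suite["hash"] == "MD5":
        found.append("MD5 hash")
    if suite["export"]:
        found.append("export-grade key sizes")
    if suite["authentication"] == "anon":
        found.append("no server authentication")
    kx = suite["key_exchange"]
    if kx is not None and kx not in FORWARD_SECRET_KX:
        found.append("%s key exchange without forward secrecy" % kx)
    return found


def describe(name):
    """One report line per suite: components plus any weaknesses."""
    s = parse_cipher_suite(name)
    notes = "; ".join(weaknesses(s)) or "no weak component found"
    return "%s: kx=%s auth=%s cipher=%s mac=%s -> %s" % (
        name, s["key_exchange"], s["authentication"], s["cipher"], s["mac"], notes)


if __name__ == "__main__":
    for suite_name in SAMPLE_SUITES:
        print(describe(suite_name))
```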


5. Certificates - CA and Root Certificates

Although Windows XP was abandoned and updates of root certificates were not provided anymore by Microsoft for this OS, we still found ways to update them. And, if we want to install one of our TLS proxies, we have to install a CA certificate to get them working. In both cases, certificates are needed, and this short article is intended to shed some light on this certificate jungle with regards to our TLS proxies.

5.1. The CA certificate of ProxHTTPSProxy

A certificate authority (CA) is a trusted entity that issues digital certificates. These are files that cryptographically link an entity to a public key. Certificate authorities are an important part of the Internet's Public Key Infrastructure (PKI) because they issue the Secure Sockets Layer (SSL) certificates that browsers use to authenticate content sent from web servers. All popular web browsers use web servers' SSL certificates to keep content delivered online secure. They all need to trust certificate authorities to issue certificates reliably. SSL certificates are used in conjunction with the Transport Layer Security (TLS) protocol to encrypt and authenticate data streams for the HTTPS protocol, and are therefore sometimes referred to as SSL/TLS certificates or simply TLS certificates. The first time ProxHTTPSProxy is started, it creates the keys for a certificate authority in its program directory if there is none. This file CA.crt is used for on-the-fly generation of dummy certificates for each visited website which are stored in the subfolder Certs. And, there is a second file called cacert.pem located in ProxHTTPSProxy's program directory. This file cacert.pem contains the currently valid root certificates (will be considered in more detail below) used by the proxy to verify the server connections. Since your browser won’t trust the ProxHTTPSProxy's CA certificate out of the box, you will either need to click through a TLS certificate warning on every domain, or install the CA certificate once so that it is trusted. It has to be installed in the Trusted Root Certification Authority of Windows XP and in some cases additionally in the Certificate Manager of a browser as in the cases of New Moon, Pale Moon, Firefox, and others. Internet Explorer doesn't have its own certificate store and uses the Trusted Root Certification Authority of Windows XP.
Typically, digital certificates contain data about the entity that issued the certificate and cryptographic data to verify the identity of the entity, including the entity's public key and expiration date for the certificate, as well as the entity's name, contact information, and other information associated with the certified entity. Web servers transmit this information when a browser establishes a secure connection over HTTPS. In doing so, they send to it the certificate and the browser authenticates it using its own root certificate store. The following graphic illustrates the structure of a Certificate Authority as for example GlobalSign:

ca-structure.png

SSL/TLS certificates are based on PKI as mentioned above, and there are a few key parts that need to be in place for the SSL certificate to work:

  • A digital certificate (for example, an SSL/TLS certificate) that proves the website’s identity.
  • A certificate authority that verifies the website and issues the digital certificate.
  • A digital signature that proves the SSL certificate was issued by the trusted certificate authority.
  • A public key that your browser uses to encrypt the data sent to the website.
  • A private key that the website uses to decrypt the data sent to it.

Here is another graphic to illustrate the role that a certificate authority (CA) plays in the Public Key Infrastructure (PKI):

certificate-authority.png

When installing such CA certificates in Windows XP manually, there is something else to note. It can be of crucial importance whether one installs a root certificate under the account of the Current User or Local Computer. In this article a little further down, you can find more information on that. Furthermore, exiting ProxHTTPSProxy completely, deleting the old CA.crt file in ProxHTTPSProxy's program directory, and restarting ProxHTTPSProxy will result in the generation of a new CA.crt that will be valid for another ten years. In addition, the certificate bundle cacert.pem should be updated, at best regularly. You can do that with the tool cacert Updater Fixed which can be found in the download section 11.2.3. Downloads related to cacert.pem Certificate Update. This tool is also included in my program package ProxHTTPSProxy's PopMenu. And, that is the moment to note something very important. Any change to a ProxHTTPSProxy installation regarding the CA certificate or a severe system crash while one of the proxies is running in the background always requires a reset of all dummy certificates in the Certs subfolder. The word "reset" at this point means that the user manually deletes all certificates that have been created in the Certs folder. The next time the proxy is started correctly, all necessary certificates will be created again when the corresponding websites are accessed. Here are a few screenshots of ProxHTTPSProxy's CA certificate (German edition of Windows XP, sorry!):

ProxHTTPSProxy_s_CA_certificate_1.pngProxHTTPSProxy_s_CA_certificate_2.png

ProxHTTPSProxy_s_CA_certificate_3.pngProxHTTPSProxy_s_CA_certificate_4.png

5.2. The Root Certificates of Windows XP

In cryptography and computer security, a root certificate is a public key certificate that identifies a root certificate authority (CA). Root certificates are self-signed and form the basis of an X.509-based PKI. A root certificate either has an Authority Key Identifier that matches its Subject Key Identifier or, in some cases where there is no Authority Key Identifier, an Issuer string that matches its Subject string (RFC 5280). For instance, the PKIs supporting HTTPS for secure web browsing and electronic signature schemes depend on a set of root certificates. A certificate authority can issue multiple certificates in the form of a tree structure. A root certificate is the top-most certificate of the tree, the private key of which is used to "sign" other certificates. All certificates signed by the root certificate, with the "CA" field set to true, inherit the trustworthiness of the root certificate. A signature by a root certificate is somewhat analogous to "notarizing" identity in the physical world. Such a certificate is called an intermediate certificate or subordinate CA certificate. Certificates further down the tree also depend on the trustworthiness of the intermediates.
The following graphic illustrates the role of a root certificate in the chain of trust:

Chain_Of_Trust.svg

The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. Root certificates are distributed in Windows XP by Microsoft and located in special certificate stores. These certificate stores may be viewed through the Certificates snap-in Certmgr.msc in the Microsoft Management Console (MMC). You can open the Certificates console focused on the Current User on a Windows XP computer by executing Certmgr.msc in the Run dialog box. Here is a screenshot of what you see running this command (German edition of Windows XP, sorry!):

Certificates_Manager.png

The root certificates of Windows XP can be updated by @heinoganda's Certificate Updater, @Thomas S.'s CAupdater, or by my self-created Root Certificate and Revoked Certificate Updaters, in all cases to the most recent ones provided by Microsoft. These updaters can be found in the download section under 11.2.4. Downloads related to Root Certificate Updates. There is no automatism for this updating. It must be done manually by the user and, if possible, regularly. @heinoganda's Certificate Updater is also included in my program package ProxHTTPSProxy's PopMenu.

And now, back to our proxies.

6. The TLS 1.2 proxies ProxHTTPSProxy and HTTPSProxy

6.1. Prerequisites:

A CPU with SSE2 instruction set is required to run the more recent versions of these TLS 1.2 proxies under Windows XP.

6.1.1. Detailed information:

Testing system: Windows XP Professional SP3 POSReady with an AMD Athlon XP 3200+ (Thoroughbred), an old CPU providing SSE, but lacking the SSE2 instruction set.

After testing all proxies mentioned in this article, I can confirm that all @heinoganda's releases ProxHTTPSProxy REV3b, ProxHTTPSProxy REV3d, ProxHTTPSProxy REV3e and @Thomas S.'s release HTTPSProxy in version HTTPSProxy_Launcher_v2_2018-11-06 require a CPU with SSE2 instruction set.
All these proxies crashed when starting 'ProxHTTPSProxy.exe' or 'HTTPSProxy.exe'. But @whenever's release ProxHTTPSProxyMII 1.3a could be started without crashing, and after testing I can confirm this proxy is fully compatible with a CPU possessing SSE instruction set only. Therefore, this proxy can be used in such old systems, but only if absolutely necessary. For safety reasons. More detailed information below in the section 10.1. Versions of the TLS 1.2 proxies ProxHTTPSProxy, HTTPSProxy, and ProxHTTPSProxy's PopMenu.

6.2. Installation:

The program packages provide documents and instructions that are actually sufficient. Both proxies do not need any installation. There is no setup installer. They are fully portable with a few exceptions. The user has to edit the config file according to his needs, he should update a special certificate called 'cacert.pem' and he has to install the proxy's root certificate properly in any case. But to avoid unnecessary repetitions, I'll come back to that later in the section 6.3. Configuration. The location of their program folder can be chosen freely. For this purpose, I've created a folder "Portable" in my system partition. I have created this folder to remind me that programs inside the folder Portable do not have to be uninstalled.

6.3. Configuration:

The configurations of these proxies are a bit different.

6.3.1. Configuration of ProxHTTPSProxy:

- Install ProxHTTPSProxy's root certificate 'CA.crt' under the Trusted Root Certification Authority manually or apply 'ProxHTTPS Cert Install.exe'. Alternatively you can use the more recent ProxHTTPSProxy Cert Installer which has been modified and updated by me. You can find it in the section 11.2.1.1. Downloads related to ProxHTTPSProxy.
- Edit the config file 'config.ini' according to your needs. More detailed explanations at the end of this section.
- Update the certificate 'cacert.pem' by downloading and inserting it manually (see cacert Update.txt) or automatically by applying 'cacert_Updater.exe'. Due to the circumstance that @heinoganda's original cacert Updater doesn't work anymore, I have fixed it. This "cacert Updater Fixed" can be downloaded in the section 11.2.3. Downloads related to cacert.pem Certificate Update.

6.3.2. Configuration of HTTPSProxy:

- Generate a new HTTPSProxy's root certificate 'HTTPSProxyCA.crt' by opening 'HTTPSProxy.exe' and closing its window when the process is over.
- Install HTTPSProxy's root certificate 'HTTPSProxyCA.crt' under the Trusted Root Certification Authority manually. Alternatively you can use the brand new HTTPSProxy Cert Installer which has been created by me. You can find it in the section 11.2.1.2. Downloads related to HTTPSProxy.
- Edit the config files 'config.ini' and 'Launcher.ini' according to your needs. More detailed explanations at the end of this section.
- Update the certificate 'cacert.pem' by downloading from url https://curl.se/ca/cacert.pem and inserting it manually (see Installation-Update_EN.txt) or automatically by clicking cacert.pem update in Launcher's menu.
- Execute the reg file 'Inet_CurUser_ProxySettings.reg'.

Both proxies have got a config file called 'config.ini'. The following parameters of the proxy can be specified there: ProxAddr, FrontPort, BackPort, LogPort and LogLevel. Look into this file and you'll get short descriptions of these parameters. Furthermore there are special sections titled [SSL No-Verify], [BLACKLIST], [SSL Pass-Thru] and [BYPASS URL]. In these sections url addresses can be inserted letting the proxy know how to handle them. HTTPSProxy has a second config file called 'Launcher.ini'. Here you can set up the Launcher of HTTPSProxy. A short description can be read at the beginning of each file section.
Here you can see HTTPSProxy's config file similar to the one of ProxHTTPSProxy:

HTTPSProxy-config-file.png

More detailed information about the parameters and sections can be found in their doc files.
Both proxies can be set as system-wide proxies using the executable proxycfg.exe. Here are proxycfg's command line parameters:

  • The command proxycfg displays the current WinHTTP proxy settings.
  • The command proxycfg -d specifies that all HTTP and HTTPS servers should be accessed directly. Use this command if there is no proxy server.
  • The command proxycfg -p proxy-server-list optional-bypass-list specifies one or more proxy servers, and an optional list of hosts that should be accessed directly. If a proxy server is not specified for a given protocol and that server is not in the bypass list, the -p option specifies that the server cannot be accessed at all.
  • The command proxycfg -d -p proxy-server-list optional-bypass-list specifies one or more proxy servers, and an optional list of hosts that should be accessed directly. If a proxy server is not specified for the given protocol, the -d option specifies that the server should be accessed directly instead.
  • The command proxycfg -u imports the Internet Explorer proxy settings of the current user. WinHTTP does not support auto-discovery and configuration script-based proxy settings.

So far so good, but unfortunately that's not the whole truth.

6.3.3. Configuration of these proxies to access the MU website successfully nowadays:

The MU website can be accessed only by IE, but nowadays it needs the more recent cryptographic protocol TLS 1.2. That's the reason why MU wasn't available in the past. Therefore we have to use one of these proxies to gain access. If all steps of my Complete guide for restoring IE's access to WU/MU website using ProxHTTPSProxy or HTTPSProxy in Windows XP have been performed properly, you would like to call up the MU website. But in some cases problems could occur. One of them is to get an MU website with output of error code 0x80072f8f (hexadecimal notation). I had examined this error deeply and could solve it. But what does that have to do with our proxies? Of course a lot, otherwise I wouldn't have mentioned it. Here you can read my short post "Final fix of error code 0x80072f8f while accessing WU or MU website":
https://msfn.org/board/topic/178377-on-decommissioning-of-update-servers-for-2000-xp-and-vista-as-of-july-2019/?do=findComment&comment=1213188
The steps in order:

  1. Delete the old CA.crt file in ProxHTTPSProxy's program folder.
  2. Delete all certificates in ProxHTTPSProxy's certs subfolder.
  3. Update the certificate cacert.pem.
  4. Run the executable ProxHTTPSProxy.exe. A new ProxHTTPSProxy CA certificate CA.crt valid for another ten years has been generated.
  5. Import this new ProxHTTPSProxy CA certificate to Trusted Root Certification Authority but under the account local computer.

And exactly here lies the problem. You have to import this certificate in a special way to ensure it is really installed in Trusted Root Certification Authority under the account local computer. Otherwise, it can happen that this certificate is installed in Trusted Root Certification Authority under the account current user. And that is definitely the cause of error code 0x80072f8f. No one had told us where this certificate has to be installed to. No hints in the doc files of both proxies. And, how can we do that? Here are the detailed steps using the Microsoft Management Console:

  1. Open console by typing mmc.
  2. Add a snap-in for certificates.
  3. Choose for local computer.
  4. Import your recently generated ProxHTTPSProxy CA certificate to Trusted Root Certification Authority.
  5. Finished.

Now, we have to modify the config file. Alternatively you can use my pre-configured config files in the section 11.2.1. Downloads related to the TLS 1.2 proxies.
Open the file config.ini in an editor of your choice. Add these urls under the section [SSL No-Verify]:
urs.microsoft.com
c.microsoft.com*
*one.microsoft.com*
download.windowsupdate.com
cc.dcsec.uni-hannover.de
fe2.ws.microsoft.com
*update.microsoft.com
ds.download.windowsupdate.com
- Save your changes.
- Finished.
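
How such a list behaves can be checked before it goes into config.ini. The following Python sketch is an added example, not code from ProxHTTPSProxy or HTTPSProxy: it reads the [SSL No-Verify] entries listed above and reports which host names would be fetched without verification of the server certificate. It assumes that the entries are shell-style wildcard patterns matched against the host name; the host names in SAMPLE_HOSTS are constructed.

```python
"""Audit the [SSL No-Verify] section of a config.ini (added example)."""
import configparser
from fnmatch import fnmatchcase

# The [SSL No-Verify] entries exactly as listed in this guide.
CONFIG_TEXT = """\
[SSL No-Verify]
urs.microsoft.com
c.microsoft.com*
*one.microsoft.com*
download.windowsupdate.com
cc.dcsec.uni-hannover.de
fe2.ws.microsoft.com
*update.microsoft.com
ds.download.windowsupdate.com
"""

# Constructed host names used to exercise the patterns.
SAMPLE_HOSTS = [
    "www.update.microsoft.com",
    "c.microsoft.com",
    "c.microsoft.com.example.net",
    "www.microsoft.com",
    "msfn.org",
]


def load_patterns(text, section="SSL No-Verify"):
    """Return the bare entries of one section, in file order."""
    parser = configparser.ConfigParser(
        allow_no_value=True,   # entries are bare lines, not key = value pairs
        delimiters=("=",),     # keep ':' usable inside an entry
        strict=False,          # tolerate duplicated entries
    )
    parser.optionxform = str   # do not change the case of entries
    parser.read_string(text)
    if not parser.has_section(section):
        return []
    return list(parser[section])


def matching_pattern(host, patterns):
    """Return the first pattern that exempts this host, or None."""
    # Assumption: shell-style wildcard matching on the lower-cased host name.
    host = host.lower().rstrip(".")
    for pattern in patterns:
        if fnmatchcase(host, pattern.lower()):
            return pattern
    return None


def audit_patterns(patterns):
    """Point out patterns that cover more host names than the domain they name."""
    findings = []
    for pattern in patterns:
        if pattern.endswith("*"):
            findings.append(
                (pattern, "trailing wildcard also matches longer host names "
                          "that belong to other domains"))
    return findings


def unverified_hosts(hosts, patterns):
    """Map each host name to the pattern that switches verification off."""
    return {host: matching_pattern(host, patterns) for host in hosts}


if __name__ == "__main__":
    entries = load_patterns(CONFIG_TEXT)
    for host, pattern in unverified_hosts(SAMPLE_HOSTS, entries).items():
        state = "NOT verified (%s)" % pattern if pattern else "verified"
        print("%-30s %s" % (host, state))
    for pattern, note in audit_patterns(entries):
        print("review %-22s %s" % (pattern, note))
```

Every host name that matches an entry is reached without a check of the server certificate, so the list should stay as short and as specific as the MU website allows.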

Of course, same procedure for HTTPSProxy with one exception: HTTPSProxy's root certificate is named HTTPSProxyCA.crt. Fixing error code 0x80072f8f leads to fixing another problem and that is the validity of the proxy's root certificate. From now on a freshly generated root certificate of ProxHTTPSProxy or HTTPSProxy valid for another ten years will be fully functional because we finally know where exactly it has to be imported to. Maybe, you understand now how important it is to configure these proxies properly. Otherwise, they wouldn't work flawlessly. In the section 11.2.1. Downloads related to the TLS 1.2 proxies, I provide separate CA Certificate Installers and Uninstallers for both proxies. They have been created by me for the people who do not dare to generate and install certificates themselves. Due to a modification made by me, these installers and uninstallers now do their job properly, i.e. the certificate installation will definitely be performed in the Trusted Root Certification Authority under the account local computer. If you asked me which kind of certificate installation you should choose, I would recommend the manual method. For security reasons only. The installers contain a pre-generated root certificate of its proxy which will be installed properly. But as a result all users of these installers will unfortunately have got the same certificate. Normally, no good. But, do we really want to spy on each other? I don't think so. On the other hand, using the manual method we all will have a unique certificate without any risks. So it's up to you!

6.4. Usage:

The usage of these proxies is very simple but a bit different.

6.4.1. Usage of ProxHTTPSProxy:

The best way to start ProxHTTPSProxy is to execute the file ProxHTTPSProxy_PSwitch.exe. In this case, ProxHTTPSProxy will set itself up automatically and delete its settings when closing. You can check the settings of ProxHTTPSProxy in Internet Options of IE. Here is a screenshot of ProxHTTPSProxy's program window:

Prox-HTTPSProxy-Start-logging.png

6.4.2. Usage of HTTPSProxy:

The way to start HTTPSProxy is a bit different. For starting it, you have to simply drag the executable HTTPSProxy.exe onto a second executable Launcher.exe by drag & drop and a new system tray icon appears. Via this icon, all available options of HTTPSProxy's Launcher are accessible. There are a lot of options: HTTPSProxy exit, HTTPSProxy restart, HTTPSProxy show, HTTPSProxy hide, HTTPSProxy launch with Windows, config.ini edit, cacert.pem update, HTTPSProxy enabled - settings - log, Update Windows root CAs, Launcher.ini edit and so on. Here are some screenshots of HTTPSProxy:

Launcher's menu:

HTTPSProxy-Launcher-menu.jpg

HTTPSProxy - switched on and switched off:

HTTPSProxy-Switched-on.png

HTTPSProxy-Switched-off.png

HTTPSProxy's program window:

HTTPSProxy-Start-logging.png

HTTPSProxy while accessing MU:

HTTPSProxy-Accessing-MU.png

If connection errors occur, you can check the settings of HTTPSProxy in Internet Options of IE and set them manually or automatically by applying the reg file 'Inet_CurUser_ProxySettings.reg'. And now one important hint. If you want to use both proxies in your system, you mustn't run them in RAM at the same time! Otherwise the selected proxy won't work at all. You have to close the unused proxy to use the other. Keep that in mind!

6.5. Maintenance of ProxHTTPSProxy and HTTPSProxy for future use:

We have to carry out a bit of maintenance to ensure that these proxies are working properly. First of all, the system's root certificates should be updated every three months. If you have not done that yet, you can use one of the root certificate updaters in the section 11.2.4. Downloads related to Root Certificate Updates, where different online and offline versions can be downloaded. Then you should check the following list:

  • Regular update of the file 'cacert.pem'.
  • Maintenance and check of the file config.ini according to your needs.
  • Checking the validity of the proxy's root certificate.
  • Deleting of all certificates in the folder 'Certs' if the proxy isn't working properly.
  • Checking the state of the Proxy in IE or in your system.


7. The TLS 1.2 proxy ProxHTTPSProxy's PopMenu 3V1

7.1. Prerequisites:

A CPU with SSE2 instruction set is required to run this TLS 1.2 proxy under Windows XP.

7.2. Purpose and components of ProxHTTPSProxy's PopMenu 3V1:

This is the first release of ProxHTTPSProxy's PopMenu 3.0 in version 1.0.0.0 shortened 3V1. ProxHTTPSProxy's PopMenu 3V1 is a one-click menu in systray to access and control @heinoganda's ProxHTTPSProxy REV3e. ProxHTTPSProxy's PopMenu 3V1 is a synthesis of self-programmed executables, a very few commands, credits to @AstroSkipper at MSFN, and the freeware PopMenu 3.0, credits to Jochanan Agam at freeware.persoft.ch. All the information I spread about ProxHTTPSProxy in the sections above is of course also valid for ProxHTTPSProxy's PopMenu.

7.3. Features of ProxHTTPSProxy's PopMenu 3V1:

ProxHTTPSProxy's PopMenu is not a classical launcher, it is rather a systray popup menu. It can be totally customized and continuously extended according to user's needs due to its modular structure, therefore much more flexible than a classical, compiled launcher. More features can be added easily without touching existent code. Due to ProxHTTPSProxy's PopMenu's modular structure the user can change, add, delete and reorder features. Even the icons in menu can be changed easily by the user.

Here is the complete list of features implemented in ProxHTTPSProxy's PopMenu 3V1:

  1. Start ProxHTTPSProxy
  2. Stop ProxHTTPSProxy
  3. Hide ProxHTTPSProxy
  4. Show ProxHTTPSProxy
  5. Check if ProxHTTPSProxy is running (in RAM)
  6. cacert.pem Update
  7. Root Certificates Update
  8. Open IE Proxy settings
  9. Close IE Proxy settings
  10. Check system proxy status
  11. Enable ProxHTTPSProxy system-wide
  12. Disable ProxHTTPSProxy system-wide
  13. Edit config.ini
  14. Read documentation

And here is a screenshot of ProxHTTPSProxy's PopMenu 3V1:

Prox-HTTPSProxy-s-systray-menu-3.png

ProxHTTPSProxy's PopMenu is provided together with ProxHTTPSProxy REV3e. This new archive called "ProxHTTPSProxy_REV3e_PopMenu_3V1" has been additionally updated by me. These are the changes to the original package of @heinoganda:

7.4. Changelog of ProxHTTPSProxy's PopMenu 3V1:

  • @heinoganda's Certificate Updater 1.6 added.
  • Old CA Root Certificate CA.crt replaced by new one valid until 02/19/2032.
  • ProxHTTPSProxy CA Certificate Installer and Uninstaller replaced by more recent ones corresponding to pre-generated CA Root Certificate valid until 02/19/2032.
  • Old cacert Updater removed, recreated cacert Updater Fixed added.
  • cacert.pem updated to most recent one.
  • Alternative latest cacert.pem dated of 2022-04-26 from Mozilla added with download url.
  • All self-programmed executables of ProxHTTPSProxy's PopMenu 3V1 created in two different versions, UPX and noUPX, following the spirit of ProxHTTPSProxy's creator.

7.5. Installation and configuration of ProxHTTPSProxy's PopMenu 3V1:

1. Unpack archive and copy the complete folder ProxHTTPSProxy_REV3e_PopMenu_3V1_noUPX or ProxHTTPSProxy_REV3e_PopMenu_3V1_UPX (or its complete content) to desired location.
2. Although both ProxHTTPSProxy REV3e and ProxHTTPSProxy's PopMenu 3V1 are fully portable, the config file of the program PopMenu has to be adjusted to the new location. This can be done manually or, much more comfortably, automatically by a tool I created for this purpose only. Go to the subfolder PopMenu and execute "Configure PopMenu.exe". This procedure will always set the menu back to default settings. If you modified the menu in the past to your needs, you have to adjust the config file "PopMenu.ini" manually, otherwise you'll lose your modifications. In any case, the paths in the config file "PopMenu.ini" have to be adjusted when the complete program folder (or its complete content) was copied to a new location.

7.6. Transferring all settings of an existing ProxHTTPSProxy's installation:

Copy the files "CA.crt" and "config.ini" from old installation folder to new one. Same with complete subfolder "Certs". Doing it in that way you won't lose any old settings.

7.7. Usage of ProxHTTPSProxy's PopMenu 3V1:

To start ProxHTTPSProxy's PopMenu, just run "ProxyPopMenu.exe" in the main program folder ProxHTTPSProxy_REV3e_PopMenu_3V1_noUPX or ProxHTTPSProxy_REV3e_PopMenu_3V1_UPX. ProxHTTPSProxy's PopMenu can be set to "Start automatically at Windows startup" in the context menu item "Settings", which is called up by right-clicking the systray icon. Here the PopMenu can be configured generally. ProxHTTPSProxy's PopMenu has been pre-configured by me. The provided functions (items) corresponding to their labels are in most cases self-programmed executables and, in a very few cases, inserted commands. All items of ProxHTTPSProxy's PopMenu are generally self-explanatory. Feel free to click on them and test them! If you click on the item "Enable ProxHTTPSProxy system-wide", my program checks whether ProxHTTPSProxy is running or not. If not, it will be started immediately. This is necessary to set ProxHTTPSProxy to system-wide mode, or the setting process would fail. And one recommendation: Do not change or modify files in the subfolder PopMenu, and keep the file and folder structure inside the main folder, otherwise ProxHTTPSProxy's PopMenu won't work properly! If you want to modify the menu, do it in PopMenu's "Settings". But you have to know what you are doing, otherwise ProxHTTPSProxy's PopMenu won't work as expected.

ProxHTTPSProxy's PopMenu itself has a very low usage of RAM. It's only about 2 MB.

The download link of ProxHTTPSProxy's PopMenu 3V1 can be found in the section 11.2.1.1. Downloads related to ProxHTTPSProxy.

8. The TLS 1.3 proxy ProxyMII

8.1. Prerequisites:

ProxyMII was created by Python 3.7.1 which requires Microsoft Visual C++ 2015 Redistributable or Microsoft Visual C++ 2015-2019 Redistributable (latest version 14.28.29213.0). Check if it is installed in your system!

8.2. General information about ProxyMII:

ProxyMII is a proxy based on ProxHTTPSProxy which was originally created by whenever. It was enhanced in terms of the TLS 1.3 protocol and its cipher suites by @cmalex who recently created it using Python 3.7.1. Again, a big thanks for that to @cmalex. ProxyMII provides all TLS protocols from TLS 1.0 up to TLS 1.3 and its corresponding cipher suites. It differs from @heinoganda's ProxHTTPSProxy in its file structure and does not provide a comparable program like ProxHTTPSProxy_PSwitch.exe to activate or deactivate the proxy settings automatically when the proxy is started or closed. This has to be done manually by the user. If you want to use ProxyMII as it is without any additional comfort, then read the following instructions to get it running.

8.3. Specific information about the different ProxyMII releases:

8.3.1. ProxyMII (20220717):

Hardware requirements:
A CPU with SSE2 instruction set is not required anymore, SSE only is sufficient.

ProxyMII (20220717) is now based on OpenSSL 3.0.5, dated from 2022-07-05, and Cryptography 3.4.8, dated from 2021-08-24.

8.3.2. ProxyMII (20230813):

Hardware requirements: A CPU with SSE2 instruction set is now required, SSE only is not sufficient anymore.

ProxyMII (20230813) is now based on OpenSSL 3.1.2, dated from 2023-08-01, and Cryptography 40.0.2, dated from 2023-04-14. Here are the changelogs:

Changes from OpenSSL 3.0.5 to OpenSSL 3.1.2:

Quote

Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [1 Aug 2023]

Fix excessive time spent checking DH q parameter value ([CVE-2023-3817])

Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446])

Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975])

When building with the `enable-fips` option and using the resulting FIPS provider, TLS 1.2 will, by default, mandate the use of an extended master secret and the Hash and HMAC DRBGs will not operate with truncated digests.

Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [30 May 2023]

Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. ([CVE-2023-2650])

Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms ([CVE-2023-1255])

Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466])

Fixed handling of invalid certificate policies in leaf certificates ([CVE-2023-0465])

Limited the number of nodes created in a policy tree ([CVE-2023-0464])

Major changes between OpenSSL 3.0.10 and OpenSSL 3.1.0 [14 Mar 2023]

SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.

Performance enhancements and new platform support including new assembler code algorithm implementations.

Deprecated LHASH statistics functions.

FIPS 140-3 compliance changes.

Major changes between OpenSSL 3.0.9 and OpenSSL 3.0.10 [1 Aug 2023]

Fix excessive time spent checking DH q parameter value ([CVE-2023-3817])

Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446])

Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975])

Major changes between OpenSSL 3.0.8 and OpenSSL 3.0.9 [30 May 2023]

Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. ([CVE-2023-2650])

Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms ([CVE-2023-1255])

Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466])

Fixed handling of invalid certificate policies in leaf certificates ([CVE-2023-0465])

Limited the number of nodes created in a policy tree ([CVE-2023-0464])

Major changes between OpenSSL 3.0.7 and OpenSSL 3.0.8 [7 Feb 2023]

Fixed NULL dereference during PKCS7 data verification ([CVE-2023-0401])

Fixed X.400 address type confusion in X.509 GeneralName ([CVE-2023-0286])

Fixed NULL dereference validating DSA public key ([CVE-2023-0217])

Fixed Invalid pointer dereference in d2i_PKCS7 functions ([CVE-2023-0216])

Fixed Use-after-free following BIO_new_NDEF ([CVE-2023-0215])

Fixed Double free after calling PEM_read_bio_ex ([CVE-2022-4450])

Fixed Timing Oracle in RSA Decryption ([CVE-2022-4304])

Fixed X.509 Name Constraints Read Buffer Overflow ([CVE-2022-4203])

Fixed X.509 Policy Constraints Double Locking ([CVE-2022-3996])

Major changes between OpenSSL 3.0.6 and OpenSSL 3.0.7 [1 Nov 2022]

Added RIPEMD160 to the default provider.

Fixed regressions introduced in 3.0.6 version.

Fixed two buffer overflows in punycode decoding functions. ([CVE-2022-3786]) and ([CVE-2022-3602])

Major changes between OpenSSL 3.0.5 and OpenSSL 3.0.6 [11 Oct 2022]

Fix for custom ciphers to prevent accidental use of NULL encryption ([CVE-2022-3358])

Changes from Cryptography 3.4.8 to Cryptography 40.0.2:

Quote

40.0.2 - 2023-04-14

Fixed compilation when using LibreSSL 3.7.2.

Added some functions to support an upcoming pyOpenSSL release.

40.0.1 - 2023-03-24

Fixed a bug where certain operations would fail if an object happened to be in the top-half of the memory-space. This only impacted 32-bit systems.

40.0.0 - 2023-03-24

BACKWARDS INCOMPATIBLE: As announced in the 39.0.0 changelog, the way cryptography links OpenSSL has changed. This only impacts users who build cryptography from source (i.e., not from a wheel), and specify their own version of OpenSSL. For those users, the CFLAGS, LDFLAGS, INCLUDE, LIB, and CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS environment variables are no longer valid. Instead, users need to configure their builds as documented here.

Support for Python 3.6 is deprecated and will be removed in the next release.

Deprecated the current minimum supported Rust version (MSRV) of 1.48.0. In the next release we will raise MSRV to 1.56.0. Users with the latest pip will typically get a wheel and not need Rust installed, but check Installation for documentation on installing a newer rustc if required.

Deprecated support for OpenSSL less than 1.1.1d. The next release of cryptography will drop support for older versions.

Deprecated support for DSA keys in load_ssh_public_key() and load_ssh_private_key().

Deprecated support for OpenSSH serialization in DSAPublicKey and DSAPrivateKey.

The minimum supported version of PyPy3 is now 7.3.10.

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.0.

Added support for parsing SSH certificates in addition to public keys with load_ssh_public_identity(). load_ssh_public_key() continues to support only public keys.

Added support for generating SSH certificates with SSHCertificateBuilder.

Added verify_directly_issued_by() to Certificate.

Added a check to NameConstraints to ensure that DNSName constraints do not contain any * wildcards.

Removed many unused CFFI OpenSSL bindings. This will not impact you unless you are using cryptography to directly invoke OpenSSL’s C API. Note that these have never been considered a stable, supported, public API by cryptography, this note is included as a courtesy.

The X.509 builder classes now raise UnsupportedAlgorithm instead of ValueError if an unsupported hash algorithm is passed.

Added public union type aliases for type hinting:

Asymmetric types: PublicKeyTypes, PrivateKeyTypes, CertificatePublicKeyTypes, CertificateIssuerPublicKeyTypes, CertificateIssuerPrivateKeyTypes.

SSH keys: SSHPublicKeyTypes, SSHPrivateKeyTypes, SSHCertPublicKeyTypes, SSHCertPrivateKeyTypes.

PKCS12: PKCS12PrivateKeyTypes

PKCS7: PKCS7HashTypes, PKCS7PrivateKeyTypes.

Two-factor: HOTPHashTypes

Deprecated previously undocumented but not private type aliases in the cryptography.hazmat.primitives.asymmetric.types module in favor of new ones above.

39.0.2 - 2023-03-02

Fixed a bug where the content type header was not properly encoded for PKCS7 signatures when using the Text option and SMIME encoding.

39.0.1 - 2023-02-07

SECURITY ISSUE - Fixed a bug where Cipher.update_into accepted Python buffer protocol objects, but allowed immutable buffers. CVE-2023-23931

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8.

39.0.0 - 2023-01-01

BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.1.0 has been removed. Users on older version of OpenSSL will need to upgrade.

BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.5. The new minimum LibreSSL version is 3.5.0. Going forward our policy is to support versions of LibreSSL that are available in versions of OpenBSD that are still receiving security support.

BACKWARDS INCOMPATIBLE: Removed the encode_point and from_encoded_point methods on EllipticCurvePublicNumbers, which had been deprecated for several years. public_bytes() and from_encoded_point() should be used instead.

BACKWARDS INCOMPATIBLE: Support for using MD5 or SHA1 in CertificateBuilder, other X.509 builders, and PKCS7 has been removed.

BACKWARDS INCOMPATIBLE: Dropped support for macOS 10.10 and 10.11, macOS users must upgrade to 10.12 or newer.

ANNOUNCEMENT: The next version of cryptography (40.0) will change the way we link OpenSSL. This will only impact users who build cryptography from source (i.e., not from a wheel), and specify their own version of OpenSSL. For those users, the CFLAGS, LDFLAGS, INCLUDE, LIB, and CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS environment variables will no longer be respected. Instead, users will need to configure their builds as documented here.

Added support for disabling the legacy provider in OpenSSL 3.0.x.

Added support for disabling RSA key validation checks when loading RSA keys via load_pem_private_key(), load_der_private_key(), and private_key(). This speeds up key loading but is unsafe if you are loading potentially attacker supplied keys.

Significantly improved performance for ChaCha20Poly1305 when repeatedly calling encrypt or decrypt with the same key.

Added support for creating OCSP requests with precomputed hashes using add_certificate_by_hash().

Added support for loading multiple PEM-encoded X.509 certificates from a single input via load_pem_x509_certificates().

38.0.4 - 2022-11-27

Fixed compilation when using LibreSSL 3.6.0.

Fixed error when using py2app to build an application with a cryptography dependency.

38.0.3 - 2022-11-01

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.7, which resolves CVE-2022-3602 and CVE-2022-3786.

38.0.2 - 2022-10-11 (YANKED)

Attention

This release was subsequently yanked from PyPI due to a regression in OpenSSL.

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.6.

38.0.1 - 2022-09-07

Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically seen in large CRLs).

38.0.0 - 2022-09-06

Final deprecation of OpenSSL 1.1.0. The next release of cryptography will drop support.

We no longer ship manylinux2010 wheels. Users should upgrade to the latest pip to ensure this doesn’t cause issues downloading wheels on their platform. We now ship manylinux_2_28 wheels for users on new enough platforms.

Updated the minimum supported Rust version (MSRV) to 1.48.0, from 1.41.0. Users with the latest pip will typically get a wheel and not need Rust installed, but check Installation for documentation on installing a newer rustc if required.

decrypt() and related methods now accept both str and bytes tokens.

Parsing CertificateSigningRequest restores the behavior of enforcing that the Extension critical field must be correctly encoded DER. See the issue for complete details.

Added two new OpenSSL functions to the bindings to support an upcoming pyOpenSSL release.

When parsing CertificateRevocationList and CertificateSigningRequest values, it is now enforced that the version value in the input must be valid according to the rules of RFC 2986 and RFC 5280.

Using MD5 or SHA1 in CertificateBuilder and other X.509 builders is deprecated and support will be removed in the next version.

Added additional APIs to SignedCertificateTimestamp, including signature_hash_algorithm, signature_algorithm, signature, and extension_bytes.

Added tbs_precertificate_bytes, allowing users to access the to-be-signed pre-certificate data needed for signed certificate timestamp verification.

KBKDFHMAC and KBKDFCMAC now support MiddleFixed counter location.

Fixed RFC 4514 name parsing to reverse the order of the RDNs according to the section 2.1 of the RFC, affecting method from_rfc4514_string().

It is now possible to customize some aspects of encryption when serializing private keys, using encryption_builder().

Removed several legacy symbols from our OpenSSL bindings. Users of pyOpenSSL versions older than 22.0 will need to upgrade.

Added AES128 and AES256 classes. These classes do not replace AES (which allows all AES key lengths), but are intended for applications where developers want to be explicit about key length.

37.0.4 - 2022-07-05

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.5.

37.0.3 - 2022-06-21 (YANKED)

Attention

This release was subsequently yanked from PyPI due to a regression in OpenSSL.

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.4.

37.0.2 - 2022-05-03

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.3.

Added a constant needed for an upcoming pyOpenSSL release.

37.0.1 - 2022-04-27

Fixed an issue where parsing an encrypted private key with the public loader functions would hang waiting for console input on OpenSSL 3.0.x rather than raising an error.

Restored some legacy symbols for older pyOpenSSL users. These will be removed again in the future, so pyOpenSSL users should still upgrade to the latest version of that package when they upgrade cryptography.

37.0.0 - 2022-04-26

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2.

BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL 2.9.x and 3.0.x. The new minimum LibreSSL version is 3.1+.

BACKWARDS INCOMPATIBLE: Removed signer and verifier methods from the public key and private key classes. These methods were originally deprecated in version 2.0, but had an extended deprecation timeline due to usage. Any remaining users should transition to sign and verify.

Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by the OpenSSL project. The next release of cryptography will be the last to support compiling with OpenSSL 1.1.0.

Deprecated Python 3.6 support. Python 3.6 is no longer supported by the Python core team. Support for Python 3.6 will be removed in a future cryptography release.

Deprecated the current minimum supported Rust version (MSRV) of 1.41.0. In the next release we will raise MSRV to 1.48.0. Users with the latest pip will typically get a wheel and not need Rust installed, but check Installation for documentation on installing a newer rustc if required.

Deprecated CAST5, SEED, IDEA, and Blowfish because they are legacy algorithms with extremely low usage. These will be removed in a future version of cryptography.

Added limited support for distinguished names containing a bit string.

We now ship universal2 wheels on macOS, which contain both arm64 and x86_64 architectures. Users on macOS should upgrade to the latest pip to ensure they can use this wheel, although we will continue to ship x86_64 specific wheels for now to ease the transition.

This will be the final release for which we ship manylinux2010 wheels. Going forward the minimum supported manylinux ABI for our wheels will be manylinux2014. The vast majority of users will continue to receive manylinux wheels provided they have an up to date pip. For PyPy wheels this release already requires manylinux2014 for compatibility with binaries distributed by upstream.

Added support for multiple OCSPSingleResponse in a OCSPResponse.

Restored support for signing certificates and other structures in X.509 with SHA3 hash algorithms.

TripleDES is disabled in FIPS mode.

Added support for serialization of PKCS#12 CA friendly names/aliases in serialize_key_and_certificates()

Added support for 12-15 byte (96 to 120 bit) nonces to AESOCB3. This class previously supported only 12 byte (96 bit).

Added support for AESSIV when using OpenSSL 3.0.0+.

Added support for serializing PKCS7 structures from a list of certificates with serialize_certificates.

Added support for parsing RFC 4514 strings with from_rfc4514_string().

Added AUTO to PSS. This can be used to verify a signature where the salt length is not already known.

Added DIGEST_LENGTH to PSS. This constant will set the salt length to the same length as the PSS hash algorithm.

Added support for loading RSA-PSS key types with load_pem_private_key() and load_der_private_key(). This functionality is limited to OpenSSL 1.1.1e+ and loads the key as a normal RSA private key, discarding the PSS constraint information.

36.0.2 - 2022-03-15

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n.

36.0.1 - 2021-12-14

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m.

36.0.0 - 2021-11-21

FINAL DEPRECATION Support for verifier and signer on our asymmetric key classes was deprecated in version 2.0. These functions had an extended deprecation due to usage, however the next version of cryptography will drop support. Users should migrate to sign and verify.

The entire X.509 layer is now written in Rust. This allows alternate asymmetric key implementations that can support cloud key management services or hardware security modules provided they implement the necessary interface (for example: EllipticCurvePrivateKey).

Deprecated the backend argument for all functions.

Added support for AESOCB3.

Added support for iterating over arbitrary request attributes.

Deprecated the get_attribute_for_oid method on CertificateSigningRequest in favor of get_attribute_for_oid() on the new Attributes object.

Fixed handling of PEM files to allow loading when certificate and key are in the same file.

Fixed parsing of CertificatePolicies extensions containing legacy BMPString values in their explicitText.

Allow parsing of negative serial numbers in certificates. Negative serial numbers are prohibited by RFC 5280 so a deprecation warning will be raised whenever they are encountered. A future version of cryptography will drop support for parsing them.

Added support for parsing PKCS12 files with friendly names for all certificates with load_pkcs12(), which will return an object of type PKCS12KeyAndCertificates.

rfc4514_string() and related methods now have an optional attr_name_overrides parameter to supply custom OID to name mappings, which can be used to match vendor-specific extensions.

BACKWARDS INCOMPATIBLE: Reverted the nonstandard formatting of email address fields as E in rfc4514_string() methods from version 35.0.

The previous behavior can be restored with: name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})

Allow X25519PublicKey and X448PublicKey to be used as public keys when parsing certificates or creating them with CertificateBuilder. These key types must be signed with a different signing algorithm as X25519 and X448 do not support signing.

Extension values can now be serialized to a DER byte string by calling public_bytes().

Added experimental support for compiling against BoringSSL. As BoringSSL does not commit to a stable API, cryptography tests against the latest commit only. Please note that several features are not available when building against BoringSSL.

Parsing CertificateSigningRequest from DER and PEM now, for a limited time period, allows the Extension critical field to be incorrectly encoded. See the issue for complete details. This will be reverted in a future cryptography release.

When OCSPNonce are parsed and generated their value is now correctly wrapped in an ASN.1 OCTET STRING. This conforms to RFC 6960 but conflicts with the original behavior specified in RFC 2560. For a temporary period for backwards compatibility, we will also parse values that are encoded as specified in RFC 2560 but this behavior will be removed in a future release.

35.0.0 - 2021-09-29

Changed the version scheme. This will result in us incrementing the major version more frequently, but does not change our existing backwards compatibility policy.

BACKWARDS INCOMPATIBLE: The X.509 PEM parsers now require that the PEM string passed have PEM delimiters of the correct type. For example, parsing a private key PEM concatenated with a certificate PEM will no longer be accepted by the PEM certificate parser.

BACKWARDS INCOMPATIBLE: The X.509 certificate parser no longer allows negative serial numbers. RFC 5280 has always prohibited these.

BACKWARDS INCOMPATIBLE: Additional forms of invalid ASN.1 found during X.509 parsing will raise an error on initial parse rather than when the malformed field is accessed.

Rust is now required for building cryptography, the CRYPTOGRAPHY_DONT_BUILD_RUST environment variable is no longer respected.

Parsers for X.509 no longer use OpenSSL and have been rewritten in Rust. This should be backwards compatible (modulo the items listed above) and improve both security and performance.

Added support for OpenSSL 3.0.0 as a compilation target.

Added support for SM3 and SM4, when using OpenSSL 1.1.1. These algorithms are provided for compatibility in regions where they may be required, and are not generally recommended.

We now ship manylinux_2_24 and musllinux_1_1 wheels, in addition to our manylinux2010 and manylinux2014 wheels. Users on distributions like Alpine Linux should ensure they upgrade to the latest pip to correctly receive wheels.

Added rfc4514_attribute_name attribute to x509.NameAttribute.

Added KBKDFCMAC.

8.4. How to set up and use the TLS 1.3 proxy ProxyMII:

  • Unpack the archive and copy the folder ProxyMII to a location of your choice.
  • Install the file CA.crt to Trusted Root Certification Authority under the account local computer manually. I use the certificate generated by ProxHTTPSProxy REV3e, provided in my release of ProxHTTPSProxy's PopMenu 3V1. Or use my contained ProxHTTPSProxy CA Certificate Installer and Uninstaller to do that automatically. If so, you have to overwrite the already existing CA.crt in ProxyMII's program folder by the one of my release.
  • Enable the proxy settings of IE in the Internet Options -> LAN settings, i.e., check mark "Use a proxy server for your LAN", and click on Advanced. Go to the entry Secure and enter the Proxy address 127.0.0.1 and the port 8079.
  • Update the file cacert.pem to have the most recent one by using my cacert Updater Fixed (Recreated).
  • Start the proxy by executing the file ProxHTTPSProxy.exe.
  • Ensure that your firewall doesn't block this proxy. Add it to your exclusions list or allow its connection.
  • Do not forget to disable the proxy settings of IE when ProxyMII has been closed.
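
An added example, not part of the original post: a check that the IE proxy setting from the steps above and the running proxy agree, so that a setting left enabled after ProxyMII was closed shows up as "stale". The address 127.0.0.1 and port 8079 come from the step above; the function names and state labels are assumptions of this example, and the values passed in the last lines are constructed.

```python
import socket

LOCAL_PROXY = ("127.0.0.1", 8079)  # address and port from the setup step above


def parse_proxy_server(value):
    """Parse a WinINET ProxyServer string into {scheme: (host, port)}.

    Handles 'host:port' (one proxy for all protocols, stored under '*') and
    'http=host:port;https=host:port' (per-protocol entries).
    """
    table = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, addr = part.partition("=")
        if not sep:
            scheme, addr = "*", part
        addr = addr.split("://", 1)[-1].rstrip("/")
        host, _, port = addr.rpartition(":")
        if not host:                      # entry without a port
            host, port = addr, ""
        table[scheme.strip().lower()] = (host, int(port) if port.isdigit() else None)
    return table


def https_target(enable, server):
    """Proxy used for HTTPS (the 'Secure' entry), or None if proxying is off."""
    if not enable:
        return None
    table = parse_proxy_server(server)
    return table.get("https") or table.get("*")


def is_listening(addr, timeout=1.0):
    """True if something accepts TCP connections on addr."""
    try:
        with socket.create_connection(addr, timeout=timeout):
            return True
    except OSError:
        return False


def _norm(addr):
    host, port = addr
    host = host.lower()
    return ("127.0.0.1" if host == "localhost" else host, port)


def proxy_state(enable, server, probe=is_listening, local=LOCAL_PROXY):
    """Classify the combination of proxy setting and running proxy."""
    target = https_target(enable, server)
    listening = probe(local)
    if target is None:
        return "running-unused" if listening else "off"
    if _norm(target) == _norm(local):
        # 'stale': IE still points at the proxy, but nothing answers there.
        return "active" if listening else "stale"
    return "other-proxy"


def read_wininet_settings():
    """Read ProxyEnable and ProxyServer of the current user (Windows only)."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        def value(name, default):
            try:
                return winreg.QueryValueEx(key, name)[0]
            except OSError:
                return default
        return int(value("ProxyEnable", 0)), str(value("ProxyServer", ""))


if __name__ == "__main__":
    import sys
    if sys.platform == "win32":
        enable, server = read_wininet_settings()
    else:
        enable, server = 1, "https=127.0.0.1:8079"  # constructed sample values
    print(proxy_state(enable, server))
```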

The download links of ProxyMII and cacert Updater Fixed can be found respectively in the sections 11.2.2. Downloads related to the TLS 1.3 proxies and 11.2.3. Downloads related to cacert.pem Certificate Update.

ProxyMII is the TLS 1.3 proxy on which my program package ProxHTTPSProxy's PopMenu TLS 1.3 is based from now on.

9. The TLS 1.3 proxy ProxHTTPSProxy's PopMenu TLS 1.3

9.1. Prerequisites:

ProxHTTPSProxy's PopMenu TLS 1.3 is based on ProxyMII, which was created by Python 3.7.1, and requires Microsoft Visual C++ 2015 Redistributable or Microsoft Visual C++ 2015-2019 Redistributable (latest version 14.28.29213.0). Furthermore, Microsoft .NET Framework 4.0 is now additionally required to run the program package ProxHTTPSProxy's PopMenu TLS 1.3 under Windows XP. Check if both are installed in your system! A CPU with SSE2 instruction set is not required anymore, SSE only is sufficient.

9.2. General information about ProxHTTPSProxy's PopMenu TLS 1.3

The main feature of my program package ProxHTTPSProxy's PopMenu TLS 1.3 is @cmalex's ProxyMII, a TLS 1.3 proxy. I replaced @heinoganda's TLS 1.2 proxy from my last release of ProxHTTPSProxy's PopMenu REV3e 3V1 by @cmalex's TLS 1.3 proxy. This sounds simple, but, unfortunately, it wasn't. A lot of problems had to be solved to implement this proxy completely, enhance functionality, and get control of it as convenient as the old one. ProxHTTPSProxy's PopMenu TLS 1.3 is a one-click menu in systray to access and control the brand new TLS 1.3 proxy ProxyMII, better known as ProxHTTPSProxy, credits to @cmalex and its original creator whenever. @cmalex's ProxyMII, dated from 2022-07-17, is now based on OpenSSL 3.0.5 and Cryptography 3.4.8. It provides all TLS protocols from TLS 1.0 up to TLS 1.3 and its corresponding ciphers.

9.3. ProxHTTPSProxy's PopMenu TLS 1.3 3V3

ProxHTTPSProxy's PopMenu TLS 1.3 3V3 is the third release of ProxHTTPSProxy's PopMenu 3.0, now in version 3.0.0.0, shortened 3V3. It is a synthesis of the excellent, brand new TLS 1.3 proxy ProxyMII, dated from 2022-07-17, credits to @cmalex at MSFN, several self-programmed executables and a very few commands, credits to @AstroSkipper at MSFN, the freeware PopMenu 3.0, credits to Jochanan Agam at freeware.persoft.ch, the open source utility Min2Tray v1.7.9, credits to Junyx at junyx.breadfan.de, and the program Certificate Updater 1.6, credits to @heinoganda at MSFN. If you wonder when the second version was released, the answer is very simple: never. This version was unofficial. ProxHTTPSProxy's PopMenu is not a classical launcher, it is rather a systray pop-up menu. It can be totally customized and continuously extended according to the user's needs due to its modular structure, therefore, much more flexible than a classical, compiled launcher. More features can be added easily without touching the existent code. Due to ProxHTTPSProxy's PopMenu's modular structure, the user can change, add, delete and reorder features. Even the icons in the menu can be changed easily by the user. Here is a screenshot:

[Screenshot: ProxHTTPSProxy's PopMenu TLS 1.3 3V3]

9.3.1 Features of ProxHTTPSProxy's PopMenu TLS 1.3 3V3:

Here is the complete list of features implemented in ProxHTTPSProxy's PopMenu TLS 1.3 3V3 and a short explanation of them:

  1. Start ProxHTTPSProxy – Activates the proxy's settings in IE LAN Settings, starts the proxy, and deactivates and cleans its settings after closing, all automatically.
  2. Stop ProxHTTPSProxy – Stops the proxy and closes its status window.
  3. Minimize ProxHTTPSProxy to systray – Minimizes ProxHTTPSProxy's status window to systray and shows its icon there.
  4. Restore ProxHTTPSProxy from systray – Restores ProxHTTPSProxy's minimized status window from systray.
  5. Hide ProxHTTPSProxy – Hides ProxHTTPSProxy's status window completely.
  6. Show ProxHTTPSProxy – Shows ProxHTTPSProxy's hidden status window again.
  7. Check if ProxHTTPSProxy is running (in RAM) – Checks if ProxHTTPSProxy is running in the background.
  8. cacert.pem Update – Performs an update of the file cacert.pem.
  9. Root Certificates Update – Performs an update of the system's Root Certificates.
  10. Open IE Proxy settings – Opens the tab LAN Settings in IE's Internet Options.
  11. Close IE Proxy settings – Closes the tab LAN Settings and IE's Internet Options completely.
  12. Check system proxy status – Checks whether the proxy is used system-wide or the system has direct access.
  13. Enable ProxHTTPSProxy system-wide – Permits the whole system to use this proxy. In this mode, services can route their traffic through the proxy, too.
  14. Disable ProxHTTPSProxy system-wide – The proxy can be used only locally if it is running, generally all have direct access to their servers or the internet.
  15. Edit config.ini – Opens the file config.ini with the editor Notepad to check or modify the proxy's configuration.
  16. Read documentation – Opens the documentation with the editor Notepad to get information quickly.

In the screenshot above, you can see a red arrow which points to the icon of ProxHTTPSProxy, minimized to systray. It's a new feature, and the green marked items have been added to the pop-up menu since last release.

ProxHTTPSProxy's PopMenu is provided together with ProxyMII from 2022-07-17, created by @cmalex and branded by me as ProxHTTPSProxy 1.5.220717. This new archive called ProxHTTPSProxy TLS 1.3 1.5.220717 PopMenu 3V3 has been additionally updated by me. These are the changes to the previous version of ProxHTTPSProxy's PopMenu:

9.3.2 Changelog of ProxHTTPSProxy's PopMenu TLS 1.3 3V3:

  • @heinoganda's ProxHTTPSProxy REV3e replaced by @cmalex's ProxHTTPSProxy 1.5.220717 with a brand new TLS 1.3 support.
  • New starter program StartProxy.exe created to activate the proxy settings, start the proxy, and deactivate its settings after closing, all automatically.
  • cacert.pem updated to the most recent one.
  • Alternative cacert.pem from Mozilla, updated to the most recent version dated 2022-07-19.
  • The open source utility Min2Tray has been fully implemented by the new configuration tools Configure PopMenu.exe and Setup Min2Tray.exe, all automatically.
  • After the setup procedure, the programs PopMenu and Min2Tray are started automatically.
  • All self-created files are not UPX-compressed. Therefore, the version is a noUPX only.
  • Two new items added to the pop-up menu: Minimize ProxHTTPSProxy to systray and Restore ProxHTTPSProxy from systray.
  • All unnecessarily embedded files have been removed from my self-created executables.
  • Changes in calling up other programs.
  • In all my affected programs, protection against code injection has been improved. This leads to preventing of future "space bugs", too!
  • Different issues, which could have been noticed only in very rare cases, have been fixed.
  • All unnecessary code has been removed.
  • New bugs I additionally found have been fixed.
  • Autostart entries of PopMenu and the new Min2Tray, automatically added to the registry by my configuration program, have been fixed in regard to the "space bug".
  • All message windows of my programs have been resized and adjusted for a better visibility.
  • All my self-created program files have been recompiled by using a different compiler.
  • @cmalex's original ProxyMII wasn't modified by me, except a replacement of ProxHTTPSProxy.EXE's program icon, back to the old one and an update of the file config.ini to get access to the Microsoft Updates (MU) website with this proxy.

9.3.2 Installation and start of ProxHTTPSProxy's PopMenu TLS 1.3 3V3:

  • Check if Microsoft Visual C++ 2015 Redistributable or Microsoft Visual C++ 2015-2019 Redistributable (latest version 14.28.29213.0) is installed in your system.
  • Check if Microsoft .NET Framework 4.0 is installed in your system.
  • Unpack the archive and copy either the complete folder ProxHTTPSProxy_TLS_1_3_1_5_220717_PopMenu_3V3 or its complete content to your desired location.
  • Install the file CA.crt, located in the main program folder, to Trusted Root Certification Authority under the account local computer, or use the program ProxHTTPSProxy Cert Installer, provided in the archive.
  • Go to the subfolder PopMenu and execute the program Configure PopMenu.exe.
  • PopMenu and Min2Tray will be started automatically.

A more detailed documentation, titled Documentation of ProxHTTPSProxy's PopMenu 3V3, can be found in the subfolder Docs of my program package and should be read before using ProxHTTPSProxy's PopMenu in any case. All features and more are described there.

The programs PopMenu and Min2Tray have a very low usage of RAM. It's only about 2 MB and 4 MB respectively.

The download link of ProxHTTPSProxy's PopMenu TLS 1.3 3V3 can be found in the section 11.2.2. Downloads related to the TLS 1.3 proxies.

10. Versions:

10.1. Versions of the TLS 1.2 proxies ProxHTTPSProxy, HTTPSProxy, and ProxHTTPSProxy's PopMenu:

Last known version of ProxHTTPSProxyMII, created by @whenever and released in June of 2018: ProxHTTPSProxyMII 1.5 (20180616)
ProxHTTPSProxyMII 1.3a (20150527) was released in May of 2015. Here are two links: 
https://prxbx.com/forums/showthread.php?tid=2172&pid=17686#pid17686 and https://prxbx.com/forums/showthread.php?tid=2172&pid=18454#pid18454
Due to support of SHA1 for signing certificates ProxHTTPSProxyMII 1.3a can be used in a Windows XP Professional x64 system to access MU successfully. More recent versions use SHA256 to sign certificates and fail while accessing MU. But that also means ProxHTTPSProxyMII 1.3a is not secure and should only be used if there is no other option.
Here is a link to the post with necessary instructions and a screenshot of successful access to MU using ProxHTTPSProxyMII 1.3a in Windows XP Professional x64, credits to @maile3241:
https://msfn.org/board/topic/178377-on-decommissioning-of-update-servers-for-2000-xp-and-vista-as-of-july-2019/?do=findComment&comment=1214098

Last known version of ProxHTTPSProxy released in November of 2019: ProxHTTPSProxy REV3e.
Here is a link:
https://msfn.org/board/topic/176344-problems-accessing-certain-sites-https-aka-tls/?do=findComment&comment=1173585

Last known version of HTTPSProxy released in November of 2018: HTTPSProxy_Launcher_v2_2018-11-06
Here are two links:
https://msfn.org/board/topic/176344-problems-accessing-certain-sites-https-aka-tls/?do=findComment&comment=1155858
and
https://msfn.org/board/topic/176344-problems-accessing-certain-sites-https-aka-tls/?do=findComment&comment=1156032

Last version of ProxHTTPSProxy's PopMenu released in May of 2022: ProxHTTPSProxy's PopMenu 3V1 (20220510)
Here is the link to my post of this initial release:
https://msfn.org/board/topic/183352-proxhttpsproxy-and-httpsproxy-in-windows-xp-for-future-use/?do=findComment&comment=1218622

10.2. Versions of the TLS 1.3 proxies ProxyMII and ProxHTTPSProxy's PopMenu TLS 1.3:

ProxyMII released in July of 2022: ProxyMII (20220717). It was rebranded by me to ProxHTTPSProxy 1.5.220717.
Here is the link to @cmalex's original post: https://msfn.org/board/topic/183684-looking-for-a-person-with-python-programming-skills-to-implement-tls-13-functionality-in-proxhttpsproxy-rev3e/?do=findComment&comment=1222235

Latest version of ProxyMII released in August of 2023: ProxyMII (20230813). Here is the link to @cmalex's original post: https://msfn.org/board/topic/183352-proxhttpsproxy-and-httpsproxy-in-windows-xp-for-future-use/?do=findComment&comment=1250552

Latest version of ProxHTTPSProxy's PopMenu TLS 1.3 3V3 released in August of 2022: ProxHTTPSProxy's PopMenu TLS 1.3 3V3 (20220817).
Here is the link to the post of its official release: https://msfn.org/board/topic/183352-proxhttpsproxy-and-httpsproxy-in-windows-xp-for-future-use/?do=findComment&comment=1224184

11. Downloads:

11.1. Archived Downloads {obsolete}:

ProxHTTPSProxyMII 1.3a  can be downloaded here: http://www.proxfilter.net/proxhttpsproxy/ProxHTTPSProxyMII 1.3a.zip. Credits to @whenever.
ProxHTTPSProxyMII 1.5  can be downloaded here: http://jjoe.proxfilter.net/ProxHTTPSProxyMII/files/ProxHTTPSProxyMII 1.5 advanced 34cx_freeze5.0.1urllib3v1.22Win32OpenSSL_Light-1_0_2o-1_1_0h.zip. Credits to @whenever.
ProxHTTPSProxy REV3d can be downloaded here: https://www.mediafire.com/file/r23ct8jd2ypfjx5/ProxHTTPSProxyMII_REV3d_PY344.7z/file. Credits to @heinoganda.
Root Certificate and Revoked Certificate Updater of 02/24/2022 created by @AstroSkipper: https://www.mediafire.com/file/n4ea8nbijox88o3/Roots_Certificate_Updater_24.02.22.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 02/24/2022 created by @AstroSkipper: https://www.mediafire.com/file/8ler7d9z8aesz08/rootsupd.exe/file
Root Certificate and Revoked Certificate Updater of 04/28/2022 created by @AstroSkipper: https://www.mediafire.com/file/7e6jw2mdp6bi3u0/Roots_Certificate_Updater_28.04.22.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 04/28/2022 created by @AstroSkipper: https://www.mediafire.com/file/m6n7481wdq546ad/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 05/24/2022 created by @AstroSkipper: https://www.mediafire.com/file/aob1fkpf6f3vyhd/Roots_Certificate_Updater_24.05.22.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 05/24/2022 created by @AstroSkipper: https://www.mediafire.com/file/vkopcjfymnei5cn/rootsupd.exe/file
Root Certificate and Revoked Certificate Updater of 06/28/2022 created by @AstroSkipper: https://www.mediafire.com/file/2eowvtl8r56q8tx/Roots_Certificate_Updater_28.06.22.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 06/28/2022 created by @AstroSkipper: https://www.mediafire.com/file/h1460guuxqklkk5/rootsupd.exe/file
Root Certificate and Revoked Certificate Updater of 08/23/2022 created by @AstroSkipper: https://www.mediafire.com/file/nxt11m8m39fnc1k/Roots_Certificate_Updater_23.08.22.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 08/23/2022 created by @AstroSkipper: https://www.mediafire.com/file/0o2h3y16ekmtv2o/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 09/27/2022 created by @AstroSkipper: https://www.mediafire.com/file/d4mtrexun8ao81l/Roots_Certificate_Updater_27.09.22.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 09/27/2022 created by @AstroSkipper: https://www.mediafire.com/file/44suzv2x2fbrret/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 10/25/2022 created by @AstroSkipper: https://www.mediafire.com/file/naxyauof6fs0p88/Roots_Certificate_Updater_25.10.22.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 10/25/2022 created by @AstroSkipper: https://www.mediafire.com/file/nmzw6l4lzmxn8wx/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 11/29/2022 created by @AstroSkipper: https://www.mediafire.com/file/cnlbxdffjq9beva/Roots_Certificate_Updater_29.11.22.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 11/29/2022 created by @AstroSkipper: https://www.mediafire.com/file/pctxthjlcb6croc/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 02/28/2023 created by @AstroSkipper: https://www.mediafire.com/file/6chiibdsdoh4i22/Roots_Certificate_Updater_28.02.23.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 02/28/2023 created by @AstroSkipper: https://www.mediafire.com/file/rmjyq3pak60jayz/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 04/25/2023 created by @AstroSkipper: https://www.mediafire.com/file/xgmi98u15ikerrn/Roots_Certificate_Updater_25.04.23.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 04/25/2023 created by @AstroSkipper: https://www.mediafire.com/file/dxtxkgqdk6xlfb9/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 08/22/2023 created by @AstroSkipper: https://www.mediafire.com/file/53fv86ouqgonm7f/Roots_Certificate_Updater_22.08.23.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 08/22/2023 created by @AstroSkipper: https://www.mediafire.com/file/9xhsy3i2bphtf0i/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 11/28/2023 created by @AstroSkipper: https://www.mediafire.com/file/361ux1ogvmokuhf/Roots_Certificate_Updater_28.11.23.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 11/28/2023 created by @AstroSkipper: https://www.mediafire.com/file/6o1rfz4oqnh0din/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 02/27/2024 created by @AstroSkipper: https://www.mediafire.com/file/7awvvb37in89op1/Roots_Certificate_Updater_27.02.24.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 02/27/2024 created by @AstroSkipper: https://www.mediafire.com/file/55c7c574pyem2vg/rootsupd.EXE/file

11.2. Latest Downloads:

11.2.1. Downloads related to the TLS 1.2 proxies:

11.2.1.1. Downloads related to ProxHTTPSProxy:

ProxHTTPSProxy REV3e can be downloaded here: https://www.mediafire.com/file/me5l9dydomgwa0h/2005536469_ProxHTTPSProxyMIIv1.5Rev3ePython3.44OriginalFiles.7z/file. Credits to @heinoganda.
ProxHTTPSProxy's PopMenu 3V1 :cheerleader: can be downloaded here: https://www.mediafire.com/file/h20kkuucurv2i2b/ProxHTTPSProxy_REV3e_PopMenu_3V1.7z/file. Credits to @AstroSkipper.
ProxHTTPSProxy CA Certificate Installer and Uninstaller with a freshly pre-generated root certificate valid until 02/19/2032 modified and built by @AstroSkipper:
https://www.mediafire.com/file/9tnonnlymrp98f8/ProxHTTPSProxy_Cert_Installer_%2B_Uninstaller_%2B_CA_valid_until_02-19-2032.7z/file
ProxHTTPSProxy's config file to access MU website successfully, modified by @AstroSkipper: https://www.mediafire.com/file/vr1klatuzjh6v5c/ProxHTTPSProxy_-_config.ini/file

11.2.1.2. Downloads related to HTTPSProxy:

HTTPSProxy in the version of HTTPSProxy_Launcher_v2_2018-11-06 can be downloaded here: https://www.mediafire.com/file/ku859ikt2t79cgl/HTTPSProxy_Launcher_v2_2018-11-06.7z/file. Credits to @Thomas S..
HTTPSProxy CA Certificate Installer and Uninstaller with a freshly pre-generated root certificate valid until 02/19/2032 created by @AstroSkipper:
https://www.mediafire.com/file/sx1i6w2c6f1hvwm/HTTPSProxy_Cert_Installer_%2B_Uninstaller_%2B_CA_valid_until_02-19-2032.7z/file
HTTPSProxy's config file to access MU website successfully, modified by @AstroSkipper: https://www.mediafire.com/file/6emtdvx2vmw4iz8/HTTPSProxy_-_config.ini/file

11.2.2. Downloads related to the TLS 1.3 proxies:

ProxyMII (20220717) = ProxHTTPSProxy 1.5.220717 can be downloaded here: https://www.mediafire.com/file/pdy1cd8insmdq7g/ProxyMII_220717.7z/file. Credits to @cmalex.
ProxyMII (20230813) can be downloaded here: https://www.mediafire.com/file/yb0xjos28l110xx/ProxyMII_230813.7z/file. Credits to @cmalex.
ProxHTTPSProxy's PopMenu TLS 1.3 3V3 :cheerleader::cheerleader::cheerleader: can be downloaded here: https://www.mediafire.com/file/1fd0ezzpuy7qctu/ProxHTTPSProxy_TLS_1_3_1_5_220717_PopMenu_3V3.7z/file. Credits to @AstroSkipper.
ProxHTTPSProxy CA Certificate Installer and Uninstaller with a freshly pre-generated root certificate valid until 02/19/2032 modified and built by @AstroSkipper:
https://www.mediafire.com/file/9tnonnlymrp98f8/ProxHTTPSProxy_Cert_Installer_%2B_Uninstaller_%2B_CA_valid_until_02-19-2032.7z/file
ProxHTTPSProxy's config file to access MU website successfully, modified by @AstroSkipper: https://www.mediafire.com/file/vr1klatuzjh6v5c/ProxHTTPSProxy_-_config.ini/file

11.2.3. Downloads related to cacert.pem Certificate Update:

cacert Updater Fixed, fixed and recreated by @AstroSkipper: https://www.mediafire.com/file/y98gtqf8ewr6zz4/cacert_Updater_Fixed_Recreated.7z/file. Credits to @heinoganda

11.2.4. Downloads related to Root Certificate Updates:

Root Certificate and Revoked Certificate Updater of 03/26/2024 created by @AstroSkipper: https://www.mediafire.com/file/a1oil6g5cane3bu/Roots_Certificate_Updater_26.03.24.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 03/26/2024 created by @AstroSkipper: https://www.mediafire.com/file/6hcuv2r715l8nnm/rootsupd.EXE/file
Certificate Updater 1.6: https://www.mediafire.com/file/nmoqrx8vwc8jr6l/jveWB2Qg1Lt9yT5m3CYpZ8b8N4rH.rar/file. Credits to @heinoganda. Archive password: S4QH5TIefi7m9n1XLyTIZ3V5hSv4se1XB6jJZpH5TfB6vkJ8hfRxU7DWB2p
CAupdater 1.0.0.1:
https://www.mediafire.com/file/z34fifg2a09fzxo/CAupdater.7z/file. Credits to @Thomas S..

The installers created by myself or built by me will be updated from time to time if necessary. All files in my offered archives are definitely virus-free and clean, although some AV scanners produce false positives.
I recommend adding the complete folder to the exclusion list of your security program(s), only if you trust me, of course. Apart from that, you can also check positive reported files on VirusTotal, though.

12. Update notifications:

02/26/2022: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 02/24/2022.
03/16/2022: The functionality of @heinoganda's cacert Updater has been restored. cacert Updater Fixed can be downloaded in the section 11.2.3. Downloads related to cacert.pem Certificate Update.
04/23/2022: cacert Updater Fixed has been completely recreated due to false alarms of some virus scanners and can be downloaded in the section 11.2.3. Downloads related to cacert.pem Certificate Update.
05/10/2022: ProxHTTPSProxy's PopMenu 3V1 has been released. :cheerleader: Here is the link to my post of the initial release with the download link: https://msfn.org/board/topic/183352-proxhttpsproxy-and-httpsproxy-in-windows-xp-for-future-use/?do=findComment&comment=1218622
05/16/2022: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 04/28/2022.
06/05/2022: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 05/24/2022.
06/30/2022: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 06/28/2022.
07/17/2022: ProxyMII has been released. Here is the link to the post of its official release: https://msfn.org/board/topic/183684-looking-for-a-person-with-python-programming-skills-to-implement-tls-13-functionality-in-proxhttpsproxy-rev3e/?do=findComment&comment=1222235.
08/17/2022: ProxHTTPSProxy's PopMenu TLS 1.3 3V3 has been released. :cheerleader::cheerleader::cheerleader: Here is the link to the post of its official release: https://msfn.org/board/topic/183352-proxhttpsproxy-and-httpsproxy-in-windows-xp-for-future-use/?do=findComment&comment=1224184
09/05/2022: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 08/23/2022.
10/06/2022: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 09/27/2022.
11/06/2022: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 10/25/2022.
12/09/2022: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 11/29/2022.
03/04/2023: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 02/28/2023.
05/09/2023: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 04/25/2023.
08/13/2023: ProxyMII has been updated. Here is the link to the post of its official release: https://msfn.org/board/topic/183352-proxhttpsproxy-and-httpsproxy-in-windows-xp-for-future-use/?do=findComment&comment=1250552.
09/01/2023: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 08/22/2023.
12/11/2023: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 11/28/2023.
04/05/2024: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 02/27/2024.
04/05/2024: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 03/26/2024.

13. Conclusion:

At the beginning of this post, I said we had to ask ourselves whether these proxies would continue doing their job in the future or not. After all these observations and explanations, the answer to this question is quite clear: Yes, of course. And especially since we have our new TLS 1.3 proxies. But we have to avoid misconfiguration of these proxies, and in addition, we know they won't work properly without updating and carrying out maintenance. Doing all these things leads to a general, positive side effect for those loving their Windows XP. If all is done correctly, we are now able to use a freshly generated 10 years valid root certificate of ProxHTTPSProxy or HTTPSProxy at any time as long as Windows XP, Internet Explorer access to WWW, TLS 1.2 or TLS 1.3 functionality, Microsoft Update for Windows XP, or the user himself still exist. :buehehe:

14. Disclaimer:

All information that I spread here corresponds to my level of knowledge. Most of it has been carefully researched by me. I tested all programs of the section 11. Downloads extensively, and they worked properly in my system. Nevertheless, I do not assume any guarantee either for the correctness and completeness or for the implementation of my tips. The same applies to the application of my tools in the section 11. Downloads. Therefore, all at your own risk! :)

You can use the commenting zone below to tell us about your experiences, problems and questions or to provide further tips and recommendations. Any discussions about these proxies are explicitly welcome. If this article has not been able to resolve any issues related to these proxies, and you need further assistance with configuring or running them, I will try to help you as much as I can. But one thing must be clear, everything should relate to the topic of this thread. That means please stay on-topic!

If you enjoyed this article or maybe, you found it interesting and helpful, I would be pleased about any reaction by liking, upvoting, and of course, commenting. :yes:

Kind regards, AstroSkipper

Edited by AstroSkipper
Update of content
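
A check for the step "Do not forget to disable the proxy settings of IE when ProxyMII has been closed" from the post above, as an added example that is not part of the original post or of any program it describes. It parses `reg query` output for the WinINET values `ProxyEnable` and `ProxyServer` and compares them with whether anything listens on 127.0.0.1:8079; the function names and the sample output are constructed for illustration.

```python
import re
import socket
import subprocess
import sys

# Per-user key that holds the IE "LAN settings" proxy values.
KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
LOCAL_PROXY = ("127.0.0.1", 8079)  # address and port given in the post

# Constructed sample of `reg query` output (not captured from a real machine).
SAMPLE_REG_OUTPUT = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    https=127.0.0.1:8079
    ProxyOverride    REG_SZ    <local>
"""


def parse_reg_query(text):
    """Turn `reg query` output into {value_name: (type, data)}.

    Works with both tab-separated (XP) and space-separated (later) output.
    Value names containing spaces are skipped; the two we need have none.
    """
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$", line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3).strip())
    return values


def parse_proxy_server(data):
    """Parse a ProxyServer string into {scheme: (host, port)}.

    "host:port" applies to every protocol and is stored under "*";
    "http=h:p;https=h:p" is the per-protocol form behind IE's Advanced button,
    where the "Secure" field becomes the https entry.
    """
    routes = {}
    for part in filter(None, (p.strip() for p in data.split(";"))):
        scheme, sep, target = part.partition("=")
        if not sep:
            scheme, target = "*", part
        target = target.split("://", 1)[-1]  # tolerate "https=http://host:port"
        host, colon, port = target.rpartition(":")
        if not colon:
            host, port = target, ""
        routes[scheme.lower()] = (host, int(port) if port.isdigit() else None)
    return routes


def is_listening(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(reg_text, port_open=is_listening):
    """Return (status, detail) for the HTTPS route configured in IE."""
    values = parse_reg_query(reg_text)
    enabled = int(values.get("ProxyEnable", ("REG_DWORD", "0x0"))[1], 16) == 1
    routes = parse_proxy_server(values.get("ProxyServer", ("REG_SZ", ""))[1])
    secure = routes.get("https") or routes.get("*")
    running = port_open(*LOCAL_PROXY)
    if not enabled or secure is None:
        # IE goes direct; a running proxy is simply unused.
        return ("IDLE" if running else "DIRECT"), "IE is not routing HTTPS through a proxy"
    if secure != LOCAL_PROXY:
        # HTTPS is handed to something other than the proxy set up in the post.
        return "FOREIGN", "HTTPS goes to %s:%s, not the local proxy" % secure
    if not running:
        # The forgotten-setting case: IE will fail to load every HTTPS page.
        return "STALE", "IE points at %s:%d but nothing listens there" % LOCAL_PROXY
    return "OK", "IE uses the local proxy and it is listening"


if __name__ == "__main__":
    if sys.platform == "win32":
        raw = subprocess.check_output(["reg", "query", KEY])
        text = raw.decode("mbcs", "replace")
    else:
        text = SAMPLE_REG_OUTPUT  # offline demonstration on other systems
    print("%s: %s" % audit(text))
```

A `FOREIGN` result deserves attention on a machine that has the proxy's CA.crt in its trusted roots, since it means HTTPS traffic is being sent somewhere other than the local proxy.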


Thank you so much for all that work!
I'm sure this will be very useful to others in the future.
The use of ProxHTTPSProxyMII when it was first ported to XP by @heinoganda, and now HTTPSProxy with its much improved control system, fixed a huge number of internet access incompatibilities for me in XP. I would heartily recommend to all XP users to use one or the other of them now as a matter of course!
:worship:


23 minutes ago, Dave-H said:

Thank you so much for all that work!
I'm sure this will be very useful to others in the future.
The use of ProxHTTPSProxyMII when it was first ported to XP by @heinoganda, and now HTTPSProxy with its much improved control system, fixed a huge number of internet access incompatibilities for me in XP. I would heartily recommend to all XP users to use one or the other of them now as a matter of course!
:worship:

You're welcome! It has been a lot of work indeed. I did that all especially for people not familiar with this kind of stuff. But now it's finally finished if something can really be finished. In any case, thanks for your support! :)


1 hour ago, genieautravail said:

I just want to tell you about ProxHTTPSProxy that the last version isn't REV3d.

Thanks for your info! But where did I say that last version is REV3d? I wrote:

Quote

Versions:

Last known version of ProxHTTPSProxy released in November of 2019: ProxHTTPSProxy REV3e.

You probably misread it or missed it. I provided a download link for version REV3d because there is no link for version REV3e.

1 hour ago, genieautravail said:

Search in the thread around November 2019 to find the download link.

@heinoganda hadn't provided any download links generally. You had to send him a PM to get his latest release. And he doesn't provide download links anymore. So there is only a download link for version REV3d. As I already mentioned in my article I did my job carefully:

Quote

Most of it has been carefully researched by me.

But no problem, that can happen to anybody. The Romans said: "Errare humanum est."

Edited by AstroSkipper
correction

7 hours ago, xpandvistafan said:

Thanks for this great and in detail tutorial! I will surely link it to my all-in-one restore wu package over at MDL.

Thanks for commenting! And now I have a mathematical statement for you:
@Windows7fan = @xpandvistafan
I think after evaluation the boolean truth value has to be set to true. What do you think? :yes: 
PS: I hope today is my day!

Edited by AstroSkipper

44 minutes ago, AstroSkipper said:

Thanks for commenting! And now I have a mathematical statement for you:
@Windows7fan = @xpandvistafan
I think after evaluation the boolean truth value has to be set to true. What do you think? :yes: 
PS: I hope today is my day!

Yes, that is correct. Set that value to true.


Hi to all,
I have updated the content of my article in first post.  :o
Due to the fact that some of you had problems when running ProxHTTPSProxy or HTTPSProxy in older systems I have examined the correlation of crashes with the SSE2 capability of a CPU. The current results can be found in sections Prerequisites and Versions.
Furthermore both versions of Root Certificate Updater have been updated and are now of 02/24/2022.

Regards, AstroSkipper  :)

Edited by AstroSkipper

On 2/27/2022 at 4:59 PM, Dave-H said:

Here's ProxHTTPSProxyMII v1.5 Rev3e if anyone wants it.

One very important aspect of "v1.5_Rev3e" is that it contains internally "openssl-1.1.1d" (requires at least VistaSP2, ported to WinXP SP3 by @Mathwiz , IIANM, and then compiled with (XP_EoS) Py3.4 by @heinoganda), which bestows this "HTTPS Proxy" TLSv1.3 (final) capabilities (not present in openssl 1.0.2x/1.1.0x); while properly configured web servers do still offer fallback to TLSv1.2, some secure URLs are currently TLSv1.3 exclusive; so, if access to these must be realised via the IE web engine (e.g. an application dependent on system crypto libs/schannel), "Rev3e" is the way to go! ... 

Thanks @Dave-H for sharing :cheerleader:

Edited by VistaLover