Snowshoe - Posted February 4, 2023

> 14 hours ago, AstroSkipper said:
> Frankly, I don't really see the need to use curl with ProxHTTPSProxy. It should also do its job without this proxy in Windows XP. About programs with curl embedded, I can't say anything detailed. These programs would have to be specified more clearly. Maybe @Snowshoe can explain in more detail what kind of programs he referred to, what he actually wants to achieve with these curl programs and why he needs a connection established by ProxHTTPSProxy, including the command line input or other execution commands which lead to the error. In any case, the curl option --ssl-no-revoke prevents the cert revocation check with the server to be connected.

The program is a free open-source game called SRB2Kart. To get the latest version to work on XP you just need to place an XP-compatible dbghelp.dll in the same directory. To access the multiplayer feature, you select Multiplayer > Internet Server Browser from the main menu.

Setting masterserver_debug "On" in kartconfig.cfg will show more information in the game's log.txt file.

Anyway... the server it connects to uses TLS 1.2 (HTTPS only, no HTTP), but I can't get the game to connect to it regardless of whether or not I use ProxHTTPSProxy.

Without ProxHTTPSProxy:

IE8 can't connect to the server, even though TLS 1.2 is enabled. IE8 gives this error:

While the game log shows this error:

    HMS: connecting 'https://ms.kartkrew.org/ms/api/games/SRB2Kart/10/servers?v=2.2'...
    * Trying 173.234.30.114:443...
    * Connected to ms.kartkrew.org (173.234.30.114) port 443 (#0)
    * schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
    * Closing connection 0
    * schannel: shutting down SSL/TLS connection with ms.kartkrew.org port 443
    ERROR: There was a problem contacting the master server...
    From curl_easy_perform: SSL peer certificate or SSH remote key was not OK

With ProxHTTPSProxy:

IE8 will connect, but the game still cannot. ProxHTTPSProxy log shows this warning when the game tries to connect:

    000 "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1094)" while trying to establish local SSL tunnel for [ms.kartkrew.org:443]

While the game log shows this error:

    HMS: connecting 'https://ms.kartkrew.org/ms/api/games/SRB2Kart/10/servers?v=2.2'...
    * Uses proxy env variable https_proxy == 'localhost:8079'
    * Trying 127.0.0.1:8079...
    * Connected to localhost (127.0.0.1) port 8079 (#0)
    * allocate connect buffer!
    * Establish HTTP proxy tunnel to ms.kartkrew.org:443
    > CONNECT ms.kartkrew.org:443 HTTP/1.1
    Host: ms.kartkrew.org:443
    Proxy-Connection: Keep-Alive

    < HTTP/1.1 200 Connection established
    < Proxy-agent: ProxHTTPSProxyMII FrontProxy/v1.5 Python/3.7.1
    <
    * Proxy replied 200 to CONNECT request
    * CONNECT phase completed!
    * CONNECT phase completed!
    * CONNECT phase completed!
    * schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
    * Closing connection 0
    * schannel: shutting down SSL/TLS connection with ms.kartkrew.org port 443
    ERROR: There was a problem contacting the master server...
    From curl_easy_perform: SSL connect error

Standalone Curl Test (with ProxHTTPSProxy and environment variables):

    C:\Documents and Settings\Snowshoe>curl -v https://ms.kartkrew.org/ms/api
    * Trying 127.0.0.1...
    * Connected to localhost (127.0.0.1) port 8079 (#0)
    * Establish HTTP proxy tunnel to ms.kartkrew.org:443
    > CONNECT ms.kartkrew.org:443 HTTP/1.1
    > Host: ms.kartkrew.org:443
    > User-Agent: curl/7.46.0
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 200 Connection established
    < Proxy-agent: ProxHTTPSProxyMII FrontProxy/v1.5 Python/3.7.1
    <
    * Proxy replied OK to CONNECT request
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    * CAfile: C:\ProxHTTPSProxy\CA.crt
      CApath: none
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
    * ALPN, server did not agree to a protocol
    * Server certificate:
    * subject: CN=*.kartkrew.org
    * start date: Jan 27 12:32:01 2023 GMT
    * expire date: Jan 26 12:32:01 2033 GMT
    * subjectAltName: ms.kartkrew.org matched
    * issuer: C=CN; O=ProxHTTPSProxy; OU=pyOpenSSL; CN=ProxHTTPSProxy CA
    * SSL certificate verify ok.
    > GET /ms/api HTTP/1.1
    > Host: ms.kartkrew.org
    > User-Agent: curl/7.46.0
    > Accept: */*
    >
    < HTTP/1.1 404 NOT FOUND
    < Server: nginx/1.18.0 (Ubuntu)
    < Date: Sat, 04 Feb 2023 15:15:03 GMT
    < Content-Type: text/html; charset=utf-8
    < Content-Length: 232
    <
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
    <title>404 Not Found</title>
    <h1>Not Found</h1>
    <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
    * Connection #0 to host localhost left intact

I could possibly re-compile the game with CURLOPT_SSL_VERIFYPEER or CURLSSLOPT_NO_REVOKE thrown into the game's code, but that would be a last resort.

Hopefully this helps.

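The two schannel failures in the game logs above are different kinds of error, and only one of them is a revocation problem. The following triage script is an added example, not part of the original post or of any project mentioned in the thread; the function and class names are hypothetical and the sample logs are constructed by abridging the logs quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# HRESULTs taken from the two game logs quoted in the post above.
SCHANNEL = {
    0x80090322: ("SEC_E_WRONG_PRINCIPAL", "identity"),
    0x80092012: ("CRYPT_E_NO_REVOCATION_CHECK", "revocation"),
}
ADVICE = {
    "identity": "Server name/SNI check failed; revocation settings are unrelated.",
    "revocation": "Only the revocation lookup failed; relax that check alone "
                  "(--ssl-no-revoke / CURLSSLOPT_NO_REVOKE), keep CURLOPT_SSL_VERIFYPEER on.",
    "unknown": "No known schannel code found; read the full log.",
}

@dataclass
class Diagnosis:
    via_proxy: bool       # curl tried to tunnel through an HTTP proxy
    tunnel_ok: bool       # the proxy answered 200 to CONNECT
    code: Optional[int]   # schannel HRESULT, if one was logged
    name: str
    kind: str
    advice: str

def diagnose(log: str) -> Diagnosis:
    """Classify the first schannel failure in a curl verbose log."""
    via_proxy = "Establish HTTP proxy tunnel to" in log
    tunnel_ok = bool(re.search(r"^< HTTP/1\.[01] 200 ", log, re.M))
    m = re.search(r"schannel: .*?\((0x[0-9A-Fa-f]{8})\)", log)
    code = int(m.group(1), 16) if m else None
    name, kind = SCHANNEL.get(code, ("", "unknown"))
    return Diagnosis(via_proxy, tunnel_ok, code, name, kind, ADVICE[kind])

# Constructed samples, abridged from the logs in the post.
LOG_DIRECT = """\
* Connected to ms.kartkrew.org (173.234.30.114) port 443 (#0)
* schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
* Closing connection 0
"""
LOG_PROXY = """\
* Establish HTTP proxy tunnel to ms.kartkrew.org:443
< HTTP/1.1 200 Connection established
* schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
* Closing connection 0
"""

if __name__ == "__main__":
    for label, log in (("direct", LOG_DIRECT), ("proxy", LOG_PROXY)):
        d = diagnose(log)
        print(label, hex(d.code), d.name, "->", d.advice)
```
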
AstroSkipper (Author) - Posted February 4, 2023

Hello @Snowshoe! I could successfully connect to https://ms.kartkrew.org/ using IE8 with ProxHTTPSProxy (part of my package ProxHTTPSProxy's PopMenu TLS 1.3 3V3) enabled:

To connect successfully, you have to edit the config.ini of ProxHTTPSProxy under the section [SSL No-Verify]:

Cheers, AstroSkipper

Snowshoe - Posted February 4, 2023

It works in IE8 but not in the game, sadly... I have the following environment variables:

    http_proxy=localhost:8081
    https_proxy=localhost:8079
    SSL_CERT_FILE C:\ProxHTTPSProxy\CA.crt

AstroSkipper (Author) - Posted February 4, 2023

Which version of ProxHTTPSProxy are you using?

Snowshoe - Posted February 4, 2023

> 4 minutes ago, AstroSkipper said:
> Which version of ProxHTTPSProxy are you using?

I have the 08/18/2022 version from the first page, ProxHTTPSProxy_TLS_1_3_1_5_220717_PopMenu_3V3.

VistaLover - Posted February 4, 2023 (edited)

> 24 minutes ago, Snowshoe said:
> It works in IE8 but not in the game, sadly... I have the following environment variables: http_proxy=localhost:8081 ...

Leave that envvar empty/don't use it at all, so that your ISP connection is used DIRECTLY for the cert revocation check (which is performed over plain HTTP); in any case, only the secure connections the game attempts should be redirected to the TLS proxy, i.e. ONLY the HTTPS_PROXY envvar should be used...

Just my 2c, of course...

Edited February 4, 2023 by VistaLover

AstroSkipper (Author) - Posted February 4, 2023 (edited)

> 52 minutes ago, VistaLover said:
> > 1 hour ago, Snowshoe said:
> > It works in IE8 but not in the game, sadly... I have the following environment variables: http_proxy=localhost:8081 ...
>
> Leave that envvar empty/don't use it at all, so that your ISP connection is used DIRECTLY for the cert revocation check (which is performed over plain HTTP); in any case, only the secure connections the game attempts should be redirected to the TLS proxy, i.e. ONLY the HTTPS_PROXY envvar should be used... Just my 2c, of course...

Agreed! Do not use http_proxy=localhost:8081 and try again!

BTW, the address https://ms.kartkrew.org/ms/api does not exist, neither in IE8 nor in New Moon 28, i.e. leads to the well-known 404 error:

Same error in your logs!

Edited February 4, 2023 by AstroSkipper (Update of content)

AstroSkipper (Author) - Posted February 4, 2023 (edited)

> 43 minutes ago, Snowshoe said:
> I have the 08/18/2022 version from the first page, ProxHTTPSProxy_TLS_1_3_1_5_220717_PopMenu_3V3.

Totally forgot to mention! This version is the most recent. Furthermore, I changed the entry in the config.ini file a bit:

    ### Ignore SSL certificate verify, Use at your own risk!!!
    ### Proxy setting still effective
    [SSL No-Verify]
    fe2.update.microsoft.com
    *.12306.cn
    https://ms.kartkrew.org/*

Edited February 4, 2023 by AstroSkipper (Update of content)

AstroSkipper (Author) - Posted February 4, 2023 (edited)

@Snowshoe! However, the address https://ms.kartkrew.org/ms/api/games/SRB2Kart/10/servers?v=2.2 exists and can be accessed by IE8 while running ProxHTTPSProxy:

ProxHTTPSProxy's log is fine, no errors:

Cheers, AstroSkipper

Edited February 4, 2023 by AstroSkipper (Update of content)

cmalex - Posted February 5, 2023

> On 2/4/2023 at 5:20 PM, Snowshoe said:
> Setting masterserver_debug "On" in kartconfig.cfg will show more information in the game's log.txt file. Anyway... the server it connects to uses TLS 1.2 (HTTPS only, no HTTP), but I can't get the game to connect to it regardless of whether or not I use ProxHTTPSProxy.

Greetings.

"libcurl 7.69 with schannel" and "curl 7.46 with openssl" - is an incomparable thing :-(

There are some problems with OpenSSL and "Let's Encrypt" certificates, so the simplest way is to use ProxyMII + custom libcurl.

In attachment - libcurl 7.69.1 with schannel, built on Visual Studio C Express 2008 with forced disabled revocation (string 516 in lib\vtls\schannel.c).

Please set masterserver_debug to "Off" - or this library may crash (I can't understand - why?)

Best regards.

libcurl.7z

Snowshoe - Posted February 7, 2023

> On 2/5/2023 at 1:03 PM, cmalex said:
> Greetings. "libcurl 7.69 with schannel" and "curl 7.46 with openssl" - is an incomparable thing :-( There are some problems with OpenSSL and "Let's Encrypt" certificates, so the simplest way is to use ProxyMII + custom libcurl. In attachment - libcurl 7.69.1 with schannel, built on Visual Studio C Express 2008 with forced disabled revocation (string 516 in lib\vtls\schannel.c). Please set masterserver_debug to "Off" - or this library may crash (I can't understand - why?) Best regards.
> libcurl.7z

This solved the problem, thank you.

AstroSkipper (Author) - Posted March 1, 2023

Update notification!

The Root Certificates have been updated and are now from 28-02-2023. Here is a screenshot:

Therefore, my self-created, offline Root Certificate Updaters in the section 11.2.4. Downloads related to Root Certificate Updates (in the first post of this thread) will also be updated as soon as possible.

Cheers, AstroSkipper

AstroSkipper (Author) - Posted March 4, 2023 (edited)

> On 3/1/2023 at 1:44 PM, AstroSkipper said:
> Update notification! The Root Certificates have been updated and are now from 28-02-2023. Here is a screenshot: Therefore, my self-created, offline Root Certificate Updaters in the section 11.2.4. Downloads related to Root Certificate Updates (in the first post of this thread) will also be updated as soon as possible. Cheers, AstroSkipper

Update notification!

Both versions of my Root Certificate and Revoked Certificate Updater for offline use have been updated and are now of 02/28/2023. You can find them in the section 11.2.4. Downloads related to Root Certificate Updates in the first post of this thread.

Cheers, AstroSkipper

Edited March 4, 2023 by AstroSkipper

AstroSkipper (Author) - Posted March 16, 2023 (edited)

CAupdater - An alternative Root Certificate Updater

There is an alternative tool for updating Root Certificates in Windows XP. I totally forgot to mention this here as a single program. The creator was @Thomas S.. It is called CAupdater and is available in version 1.0.0.1. I have used it for years, and it works great. Here is the link to its original post:

It is also embedded in @Thomas S.'s HTTPSProxy package which can be downloaded in the section 11.2.1.2. Downloads related to HTTPSProxy of my main article "ProxHTTPSProxy and HTTPSProxy in Windows XP for future use".

In his original post linked above, the download link of CAupdater as a single archive file doesn't work anymore. Therefore, I will provide here a download link of this single archive file as soon as possible.

Cheers, AstroSkipper

Edited March 17, 2023 by AstroSkipper (Update of content)

AstroSkipper (Author) - Posted March 21, 2023 (edited)

> On 3/17/2023 at 12:00 AM, AstroSkipper said:
> CAupdater - An alternative Root Certificate Updater
> There is an alternative tool for updating Root Certificates in Windows XP. I totally forgot to mention this here as a single program. The creator was @Thomas S.. It is called CAupdater and is available in version 1.0.0.1. I have used it for years, and it works great. Here is the link to its original post: It is also embedded in @Thomas S.'s HTTPSProxy package which can be downloaded in the section 11.2.1.2. Downloads related to HTTPSProxy of my main article "ProxHTTPSProxy and HTTPSProxy in Windows XP for future use". In his original post linked above, the download link of CAupdater as a single archive file doesn't work anymore. Therefore, I will provide here a download link of this single archive file as soon as possible. Cheers, AstroSkipper

As promised above, I uploaded the program CAupdater 1.0.0.1 created by @Thomas S.. It is the original archive file without any modifications and an alternative to @heinoganda's Certificate Updater. This archive can be extracted to any desired location as CAupdater is a portable application.

Here is the download link: https://www.mediafire.com/file/z34fifg2a09fzxo/CAupdater.7z/file

Cheers, AstroSkipper

Edited March 21, 2023 by AstroSkipper (Update of content)