[Bug 53344] New: Legacy TLS applications: GnuTLS priority string overrides are ignored in schan_create_session() (patch included)
WineHQ Bugzilla
wine-bugs at winehq.org
Wed Jul 13 10:56:35 CDT 2022
https://bugs.winehq.org/show_bug.cgi?id=53344
Bug ID: 53344
Summary: Legacy TLS applications: GnuTLS priority string
overrides are ignored in schan_create_session() (patch
included)
Product: Wine
Version: 7.12
Hardware: x86-64
URL: https://support.hpe.com/connect/s/softwaredetails?language=en_US&softwareId=MTX_bc8e3ffa59904ec3b505d9964d
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: secur32
Assignee: wine-bugs at winehq.org
Reporter: cflwxa at knowledgemd.com
Distribution: Debian
Created attachment 72727
--> https://bugs.winehq.org/attachment.cgi?id=72727
trace+secur32,warn+secur32 and GNUTLS_DEBUG_LEVEL=11
I use Wine devel 7.12 from the winehq repos and winetricks 20220411 from
github.
Context: I am trying to run the "HPE Lights-Out Standalone Remote Console"
(HPLOCONS.exe,
https://support.hpe.com/connect/s/softwaredetails?language=en_US&softwareId=MTX_bc8e3ffa59904ec3b505d9964d)
to connect to an iLO 3 interface of an HP ProLiant server.
iLO 3 only supports legacy ciphers (3DES, RC4). Because the Wine schannel
implementation uses GnuTLS, I added an override config like so:
sudo mkdir -p /etc/gnutls
sudo tee /etc/gnutls/config_hplocons <<EOF
[overrides]
default-priority-string = NORMAL:+3DES-CBC:+ARCFOUR-128
EOF
Then I set up a wine prefix like so:
env WINEARCH=win32 WINEPREFIX=~/.local/share/wineprefixes/hplocons wineboot --init
env WINEARCH=win32 WINEPREFIX=~/.local/share/wineprefixes/hplocons winetricks -q dotnet471 d3dcompiler_47 corefonts fontfix winver=
wget https://downloads.hpe.com/pub/softlib2/software1/pubsw-windows/p390407056/v138774/Setup.exe
env WINEARCH=win32 WINEPREFIX=~/.local/share/wineprefixes/hplocons wine Setup.exe
And successfully run HPLOCONS:
env WINEARCH=win32 WINEPREFIX=~/.local/share/wineprefixes/hplocons WINEDEBUG=trace+secur32,warn+secur32 GNUTLS_SYSTEM_PRIORITY_FILE=/etc/gnutls/config_hplocons GNUTLS_DEBUG_LEVEL=11 LC_ALL=C wine start 'C:\Program Files\Hewlett Packard Enterprise\HPE iLO Integrated Remote Console\HPLOCONS.exe'
When trying to connect to iLO, I get "The request was aborted: Could not create
SSL/TLS secure channel." The trace logs and gnutls debug logs (attached) show
that schan_create_session() in dlls\secur32\schannel_gnutls.c ignores my
priority string override and instead uses "NORMAL" without TLS 1.3
ciphersuites.
A look at the source code confirms that schan_create_session() does indeed not
incorporate the system defaults.
Also note that process_attach() sets GNUTLS_SYSTEM_PRIORITY_FILE to "/dev/null"
if it was unset, which has the consequence that everything in the default
/etc/gnutls/config file is always ignored.
I further confirmed that this is a Wine issue by running gnutls-cli:
# Succeeds
env GNUTLS_SYSTEM_PRIORITY_FILE=/etc/gnutls/config_hplocons gnutls-cli --insecure <iLO-IP>
# Fails with "Received alert [40]: Handshake failed"
gnutls-cli --insecure <iLO-IP>
To be able to run legacy applications, I think Wine should respect GnuTLS
overrides. I attached an untested patch proposal. Note that this patch does not
change behaviour if the default priority string is "NORMAL". Also note that
Wine would require gnutls 3.6.3 due to the use of
gnutls_set_default_priority_append().
Perhaps check_supported_protocols() should also be patched in a similar way.
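Added example, not part of the original report and not code from Wine or GnuTLS: a shell check for the kind of override file used above, where an [overrides] section re-enables 3DES and RC4. It reads default-priority-string from a GnuTLS priority file and lists the legacy algorithms it adds back; the function names and the LEGACY_TOKENS selection are assumptions of this example.

```shell
#!/bin/sh
# Audit a GnuTLS priority file for legacy algorithms re-enabled via [overrides].

# Priority-string keywords treated as legacy (this example's own selection).
LEGACY_TOKENS="3DES-CBC ARCFOUR-128 ARCFOUR-40 MD5 VERS-SSL3.0 VERS-TLS1.0"

# Print the default-priority-string value from the [overrides] section of file $1.
override_string() {
    awk '
        /^[ \t]*\[/ { in_ov = ($0 ~ /^[ \t]*\[overrides\][ \t]*$/); next }
        in_ov && /^[ \t]*default-priority-string[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Print, one per line, each legacy algorithm that priority string $1 adds with "+".
legacy_enabled() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r tok; do
        case $tok in
            +*) for bad in $LEGACY_TOKENS; do
                    if [ "${tok#+}" = "$bad" ]; then printf '%s\n' "$bad"; fi
                done ;;
        esac
    done
}

# Report on file $1; return 1 if its override re-enables any legacy algorithm.
audit_file() {
    prio=$(override_string "$1")
    found=$(legacy_enabled "$prio")
    if [ -n "$found" ]; then
        printf '%s: override "%s" re-enables: %s\n' \
            "$1" "$prio" "$(printf '%s' "$found" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# Constructed sample: the override file from the report, written to a temp file.
sample=$(mktemp)
printf '[overrides]\ndefault-priority-string = NORMAL:+3DES-CBC:+ARCFOUR-128\n' > "$sample"
audit_file "$sample" || echo "legacy algorithms found in $sample"
rm -f "$sample"
```

Pointing audit_file at the file named in GNUTLS_SYSTEM_PRIORITY_FILE, or at /etc/gnutls/config, shows whether legacy ciphers are enabled for one application's environment or system-wide.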