
Why is port 587 not using the self-generated CA Certificate?

Open bilogic opened this issue 1 year ago • 18 comments


Description

https://github.com/WhatsApp/proxy/blob/main/FAQ.md#5-does-the-proxy-support-https-or-socks

  1. It is indicated here that this proxy is just passing TCP traffic around.
  2. If that is the case, why does it need to generate a random CA Certificate?

https://github.com/WhatsApp/proxy/blob/2ea2f1fee80a065a4600ac43e3dec0f659e1c7df/proxy/src/generate-certs.sh#L25-L47

  3. Since a random CA Certificate is generated for port 443, why doesn't port 587 use this same CA Certificate but chooses to use the official WhatsApp one?

These 3 points are total contradictions and make media fail in places that block WhatsApp. There is so much room to do better if the aim is to really help people get access to WhatsApp.

Failed Step

The use of the official WhatsApp cert makes media fail in places that block WhatsApp.

bilogic avatar Sep 13 '24 07:09 bilogic

Yes, that’s the problem

Nicepaul avatar Sep 13 '24 23:09 Nicepaul

@Nicepaul do you know of a workaround?

bilogic avatar Sep 14 '24 01:09 bilogic

> @Nicepaul do you know of a workaround?

I'm not deploying a WhatsApp proxy on a VPS; I'm setting it up on my home OpenWRT router to bypass issues with media not working. However, the prerequisite is that the OpenWRT router must be able to successfully bypass the firewall restrictions.

Nicepaul avatar Sep 14 '24 03:09 Nicepaul

Does the proxy behave differently on different hardware? The proxy has to be located outside the restricted network.

bilogic avatar Sep 14 '24 03:09 bilogic

> Does the proxy behave differently on different hardware? The proxy has to be located outside the restricted network.

This is not hardware-related. I've installed Passwall or SSRPlus on OpenWRT to bypass the Great Firewall of China, essentially setting up a VPN. All internal network applications and data, including WhatsApp, are routed through this tunnel, so the data packets are transmitted within the VPN and won't be intercepted by the firewall. I've then mapped the WhatsApp proxy's port to the public IP of the OpenWRT router. This is essentially a workaround to bypass WhatsApp's certificate issues.

Nicepaul avatar Sep 14 '24 07:09 Nicepaul

I'm a little confused: if your mobile's WhatsApp is connected to the router which has the VPN, why does it still need a proxy?

bilogic avatar Sep 14 '24 08:09 bilogic

> I'm a little confused: if your mobile's WhatsApp is connected to the router which has the VPN, why does it still need a proxy?

I want to use WhatsApp but prefer not to install a VPN app on my phone. Therefore, setting up a WhatsApp proxy on my home OpenWRT router seems like a good solution. Additionally, VPNs tend to drain battery and can significantly affect phone network performance, making it impractical to keep them always on. However, turning it off would disrupt WhatsApp communication.

Nicepaul avatar Sep 14 '24 08:09 Nicepaul

ping @eozturk1

cloudwindy avatar Sep 19 '24 19:09 cloudwindy

587 and 443 front different backends, with different cert requirements: https://github.com/WhatsApp/proxy/blob/main/proxy/src/proxy_config.cfg#L87

peixian avatar Mar 29 '25 13:03 peixian

https://faq.whatsapp.com/1299035810920553/?helpref=uf_share

> Since a random CA Certificate is generated for port 443, why doesn't port 587 use this same CA Certificate but chooses to use the official WhatsApp one?

  • I believe many are unable to connect directly to WhatsApp servers because they are being blocked actively
  • And blocking in this age is almost always more than just simple IP blocking
  • So many explanations, but no answers

bilogic avatar Mar 30 '25 02:03 bilogic

still no solution?

M4mB14 avatar Aug 18 '25 11:08 M4mB14

443 is intended to unblock chat, while 587 fronts media on WA. These are configurable from inside the client, as traffic is distinguishable between them and we need to have different routes. If you'd like to game out another threat model, I'd encourage you to make a PR.

peixian avatar Aug 18 '25 12:08 peixian

> 443 is intended to unblock chat, while 587 fronts media on WA. These are configurable from inside the client, as traffic is distinguishable between them and we need to have different routes. If you'd like to game out another threat model, I'd encourage you to make a PR.

How does that answer my question? Since a random CA Certificate is generated for port 443, why doesn't port 587 use this same CA Certificate but chooses to use the official WhatsApp one?

bilogic avatar Aug 18 '25 12:08 bilogic

Because both paths are different. 443 fronts chat. 587 fronts media. Per the WhatsApp white paper (https://scontent.xx.fbcdn.net/v/t39.8562-6/455962147_1148247109601582_1673264986279156121_n.pdf?_nc_cat=101&ccb=1-7&_nc_sid=e280be&_nc_ohc=jJjOSDHnf5UQ7kNvwG8VXgy&_nc_oc=Adnc-fxOGUJbX9yFtP5mVIUP5S4LgHNuKrsx3JZ_6ghQ0kbtre0niq9X74NIvQhBnIY&_nc_zt=14&_nc_ht=scontent.xx&nc_gid=yF2uFxWBNL3xzoK9sm9fiQ&oh=00_AfXkr-k-uZ5yDTC8mB-9Z1ZwMt5go0tPTw-CStNRX6L_w&oe=68A8F899), we use noise pipes as the transport layer security for chat, but media is loaded separately.

I'd encourage you to make a PR to try out the effectiveness of 587 using a self-signed CA.


peixian avatar Aug 18 '25 13:08 peixian

Well, quite clearly, we have trouble understanding each other.

  1. First, https://github.com/WhatsApp/proxy/blob/main/proxy/src/proxy_config.cfg#L87 - yes, I know it's port 587, but I don't see any cert requirements... My SMTP port uses the same SSL cert as my HTTPS, so I can't make any sense of this.
  2. Then comes the threat model; this assumes I know the existing threat model (which I don't). How does a proxy mitigate threats apart from obscuring its original source host, which is mooted by the use of an unconfigurable cert with whatsapp in its CN?
  3. Then it is mentioned that both paths are different... are you saying they can't use the same cert because of that? How does this make any sense?

At this point, it's probably easier to just say nobody knows why 587 chooses to use the original cert from the source host.

bilogic avatar Aug 18 '25 13:08 bilogic

Each port serves a different path. 443 serves noise pipes traffic wrapped in TLS. 587 serves media traffic out of WhatsApp CDNs (http, not noise). These have different cert auth methods. I'm not sure how to be clearer than that.

-- Peixian

peixian avatar Aug 18 '25 14:08 peixian

Ok...

  1. Where are the "different cert auth methods" documented?
  2. https://scontent.xx.fbcdn.net/v/t39.8562-6/455962147_1148247109601582_1673264986279156121_n.pdf?_nc_cat=101&ccb=1-7&_nc_sid=e280be&_nc_ohc=jJjOSDHnf5UQ7kNvwG8VXgy&_nc_oc=Adnc-fxOGUJbX9yFtP5mVIUP5S4LgHNuKrsx3JZ_6ghQ0kbtre0niq9X74NIvQhBnIY&_nc_zt=14&_nc_ht=scontent.xx&nc_gid=yF2uFxWBNL3xzoK9sm9fiQ&oh=00_AfXkr-k-uZ5yDTC8mB-9Z1ZwMt5go0tPTw-CStNRX6L_w&oe=68A8F899 I cannot find any "cert" word in this file

bilogic avatar Aug 18 '25 16:08 bilogic

Again, noise does not require TLS. HTTPS (obviously) does require it. Noise can be optionally wrapped in TLS frames, which do not require cert validation. Chat messages are delivered via noise (optionally TLS). Media is always delivered over HTTPS, so a trusted cert authority is required. I would suggest reading through the noise pipes section and the media section in the white paper.

-- Peixian

peixian avatar Aug 18 '25 16:08 peixian
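The thread turns on one distinction: the port 443 listener can present a throwaway, self-signed chain because the noise-in-TLS client never validates it, while the port 587 listener fronts plain HTTPS and so must present a certificate that chains to a CA the client already trusts. The script below is an added example, not the project's generate-certs.sh or any code from the people in this thread. It builds a throwaway CA and a leaf certificate the way a proxy would for its 443 listener (the directory layout, CN values and `classify` helper are all assumed for illustration), then classifies any PEM certificate as self-signed or CA-issued by comparing subject and issuer. The `presented_cert` helper fetches the leaf a live listener presents so an operator can run the same check against their own proxy's 443 and 587 ports; it needs network access and is not exercised by the local demo. Requires the openssl CLI.

```shell
#!/bin/sh
# Added example (not the project's generate-certs.sh): throwaway CA + leaf,
# plus a self-signed vs CA-issued classifier for any PEM certificate.
set -eu

# make_ca DIR CN: self-signed CA written to DIR/ca.key and DIR/ca.crt.
# (Assumed file layout, not the proxy's own.)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# issue_leaf DIR CN: key + CSR for CN, signed by DIR's CA -> DIR/leaf.crt
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/leaf.crt" >/dev/null 2>&1
}

# cert_field FILE subject|issuer -> RFC2253 name with the "field=" prefix
# removed, e.g. "CN=proxy.example". RFC2253 output is stable across
# OpenSSL versions, unlike the default "CN = ..." rendering.
cert_field() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2=//"
}

# classify FILE -> "self-signed" when subject equals issuer (what a random
# per-proxy CA produces), otherwise "ca-issued" (what an HTTPS client on
# 587 would need, chained to a trusted root).
classify() {
  if [ "$(cert_field "$1" subject)" = "$(cert_field "$1" issuer)" ]; then
    echo self-signed
  else
    echo ca-issued
  fi
}

# presented_cert HOST PORT -> PEM of the leaf a live TLS listener presents.
# Pipe it into classify via a temp file to check your own proxy's ports.
# Not called by the demo below because it needs network access.
presented_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# Local demo on constructed certificates; cleaned up on exit.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
make_ca "$DEMO" "example-proxy-ca"
issue_leaf "$DEMO" "proxy.example"
echo "ca.crt:   $(classify "$DEMO/ca.crt")  subject $(cert_field "$DEMO/ca.crt" subject)"
echo "leaf.crt: $(classify "$DEMO/leaf.crt")  issuer $(cert_field "$DEMO/leaf.crt" issuer)"
```

Run against a real listener with something like `presented_cert myproxy.example 587 > /tmp/p587.crt; classify /tmp/p587.crt`: a `ca-issued` result whose issuer is a public CA is what HTTPS media traffic needs, while a `self-signed` result on 443 is the random CA the generate-certs.sh step produces.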