LegacyUpdate

Investigate delivering the site over HTTPS

Open kirb opened this issue 3 years ago • 9 comments

Cloudflare told me once that they worked out a solution to provide current, valid SHA1 certs for certain customers. I wonder if they would be willing to provide this kind of assistance to us as a FOSS community project? Of course, they'd also need to provide a dedicated IP because of the lack of SNI, so it's not exactly free for them.

If not, the next best thing would be to install a self-signed SHA1 cert. Not as tidy a solution, and it'd need to bypass Cloudflare, but it'll work. I'd need to rent a separate dedicated IP for this approach, again because of no SNI.

kirb avatar Oct 09 '22 03:10 kirb

Unsure on SHA-1 support, but Google's Public CA should work fine on Windows XP, at least in theory (it's backed by GlobalSign Root from 1998).

Also, if using Nginx, you can forward older SSL protocols (read SSLv2, SSLv3, TLSv1) to another load balancer, negating the need (hopefully!) for another IP to be rented.

stream {

    # Backend that still offers the legacy protocols/ciphers (e.g. a separate nginx build with older OpenSSL)
    upstream old_ssl_backend {
        server 127.0.0.1:8444;
    }

    # Backend serving modern TLS
    upstream https_default_backend {
        server 127.0.0.1:8443;
    }

    # Route on the highest protocol version advertised in the ClientHello (needs ssl_preread)
    map $ssl_preread_protocol $upstream {
        "TLSv1.3" https_default_backend;
        "TLSv1.2" https_default_backend;
        "TLSv1.1" https_default_backend;
        "TLSv1"   old_ssl_backend;
        "SSLv3"   old_ssl_backend;
        "SSLv2"   old_ssl_backend; # I've not tested SSLv2.
        default   https_default_backend; # unrecognised or non-TLS traffic: fall back to the modern backend
    }

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;      # peek at the ClientHello without terminating TLS here
        proxy_protocol on;   # both backends must be configured to accept the PROXY protocol header

        proxy_pass $upstream;
    }

}

InternalLoss avatar Oct 10 '22 08:10 InternalLoss
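The routing above relies on what `ssl_preread` can see in the ClientHello before any TLS is terminated: the highest protocol version the client offers and, if present, the SNI host name. The following is an added example, not code from this thread or from the Legacy Update project, that builds a minimal ClientHello from constructed data, parses it the way `ssl_preread` would, and applies the same protocol-to-backend mapping as the nginx `map` block. It also shows why a client without SNI (as in the XP case discussed above) cannot be distinguished by host name and therefore needs its own IP. The builder, parser and `choose_backend` names are this example's own; the sample host name is taken from the thread.

```python
import struct

# Protocol versions as they appear in a TLS ClientHello
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
EXT_SNI = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002b


def build_client_hello(version, sni=None, supported_versions=()):
    """Construct a minimal TLS ClientHello record (test data only, not a real client)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_data = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", EXT_SNI, len(sni_data)) + sni_data
    if supported_versions:                                        # TLS 1.3 clients advertise here
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        sv_data = bytes([len(vers)]) + vers
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_data)) + sv_data
    body = struct.pack("!H", version) + b"\x00" * 32      # client_version + fixed zero random
    body += b"\x00"                                       # empty session id
    body += struct.pack("!H", 2) + b"\x00\x2f"            # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
    body += b"\x01\x00"                                   # null compression only
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    record_version = min(version, 0x0301)                 # SSLv3 uses 0x0300 on the record layer
    return b"\x16" + struct.pack("!H", record_version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return (highest_protocol_name, sni_or_None) as ssl_preread would observe it."""
    if len(data) < 5 or data[0] != 0x16:
        return ("", None)     # not a TLS handshake record: nginx sets $ssl_preread_protocol to ""
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        return ("", None)
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 34                                                   # skip client_version + random
    pos += 1 + body[pos]                                       # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # cipher suites
    pos += 1 + body[pos]                                       # compression methods
    sni = None
    if pos + 2 <= len(body):                                   # extensions are optional (XP sends none)
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SNI and len(edata) >= 5:
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
            elif etype == EXT_SUPPORTED_VERSIONS and edata:
                n = edata[0]
                offered = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
                # ignore GREASE/unknown values so they cannot inflate the result
                version = max([version] + [v for v in offered if v in VERSION_NAMES])
    return (VERSION_NAMES.get(version, "unknown"), sni)


def choose_backend(protocol):
    """Mirror the nginx map: legacy protocol versions go to the SHA-1/legacy-cipher backend."""
    return "old_ssl_backend" if protocol in ("SSLv2", "SSLv3", "TLSv1") else "https_default_backend"


if __name__ == "__main__":
    # Constructed samples: an XP-style client (TLS 1.0, no SNI) and a modern one (TLS 1.3 with SNI)
    for hello in (build_client_hello(0x0301),
                  build_client_hello(0x0303, sni="legacyupdate.net", supported_versions=(0x0304, 0x0303))):
        proto, sni = parse_client_hello(hello)
        print(proto, sni, "->", choose_backend(proto))
```

Note that the no-SNI client yields `None` for the host name: on a shared IP there is nothing to select a certificate by, which is the reason a dedicated IP keeps coming up in this thread. The `default` case (anything that is not a TLS handshake) is what the map's `default` entry should cover so `proxy_pass` never receives an empty upstream name.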

That’s an interesting approach, I like it, thanks for posting! Hopefully I should be able to proxy_pass to https://legacyupdate.net:443, with that name being routed to 127.0.0.1 in hosts. (There might be a way to tell proxy_pass which SNI to use though)

I heard back from Cloudflare, who gave me the bad news that they can’t provide SHA1 certs any more, because the root they used for this expired in June 2019. Realistically, because CF only supports using a customer-provided cert on Enterprise which is far too expensive ($200/month), it seems I’ll have to migrate to a strategy that looks something like:

  • legacyupdate.net, run through Cloudflare, providing unencrypted http and modern TLS for clients with SNI (Vista+ and anyone just browsing the site on a modern device)
  • sha1.legacyupdate.net, supporting only SSLv3/TLSv1.0 with either a Google cert if possible, or worst case, a self-signed root the Legacy Update installer will need to add to the trust store.

So which host you use to access the site itself is a tradeoff between speed (Cloudflare edge cache) and security. WSUS can be configured to just always use the SHA1 host on XP/2000 because Cloudflare can’t cache it anyway.

kirb avatar Oct 10 '22 08:10 kirb

Sounds like a good idea :)

Do you have a Discord? It might be easier to communicate there than cluttering up GitHub Issues - I'm currently trying to test Win2k RTM and running into issues I'm sure would be easy to fix :P

InternalLoss avatar Oct 10 '22 08:10 InternalLoss

Definitely, send me a friend request at @kirb#1809 (https://chariz.com/discord if you can't find me, I'll be at the top of the member list)

kirb avatar Oct 10 '22 08:10 kirb

Any update on this @kirb? It would definitely be nice to access the site over HTTPS on XP and 2000.

sydia1103 avatar Nov 08 '22 01:11 sydia1103

Not really any progress on the server side of things yet, but I just released 1.2 which checks whether your machine is capable of connecting to the site over HTTPS, and if so, configures the WSUS server and Start menu shortcut to connect via HTTPS.

kirb avatar Nov 12 '22 03:11 kirb

Also, just letting you know, XP can't access the site at all over HTTPS even with SP3, due to your server not supporting the 3DES cipher. Cloudflare does support it, as shown here, so maybe enabling it would be a start in making your website HTTPS compatible on XP. You can always check what ciphers your website supports here.

sydia1103 avatar Nov 12 '22 14:11 sydia1103

Just to follow along with above, modern Nginx from Ubuntu's APT doesn't seem to come with the ciphers needed for XP anymore (even if you use Mozilla's old SSL config)

InternalLoss avatar Nov 13 '22 01:11 InternalLoss
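Putting the two comments above together, the legacy backend behind the stream router has to accept the PROXY protocol header that the router adds and must explicitly allow TLS 1.0 with the 3DES suite, which current OpenSSL security levels reject by default. The server block below is an added, assumed configuration for that backend (port 8444 from the stream example), not a file from the Legacy Update project; the certificate paths are placeholders. Whether `DES-CBC3-SHA` is available at all still depends on the OpenSSL build nginx is linked against, which is the problem InternalLoss describes.

```nginx
# Legacy backend: only reached for TLSv1/SSLv3 ClientHellos forwarded by the stream router,
# so the weak settings here never apply to clients that could negotiate modern TLS.
server {
    listen 127.0.0.1:8444 ssl proxy_protocol;   # the stream server sends PROXY protocol
    server_name sha1.legacyupdate.net;

    # Restore the original client address from the PROXY header for logging/rate limiting
    set_real_ip_from 127.0.0.1;
    real_ip_header proxy_protocol;

    ssl_certificate     /etc/ssl/placeholder/sha1-cert.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/placeholder/sha1-key.pem;    # placeholder path

    # XP Schannel needs TLS 1.0 and TLS_RSA_WITH_3DES_EDE_CBC_SHA ("DES-CBC3-SHA" in OpenSSL).
    # @SECLEVEL=0 lowers the OpenSSL security level that otherwise refuses 3DES and SHA-1;
    # the suite must also still be compiled into the OpenSSL that nginx uses.
    ssl_protocols TLSv1;
    ssl_ciphers 'DES-CBC3-SHA:@SECLEVEL=0';
    ssl_prefer_server_ciphers on;

    # Only the update traffic needs this host; do not enable HSTS or caching here
    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed local HTTP origin, not the project's real origin
    }
}
```

Keeping this block on its own host name and port means the modern `https_default_backend` can stay at the usual hardened settings; nothing in the stream map routes TLS 1.1+ clients here.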

Thanks heaps for that @sydia1103, though edge certificates are a feature of the advanced certificate manager feature which is a paid addon. I’m also not sure it’ll work without SNI, because if I understand right the idea is you’re purchasing a cert for yourself alone, unlike Cloudflare’s standard cert provisioning where they use one cert with hundreds of domains on it. I’ll do more research and likely enquire with them to get more info on its legacy compatibility.

@InternalLoss Good to know, I’ll probably have to run nginx in a Docker container with a custom build of OpenSSL or an older Ubuntu LTS.

kirb avatar Nov 13 '22 03:11 kirb