Adapting proxo 4.5 to the latest OpenSSL DLLs
Nov. 02, 2014, 11:05 PM
Post: #16
RE: Adapting proxo 4.5 to the latest OpenSSL DLLs
(Nov. 02, 2014 10:38 PM)herbalist Wrote:  Both the 70 and 90 versions are in the system folder and in the Proxomitron folder.
Regarding
Quote:Install this, then install "OpenSSL Light" using the '/bin' option, and then run FixSSL_9xNT4.bat contained within the /bin directory.
I'm wondering if I have to run that every time I update OpenSSL. I'm sure that OpenSSL works on this PC. Tor uses OpenSSL and this PC is an exit node.

Stranger things have happened.
So, Tor existed and was using OpenSSL. You then updated. Can you see that Tor is using the updated version?

What is in "FixSSL_9xNT4.bat"?
Nov. 02, 2014, 11:14 PM
Post: #17
RE: Adapting proxo 4.5 to the latest OpenSSL DLLs
OpenSSL is compiled into Tor, at least on Windows versions.
Quote:What is in "FixSSL_9xNT4.bat"?
Code:
echo off
cls

echo This application modifies the OpenSSL binaries so that they work under
echo Win9x/Me/NT4.  The modifications are general-purpose and don't violate
echo default build rules.  Use of this tool is at your own risk!
echo.
echo ("Your own risk" being technical, legal, etc. issues)
echo.
echo.
echo Don't forget to donate to OpenSSL!
echo.
echo.
echo.
pause
cls

if exist osslkrnl.dll goto AlreadyFixed

if not exist libeay32.dll goto NotBinInstalled
if not exist ssleay32.dll goto NotBinInstalled

if not exist %windir%\PEProxy.exe goto MissingDependency

if exist %windir%\system32\vc90hook.dll goto DetectedNT
if not exist %windir%\system\vc90hook.dll goto MissingDependency

rem Win9x/Me only.
copy %windir%\system\vc90hook.dll .
copy %windir%\system\unicows.dll .

goto RunMain


:DetectedNT
copy %windir%\system32\vc90hook.dll .
copy %windir%\system32\unicows.dll .


:RunMain
PEProxy kernel32.dll osslkrnl.dll vc90hook.dll*unicows.dll libeay32.dll ssleay32.dll openssl.exe
copy ssleay32.dll libssl32.dll
erase vc90hook.dll
erase unicows.dll
erase *.bak.*
copy *.dll ..\.

goto end


:AlreadyFixed
cls
echo Already fixed.
echo.
echo It appears that OpenSSL has already been modified for use for your OS.
pause
goto end


:NotBinInstalled
cls
echo A dependency of this program is missing.
echo.
echo Did you install OpenSSL with the /bin option?
pause
goto end


:MissingDependency
cls
echo A dependency of this program is missing.
echo.
echo Did you install the RunMagic version of the VC++ 2008 Redistributables
echo globally using the InstallGlobal application included with RunMagic?
pause
goto end

:end
cls
Nov. 03, 2014, 12:54 AM
Post: #18
RE: Adapting proxo 4.5 to the latest OpenSSL DLLs
(Nov. 02, 2014 11:14 PM)herbalist Wrote:  OpenSSL is compiled into Tor, at least on Windows versions.

If you have never followed all the steps to install the "Visual C++ 2008 Redistributables for Windows 9x/NT4" from slproweb, I would.

Code:
if exist osslkrnl.dll goto AlreadyFixed

That reads like you only need to do it once but

Code:
:AlreadyFixed
cls
echo Already fixed.
echo.
echo It appears that OpenSSL has already been modified for use for your OS.
pause
goto end


If OpenSSL is modified by running "FixSSL_9xNT4.bat", updated OpenSSL won't be modified until PEProxy is run.

My guess is you need to at least
Quote:install "OpenSSL Light" using the '/bin' option, and then run FixSSL_9xNT4.bat contained within the /bin directory
every time you update OpenSSL after using "RunMagic.bat" first.

You might need to uninstall the old OpenSSL first.
You might need to run RunMagic every time.

Read the ReadMe files in the "RunMagic.zip" for more.

Quote:******************** RunMagic - The Best Application Ever ********************

Welcome to RunMagic, the best software application - ever.

Run RunMagic.bat. At your own risk (technical, legal, etc). Prepares the
VC++ 2008 Redistributables for use on Windows 95/98/Me/NT4.


Optional (but recommended): Run InstallGlobal.bat to install the files into
the Windows\System or System32 directory (global install allows many VC++ 2008
applications to run - although they will also likely need PETools).



Active Accessibility (optional):

Windows 95: Win95_ActiveAccessibility_Redist_13.exe
All other versions of Windows: ActiveAccessibility_Redist_20.exe.

The latter installer is a two step process. Extract then install.


NOTE: PETools, included, are not free. Be sure to pay the author a few
bucks (send money via PayPal to [email protected]). Lots of
applications are moving to VC++ 2008, so you'll get quite a bit of use
out of the tools.



If you get use out of this software application, be sure to thank the author.

If you can't figure this out on your own, upgrade your OS.

If you have a blog or website, don't be an idiot like people were with
SysInternals and just pointed at their stuff and, as a result, we have lost a
great website and a huge chunk of advanced Windows source code. Copy this
application everywhere!

Funny guy
Nov. 03, 2014, 02:03 AM
Post: #19
RE: Adapting proxo 4.5 to the latest OpenSSL DLLs
I did run that batch file when I originally installed OpenSSL and the VC redistributables. I've updated OpenSSL many times since but did not rerun the batch files. The next time the Tor traffic drops down, I'll reboot and reinstall all of it.
Nov. 03, 2014, 05:31 AM
Post: #20
RE: Adapting proxo 4.5 to the latest OpenSSL DLLs
(Nov. 03, 2014 02:03 AM)herbalist Wrote:  I'll reboot and reinstall all of it.

I managed to get an old machine together and running. Fortunately, a machine with all the old tools already loaded.

Had to use RunMagic and InstallGlobal bats.
"FixSSL_9xNT4.bat" appeared to modify the DLLs and add files.
Had to add "osslkrnl.dll" to Prox's or windows\system folder.
Had to add windows\system to the path.

Process failed with 'ssleay32.dll initialization routine failed'.

The old machine and I may have some problems but things don't look good for Proxo and latest OpenSSL on Win98.

If you are happy with things as they are, you may not want to risk "updating".
Nov. 03, 2014, 05:45 AM
Post: #21
RE: Adapting proxo 4.5 to the latest OpenSSL DLLs
I'd prefer to filter HTTPS if I can, since more sites are switching to it. Didn't have any success with ProxHTTPSProxyMII on this box. I'll give updating another attempt. If it doesn't work, restoring a backup image is a 5 minute job.
Nov. 03, 2014, 12:20 PM
Post: #22
RE: Adapting proxo 4.5 to the latest OpenSSL DLLs
(Nov. 02, 2014 08:38 PM)JJoe Wrote:  I changed line 54 of ProxHTTPSProxy.pyv1.1b from
Code:
sslparams = dict(cert_reqs="REQUIRED", ca_certs="cacert.pem", ssl_version="TLSv1")
to
Code:
sslparams = dict(cert_reqs="REQUIRED", ca_certs="cacert.pem")
Result is "Your SSL client is Probably Okay." at https://www.howsmyssl.com/ .
Before the change, I saw "Your SSL client is Bad." due to TLSv1 use.
I have not noticed any problems after the change.

Nice find. It will be in the next version if it runs well on my machine for a while.
Nov. 15, 2014, 07:59 AM (This post was last modified: Nov. 15, 2014 08:02 AM by amy.)
Post: #23
RE: Adapting proxo 4.5 to the latest OpenSSL DLLs
I've also been working on patching Proxomitron to work with latest OpenSSL and have success with 1.0.1j, accepts custom cipher configuration and SNI support. :)

Here is a brief list of modifications so far, I am still testing it out:
- OpenSSL_add_all_algorithms replaced with SSL_library_init
- Allow configuration of cipher list via SSL_CTX_set_cipher_list (disabled all insecure ciphers)
- SNI support!

https://www.ssllabs.com/ssltest/viewMyClient.html says
Code:
Protocols*
TLS 1.2    Yes
TLS 1.1    Yes*
TLS 1.0    Yes*
SSL 3    Yes*
SSL 2    No


Cipher Suites (in order of preference)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   Forward Secrecy     256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   Forward Secrecy     256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   Forward Secrecy     256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)   Forward Secrecy     256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy     256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy     256
TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA (0xc022)     256
TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA (0xc021)     256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0xa3)   Forward Secrecy*     256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   Forward Secrecy     256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   Forward Secrecy     256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x6a)   Forward Secrecy*     256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   Forward Secrecy     256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38)   Forward Secrecy*     256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)   Forward Secrecy     256
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x87)   Forward Secrecy*     256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)     256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)     256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)     256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)     256
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   Forward Secrecy     112
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)   Forward Secrecy     112
TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA (0xc01c)     112
TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA (0xc01b)     112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   Forward Secrecy     112
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13)   Forward Secrecy*     112
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)     112
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Forward Secrecy     128
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   Forward Secrecy     128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   Forward Secrecy     128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)   Forward Secrecy     128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy     128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy     128
TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA (0xc01f)     128
TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA (0xc01e)     128
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0xa2)   Forward Secrecy*     128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   Forward Secrecy     128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   Forward Secrecy     128
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x40)   Forward Secrecy*     128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   Forward Secrecy     128
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)   Forward Secrecy*     128
TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a)   Forward Secrecy     128
TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x99)   Forward Secrecy*     128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)   Forward Secrecy     128
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x44)   Forward Secrecy*     128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)     128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)     128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)     128
TLS_RSA_WITH_SEED_CBC_SHA (0x96)     128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)     128
TLS_RSA_WITH_IDEA_CBC_SHA (0x7)     128
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff)    -

(*) Cannot be used for Forward Secrecy because they require DSS keys, which are effectively limited to 1024 bits.  

Protocol Details
Server Name Indication (SNI) Yes
Secure Renegotiation Yes
TLS compression No
Session tickets Yes
OCSP stapling No
Signature algorithms SHA512/RSA, SHA512/DSA, SHA512/ECDSA, SHA384/RSA, SHA384/DSA, SHA384/ECDSA, SHA256/RSA, SHA256/DSA, SHA256/ECDSA, SHA224/RSA, SHA224/DSA, SHA224/ECDSA, SHA1/RSA, SHA1/DSA, SHA1/ECDSA, MD5/RSA  
Elliptic curves sect571r1, sect571k1, secp521r1, sect409k1, sect409r1, secp384r1, sect283k1, sect283r1, secp256k1, secp256r1, sect239k1, sect233k1, sect233r1, secp224k1, secp224r1, sect193r1, sect193r2, secp192k1, secp192r1, sect163k1, sect163r1, sect163r2, secp160k1, secp160r1, secp160r2  
Next Protocol Negotiation No
Application Layer Protocol Negotiation No
SSL 2 handshake compatibility No

Still todo improvements:
Disable SSLv3 (prevent POODLE attack)
SubjectAltName extension
Wildcard certificates checking

OCSP stapling (after all the above, this one will take quite a bit more code)
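What the "SubjectAltName extension" and "Wildcard certificates checking" items in the to-do list above have to get right, as an added example (not amy's patch and not Proxomitron code): matching the requested host against one dNSName entry, with the wildcard limited to a whole left-most label. The function name `san_matches_host` and the sample names are hypothetical; IP-address and internationalized names are out of scope here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare of n bytes (DNS names are ASCII). */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Return 1 if one dNSName entry (san_len bytes as stored in the
 * certificate, not necessarily NUL-terminated) covers host, else 0. */
int san_matches_host(const char *san, size_t san_len, const char *host)
{
    size_t host_len = strlen(host);
    /* An embedded NUL would make C string code see a shorter name. */
    if (san_len == 0 || host_len == 0 || memchr(san, '\0', san_len))
        return 0;
    /* No wildcard at all: plain case-insensitive equality. */
    if (!memchr(san, '*', san_len))
        return san_len == host_len && ieq(san, host, san_len);
    /* The wildcard must be the entire left-most label: "*." + suffix. */
    if (san_len < 3 || san[0] != '*' || san[1] != '.')
        return 0;
    const char *suffix = san + 1;          /* e.g. ".example.com" */
    size_t suffix_len = san_len - 1;
    if (memchr(suffix, '*', suffix_len))   /* only one wildcard allowed */
        return 0;
    /* Require two labels after the wildcard, so "*.com" is refused. */
    const char *dot = memchr(suffix + 1, '.', suffix_len - 1);
    if (!dot || dot == suffix + 1 || dot == suffix + suffix_len - 1)
        return 0;
    /* Host must be exactly one extra label (no dot in it) + suffix. */
    if (host_len <= suffix_len)
        return 0;
    size_t label_len = host_len - suffix_len;
    if (memchr(host, '.', label_len))
        return 0;
    return ieq(host + label_len, suffix, suffix_len);
}

int main(void)
{   /* Constructed sample names, not taken from the thread. */
    printf("%d\n", san_matches_host("*.example.com", 13, "mail.example.com"));
    return 0;
}
```

A certificate is accepted for a host if any of its dNSName entries returns 1; passing the ASN.1 length rather than relying on `strlen` is what lets the embedded-NUL case be rejected.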
Nov. 15, 2014, 05:23 PM
Post: #24
RE: Adapting proxo 4.5 to the latest OpenSSL DLLs
(Nov. 15, 2014 07:59 AM)amy Wrote:  I've also been working on patching Proxomitron to work with latest OpenSSL and have success with 1.0.1j, accepts custom cipher configuration and SNI support. :)

Cool

(Nov. 15, 2014 07:59 AM)amy Wrote:  Still todo improvements:
Disable SSLv3 (prevent POODLE attack)
SubjectAltName extension
Wildcard certificates checking

OCSP stapling (after all the above, this one will take quite a bit more code)

Have fun. :)
Dec. 31, 2014, 09:12 PM
Post: #25
RE: Adapting proxo 4.5 to the latest OpenSSL DLLs
(Nov. 01, 2014 03:21 AM)JJoe Wrote:  Looks good. :)

The patched Proxomitron exe is using the latest libeay32.dll and ssleay32.dll from https://slproweb.com/products/Win32OpenSSL.html .
The Proxomitron's log window shows the change and various web tests confirm it.

I haven't noticed any new problems. The old problems remain, however.

To try mas's mod... ... ...

i'm reporting to advise against this patch, in my experience at least
sure, it will gain usability with the latest libeay32/ssleay32 but SO WHAT

what i've noticed is LOST is the ability to BYPASS PROXOMITRON from the systray menu, a far FAR more important "feature" than the latest no-real-advantage .dll's...
Dec. 31, 2014, 10:49 PM
Post: #26
RE: Adapting proxo 4.5 to the latest OpenSSL DLLs
additional info...

bypass from systray still functions in 32bit WinXP...
but this patch breaks it in 64bit Win7...
Dec. 31, 2014, 11:51 PM
Post: #27
RE: Adapting proxo 4.5 to the latest OpenSSL DLLs
(Dec. 31, 2014 10:49 PM)ProxRocks Wrote:  bypass from systray still functions in 32bit WinXP...
but this patch breaks it in 64bit Win7...

Bypass from systray works for me on 64bit Win7.

Are you using this patch with others?
Jan. 01, 2015, 01:37 AM
Post: #28
RE: Adapting proxo 4.5 to the latest OpenSSL DLLs
yes, with others
i assumed that any and all patches were "self-contained", one didn't ("shouldn't") affect another...

please PM me an email addy...
Jan. 01, 2015, 10:23 AM
Post: #29
RE: Adapting proxo 4.5 to the latest OpenSSL DLLs
(Nov. 02, 2014 04:43 PM)herbalist Wrote:  It appears to work on a virtual XP. On 98SE, it doesn't find or recognize ssleay32.dll. ... The new DLLs want msvcr90.dll...

i'm not quite following...
is the msvcr90 needed only if you are running 98SE?

System32 folder -
my Win7 does not have ..90 (or ..70), it only has ..100
my WinXP does not have ..90 either, it has ..70, ..71, ..100, ..110, and ..120
Jan. 01, 2015, 04:32 PM (This post was last modified: Jan. 01, 2015 07:02 PM by JJoe.)
Post: #30
RE: Adapting proxo 4.5 to the latest OpenSSL DLLs
(Jan. 01, 2015 10:23 AM)ProxRocks Wrote:  
(Nov. 02, 2014 04:43 PM)herbalist Wrote:  It appears to work on a virtual XP. On 98SE, it doesn't find or recognize ssleay32.dll. ... The new DLLs want msvcr90.dll...

i'm not quite following...
is the msvcr90 needed only if you are running 98SE?

Yes, Windows 95, 98, Me, and NT4.
"Visual C++ 2008 Redistributables for Windows 9x/NT4" from https://slproweb.com/products/Win32OpenSSL.html has msvcr90 for those OSs.

(Jan. 01, 2015 10:23 AM)ProxRocks Wrote:  System32 folder -
my Win7 does not have ..90 (or ..70), it only has ..100
my WinXP does not have ..90 either, it has ..70, ..71, ..100, ..110, and ..120

I also only have 100 on Win7. I think it came from installation of "Visual C++ 2008 Redistributables".

WinXP has 71, 100, and 120.