Proxo blocking Opera receiving updated Certificates
Sep. 17, 2009, 12:37 PM (This post was last modified: Sep. 17, 2009 12:41 PM by Mele20.)
Post: #1
Proxo blocking Opera receiving updated Certificates
I'm using Opera a lot more now. I have version 1010 and I tried to use Opera a few days ago to do a Microsoft survey (I am a long time Windows Feedback Panel member). Opera refused to open the survey page complaining that it had not heard of Verisign as a root authority and that also there was a missing intermediate cert. Fx had no problems opening the page nor did IE 6 and 8. In looking at the Opera certs and comparing to those in Fx 1.5 and Fx3, I noticed that Opera has a number of missing certs both intermediate and root. I imported the needed Verisign one from Fx and then everything was fine. But I later tried another page that Opera also refused to open saying the cert issuer was unknown. During both problems, I tried bypassing Proxo and that did not help so I did not think Proxo was the problem.

I posted the problem at dslreports Security forum and then went on a short business trip. I checked the thread a few minutes ago and Bandheight has found the culprit and he asked me to post it here. It's this filter:

[HTTP headers]
In = TRUE
Out = FALSE
Key = "Content-Type: 5a Filter sel. Text Types 9.02.25 [sd] (d.r l.3) (In)"
URL = "^$RESP(204|3)|$TST(hRealCT=*)|$TST(keyword=*.(a_headers|a_type_t|i_level:[12]).*)|$TST(volat=*.post:1.*)|$TST(uExt=exe|gz)"
Match = "text/plain(^*; Prx(^Msg: Fixed acc. to Original))$SET(1=\0)|(^?)($TST(hOrigUA=*msie(^*opera)*)$SET(1=text/plain)|)$SET(2=: No Content-Type)&\0&($TST(volat=*.log:2*)$ADDLST(Log-Main,[$DTM(d T)]\tHDR_In CT_FilterTrue\t\1\2 \t\u)|)$LOG(CRESP $DTM(c) : Content-Type: Filter True: \1)"
Replace = "\1; PrxMsg: Filter Text\2$SET(hRealCT=filter)$FILTER(1)"

The thread is here:
http://www.dslreports.com/forum/r2302521...s#23037790

Bandheight says that with this filter on, Opera is unable to update certificates. If the filter is unchecked for several hours, and Opera is left running, then Opera will update the certs. So, I am going to disable the filter just before I go to sleep and leave Opera open and running overnight.

Edit: I should add that Bandheight reports that Opera 9.64 also exhibits this problem. It is not just in Opera 10 (my 1010 for anyone curious is a later version than the official Opera 10 and it has Opera Unite enabled).
Sep. 17, 2009, 03:04 PM (This post was last modified: Sep. 21, 2009 04:04 PM by JJoe.)
Post: #2
RE: Proxo blocking Opera receiving updated Certificates
Request: Shouldn't this thread be in The Un-Official Proxomitron Forum / Forum Related / Proxomitron Program?

Looks like Opera's auto update feature updates certs and ?

I just ran Opera 10's auto update by visiting https://autoupdate.opera.com/ with the Proxomitron in bypass.

http://local.ptron/.pinfo/urls/
shows

Code:
application/ocsp-response    550    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQcvmRTOFIb9yvOlZRB1IfKmOOYlgQUQ0lH589A0ZqokvKMisqYk8%2FJCA8CEAPphrIqXUjwlD7ex7TJKV8%3D
application/x-pkcs7-crl      716    http://crl.entrust.net/2048ca.crl

So you could try adding

Code:
#Allow opera to update.
autoupdate.opera.com:
certs.opera.com:
help.opera.com/servicefiles/userjsfiles/all/browserjs[-0-9]++.js
xml.opera.com/update/\?timesincelastcheck
xml.opera.com/spoof/
xml.opera.com:443/spoof/
xml.opera.com/userjs/
help.opera.com/dictionary/dictionaries.xml

[^.]+.verisign.com/[^.]+.cer
crl.verisign.com/[^.]+.crl
ocsp.verisign.com/?[^/.;?]+

crl.entrust.net/[^.]+.crl

ocsp.digicert.com/?[^/.;?]+

to Bypass or visit
https://autoupdate.opera.com/
with the Proxomitron in bypass when needed.


What addresses are used by Opera 9.64?

HTH

Edit: Added to the list of possible Bypass List entries.
Thanks to BandHeight of DSLReports.com.
Sep. 23, 2009, 05:15 PM (This post was last modified: Sep. 23, 2009 05:30 PM by sidki3003.)
Post: #3
RE: Proxo blocking Opera receiving updated Certificates
I haven't checked with Opera 10. Maybe it's time to distribute a "Bypass List.txt" containing SSL bypasses with the config.

Opera 7.x till 9.x were downloading a hot-patch JS containing a hash (file checksum). So the modifications by filters like the one mentioned above resulted in Opera rejecting the script.

That's why 2004 and later configs contain an Exceptions entry:
Code:
[^.]+.opera.com/servicefiles/            $SET(0=a_web.)
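A small model of the failure described in post #3, as an added example that is not part of the original posts: a client that verifies a checksum over a downloaded script rejects it once a rewriting proxy touches the body, and accepts it when the URL is bypassed. The payload, SHA-256 as the hash, the injected comment and the regex bypass entries are assumptions; the thread does not show Opera's actual file format or hash algorithm.

```python
import hashlib
import re

# Constructed sample payload and its published checksum (format is assumed).
ORIGINAL_BODY = b"// hot-patch script (constructed sample)\nfunction fix(){return 1;}\n"
PUBLISHED_SHA256 = hashlib.sha256(ORIGINAL_BODY).hexdigest()

# Hypothetical bypass entries, written as Python regexes rather than
# Proxomitron pattern syntax.
BYPASS = tuple(re.compile(p) for p in (
    r"^autoupdate\.opera\.com(:\d+)?/",
    r"^help\.opera\.com/servicefiles/",
))

# Assumption of this model: text-like bodies, and bodies with no
# Content-Type at all, are handed to the web filters.
FILTERED_TYPES = ("text/", "application/javascript", "application/x-javascript")


def is_bypassed(url, bypass):
    """True if host/path (scheme stripped) matches a bypass entry."""
    target = re.sub(r"^https?://", "", url)
    return any(p.search(target) for p in bypass)


def proxy_response(url, content_type, body, bypass):
    """Model of a content-rewriting proxy: rewrite text bodies unless bypassed."""
    if is_bypassed(url, bypass):
        return body
    if content_type is None or content_type.startswith(FILTERED_TYPES):
        # Stand-in for whatever a web filter injects or strips.
        return body + b"\n/* injected by proxy filter */"
    return body


def client_accepts(body, expected_sha256):
    """Client-side integrity check: only a byte-identical payload passes."""
    return hashlib.sha256(body).hexdigest() == expected_sha256


def fetch_via_proxy(url, content_type, bypass=BYPASS):
    delivered = proxy_response(url, content_type, ORIGINAL_BODY, bypass)
    return client_accepts(delivered, PUBLISHED_SHA256)


if __name__ == "__main__":
    url = "http://help.opera.com/servicefiles/userjsfiles/all/browserjs-1.js"
    print("filtered:", fetch_via_proxy(url, "text/plain", bypass=()))
    print("bypassed:", fetch_via_proxy(url, "text/plain"))
```

Any single-byte change by the proxy fails the check, which is why integrity-checked update traffic belongs on the bypass or exceptions list rather than in the filter path.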