Web Services communication on a modern distro

Trackmania Forever public API and its open source PHP SDK.

Moderator: NADEO

Post Reply
User avatar
Xymph
Posts: 1399
Joined: 15 Jun 2010, 20:35
Contact:

Web Services communication on a modern distro

Post by Xymph »

Posting this because it took a lot longer to figure out than the description below makes it appear, and may help other users of the TMF Web Services (if any are left).

TL;DR

OpenSSL on a modern distro supports TLS v1.2+, the WS server supports TLS v1.0. Outlined below is how to get WS requests to work nonetheless, by enabling TLS v1.0 only for WS scripts.

Problem

I use the WS in MetaStats and some offline scripts. After (finally, belatedly) upgrading to a modern distro -- Ubuntu Mate LTS in my case -- these scripts failed. A manual check revealed:

Code: Select all

$ wget --tries=1 --server-response --spider https://ws.trackmania.com/
Spider mode enabled. Check if remote file exists.
--2021-09-27 10:11:23--  https://ws.trackmania.com/
Resolving ws.trackmania.com (ws.trackmania.com)... 178.33.106.156
Connecting to ws.trackmania.com (ws.trackmania.com)|178.33.106.156|:443... connected.
OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Unable to establish SSL connection.
Background

Searching for the error led to various postings (like this) that indicated that OpenSSL in the distro supports only TLS v1.2+, while the WS server supports only TLS v1.0 (and SSL v3, but nevermind that). See:

Code: Select all

$ nmap --script ssl-enum-ciphers -p 443 ws.trackmania.com
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-27 10:46 CEST
Nmap scan report for ws.trackmania.com (178.33.106.156)
Host is up (0.015s latency).
rDNS record for 178.33.106.156: 178-33-106-156.ovh.net

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
[...]
|   TLSv1.0: 
|     ciphers: 
[...]
Nmap done: 1 IP address (1 host up) scanned in 1.36 seconds
Solution

Ideally the WS server is upgraded to modern Apache/OpenSSL versions, as it currently runs an Ubuntu distro with PHP 5.3 (X-Powered-By: PHP/5.3.2-1ubuntu4.30) that is about a decade old. ;) But given that Nadeo does very little to support TMF anymore, this is unlikely to happen, and I'm glad the WS server is still running at all.

So TLS v1.0 needs to be enabled locally, but I would prefer this to happen only for WS scripts rather than system-wide by default. A better approach is a separate config file that is invoked only for WS scripts via environment variable OPENSSL_CONF.

However, PHP's interaction with environment variables is not entirely trivial. It turns out using putenv() or $_ENV[] in the script to define OPENSSL_CONF happens too late, it needs to exist prior to invoking the script. For a standalone script this can be done with a bash wrapper, e.g.:

Code: Select all

#!/bin/bash
OPENSSL_CONF=/usr/local/etc/openssl_tls1.conf php /usr/local/bin/playertype.php $1
In Apache context this can unfortunately not be done via SetEnv restricted to a single directory, but requires a global Apache setting in /etc/apache2/envvars (Ubuntu/Debian) or /etc/sysconfig/httpd (RedHat/CentOS):

Code: Select all

# Allow TLSv1.0 on ws.trackmania.com in TrackMania\WebServices\
export OPENSSL_CONF=/usr/local/etc/openssl_tls1.conf
This is not ideal, as it enables TLS v1.0-1.1 on all websites, but at least it is adequate to revive MetaStats for TMF.
Too bad it's still dead for MP after Nadeo's ws.maniaplanet.com server was shut down...
Developer of XASECO for TMF/TMN ESWC & XASECO2 for TM²: see XAseco.org
Find your way around the Mania community from the TMN ESWC hub, TMF hub, TM² hub, and SM hub
User avatar
Xymph
Posts: 1399
Joined: 15 Jun 2010, 20:35
Contact:

Re: Web Services communication on a modern distro

Post by Xymph »

Upon further thought and testing, the Apache envvar change was less than adequate, as it degraded the SSL score of my sites to a B. So now MetaStats uses the same bash wrapper approach to a separate PHP script that makes the API calls, and returns the info as a JSON string for processing in the main script. SSL score back to A+, phew. :mrgreen:
Developer of XASECO for TMF/TMN ESWC & XASECO2 for TM²: see XAseco.org
Find your way around the Mania community from the TMN ESWC hub, TMF hub, TM² hub, and SM hub
User avatar
Xymph
Posts: 1399
Joined: 15 Jun 2010, 20:35
Contact:

Re: Web Services communication on a modern distro

Post by Xymph »

Xymph wrote: 27 Sep 2021, 10:47 A better approach is a separate config file that is invoked only for WS scripts via environment variable OPENSSL_CONF.
The config file linked there uses "CipherString = DEFAULT@SECLEVEL=1".

After recently upgrading my OS to the latest LTS, OpenSSL had been updated to v3+, and the web services were again unreachable.
Fortunately the solution was simple this time: change that SECLEVEL to 0 instead. So: "CipherString = DEFAULT@SECLEVEL=0"
Hope it helps others.
Developer of XASECO for TMF/TMN ESWC & XASECO2 for TM²: see XAseco.org
Find your way around the Mania community from the TMN ESWC hub, TMF hub, TM² hub, and SM hub
Post Reply

Return to “Trackmania Forever Web Services”

Who is online

Users browsing this forum: No registered users and 2 guests