Web Services communication on a modern distro
Posted: 27 Sep 2021, 10:47
Posting this because it took a lot longer to figure out than the description below makes it appear, and may help other users of the TMF Web Services (if any are left).
TL;DR
OpenSSL on a modern distro supports TLS v1.2+, the WS server supports TLS v1.0. Outlined below is how to get WS requests to work nonetheless, by enabling TLS v1.0 only for WS scripts.
Problem
I use the WS in MetaStats and some offline scripts. After (finally, belatedly) upgrading to a modern distro -- Ubuntu Mate LTS in my case -- these scripts failed. A manual check revealed:
Background
Searching for the error led to various postings (like this) that indicated that OpenSSL in the distro supports only TLS v1.2+, while the WS server supports only TLS v1.0 (and SSL v3, but nevermind that). See:
Solution
Ideally the WS server is upgraded to modern Apache/OpenSSL versions, as it currently runs an Ubuntu distro with PHP 5.3 (X-Powered-By: PHP/5.3.2-1ubuntu4.30) that is about a decade old.
But given that Nadeo does very little to support TMF anymore, this is unlikely to happen, and I'm glad the WS server is still running at all.
So TLS v1.0 needs to be enabled locally, but I would prefer this to happen only for WS scripts rather than system-wide by default. A better approach is a separate config file that is invoked only for WS scripts via environment variable OPENSSL_CONF.
However, PHP's interaction with environment variables is not entirely trivial. It turns out using putenv() or $_ENV[] in the script to define OPENSSL_CONF happens too late, it needs to exist prior to invoking the script. For a standalone script this can be done with a bash wrapper, e.g.:
In Apache context this can unfortunately not be done via SetEnv restricted to a single directory, but requires a global Apache setting in /etc/apache2/envvars (Ubuntu/Debian) or /etc/sysconfig/httpd (RedHat/CentOS):
This is not ideal, as it enables TLS v1.0-1.1 on all websites, but at least it is adequate to revive MetaStats for TMF.
Too bad it's still dead for MP after Nadeo's ws.maniaplanet.com server was shut down...
TL;DR
OpenSSL on a modern distro supports TLS v1.2+, the WS server supports TLS v1.0. Outlined below is how to get WS requests to work nonetheless, by enabling TLS v1.0 only for WS scripts.
Problem
I use the WS in MetaStats and some offline scripts. After (finally, belatedly) upgrading to a modern distro -- Ubuntu Mate LTS in my case -- these scripts failed. A manual check revealed:
Code: Select all
$ wget --tries=1 --server-response --spider https://ws.trackmania.com/
Spider mode enabled. Check if remote file exists.
--2021-09-27 10:11:23-- https://ws.trackmania.com/
Resolving ws.trackmania.com (ws.trackmania.com)... 178.33.106.156
Connecting to ws.trackmania.com (ws.trackmania.com)|178.33.106.156|:443... connected.
OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Unable to establish SSL connection.
Searching for the error led to various postings (like this) that indicated that OpenSSL in the distro supports only TLS v1.2+, while the WS server supports only TLS v1.0 (and SSL v3, but nevermind that). See:
Code: Select all
$ nmap --script ssl-enum-ciphers -p 443 ws.trackmania.com
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-27 10:46 CEST
Nmap scan report for ws.trackmania.com (178.33.106.156)
Host is up (0.015s latency).
rDNS record for 178.33.106.156: 178-33-106-156.ovh.net
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
[...]
| TLSv1.0:
| ciphers:
[...]
Nmap done: 1 IP address (1 host up) scanned in 1.36 seconds
Ideally the WS server is upgraded to modern Apache/OpenSSL versions, as it currently runs an Ubuntu distro with PHP 5.3 (X-Powered-By: PHP/5.3.2-1ubuntu4.30) that is about a decade old.
But given that Nadeo does very little to support TMF anymore, this is unlikely to happen, and I'm glad the WS server is still running at all.So TLS v1.0 needs to be enabled locally, but I would prefer this to happen only for WS scripts rather than system-wide by default. A better approach is a separate config file that is invoked only for WS scripts via environment variable OPENSSL_CONF.
However, PHP's interaction with environment variables is not entirely trivial. It turns out using putenv() or $_ENV[] in the script to define OPENSSL_CONF happens too late, it needs to exist prior to invoking the script. For a standalone script this can be done with a bash wrapper, e.g.:
Code: Select all
#!/bin/bash
OPENSSL_CONF=/usr/local/etc/openssl_tls1.conf php /usr/local/bin/playertype.php $1
Code: Select all
# Allow TLSv1.0 on ws.trackmania.com in TrackMania\WebServices\
export OPENSSL_CONF=/usr/local/etc/openssl_tls1.conf
Too bad it's still dead for MP after Nadeo's ws.maniaplanet.com server was shut down...
