HTTPS support

[TorutheRedFox]

ok so I've managed to get HTTPS working through a reverse proxy on my Apache web server

to get it to connect, you have to swap the SCERT root certificate in the game's executable, which is in X509 PEM format, which makes it easy to find as it starts with "-----BEGIN CERTIFICATE-----" every time (without the quotes obviously) and ends with "-----END CERTIFICATE-----", making it fairly easy to swap

the root certificate has to be the same length or shorter, so keep the info you put into openssl or whatever you're using to generate the certificate short, then sign a certificate for the domain you're hosting your instance with using said root certificate and its corresponding private key.

[TorutheRedFox]

here's a batch file to generate a certificate and its corresponding cnf file

rem generate root certificate. root_cert.crt will be injected into the game's EBOOT
openssl genrsa -out root_key.key 2048
openssl req -x509 -new -nodes -subj "/C=US/ST=CA/L=San Diego/O=SONY Computer Entertainment America Inc./OU=SCERT Group/CN=SCERT Root Authority" -key root_key.key -sha1 -days 10957 -out root_cert.crt -config root_cert.cnf

rem generate certificate for the gameserver itself.
openssl genrsa -out gameserver_key.key 1024
openssl req -new -sha1 -key gameserver_key.key -subj "/C=US/ST=CA/L=San Diego/O=SONY Computer Entertainment America Inc./OU=SCERT Group/CN=gameserver.mylighthouseserver.com" -out gameserver_req.csr
openssl x509 -req -in gameserver_req.csr -CA root_cert.crt -CAkey root_key.key -CAcreateserial -out gameserver_cert.crt -days 3652 -sha1

root_cert.cnf

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# Use SHA-1 for size and because LBP used it
default_md          = sha1

# Extension to add when the -x509 option is used.

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = US
stateOrProvinceName             = CA
localityName                    = San Diego
0.organizationName              = SONY Computer Entertainment America Inc.
organizationalUnitName          = SCERT Group
commonName                      = SCERT Root Authority

[TorutheRedFox]

the certificate somehow comes out a couple of bytes smaller than the original, despite providing the same info

[TorutheRedFox]

oh and make sure to convert line endings to LF if you're generating these on Windows as CRLF adds an extra byte per line break

[TorutheRedFox]

you can then use this command to output it in a format that Kestrel accepts:
openssl pkcs12 -export -out gameserver_cert.pfx -inkey gameserver_key.key -in gameserver_cert.crt

[TorutheRedFox]

a self-signed cert is fine in this case (and better due to size constraints) as the game has its own single certificate truststore that you're replacing

[Slendy]

Did you actually get the game to connect to the server? If so, what platform were you using? I tried your method in the past and was unable to get results.

[TorutheRedFox]

I got the game to connect to the server yeah

I'm using RPCS3 with LittleBigPlanet 2 Beta primarily, but I've tested LBP1 too and it works just fine

can't test LBP3 atm because I messed up my eboot by accident and it won't boot anymore lmao

[TorutheRedFox]

and yeah having both URLs be HTTPS works too

[TorutheRedFox]

you sure that you're not using cipher suites that the game doesn't support?

to make sure cipher suites or proxy configuration aren't the issue, try connecting to it over SSL using LBP1 deploy as it doesn't care about the certificate (at least when address is configured through craftworld.ini)

[Slendy]

I’ll try when I get home later today but my issue was the system rejecting the certificate because it was self signed. I only tested on RPCS3 though.

[TorutheRedFox]

the game has its own root certificate in the eboot that you need to replace with the one you used to sign the server certificate, which has to have the cname set your domain (the root cert is fine with any cname it seems? either that or it has to be the same as the issuer)

otherwise it'll reject the server's certificate and terminate the connection

[TorutheRedFox]

I can email you an example eboot if you want

[TorutheRedFox]

fixed my LBP3 eboot, it works too

[TorutheRedFox]

btw you also should configure a subject alternative name for the resource subdomains for LBP3 otherwise it won't be able to load any resources

[TorutheRedFox]

actually you should make a separate vhost and wildcard certificate for the res domains as LBP3 doesn't seem to support alternate names

[jvyden]

I can email you an example eboot if you want

Do not do this. This is piracy.

[jvyden]

btw you also should configure a subject alternative name for the resource subdomains for LBP3 otherwise it won't be able to load any resources

LBP3 already works completely fine over HTTPS with no modifications, probably not worth it to worry about LBP3 support here.

[TorutheRedFox]

from what I've found it actually doesn't

LBP1 Deploy does though as it completely ignores the certificate and only cares if the handshake minus the cert check went through

[TorutheRedFox]

probably for testing reasons so that each dev doesn't need a new certificate for every new local server instance that they have

[jvyden]

Both LBP3 and LBP Vita will accept our LetsEncrypt certificate on production, so I'm fairly certain that behavior is because of the self-signed certificate.

[TorutheRedFox]

huh

guess Tarsier made it also load the system store?

[jvyden]

Interesting research, though. I actually looked into this with LBP2 but stopped because LetsEncrypt's root certificate (ISRG Root X1) is too big to fit in the EBOOT. Gave up there, essentially lol

[jvyden]

Oops, this should be a discussion actually

[TorutheRedFox]

late LBP2 and LBP3 seem to be a bit unstable connection wise over HTTPS and I'm not sure why

[m88youngling]

I'm pretty curious as to exactly why LBP3 keeps breaking when connected to Lighthouse. I've never successfully been able to connect without a crash. Maybe someday we'll figure it out