Covenant Eyes seems to be messing with Bash on Windows, the new Linux Subsystem layer in the Insider Previews. (It will be released on the Windows 10 Anniversary update coming next month)
Specifically, I'm trying to use git to clone a repo and it fails the certificate check. I then used the openssl program to test out the connection to github using the following command:
openssl s_client -showcerts -connect www.github.com:443
But that fails saying that the local certificates are untrusted. I investigated further and found a bunch of CovenantEyesProxy certificates installed in Windows, so I exported them into PEM format and imported them in the Bash prompt under /usr/local/share/ca-certificates
This, however, did not fix my problem. It seems the main issue is that the Covenant Eyes Root CA certificate isn't trusted by Bash. I'm not sure if we should just import the root CA, or if more needs to be done to support Bash on Windows.
Thanks!
- 6 Posts
- 0 Reply Likes
Posted 3 years ago
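The situation described in the post above (proxy certificates imported, root CA not trusted) can be reproduced offline with `openssl verify`. This is an added example, not part of the original post or of Covenant Eyes' software; every key and certificate is constructed locally, and the "Example Proxy" names and file names are placeholders.

```shell
#!/usr/bin/env bash
# Constructed demo: every key and certificate here is generated locally.
work=$(mktemp -d)

# Build root -> intermediate -> leaf. "Example Proxy" names are placeholders.
make_chain() (
  cd "$work" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
      -out "$n.csr" -subj "/CN=Example Proxy $n" 2>/dev/null || exit 1
  done
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.pem 2>/dev/null || exit 1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca.ext -days 2 -out int.pem 2>/dev/null || exit 1
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key \
    -CAcreateserial -days 2 -out leaf.pem 2>/dev/null
)

# Only the intermediate is in the CA file: the chain never reaches a
# self-signed trust anchor, so verification fails.
verify_with_intermediate_only() {
  openssl verify -CAfile "$work/int.pem" "$work/leaf.pem" >/dev/null 2>&1
}

# Root in the CA file, intermediate supplied as an untrusted helper.
verify_with_root() {
  openssl verify -CAfile "$work/root.pem" -untrusted "$work/int.pem" \
    "$work/leaf.pem" >/dev/null 2>&1
}

# -partial_chain lets a trusted non-root certificate terminate the chain.
verify_partial_chain() {
  openssl verify -partial_chain -CAfile "$work/int.pem" \
    "$work/leaf.pem" >/dev/null 2>&1
}

make_chain || { echo "openssl failed to build the demo chain"; exit 1; }
for check in verify_with_intermediate_only verify_with_root verify_partial_chain; do
  if "$check"; then echo "$check: OK"; else echo "$check: FAILED"; fi
done
```

On Ubuntu-based userlands, files placed in /usr/local/share/ca-certificates are only added to the trust store if they end in .crt and update-ca-certificates is run afterwards.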
Heather, Alum
- 81 Posts
- 12 Reply Likes
Hi Sparticuz,
Thanks for your post! We have our developers looking into this and one of us will be here with an answer for you as soon as we get some information.
I do have a few questions for you so they can find an answer more readily.
1. What version of Covenant Eyes are you currently using?
2. What build of Windows 10 are you running CE on?
3. Can you work around this issue using a different git client?
Regards,
Heather
(Edited)
- 6 Posts
- 0 Reply Likes
I'm on the latest CE public build, 6.0.16. (Looked for a beta, but couldn't find anything)
Currently, I'm on Windows build 14385, but it's been happening on all Insider builds that I've tried (I'm on the fast ring)
The normal windows Github application works, but git for powershell doesn't work (get the same error as git for bash)
Also, nodejs's npm in Bash (and in windows) doesn't work. Getting more 'unable to verify'
npm ERR! Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE
npm ERR! at SecurePair. (tls.js:1370:32)
npm ERR! at SecurePair.EventEmitter.emit (events.js:92:17)
npm ERR! at SecurePair.maybeInitFinished (tls.js:982:10)
npm ERR! at CleartextStream.read [as _read] (tls.js:469:13)
npm ERR! at CleartextStream.Readable.read (_stream_readable.js:320:10)
npm ERR! at EncryptedStream.write [as _write] (tls.js:366:25)
npm ERR! at doWrite (_stream_writable.js:223:10)
npm ERR! at writeOrBuffer (_stream_writable.js:213:5)
npm ERR! at EncryptedStream.Writable.write (_stream_writable.js:180:11)
npm ERR! at write (_stream_readable.js:583:24)
npm ERR! at flow (_stream_readable.js:592:7)
npm ERR! at Socket.pipeOnReadable (_stream_readable.js:624:5)
npm ERR! If you need help, you may report this log at:
npm ERR!
npm ERR! or email it to:
npm ERR!
So, after testing both in Windows (powershell & cmd) and in Bash on Windows, maybe this is a problem with apps that use OpenSSL to verify certificates and not just an incompatibility with the new Bash on Windows.
(Edited)
Jared Burkeen, Software Engineer
- 23 Posts
- 4 Reply Likes
Hi Sparticuz,
I tested in Bash on Windows and also the Github client (client and cmd), and I was able to clone repos just fine with CE 6.0.16 installed.
I don't believe that the certificates that we install should interfere with Bash.
I'm running Windows 10 Preview Build 14388 (Windows auto-updated from 14385 to 14388 while I was testing).
Can you try again with build 14388?
Thanks,
Jared
- 10 Posts
- 0 Reply Likes
Since we're calling this thread "Messing with Bash on Windows" I'd like to chime in and ask how CE is monitoring network calls through the WSL. I managed to get firefox running via X and noticed CE doesn't seem to see the traffic like it would for the Windows version. I should be on the latest insider build (fast ring) and the latest CE build.
- 6 Posts
- 0 Reply Likes
14388 still didn't work. I'm going to uninstall/reinstall and see if that fixes it.
I would assume that CE should still see all the traffic because it's still passing through the windows networking stack. It might all be labeled 'unconfirmed' since you might not have the firefox plugin installed.
EDIT: CE is crashing when I'm trying to uninstall it. (Gets past uninstall code, click next, 10 seconds later InstallShield crashes) I'll see if I can reformat Windows this weekend.
(Edited)
- 10 Posts
- 0 Reply Likes
I'll do additional testing but my dashboard showed no additional traffic while running through firefox. I'm still reading through the developer docs to determine just how far WSL goes before your standard winnt components take over.
Jared Burkeen, Software Engineer
- 23 Posts
- 4 Reply Likes
Hi Sparticuz,
Sorry for your additional trouble uninstalling. I'd hate for you to reformat your PC. Please contact me directly and we can probably avoid reformatting.
jared.burkeen@covenanteyes.com
Hi Justin,
I did some testing with curl on WSL and I'm still getting traffic. So it appears that at a high level we should still be able to get WSL traffic.
We haven't tested with X and Firefox yet, but thank you for bringing this to our attention.
Thanks,
Jared
- 10 Posts
- 0 Reply Likes
Confirmed. Any network activity initiated from the bash window is not tracked at all. Whether it's installing something with aptitude or doing a simple wget/ping the requests are not generating logs in my CE dashboard. To get fancier with testing this reddit thread has some cool tricks you can do with X. I used it to install firefox.
https://www.reddit.com/r/Windows10/comments/4ea4w4/fyi_you_can_run_gui_linux_apps_from_bash/
EDIT just saw your reply Jared. I'm not seeing traffic myself whatsoever. I'm just looking at the logs provided in my dashboard. If there is another spot to check that would be great!
(Edited)
Jared Burkeen, Software Engineer
- 23 Posts
- 4 Reply Likes
Hi Justin,
I was using an internal tool to view the traffic, I then used the dashboard and was not seeing any traffic at all. So it appears that it's technically possible to get the WSL traffic.
We'll be looking at resolving this in a future update.
Thanks,
Jared
- 10 Posts
- 0 Reply Likes
Fantastic! Hopefully this can be resolved in a sooner rather than later timeline. Not loving the idea of this kind of hole on my PC :( Software development job doing UWP work requires running latest Win10 builds so I can't really roll back.
(Edited)
Jared Burkeen, Software Engineer
- 23 Posts
- 4 Reply Likes
Hi Justin,
I understand your situation, it's difficult being a developer and trying to maintain your protection.
Please contact me directly, we have a beta version that should resolve the issue with reporting WSL traffic.
jared.burkeen@covenanteyes.com
Thanks,
Jared