Messing with Bash on Windows

Updated 3 years ago
Covenant Eyes seems to be messing with Bash on Windows, the new Linux Subsystem layer in the Insider Previews. (It will be released on the Windows 10 Anniversary update coming next month.)

Specifically, I'm trying to use git to clone a repo and it fails the certificate check. I then used the openssl program to test out the connection to github using the following command:

openssl s_client -showcerts -connect www.github.com:443

But that fails, saying that the local certificates are untrusted. I investigated further and found a bunch of CovenantEyesProxy certificates installed in Windows, so I exported them into PEM format and imported them in the Bash prompt under /usr/local/share/ca-certificates.

This, however, did not fix my problem. It seems the main issue is that the Covenant Eyes Root CA certificate isn't trusted by Bash. I'm not sure if we should just import the root CA, or if more needs to be done to support Bash on Windows.

Thanks!

Sparticuz


Posted 3 years ago
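
A way to read the output of the openssl s_client command from the post above and see which CA the local trust store is missing. This is an added example, not code from the thread or from Covenant Eyes; the transcript and every certificate name in it are constructed placeholders, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. Constructed transcript: every name below is a placeholder,
# not a real Covenant Eyes or GitHub certificate subject.
sample_transcript() { cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Example Filter Proxy CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/O=Example Site/CN=www.example.test
   i:/CN=Example Filter Proxy CA
-----BEGIN CERTIFICATE-----
(constructed: base64 body omitted)
-----END CERTIFICATE-----
 1 s:/CN=Example Filter Proxy CA
   i:/CN=Example Filter Root CA
---
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# One line per certificate the server sent: depth<TAB>subject<TAB>issuer.
chain_entries() {
  awk '
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && $0 == "---"    { exit }   # "-----BEGIN" lines must not end the scan
    in_chain && /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
    in_chain && /^ +i:/        { sub(/^ +i:/, ""); printf "%s\t%s\t%s\n", depth, subj, $0 }
  '
}
# CA that signed the certificate the client was shown (depth 0).
leaf_issuer()     { chain_entries | awk -F'\t' '$1 == 0 { print $3 }'; }
# Issuer of the last certificate sent: the CA the local trust store has to hold.
required_anchor() { chain_entries | tail -n 1 | cut -f3; }
# Numeric result from the "Verify return code" line.
verify_code()     { sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1; }

# stdin = s_client output; $1 = issuer text expected when nothing re-signs traffic.
diagnose() {
  local t leaf; t=$(cat); leaf=$(printf '%s\n' "$t" | leaf_issuer)
  case "$leaf" in
    *"$1"*) echo "expected issuer; verify code $(printf '%s\n' "$t" | verify_code)" ;;
    *) echo "re-signed by [$leaf]; import [$(printf '%s\n' "$t" | required_anchor)]" ;;
  esac
}

sample_transcript | diagnose "Example Public CA"
# Live use: openssl s_client -showcerts -connect www.github.com:443 </dev/null 2>&1 | diagnose "<expected issuer>"
```

On Debian and Ubuntu, update-ca-certificates only picks up files in /usr/local/share/ca-certificates whose names end in .crt, so a PEM export has to carry that extension before the command is run.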


Heather, Official Rep

Hi Sparticuz,

Thanks for your post! We have our developers looking into this and one of us will be here with an answer for you as soon as we get some information.

I do have a few questions for you so they can find an answer more readily.

1. What version of Covenant Eyes are you currently using?
2. What build of Windows 10 are you running CE on?
3. Can you work around this issue using a different git client?

Regards,

Heather

Sparticuz

I'm on the latest CE public build, 6.0.16. (Looked for a beta, but couldn't find anything.)

Currently, I'm on Windows build 14385, but it's been happening on all Insider builds that I've tried (I'm on the fast ring).

The normal Windows GitHub application works, but git for PowerShell doesn't work (I get the same error as git for bash).

Also, nodejs's npm in Bash (and in Windows) doesn't work. Getting more 'unable to verify':


npm ERR! Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE
npm ERR! at SecurePair. (tls.js:1370:32)
npm ERR! at SecurePair.EventEmitter.emit (events.js:92:17)
npm ERR! at SecurePair.maybeInitFinished (tls.js:982:10)
npm ERR! at CleartextStream.read [as _read] (tls.js:469:13)
npm ERR! at CleartextStream.Readable.read (_stream_readable.js:320:10)
npm ERR! at EncryptedStream.write [as _write] (tls.js:366:25)
npm ERR! at doWrite (_stream_writable.js:223:10)
npm ERR! at writeOrBuffer (_stream_writable.js:213:5)
npm ERR! at EncryptedStream.Writable.write (_stream_writable.js:180:11)
npm ERR! at write (_stream_readable.js:583:24)
npm ERR! at flow (_stream_readable.js:592:7)
npm ERR! at Socket.pipeOnReadable (_stream_readable.js:624:5)
npm ERR! If you need help, you may report this log at:
npm ERR!
npm ERR! or email it to:
npm ERR!


So, after testing both in Windows (PowerShell & cmd) and in Bash on Windows, maybe this is a problem with apps that use OpenSSL to verify certificates and not just an incompatibility with the new Bash on Windows.

Jared Burkeen, Software Engineer

Hi Sparticuz,

I tested in Bash on Windows and also the Github client (client and cmd), and I was able to clone repos just fine with CE 6.0.16 installed.
I don't believe that the certificates that we install should interfere with Bash.

I'm running Windows 10 Preview Build 14388 (Windows auto-updated from 14385 to 14388 while I was testing).

Can you try again with build 14388?

Thanks,
Jared

chewiebacca

Since we're calling this thread "Messing with Bash on Windows" I'd like to chime in and ask how CE is monitoring network calls through the WSL. I managed to get firefox running via X and noticed CE doesn't seem to see the traffic like it would for the Windows version. I should be on the latest insider build (fast ring) and the latest CE build.

Sparticuz

14388 still didn't work. I'm going to uninstall/reinstall and see if that fixes it.


I would assume that CE should still see all the traffic because it's still passing through the windows networking stack. It might all be labeled 'unconfirmed' since you might not have the firefox plugin installed.

EDIT: CE is crashing when I'm trying to uninstall it. (Gets past uninstall code, click next, 10 seconds later InstallShield crashes.) I'll see if I can reformat Windows this weekend.

chewiebacca

I'll do additional testing but my dashboard showed no additional traffic while running through firefox. I'm still reading through the developer docs to determine just how far WSL goes before your standard winnt components take over.

Jared Burkeen, Software Engineer

Hi Sparticuz,

Sorry for your additional trouble uninstalling. I'd hate for you to reformat your PC. Please contact me directly and we can probably avoid reformatting.

jared.burkeen@covenanteyes.com

Hi Justin,

I did some testing with curl on WSL and I'm still getting traffic. So it appears that at a high level we should still be able to get WSL traffic.
We haven't tested with X and Firefox yet, but thank you for bringing this to our attention.

Thanks,
Jared

chewiebacca

Confirmed. Any network activity initiated from the bash window is not tracked at all. Whether it's installing something with aptitude or doing a simple wget/ping the requests are not generating logs in my CE dashboard. To get fancier with testing this reddit thread has some cool tricks you can do with X. I used it to install firefox.

https://www.reddit.com/r/Windows10/comments/4ea4w4/fyi_you_can_run_gui_linux_apps_from_bash/

EDIT just saw your reply Jared. I'm not seeing traffic myself whatsoever. I'm just looking at the logs provided in my dashboard. If there is another spot to check that would be great!

Jared Burkeen, Software Engineer

Hi Justin,

I was using an internal tool to view the traffic, I then used the dashboard and was not seeing any traffic at all. So it appears that it's technically possible to get the WSL traffic. 
We'll be looking at resolving this in a future update.

Thanks,
Jared

chewiebacca

Fantastic! Hopefully this can be resolved in a sooner rather than later timeline. Not loving the idea of this kind of hole on my PC :( Software development job doing UWP work requires running latest Win10 builds so I can't really roll back.

Jared Burkeen, Software Engineer

Hi Justin,

I understand your situation, it's difficult being a developer and trying to maintain your protection.
Please contact me directly, we have a beta version that should resolve the issue with reporting WSL traffic.

jared.burkeen@covenanteyes.com

Thanks,
Jared