nds-constrain't: Fix instructions
parent 81e77a7f63
commit 5d232dfc71
@ -56,31 +56,68 @@ NGINX users need to create a file for the certificate chain as well.
|
||||
|
||||
cat server.crt NWC.crt > server-chain.crt
|
||||
|
||||
We are now ready to rock and roll!
|
||||
|
||||
### Using your phony certificate
|
||||
|
||||
Once the SSL certificate is installed, you may run into issues connecting with
|
||||
your DS. This because your NDS only knows how to use SSLv3, with either the
|
||||
RC4-SHA or RC4-MD5 cipher set. To enable DS compatibility for NGINX, add the
|
||||
following lines to your NGINX configuration.
|
||||
RC4-SHA or RC4-MD5 cipher set. Webservers don't support this by default, so this
|
||||
requires special configuration.
|
||||
|
||||
### NGINX configuration
|
||||
|
||||
First, you need to compile a custom version of NGINX that supports SSLv3 and
|
||||
the RC4 ciphers. Instructions on how to do this are included further down this
|
||||
page.
|
||||
|
||||
Then, add the following lines to your NGINX configuration.
|
||||
|
||||
ssl_protocols SSLv3;
|
||||
ssl_ciphers RC4-SHA:RC4-MD5:@SECLEVEL=0;
|
||||
|
||||
The config settings are nearly identical in Apache.
|
||||
|
||||
SSLProtocol SSLv3
|
||||
SSLCipherSuite RC4-SHA:RC4-MD5:@SECLEVEL=0
|
||||
|
||||
Most services for Nintendo consoles make liberal use of headers. Unfortunately,
|
||||
some headers (e.g. `http_x_gamecd`) contain underscores, which
|
||||
Assuming that you have added your certificate chain and key, your DS should be
|
||||
able to connect. It is worth noting that most services for Nintendo consoles
|
||||
make liberal use of headers, and some headers (e.g. `http_x_gamecd`) contain
|
||||
underscores, which
|
||||
[shouldn't be in the header field](https://tools.ietf.org/html/rfc7230#section-3.2.6).
|
||||
Allowing this in NGINX is simple.
|
||||
You should also configure NGINX to pass request headers to your server if you
|
||||
haven't already.
|
||||
|
||||
underscores_in_headers on;
|
||||
proxy_pass_request_headers on;
|
||||
|
||||
### Apache configuration
|
||||
|
||||
First, you need to compile a custom version of Apache that supports SSLv3
|
||||
and the RC4 ciphers. Instructions on how to do this are included further down
|
||||
this page.
|
||||
|
||||
Then, use the following SSL settings.
|
||||
|
||||
SSLProtocol SSLv3
|
||||
SSLCipherSuite RC4-SHA:RC4-MD5
|
||||
|
||||
Unfortunately, because lowering the
|
||||
[security level](https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html)
|
||||
of OpenSSL in the cipher string results in an error in Apache, Apache users must
|
||||
also modify their OpenSSL configuration. This is usually located in
|
||||
`/etc/ssl/openssl.cnf`. However, since we are using a custom version of OpenSSL,
|
||||
we will make the change in `/usr/local/ssl/openssl.cnf` instead.
|
||||
|
||||
At the top, add the following:
|
||||
|
||||
openssl_conf = default_conf
|
||||
|
||||
At the bottom, add the following:
|
||||
|
||||
[default_conf]
|
||||
ssl_conf = ssl_sect
|
||||
|
||||
[ssl_sect]
|
||||
system_default = system_default_sect
|
||||
|
||||
[system_default_sect]
|
||||
CipherString = DEFAULT:@SECLEVEL=0
|
||||
|
||||
Working around this in Apache is a bit more difficult. For information about
|
||||
working around invalid headers in Apache, see
|
||||
[this example](http://httpd.apache.org/docs/trunk/env.html#fixheader). If you
|
||||
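Review bot: The `[system_default_sect]` block added under "Apache configuration" sets `CipherString = DEFAULT:@SECLEVEL=0` as the default for every program that loads `/usr/local/ssl/openssl.cnf`, not only for Apache, and the text does not say so. Please state that scope next to the snippet and recommend that the custom OpenSSL build be used only by the web server that faces the DS. The same applies to `ssl_protocols SSLv3;` and `SSLProtocol SSLv3`: the instructions say to add them to "your NGINX configuration" or to "use the following SSL settings" without saying where, so suggest placing them in the server block or virtual host that serves the DS rather than globally. Separately, "Working around this in Apache is a bit more difficult" now follows the openssl.cnf snippet, while the underscore-header problem it refers to is described in the NGINX section; restate the subject there (for example "Working around headers with underscores in Apache ..."). The context line "This because your NDS only knows" is also missing "is".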
@ -94,26 +131,69 @@ without ROM patches!
|
||||
|
||||
---
|
||||
|
||||
### Update
|
||||
### The issue with OpenSSL
|
||||
|
||||
Modern versions of OpenSSL have SSLv3 and the RC4 ciphers disabled by default,
|
||||
which means that you will need to compile OpenSSL yourself. For information on
|
||||
doing this, see the
|
||||
[INSTALL.md](https://github.com/openssl/openssl/blob/master/INSTALL.md)
|
||||
from the OpenSSL repository, or the
|
||||
[Compilation and Installation](https://wiki.openssl.org/index.php/Compilation_and_Installation)
|
||||
page from their wiki.
|
||||
By default, modern versions of OpenSSL disable SSLv3 and the RC4 ciphers. We
|
||||
need those to talk to the Nintendo DS, so we need to compile a custom version of
|
||||
OpenSSL to use with the webserver.
|
||||
|
||||
When configuring OpenSSL, be sure to specify the "enable-ssl3",
|
||||
"enable-ssl3-method" and "enable-weak-ciphers" flags like so:
|
||||
### NGINX with custom OpenSSL
|
||||
|
||||
./config enable-ssl3 enable-ssl3-method enable-weak-ciphers
|
||||
Download and extract the [OpenSSL](https://www.openssl.org/source/) and
|
||||
[nginx](https://nginx.org/en/download.html) sources. Then, configure NGINX like
|
||||
so:
|
||||
|
||||
It will install in /usr/local and /usr/local/ssl by default, so it shouldn't
|
||||
interfere with the version currently installed on your system.
|
||||
./configure --with-http_ssl_module --with-openssl=/path/to/openssl/src \
|
||||
--with-openssl-opt=enable-ssl3 --with-openssl-opt=enable-ssl3-method \
|
||||
--with-openssl-opt=enable-weak-ciphers
|
||||
|
||||
Run "make" and "sudo make install" like usual. Be sure that you run the version
|
||||
of NGINX in /usr/local for nds-constrain't. You might want to uninstall any
|
||||
existing versions of NGINX to avoid confusion.
|
||||
|
||||
Gentoo users can add the "sslv3" and "weak-ciphers" USE flags to OpenSSL
|
||||
and rebuild it. Since there is no weak-ciphers USE flag at the time of writing,
|
||||
you might want to add my
|
||||
[flewkey-overlay](https://git.sdf.org/flewkey/flewkey-overlay) and unmask
|
||||
`dev-libs/openssl::flewkey-overlay`.
|
||||
`dev-libs/openssl::flewkey-overlay`. After that, install NGINX as usual.
|
||||
|
||||
### Apache with custom OpenSSL
|
||||
|
||||
Download and extract the [OpenSSL](https://www.openssl.org/source/) and
|
||||
[Apache](https://httpd.apache.org/download.cgi) sources. Then, we must configure
|
||||
OpenSSL like so:
|
||||
|
||||
./config enable-ssl3 enable-ssl3-method enable-weak-ciphers
|
||||
|
||||
After this, run "make" and "sudo make install". OpenSSL will install in
|
||||
/usr/local and /usr/local/ssl by default, so it shouldn't interfere with the
|
||||
version currently installed on your system. You will also need to make the
|
||||
OpenSSL configuration change made in the "Apache configuration"
|
||||
|
||||
Next, we need to actually configure Apache, specifying the location of OpenSSL
|
||||
like so:
|
||||
|
||||
./configure --enable-ssl --with-ssl=/usr/local
|
||||
|
||||
Run "make" and "sudo make install" like usual. Be sure that you use the version
|
||||
of Apache in /usr/local for nds-constrain't. You might want to uninstall any
|
||||
existing versions of Apache to avoid confusion.
|
||||
|
||||
Gentoo users can add the "sslv3" and "weak-ciphers" USE flags to OpenSSL
|
||||
and rebuild it. Since there is no weak-ciphers USE flag at the time of writing,
|
||||
you might want to add my
|
||||
[flewkey-overlay](https://git.sdf.org/flewkey/flewkey-overlay) and unmask
|
||||
`dev-libs/openssl::flewkey-overlay`. After that, install Apache as usual.
|
||||
|
||||
---
|
||||
|
||||
### Contributions
|
||||
|
||||
Thanks to [shutterbug2000](https://github.com/shutterbug2000) for discovering
|
||||
nds-constrain't, as well as [Lauren Kelly](https://muffinti.me/) and
|
||||
[jaames](https://jamesdaniel.dev/) for their work on the official guide. These
|
||||
individuals have contributed a lot to the Nintendo and Flipnote Studio
|
||||
communities in general.
|
||||
|
||||
Greetings to [Adam Gilbert](https://i-am.djelectro.me/),
|
||||
[MeGaMoV](https://megamov.fr/) and Brandon Serpas.
|
||||
|
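Review bot: In the new "Apache with custom OpenSSL" section, the sentence "You will also need to make the OpenSSL configuration change made in the "Apache configuration"" stops without its noun or a period; finish it (for example "... described in the "Apache configuration" section above.") so readers know where to look. The Gentoo paragraph, now repeated for Apache, tells readers to add the "sslv3" and "weak-ciphers" USE flags and in the next sentence says there is no weak-ciphers USE flag at the time of writing; reword it so the overlay is the actual instruction and the flag is described as provided by the overlay, if that is the case. The NGINX section also no longer says where the result is installed before telling readers to "run the version of NGINX in /usr/local"; a short sentence on the install prefix, like the one kept for OpenSSL in the Apache section, would help.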