KaeruTeam / Nds Constraint

nds-constrain't

Because Nintendo can't do SSL properly

Testing Server

tl;dr: If you only want to join the test server, then you can use the following DNS settings:

  • Primary DNS: 178.62.43.212
  • Secondary DNS: 1.1.1.1 or 8.8.8.8

What is this?

A way to sign SSL certificates such that the Nitro/TWL SDK's SSL library will treat them as valid, without Nintendo's CA keys.

Background information

On Nintendo's consoles, online communications are carried out over various protocols, but the predominant one is HTTPS: HTTP carried within encrypted SSL packets. After some initial unencrypted handshake steps in which the two parties exchange version information and capabilities, SSL servers present an SSL certificate to the client containing the server's public key. The client uses the server's public key to encrypt a shared secret that the server decrypts with its private key. This secret is used to protect a further key exchange step (e.g. Diffie-Hellman, although this can vary depending on the capabilities of each party) which establishes a new shared secret used to encrypt all further communications. Since SSL is a recognised web standard, it is fairly simple for anyone competent to set up a compatible server. However, SSL certificates (and indeed X.509 certificates in general) are almost always signed by a certificate authority so that the client knows it can trust the server it's connecting to. Unfortunately for us, the Nintendo SDK will refuse to connect to any server without a certificate signed by a trusted Nintendo CA, and Nintendo are of course not going to simply sign certificates for custom server authors to emulate theirs, leaving us unable to do anything without code patches... in theory.

The flaw

SSL certificate authorities can choose to add a flag to certificates they sign stating that the certificate is allowed to act as an intermediate CA too, that is, to sign further certificates. If the SSL server includes the intermediate CA's certificate along with its own certificate signed by that intermediate, the client can follow the chain of trust back up to the root and will therefore accept the certificate. This, however, is where Nintendo's fatal flaw lies: their implementation does not check whether the intermediate certificate is actually permitted to sign other certificates (indicated by the CA:TRUE or CA:FALSE flag in the certificate's basicConstraints extension, which is where the name we gave this flaw comes from). As such, anyone holding any certificate signed by Nintendo together with its private key can use it as an intermediate CA to sign their own certificates.

And as it happens, we do.

Nintendo consoles from the Wii onwards include a Nintendo-signed client certificate, which they use to authenticate with Nintendo's servers, together with the accompanying private key. This client certificate is signed by the same CA as Nintendo's server certificates and is therefore trusted by the DS.

TL;DR: client certs can sign certs and the DS doesn't care!

Instructions

Requirements

  • The Wii's client certificate and its corresponding private key (these are not console-unique and can be pulled from any Wii; a guide will come soon)
  • A server which supports SSLv3 (may be somewhat difficult to set up, as support for SSLv3 has been disabled/removed in most modern servers for security reasons... but it's all the DS supports)
  • OpenSSL, to sign the certificates (or another suitable tool)

Generating trusted certificates

# Generate a 1024-bit private key for your server cert (weak, but it's a DS)
openssl genrsa -out server.key 1024
# Generate a certificate request
openssl req -new -key server.key -out server.csr
# Produce a signed server certificate from the certificate request, signed with the Wii's client certificate.
# The SHA-1 digest algorithm must be used because we're working with old tech here, but you can customise the validity period as you see fit. Here, we specify 10 years.
openssl x509 -req -in server.csr -CA nwc.crt -CAkey nwc.key -CAcreateserial -out server.crt -days 3650 -sha1

Copy the server.key and server.crt files to the correct places, then configure your server to use them. You must also send nwc.crt to the client as part of the certificate chain; otherwise the DS will not be able to follow the chain of trust back up to the root and will reject your lovely certificate. Just concatenate your server certificate with nwc.crt like so: cat server.crt nwc.crt > server.chain.crt.

Alternatively, with Apache, you can add SSLCertificateChainFile /path/to/nwc.crt to your server config.

Example configuration:

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    DocumentRoot /var/www/html
    ServerName nas.nintendowifi.net
    
    SSLEngine on
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCertificateChainFile /path/to/nwc.crt
  </VirtualHost>
</IfModule>
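As an added example (not code from the nds-constrain't project or from KaeruTeam), the script below rebuilds the signing procedure from the instructions above with a constructed, throwaway hierarchy in place of Nintendo's CA and the Wii's client certificate (root.crt and client.crt are placeholders, as are all the names in it), then feeds the result to openssl verify, which does enforce the basicConstraints check that the DS skips. It also signs a second server certificate with a genuine CA:TRUE intermediate, so the flag is the only difference between the accepted and the rejected chain. It uses SHA-256 and 2048-bit keys instead of the page's SHA-1 and 1024-bit so that current OpenSSL builds will sign and verify without policy overrides; the openssl x509 -req form is the one the page uses.

```shell
#!/bin/sh
# Added example, not part of the nds-constrain't project: reproduce the
# cert-signing procedure with a constructed, throwaway CA hierarchy, then run
# it through a validator that honours basicConstraints (the check the DS lacks).
#
# Placeholders (assumptions, not Nintendo material):
#   root.crt   stands in for Nintendo's CA
#   client.crt stands in for nwc.crt (an end-entity certificate, CA:FALSE)
#   inter.crt  a proper intermediate (CA:TRUE), for comparison
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Fresh RSA key plus CSR. SHA-256/2048-bit rather than the page's SHA-1/1024
# so current OpenSSL builds sign and verify without policy overrides.
newkey_csr() {  # $1 = basename, $2 = common name
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# Sign $1's CSR with issuer $2 (same openssl x509 -req form as the page),
# attaching exactly the X.509v3 extension lines given as remaining arguments.
sign_with() {  # $1 = basename, $2 = issuer basename, $3.. = extension lines
    name=$1; issuer=$2; shift 2
    printf '%s\n' "$@" > "$name.ext"
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
        -CAcreateserial -out "$name.crt" -days 30 -sha256 \
        -extfile "$name.ext" >/dev/null 2>&1
}

# Succeeds if certificate $1 carries basicConstraints CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds if a conforming validator (openssl verify) accepts leaf $2 with
# $1 offered as the untrusted intermediate and root.crt as the only anchor.
chain_ok() {
    openssl verify -CAfile root.crt -untrusted "$1" "$2" >/dev/null 2>&1
}

# Self-signed root (constructed stand-in for Nintendo's CA).
newkey_csr root "Example Root CA"
printf '%s\n' "basicConstraints=critical,CA:TRUE" \
    "keyUsage=critical,keyCertSign,cRLSign" > root.ext
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 30 \
    -sha256 -extfile root.ext >/dev/null 2>&1

# An end-entity client certificate (the nwc.crt analogue) and a real intermediate.
newkey_csr client "Example Client"
sign_with client root "basicConstraints=CA:FALSE"
newkey_csr inter "Example Intermediate CA"
sign_with inter root "basicConstraints=critical,CA:TRUE"

# Two server certificates: one issued by the client cert, one by the intermediate.
newkey_csr server_a "server.example"
sign_with server_a client "basicConstraints=CA:FALSE" "extendedKeyUsage=serverAuth"
newkey_csr server_b "server.example"
sign_with server_b inter "basicConstraints=CA:FALSE" "extendedKeyUsage=serverAuth"

# Report what a validator that honours basicConstraints decides for each chain.
for pair in "client server_a" "inter server_b"; do
    set -- $pair
    flag=$(openssl x509 -in "$1.crt" -noout -text | grep -o 'CA:[A-Z]*')
    if chain_ok "$1.crt" "$2.crt"; then verdict=ACCEPTED; else verdict=REJECTED; fi
    echo "$2.crt via $1.crt ($flag): $verdict"
done
```

Run it with sh; the chain through the CA:FALSE client certificate is reported REJECTED (OpenSSL's reason is "invalid CA certificate", raised because every issuing certificate in a chain must qualify as a CA) and the chain through the intermediate ACCEPTED. A conforming validator also refuses an issuer whose keyUsage extension is present but lacks keyCertSign, so a client certificate that carries a normal keyUsage fails that check as well; the DS's library performs neither check, which is the whole of the flaw described above.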