daemonic79
Forum Replies Created
@yorkki Sorry it didn't work for you…
I started off debugging by adding the following after line 1924 ($this->response = ……) in wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/waf.php

file_put_contents('./output.txt', var_export($payload, true), FILE_APPEND);
file_put_contents('./output.txt', var_export($this->response, true), FILE_APPEND);

This would save the payload and response for the rules request to a local text file (it will end up in the wp-admin folder). I did this to work around the rate limit, as it meant I could use the saved response data to continue debugging.
With this information I worked through, in a test script, effectively the same thing as the $waf->verifySignedRequest function on line 1933, which then gave me the pointer to look into the openssl signing functions.
@yorkki sure…
My thread on this was https://ww.wp.xz.cn/support/topic/rules-not-updating-5/
Solution is as follows;
To show your current crypto policy, run the following;

update-crypto-policies --show

which returns;

DEFAULT

To then add SHA1 to the default policy, run the following;

update-crypto-policies --set DEFAULT:SHA1

which returns;

Setting system policy to DEFAULT:SHA1
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

Reboot the server as directed; you can check it applied afterwards by running the original command again;

update-crypto-policies --show

which returns;

DEFAULT:SHA1

Feel free to do your own research on the above commands before typing random commands from the internet into your server 😀
This appears to modify the policy files within /etc/crypto-policies/, reverting should be;

update-crypto-policies --set DEFAULT

Due to hitting the free rate limit of once every 24 hours, I had to wait for the next update, but it then worked for me. Hope this works for you 🙂
- This reply was modified 2 years, 10 months ago by daemonic79.
- This reply was modified 2 years, 10 months ago by daemonic79. Reason: Tidied code formatting
What OS are you running on your server @yorkki ?
I had a similar issue with Alma/Rocky 9.2 due to SHA1 being disabled in the crypto-policy.

Hi Peter,
I believe I have found the cause of the issue…
I cached the response from the wfWAFCronFetchRulesEvent->fire() function to a file (to avoid the rate limiting) to work out what was going on.
As part of that function, verifySignedRequest is called to verify the signature of the rules being received.
My test code of the resulting openssl_verify output was returning -1 as the result.
On checking the errors from openssl_error_string() I was getting the following;

0480006c:pem routines::no start line
03000098:digital envelope routines::invalid digest
This then led me to look into SHA1 with Redhat 9 and clones (Alma/Rocky in my case).
From the changelog, it turns out that;

The use of SHA-1 for signatures is restricted in the default crypto policy.
After enabling SHA1 the resulting openssl_verify output now returns 1, as expected.
Checking this on another site that isn’t rate limited at present, now allows for the rules to update.
I imagine that I won't be the last to come across this issue going forward, so it could be worth the signature verification algorithm being updated to something other than SHA1?
Thanks 🙂
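The behaviour described in the post above, as an added stand-alone example (not Wordfence's code and not the WAF's verifySignedRequest): a throw-away RSA key is generated in memory, a constructed payload is signed and then verified once with SHA-1 and once with SHA-256, and the OpenSSL error queue is drained after each call so the "invalid digest" message can be seen next to the -1 return value. The optional read of /etc/crypto-policies/config is an assumption based on the thread's remark that update-crypto-policies edits files under that directory; nothing else about the host is assumed.

```php
<?php
// Added example, not part of the original thread or of the Wordfence plugin.
// Shows how openssl_verify() reports a digest that the system crypto policy
// refuses: on RHEL 9 / Alma / Rocky with the DEFAULT policy the SHA-1 case
// returns -1 and the error queue carries "invalid digest"; with DEFAULT:SHA1
// (or on a host without such a policy) it returns 1 like the SHA-256 case.

/** Pull every pending message off the OpenSSL error queue. */
function drainOpensslErrors(): array
{
    $errors = [];
    while (($msg = openssl_error_string()) !== false) {
        $errors[] = $msg;
    }
    return $errors;
}

/** Verify $signature over $data and return the result together with any OpenSSL errors. */
function verifyWithDigest(string $data, string $signature, string $publicKeyPem, int $algo): array
{
    drainOpensslErrors(); // discard stale errors so the report belongs to this call only
    $result = openssl_verify($data, $signature, $publicKeyPem, $algo); // 1 ok, 0 bad signature, -1 error
    return ['result' => $result, 'errors' => drainOpensslErrors()];
}

/**
 * Best-effort read of the active system crypto policy name.
 * Assumption: the policy name is stored in /etc/crypto-policies/config (RHEL-style hosts);
 * returns null when that file is not present or not readable.
 */
function currentCryptoPolicy(): ?string
{
    $path = '/etc/crypto-policies/config';
    if (!is_readable($path)) {
        return null;
    }
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $line = trim($line);
        if ($line !== '' && $line[0] !== '#') {
            return $line;
        }
    }
    return null;
}

// Generate a temporary 2048-bit RSA key pair; nothing is written to disk.
$key = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
if ($key === false) {
    fwrite(STDERR, "key generation failed: " . implode('; ', drainOpensslErrors()) . "\n");
    exit(1);
}
$publicKeyPem = openssl_pkey_get_details($key)['key'];

// Constructed stand-in for the signed rules response body.
$payload = '{"rules":"constructed sample payload"}';

printf("system crypto policy: %s\n", currentCryptoPolicy() ?? 'unknown (no /etc/crypto-policies/config)');

foreach ([OPENSSL_ALGO_SHA1 => 'sha1', OPENSSL_ALGO_SHA256 => 'sha256'] as $algo => $name) {
    $signature = '';
    if (!openssl_sign($payload, $signature, $key, $algo)) {
        // Under the restricted policy the signing side can be refused as well.
        printf("%-6s openssl_sign failed: %s\n", $name, implode('; ', drainOpensslErrors()));
        continue;
    }
    $check = verifyWithDigest($payload, $signature, $publicKeyPem, $algo);
    printf(
        "%-6s openssl_verify=%d%s\n",
        $name,
        $check['result'],
        $check['errors'] ? ' (' . implode('; ', $check['errors']) . ')' : ''
    );
}
```

Run it with `php` on the affected host before and after changing the policy; the SHA-256 line is the control that proves the key and payload are fine, so a -1 on the SHA-1 line alone points at the policy rather than at the data being verified.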
Hi Peter,
I have sent the Diagnostics page as requested.
Thanks
Is there any news on version 2.0.3.3 being released?