[OpenSSL 3.0 Support] - Current WinRM version does not support the latest OpenSSL version #340
Description
Hello @pmorton @sneal @mwrock
after the latest update of OpenSSL version to OpenSSL 3.0.x, WinRM component is not working anymore as intended. It occurs because with the latest OpenSSL version, maintainers decided to keep disable by default legacy protocols.
In particular, for some tools leveraging WinRM, as Evil-WinRM, when they call the WinRM component, an OpenSSL error arises.
The detailed explanation and reproduction of the issue is here: BlackArch/blackarch#3593
According to https://bugs.archlinux.org/task/76653?project=1&order=dateopened&sort=desc the user "loqs" states the following:
"NTLM v1 Authentication uses md4 [1]. The ruby ntlm gem as used by winrm uses the openssl gem to provide md4 [2]. With OpenSSSL 3 md4 in the legacy provider which is not enabled by default.
The ruby openssl gem does not currently provide a method to load a provider [3] so the provider has to be loaded using OpenSSL's configuration file.
Assuming evil-winrm / winrm are not run set-user-ID or set-group-ID the environment variable the environment variable OPENSSL_CONF can be used to specify an alternate location for OpenSSL's config. This avoids changing the default configuration. The variable can in set in a script file that then calls the real executable.
[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/464551a8-9fc4-428e-b3d3-bc5bfb2e73a5?redirectedfrom=MSDN
[2] https://github.com/macks/ruby-ntlm/blob/323ef447c04e130a31940fa6dabe96607677c22b/lib/ntlm/util.rb#L77
[3] https://github.com/ruby/openssl/issues/567"
Could you please add the support to OpenSSL 3.0.x for WinRM component please?
Thank you in advance.