
Old code signing certificates break SWTOR on Wine


MatthewToad


SWTOR is still using two ancient TLS/code signing certificates (CAs from 2006):

- VeriSign Class 3 Public Primary Certification Authority - G5

- Thawte Primary Root CA

 

These have been removed on Debian and Gentoo, and at least the former has been removed on Mac.

 

The former is used for signing eualas.patchmanifest, resulting in an error 206 on the launcher (before entering password).

 

The latter is used for signing download.solidconfig, resulting in an error 309.

 

Please fix. There's a reason these certificates are deprecated. It looks like Microsoft is not immediately removing the G5 cert (but is removing some others), but Apple has already removed it. See:

- https://www.microsoft.com/security/blog/2018/10/04/microsoft-partners-with-digicert-to-begin-deprecating-symantec-tls-certificates/

- https://bugs.openjdk.java.net/browse/JDK-8207258 (links Google, Mozilla etc)

 

Wine debugging ticket:

- https://bugs.winehq.org/show_bug.cgi?id=49515

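As an added illustration (not from the thread or from the game's own tooling) of the failure the post describes, here is a throwaway openssl session: a constructed root signs a constructed manifest, and the same detached signature verifies against a trust store that contains that root but fails against one from which it has been removed. All names and files are invented for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a constructed root CA and manifest
# show why a valid signature fails once the root leaves the trust store.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed root standing in for a deprecated 2006-era CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Example Old Root CA" -days 3650 2>/dev/null

# Unrelated root: what a distro trust store looks like after removal.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
  -subj "/CN=Example Other Root CA" -days 3650 2>/dev/null

# Leaf signing certificate issued by the old root.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=Example Manifest Signer" 2>/dev/null
openssl x509 -req -in leaf.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out leaf.crt -days 365 2>/dev/null

# Constructed manifest with a detached CMS (PKCS#7) signature, the kind of
# signed artifact a patch manifest carries.
printf 'patch=1.2.3\nfile=example.bin\n' > manifest.txt
openssl cms -sign -in manifest.txt -signer leaf.crt -inkey leaf.key \
  -binary -outform DER -out manifest.p7s

# verify_manifest STORE: exit 0 only if the chain ends in a root in STORE.
verify_manifest() {
  openssl cms -verify -in manifest.p7s -inform DER -content manifest.txt \
    -binary -CAfile "$1" -out /dev/null 2>/dev/null
}

# Store still holding the old root: the signature checks out.
with_root() { verify_manifest root.crt; }

# Store where the old root was removed (as on Debian/Gentoo): same file,
# same signature, verification fails although nothing was tampered with.
without_root() { ! verify_manifest other.crt; }

with_root && echo "root trusted: verification succeeded"
without_root && echo "root removed: verification failed (expected)"
```

The launcher's error codes are its own mapping of this outcome; the underlying condition is simply a chain that no longer terminates in a trusted root.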

SWTOR is still using two ancient TLS/code signing certificates (CAs from 2006):

- VeriSign Class 3 Public Primary Certification Authority - G5

- Thawte Primary Root CA

Those are not *code-signing* certificates, but rather *certificate-signing* certificates (CA = Certificate Authority). The code-signing certificates themselves are recent (the one on my launcher.exe is valid from March 2020 to March 2021).

 

That said, it would be a really good idea for EA to move away from those CAs, pronto.



For the love of god, update your damn certs. Microsoft started work on deprecating these certs over 2 years ago. Debian/Gentoo have already removed these certs from their distros.

 

From the Microsoft blog:

 

"Starting in September 2018, Microsoft began deprecating the SSL/TLS capability of Symantec root certificates due to compliance issues. Google, Mozilla, and Apple have also announced deprecation plans related to Symantec SSL/TLS certificates. Symantec cryptographic certificates are used in critical environments across multiple industries. In 2017, DigiCert acquired Symantec’s web security business that included their certificate authority business.

 

Since the compliance issues were identified, Microsoft has been engaged with Symantec and DigiCert to uphold industry-wide compliance expectations and maintain customer trust. DigiCert created the deprecation schedule below in partnership with Microsoft to maintain trust in the industry while minimizing impact to our mutual customer"


DigiCert, which acquired Symantec's certificate business last August, announced Wednesday that approximately 20,000 Symantec certificates, including GeoTrust, Thawte and RapidSSL brands, were to be revoked because their private keys had been exposed.

The Large Print Edition text isn't necessary. Really. The forum software doesn't handle wide variations of text size in the same post well, and it just makes what you're writing hard to read. If you want to emphasize stuff, just stick to bold and/or italics, with underlines for additional effect when necessary.

 

That said, what you're saying is correct, subject to some questions about the value of an issuer *revoking* certificates. Certificate Revocation Lists are a subject of significant flakiness, with the primary problem being that if there's an *expired* CRL, some of the TLS libraries will refuse to make connections if the server certificate was issued by that CA, even though the server certificate hasn't been revoked.

 

Um. CRLs normally have extremely short expiry times, on the order of a few days and certainly no more than a week. If you can't reliably update CRLs on a *daily* basis, you're better off not using them.


So here's the problem. This is not a short-term flaky CRL issue. The certificates in question were revoked TWO YEARS AGO due to the PRIVATE KEYS BEING COMPROMISED. This means that a malicious actor can man-in-the-middle your traffic and steal your login credentials. This would be bad enough, but maybe you don't care about your SWTOR account credentials being stolen. The bigger problem is that said malicious actor can send crafted packets back to your machine to take advantage of exploits in your machine. Put simply, running this application puts your entire system at risk.

Look, I know that updating certificates is a huge PITA. But they've had two years to deal with this. They need to do it already. These certificates aren't magically going to be removed from CRLs tomorrow. The private keys are public. There's no way to fix that short of using a new certificate.



To bump up the certification issue. I am on Windows 7 and the update of the launcher failed due to a 206 error. I researched the issue and it may be related to old certificates. I was unable to update the launcher, and the game installer fails too on Windows 7, so there is no way to re-install the game. I decided to check the Steam version of SWTOR. I installed Steam, downloaded it, and when I press PLAY in Steam the launcher does not start but I get a "Certificate authentication failed" error. I installed the 2 old VeriSign and Thawte certs but I still cannot start the game.

What a mess!


3 hours ago, ZUHFB said:

just upgrade to 10 or 11

This is no longer possible, no? You need to buy a licence.

@Szob I've seen that you have Linux ... I play from Linux ... with Steam (the new launcher breaks the standalone version with Wine; similar bug on a test with Windows for me).
