
Why port 587 not using self generated CA Certificate? #303

Open
bilogic opened this issue Sep 13, 2024 · 8 comments

Comments

@bilogic

bilogic commented Sep 13, 2024

Before reporting a bug, please see our FAQ in FAQ.md!

Description

https://github.com/WhatsApp/proxy/blob/main/FAQ.md#5-does-the-proxy-support-https-or-socks

  1. It is indicated here that this proxy is just passing TCP traffic around.
  2. If that is the case, why need to generate a random CA Certificate?

```bash
export RANDOM_SSL=$(head -c 60 /dev/urandom | tr -dc 'a-zA-Z0-9')
export SSL_SUBJECT="${RANDOM_SSL}.net"
export SSL_DNS=${SSL_DNS}
export SSL_IP=${SSL_IP}
export DEBUG=${DEBUG:=1}
echo "--> Certificate Authority"
echo "Generating certs for ${SSL_SUBJECT}"
if [[ -e ./${CA_KEY} ]]; then
  echo "====> Using existing CA Key ${CA_KEY}"
else
  echo "====> Generating new CA key ${CA_KEY}"
  openssl genrsa -out ${CA_KEY} 4096
fi
if [[ -e ./${CA_CERT} ]]; then
  echo "====> Using existing CA Certificate ${CA_CERT}"
else
  echo "====> Generating new CA Certificate ${CA_CERT}"
  openssl req -x509 -new -nodes -key ${CA_KEY} -days ${CA_EXPIRE} -out ${CA_CERT} -subj "/CN=${CA_SUBJECT}" || exit 1
fi
```

  3. Since a random CA Certificate is generated for port 443, why doesn't port 587 use this same CA Certificate but chooses to use the official WhatsApp one?

These 3 points are total contradictions and make media fail in places that block WhatsApp. There is so much room to do better if the aim is to really help people get access to WhatsApp.

Failed Step

The use of the official WhatsApp cert makes media fail in places that block WhatsApp.
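The CA-generation steps quoted in the description, as an added example that is not the proxy project's own script: every variable the excerpt leaves undefined (CA_KEY, CA_CERT, CA_EXPIRE, CA_SUBJECT) is given an explicit value, and a second function reads the CN back out of the issued certificate so an operator can confirm what was actually generated and that an existing CA is reused unchanged on the next run. It assumes openssl is in PATH and takes the output directory as its first argument.

```shell
# Added example, not the WhatsApp proxy project's script. Assumes openssl in PATH.
set -eu
export LC_ALL=C   # tr -dc over raw /dev/urandom bytes needs a byte-wise locale

# Same subject derivation as the posted script: 60 random bytes filtered to [a-zA-Z0-9],
# so the resulting CN length varies (roughly 14 characters on average, never more than 60).
random_subject() {
  printf '%s.net' "$(head -c 60 /dev/urandom | tr -dc 'a-zA-Z0-9')"
}

# Print the CN embedded in a PEM certificate (handles both "CN = x" and "/CN=x" output styles).
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# Generate a CA key and self-signed CA certificate into directory $1, reusing existing files
# exactly as the original does, and print the CN that the certificate on disk actually carries.
gen_ca() {
  dir="$1"
  CA_KEY="$dir/ca.key"
  CA_CERT="$dir/ca.crt"
  CA_SUBJECT="${CA_SUBJECT:-$(random_subject)}"   # hypothetical defaults; the page defines none
  CA_EXPIRE="${CA_EXPIRE:-365}"
  mkdir -p "$dir"
  [ -e "$CA_KEY" ]  || openssl genrsa -out "$CA_KEY" 4096 2>/dev/null
  [ -e "$CA_CERT" ] || openssl req -x509 -new -nodes -key "$CA_KEY" -days "$CA_EXPIRE" \
                         -out "$CA_CERT" -subj "/CN=${CA_SUBJECT}"
  # Report what is on disk, not what this run chose: a reused cert keeps its old random CN.
  cert_cn "$CA_CERT"
}
```

Note that the original excerpt computes a fresh SSL_SUBJECT on every run but keeps an existing CA certificate, so the subject it logs can differ from the CN the reused certificate presents.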

@Nicepaul

Yes, that’s the problem

@bilogic

bilogic commented Sep 14, 2024

@Nicepaul do you know of a workaround?

@Nicepaul

> @Nicepaul do you know of a workaround?

I'm not deploying a WhatsApp proxy on a VPS; I'm setting it up on my home OpenWRT router to bypass issues with media not working. However, the prerequisite is that the OpenWRT router must be able to successfully bypass the firewall restrictions.

@bilogic

bilogic commented Sep 14, 2024

Does the proxy behave differently on different hardware?
The proxy has to be located outside the restricted network.

@Nicepaul

Nicepaul commented Sep 14, 2024

> Does the proxy behave differently on different hardware? The proxy has to be located outside the restricted network.

This is not hardware-related. I’ve installed Passwall or SSRPlus on OpenWRT to bypass the Great Firewall of China, essentially setting up a VPN. All internal network applications and data, including WhatsApp, are routed through this tunnel, so the data packets are transmitted within the VPN and won’t be intercepted by the firewall. I’ve then mapped WhatsApp proxy's port to the public IP of the OpenWRT router. This is essentially a workaround to bypass WhatsApp’s certificate issues.

@bilogic

bilogic commented Sep 14, 2024

I'm a little confused, if your mobile's WhatsApp is connected to the router which has VPN, why does it still need a proxy?

@Nicepaul

> I'm a little confused, if your mobile's WhatsApp is connected to the router which has VPN, why does it still need a proxy?

I want to use WhatsApp but prefer not to install a VPN app on my phone. Therefore, setting up a WhatsApp proxy on my home OpenWRT router seems like a good solution. Additionally, VPNs tend to drain battery and can significantly affect phone network performance, making it impractical to keep them always on. However, turning it off would disrupt WhatsApp communication.

@cloudwindy

ping @eozturk1
