TLS Certificates
Understanding and managing TLS certificates for secure connections.
Overview
Two-Face uses TLS (Transport Layer Security) for encrypted communication with Simutronics’ eAccess authentication servers. This page covers certificate management for direct eAccess mode.
Certificate Architecture
Connection Security
┌───────────────────────────────────────────────────────────┐
│                   TLS Connection Flow                     │
│                                                           │
│   Two-Face                               eAccess Server   │
│       │                                        │          │
│       │──── ClientHello ──────────────────────▶│          │
│       │                                        │          │
│       │◀─── ServerHello + Cert ────────────────│          │
│       │                                        │          │
│       │  Verify cert against                   │          │
│       │  stored simu.pem                       │          │
│       │                                        │          │
│       │──── Key Exchange ─────────────────────▶│          │
│       │                                        │          │
│       │◀═══ Encrypted Channel ════════════════▶│          │
│                                                           │
└───────────────────────────────────────────────────────────┘
Why Certificate Pinning?
The eAccess server uses a self-signed certificate, so there is no CA chain to validate. Two-Face instead pins the certificate on a trust-on-first-use basis:
- First connection: downloads and stores the certificate exactly as presented, without verifying it
- Subsequent connections: verifies the server presents the same certificate, byte for byte
- Protection: prevents man-in-the-middle attacks from the second connection onward; an attacker who can interpose on the very first connection gets pinned instead
Because of that first-connection gap, compare the stored certificate's fingerprint with a known-good value (see Certificate Validation below) before trusting it with your credentials.
Certificate Storage
Location
~/.two-face/
└── simu.pem # eAccess server certificate
File Format
The certificate is stored in PEM format:
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIJAK... (base64 encoded)
-----END CERTIFICATE-----
Permissions
The certificate file should have restricted permissions. It is the trust anchor for every later connection, so the concern is integrity, not secrecy: the file holds only the server's public certificate, but anyone who can overwrite it can make Two-Face trust a different server.
# Linux/macOS
chmod 600 ~/.two-face/simu.pem
# Windows
# File inherits user permissions from .two-face folder
Certificate Lifecycle
First Connection
On first direct eAccess connection:
- Two-Face connects to eaccess.play.net:7910
- Server sends its certificate during TLS handshake
- Two-Face saves certificate to ~/.two-face/simu.pem
- Connection continues with authentication
Subsequent Connections
On later connections:
- Two-Face loads stored certificate
- During TLS handshake, compares server’s certificate
- If match: connection proceeds
- If mismatch: connection fails (security protection)
Certificate Renewal
If Simutronics updates their certificate:
- Connection will fail (certificate mismatch)
- Delete the old certificate: rm ~/.two-face/simu.pem
- Reconnect to download new certificate
- Future connections use new certificate
From the client's side a genuine renewal and an interposed certificate look identical, so confirm the fingerprint of the freshly downloaded certificate (see Certificate Validation) rather than treating every mismatch as a renewal.
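The trust-on-first-use lifecycle described above (first connection stores, later connections compare, renewal means deleting the file and re-downloading) as an added example in Python. This is not Two-Face's own code: it assumes a store path supplied by the caller and, for the offline demo, constructed byte strings standing in for DER certificates. connect_pinned applies the same rule to a live handshake with SNI off and chain validation off, enforcing the pin before any application data is sent; demo() does not open a network connection.

```python
import hashlib
import hmac
import os
import socket
import ssl
import tempfile
from pathlib import Path


class PinMismatch(Exception):
    """The server presented a certificate that differs from the pinned one."""


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(store: Path, presented_der: bytes) -> str:
    """Apply the TOFU rule to the certificate the server presented.

    No store file: save it (trusted blindly, so confirm its fingerprint out of
    band) and return "stored". Store present: the presented certificate must be
    byte-for-byte identical, returning "match", else PinMismatch is raised.
    """
    if not store.exists():
        store.parent.mkdir(parents=True, exist_ok=True)
        tmp = store.with_suffix(".tmp")
        tmp.write_text(ssl.DER_cert_to_PEM_cert(presented_der))
        os.chmod(tmp, 0o600)      # integrity: only the owner may replace the pin
        os.replace(tmp, store)    # atomic, so a crash never leaves a half-written pin
        return "stored"
    pinned_der = ssl.PEM_cert_to_DER_cert(store.read_text())
    if not hmac.compare_digest(pinned_der, presented_der):
        raise PinMismatch(
            f"pinned {sha256_fingerprint(pinned_der)} but server presented "
            f"{sha256_fingerprint(presented_der)}; if this is an announced renewal "
            f"delete {store} and reconnect, otherwise suspect interception"
        )
    return "match"


def connect_pinned(host: str, port: int, store: Path) -> ssl.SSLSocket:
    """Handshake without chain validation, then enforce the pin before any
    credentials are written. The caller closes the returned socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False       # must be cleared before verify_mode is changed
    ctx.verify_mode = ssl.CERT_NONE  # self-signed: the pin replaces chain validation
    sock = socket.create_connection((host, port))
    tls = ctx.wrap_socket(sock, server_hostname=None)  # no server_hostname: no SNI
    try:
        check_pin(store, tls.getpeercert(binary_form=True))
    except PinMismatch:
        tls.close()
        raise
    return tls


def demo() -> list[str]:
    """Offline walk-through of the lifecycle with constructed (non-certificate) blobs."""
    cert_v1 = b"\x30\x82\x01\x00constructed-cert-v1"  # constructed sample, not a real DER cert
    cert_v2 = b"\x30\x82\x01\x00constructed-cert-v2"
    events = []
    with tempfile.TemporaryDirectory() as d:
        store = Path(d) / ".two-face" / "simu.pem"
        events.append(check_pin(store, cert_v1))    # first connection
        events.append(check_pin(store, cert_v1))    # later connection, same cert
        try:
            check_pin(store, cert_v2)               # renewed (or spoofed) cert
        except PinMismatch:
            events.append("mismatch")
        store.unlink()                              # operator deletes simu.pem
        events.append(check_pin(store, cert_v2))    # re-download pins the new one
    return events


if __name__ == "__main__":
    print(demo())
```

The comparison is over the whole DER encoding rather than the public key alone, which is what "same certificate" means on this page; a reissued certificate with the same key would therefore still trip the mismatch path and need the delete-and-reconnect step.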
Managing Certificates
Viewing Certificate
# View certificate details
openssl x509 -in ~/.two-face/simu.pem -text -noout
# View expiration date
openssl x509 -in ~/.two-face/simu.pem -enddate -noout
# View fingerprint
openssl x509 -in ~/.two-face/simu.pem -fingerprint -noout
Example Output
Certificate:
Data:
Version: 3 (0x2)
Serial Number: ...
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=..., O=Simutronics...
Validity
Not Before: Jan 1 00:00:00 2020 GMT
Not After : Dec 31 23:59:59 2030 GMT
Subject: CN=eaccess.play.net...
Deleting Certificate
To force certificate refresh:
# Linux/macOS
rm ~/.two-face/simu.pem
# Windows (PowerShell)
Remove-Item ~\.two-face\simu.pem
# Windows (Command Prompt)
del %USERPROFILE%\.two-face\simu.pem
Backing Up Certificate
If you want to preserve your certificate:
cp ~/.two-face/simu.pem ~/.two-face/simu.pem.backup
Troubleshooting
Certificate Verification Failed
Error: Certificate verification failed
Causes:
- Certificate changed on server
- Certificate file corrupted
- System time incorrect
Solutions:
- Verify network isn't intercepting traffic (a mismatch is also what an interposed server looks like)
- Check system time is accurate
- Delete and re-download: rm ~/.two-face/simu.pem, then confirm the new certificate's fingerprint against a known-good value
Certificate Not Found
Error: Could not load certificate from ~/.two-face/simu.pem
Causes:
- First connection hasn’t occurred
- Certificate was deleted
- Permission issues
Solutions:
- Run direct connection to auto-download
- Check folder permissions
- Verify path is correct
TLS Handshake Error
Error: TLS handshake failed
Causes:
- OpenSSL version incompatibility
- Network proxy interference
- Server configuration changed
Solutions:
- Update OpenSSL
- Disable network proxies
- Delete certificate and retry
Self-Signed Certificate Warning
The eAccess certificate is self-signed, which is expected. Two-Face handles this through certificate pinning rather than chain validation.
Advanced Topics
Manual Certificate Download
If auto-download fails, manually retrieve:
# Connect and save certificate
openssl s_client -connect eaccess.play.net:7910 \
-servername "" \
</dev/null 2>/dev/null | \
openssl x509 -outform PEM > ~/.two-face/simu.pem
Note: The empty -servername "" suppresses the SNI extension, which the server requires to be absent. OpenSSL 1.1.1 and later also offer -noservername for this; use it if your build rejects the empty value. Because 2>/dev/null hides handshake errors and the final redirect truncates simu.pem even when the pipeline fails, confirm the result with openssl x509 -in ~/.two-face/simu.pem -noout -fingerprint -sha256 before connecting, and compare that fingerprint as described under Certificate Validation.
Certificate Validation
To manually verify a certificate:
# Compare fingerprints
openssl x509 -in ~/.two-face/simu.pem -fingerprint -sha256 -noout
Compare the full fingerprint, not just its first few bytes, with a known-good value published by the community. Do this immediately after a first download or a re-download, since those are the moments the certificate is trusted without any other check.
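An added example (not part of Two-Face) of that comparison step in Python. It reads the PEM, refuses a truncated or corrupted file rather than hashing garbage, and accepts the published fingerprint in the forms it is usually pasted in: the `SHA256 Fingerprint=AB:CD:...` line openssl prints, or bare hex in either case. The sample PEM and its fingerprint are constructed here for the offline run and are not real eAccess values.

```python
import base64
import binascii
import hashlib
import hmac
import re
import ssl
import sys

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_from_pem(pem_text: str) -> bytes:
    """Extract the single certificate from a simu.pem; ValueError if the file is
    truncated, holds more than one certificate, or has a corrupt base64 body."""
    bodies = _PEM_BLOCK.findall(pem_text)
    if len(bodies) != 1:
        raise ValueError(f"expected one CERTIFICATE block, found {len(bodies)}")
    try:
        return base64.b64decode("".join(bodies[0].split()), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc


def normalize_fingerprint(text: str) -> str:
    """Accept 'SHA256 Fingerprint=AB:CD:..', 'ab:cd:..' or bare hex; return 64
    lowercase hex digits. Anything else is rejected rather than guessed at."""
    value = text.strip().split("=")[-1]   # drop an "SHA256 Fingerprint=" prefix if present
    hexdigits = re.sub(r"[\s:]", "", value)
    if not re.fullmatch(r"[0-9a-fA-F]{64}", hexdigits):
        raise ValueError("expected a SHA-256 fingerprint: 64 hex digits, optionally colon-separated")
    return hexdigits.lower()


def pem_matches(pem_text: str, published: str) -> bool:
    """True iff the stored certificate's SHA-256 fingerprint equals the published one."""
    actual = hashlib.sha256(der_from_pem(pem_text)).hexdigest()
    return hmac.compare_digest(actual, normalize_fingerprint(published))


def verify(pem_text: str, published: str) -> str:
    """Outcome as a string: 'ok', 'mismatch', or 'error: <why>' for unusable input."""
    try:
        return "ok" if pem_matches(pem_text, published) else "mismatch"
    except ValueError as exc:
        return f"error: {exc}"


# Constructed sample: an arbitrary byte string standing in for a DER certificate,
# wrapped in PEM the way Two-Face stores it. Not a real eAccess certificate.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
_hex = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
# Same shape as the line `openssl x509 -fingerprint -sha256 -noout` prints
SAMPLE_FINGERPRINT = "SHA256 Fingerprint=" + ":".join(_hex[i:i + 2] for i in range(0, 64, 2))

if __name__ == "__main__":
    # usage: python verify_pin.py ~/.two-face/simu.pem "SHA256 Fingerprint=AB:CD:..."
    pem_path, published = sys.argv[1], sys.argv[2]
    with open(pem_path) as f:
        print(verify(f.read(), published))
```

Rejecting a file with zero or several CERTIFICATE blocks matters here because a silently truncated simu.pem is one of the "certificate file corrupted" cases in Troubleshooting; hashing whatever bytes happen to be present would report a mismatch without saying why.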
Multiple Certificates
If connecting to different game servers (test vs production):
~/.two-face/
├── simu.pem # Production eAccess
├── simu-test.pem # Test server (if different)
Configure via:
[connection]
certificate = "simu.pem" # or "simu-test.pem"
Security Best Practices
Do
- ✓ Keep certificate file permissions restrictive
- ✓ Verify certificate fingerprint periodically
- ✓ Delete and refresh if authentication fails unexpectedly
- ✓ Keep OpenSSL updated
Don’t
- ✗ Let other users or processes write to the certificate file (it holds only the server's public certificate, so the risk is replacement, not disclosure)
- ✗ Ignore certificate verification failures
- ✗ Use the same certificate across different machines (download fresh)
- ✗ Disable certificate verification
Technical Details
TLS Configuration
Two-Face’s TLS connection uses:
| Setting | Value | Reason |
|---|---|---|
| Protocol | TLS 1.2+ | Security |
| SNI | Disabled | Server requirement |
| Session caching | Disabled | Protocol compatibility |
| Cipher suites | System default | OpenSSL manages |
Single-Write Requirement
A critical implementation detail: each command must arrive as a single TLS Application Data record. Two-Face ensures this by building the complete message in memory and handing it to the TLS stream in one write, which maps to one SSL_write call and, for messages under the 16 KiB TLS record limit, to exactly one record.
```rust
use std::io::{self, Write};

/// Send one command line as a single write so it leaves as one TLS record.
fn send_command<W: Write>(stream: &mut W, line: &str) -> io::Result<()> {
    // Correct: build the complete message first, then a single write
    let message = format!("{}\n", line);
    stream.write_all(message.as_bytes())?;
    stream.flush()
}

// Incorrect: two writes produce two TLS records, which fails against eAccess
// stream.write_all(line.as_bytes())?;
// stream.write_all(b"\n")?;
```
See Also
- Direct eAccess - Direct connection setup
- Troubleshooting - Connection problems
- Network Overview - Connection modes