[HELP] Securing an HTTP server via stunnel and a certificate

Securing an HTTP server via stunnel and a certificate [HELP] - Security - Systems & Networks Pro

Marsh Posted on 09-05-2013 at 18:06:30

Hello,

I'm getting lost in SSL and certificates.

What I'm trying to do is simple:
Client <----- https -----> stunnel <---- http ----> HTTP server

Before anyone asks: the final HTTP server does not support https.

I've configured stunnel and I can connect to the target server over https without any problem. So far so good.

Now I really want to lock all this down with a certificate on the client and on stunnel, with stunnel configured to reject any connection that doesn't present a certificate.
So I generated a self-signed certificate following... well, I've tried so many things that I'm lost. Typically, here's the kind of tutorial I used: http://www.akadia.com/services/ssh [...] icate.html

Anyway, from what I understand I need a client certificate, and:
- tell stunnel that this certificate is authorised
- make the client identify itself with this certificate when it connects to my site

And that's where I'm lost:
- generating the certificate turns out to be really complex, with CAs and other frills of that kind, whereas I just want a dummy one :/
- when I manage to generate the .crt certificate, it seems it has to be converted to .pem for stunnel, and that fails (I can give the error if needed)
- once I've generated the certificate and registered it in the Windows certificate manager, my browsers (FF, Chrome, IE) don't present said certificate to stunnel (according to the stunnel log)

In short, I'm lost :/
If someone has already done this and could point me in the right direction, I'm all ears.

Thanks in advance


---------------
sheep++


Marsh Posted on 10-05-2013 at 13:51:23

Okay, I've made progress.

I can now create a CA certificate, and a client and a server certificate issued by that CA.
I exported a PKCS12 client certificate and imported it into Firefox, into the Windows 8 certificate manager and onto Android.

Result: on FF and Android the browsers asked me for a certificate when connecting and connected without any problem.
On IE and Chromium (which use the Windows store), the connection doesn't work:
- Chromium gives me: "Erreur 107 (net::ERR_SSL_PROTOCOL_ERROR) : Erreur de protocole SSL"
- and stunnel: "SSL_accept: 140890C7: error:140890C7:SSL routines: SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate"

I can't figure out what's wrong; I'm continuing to investigate.


---------------
sheep++

Marsh Posted on 10-05-2013 at 14:02:20

Did you put the client certificate under Personal in the Windows store? With the private key?

Do you have the CA in the Trusted Root Certification Authorities?


Marsh Posted on 12-05-2013 at 23:19:13

I deleted and re-imported the certificates.

The CA is indeed in "Trusted Root Certification Authorities" and the client certificate is indeed in "Personal", with its key.

I think my problem comes from the certificate generation, as if the browsers couldn't make the link between the site and the certificate.
I should mention that I don't have a domain name; I don't know whether that matters.


---------------
sheep++

Marsh Posted on 12-05-2013 at 23:49:04

If the CN of your server certificate doesn't match the URL you access, you'll get a warning message in your browser, but that's as far as it goes.

The errors you get say that no client certificate is being presented, so it's something else.

Don't you have more complete logs in "debug" mode on the stunnel side, to possibly find other leads?


Marsh Posted on 12-05-2013 at 23:53:01

There is no link between the site and the client certificate. You could potentially present your certificate to any site. Then, on your server, you can configure it to accept only certificates issued by such and such CA. That's where you can make a link (well, a restriction).

It's your server certificate that is tied to the site, where the CN of the certificate (or a SAN) must match the URL (so either an IP, or a DNS name (external, internal, or just a machine name, but in every case resolved via DNS) for https).

You'd need to understand the Chromium error. For IE, look at the SSL options.
And look at what you generated as certificates, too.
Personally I don't know stunnel, so I admit I can't help much there, but I've already set up SSL on squid, apache, iis and plenty of other services; the principle remains the same.

Message edited by Je@nb on 12-05-2013 at 23:53:27

Marsh Posted on 12-05-2013 at 23:58:31

Spam :o

Here's what it gives in debug mode with a single Chromium connection:

Code :
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Clients allowed=500
  May 12 23:52:50 raspberrypi stunnel: LOG5[2221:3069378560]: stunnel 4.53 on arm-unknown-linux-gnueabihf platform
  May 12 23:52:50 raspberrypi stunnel: LOG5[2221:3069378560]: Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
  May 12 23:52:50 raspberrypi stunnel: LOG5[2221:3069378560]: Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
  May 12 23:52:50 raspberrypi stunnel: LOG5[2221:3069378560]: Reading configuration from file /etc/stunnel/ssh.conf
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Compression not enabled
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Snagged 64 random bytes from /root/.rnd
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Wrote 1024 new random bytes to /root/.rnd
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: PRNG seeded successfully
  May 12 23:52:50 raspberrypi stunnel: LOG6[2221:3069378560]: Initializing service section [stunnel443]
  May 12 23:52:50 raspberrypi stunnel: LOG4[2221:3069378560]: Insecure file permissions on /root/sslCA/private/domotic-key.pem
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Certificate: /root/sslCA/domotic-cert.pem
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Certificate loaded
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Key file: /root/sslCA/private/domotic-key.pem
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Private key loaded
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Could not load DH parameters from /root/sslCA/domotic-cert.pem
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Using hardcoded DH parameters
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: DH initialized with 2048-bit key
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: ECDH initialized with curve prime256v1
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: SSL options set: 0x00000004
  May 12 23:52:50 raspberrypi stunnel: LOG6[2221:3069378560]: Initializing service section [domotic]
  May 12 23:52:50 raspberrypi stunnel: LOG4[2221:3069378560]: Insecure file permissions on /root/sslCA/private/domotic-key.pem
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Certificate: /root/sslCA/domotic-cert.pem
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Certificate loaded
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Key file: /root/sslCA/private/domotic-key.pem
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Private key loaded
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Loaded verify certificates from /root/sslCA/cacert.pem
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Loaded /root/sslCA/cacert.pem revocation lookup file
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Verify directory set to /etc/ssl/domotic_certs
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Added /etc/ssl/domotic_certs revocation lookup directory
  May 12 23:52:50 raspberrypi stunnel: LOG6[2221:3069378560]: Peer certificate location /etc/ssl/domotic_certs
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Could not load DH parameters from /root/sslCA/domotic-cert.pem
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Using hardcoded DH parameters
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: DH initialized with 2048-bit key
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: ECDH initialized with curve prime256v1
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: SSL options set: 0x00000004
  May 12 23:52:50 raspberrypi stunnel: LOG5[2221:3069378560]: Configuration successful
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Service [stunnel443] (FD=12) bound to 192.168.1.8:443
  May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Service [domotic] (FD=13) bound to 192.168.1.8:8080
  May 12 23:52:50 raspberrypi stunnel: LOG7[2227:3069378560]: Created pid file /tmp/stunnel.pid
  May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=3) from xxxxx:1025
  May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=14) from xxxxxx:1026
  May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] started
  May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065455728]: Waiting for a libwrap process
  May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065455728]: Acquired libwrap process #0
  May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065349232]: Service [domotic] started
  May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065349232]: Waiting for a libwrap process
  May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065349232]: Acquired libwrap process #1
  May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065349232]: Releasing libwrap process #1
  May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065349232]: Released libwrap process #1
  May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065349232]: Service [domotic] permitted by libwrap from xxxxx:1026
  May 12 23:52:59 raspberrypi stunnel: LOG5[2227:3065349232]: Service [domotic] accepted connection from xxxxx:1026
  May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065455728]: Releasing libwrap process #0
  May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065455728]: Released libwrap process #0
  May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] permitted by libwrap from xxxxx:1025
  May 12 23:52:59 raspberrypi stunnel: LOG5[2227:3065455728]: Service [domotic] accepted connection from xxxxx:1025
  May 12 23:52:59 raspberrypi stunnel: LOG3[2227:3065349232]: SSL_accept: Peer suddenly disconnected
  May 12 23:53:00 raspberrypi stunnel: LOG5[2227:3065349232]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065349232]: Local socket (FD=14) closed
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065349232]: Service [domotic] finished (1 left)
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=14) from xxxxx:1027
  May 12 23:53:00 raspberrypi stunnel: LOG3[2227:3065455728]: SSL_accept: Peer suddenly disconnected
  May 12 23:53:00 raspberrypi stunnel: LOG5[2227:3065455728]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Local socket (FD=3) closed
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] finished (0 left)
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065209968]: Service [domotic] started
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065209968]: Waiting for a libwrap process
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065209968]: Acquired libwrap process #1
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065209968]: Releasing libwrap process #1
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065209968]: Released libwrap process #1
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065209968]: Service [domotic] permitted by libwrap from xxxxx:1027
  May 12 23:53:00 raspberrypi stunnel: LOG5[2227:3065209968]: Service [domotic] accepted connection from xxxxx:1027
  May 12 23:53:00 raspberrypi stunnel: LOG3[2227:3065209968]: SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
  May 12 23:53:00 raspberrypi stunnel: LOG5[2227:3065209968]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065209968]: Local socket (FD=14) closed
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065209968]: Service [domotic] finished (0 left)
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=3) from xxxxx:1025
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] started
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Waiting for a libwrap process
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Acquired libwrap process #1
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Releasing libwrap process #1
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Released libwrap process #1
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] permitted by libwrap from xxxxx:1025
  May 12 23:53:00 raspberrypi stunnel: LOG5[2227:3065455728]: Service [domotic] accepted connection from xxxxx:1025
  May 12 23:53:00 raspberrypi stunnel: LOG3[2227:3065455728]: SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
  May 12 23:53:00 raspberrypi stunnel: LOG5[2227:3065455728]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Local socket (FD=3) closed
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] finished (0 left)
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=3) from xxxxx:1026
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] started
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Waiting for a libwrap process
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Acquired libwrap process #1
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Releasing libwrap process #1
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Released libwrap process #1
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] permitted by libwrap from xxxxx:1026
  May 12 23:53:00 raspberrypi stunnel: LOG5[2227:3065455728]: Service [domotic] accepted connection from xxxxx:1026
  May 12 23:53:00 raspberrypi stunnel: LOG3[2227:3065455728]: SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
  May 12 23:53:00 raspberrypi stunnel: LOG5[2227:3065455728]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Local socket (FD=3) closed
  May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] finished (0 left)
 

And a connection just after with FF (which works):

Code :
  May 12 23:56:22 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=3) from xxxxx:1025
  May 12 23:56:22 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] started
  May 12 23:56:22 raspberrypi stunnel: LOG7[2227:3065455728]: Waiting for a libwrap process
  May 12 23:56:22 raspberrypi stunnel: LOG7[2227:3065455728]: Acquired libwrap process #1
  May 12 23:56:22 raspberrypi stunnel: LOG7[2227:3065455728]: Releasing libwrap process #1
  May 12 23:56:22 raspberrypi stunnel: LOG7[2227:3065455728]: Released libwrap process #1
  May 12 23:56:22 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] permitted by libwrap from xxxxx:1025
  May 12 23:56:22 raspberrypi stunnel: LOG5[2227:3065455728]: Service [domotic] accepted connection from xxxxx:1025
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065455728]: Starting certificate verification: depth=1, /C=FR/ST=France/O=H3bus/CN=xxxxx
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065455728]: Certificate accepted: depth=1, /C=FR/ST=France/O=H3bus/CN=xxxxx
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065455728]: Starting certificate verification: depth=0, /C=FR/ST=France/O=H3bus/CN=Client
  May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065455728]: CERT: Locally installed certificate matched
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065455728]: Certificate accepted: depth=0, /C=FR/ST=France/O=H3bus/CN=Client
  May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065455728]: SSL accepted: new session negotiated
  May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065455728]: Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-AES256-SHA (256-bit encryption)
  May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065455728]: Compression: null, expansion: null
  May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065455728]: connect_blocking: connecting 192.168.1.8:80
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065455728]: connect_blocking: s_poll_wait 192.168.1.8:80: waiting 10 seconds
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065455728]: connect_blocking: connected 192.168.1.8:80
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065455728]: Service [domotic] connected remote server from 192.168.1.8:35393
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065455728]: Remote socket (FD=14) initialized
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=15) from xxxxx:1026
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=16) from xxxxx:1027
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=17) from xxxxx:1028
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=18) from xxxxx:1029
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=19) from xxxxx:1030
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065078896]: Service [domotic] started
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065078896]: Waiting for a libwrap process
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065078896]: Acquired libwrap process #1
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065349232]: Service [domotic] started
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065349232]: Waiting for a libwrap process
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065349232]: Acquired libwrap process #2
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065209968]: Service [domotic] started
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065209968]: Waiting for a libwrap process
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065209968]: Acquired libwrap process #3
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065144432]: Service [domotic] started
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3064972400]: Service [domotic] started
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3064972400]: Waiting for a libwrap process
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3064972400]: Acquired libwrap process #4
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065078896]: Releasing libwrap process #1
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065078896]: Released libwrap process #1
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065078896]: Service [domotic] permitted by libwrap from xxxxx:1029
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065078896]: Service [domotic] accepted connection from xxxxx:1029
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065144432]: Waiting for a libwrap process
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065144432]: Acquired libwrap process #0
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065144432]: Releasing libwrap process #0
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065144432]: Released libwrap process #0
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065144432]: Service [domotic] permitted by libwrap from xxxxx:1028
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065144432]: Service [domotic] accepted connection from xxxxx:1028
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065349232]: Releasing libwrap process #2
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065349232]: Released libwrap process #2
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065349232]: Service [domotic] permitted by libwrap from xxxxx:1027
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065349232]: Service [domotic] accepted connection from xxxxx:1027
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3064972400]: Releasing libwrap process #4
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065209968]: Releasing libwrap process #3
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3064972400]: Released libwrap process #4
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3064972400]: Service [domotic] permitted by libwrap from xxxxx:1030
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3064972400]: Service [domotic] accepted connection from xxxxx:1030
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065209968]: Released libwrap process #3
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065209968]: Service [domotic] permitted by libwrap from xxxxx:1026
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065209968]: Service [domotic] accepted connection from xxxxx:1026
  May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065209968]: SSL accepted: previous session reused
  May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065144432]: SSL accepted: previous session reused
  May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065349232]: SSL accepted: previous session reused
  May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065349232]: connect_blocking: connecting 192.168.1.8:80
  May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065078896]: SSL accepted: previous session reused
  May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065078896]: connect_blocking: connecting 192.168.1.8:80
  May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065144432]: connect_blocking: connecting 192.168.1.8:80
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065078896]: connect_blocking: s_poll_wait 192.168.1.8:80: waiting 10 seconds
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065078896]: connect_blocking: connected 192.168.1.8:80
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065078896]: Service [domotic] connected remote server from 192.168.1.8:35394
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065078896]: Remote socket (FD=23) initialized
  May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065209968]: connect_blocking: connecting 192.168.1.8:80
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065209968]: connect_blocking: s_poll_wait 192.168.1.8:80: waiting 10 seconds
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065209968]: connect_blocking: connected 192.168.1.8:80
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065209968]: Service [domotic] connected remote server from 192.168.1.8:35397
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065144432]: connect_blocking: s_poll_wait 192.168.1.8:80: waiting 10 seconds
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065144432]: connect_blocking: connected 192.168.1.8:80
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065144432]: Service [domotic] connected remote server from 192.168.1.8:35395
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065144432]: Remote socket (FD=20) initialized
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065349232]: connect_blocking: s_poll_wait 192.168.1.8:80: waiting 10 seconds
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065349232]: connect_blocking: connected 192.168.1.8:80
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065349232]: Service [domotic] connected remote server from 192.168.1.8:35396
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065349232]: Remote socket (FD=21) initialized
  May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3064972400]: SSL accepted: previous session reused
  May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3064972400]: connect_blocking: connecting 192.168.1.8:80
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065209968]: Remote socket (FD=22) initialized
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3064972400]: connect_blocking: s_poll_wait 192.168.1.8:80: waiting 10 seconds
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3064972400]: connect_blocking: connected 192.168.1.8:80
  May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3064972400]: Service [domotic] connected remote server from 192.168.1.8:35398
  May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3064972400]: Remote socket (FD=24) initialized
 

EDIT: IPs removed ;)

Message edited by h3bus on 13-05-2013 at 00:01:09

---------------
sheep++
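An added example, not from the thread, that does the grouping a reader has to do by hand on the two debug logs above: it keys the lines on the `[pid:tid]` tag stunnel prints, and produces one record per accepted connection with its outcome (the "peer did not return a certificate" failures, the "Peer suddenly disconnected" ones, and the accepted handshakes with the verified chain, the client DN and the negotiated protocol/ciphersuite). The sample lines are copied from the posts above, with the poster's own `xxxxx` masking; run `triage(SAMPLE_LOG)` and `summarize(...)` on them, or feed it a whole syslog file.

```python
import re
from collections import Counter

# Sample lines copied from the two stunnel 4.53 debug logs posted in the thread,
# trimmed to one connection of each kind; the poster had already masked the peers.
SAMPLE_LOG = """\
May 12 23:52:59 raspberrypi stunnel: LOG5[2227:3065349232]: Service [domotic] accepted connection from xxxxx:1026
May 12 23:52:59 raspberrypi stunnel: LOG3[2227:3065349232]: SSL_accept: Peer suddenly disconnected
May 12 23:53:00 raspberrypi stunnel: LOG5[2227:3065209968]: Service [domotic] accepted connection from xxxxx:1027
May 12 23:53:00 raspberrypi stunnel: LOG3[2227:3065209968]: SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065209968]: Service [domotic] finished (0 left)
May 12 23:56:22 raspberrypi stunnel: LOG5[2227:3065455728]: Service [domotic] accepted connection from xxxxx:1025
May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065455728]: Certificate accepted: depth=1, /C=FR/ST=France/O=H3bus/CN=xxxxx
May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065455728]: Certificate accepted: depth=0, /C=FR/ST=France/O=H3bus/CN=Client
May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065455728]: SSL accepted: new session negotiated
May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065455728]: Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-AES256-SHA (256-bit encryption)
May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065209968]: Service [domotic] accepted connection from xxxxx:1026
May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065209968]: SSL accepted: previous session reused
"""

# syslog prefix, then stunnel's LOG<level>[pid:tid] tag; the tid ties one connection's lines together.
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ stunnel: "
                     r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"^Service \[(?P<svc>[^\]]+)\] accepted connection from (?P<peer>\S+)$")
CERT_OK_RE = re.compile(r"^Certificate accepted: depth=(?P<depth>\d+), (?P<dn>.+)$")
SSL_ERR_RE = re.compile(r"^SSL_accept: (?P<err>.+)$")
SESSION_RE = re.compile(r"^SSL accepted: (?P<how>new session negotiated|previous session reused)$")
CIPHER_RE = re.compile(r"^Negotiated (?P<proto>\S+) ciphersuite: (?P<cipher>\S+)")
FINISHED_RE = re.compile(r"^Service \[[^\]]+\] finished")


def classify_error(err):
    """Map the SSL_accept error text to a coarse outcome label."""
    if "peer did not return a certificate" in err:
        return "no_client_cert"      # verification is on and the client sent no certificate
    if "Peer suddenly disconnected" in err:
        return "peer_disconnected"   # client hung up before the handshake completed
    return "handshake_error"


def triage(log_text):
    """One record per accepted connection, in log order: service, peer, outcome, verified
    chain, client DN (depth 0) and negotiated protocol/ciphersuite. A resumed session is
    accepted without re-verifying, so its client DN stays None; look at its first session."""
    records, live = [], {}           # live: (pid, tid) -> record still in progress
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        key, msg = (m["pid"], m["tid"]), m["msg"]
        a = ACCEPTED_RE.match(msg)
        if a:
            rec = {"ts": m["ts"], "service": a["svc"], "peer": a["peer"], "outcome": "pending",
                   "detail": "", "chain": [], "client_dn": None, "proto": None, "cipher": None}
            records.append(rec)
            live[key] = rec
            continue
        rec = live.get(key)
        if rec is None:              # listener / libwrap chatter, not tied to a connection
            continue
        if c := CERT_OK_RE.match(msg):
            rec["chain"].append((int(c["depth"]), c["dn"]))
            if c["depth"] == "0":
                rec["client_dn"] = c["dn"]
        elif e := SSL_ERR_RE.match(msg):
            rec["outcome"], rec["detail"] = classify_error(e["err"]), e["err"]
        elif s := SESSION_RE.match(msg):
            rec["outcome"], rec["detail"] = "accepted", s["how"]
        elif ci := CIPHER_RE.match(msg):
            rec["proto"], rec["cipher"] = ci["proto"], ci["cipher"]
        elif FINISHED_RE.match(msg):
            live.pop(key, None)      # the tid can be reused by the next connection
    return records


def summarize(records):
    """Outcome counts, e.g. {'accepted': 2, 'no_client_cert': 1, 'peer_disconnected': 1}."""
    return Counter(r["outcome"] for r in records)
```

On the Chromium log above every accepted connection ends in `no_client_cert` or `peer_disconnected` with a `pending` chain, while the FF log shows one `new session negotiated` record carrying the CN=Client DN followed by `previous session reused` records without one, which is the expected shape, not a second problem.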

Marsh Posted on 13-05-2013 at 00:50:17

Hmmm, are you using elliptic curves for your certificates? :D
Maybe that's not supported by Chromium and IE. Personally I'd drop that :D


Marsh Posted on 13-05-2013 at 21:28:42

Yep, because by default I believe IE doesn't handle anything beyond TLS 1.0.


Marsh Posted on 14-05-2013 at 00:09:05

I'll investigate that side.

In any case I didn't ask OpenSSL to use elliptic curves, but maybe it does so by default.

As for the TLS version, it seems that with FF it's TLS 1.0 that gets negotiated:

Code :
  May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065455728]: Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-AES256-SHA (256-bit encryption)


---------------
sheep++


Marsh Posted on 18-05-2013 at 18:27:18

Any news?


Marsh Posted on 19-05-2013 at 05:08:37

For now I haven't gone back to it... I'll have time again in 2 weeks.


---------------
sheep++