Forum |  HardWare.fr | News | Articles | PC | S'identifier | S'inscrire | Shop Recherche
2512 connectés 

  FORUM HardWare.fr
  Systèmes & Réseaux Pro
  Sécurité

  [HELP] Sécuriser un serveur http via stunnel et un certificat

 


 Mot :   Pseudo :  
 
Bas de page
Auteur Sujet :

[HELP] Sécuriser un serveur http via stunnel et un certificat

n°110606
h3bus
Troll Inside
Posté le 09-05-2013 à 18:06:30  profilanswer
 

Bonjour,
 
Je suis entrain de me perdre dans SSL et les certificats.
 
Ce que j'essaye de faire est simple:
Client <----- https -----> stunnel <----http ----> Serveur http
 
/inbefore, le serveur http final ne supporte pas le https.
 
J'ai configuré stunnel et j'arrive sans soucis à me connecter en https au serveur cible. Jusque là tout va bien.
 
Maintenant je veux vraiment sécuriser tout ça via un certificat sur le Client et stunnel, stunnel étant configuré pour rejeter toute connexion non certifiée.
J'ai donc généré un certificat auto-signé en suivant... euh j'ai essayé tellement de truc que je suis perdu. Typiquement voici le genre de tuto que j'ai utilisé: http://www.akadia.com/services/ssh [...] icate.html
 
Enfin bref de ce que je comprend c'est qu'il me faut un certificat client, et:
- faire savoir à stunnel que ce certificat est autorisé
- faire en sorte que le client s'identifie avec ce certificat quand il se connecte à mon site
 
Et là je suis perdu:
- générer le certificat s'avère ultra complexe avec des CA et autre fioriture du genre, moi je voudrai juste un truc bidon :/
- quand j'arrive à générer le certificat .crt il semble qu'il faille le covertir en .pem pour stunnel et ça foire (je peux donner l'erreur si besoin)
- quand j'ai généré le certificat, et enregistré celui-ci dans le gestionnaire windows, mes navigateurs (FF, chrome, Ie) ne présentent pas ledit certificat à stunnel (selon le log de stunnel)
 
Bref je suis paumé :/
Si quelqu'un à déjà fait ça et saurait m'aiguiller je suis preneur.
 
Merci d'avance  [:agkklr]  


---------------
sheep++
mood
Publicité
Posté le 09-05-2013 à 18:06:30  profilanswer
 

n°110626
h3bus
Troll Inside
Posté le 10-05-2013 à 13:51:23  profilanswer
 

Bon j'ai avancé.
 
J'arrive à créer un certificat CA, un client et un serveur à partir dudit CA.
J'ai sortit un certificat client PKCS12 et je l'ai importé sur Firefox, sur le gestionnaire de certificats Windows 8 et sur android.
 
Résultat, sur FF et android les navigateurs m'ont demandé un certificat à la connexion et se sont connectés sans soucis.
Sur IE et Chromium (qui utilise le gestionnaire windows), la connexion ne fonctionne pas:
- Chromium me sort: "Erreur 107 (net::ERR_SSL_PROTOCOL_ERROR) : Erreur de protocole SSL"
- et stunnel: "SSL_accept: 140890C7: error:140890C7:SSL routines: SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate"
 
Je n'arrive pas à savoir ce qui ne va pas, je continue d'investiguer.


---------------
sheep++
n°110628
Je@nb
Modérateur
Kindly give dime
Posté le 10-05-2013 à 14:02:20  profilanswer
 

Tu l'as mis dans Personnal le certificat client dans le store windows ? Avec la clé privée ?
 
Tu as bien la CA dans les Trusted root certificates ?

n°110693
h3bus
Troll Inside
Posté le 12-05-2013 à 23:19:13  profilanswer
 

J'ai supprimé et réimportés les certificats.
 
Le CA est bien dans les "Autorités de certification racine de confiance" et le certificat client est bien dans "Personne"l, avec sa clé.
 
Je pense que mon problème viens de la génération des certificats, comme si les navigateurs n'arrivaient à faire le lien entre le site et le certificat.
Il faut dire que je n'ai pas de nom de domaine, je ne sais pas si ça peut jouer.


---------------
sheep++
n°110694
_ToM_343
Posté le 12-05-2013 à 23:49:04  profilanswer
 

Si le CN de ton certificat serveur n'est pas égal à ton URL accédée, tu auras un message d'avertissement sur ton navigateur mais ça s'arrête là.  
 
Tes erreurs retournées indiquent une non présentation d'un certificat client, donc c'est autre chose.
 
T'as pas des logs plus complet en mode "debug" au niveau de stunnel pour trouver éventuellement d'autres pistes ?

n°110695
Je@nb
Modérateur
Kindly give dime
Posté le 12-05-2013 à 23:53:01  profilanswer
 

Il n'y a pas de lien entre le site et le certificat client. Ton certificat tu pourrais le présenter à n'importe quel site potentiellement. Après sur ton serveur tu peux configurer pour n'accepter des certificats émis que par telle ou telle CA. C'est là où tu peux faire un lien (enfin une restriction).

 

C'est ton certificat serveur qui est lié au site où le CN du certificat (ou un SAN) doit correspondre à l'url (donc soit une ip, soit un nom dns (externe, interne, ou juste nom de machine mais dans tous les cas c'est résolu par le dns) pour de l'https)

 

Faudrait comprendre l'erreur de chromium. Pour IE, regarder les options SSL.
Et regarder ce que tu as généré comme certificat aussi.
Perso je connais pas stunnel donc j'avoue là dessus je peux pas trop t'aider mais j'ai déjà mis en place du ssl sur du squid, de l'apache, du iis, et plein d'autres services, le principe reste le même.


Message édité par Je@nb le 12-05-2013 à 23:53:27
n°110696
h3bus
Troll Inside
Posté le 12-05-2013 à 23:58:31  profilanswer
 

Spam :o

 

Voilà ce que ça donne en mode debug avec une seule connexion de chromium:

Code :
  1. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Clients allowed=500
  2. May 12 23:52:50 raspberrypi stunnel: LOG5[2221:3069378560]: stunnel 4.53 on arm-unknown-linux-gnueabihf platform
  3. May 12 23:52:50 raspberrypi stunnel: LOG5[2221:3069378560]: Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
  4. May 12 23:52:50 raspberrypi stunnel: LOG5[2221:3069378560]: Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
  5. May 12 23:52:50 raspberrypi stunnel: LOG5[2221:3069378560]: Reading configuration from file /etc/stunnel/ssh.conf
  6. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Compression not enabled
  7. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Snagged 64 random bytes from /root/.rnd
  8. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Wrote 1024 new random bytes to /root/.rnd
  9. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: PRNG seeded successfully
  10. May 12 23:52:50 raspberrypi stunnel: LOG6[2221:3069378560]: Initializing service section [stunnel443]
  11. May 12 23:52:50 raspberrypi stunnel: LOG4[2221:3069378560]: Insecure file permissions on /root/sslCA/private/domotic-key.pem
  12. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Certificate: /root/sslCA/domotic-cert.pem
  13. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Certificate loaded
  14. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Key file: /root/sslCA/private/domotic-key.pem
  15. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Private key loaded
  16. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Could not load DH parameters from /root/sslCA/domotic-cert.pem
  17. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Using hardcoded DH parameters
  18. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: DH initialized with 2048-bit key
  19. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: ECDH initialized with curve prime256v1
  20. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: SSL options set: 0x00000004
  21. May 12 23:52:50 raspberrypi stunnel: LOG6[2221:3069378560]: Initializing service section [domotic]
  22. May 12 23:52:50 raspberrypi stunnel: LOG4[2221:3069378560]: Insecure file permissions on /root/sslCA/private/domotic-key.pem
  23. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Certificate: /root/sslCA/domotic-cert.pem
  24. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Certificate loaded
  25. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Key file: /root/sslCA/private/domotic-key.pem
  26. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Private key loaded
  27. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Loaded verify certificates from /root/sslCA/cacert.pem
  28. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Loaded /root/sslCA/cacert.pem revocation lookup file
  29. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Verify directory set to /etc/ssl/domotic_certs
  30. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Added /etc/ssl/domotic_certs revocation lookup directory
  31. May 12 23:52:50 raspberrypi stunnel: LOG6[2221:3069378560]: Peer certificate location /etc/ssl/domotic_certs
  32. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Could not load DH parameters from /root/sslCA/domotic-cert.pem
  33. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Using hardcoded DH parameters
  34. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: DH initialized with 2048-bit key
  35. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: ECDH initialized with curve prime256v1
  36. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: SSL options set: 0x00000004
  37. May 12 23:52:50 raspberrypi stunnel: LOG5[2221:3069378560]: Configuration successful
  38. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Service [stunnel443] (FD=12) bound to 192.168.1.8:443
  39. May 12 23:52:50 raspberrypi stunnel: LOG7[2221:3069378560]: Service [domotic] (FD=13) bound to 192.168.1.8:8080
  40. May 12 23:52:50 raspberrypi stunnel: LOG7[2227:3069378560]: Created pid file /tmp/stunnel.pid
  41. May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=3) from xxxxx:1025
  42. May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=14) from xxxxxx:1026
  43. May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] started
  44. May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065455728]: Waiting for a libwrap process
  45. May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065455728]: Acquired libwrap process #0
  46. May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065349232]: Service [domotic] started
  47. May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065349232]: Waiting for a libwrap process
  48. May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065349232]: Acquired libwrap process #1
  49. May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065349232]: Releasing libwrap process #1
  50. May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065349232]: Released libwrap process #1
  51. May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065349232]: Service [domotic] permitted by libwrap from xxxxx:1026
  52. May 12 23:52:59 raspberrypi stunnel: LOG5[2227:3065349232]: Service [domotic] accepted connection from xxxxx:1026
  53. May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065455728]: Releasing libwrap process #0
  54. May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065455728]: Released libwrap process #0
  55. May 12 23:52:59 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] permitted by libwrap from xxxxx:1025
  56. May 12 23:52:59 raspberrypi stunnel: LOG5[2227:3065455728]: Service [domotic] accepted connection from xxxxx:1025
  57. May 12 23:52:59 raspberrypi stunnel: LOG3[2227:3065349232]: SSL_accept: Peer suddenly disconnected
  58. May 12 23:53:00 raspberrypi stunnel: LOG5[2227:3065349232]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
  59. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065349232]: Local socket (FD=14) closed
  60. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065349232]: Service [domotic] finished (1 left)
  61. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=14) from xxxxx:1027
  62. May 12 23:53:00 raspberrypi stunnel: LOG3[2227:3065455728]: SSL_accept: Peer suddenly disconnected
  63. May 12 23:53:00 raspberrypi stunnel: LOG5[2227:3065455728]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
  64. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Local socket (FD=3) closed
  65. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] finished (0 left)
  66. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065209968]: Service [domotic] started
  67. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065209968]: Waiting for a libwrap process
  68. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065209968]: Acquired libwrap process #1
  69. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065209968]: Releasing libwrap process #1
  70. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065209968]: Released libwrap process #1
  71. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065209968]: Service [domotic] permitted by libwrap from xxxxx:1027
  72. May 12 23:53:00 raspberrypi stunnel: LOG5[2227:3065209968]: Service [domotic] accepted connection from xxxxx:1027
  73. May 12 23:53:00 raspberrypi stunnel: LOG3[2227:3065209968]: SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
  74. May 12 23:53:00 raspberrypi stunnel: LOG5[2227:3065209968]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
  75. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065209968]: Local socket (FD=14) closed
  76. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065209968]: Service [domotic] finished (0 left)
  77. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=3) from xxxxx:1025
  78. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] started
  79. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Waiting for a libwrap process
  80. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Acquired libwrap process #1
  81. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Releasing libwrap process #1
  82. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Released libwrap process #1
  83. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] permitted by libwrap from xxxxx:1025
  84. May 12 23:53:00 raspberrypi stunnel: LOG5[2227:3065455728]: Service [domotic] accepted connection from xxxxx:1025
  85. May 12 23:53:00 raspberrypi stunnel: LOG3[2227:3065455728]: SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
  86. May 12 23:53:00 raspberrypi stunnel: LOG5[2227:3065455728]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
  87. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Local socket (FD=3) closed
  88. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] finished (0 left)
  89. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=3) from xxxxx:1026
  90. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] started
  91. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Waiting for a libwrap process
  92. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Acquired libwrap process #1
  93. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Releasing libwrap process #1
  94. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Released libwrap process #1
  95. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] permitted by libwrap from xxxxx:1026
  96. May 12 23:53:00 raspberrypi stunnel: LOG5[2227:3065455728]: Service [domotic] accepted connection from xxxxx:1026
  97. May 12 23:53:00 raspberrypi stunnel: LOG3[2227:3065455728]: SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
  98. May 12 23:53:00 raspberrypi stunnel: LOG5[2227:3065455728]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
  99. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Local socket (FD=3) closed
  100. May 12 23:53:00 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] finished (0 left)
 

Et une connexion juste après avec FF (qui marche)

Code :
  1. May 12 23:56:22 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=3) from xxxxx:1025
  2. May 12 23:56:22 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] started
  3. May 12 23:56:22 raspberrypi stunnel: LOG7[2227:3065455728]: Waiting for a libwrap process
  4. May 12 23:56:22 raspberrypi stunnel: LOG7[2227:3065455728]: Acquired libwrap process #1
  5. May 12 23:56:22 raspberrypi stunnel: LOG7[2227:3065455728]: Releasing libwrap process #1
  6. May 12 23:56:22 raspberrypi stunnel: LOG7[2227:3065455728]: Released libwrap process #1
  7. May 12 23:56:22 raspberrypi stunnel: LOG7[2227:3065455728]: Service [domotic] permitted by libwrap from xxxxx:1025
  8. May 12 23:56:22 raspberrypi stunnel: LOG5[2227:3065455728]: Service [domotic] accepted connection from xxxxx:1025
  9. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065455728]: Starting certificate verification: depth=1, /C=FR/ST=France/O=H3bus/CN=xxxxx
  10. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065455728]: Certificate accepted: depth=1, /C=FR/ST=France/O=H3bus/CN=xxxxx
  11. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065455728]: Starting certificate verification: depth=0, /C=FR/ST=France/O=H3bus/CN=Client
  12. May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065455728]: CERT: Locally installed certificate matched
  13. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065455728]: Certificate accepted: depth=0, /C=FR/ST=France/O=H3bus/CN=Client
  14. May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065455728]: SSL accepted: new session negotiated
  15. May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065455728]: Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-AES256-SHA (256-bit encryption)
  16. May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065455728]: Compression: null, expansion: null
  17. May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065455728]: connect_blocking: connecting 192.168.1.8:80
  18. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065455728]: connect_blocking: s_poll_wait 192.168.1.8:80: waiting 10 seconds
  19. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065455728]: connect_blocking: connected 192.168.1.8:80
  20. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065455728]: Service [domotic] connected remote server from 192.168.1.8:35393
  21. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065455728]: Remote socket (FD=14) initialized
  22. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=15) from xxxxx:1026
  23. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=16) from xxxxx:1027
  24. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=17) from xxxxx:1028
  25. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=18) from xxxxx:1029
  26. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3069378560]: Service [domotic] accepted (FD=19) from xxxxx:1030
  27. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065078896]: Service [domotic] started
  28. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065078896]: Waiting for a libwrap process
  29. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065078896]: Acquired libwrap process #1
  30. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065349232]: Service [domotic] started
  31. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065349232]: Waiting for a libwrap process
  32. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065349232]: Acquired libwrap process #2
  33. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065209968]: Service [domotic] started
  34. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065209968]: Waiting for a libwrap process
  35. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065209968]: Acquired libwrap process #3
  36. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065144432]: Service [domotic] started
  37. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3064972400]: Service [domotic] started
  38. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3064972400]: Waiting for a libwrap process
  39. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3064972400]: Acquired libwrap process #4
  40. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065078896]: Releasing libwrap process #1
  41. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065078896]: Released libwrap process #1
  42. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065078896]: Service [domotic] permitted by libwrap from xxxxx:1029
  43. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065078896]: Service [domotic] accepted connection from xxxxx:1029
  44. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065144432]: Waiting for a libwrap process
  45. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065144432]: Acquired libwrap process #0
  46. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065144432]: Releasing libwrap process #0
  47. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065144432]: Released libwrap process #0
  48. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065144432]: Service [domotic] permitted by libwrap from xxxxx:1028
  49. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065144432]: Service [domotic] accepted connection from xxxxx:1028
  50. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065349232]: Releasing libwrap process #2
  51. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065349232]: Released libwrap process #2
  52. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065349232]: Service [domotic] permitted by libwrap from xxxxx:1027
  53. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065349232]: Service [domotic] accepted connection from xxxxx:1027
  54. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3064972400]: Releasing libwrap process #4
  55. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065209968]: Releasing libwrap process #3
  56. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3064972400]: Released libwrap process #4
  57. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3064972400]: Service [domotic] permitted by libwrap from xxxxx:1030
  58. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3064972400]: Service [domotic] accepted connection from xxxxx:1030
  59. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065209968]: Released libwrap process #3
  60. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065209968]: Service [domotic] permitted by libwrap from xxxxx:1026
  61. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065209968]: Service [domotic] accepted connection from xxxxx:1026
  62. May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065209968]: SSL accepted: previous session reused
  63. May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065144432]: SSL accepted: previous session reused
  64. May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065349232]: SSL accepted: previous session reused
  65. May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065349232]: connect_blocking: connecting 192.168.1.8:80
  66. May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065078896]: SSL accepted: previous session reused
  67. May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065078896]: connect_blocking: connecting 192.168.1.8:80
  68. May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065144432]: connect_blocking: connecting 192.168.1.8:80
  69. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065078896]: connect_blocking: s_poll_wait 192.168.1.8:80: waiting 10 seconds
  70. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065078896]: connect_blocking: connected 192.168.1.8:80
  71. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065078896]: Service [domotic] connected remote server from 192.168.1.8:35394
  72. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065078896]: Remote socket (FD=23) initialized
  73. May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065209968]: connect_blocking: connecting 192.168.1.8:80
  74. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065209968]: connect_blocking: s_poll_wait 192.168.1.8:80: waiting 10 seconds
  75. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065209968]: connect_blocking: connected 192.168.1.8:80
  76. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065209968]: Service [domotic] connected remote server from 192.168.1.8:35397
  77. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065144432]: connect_blocking: s_poll_wait 192.168.1.8:80: waiting 10 seconds
  78. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065144432]: connect_blocking: connected 192.168.1.8:80
  79. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065144432]: Service [domotic] connected remote server from 192.168.1.8:35395
  80. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065144432]: Remote socket (FD=20) initialized
  81. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065349232]: connect_blocking: s_poll_wait 192.168.1.8:80: waiting 10 seconds
  82. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065349232]: connect_blocking: connected 192.168.1.8:80
  83. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3065349232]: Service [domotic] connected remote server from 192.168.1.8:35396
  84. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065349232]: Remote socket (FD=21) initialized
  85. May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3064972400]: SSL accepted: previous session reused
  86. May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3064972400]: connect_blocking: connecting 192.168.1.8:80
  87. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3065209968]: Remote socket (FD=22) initialized
  88. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3064972400]: connect_blocking: s_poll_wait 192.168.1.8:80: waiting 10 seconds
  89. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3064972400]: connect_blocking: connected 192.168.1.8:80
  90. May 12 23:56:26 raspberrypi stunnel: LOG5[2227:3064972400]: Service [domotic] connected remote server from 192.168.1.8:35398
  91. May 12 23:56:26 raspberrypi stunnel: LOG7[2227:3064972400]: Remote socket (FD=24) initialized
 

EDIT: virage d'IP ;)


Message édité par h3bus le 13-05-2013 à 00:01:09

---------------
sheep++
n°110697
Je@nb
Modérateur
Kindly give dime
Posté le 13-05-2013 à 00:50:17  profilanswer
 

Hmmm, tu utilises les courbes élliptiques pour tes certificats ? :D
Peut être c'est pas géré par Chromium et IE. Perso je baisserai ça :D

n°110727
_ToM_343
Posté le 13-05-2013 à 21:28:42  profilanswer
 

Ouaip parce que de base je crois qu'IE ne gère pas au-delà du TLS 1.0.

n°110745
h3bus
Troll Inside
Posté le 14-05-2013 à 00:09:05  profilanswer
 

Je vais investiguer de ce côté.
 
Je n'ai en tout cas pas demandé à openSSL d'utiliser les courbes élliptiques mais il le fait peut-être par défaut.
 
Pour la version TLS, il semble qu'avec FF c'est un TLS 1.0 qui est négocié:

Code :
  1. May 12 23:56:26 raspberrypi stunnel: LOG6[2227:3065455728]: Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-AES256-SHA (256-bit encryption)


---------------
sheep++
mood
Publicité
Posté le 14-05-2013 à 00:09:05  profilanswer
 

n°110958
_ToM_343
Posté le 18-05-2013 à 18:27:18  profilanswer
 

Any news ?

n°110980
h3bus
Troll Inside
Posté le 19-05-2013 à 05:08:37  profilanswer
 

Pour l'instant je ne me suis pas re-penché dessus... j'aurai de nouveau du temps dans 2 semaines.


---------------
sheep++

Aller à :
Ajouter une réponse
  FORUM HardWare.fr
  Systèmes & Réseaux Pro
  Sécurité

  [HELP] Sécuriser un serveur http via stunnel et un certificat

 

Sujets relatifs
virtualiser un serveur win2008 standardAide sur serveur NIS
Serveur DDNS[HELP] Comment mettre en place un sandbox pour navigateur ?
Problème avec mon serveur FTPServeur zabbix en fonction : Non
Quel solution serveur pour une PME ?basoin d'aide pour serveur proxy avec trois WAN
Dimensionnement serveur impression 
Plus de sujets relatifs à : [HELP] Sécuriser un serveur http via stunnel et un certificat


Copyright © 1997-2022 Hardware.fr SARL (Signaler un contenu illicite / Données personnelles) / Groupe LDLC / Shop HFR