Oui - Alors, c’est un peu le foutoir.
[Historique]
- J’ai moi-même mis un certificat (Let’s Encrypt) côté hébergeur (OVH) à une époque lointaine. Ce certificat marche tellement bien que je l’avais oublié.
- J’avais considéré ‹ non critique › l’avertissement sécuritaire des navigateurs du moment, et même plutôt positifs, sachant que rien n’était ‹ protégé › en ce temps (et que rien n’est ‹ protégeable › une fois sur le serveur)
- Je n’avais pas envisagé le durcissement paranoïde des navigateurs
[Stratégie]
- Les modifications à mettre en œuvre sur le module « GatewayServer » sont à première vue trop importantes pour envisager le support de WSS en plus du WS - ce sera l’un ou l’autre (ce qui évite aussi de revoir le reste de la conf, ouvertures de ports, etc) et WSS par défaut
[Fait hier soir]
- Essai de modification du code HTML/JS pour forcer l’appel en mode « insecure » ==> KO, les navigateurs ‹ modernes › repassent systématiquement en HTTPS si dispo.
- Modification du code HTML/JS pour appel en WSS en lieu et place du WS ==> OK
- Modification du code ‹ main__.py › pour prise en compte du paramètre supplémentaire ==> OK
- Modification du code ‹ GarewayServer.py › pour activation du TLS (cf ReadTheDocs) ==> Problème, je n’ai pas de vrai certificat sur mon RPi, le .PEM fourni dans l’exemple ne marche évidement pas, en conséquence, l’ouverture de session foire.
- J’ai fait une capture TCPDUMP de la foirade … comme tout est encodé, WireShark ne me donne rien d’exploitable.
- OPENSSL est un peu plus bavard - mais, de là a y comprendre quelque chose
pi@raspberrypi:~ $ openssl s_client -connect www.teletel.org:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = R10
verify return:1
depth=0 CN = teletel.org
verify return:1
Certificate chain
0 s:CN = teletel.org
i:C = US, O = Let’s Encrypt, CN = R10
1 s:C = US, O = Let’s Encrypt, CN = R10
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
Server certificate
-----BEGIN CERTIFICATE-----
MIIE+DCCA+CgAwIBAgISBJ3pFEwi138j4oh3WJJWsko4MA0GCSqGSIb3DQEBCwUA
MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
EwNSMTAwHhcNMjQxMDIwMDI1NjQ1WhcNMjUwMTE4MDI1NjQ0WjAWMRQwEgYDVQQD
Ewt0ZWxldGVsLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALj5
yqMkPLO6sluI1nAm7acDDNK9vY4xWAIG8LCpG/Q6Dn1mehwfJlIAftwInz/8ukid
ofMHmhxc/lW9eqnw5+wo86KbzMGBnA7lS9N+N0BFkN9T10adpGnB8X+8AN6mjf/Y
sqcnCDCBCouXh1Vppvw4cL7PgbC0QttUMORWoPxbEdByKR8H+WBMUzr506jRvgWQ
YgICZ+Yswmgz075ylht5EXy/3f6B+Wmk0/GG3ZyPnv00R5qF10ckRvEKs/tTuJd3
2fWpiUTUi24j8hLo4oHnvRzWyKizkzKBwrzYjwpFx0kVexwRXrJJOvjjkS+PyAMX
M+WuMjogKqoAiIcZ7QMCAwEAAaOCAiEwggIdMA4GA1UdDwEB/wQEAwIFoDAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E
FgQUl11wKX1e11k7/VsgLxUCqIjbSHwwHwYDVR0jBBgwFoAUu7zDR6XkvKnGw6Ry
DBCNojXhyOgwVwYIKwYBBQUHAQEESzBJMCIGCCsGAQUFBzABhhZodHRwOi8vcjEw
Lm8ubGVuY3Iub3JnMCMGCCsGAQUFBzAChhdodHRwOi8vcjEwLmkubGVuY3Iub3Jn
LzAnBgNVHREEIDAeggt0ZWxldGVsLm9yZ4IPd3d3LnRlbGV0ZWwub3JnMBMGA1Ud
IAQMMAowCAYGZ4EMAQIBMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHcAPxdLT9ci
R1iUHWUchL4NEu2QN38fhWrrwb8ohez4ZG4AAAGSqBClhgAABAMASDBGAiEA+S8w
UM2Q1040AZBcTHrWNPp3SN9lK14WftEa6WvsOkMCIQCBuYtqSYBb/1eAhH/5m45e
qGmreCU4sarejrLWRHj6EAB2AOCSs/wMHcjnaDYf3mG5lk0KUngZinLWcsSwTaVt
b1QEAAABkqgQpeoAAAQDAEcwRQIgaILnp115XphM5U+JdCLKaq6jxTMqsCt/y8nV
57AgG74CIQCoJFZdBynatWjUDq10h63R7e6ok3bBkQZPNGmVs9LmGzANBgkqhkiG
9w0BAQsFAAOCAQEAhlfv00UDJXuiDAH37FJCLeLVsGNEFWQ2BmhwVaeZ5SAizkDA
e5jnVVUhzvrBpsVPSLYkBR5U/opdJL4RPuGSv8mEi4FOLtIOH0vrgOul61L53ZSD
fV48o58121IQQK2gQkPpwLJfIgQDhskUL3tdK0ZmX5evnG9ZE4k5XB9rlIDzJsLN
hPnFeAZMKCl0/Iju3cmkj0QFuQgylJqWz3AwTHhTkfqPF0CSce7CVJKUJFQz1QNt
pGHx/CK8XXaVfdlZPpBcu6M3caVMPdwWK5ffxqT/WHpw3qeiEYC2VkLl6OKxKgTk
q4eRy4FuDE8Y3NPN8pIqcmrTkTdWnXG4IotYog==
-----END CERTIFICATE-----
subject=CN = teletel.org
issuer=C = US, O = Let’s Encrypt, CN = R10
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
SSL handshake has read 3130 bytes and written 387 bytes
Verification: OK
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 8BBACCCDD26BC5129DFDD8785E6EA509BA93CDD42F52B1BDED521B3544F7BCCA
Session-ID-ctx:
Resumption PSK: A4956BC15F2F3F9A81894F3DBF8D66657484E539C79018A62D1D4CAF3D62154BE5F02A9EEED25A939491CBC3DC671885
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - c4 9b 75 e9 a0 cb 7c 1c-85 c5 6b dc be 6a 42 9b …u…|…k…jB.
0010 - b8 69 c7 e9 42 48 28 fe-32 97 43 8e e2 43 f7 6c .i…BH(.2.C…C.l
Start Time: 1730285295
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
read R BLOCK
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 3A4D4534882C4B2B947BC8B801C5492CA159BB79E8F55E192159890B5E69BCA7
Session-ID-ctx:
Resumption PSK: 5F74F3387BC6C629E58FCE368DA00ECACD46937B2B643E85E9D687C98E17CD7B4A9B203B0C09C8D2B3EDADB869F116A3
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 16 5a 11 83 88 b0 22 01-e8 28 77 69 8d 59 3b de .Z…"…(wi.Y;.
0010 - 9f 2c 4d 95 4e cc 7a aa-ee e4 ea 45 20 21 5b dd .,M.N.z…E ![.
Start Time: 1730285295
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
read R BLOCK
closed
pi@raspberrypi:~ $
pi@raspberrypi:~ $ openssl s_client -connect home.teletel.org:9001
CONNECTED(00000003)
depth=0 C = FR, L = Paris, O = Aymeric Augustin, CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = FR, L = Paris, O = Aymeric Augustin, CN = localhost
verify return:1
Certificate chain
0 s:C = FR, L = Paris, O = Aymeric Augustin, CN = localhost
i:C = FR, L = Paris, O = Aymeric Augustin, CN = localhost
Server certificate
-----BEGIN CERTIFICATE-----
MIIDTTCCAjWgAwIBAgIJAOjte6l+03jvMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV
BAYTAkZSMQ4wDAYDVQQHDAVQYXJpczEZMBcGA1UECgwQQXltZXJpYyBBdWd1c3Rp
bjESMBAGA1UEAwwJbG9jYWxob3N0MCAXDTE4MDUwNTE2NTkyOVoYDzIwNjAwNTA0
MTY1OTI5WjBMMQswCQYDVQQGEwJGUjEOMAwGA1UEBwwFUGFyaXMxGTAXBgNVBAoM
EEF5bWVyaWMgQXVndXN0aW4xEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMbyINqThQGm6shNaNJ+onRhUb9LnqeGzB6G
6kJojO7TFDzCo9KzfqHm3WMx7Ek9l+/DK8WNxX6FimMswzTAwk/H2gFAR7RuyaUL
rp7xoXRSlJDDVpV9ijED0F6OATKsU0TtxFtA1gURv/ncd+pkp0RADZ+BBKVnRFNG
YusP6XvaI7mjbGXlu21emphkHZc6TI7v2P/FZ273MUSyBknnKxZuqhEAaCfGN1hi
v0MBF3xsgT+E3dJbuYO3m/guoIiEafVWavC1Pd3kC4ZA/PhgRubS3oY6WYWMgxgf
ljukAtFV+gkpGPoMY0hHUmJwv7CotXrqRxWePxYpuVrbSLt9Hs0CAwEAAaMwMC4w
LAYDVR0RBCUwI4IJbG9jYWxob3N0hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0G
CSqGSIb3DQEBCwUAA4IBAQC9TsTxTEvqHPUS6sfvF77eG0D6HLOONVN91J+L7LiX
v3bFeS1xbUS6/wIxZi5EnAt/te5vaHk/5Q1UvznQP4j2gNoM6lH/DRkSARvRitVc
H0qN4Xp2Yk1R9VEx4ZgArcyMpI+GhE4vJRx1LE/hsuAzw7BAdsTt9zicscNg2fxO
3ao/eBcdaC6n9aFYdE6CADMpB1lCX2oWNVdj6IavQLu7VMc+WJ3RKncwC9th+5OP
ISPvkVZWf25rR2STmvvb0qEm3CZjk4Xd7N+gxbKKUvzEgPjrLSWzKKJAWHjCLugI
/kQqhpjWVlTbtKzWz5bViqCjSbrIPpU2MgG9AUV9y3iV
-----END CERTIFICATE-----
subject=C = FR, L = Paris, O = Aymeric Augustin, CN = localhost
issuer=C = FR, L = Paris, O = Aymeric Augustin, CN = localhost
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
SSL handshake has read 1405 bytes and written 388 bytes
Verification error: self signed certificate
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 3020D14379A33D8645AAABD35993D6BD86887E7C444A26B6F87C906C00F06570
Session-ID-ctx:
Resumption PSK: 069B16301593C61310201BC686C832FD2D8831DA13ACD7ED672ACCAB911B80055F17488ECF04D05D8FF0EE184018B4CE
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 96 a2 59 6c 3c 81 23 93-a2 20 99 23 23 eb 7b b4 …Yl<.#… .##.{.
0010 - 21 99 51 76 83 5a 0c 70-c2 45 bf 0a e2 68 0c 38 !.Qv.Z.p.E…h.8
0020 - 61 fb 83 30 05 2d a1 75-69 01 c6 ed 92 8a 57 78 a…0.-.ui…Wx
0030 - 01 2a 76 b3 2b c3 d4 02-52 69 bc 18 fd 46 f1 b4 .v.+…Ri…F…
0040 - ea 6e df 1a f0 31 b1 6a-73 9c 2a 2f 2d e1 da 3a .n…1.js./-…:
0050 - 4e 8a b3 d0 4c 9c 7a cb-d1 72 eb 07 04 bb cb f8 N…L.z…r…
0060 - 47 9e bf 43 78 7b 16 71-dc 74 36 c4 67 ba f7 1b G…Cx{.q.t6.g…
0070 - f2 a9 bc 66 32 23 a0 0f-67 4a 9e cc 9c c6 f4 a3 …f2#…gJ…
0080 - 3e fc 20 f0 7d 05 f2 85-26 f0 f4 d1 e4 4e 8f 57 >. .}…&…N.W
0090 - d0 b6 b4 0e e7 5d 67 05-07 28 1b c0 91 92 c2 e5 …]g…(…
00a0 - 65 b7 d3 30 12 e9 2a 1c-95 38 0e 4c a6 20 c7 2c e…0……8.L. .,
00b0 - 96 2b 2a db 83 80 00 8d-ca 4b 87 42 5e dc a3 f5 .+…K.B^…
00c0 - 95 e4 f8 8d cf 5a 10 f6-ab 4d fd 21 c4 74 3d 68 …Z…M.!.t=h
Start Time: 1730285484
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
Max Early Data: 0
read R BLOCK
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 306D01C5833646F0DCC947CA33D5A449CDA9FBF35E40D07C8B5CBF7BF45FDFB4
Session-ID-ctx:
Resumption PSK: 5B224B45E20EF46EDE70239429DDA55F9704914CBF5D5D3799B9FDB6878324489FBE6DBE83571F59787C0E4875AA4530
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 96 a2 59 6c 3c 81 23 93-a2 20 99 23 23 eb 7b b4 …Yl<.#… .##.{.
0010 - 5b 1b e5 57 bb 11 58 76-68 ce c7 7e c7 1a ad 29 […W…Xvh…~…)
0020 - 34 36 a5 cd 94 c3 18 2a-b4 71 05 4b 9c 27 08 1b 46…*.q.K.'…
0030 - 66 80 bc 14 d0 5a fa 5e-c0 b7 0e 0c 36 c6 76 1d f…Z.^…6.v.
0040 - 87 45 75 45 1d 21 6f 7d-41 7a 3e 6e 42 7f 50 f3 .EuE.!o}Az>nB.P.
0050 - 1e bf 04 a9 68 4c ed 27-6e 4b 95 46 e5 b7 62 22 …hL.'nK.F…b"
0060 - 08 6e de eb 6c 21 f5 70-55 c0 b6 e8 cd 6a cc af .n…l!.pU…j…
0070 - f6 2e e5 e4 0c 81 94 75-f8 f4 da 1a cd 34 ac d0 …u…4…
0080 - 5c 3f 96 07 12 6b c3 47-a6 0f bf 29 c3 cb c7 07 ?…k.G…)…
0090 - 5a 05 1f 21 8a d7 4d b1-ba 38 74 58 99 86 0a c5 Z…!..M…8tX…
00a0 - a2 de eb 5b b8 16 75 5e-35 12 af 06 df a1 7f bf …[…u^5…
00b0 - 43 91 95 53 9c 55 24 09-41 50 9f 2e 3b b5 fe 8f C…S.U$.AP…;…
00c0 - 66 6b 9a 83 65 07 61 66-cf 4b 24 74 92 2e 02 cf fk…e.af.K$t…
Start Time: 1730285484
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
Max Early Data: 0
read R BLOCK
Avec çà, me v’là bien ! Les certificats, c’est tout ce que j’aime.
Sur le principe, de ce que j’ai compris, il faudrait que je récupère le certificat fourni par Let’sEncrypt sur OVH [comment ? pas encore vraiment cherché mais rien vu de flagrant], que j’y mette l’emprunte de mon RPi [là, pareil, comment ?] afin de faire un PEM valide en concaténant tout ça.
==> Pourquoi faire simple ?? En attendant, c’est en carrafe, sauf en Telnet.