Auteur Sujet: HTTP/2 enfin disponible sur le forum (Lu 4776 fois)

vivien · « **Réponse #12 le:** 11 mai 2022 à 18:08:03 »

J'ai pris l'exemple du manpage vgu ALL = NOPASSWD: ALL cela ne fonctionne pas, même après reboot du pc.

contenu de visudo :

Code: [Sélectionner]

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
Defaults	use_pty

# This preserves proxy settings from user environments of root
# equivalent users (group sudo)
#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"

# This allows running arbitrary commands, but so does ALL, and it means
# different sudoers have their choice of editor respected.
#Defaults:%sudo env_keep += "EDITOR"

# Completely harmless preservation of a user preference.
#Defaults:%sudo env_keep += "GREP_COLOR"

# While you shouldn't normally run git as root, you need to with etckeeper
#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"

# Per-user preferences; root won't have sensible values for them.
#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"

# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"

# Ditto for GPG agent
#Defaults:%sudo env_keep += "GPG_AGENT_INFO"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL
vgu	ALL = NOPASSWD: ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d

Tests après reboot :
vgu@vivien:~$ sudo ping [sudo] Mot de passe de vgu : sudo: il est nécessaire de saisir un mot de passe vgu@vivien:~$ sudo /usr/bin/ping [sudo] Mot de passe de vgu : sudo: il est nécessaire de saisir un mot de passe

Cela semble cassé avec Ubuntu 22.04

Hugues · « **Réponse #13 le:** 11 mai 2022 à 18:20:49 »

ici ça marche sous ubuntu 22 :

hugues@speedtest:~$ sudo su
root@speedtest:/home/hugues# cat /etc/sudoers.d/hugues
hugues ALL=(ALL) NOPASSWD: ALL

pju91 · « **Réponse #14 le:** 11 mai 2022 à 18:27:21 »

Vivien, au lieu de :

Code: [Sélectionner]

vgu	ALL = NOPASSWD: ALL

essaie

Code: [Sélectionner]

vgu	ALL=(ALL) NOPASSWD:ALL

pour pouvoir lancer toutes les commandes sans mot de passe.

Free_me · « **Réponse #15 le:** 11 mai 2022 à 20:11:56 »

http2 juste comme ca, je pense que ca changera que dalle
il faudrait deja utiliser l'api preload et/ou prefetch et je la vois pas sur le forum (balises link ou headers specifiques), mais c'est meme independant d'http2 ca
ensuite avec http2 tu peux faire du server push en se basant sur ces elements, mais attention avec ca car du coup ca ignore le cache client, etc..

vivien · « **Réponse #16 le:** 11 mai 2022 à 21:52:00 »

Citation de: Hugues le 11 mai 2022 à 18:20:49

ici ça marche sous ubuntu 22 :

hugues@speedtest:~$ sudo su
root@speedtest:/home/hugues# cat /etc/sudoers.d/hugues
hugues ALL=(ALL) NOPASSWD: ALL

Merci Hugues !

J'ai essayé ta méthode via un fichier à mettre dans /etc/sudoers.d et cela fonctionne.

J'ai alors supposé que ma ligne n'était pas au bon endroit dans visudo et c'est le cas : Il faut rajouter la ligne en fin de fichier, en tout cas après la ligne %sudo ALL=(ALL:ALL) ALL qui est vers la fin du fichier.

Bon à savoir : l'emplacement dans le fichier est primordial et il faut rajouter ses commandes à la fin du fichier.

Hugues · « **Réponse #17 le:** 11 mai 2022 à 21:55:59 »

Pas de souci, nous on fait un fichier par utilisateur :-)

Anonyme · « **Réponse #18 le:** 12 mai 2022 à 05:33:36 »

Je crois surtout que vous comprenez pas ce que vous êtes entrain de faire :

Vous implémentez sudo pour des utilisateurs auxquels vous donnez des droits de root, sans mot de passe.
Bien joué !!

vivien · « **Réponse #19 le:** 12 mai 2022 à 07:29:59 »

Perso, je limite au maximum l'usage (un seul binaire), pour mon script.

Anonyme · « **Réponse #20 le:** 12 mai 2022 à 12:11:45 »

Et bien t'as intérêt à pas lui donner de shell

Anonyme · « **Réponse #21 le:** 12 mai 2022 à 13:00:04 »

Tiens, cela devrait te sécuriser ton user et ton "tc" ( vgu n'aura plus le droit de rien faire si ce n'est utilisé tc ):

Code: [Sélectionner]

# log in as vgu user
root@machine#
# su -l vgu
vgu@machine ~
# echo >| ~/.profile
# set up a limited PATH
vgu@machine ~
# echo "export PATH=/opt/vgu-bin" >| ~/.profile
vgu@machine ~
# exit
# render the profile dotfile immutable, the vgu user will not be able to truncate/edit it
root@machine ~
#very cool kind of magic command you may need to know
# chattr +i ~vgu/.profile
# change vgu user shell to restricted bash
root@vgu ~
# chsh -s /bin/rbash vgu
# set up the restricted PATH with the only necessary binaries simlinks
root@machine ~
# mkdir -p /opt/vgu-bin
root@machine ~
# for cmd in tc wathever-bin-you-want; do ln -s $(which $cmd) /opt/vgu-bin/;

Anonyme · « **Réponse #22 le:** 16 mai 2022 à 02:21:58 »

Citation de: kgersen le 15 mai 2022 à 20:25:08

quand je parlais de différence entre http/1 et http/2 en téléchargement c'est plus quand on attend les limites des cpu (dans la plupart des implémentations http/2 demande plus de cpu que http/1, hors opti style sendfile + ktls).

Bien !!
OSs That Do Not Support kTLS

The following OSs do not support kTLS, for the indicated reason:
Debian 10 and 11 – Kernel is built with the CONFIG_TLS=n option (see the Debian bug report logs).

Code: [Sélectionner]

root@host:~# lsmod | grep tls
tls                   114688  0
root@host:~# hostnamectl
 Static hostname: host
       Icon name: computer-vm
         Chassis: vm 🖴
      Machine ID: 4dad87426bdc4352bc6fbea1491af9f6
         Boot ID: df4707fb3a624080878e2a56a8edc62e
  Virtualization: kvm
Operating System: Debian GNU/Linux bookworm/sid
          Kernel: Linux 5.17.0-1-cloud-amd64
    Architecture: x86-64
 Hardware Vendor: OpenStack Foundation
  Hardware Model: OpenStack Nova
root@host:~# openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
root@host:~#

Sur lafibre :

Code: [Sélectionner]

CONNECTED(00000005)
OCSP response: no response sent
depth=0 CN = default.lan
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = default.lan
verify return:1
---
Certificate chain
 0 s:/CN=default.lan
   i:/CN=default.lan
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICvDCCAaSgAwIBAgIJAPzjny6GPnVyMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
BAMMC2RlZmF1bHQubGFuMB4XDTE3MDYyMzA5MDIxMVoXDTI3MDYyMTA5MDIxMVow
FjEUMBIGA1UEAwwLZGVmYXVsdC5sYW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCV0a0f9BmcOpjK6mUHXRqqMbcjsDE/86Tw8oiG+merTdU7eptWKUtL
+TQzsKbp09ae/x6+rLjLHzbbGrw5HA7OTiyIJZFnubj4GDrWJbfJk78qzvWWopA9
WBb97kj+okzjLZy3aScTTj1AFYfYJD4xO2SSJ2j28ogudagP9KFI3NPOi6kD4+U4
E1Dy85Sb73/pTuntnob7kd/24UJ3vj8JmldcNGOrK7B5wFbihJ+W/slWMwCnMQHh
/EnO6Eh4kpHk1RIf5gVB4FCXA9fC0NFxjZCQ/7AS1JwxH496a6p3DKP7DUH+jwWV
QNtTLzgIf5fUuh6VrfjiNxya8U7p7dG1AgMBAAGjDTALMAkGA1UdEwQCMAAwDQYJ
KoZIhvcNAQELBQADggEBAG7vvK70eJIMe7JS3FNr7CmcUmTLw7Sxlt3Ik1ZUYtYK
eODBO0IiyRI9fX9a1/qQS9RI+RVnquEWbHny0JGEPRINvd2ZBhBmxSZFKbRA9TVx
SS1/CW0kNZJVQqnUAUctVY/3Tqy6tc0vpLfkREZjyWonoLMPMxaf/r8UO34e6oBP
YYHf52272tCx6XnR0sKystFxAJLSVaMXPL3Sgexifmad8LReAolBHFMs+GU1oJvr
7dNpKq7yqJWKUGBIydtOhZNYDYhgnoFCeNxaJ0E4aE6nAuzJx/Zhm7YF4tRAxD4V
tuYeeZX5F9+J262qeu0tHaH0ADILGSmMnwHY3RYHpJA=
-----END CERTIFICATE-----
subject=/CN=default.lan
issuer=/CN=default.lan
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 1178 bytes and written 298 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7705BAEB66EC8CE4FF5EFD7E056D1EDAA97E13EF4783098EE8AE3AEBBE0B7873
    Session-ID-ctx: 
    Master-Key: 27129C99EA23F282571ED5316A0EE418FF9AA7336E011AAC3B772CEE2483EE0C0466F3645FC0EEF5AC4DAEF8C031DAA3
    Start Time: 1652661436
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---

Le self-signed: default.lan
C'est construit comment ? cela m'intéresse

Chez moi

Code: [Sélectionner]

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = what else ?
verify return:1
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = R3
    Produced At: May 14 21:41:00 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
      Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
      Serial Number: 0357E4753CA1A7230193B6FA84726194205A
    Cert Status: good
    This Update: May 14 21:00:00 2022 GMT
    Next Update: May 21 20:59:58 2022 GMT

    Signature Algorithm: sha256WithRSAEncryption
         87:a0:6f:d0:b9:84:46:a0:0f:c5:29:64:c1:a8:73:1d:af:74:
         a9:88:ec:65:96:15:2c:76:1a:04:36:23:75:db:d4:cd:64:42:
         18:28:87:d3:74:1a:8b:fb:63:e2:f4:71:94:2c:c1:22:3d:5a:
         78:2b:8a:df:2f:d3:77:ef:a7:26:c2:ee:6b:1d:b1:92:53:4f:
         be:25:4a:21:71:d3:c3:8d:fe:a5:07:c0:c9:2e:59:28:b3:02:
         e3:72:d8:41:40:21:28:c1:bf:44:0e:43:fa:9d:70:80:7d:97:
         67:09:b5:66:2c:fb:09:2d:dd:53:3e:74:60:91:99:12:8a:13:
         5c:6f:e3:51:30:86:1e:37:2b:d2:4d:0e:92:c7:cb:b3:d5:30:
         de:f3:13:91:5a:0c:1d:7a:e0:57:98:96:3d:3c:84:34:55:2d:
         52:23:2d:d9:bd:e9:8f:85:0d:a0:13:c2:28:9e:80:68:95:2f:
         08:94:77:34:ae:47:81:5a:96:55:4d:6c:f4:0f:1d:09:33:6a:
         87:d2:94:f5:83:34:00:22:79:dd:b6:09:73:a0:28:da:ff:13:
         62:89:08:37:7d:2e:9a:02:a1:61:cb:63:f0:cf:72:a2:4e:b9:
         79:44:69:75:21:76:a9:1b:dd:8c:03:d2:ba:cb:02:02:14:95:
         92:1e:8c:f3
======================================
---
Certificate chain
 0 s:/CN=what else ?
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFJjCCBA6gAwIBAgISA1fkdTyhpyMBk7b6hHJhlCBaMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjA1MDkyMDQxNDdaFw0yMjA4MDcyMDQxNDZaMBwxGjAYBgNVBAMT
EXd3dy5hbHZhcmluaG8udmluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAtqSUC1vuOXWNjgRepKO4xhtUDuOmmHsITzvtVMSYPue/aSk4G1wNxJmoGusy
l7lIaZ5TxJXfQYZIfuQNPQPikPvRfgSrlkvjz1HTTIivdnEwyYtXjzSSoeTNd7Zp
KNu/XcMIaePGtYJszV9PP3RnzsLwMv9IfhMwrieqYwBfYe0uqujzizypCVNavhj6
Gk3YAvXTmubr1q/Dm8V97IQ1KedU34tQIbJuCkum9LaCGchQ/79/xifWz2aXRBdK
8yrMRf/JQs6GuEqygnkT02mRCiZDbQkJfHv02t+5WM648ZkiNItAgcWFzh7feDLp
Rnt5H7+J3tOz78akNANRJuXcBwIDAQABo4ICSjCCAkYwDgYDVR0PAQH/BAQDAgWg
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0G
A1UdDgQWBBQR0idLa7sardtLDIM7RVNVDODgjDAfBgNVHSMEGDAWgBQULrMXt1hW
y65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6
Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iu
b3JnLzAcBgNVHREEFTATghF3d3cuYWx2YXJpbmhvLnZpbjBMBgNVHSAERTBDMAgG
BmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3Bz
LmxldHNlbmNyeXB0Lm9yZzCCAQIGCisGAQQB1nkCBAIEgfMEgfAA7gB1AN+lXqto
gk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABgKrFbogAAAQDAEYwRAIgE2FA
itQkkA5CMMnyO3Yiqmw6pp77eNjaO5SdlIJqZrUCIH1ug6bcPbFpb4bKnFE1Qgx7
1xxYJDruvofwFTn7I8oFAHUARqVV63X6kSAwtaKJafTzfREsQXS+/Um4havy/HD+
bUcAAAGAqsVurwAABAMARjBEAiA7SRv+xQ5PF3px28r0Ym3deKc8FMQ2d1CU5eca
IBlp5AIgXJCG/kiltVPeIs8X0mcaGivhau1G0Bz3AhLHJYvMfg8wDQYJKoZIhvcN
AQELBQADggEBAKsSzNPgFytWMH+AFLT7Xi8iXHODgUzuR1k9SM4GXksZaxZMrAIR
ruJQolNXSnF/1L3vOHzV/uRI8YPSMibhe3StEX4I25hY7/3wU0MOn5WpE66ISnJq
BfIk7y5L6QUuov8KiA3WCXRmXPq0du9P085M6llhuxw/lV7nkyRRklmRz7p2OVKx
A6W9j0YNXeLWGIblzmPanS6uPXqmXnpNXX2ehjbGerZF03oydMXz+7hkVQPe6HcP
6PvGeY0A34qbguuKUOYYFI5pdfwJeDaBDqSy4UjAZuyEV6JRhGb4GCOVxoCzTPEM
vx8kiwrzbY1a7124IljlO8GSQWI9PtTrGcc=
-----END CERTIFICATE-----
subject=/CN=what else ?
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 5008 bytes and written 298 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: C87AF0ABD7A8CA8BD38B61D8EEFA10BEA8F1F340891F1AF5EBCF48C169DDE507
    Session-ID-ctx: 
    Master-Key: AFBED0F7AA6BD049155568ACC5741F2A1BF922A3A0D7B0C6A854DC93EE9232AEFF059996A1F0B27CDD4F306CF7F0581C
    Start Time: 1652661837
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Hormis "OCSP response" cela répond en 1.2 pour l'instant.

Il a pas aimé :

Code: [Sélectionner]

C0A291EA827F0000:error:8000006F:system library:BIO_connect:Connection refused:crypto/bio/bio_sock2.c:125:calling connect()
C0A291EA827F0000:error:10000067:BIO routines:BIO_connect:connect error:crypto/bio/bio_sock2.c:127:
C0A291EA827F0000:error:8000006F:system library:BIO_connect:Connection refused:crypto/bio/bio_sock2.c:125:calling connect()
C0A291EA827F0000:error:10000067:BIO routines:BIO_connect:connect error:crypto/bio/bio_sock2.c:127:
connect:errno=111

Basculé. Encore quelques optimisations à faire.

Code: [Sélectionner]

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = what else ? 
verify return:1
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = R3
    Produced At: May 15 21:52:00 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
      Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
      Serial Number: 04A59998F20E2B9C3C2E517C0D374C9FA36C
    Cert Status: good
    This Update: May 15 21:00:00 2022 GMT
    Next Update: May 22 20:59:58 2022 GMT

    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        37:77:1c:27:b1:7e:f8:9c:5a:c5:ad:80:2a:4c:04:d5:ec:34:
        dd:65:75:71:fd:5f:88:a8:e6:22:ce:c9:d5:a9:9c:69:06:28:
        b4:c6:d7:15:bc:2c:cd:b4:64:df:8a:c3:d1:a7:24:dc:1d:d4:
        29:f4:8e:e5:7b:15:40:7c:f9:9e:9c:50:96:88:0e:7c:be:57:
        30:9e:5b:ce:c2:c1:d1:c8:fe:85:78:6d:ed:e7:4e:53:9f:17:
        7a:1e:cc:71:29:1c:95:43:81:f8:2c:86:5b:eb:63:ed:bd:78:
        f5:e0:1c:f8:41:f2:f1:9e:bf:bd:bc:7f:7b:b7:b0:e6:a2:27:
        78:29:f7:a8:bc:44:c9:97:f0:2e:f8:f2:b9:c6:3f:87:41:49:
        a9:e0:4a:4a:0e:4e:cb:d0:5b:70:a6:48:21:8f:2a:69:36:5d:
        78:90:ff:24:34:7e:82:c1:79:84:3c:a7:6a:89:cc:98:da:1e:
        38:51:92:27:73:28:f3:8f:f9:d8:35:e2:92:aa:a3:8d:0a:b9:
        7b:95:15:9f:14:c1:a4:d7:5a:cb:54:42:8b:e5:e2:5e:e2:ba:
        e9:93:b1:33:c3:d4:81:bd:7c:36:f3:f0:fa:42:bc:36:ad:37:
        05:89:d6:ff:cc:1f:b4:a7:61:93:31:a4:ab:15:32:e1:6e:ec:
        25:e6:5e:81
======================================
---
Certificate chain
 0 s:CN = what else ?
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 15 20:52:46 2022 GMT; NotAfter: Aug 13 20:52:45 2022 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFIjCCBAqgAwIBAgISBKWZmPIOK5w8LlF8DTdMn6NsMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjA1MTUyMDUyNDZaFw0yMjA4MTMyMDUyNDVaMBkxFzAVBgNVBAMT
Dnd3dy5tYXJxdWVzLmJ6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
zDbu6zRF6LAovmRp2sEwNfAQzznQ7jGcQ27twbgPd/Vp77we2yrXldDgJOeBFUaJ
pLNjr9pnle8f2MjdP44KqK+c12tad6Rl2AMHIb/B5r/iGoZnxggZc/CrJU/s/p9G
zIf+p6tJABVIzi6lUptzpSdAjuVn4JKX9ZR6gv0lLDuhRcS9KtVVuHeHRxlsXq8o
2iSgrUYlTYJjptqbb/xoxXo6EwpipI7HMp+2f2PHiJE2wh25wSK87yvYDaoax+4E
cesM63la/4/lurh9JjaD8S/CuvnJCDUMk/VJRsIIE+4NebWR5bLvIOvoGOV/weAi
HZR3oqYFniIfyGpQojV7cQIDAQABo4ICSTCCAkUwDgYDVR0PAQH/BAQDAgWgMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1Ud
DgQWBBQc3dITXyXB566n6U1sLaP5qItwKTAfBgNVHSMEGDAWgBQULrMXt1hWy65Q
CUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9y
My5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3Jn
LzAZBgNVHREEEjAQgg53d3cubWFycXVlcy5iejBMBgNVHSAERTBDMAgGBmeBDAEC
ATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNl
bmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB1ACl5vvCeOTkh8FZz
n2Old+W+V32cYAr4+U1dJlwlXceEAAABgMm1qCQAAAQDAEYwRAIgTpTqwI4oz01R
UEQ2H9KaNm9YMqafLvw3eZg6JkvzZ3QCIHazCVCFZcbU+aBJOHuVylTvnitJwiL7
5ZvYo+RZjICfAHcA36Veq2iCTx9sre64X04+WurNohKkal6OOxLAIERcKnMAAAGA
ybWqGQAABAMASDBGAiEAoad8H9JVysPtgvboX6QOyNLxN/O62LyNvIBv5blilMsC
IQDSFBu5ziWm2m45sW04TPFSq30MuLIxWakuEXnJAwtrBzANBgkqhkiG9w0BAQsF
AAOCAQEAuGgR+HO05LKLqIKLPEubQ4uZOxfWOhQwNrkM09KYi9UKjKmrd2sKCQcD
d+PoldpOS3Q2a/j8JpxrriVyISH1zgDtqqQuOVxlLDJNprhgWMoZQPHPkA3pDKQt
soVIcq3hTC5dlBWRue8qZYJqndoijzCbwPXt5g7SS2wn7rbeBwL5A2OJH8RMxzVX
HveCIVfV0ohwJAJ8kobBfp5Dn29oDJIYwfP5RXZoDPRMNxdrRq8KqgpdjPmNfi1a
qSGBc8WDOy9/IczbAjouWSrytwx5/tGbcsYmalWRegtOiM41zk0/4CszblI3VHmv
UlTzmXbo209sM/aU9Q8wrGYXc1niEw==
-----END CERTIFICATE-----
subject=CN = what else ?
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5085 bytes and written 337 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: FD427BE368B8D9BF7F3DB632A39F8BF8804B6E3FD05D013E328583A586583A76
    Session-ID-ctx: 
    Resumption PSK: EAEED6872E405A880A833AB5E201830007DEA22E79055E014F7E494E6E2A472900F5E8595AE1DF01124F53BAE2972421
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - a5 37 e1 ab 0c 95 ba 5b-10 bf ba 63 2a 7d 6d 40   .7.....[...c*}m@
    0010 - db 19 ca a7 42 10 68 1a-2a 81 c4 85 07 a1 1b e4   ....B.h.*.......

    Start Time: 1652667916
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 13CFF7F597393AFFF8575350F49F046B1ECA5FCDC7F6163AD5B1CE4874DB46D8
    Session-ID-ctx: 
    Resumption PSK: 483B7189865398E574C6287BB8A530DDB0ABEE295926EA197CB5CCD0843BF477E3FA9CFB3594A191F129DBD5AFCF5F4F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - fc 51 c8 dd e2 61 87 12-27 b5 d6 60 23 20 63 76   .Q...a..'..`# cv
    0010 - ad 88 7c a8 d6 46 31 85-e3 b3 c8 86 44 41 a5 b4   ..|..F1.....DA..

    Start Time: 1652667916
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

vivien · « **Réponse #23 le:** 16 mai 2022 à 08:57:15 »

Citation de: Anonyme le 16 mai 2022 à 02:21:58

Le : default.lan
C'est construit comment ? cela m'intéresse

Si tu interroges mes serveurs sans mettre le bon nom de domaine dans le SNI, je te renvoi une page texte légère (car je suppose que c'est une attaque) et un certificat self-signed.

Tous les navigateurs ayant du SNI depuis plus de 15 ans, je préférè évacuer ce qui me semble du flux non légitime.