First of all, thanks a lot for opening the local connection possibilities. This is amazing! 😃
I noticed that the SSL certificate configured in the local web server on port 8443 has the CN set to XXXX-XXXX-XXXX.local. The mDNS hostname used to reach the box however is gateway-XXXX-XXXX-XXXX.local. This leads to an SSL verification failure "Certificate subject name does not match target host name".
Would it be possible to fix the CN in one of the next firmware updates?
Steps to reproduce:
$ curl https://gateway-XXXX-XXXX-XXXX.local:8443 --verbose --cacert overkiz-root-ca-2048.crt
* Trying 10.0.1.176:8443...
* TCP_NODELAY set
* Connected to gateway-XXXX-XXXX-XXXX.local (10.0.1.176) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: overkiz-root-ca-2048.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: O=Overkiz; OU=Overkiz Device Server; CN=XXXX-XXXX-XXXX.local
* start date: Sep 25 17:05:28 2019 GMT
* expire date: Sep 22 17:05:28 2029 GMT
* SSL: certificate subject name 'XXXX-XXXX-XXXX.local' does not match target host name 'gateway-XXXX-XXXX-XXXX.local'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: certificate subject name 'XXXX-XXXX-XXXX.local' does not match target host name 'gateway-XXXX-XXXX-XXXX.local'
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
A workaround for curl would be to add a redirect:
Expected result:
Being able to pass certificate verification without workarounds.
Environment:
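
Added example, not part of the original report and not Overkiz code: a Python client that leaves chain and hostname verification on by opening the TCP connection to the mDNS name while checking the certificate against the CN it actually carries. It assumes the `gateway-` prefix is the only difference between the two names, as in the report, and that the certificate has no subjectAltName so the CN is what gets matched; `cert_name_for`, `strict_context` and `connect_pinned` are hypothetical names.

```python
import socket
import ssl

GATEWAY_PREFIX = "gateway-"  # assumption from the report: mDNS name = prefix + CN


def cert_name_for(mdns_host: str) -> str:
    """Map the mDNS hostname to the name the certificate is issued for."""
    if not (mdns_host.startswith(GATEWAY_PREFIX) and mdns_host.endswith(".local")):
        raise ValueError(f"unexpected gateway hostname: {mdns_host!r}")
    return mdns_host[len(GATEWAY_PREFIX):]


def strict_context(cafile=None) -> ssl.SSLContext:
    """TLS context with chain validation and hostname checking both enabled."""
    # With cafile set, only that CA is trusted (no system store is loaded).
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def connect_pinned(mdns_host, port=8443, cafile="overkiz-root-ca-2048.crt",
                   timeout=5.0) -> ssl.SSLSocket:
    """Connect to the mDNS name, verify the certificate against its own CN."""
    expected = cert_name_for(mdns_host)
    ctx = strict_context(cafile)
    raw = socket.create_connection((mdns_host, port), timeout=timeout)
    try:
        # server_hostname sets SNI and is the name the certificate must match.
        # A CN-only certificate matches only while the context's
        # hostname_checks_common_name stays at its default (True).
        return ctx.wrap_socket(raw, server_hostname=expected)
    except Exception:
        raw.close()
        raise


if __name__ == "__main__":
    # Placeholder hostname from the report; substitute the real gateway PIN.
    with connect_pinned("gateway-XXXX-XXXX-XXXX.local") as tls:
        print(tls.version(), tls.getpeercert()["subject"])
```

A handshake failure here still means something: an untrusted chain or a certificate issued for a different gateway raises `ssl.SSLCertVerificationError` instead of being silently accepted.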