kiwix / operations

Kiwix Kubernetes Cluster
http://charts.k8s.kiwix.org/

TLS certificate for tracker.openzim.org seems not delivered #73

Closed kelson42 closed 1 year ago

kelson42 commented 1 year ago
$ openssl s_client -showcerts -connect tracker.openzim.org:6969
CONNECTED(00000003)
40D7ED69E77F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 328 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
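A note on reading the output above: "Verification: OK" and "Verify return code: 0 (ok)" do not mean a valid certificate was seen. openssl s_client reports the verification result of the chain it received, and here no chain was received at all ("no peer certificate available", 0 bytes read), so there was nothing to fail. The handshake died on "unexpected eof", which is what a plaintext service does when it reads a TLS ClientHello. The following script is an added example, not code from the kiwix/k8s project or from opentracker: it tries a TLS handshake with verification disabled (so a self-signed or expired certificate still counts as "TLS offered") and, if no handshake completes, falls back to a plaintext HTTP request for /announce to tell "no TLS on this port" apart from "TLS with a missing or bad certificate". The fake tracker it runs against by default, its 1-second read timeout and its bencoded body are constructed for the demo so that it runs offline.

```python
# Added example (not kiwix/k8s or opentracker code): classify what a TCP port
# speaks so that "no TLS offered" is not mistaken for "certificate not delivered".
import socket
import ssl
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def classify_port(host, port, timeout=5.0):
    """Return a dict describing the service on host:port: tls, plaintext-http,
    unknown, or unreachable."""
    ctx = ssl.create_default_context()
    # Verification is disabled on purpose: a bad certificate must still be
    # reported as "tls"; only the absence of a handshake is something else.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"kind": "unreachable", "error": str(exc)}
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            return {"kind": "tls", "protocol": tls.version(), "cert_der_len": len(der)}
    except OSError as exc:
        # SSLError (wrong version number, unexpected EOF), a reset or a timeout:
        # the peer never completed a TLS handshake. Fall through to plaintext.
        tls_error = f"{type(exc).__name__}: {exc}"

    request = f"GET /announce HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(request.encode("ascii"))
            reply = raw.recv(512)
    except OSError as exc:
        return {"kind": "unreachable", "error": str(exc), "tls_error": tls_error}

    if reply.startswith(b"HTTP/"):
        status_line = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "plaintext-http", "status_line": status_line, "tls_error": tls_error}
    return {"kind": "unknown", "first_bytes": reply[:32], "tls_error": tls_error}


class _FakeTracker(BaseHTTPRequestHandler):
    """Constructed stand-in for a plain-HTTP tracker (not opentracker itself).
    A TLS ClientHello has no newline, so the request-line read would block;
    the 1 s timeout closes that connection, which is the EOF the probe expects."""
    timeout = 1

    def do_GET(self):
        body = b"d14:failure reason19:constructed examplee"  # bencoded dict
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_tracker():
    """Start the fake tracker on a loopback ephemeral port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeTracker)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. python probe.py tracker.openzim.org 6969
        print(classify_port(sys.argv[1], int(sys.argv[2])))
    else:
        server, port = start_fake_tracker()
        try:
            print(classify_port("127.0.0.1", port, timeout=3.0))
        finally:
            server.shutdown()
            server.server_close()
```

Against the fake tracker the result is "plaintext-http" with the TLS error recorded alongside it, which is the same picture the s_client run above gives once the misleading "Verify return code: 0" is discounted. Run it with a host and port to probe a real tracker.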
rgaudin commented 1 year ago

I believe opentracker doesn't support SSL/TLS:

Remember this is an old project that received limited updates 18 months ago

Closing as not supported

kelson42 commented 1 year ago

Just a moment, shouldn't the TLS be handled by the reverse proxy? If it is not possible to handle https, we should handle http and update the mirrorbrain configuration.

rgaudin commented 1 year ago

There is no reverse proxy. Port 6969 is exposed directly on both UDP and TCP.

The tracker speaks HTTP, so we could add an nginx in the image and configure HTTPS proxying, but we'd have to take care of the certificate handling ourselves, and it would only work on TCP, leaving UDP for opentracker. https://nginx.org/en/docs/http/ngx_http_core_module.html#listen

That all seems like a lot of trouble. Is there an alternative to opentracker ?

kelson42 commented 1 year ago

@rgaudin Please just make sure that Mirrorbrain delivers links using http instead of https and we will be good.

rgaudin commented 1 year ago

Done in https://github.com/kiwix/k8s/commit/bfe9bf61bb1aaa27a42249af0944d71badbc31b2