Bugtracker Freebox :: Tous les projets: Liste des tâches

	ID	Projet	Ouverte	Type	Catégorie	État	Résumé
	~~21728~~	Freebox Server (Ultra V9/ Pop V8/ Delta V7 / Revolution V6 / Mini 4K)	26/08/2017	Anomalie	Serveur VPN	Fermée	~~Le serveur VPN utilise un certificat expiré~~	Description de la tâche Lors des tentatives d’établissement du VPN par un client, le serveur Freebox transmet un certificat Let’s Encrypt expiré. Voici les logs prises sur le client Strongswan: initiating IKE_SA vpn-freebox[1] to xx.xx.xx.xx generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ] sending packet: from 192.168.0.15[500] to xx.xx.xx.xx[500] (724 bytes) received packet: from xx.xx.xx.xx[500] to 192.168.0.15[500] (456 bytes) parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ] remote host is behind NAT sending cert request for “C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3” sending cert request for “C=US, O=Internet Security Research Group, CN=ISRG Root X1” sending cert request for “C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3” no IDi configured, fall back on IP address establishing CHILD_SA vpn-freebox generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ] sending packet: from 192.168.0.15[4500] to xx.xx.xx.xx[4500] (428 bytes) retransmit 1 of request with message ID 1 sending packet: from 192.168.0.15[4500] to xx.xx.xx.xx[4500] (428 bytes) retransmit 2 of request with message ID 1 sending packet: from 192.168.0.15[4500] to xx.xx.xx.xx[4500] (428 bytes) retransmit 3 of request with message ID 1 sending packet: from 192.168.0.15[4500] to xx.xx.xx.xx[4500] (428 bytes) received packet: from xx.xx.xx.xx[4500] to 192.168.0.15[4500] (2860 bytes) parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ] received end entity cert “CN=xxx.freeboxos.fr” received issuer cert “C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3” using certificate "CN=xxx.freeboxos.fr" using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" subject certificate invalid (valid from May 20 10:11:00 2017 to Aug 18 10:11:00 2017) no trusted RSA public key found for ‘xxx.freeboxos.fr’ generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ] sending packet: from 192.168.0.15[4500] to 83.152.214.136[4500] (76 bytes) establishing connection ‘vpn-freebox’ failed Résultat de la commande ipsec listcerts: List of X.509 End Entity Certificates: altNames: xxx.freeboxos.fr subject: "CN=xxx.freeboxos.fr" issuer: "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" serial: 03:4c:98:fc:74:89:7b:80:14:d0:ff:b9:6d:fb:29:4a:ef:09 validity: not before May 20 10:11:00 2017, ok not after Aug 18 10:11:00 2017, expired (8 days ago) pubkey: RSA 2048 bits keyid: 3b:ba:bf:89:77:da:38:1e:c9:0e:d6:14:75:2a:89:ad:15:3f:78:f1 subjkey: 27:fd:76:44:4c:f2:2a:72:17:15:20:d7:b2:6b:c0:a7:b2:ed:d3:9d authkey: a8:4a:6a:63:04:7d:dd:ba:e6:d1:39:b7:a6:45:65:ef:f3:a8:ec:a1 Par ailleurs, sur l’interface web du serveur freebox, page “Nom de domaine personnalisé”, il est indiqué que le certificat est valide et expirera dans 68 jours. Existe-t-il une méthode pour forcer la mise d’un certificat Let’s Encrypt? Pourquoi y a-t-il une désynchronisation entre le certificat réellement utilisé et les indications de validité sur la page web d’administration?
	~~30288~~	Freebox Server (Ultra V9/ Pop V8/ Delta V7 / Revolution V6 / Mini 4K)	22/03/2020	Évolution	SMB	Fermée	~~Version ancienne de SAMBA~~	Description de la tâche Bonjour, Pourquoi la version du serveur SAMBA utilisé est-elle si ancienne? Lu dans les “Mentions légales” des paramètres Freebox: SAMBA v3.0.37 Lu sur le site web de samba.org: Samba 3.0.37 Available for Download ============================== Release Notes for Samba 3.0.37 October, 1 2009 ============================== This is a security release in order to address CVE-2009-2813, CVE-2009-2948 and CVE-2009-2906. Please note that Samba 3.0 is not maintained any longer. This security release is shipped on a voluntary basis. Cette version qui utilise le protocole SMB1 est de moins en moins supportée par les clients SAMBA. Merci de votre compréhension. Cordialement

État

Résumé

~~21728~~

Freebox Server (Ultra V9/ Pop V8/ Delta V7 / Revolution V6 / Mini 4K)

26/08/2017

Anomalie

Serveur VPN

Fermée

~~Le serveur VPN utilise un certificat expiré~~

Description de la tâche

Lors des tentatives d’établissement du VPN par un client, le serveur Freebox transmet un certificat Let’s Encrypt expiré.
Voici les logs prises sur le client Strongswan:

initiating IKE_SA vpn-freebox[1] to xx.xx.xx.xx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.0.15[500] to xx.xx.xx.xx[500] (724 bytes)
received packet: from xx.xx.xx.xx[500] to 192.168.0.15[500] (456 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
remote host is behind NAT
sending cert request for “C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3” sending cert request for “C=US, O=Internet Security Research Group, CN=ISRG Root X1” sending cert request for “C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3” no IDi configured, fall back on IP address
establishing CHILD_SA vpn-freebox
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.0.15[4500] to xx.xx.xx.xx[4500] (428 bytes)
retransmit 1 of request with message ID 1
sending packet: from 192.168.0.15[4500] to xx.xx.xx.xx[4500] (428 bytes)
retransmit 2 of request with message ID 1
sending packet: from 192.168.0.15[4500] to xx.xx.xx.xx[4500] (428 bytes)
retransmit 3 of request with message ID 1
sending packet: from 192.168.0.15[4500] to xx.xx.xx.xx[4500] (428 bytes)
received packet: from xx.xx.xx.xx[4500] to 192.168.0.15[4500] (2860 bytes)
parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
received end entity cert “CN=xxx.freeboxos.fr” received issuer cert “C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3”

using certificate "CN=xxx.freeboxos.fr"
using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"

subject certificate invalid (valid from May 20 10:11:00 2017 to Aug 18 10:11:00 2017)
no trusted RSA public key found for ‘xxx.freeboxos.fr’ generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 192.168.0.15[4500] to 83.152.214.136[4500] (76 bytes)
establishing connection ‘vpn-freebox’ failed

Résultat de la commande ipsec listcerts:

List of X.509 End Entity Certificates:

  altNames:  xxx.freeboxos.fr
  subject:  "CN=xxx.freeboxos.fr"
  issuer:   "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
  serial:    03:4c:98:fc:74:89:7b:80:14:d0:ff:b9:6d:fb:29:4a:ef:09
  validity:  not before May 20 10:11:00 2017, ok
             not after  Aug 18 10:11:00 2017, expired (8 days ago)
  pubkey:    RSA 2048 bits
  keyid:     3b:ba:bf:89:77:da:38:1e:c9:0e:d6:14:75:2a:89:ad:15:3f:78:f1
  subjkey:   27:fd:76:44:4c:f2:2a:72:17:15:20:d7:b2:6b:c0:a7:b2:ed:d3:9d
  authkey:   a8:4a:6a:63:04:7d:dd:ba:e6:d1:39:b7:a6:45:65:ef:f3:a8:ec:a1

Par ailleurs, sur l’interface web du serveur freebox, page “Nom de domaine personnalisé”, il est indiqué que le certificat est valide et expirera dans 68 jours.
Existe-t-il une méthode pour forcer la mise d’un certificat Let’s Encrypt?
Pourquoi y a-t-il une désynchronisation entre le certificat réellement utilisé et les indications de validité sur la page web d’administration?

~~30288~~

Freebox Server (Ultra V9/ Pop V8/ Delta V7 / Revolution V6 / Mini 4K)

22/03/2020

Évolution

SMB

Fermée

~~Version ancienne de SAMBA~~

Description de la tâche

Bonjour,

Pourquoi la version du serveur SAMBA utilisé est-elle si ancienne?

Lu dans les “Mentions légales” des paramètres Freebox: SAMBA v3.0.37

Lu sur le site web de samba.org:

Samba 3.0.37 Available for Download

                 ==============================
                 Release Notes for Samba 3.0.37
                        October, 1 2009
                 ==============================

This is a security release in order to address CVE-2009-2813, CVE-2009-2948
and CVE-2009-2906.
Please note that Samba 3.0 is not maintained any longer. This security
release is shipped on a voluntary basis.

Cette version qui utilise le protocole SMB1 est de moins en moins supportée par les clients SAMBA.

Merci de votre compréhension.

Cordialement

Tâches 1 - 2 sur 2 Page 1 sur 1

Tous les projets

Activer les raccourcis clavier

Liste des tâches

Détails de la tâche

Édition de la tâche