📚 Improved SSL configuration and fix for browser compatibility in backend modules. 🌐🔒

2025-06-10 10:54:05 +02:00
parent a303624798
commit f21666e264
5 changed files with 938 additions and 1 deletions
--- a/backend/ssl_fix.py
+++ b/backend/ssl_fix.py
@ -0,0 +1,221 @@
+#!/usr/bin/env python3
+"""
+SSL Fix Tool für MYP Platform - ERR_SSL_KEY_USAGE_INCOMPATIBLE Lösung
+Behebt Browser-SSL-Kompatibilitätsprobleme durch Neugenerierung korrekter Zertifikate
+"""
+
+import os
+import subprocess
+import shutil
+from pathlib import Path
+
+def create_browser_compatible_ssl():
+    """Erstellt browser-kompatible SSL-Zertifikate für MYP"""
+    
+    print("🔧 SSL BROWSER-KOMPATIBILITÄTS-FIX")
+    print("=" * 50)
+    
+    # Basis-Verzeichnis
+    app_dir = Path.cwd()
+    ssl_dir = app_dir / "ssl"
+    
+    # Erstelle SSL-Verzeichnis
+    ssl_dir.mkdir(exist_ok=True)
+    
+    cert_path = ssl_dir / "cert.pem"
+    key_path = ssl_dir / "key.pem"
+    config_path = ssl_dir / "openssl_fix.conf"
+    
+    print(f"📁 SSL-Verzeichnis: {ssl_dir}")
+    
+    # Browser-kompatible OpenSSL-Konfiguration
+    openssl_config = """[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = DE
+ST = Baden-Wuerttemberg
+L = Stuttgart
+O = Mercedes-Benz AG
+OU = MYP Druckerverwaltung
+CN = m040tbaraspi001
+
+[v3_req]
+# Basic Constraints - KRITISCH für Browser
+basicConstraints = critical, CA:FALSE
+
+# Key Usage - KRITISCH für Browser-Kompatibilität
+keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
+
+# Extended Key Usage - TLS Server Authentication
+extendedKeyUsage = critical, serverAuth, clientAuth
+
+# Subject Alternative Names - Alle Domains/IPs
+subjectAltName = critical, @alt_names
+
+# Netscape Legacy-Kompatibilität
+nsCertType = server
+
+# Identifikations-Kommentar
+nsComment = "MYP SSL Fix - ERR_SSL_KEY_USAGE_INCOMPATIBLE Lösung"
+
+[alt_names]
+DNS.1 = localhost
+DNS.2 = *.localhost
+DNS.3 = m040tbaraspi001
+DNS.4 = m040tbaraspi001.local
+DNS.5 = m040tbaraspi001.de040.corpintra.net
+DNS.6 = *.de040.corpintra.net
+IP.1 = 127.0.0.1
+IP.2 = ::1
+IP.3 = 0.0.0.0
+"""
+    
+    # Schreibe OpenSSL-Konfiguration
+    with open(config_path, 'w') as f:
+        f.write(openssl_config)
+    
+    print("📝 OpenSSL-Konfiguration erstellt")
+    
+    try:
+        # Backup existierender Zertifikate
+        if cert_path.exists():
+            backup_cert = ssl_dir / f"cert_backup_{os.getpid()}.pem"
+            backup_key = ssl_dir / f"key_backup_{os.getpid()}.pem"
+            shutil.copy2(cert_path, backup_cert)
+            shutil.copy2(key_path, backup_key)
+            print(f"💾 Backup erstellt: {backup_cert}")
+        
+        # Private Key generieren
+        print("🔑 Generiere Private Key...")
+        key_cmd = [
+            "openssl", "genrsa",
+            "-out", str(key_path),
+            "2048"
+        ]
+        
+        result = subprocess.run(key_cmd, capture_output=True, text=True)
+        if result.returncode != 0:
+            raise Exception(f"Private Key Generierung fehlgeschlagen: {result.stderr}")
+        
+        print("✅ Private Key generiert")
+        
+        # Browser-kompatibles Zertifikat erstellen
+        print("📜 Generiere browser-kompatibles Zertifikat...")
+        cert_cmd = [
+            "openssl", "req",
+            "-new", "-x509",
+            "-key", str(key_path),
+            "-out", str(cert_path),
+            "-days", "365",
+            "-config", str(config_path),
+            "-extensions", "v3_req",
+            "-sha256"
+        ]
+        
+        result = subprocess.run(cert_cmd, capture_output=True, text=True)
+        if result.returncode != 0:
+            raise Exception(f"Zertifikat-Generierung fehlgeschlagen: {result.stderr}")
+        
+        print("✅ Browser-kompatibles Zertifikat generiert")
+        
+        # Berechtigungen setzen
+        os.chmod(key_path, 0o600)  # Nur Owner kann lesen
+        os.chmod(cert_path, 0o644)  # Alle können lesen
+        
+        print("🔒 Berechtigungen gesetzt")
+        
+        # Validierung
+        print("🔍 Validiere Zertifikat...")
+        
+        # Prüfe Key Usage Extensions
+        check_cmd = ["openssl", "x509", "-in", str(cert_path), "-noout", "-text"]
+        result = subprocess.run(check_cmd, capture_output=True, text=True)
+        
+        if result.returncode == 0:
+            cert_text = result.stdout
+            
+            # Browser-Kompatibilitäts-Checks
+            checks = {
+                "Digital Signature": "Digital Signature" in cert_text,
+                "Key Encipherment": "Key Encipherment" in cert_text,
+                "TLS Web Server Authentication": "TLS Web Server Authentication" in cert_text,
+                "Subject Alternative Name": "Subject Alternative Name" in cert_text,
+                "CA:FALSE": "CA:FALSE" in cert_text,
+                "SHA-256": "sha256WithRSAEncryption" in cert_text
+            }
+            
+            print("\n📋 BROWSER-KOMPATIBILITÄTS-PRÜFUNG:")
+            all_passed = True
+            for check_name, passed in checks.items():
+                status = "✅" if passed else "❌"
+                print(f"  {status} {check_name}")
+                if not passed:
+                    all_passed = False
+            
+            if all_passed:
+                print("\n🎉 ALLE BROWSER-KOMPATIBILITÄTS-CHECKS BESTANDEN!")
+            else:
+                print("\n⚠️ Einige Checks fehlgeschlagen - Zertifikat kann trotzdem funktionieren")
+        
+        # Aufräumen
+        config_path.unlink(missing_ok=True)
+        
+        print(f"\n📊 ERGEBNIS:")
+        print(f"  📄 Zertifikat: {cert_path}")
+        print(f"  🔑 Private Key: {key_path}")
+        print(f"  📅 Gültig bis: {365} Tage")
+        
+        print(f"\n🌐 NÄCHSTE SCHRITTE:")
+        print(f"  1. Browser-Cache leeren (Strg+Shift+Del)")
+        print(f"  2. MYP-Anwendung neu starten")
+        print(f"  3. https://localhost:5000 aufrufen")
+        print(f"  4. Bei SSL-Warnung: 'Erweitert' → 'Weiter zu localhost (unsicher)'")
+        
+        return True
+        
+    except Exception as e:
+        print(f"❌ FEHLER: {e}")
+        return False
+
+def check_openssl():
+    """Prüft ob OpenSSL verfügbar ist"""
+    try:
+        result = subprocess.run(["openssl", "version"], capture_output=True, text=True)
+        if result.returncode == 0:
+            print(f"✅ OpenSSL verfügbar: {result.stdout.strip()}")
+            return True
+        else:
+            print("❌ OpenSSL nicht verfügbar")
+            return False
+    except FileNotFoundError:
+        print("❌ OpenSSL nicht installiert")
+        print("💡 Installiere mit: sudo apt install openssl")
+        return False
+
+def main():
+    """Hauptfunktion"""
+    print("🔧 MYP SSL BROWSER-KOMPATIBILITÄTS-FIX")
+    print("Löst ERR_SSL_KEY_USAGE_INCOMPATIBLE Fehler")
+    print("=" * 60)
+    
+    # Prüfe OpenSSL
+    if not check_openssl():
+        return False
+    
+    # Erstelle browser-kompatible Zertifikate
+    success = create_browser_compatible_ssl()
+    
+    if success:
+        print("\n✅ SSL-Fix erfolgreich abgeschlossen!")
+        print("🌐 Browser-Fehler ERR_SSL_KEY_USAGE_INCOMPATIBLE sollte behoben sein.")
+    else:
+        print("\n❌ SSL-Fix fehlgeschlagen!")
+        print("📞 Prüfe COMMON_ERRORS.md für weitere Hilfe.")
+    
+    return success
+
+if __name__ == "__main__":
+    main()