SSL Certificate

The quality of our services is closely associated with the degree of security offered by our applications.

All enRoute products (https://enroute.atlassian.net/wiki/spaces/PUBLIC/pages/383287420, https://enroute.atlassian.net/wiki/spaces/PUBLIC/pages/409862145, etc.) are only accessible in a secure way, that is, via HTTPS. This guarantees the confidentiality of the data exchanged between our servers and the browsers or API clients of our customers.

Our services use a single recent, secure certificate, issued by a French certification authority.

Certification authority gandi.net

gandi.net is the SSL certification authority chosen by enRoute.

SSL certificates work on a chain-of-trust principle, from a root certificate held by a certification authority down to the certificate installed on the servers. In this context, Gandi provides us with the certificates to be installed on our servers. Visitors to our sites (or rather their browsers) can automatically download and validate the certificates of the entire chain of trust.

Audit by SSL Labs

SSL Labs can be used to audit the certificate of enRoute servers:

End of support of TLS 1.0 and TLS 1.1

As announced on Jun 12, 2020, all our HTTPS front ends are going to be updated to no longer support the insecure TLS 1.0 and TLS 1.1 protocols.

Operation

An application that respects good practices must therefore be available over an HTTPS connection. This is visible on all our services, in particular through the padlock displayed in the address bar of browsers (Chrome, Firefox, etc.). Users are thereby informed that the content of the site comes from a secure, genuine source.

The security provided by SSL relies on two principles:

  • Information encryption: all the data conveyed is made unintelligible to anyone other than the visitor establishing the connection and the server hosting the website.

  • Authentication: it takes place between a user and the enRoute servers and is necessary to secure data transfers.

Authenticating with a certificate involves creating a pair of digital keys for each website: a private key and a public key.

The private key

It is installed on the enRoute server. It is this key that creates the certification stamp for a website.

The public key

This is the other part of the SSL certificate, which is also installed on the website. It allows visitors to our site to encrypt their information: data is encrypted before being sent. The public key mirrors the private key, and only the latter can decipher the information.

Public key verification

Under normal conditions, the browser (or the HTTP client, in the case of an API) has all the information necessary to verify the certificates used by enRoute (as for all HTTPS sites).

If the browser or the API's HTTP client fails to do so (usually because it runs on an operating system that has not been updated), it is possible to download the elements of the chain manually.

This can be done, for example, by running a simple command line:

$ openssl s_client -showcerts -connect chouette.enroute.mobi:443 -prexit
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2
verify return:1
depth=0 CN = *.enroute.mobi
verify return:1
---
Certificate chain
 0 s:CN = *.enroute.mobi
   i:C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2
 1 s:C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
---
Server certificate
subject=CN = *.enroute.mobi

issuer=C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3482 bytes and written 407 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
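As an added example (not code from the enRoute page or from Gandi), a small Python parser for the output layout shown above: it splits the chain the server sent into its entries, checks that each certificate's issuer is the subject of the next one (the last issuer being the root the client must already trust), checks the leaf CN, including a `*.` wildcard, against the hostname, and reads the final verdict. The sample output and the PEM bodies are constructed placeholders, not real certificates.

```python
import re
# Constructed sample in the layout printed by `openssl s_client -showcerts`:
# "N s:<subject>" / "i:<issuer>" entries each followed by a PEM block (placeholders).
SAMPLE = """\
Certificate chain
 0 s:CN = *.example.test
   i:C = FR, O = Example CA, CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF
-----END CERTIFICATE-----
 1 s:C = FR, O = Example CA, CN = Example Issuing CA
   i:C = US, O = Example Trust, CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE
-----END CERTIFICATE-----
Verify return code: 0 (ok)
"""

ENTRY = re.compile(
    r"^ *(\d+) s:([^\n]*)\n +i:([^\n]*)\n"
    r"(-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)",
    re.M | re.S,
)

def parse_chain(output):
    """Split s_client output into the sent chain, in server order (leaf first)."""
    return [{"depth": int(d), "subject": s.strip(), "issuer": i.strip(), "pem": p}
            for d, s, i, p in ENTRY.findall(output)]

def chain_links(chain):
    """True when each certificate's issuer is the subject of the next one sent.
    The last issuer is a root the client must already trust; it is not sent."""
    return all(chain[n]["issuer"] == chain[n + 1]["subject"]
               for n in range(len(chain) - 1))

def cn_matches(subject, hostname):
    """Match the hostname against the CN, allowing one left-most wildcard label."""
    m = re.search(r"CN = ([^,]+)", subject)
    if not m:
        return False
    cn, host = m.group(1).strip().lower(), hostname.lower()
    if cn.startswith("*."):
        labels = host.split(".")
        return len(labels) > 2 and labels[1:] == cn[2:].split(".")
    return cn == host

def verify_return_code(output):
    """The final verdict openssl prints: 0 means the chain verified."""
    m = re.search(r"^Verify return code: (\d+)", output, re.M)
    return int(m.group(1)) if m else None
```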