Curl does not respect --insecure option? (wolfSSL)

wget is also not working?

wget --no-check-certificate https://127.0.0.1
Downloading 'https://127.0.0.1'
Connecting to 127.0.0.1:443
Connection error: Connection failed
wget --no-check-certificate -O- https://localhost/
1 Like

Is there anything listening?
netstat -lnp | grep 443

1 Like
root@OpenWrt:~# netstat -lnp | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1592/uhttpd
tcp        0      0 :::443                  :::*                    LISTEN      1592/uhttpd

From my normal libopenssl PC it works. :wink:

curl --insecure https://10.0.0.3
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
<meta http-equiv="refresh" content="0; URL=cgi-bin/luci/" />
</head>
<body style="background-color: white">
<a style="color: black; font-family: arial, helvetica, sans-serif;" href="cgi-bin/luci/">LuCI - Lua Configuration Interface</a>
</body>
</html>
1 Like
root@OpenWrt:~# uclient-fetch --no-check-certificate -O- https://localhost/
Downloading 'https://localhost/'
Connecting to ::1:443
Connection error: Connection failed

I think switching back to mbedtls would work.

1 Like

If I create the certificate with

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.crt -subj "/CN=example.com"

it works.

@jow can you maybe say something to this as pkg maintainer of the tool that generates the keys?

1 Like

My OpenWrt builds are OpenSSL based, and curl, wget and uclient-fetch all succeed with the above examples. So this issue seems to be specific to wolfssl.

 OpenWrt SNAPSHOT, r15618-56c20f0a5a
 -----------------------------------------------------

root@router1:~# curl -I --insecure https://127.0.0.1
HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=20
ETag: "a06-20a-60104774"
Last-Modified: Tue, 26 Jan 2021 16:46:44 GMT
Date: Tue, 26 Jan 2021 18:50:26 GMT
Content-Type: text/html
Content-Length: 522

root@router1:~# wget --no-check-certificate https://127.0.0.1
--2021-01-26 20:49:59--  https://127.0.0.1/
Connecting to 127.0.0.1:443... connected.
WARNING: cannot verify 127.0.0.1's certificate, issued by 'CN=OpenWrt,O=OpenWrt3c77dc87,L=Unknown,ST=Somewhere,C=ZZ':
  Self-signed certificate encountered.
    WARNING: certificate common name 'OpenWrt' doesn't match requested host name '127.0.0.1'.
HTTP request sent, awaiting response... 200 OK
Length: 522 [text/html]
Saving to: 'index.html'
index.html                  100%[==========================================>]     522  --.-KB/s in 0s
2021-01-26 20:49:59 (7.12 MB/s) - 'index.html' saved [522/522]

root@router1:~# uclient-fetch --no-check-certificate -O- https://localhost/
Downloading 'https://localhost/'
Connecting to ::1:443
Writing to stdout
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
<meta http-equiv="refresh" content="0; URL=cgi-bin/luci/" />
</head>
<body style="background-color: white">
<a style="color: black; font-family: arial, helvetica, sans-serif;" href="cgi-bin/luci/">LuCI - Lua Configuration Interface</a>
</body>
</html>
-                    100% |*******************************|   522   0:00:00 ETA
Download completed (522 bytes)
2 Likes

Just to be sure, could you give me a crt and key file, so I can try?

I sent them to you by email.

Quite normal automatically generated keys for uhttpd, but naturally using the OPENSSL_BIN option line, not the px5g version.

(these seem to have been generated 3 weeks ago. Current default in master is the elliptic curve, so this is a P-256 key (not RSA))

root@router1:/etc# openssl x509 -text -noout -inform der -in /etc/uhttpd.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
1a:8a:7b:92:a3:f8...
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = ZZ, ST = Somewhere, L = Unknown, O = OpenWrt3c77dc87, CN = OpenWrt
        Validity
            Not Before: Jan  6 07:11:51 2021 GMT
            Not After : Jan  6 07:11:51 2023 GMT
        Subject: C = ZZ, ST = Somewhere, L = Unknown, O = OpenWrt3c77dc87, CN = OpenWrt
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:e3:c2:74:a...
                    d4:ec:95:94:af
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Key Identifier:
3A:34:99:4A:6...
            X509v3 Authority Key Identifier:
keyid:3A:34:99:4...

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02...
1 Like

Your certificates work! :slight_smile:

So the issue should be (or wolfssl since openssl is working...)

I was wrong. The maintainer is @aparcar . :wink:

3 Likes

Looking at the wolfssl sources, the explanation for that error is:

case ASN_SIG_OID_E :
return "ASN signature error, mismatched oid";
Returned if the signature encryption type is not the same as the encryption type of the certificate in the provided file

In my openssl-generated key, both the cert and signature are made with the same crypto algorithm:

        Signature Algorithm: ecdsa-with-SHA256
...
    Signature Algorithm: ecdsa-with-SHA256

While in your example (in the curl GitHub issue), the cert is RSA sha1 and the signature is elliptic:

        Signature Algorithm: sha1WithRSAEncryption
...
    Signature Algorithm: ecdsa-with-SHA256

2 Likes

If you follow through the code aparcar wrote, it looks correct... But I'm kind of tired and just looked at whether the type and signature are correct. I think I need to add more debug output on what is happening. But I also tried RSA and that did not work either.

Basically this:

Doing only RSA is also not working? :confused: (created with px5g-wolfssl).

Here again are different algorithms:

Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3d:e1:a8:a9:31:e0:5e:a1:5f:00:9b:e8:49:f0:88:56
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = ZZ, ST = Somewhere, L = Unknown, O = OpenWrtc973989d, CN = OpenWrt
        Validity
            Not Before: Jan 25 21:15:51 2021 GMT
            Not After : Jan 26 21:15:51 2023 GMT
        Subject: C = ZZ, ST = Somewhere, L = Unknown, O = OpenWrtc973989d, CN = OpenWrt
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b5:98:65:b9:c5:5f:98:0e:6e:16:98:b0:09:b8:
                    4e:39:a2:d2:91:c9:8a:40:90:43:fa:3e:9f:17:2e:
                    a7:b4:30:ba:41:fc:80:4c:cc:24:d4:86:22:8d:ed:
                    af:5a:69:aa:fa:0e:cc:5b:ac:09:d9:c6:51:62:6f:
                    db:cf:41:82:19:81:d9:e3:ed:d1:ae:0c:6c:c5:a0:
                    54:9c:c4:0f:b7:2f:13:f4:29:1d:87:55:6d:4a:f4:
                    44:a3:81:26:93:df:bb:12:ef:07:5e:b3:67:85:68:
                    5d:11:07:b7:b1:f1:24:71:0b:dd:83:c4:3c:40:5f:
                    8e:65:ca:86:af:b7:8b:73:96:43:64:72:3b:df:bc:
                    3b:3c:30:db:b7:43:16:08:f4:68:87:20:e5:56:49:
                    16:6e:77:1b:b5:5f:57:97:bf:0d:85:db:7a:14:a6:
                    b2:eb:ff:16:b9:3f:8c:59:20:c6:4b:00:80:ca:f2:
                    77:c8:26:d0:bb:8a:04:72:59:7b:cc:9b:32:31:fc:
                    7c:c7:ff:fd:73:d2:11:99:c9:0c:8e:40:76:cd:b2:
                    66:af:2a:ea:b3:68:b3:cd:f4:cc:53:9b:db:5a:ba:
                    2d:93:96:db:3c:c8:8c:30:9d:3f:5d:c7:24:3c:c0:
                    9f:d4:9c:e8:82:28:48:99:ce:48:f9:fa:d9:09:3c:
                    38:0b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         48:16:5c:28:ae:67:7b:54:09:a1:45:3d:dd:e6:70:53:a6:9f:
         b0:25:a9:fe:25:d8:8b:b4:6c:17:22:ba:8e:d2:a0:82:f7:80:
         70:7c:a2:f8:de:1a:fc:91:af:c1:eb:de:98:6c:d1:92:ed:a8:
         c0:88:08:2d:b2:17:9c:ce:04:0e:24:7f:71:c0:29:c5:60:a3:
         db:e4:81:6b:28:1f:0a:51:5a:31:10:51:aa:1f:d8:80:db:af:
         4d:fb:26:32:90:37:67:7d:56:32:2e:de:87:b2:4c:56:ff:46:
         b0:57:10:d4:25:26:2b:f9:2d:f4:7f:79:40:87:6b:cc:6c:ac:
         41:0e:9d:27:17:bd:62:bc:ba:f9:24:b2:52:a0:4d:ce:f1:63:
         ab:f3:3b:ff:4b:25:6f:cc:fb:74:79:7c:cb:ff:94:15:8a:9f:
         4b:18:06:33:fe:63:28:f4:32:03:3c:e3:27:64:b3:b6:0d:77:
         b5:a4:7a:58:b7:04:c8:69:24:e4:e2:c9:d2:a0:91:45:66:7d:
         31:c4:70:56:d4:cb:69:22:09:75:78:99:49:69:d4:bf:3c:7b:
         d3:67:e7:59:a7:de:3f:80:60:ed:13:25:1f:ad:27:7c:98:ee:
         1e:53:a3:50:f5:62:b9:f1:d8:0c:e3:12:2b:0e:3f:dd:5f:36:
         1d:1a:43:59
config cert 'defaults'
	option days '730'
	option key_type 'rsa'
	option bits '2048'
	option ec_curve 'P-256'
	option country 'ZZ'
	option state 'Somewhere'
	option location 'Unknown'
	option commonname 'OpenWrt'

Well, the wolfssl docs hint that the first function, called before your extract, on line 137, "wc_InitCert", always initialises it to RSA:

initializes a default cert, with the default options:
version = 3 (0x2), serial = 0, sigType = SHA_WITH_RSA,

I have not tried to follow the upstream source to see if that gets overwritten later, but that might be at least one explanation why your cert showed the first sha1WithRSAEncryption.

1 Like
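The OID comparison discussed in the two posts above (the ASN_SIG_OID_E explanation and the wc_InitCert default), as an added example that is not part of this thread, of px5g-wolfssl or of wolfSSL: a small pure-Python DER reader that pulls out TBSCertificate.signature and Certificate.signatureAlgorithm and reports whether they agree. RFC 5280 section 4.1.1.2 requires the two AlgorithmIdentifiers to be identical, which is the property wolfSSL enforces when it returns ASN_SIG_OID_E. The sample inputs are constructed certificate skeletons containing only the fields the checker reads (not real, verifiable certificates), and the OID table covers only the three algorithms that appear in the dumps posted in this thread.

```python
"""Compare the two AlgorithmIdentifiers in a DER X.509 certificate.
RFC 5280 4.1.1.2: Certificate.signatureAlgorithm must equal TBSCertificate.signature.
Added example for this thread; not px5g-wolfssl or wolfSSL code."""
from __future__ import annotations

OID_SHA1_RSA = "1.2.840.113549.1.1.5"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
OID_ECDSA_SHA256 = "1.2.840.10045.4.3.2"
OID_NAMES = {  # only the algorithms that appear in the thread's dumps
    OID_SHA1_RSA: "sha1WithRSAEncryption",
    OID_SHA256_RSA: "sha256WithRSAEncryption",
    OID_ECDSA_SHA256: "ecdsa-with-SHA256",
}

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one DER TLV at pos; return (tag, contents, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(contents: bytes) -> list[tuple[int, bytes]]:
    """Split a constructed element's contents into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = _read_tlv(contents, pos)
        out.append((tag, val))
    return out

def _decode_oid(body: bytes) -> str:
    """OBJECT IDENTIFIER contents octets -> dotted string."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_oids(cert_der: bytes) -> tuple[str, str]:
    """Return (TBSCertificate.signature OID, Certificate.signatureAlgorithm OID)."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; PEM input must be base64-decoded first")
    tbs, outer_alg, _sig_bits = _children(cert)[:3]
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:  # optional explicit [0] version precedes serialNumber
        fields = fields[1:]
    inner_alg = fields[1]     # fields[0] is serialNumber
    inner_oid = _decode_oid(_children(inner_alg[1])[0][1])
    outer_oid = _decode_oid(_children(outer_alg[1])[0][1])
    return inner_oid, outer_oid

def check_consistent(cert_der: bytes) -> bool:
    """True when both AlgorithmIdentifiers carry the same OID (what wolfSSL demands)."""
    inner, outer = signature_oids(cert_der)
    return inner == outer

# --- constructed sample input: hypothetical skeletons, not valid certificates ---
def _tlv(tag: int, contents: bytes) -> bytes:
    """Minimal DER encoder for the samples (lengths below 256 only)."""
    n = len(contents)
    return bytes([tag, n] if n < 0x80 else [tag, 0x81, n]) + contents

def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append((arc & 0x7F) | 0x80)
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)

def sample_cert(inner_oid: str, outer_oid: str) -> bytes:
    """Certificate skeleton with only the fields the checker reads; the
    signatureValue is a dummy BIT STRING, so this never verifies anywhere."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))        # [0] version v3
           + _tlv(0x02, b"\x01")                  # serialNumber 1
           + _tlv(0x30, _encode_oid(inner_oid)))  # TBSCertificate.signature
    return _tlv(0x30, _tlv(0x30, tbs)
                + _tlv(0x30, _encode_oid(outer_oid))  # Certificate.signatureAlgorithm
                + _tlv(0x03, b"\x00" * 9))            # dummy signatureValue

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # a real DER file, e.g. /etc/uhttpd.crt on OpenWrt
        certs = [(sys.argv[1], open(sys.argv[1], "rb").read())]
    else:  # the three shapes seen in the thread's dumps
        certs = [("openssl EC", sample_cert(OID_ECDSA_SHA256, OID_ECDSA_SHA256)),
                 ("px5g-wolfssl EC", sample_cert(OID_SHA1_RSA, OID_ECDSA_SHA256)),
                 ("px5g-wolfssl RSA", sample_cert(OID_SHA1_RSA, OID_SHA256_RSA))]
    for label, der in certs:
        inner, outer = signature_oids(der)
        verdict = "OK" if inner == outer else "MISMATCH -> wolfSSL ASN_SIG_OID_E"
        print(f"{label}: tbs={OID_NAMES.get(inner, inner)} "
              f"outer={OID_NAMES.get(outer, outer)} {verdict}")
```

Run it with no arguments to see the constructed samples, or pass a DER path to test a real file; the thread's `openssl x509 -inform der -in /etc/uhttpd.crt` shows that uhttpd's certificate is stored as DER, so `/etc/uhttpd.crt` can be passed directly, while a PEM file would need base64-decoding first. A cert that this script flags as MISMATCH is one OpenSSL-based clients may still accept with `--insecure` (they skip signature verification entirely) but wolfSSL rejects during parsing, which matches the behaviour seen in the thread.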

I guess that this requires some input from the wolfssl people. We are too much laymen to quickly get to the bottom of why there are mixed algorithm types even though our function calls should already be properly using only ec or rsa.

Hopefully we get some feedback from upstream.

1 Like

Fixed with:

3 Likes

random footnote... curl seems to be the only thing pulling wolfssl stuff into my imagebuilder image (similar to hnyman, my builds try to go with openssl for everything)...

If anyone in the future is able to make curl not just depend on wolfssl, that would be lovely... cheers.

If you compile with the full toolchain (like I do), you can nicely set curl to depend on openssl.

As explanation, the curl package has not been modified to have variants so that different versions would be available for imagebuilder. The SSL library selection is just a compile-time option, available when compiling from sources.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.