Curl does not respect --insecure option? (wolfSSL)

Suddenly, curl on OpenWrt is not respecting the --insecure anymore?
When I try accessing the rpcd interface via https, I get

curl: (35) SSL_connect failed with error -152: ASN signature error, mismatched oid

If I use the --cacert option I have the same effect. :confused:

Check this:

curl -V
curl -I --insecure URL
curl -v --insecure URL

Sounds like a wolfSSL error code.

What does switching to wolfssl mean for the functionality? Are those options no longer possible?

root@OpenWrt:~# curl -V
curl 7.74.0 (mips-openwrt-linux-gnu) libcurl/7.74.0 wolfSSL/4.6.0
Release-Date: 2020-12-09
Protocols: file ftp ftps http https mqtt 
Features: alt-svc IPv6 Largefile SSL
root@OpenWrt:~# curl -I --insecure https://127.0.0.1
curl: (35) SSL_connect failed with error -152: ASN signature error, mismatched oid
root@OpenWrt:~# curl -v --insecure https://127.0.0.1
* SSL_connect failed with error -152: ASN signature error, mismatched oid
curl: (35) SSL_connect failed with error -152: ASN signature error, mismatched oid

Try to isolate the issue using this way:
Trusting others routers https certificate? - #5 by vgaetera

If the issue persists, then you likely should remove the old cert and let the service generate a new one using the wolfSSL backend.

Already tried completely removing the crt and creating a new one. :confused:

Configuring uhttpd.
4+0 records in
4+0 records out
Generating EC private key
Generating selfsigned certificate with subject '/C=ZZ/ST=Somewhere/L=Unknown/O=OpenWrt3ca99c2a/CN=OpenWrt' and validity 20210126103435-20230126103435

might want to open an issue in the package feeds as that's where curl is packaged for OpenWrt https://github.com/openwrt/packages/blob/master/net/curl/Makefile

Also the default commandline downloader tool in OpenWrt (uclient-fetch, which is symlinked as "wget" as well if you didn't install wget) is able to download stuff ignoring the certificate, so you can use wget --no-check-certificate to work around this issue with that for now.


wget is also not working?

wget --no-check-certificate https://127.0.0.1
Downloading 'https://127.0.0.1'
Connecting to 127.0.0.1:443
Connection error: Connection failed
wget --no-check-certificate -O- https://localhost/

Is there anything listening?
netstat -lnp | grep 443

root@OpenWrt:~#  netstat -lnp | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1592/uhttpd
tcp        0      0 :::443                  :::*                    LISTEN      1592/uhttpd

From my normal libopenssl pc it works. :wink:

curl --insecure https://10.0.0.3
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
<meta http-equiv="refresh" content="0; URL=cgi-bin/luci/" />
</head>
<body style="background-color: white">
<a style="color: black; font-family: arial, helvetica, sans-serif;" href="cgi-bin/luci/">LuCI - Lua Configuration Interface</a>
</body>
</html>
root@OpenWrt:~# uclient-fetch --no-check-certificate -O- https://localhost/
Downloading 'https://localhost/'
Connecting to ::1:443
Connection error: Connection failed

I think switching back to mbedtls would work.


If I create the certificate with

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.crt -subj "/CN=example.com"

it works.

@jow can you maybe say something about this as pkg maintainer of the tool that generates the keys?


My OpenWrt builds are OpenSSL based, and curl, wget and uclient-fetch all succeed with the above examples. So this issue seems to be specific to wolfssl.

 OpenWrt SNAPSHOT, r15618-56c20f0a5a
 -----------------------------------------------------

root@router1:~# curl -I --insecure https://127.0.0.1
HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=20
ETag: "a06-20a-60104774"
Last-Modified: Tue, 26 Jan 2021 16:46:44 GMT
Date: Tue, 26 Jan 2021 18:50:26 GMT
Content-Type: text/html
Content-Length: 522

root@router1:~# wget --no-check-certificate https://127.0.0.1
--2021-01-26 20:49:59--  https://127.0.0.1/
Connecting to 127.0.0.1:443... connected.
WARNING: cannot verify 127.0.0.1's certificate, issued by 'CN=OpenWrt,O=OpenWrt3c77dc87,L=Unknown,ST=Somewhere,C=ZZ':
  Self-signed certificate encountered.
    WARNING: certificate common name 'OpenWrt' doesn't match requested host name '127.0.0.1'.
HTTP request sent, awaiting response... 200 OK
Length: 522 [text/html]
Saving to: 'index.html'
index.html                  100%[==========================================>]     522  --.-KB/s in 0s
2021-01-26 20:49:59 (7.12 MB/s) - 'index.html' saved [522/522]

root@router1:~# uclient-fetch --no-check-certificate -O- https://localhost/
Downloading 'https://localhost/'
Connecting to ::1:443
Writing to stdout
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
<meta http-equiv="refresh" content="0; URL=cgi-bin/luci/" />
</head>
<body style="background-color: white">
<a style="color: black; font-family: arial, helvetica, sans-serif;" href="cgi-bin/luci/">LuCI - Lua Configuration Interface</a>
</body>
</html>
-                    100% |*******************************|   522   0:00:00 ETA
Download completed (522 bytes)

Just to be sure, could you give me a crt and key file, so I can try?

I sent them to you by email.

Quite normal automatically generated keys for uhttpd, but naturally generated using the OPENSSL_BIN option, not the px5g version.

(these seem to have been generated 3 weeks ago. Current default in master is the elliptic curve, so this is a P-256 key (not RSA))

root@router1:/etc# openssl x509 -text -noout -inform der -in /etc/uhttpd.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
1a:8a:7b:92:a3:f8...
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = ZZ, ST = Somewhere, L = Unknown, O = OpenWrt3c77dc87, CN = OpenWrt
        Validity
            Not Before: Jan  6 07:11:51 2021 GMT
            Not After : Jan  6 07:11:51 2023 GMT
        Subject: C = ZZ, ST = Somewhere, L = Unknown, O = OpenWrt3c77dc87, CN = OpenWrt
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:e3:c2:74:a...
                    d4:ec:95:94:af
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Key Identifier:
3A:34:99:4A:6...
            X509v3 Authority Key Identifier:
keyid:3A:34:99:4...

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02...

Your certificates work! :slight_smile:

So the issue should be (or wolfssl since openssl is working...)

I was wrong. The maintainer is @aparcar . :wink:


Looking at the wolfssl sources, the explanation for that error is:

case ASN_SIG_OID_E :
return "ASN signature error, mismatched oid";
Returned if the signature encryption type is not the same as the encryption type of the certificate in the provided file

In my openssl-generated key, both the cert and signature are made with the same crypto algorithm:

        Signature Algorithm: ecdsa-with-SHA256
...
    Signature Algorithm: ecdsa-with-SHA256

While in your example (in the curl GitHub issue), the cert is RSA SHA-1 and the signature is elliptic:

        Signature Algorithm: sha1WithRSAEncryption
...
    Signature Algorithm: ecdsa-with-SHA256

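The mismatch described in the post above can be checked directly on the DER file, independently of which TLS library curl happens to be linked against. The following is an added example, not code from this thread, OpenWrt, px5g or wolfSSL: a stdlib-only DER walker that pulls the algorithm OID out of `tbsCertificate.signature` and out of the outer `signatureAlgorithm` and reports whether they agree, which RFC 5280 section 4.1.2.3 requires and which wolfSSL enforces with ASN_SIG_OID_E. The certificates that `build_sample_cert()` produces for the self-test are constructed skeletons (placeholder serial, empty issuer, unsigned dummy signature value), and `check_sig_oids.py` and the `/etc/uhttpd.crt` path in the usage note are only assumed names.

```python
"""Compare the two AlgorithmIdentifiers of an X.509 certificate.

Added example, not from the thread. RFC 5280 4.1.2.3 requires that
tbsCertificate.signature and the outer signatureAlgorithm carry the same
OID; wolfSSL reports ASN_SIG_OID_E (-152) when they differ. Pure-stdlib
DER walking, so it runs on a router image. Certificates returned by
build_sample_cert() are constructed, unsigned skeletons for the self-test.
"""
import base64
import sys

# Algorithm OIDs that appear in the thread.
OID_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Content octets of an OBJECT IDENTIFIER -> dotted string."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _alg_oid(buf, pos):
    """pos points at an AlgorithmIdentifier SEQUENCE; return its OID."""
    tag, start, _ = _read_tlv(buf, pos)
    otag, ostart, oend = _read_tlv(buf, start)
    if tag != 0x30 or otag != 0x06:
        raise ValueError("expected AlgorithmIdentifier ::= SEQUENCE { OID, ... }")
    return _decode_oid(buf[ostart:oend])


def signature_oids(der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    tag, cert_start, _ = _read_tlv(der, 0)            # Certificate SEQUENCE
    ttag, pos, tbs_end = _read_tlv(der, cert_start)   # tbsCertificate SEQUENCE
    if tag != 0x30 or ttag != 0x30:
        raise ValueError("not a DER Certificate")
    tag, _, end = _read_tlv(der, pos)
    if tag == 0xA0:                                   # optional [0] version
        pos = end
    tag, _, pos = _read_tlv(der, pos)                 # serialNumber INTEGER
    if tag != 0x02:
        raise ValueError("expected serialNumber")
    return _alg_oid(der, pos), _alg_oid(der, tbs_end)


def check_certificate(der):
    """Return (ok, inner_name, outer_name); ok is False on the mismatch wolfSSL rejects."""
    inner, outer = signature_oids(der)
    return inner == outer, OID_NAMES.get(inner, inner), OID_NAMES.get(outer, outer)


def load_certificate(path):
    """Read DER (what uhttpd.crt is on the page) or PEM."""
    data = open(path, "rb").read()
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        data = base64.b64decode(body)
    return data


# --- constructed sample certificates for the self-test ----------------------

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append((arc & 0x7F) | 0x80)
        out += bytes(reversed(chunk))
    return bytes(out)


def _alg_id(dotted):
    params = b"\x05\x00" if dotted.startswith("1.2.840.113549.1.1.") else b""  # NULL params for RSA only
    return _tlv(0x30, _tlv(0x06, _encode_oid(dotted)) + params)


def build_sample_cert(inner_oid, outer_oid):
    """Skeleton Certificate: v3, placeholder serial 1, empty issuer, dummy signature."""
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + _alg_id(inner_oid) + _tlv(0x30, b""))
    return _tlv(0x30, tbs + _alg_id(outer_oid) + _tlv(0x03, b"\x00" * 9))


if __name__ == "__main__":
    if len(sys.argv) == 2:
        ok, inner, outer = check_certificate(load_certificate(sys.argv[1]))
    else:   # self-demo: the sha1WithRSA / sha256WithRSA mismatch shown in the thread
        ok, inner, outer = check_certificate(
            build_sample_cert("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"))
    print(f"tbsCertificate.signature: {inner}\nsignatureAlgorithm:       {outer}")
    print("OK" if ok else "MISMATCH (wolfSSL ASN_SIG_OID_E)")
    sys.exit(0 if ok else 1)
```

Run it as `python3 check_sig_oids.py /etc/uhttpd.crt` (assumed file names) to get a non-zero exit on the mismatch; with no argument it demonstrates the sha1WithRSAEncryption / sha256WithRSAEncryption pair from the dump above. The walker stops after the serial number on purpose: nothing later in the TBSCertificate matters for this check, and an OpenSSL-based curl does not reject the mismatch, so a quick structural test on the file itself is the fastest way to tell a bad certificate from a wolfSSL build problem.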

If you follow through the code aparcar wrote, it looks correct... But I'm kind of tired and just looked at whether the type and signature are correct. I think I need to add more debug output on what is happening. But I also tried RSA and that did not work either.

Basically this:

Doing only RSA is also not working? :confused: (created with px5g-wolfssl).

Here again are different algorithms:

Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3d:e1:a8:a9:31:e0:5e:a1:5f:00:9b:e8:49:f0:88:56
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = ZZ, ST = Somewhere, L = Unknown, O = OpenWrtc973989d, CN = OpenWrt
        Validity
            Not Before: Jan 25 21:15:51 2021 GMT
            Not After : Jan 26 21:15:51 2023 GMT
        Subject: C = ZZ, ST = Somewhere, L = Unknown, O = OpenWrtc973989d, CN = OpenWrt
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b5:98:65:b9:c5:5f:98:0e:6e:16:98:b0:09:b8:
                    4e:39:a2:d2:91:c9:8a:40:90:43:fa:3e:9f:17:2e:
                    a7:b4:30:ba:41:fc:80:4c:cc:24:d4:86:22:8d:ed:
                    af:5a:69:aa:fa:0e:cc:5b:ac:09:d9:c6:51:62:6f:
                    db:cf:41:82:19:81:d9:e3:ed:d1:ae:0c:6c:c5:a0:
                    54:9c:c4:0f:b7:2f:13:f4:29:1d:87:55:6d:4a:f4:
                    44:a3:81:26:93:df:bb:12:ef:07:5e:b3:67:85:68:
                    5d:11:07:b7:b1:f1:24:71:0b:dd:83:c4:3c:40:5f:
                    8e:65:ca:86:af:b7:8b:73:96:43:64:72:3b:df:bc:
                    3b:3c:30:db:b7:43:16:08:f4:68:87:20:e5:56:49:
                    16:6e:77:1b:b5:5f:57:97:bf:0d:85:db:7a:14:a6:
                    b2:eb:ff:16:b9:3f:8c:59:20:c6:4b:00:80:ca:f2:
                    77:c8:26:d0:bb:8a:04:72:59:7b:cc:9b:32:31:fc:
                    7c:c7:ff:fd:73:d2:11:99:c9:0c:8e:40:76:cd:b2:
                    66:af:2a:ea:b3:68:b3:cd:f4:cc:53:9b:db:5a:ba:
                    2d:93:96:db:3c:c8:8c:30:9d:3f:5d:c7:24:3c:c0:
                    9f:d4:9c:e8:82:28:48:99:ce:48:f9:fa:d9:09:3c:
                    38:0b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         48:16:5c:28:ae:67:7b:54:09:a1:45:3d:dd:e6:70:53:a6:9f:
         b0:25:a9:fe:25:d8:8b:b4:6c:17:22:ba:8e:d2:a0:82:f7:80:
         70:7c:a2:f8:de:1a:fc:91:af:c1:eb:de:98:6c:d1:92:ed:a8:
         c0:88:08:2d:b2:17:9c:ce:04:0e:24:7f:71:c0:29:c5:60:a3:
         db:e4:81:6b:28:1f:0a:51:5a:31:10:51:aa:1f:d8:80:db:af:
         4d:fb:26:32:90:37:67:7d:56:32:2e:de:87:b2:4c:56:ff:46:
         b0:57:10:d4:25:26:2b:f9:2d:f4:7f:79:40:87:6b:cc:6c:ac:
         41:0e:9d:27:17:bd:62:bc:ba:f9:24:b2:52:a0:4d:ce:f1:63:
         ab:f3:3b:ff:4b:25:6f:cc:fb:74:79:7c:cb:ff:94:15:8a:9f:
         4b:18:06:33:fe:63:28:f4:32:03:3c:e3:27:64:b3:b6:0d:77:
         b5:a4:7a:58:b7:04:c8:69:24:e4:e2:c9:d2:a0:91:45:66:7d:
         31:c4:70:56:d4:cb:69:22:09:75:78:99:49:69:d4:bf:3c:7b:
         d3:67:e7:59:a7:de:3f:80:60:ed:13:25:1f:ad:27:7c:98:ee:
         1e:53:a3:50:f5:62:b9:f1:d8:0c:e3:12:2b:0e:3f:dd:5f:36:
         1d:1a:43:59
config cert 'defaults'
	option days '730'
	option key_type 'rsa'
	option bits '2048'
	option ec_curve 'P-256'
	option country 'ZZ'
	option state 'Somewhere'
	option location 'Unknown'
	option commonname 'OpenWrt'