ECC certificates with luci & uhttpd in lede 17.01.1

I noticed that if I generate ECC certificates from https://github.com/Neilpang/acme.sh, they don't work with luci. The regular non-ECC ones work fine. I think this used to work before the .1 release, or maybe I've misconfigured something now. I tried swapping out openssl packages with the mbedtls versions, but it didn't make any difference. Since the non-ECC certs work fine, it rules out basic configuration issues on my end.

Neither LuCI nor uhttpd contains any SSL certificate functionality.
That comes directly from the SSL lib in use, either openssl, mbedtls, cyassl etc.

You might check the specific options used to compile those libs. Many ciphers are disabled to make the library smaller.

Any easy way to check if support was dropped recently? AFAIK, this used to work earlier. Also, if there were no support in the libraries, would I be able to generate certs in the first place? Doesn't acme rely on the ssl backend for creating and submitting CSRs? For instance, I'm able to run commands listed on https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations on the router.

Do you use the ustream-openssl backend library?

Yes, but neither libustream-openssl nor libustream-mbedtls works. (I don't remember which one used to work earlier for me.) Is there any way to enable debug messages for the error? Nothing is logged right now. http continues to work, but https doesn't when I use the ECC certs. It starts working if I edit the cert & key path to point to the non-ECC certs. The client side error on running wget/curl is "OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure". Chrome says "ERR_SSL_VERSION_OR_CIPHER_MISMATCH".

Just an update. Current libustream-mbedtls handles ECC certs properly. libustream-openssl doesn't though. If someone would like to report an RFE for libustream-openssl, please do so. I'm not sure where the tracker is.
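The thread's symptom (HTTP works, HTTPS with the ECC cert fails with a handshake_failure alert and ERR_SSL_VERSION_OR_CIPHER_MISMATCH, while the RSA cert works) is what you see when the server's TLS library cannot authenticate with an ECDSA key. Before blaming the web server, it helps to confirm two things on the box: which key algorithm the configured certificate actually carries, and whether the local libssl build exposes any ECDSA cipher suites at all. The script below is an added example, not code from the thread or from the LEDE/acme.sh projects. It constructs a self-signed P-256 cert and an RSA cert in a temp dir for demonstration; on a real router you would point cert_key_type at the cert path from your uhttpd config instead (that path is assumed, not taken from the thread).

```shell
#!/bin/sh
# Added example: classify a certificate's key type and check whether the local
# OpenSSL build can serve an ECDSA certificate. Sample certs are constructed here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Print the public key algorithm of a PEM certificate as "EC", "RSA", or the raw name.
cert_key_type() {
  alg="$(openssl x509 -in "$1" -noout -text \
         | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)"
  case "$alg" in
    id-ecPublicKey) echo EC ;;
    rsaEncryption)  echo RSA ;;
    *)              echo "$alg" ;;
  esac
}

# Exit 0 if this libssl offers any ECDSA-authenticated cipher suite, non-zero otherwise.
# A build with EC disabled prints nothing here, and "openssl ciphers" fails.
has_ecdsa_ciphers() {
  openssl ciphers 'aECDSA' >/dev/null 2>&1
}

# Mirror the failure mode from the thread: an EC cert on a libssl with no ECDSA
# suites cannot complete a handshake, so clients see handshake_failure.
can_serve() {
  if [ "$(cert_key_type "$1")" = EC ] && ! has_ecdsa_ciphers; then
    echo mismatch
  else
    echo ok
  fi
}

# Constructed test material: a P-256 cert (what acme.sh --keylength ec-256 issues)
# and a 2048-bit RSA cert, both self-signed and valid for one day.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ec.key"
openssl req -x509 -new -key "$WORK/ec.key" -subj '/CN=example.test' \
  -days 1 -out "$WORK/ec.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=example.test' \
  -days 1 -keyout "$WORK/rsa.key" -out "$WORK/rsa.crt" 2>/dev/null

for c in ec rsa; do
  printf '%s.crt: key=%s serve=%s\n' "$c" \
    "$(cert_key_type "$WORK/$c.crt")" "$(can_serve "$WORK/$c.crt")"
done
```

On a LEDE box, run cert_key_type against the cert path configured for uhttpd: if it reports EC, the RSA fallback works, and has_ecdsa_ciphers fails, the library build lacks EC support; if the ciphers are present but HTTPS still fails, the limitation sits in the glue layer between uhttpd and the library (libustream-ssl), which is the conclusion the thread reached for libustream-openssl.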