Firefox SSL_ERROR_NO_CYPHER_OVERLAP, WolfSSL, Update Strategy

I am currently building an APU Board Router, replacing my old Alix Board running an older Instance of OpenWRT.
Most things went smooth so far, however, I have a rather annoying Problem, which I pinned down to WolfSSL (I guess) reading several Threads here.
I have a correct certificate and use it together with uhttpd. Everything works fine, except after I do a reboot. Whenever I try to access the router via its https URL, using Firefox on Ubuntu, I get a SSL_ERROR_NO_CYPHER_OVERLAP Error. After a few minutes this Problem is gone, and I am able to connect to my box.

Now, from what I gathered here, it is related to WolfSSL, and Indeed, replacing it with OpenSSL seems to fix that problem. However, that leads me to conflicts with my future upgrade Plans.
I am trying to keep things simple as possible, so I thought my strategy would be, get the correct Update File, restore backup, and restore installed packages with opkgscript. Unfortunately, As far as I can tell, that way it is just possible to add packages, not to remove them.

So questions:
-Is this indeed some Problem/Bug with WolfSSL?
-Is there a way to fix it?
-How can I find out, why after a few minutes, everything works as expected(checked system.log, but nothing unusual)?
-If, (and right now it looks like that) the solution to fix that would be using OpenSSL, how could I solve that install Problem automated? Building my own OpenWRT Images is not an option right now.
-Also, what other Problems to expect, when I switch? I noticed that there is no Curl Pendant compiled against OpenSSL, which probably breaks Packages depending on Curl.

Are you using the current version of Firefox?

Have you checked the TLS and SSL3 settings?

Certificate is valid, as I said, the problem is just for a few minutes, after I rebooted the router. If I wait a certain time, the problem is gone. Also if installing OpenSSL replacing WolfSSL, the problem is gone as well.

Read the new questions I posted.

1 Like

Firefox is current, yes.
But Again, I am pretty sure it is not Firefox related. I had also running ngnix a while until I moved it to docker, and while I had wolfssl with cert, I noticed, that it failed to come up. (Don't have the logs anymore, as I said, I am testing everything right now). That Problem disappeared as well, when I switched to OpenSSL.

hmm that sound like wolfssl refuesd to make nonce when it's short of entropy? can you openssl s_client to it to see the handshake?

3 Likes

Anything in particular I should take care of? Posting the whole result seems to be a bit long.I just did that, and got a response to an extend, I can see a certificate and so on. A first look seems to give me same results, fresh after start (Firefox error), and after a few minutes (Firefox working)

1 Like

I see a similar issue.

  • Fully up-to-date Firefox 94.0.2
  • OpenWRT 21.02.1
  • Luci running in uhttpd / ssl - I assume WolfSSL as I have not made changes
  • certificate signed by self signed certificate authority (imported into Firefox)
  • initially see SSL_ERROR_NO_CYPHER_OVERLAP, then 5-10 minutes later, it starts working - didn't precisely time
3 Likes

I agree, it seems the router may not have enough entropy.

Try: https://openwrt.org/packages/pkgdata/urngd

1 Like

I recommend that you use the Online Image Builder to build your custom OpenWrt firmware (with packages that you want already installed in the firmware, along with some commands to run on first boot):

Example:

  1. On "Custom package selection":

    1. DELETE:

      • libustream-wolfssl
      • wpad-basic-wolfssl
    2. Then ADD to the end of the last package, these packages:

      • libustream-openssl wpad-openssl luci-ssl-openssl auc luci-app-attendedsysupgrade

      (Install "auc" and "luci-app-attendedsysupgrade" to keep snapshots up to date)

  2. Request Build, wait and download the firmware, then flash the firmware and configure the router from scratch (don't use a backup).

P.S. Don't delete the packages that appear in "Custom package selection", they are necessary or you will brick the router, but you can replace those packages if you want.

@aparcar created that Online Image Builder:

1 Like

urngd is already installed. Perhaps because it is X86?

Good recommendation. Seems like a good Compromise between stock image and building myself! And it certainly helps to fix other problems I had

1 Like

I have been using Online Image Builder for months to create my custom OpenWrt firmware and to date it works without problems.

1 Like

Seems like you found a solution, but it is not clear what in this thread was the solution you liked. Could you post a follow up summary/post-mortem?

I'm having this problem as well. Symptoms are exactly as described in OP. I don't see a way to "switch" to openssl, however, since there is no libustream-openssl and no luci-ssl-openssl pkg in OpenWRT 20.02.1. Even if there was, it's not clear how to switch a live system. Also, it's not clear how to "delete packages" using imageBuilder. I use imageBuilder and I only know how to add packages to the core list.

1 Like

I also get that error intermittently, so it would be nice to know if the root cause was wolfssl or something else...

1 Like

I'm able to reproduce this on my EdgeRouter X by restarting uhttpd. It also occurs at boot.

Because I can reproduce it after the system has been booted for awhile, I don't think it is related to time sync or low kernel entropy.

I was able to confirm with packet capture that the Firefox message is correct, no cipher suite is selected by uhttpd in the Server Hello message.

This is pretty clearly a bug in my mind, so I made a github issue: https://github.com/openwrt/openwrt/issues/9247

2 Likes