Luci Login Screen Certificate

This just struck me as curious, but I was browsing through my config files and opened /etc/config/uhttpd and looked at the Cert defaults.

config cert 'defaults'
	option days '397'
	option key_type 'ec'
	option bits '2048'
	option ec_curve 'P-256'
	option country 'ZZ'
	option state 'Somewhere'
	option location 'Unknown'
	option commonname 'OpenWrt'

OpenWRT has removed any identifying information from the opening webpage. Doesn't that information present itself when its certificate is viewed from the browser, thereby revealing that the device runs OpenWRT?

Clicked on the padlock next to the address field in your browser?

Yeah, that should be the one. (I can't verify it because I'm not on HTTPS.)
In FF you then go to Connection secure > More Information > Security > View Certificate

Certificate gives away that it's OpenWRT.

OMG, installing OpenWRT in VirtualBox is a breeze nowadays.

Downloaded the latest OpenWrt SNAPSHOT, r27760-2d350fded6

$ wget https://downloads.openwrt.org/snapshots//targets/x86/64/openwrt-x86-64-generic-squashfs-combined.img.gz
$ gunzip -k openwrt-x86-64-generic-squashfs-combined.img.gz

Created a new VM: OpenWRT, Other Linux 64-bit

  • removed all storage devices
  • disabled audio, USB
  • added 2 nics, where nic1 forwarded port 8443 to 443

Then converted the OpenWRT image and added it to the VM with a SATA controller

$ VBoxManage convertfromraw --format VDI ../openwrt-x86-64-generic-squashfs-combined.img openwrt-x86-64-generic-squashfs-combined.vdi

Booted up OpenWRT, then from the console

passwd
uci set network.lan.proto=dhcp
uci commit network
service network restart
opkg update
opkg install luci-lib-px5g px5g-mbedtls luci

Snippet from the luci installation:

*Generating EC private key*
*Generating selfsigned certificate with subject 'C=ZZ,ST=Somewhere,L=Unknown,O=OpenWrt80387a3b,CN=OpenWrt,' and validity 20241014175552-20251115175552*

Certificate presented at https://localhost:8443

The Organization option is missing from the default configuration resulting in OpenWRT-(random hex) in the certificate.

The option is also missing from certificate settings (should it be added here?)

But it can be added via UCI and is used when creating a new certificate.

uci set uhttpd.defaults.organization='Your text here'

or by editing the config file: /etc/config/uhttpd

config cert 'defaults'
	option organization 'Your text here'

Deleting /etc/uhttpd.* will trigger the creation of a new self-signed certificate.

TLDR: Removing the "OpenWrt" name from the self-signed certificate:

uci set uhttpd.defaults.commonname='Your text here'
uci set uhttpd.defaults.organization='Your text here'
uci commit uhttpd
rm /etc/uhttpd.*
service uhttpd reload
service uhttpd restart

Should I file a bug report?
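As an added example (not from any post in this thread): a small POSIX sh script that fetches the subject of the certificate a router presents and reports which fields still carry the default "OpenWrt" marker, so you can verify the TLDR steps actually took effect. It assumes an openssl binary is available for the live fetch; the sample subject used for the dry run is constructed from the "Generating selfsigned certificate" line quoted above, and the hypothetical function names are mine.

```shell
#!/bin/sh
# Added example, not from any post in this thread: check which subject fields
# of the certificate a router presents still carry the default "OpenWrt" marker
# discussed above (O=OpenWrt<hex> and CN=OpenWrt).
# Assumptions: POSIX sh with sed/tr/grep, and an openssl binary for the live
# fetch; the sample subject for the dry run is constructed from the
# "Generating selfsigned certificate" line quoted in the thread.

# Fetch the subject line of the certificate served by host:port, exactly as
# `openssl x509 -noout -subject` prints it.  Not exercised by the dry run.
fetch_subject() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -subject
}

# Print every RDN (one per line, as FIELD=value) whose value contains
# "OpenWrt", case-insensitively.  Accepts both output styles openssl has used:
# "subject=C = ZZ, ST = ..." and the older "subject=/C=ZZ/ST=...".
leaking_fields() {
    printf '%s\n' "$1" |
        sed 's/^subject= *//' |
        tr ',/' '\n\n' |
        sed 's/^ *//; s/ *= */=/' |
        grep -i 'OpenWrt' || true      # no match is not an error
}

# Return 0 when the certificate is free of the marker, 1 (listing the
# offending fields) when it still identifies the device.
check_subject() {
    leaks=$(leaking_fields "$1")
    [ -z "$leaks" ] && return 0
    printf 'certificate still identifies the device:\n%s\n' "$leaks"
    return 1
}

# Constructed sample matching the subject printed during luci installation.
SAMPLE_SUBJECT='subject=C = ZZ, ST = Somewhere, L = Unknown, O = OpenWrt80387a3b, CN = OpenWrt'

# Dry run against the sample; for a live device use
#   check_subject "$(fetch_subject 192.0.2.1)"    (192.0.2.1 is a placeholder)
check_subject "$SAMPLE_SUBJECT" || :
```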

  • Why?
  • I thought that random hex was intentional?
  • What [other] issues does it cause?
  • What organization are you proposing be added by default?

Done.

Assuming the reason behind removing the OpenWrt logo from the login page was to not identify itself. Placing the name in the self-signed certificate kind of negates that.

(I understand that the default hostname corresponds to the CN, and since the default hostname=OpenWrt so must the CN. But is the cert recreated when the hostname changes?)

The random hex is fine, it's the OpenWrt part that identifies it.

The end-user does not have the ability to change the organization name since the option is missing from the default uhttpd config.

O=Self-Signed
O=Unknown
O=None

come to mind.

That's a big assumption. The UI was altered a few versions back. I think that has to do with removing the old logo, nothing more.

You can always change the config by adding the option. This includes any UCI options not included in the file by default. So your statement isn't clear.

Additionally, you can add these configs to UCI Defaults and have a custom value by using the Firmware Selector (if that's your concern).

Interesting ideas; personally, I'm not sure they apply well.

Feel free to make a request, of course.

Certs (including SSH) are created on first boot/install.

What's your concern about "identification"?

That's untrue. The page title still appears. Its default is "OpenWrt" (i.e., it identifies the device).

Thanks for taking the time to answer my questions.

All I'm trying to say is that organization should be added to the default uhttpd config, so the end-user has the ability to change it.

config cert 'defaults'
	option organization ''

Cool.

I was only making note that the end user always had the ability to change it. The suggestion of adding a blank section (or anything else) merely adds bytes to the default file.