JW0914
December 1, 2018, 6:19pm
46
arjuniet:
Dude, you are taking me wrong. Yes, a CA won't give a certificate for that, I know this,
but I am really not getting why guys who no doubt have so much knowledge couldn't find a way to secure your LAN sites in such a case?
Take this up with the OpenWrt devs who maintain the OpenWrt Git repo, as they've been made aware repeatedly that:
A self-signed cert for LuCI opens the user to a MITM attack, and while it's a less probable scenario on a LAN, the risk is still there.
It's insanely easy to fix by adding the proper commands to /etc/init.d/uhttpd so that uhttpd auto-generates a self-signed CA, then uses that CA to sign its cert (a whopping total of 3 command strings).
My philosophy: take the time, don't half-ass it, and do it right the first time around.
This would require OpenWrt to be configured with a local domain of com, thereby breaking internet access for downstream devices.
2 Likes
Do you just want to continue this discussion?
I never asked to buy a certificate (read about Let's Encrypt).
I never asked to buy a different certificate; there are wildcard certificates, or for the purpose that I want the certificate, to authenticate the router, you can use the same certificate too, dude.
Dude, I can't explain it to you, sorry... I quit and can't reply to you on this thread.
I also mentioned needing to acquire a domain name for that cert.
You also have not provided the instructions you said you would provide. I know about Let's Encrypt!
This is invalid to issue on the Public Internet (hence needing a domain name)! WTF!!!
Then why are you always talking about purchase?
arjuniet:
What is invalid?
Once again... I think you need to study...
The issuance of a wildcard cert to anyone on the Public Internet is invalid.
JW0914
December 1, 2018, 6:25pm
52
Let's Encrypt, or any commercial CA / ICA, CANNOT sign a certificate for RFC1918 (LAN) IP addresses ... it is not possible, period.
I'd be surprised if this was also not disallowed in the RFC.
2 Likes
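The two points JW0914 makes above, that uhttpd could generate a local CA and sign its own certificate with it, and that no public CA will ever sign a certificate for an RFC1918 address, are illustrated by the following added example. It is not code from the thread or from OpenWrt's own /etc/init.d/uhttpd init script; the hostname openwrt.lan, the address 192.168.1.1 and the output directory are assumed values, and the openssl binary is assumed to be present (it is not part of a default OpenWrt image). A LAN client that imports ca.crt as a trust anchor then gets a validated connection to LuCI instead of a click-through warning, which is what removes the MITM exposure.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt's /etc/init.d/uhttpd:
# a local CA on the router, a uhttpd server certificate signed by that CA,
# and the checks a LAN client performs once it trusts ca.crt.
# Constructed/assumed values: hostname openwrt.lan, address 192.168.1.1,
# and the output directory passed as $1.

CA_DAYS=3650     # lifetime of the local CA
CERT_DAYS=825    # lifetime of the uhttpd leaf certificate

# Step 1: self-signed local CA. ca.key never leaves the router; ca.crt is
# the file LAN clients import as a trust anchor.
make_local_ca() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = OpenWrt Local CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$CA_DAYS" \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
}

# Step 2: key + CSR for uhttpd, signed by the local CA. The SAN carries both
# the LAN name and the RFC1918 address, which no public CA would sign.
issue_router_cert() {
    dir="$1"; host="$2"; ip="$3"
    openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=$host" \
        -keyout "$dir/uhttpd.key" -out "$dir/uhttpd.csr" 2>/dev/null
    cat > "$dir/uhttpd.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, IP:$ip
EOF
    openssl x509 -req -sha256 -days "$CERT_DAYS" -in "$dir/uhttpd.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/uhttpd.ext" -out "$dir/uhttpd.crt" 2>/dev/null
    chmod 600 "$dir/uhttpd.key"
}

# Step 3: what a client that trusts ca.crt checks: the chain leads to the
# local CA, and the name or IP it connected to matches the certificate.
# Both return 0 on success, non-zero on any failure.
client_check_name() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/uhttpd.crt" >/dev/null 2>&1
}
client_check_ip() {
    openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/uhttpd.crt" >/dev/null 2>&1
}

# Stand-alone run: build everything in a scratch directory and report.
demo() {
    dir="${1:-$(mktemp -d)}"
    make_local_ca "$dir"
    issue_router_cert "$dir" openwrt.lan 192.168.1.1
    client_check_name "$dir" openwrt.lan && echo "openwrt.lan: trusted"
    client_check_ip "$dir" 192.168.1.1 && echo "192.168.1.1: trusted"
    client_check_name "$dir" other.lan || echo "other.lan: rejected (name mismatch)"
}
demo "$@"
```

Three openssl invocations do the work (CA, CSR, signing), matching the "3 command strings" JW0914 mentions; the verify calls only show what a browser does once ca.crt is installed. A certificate issued this way is trusted solely by devices that were deliberately given ca.crt, which is the correct scope for a LAN-only management interface.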
Dude, no one can issue for LAN, I know.
Leave it, man; if you ever need one I'll show you for sure, dude.
Let's stop this discussion.
@JW0914 I'll tell you, @lleachii might not trust it even after a demo.
arjuniet:
Dude, no one can issue for LAN, I know.
Leave it, man; if you ever need one I'll show you for sure, dude.
Let's stop this discussion.
You really don't get it...
So not only do you trust PKI for LAN, you want them ALL to issue * certs to ANYONE ON PLANET EARTH!!!
BEWARE OF @arjuniet and this theory for devices you own!
Thanks @lleachii, was expected.
Yes, it should have been expected:
When anyone buys a router:
Install firmware
Get internet
Install SSL libraries
Forget all other things
Register a domain and get a wildcard certificate for it for free
After that, ask me how to use this certificate on a private LAN; you can even Google it
If not, I'll install it for you. If unsuccessful I will quit this group; if installed successfully, @lleachii (anything you want to say?)
OK... I understand... let me ask you:
When you say Wildcard... do you mean ROOT DNS DOMAIN?
Because that's what I understand, and you are not the owner of a ROOT DOMAIN, so you cannot receive such a cert.
If you have a domain, openwrt.org for example, and it is not an eTLD like gov.fr, a CA can issue a *.openwrt.org certificate for you.
You can use it on any subdomain: anything.openwrt.org.
arjuniet:
If you have a domain, openwrt.org for example, and it is not an eTLD like gov.fr, a CA can issue a *.openwrt.org certificate for you.
You can use it on any subdomain: anything.openwrt.org.
CORRECT!
That is not the wildcard the OpenWrt device refers to. You can install a cert for a domain you purchased (or used Let's Encrypt for).
Please explain any vulnerability now. I am truly interested.
I am really not getting now what you want to know. I can't explain it to you, dude; if you have any specific doubt, tell me frankly and I'll try to help.
Have you got to know now what I was trying to explain?
arjuniet:
I am really not getting now what you want to know. I can't explain it to you, dude; if you have any specific doubt, tell me frankly and I'll try to help.
Have you got to know now what I was trying to explain?
The Router generates a Cert for this (you cannot legally buy one):
Dude, why did you bring up root name servers?? I never talked about them.
I am talking about a ROOT CA.