The saga of Firefox Mobile, uhttpd, and openssl
uci set uhttpd.main.redirect_ssl=0
The story so far
If you install openssl on OpenWrt, the install procedure silently switches uhttpd to SSL/TLS. This is true both for manual installs and for automatic dependency installs.
You will probably not notice anything different until you come across a browser that cannot handle the default self-signed certificate generated by the /etc/init.d/uhttpd start script.
The prime example of this is version 16 and above of the Firefox Mobile browser used on Android (and iOS).
Testing this certificate by converting it to PEM format and running openssl verify gives the following.
roger@dragon:~/ssltest/test-certs$ openssl verify -verbose default-openwrt.crt
C = ZZ, ST = Somewhere, L = Unknown, O = OpenWrt, CN = OpenWrt
error 18 at 0 depth lookup: self signed certificate
error default-openwrt.crt: verification fails
Most desktop browsers, including Firefox, show an error message and allow you to add a temporary or permanent exception for this certificate. Firefox Mobile also shows the error message, but when asked to add the exception it silently fails and goes back to showing the error message.
The default /etc/ssl/openssl.cnf installed by opkg causes this certificate to be generated with the following X509v3 extensions.
X509v3 Subject Key Identifier: 32:4A:35:79:43:5E:93:38:88:94:E0:DE:A2:8E:E3:97:16:C4:EE:D0
X509v3 Authority Key Identifier: keyid:32:4A:35:79:43:5E:93:38:88:94:E0:DE:A2:8E:E3:97:16:C4:EE:D0
X509v3 Basic Constraints: CA:TRUE
These extensions say that the key is a CA root certificate and is only valid for use as a trust anchor at the top of a certificate chain. However, THIS IS A RED HERRING (a distraction from the real problem).
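Both checks above (the openssl verify run and the extension dump) can be reproduced without a router. The following Go program is an added example, not code from this post or from OpenWrt: it builds a certificate with the same subject as the default uhttpd one, marked CA:TRUE with no subjectAltName, and then reports what a verifier with an empty trust store sees. The key type and validity period are assumptions; the init script's actual choices are not shown on this page.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Inspect is the Go equivalent of "openssl verify" with no trust anchors configured:
// it reports whether the cert is self-signed, whether it carries CA:TRUE, and the chain error.
func Inspect(cert *x509.Certificate) (selfSigned, isCA bool, verifyErr error) {
	// Self-signed: issuer equals subject and the signature validates under the cert's own key.
	selfSigned = bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	isCA = cert.BasicConstraintsValid && cert.IsCA
	// An empty (non-nil) pool means "trust nothing", like openssl verify without -CAfile.
	_, verifyErr = cert.Verify(x509.VerifyOptions{Roots: x509.NewCertPool()})
	return selfSigned, isCA, verifyErr
}

// NewOpenWrtStyleCert builds a certificate shaped like the uhttpd default: subject copied
// from the openssl verify output above, CA:TRUE, no subjectAltName. The P-256 key and the
// one-year validity are assumptions for this example, not taken from the init script.
func NewOpenWrtStyleCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{Country: []string{"ZZ"}, Province: []string{"Somewhere"},
			Locality: []string{"Unknown"}, Organization: []string{"OpenWrt"}, CommonName: "OpenWrt"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, // emits X509v3 Basic Constraints
		IsCA:                  true, // ... with CA:TRUE, as in the dump above
	}
	// Signing the template with its own key yields the self-signed shape seen by openssl verify.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

With a real router certificate, load it with x509.ParseCertificate on the DER bytes and pass it to Inspect; the three results correspond to the "self signed certificate" error, the CA:TRUE flag, and the chain failure the post describes.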
The more fundamental problem is that uhttpd returns an encrypted alert whose content causes Firefox Mobile to terminate the TCP connection. It does then go on to try a few different TLS/SSL versions, all of which terminate with an unencrypted alert showing a self-signed validation error. All of this is invisible to the end user, who only sees the browser going back to the self-signed error message and ignoring the attempt to add a security exception.
To muddy the picture even further, if I add the exact same certificate and key to a test site hosted by Apache, then Firefox Mobile succeeds in adding the security exception and proceeds to connect to the site.
If anyone wants to investigate this further, they are welcome to, but I have had enough. Decoding encrypted alerts is not easy. I will help out if I can.
I have implemented my simple solution above. I do not need to secure my router admin with SSL.