Which version of curl?

I have a fair number of older tp-link tl-wr703n-v1 routers that I've re-used over the years.
I recently updated one to the newest/last version I could find for this hardware, lede 17.01.5.
When I try using curl, I get the following error: PRNG seeding failed.

Looking online for answers, I found that there was something broken in the version I'm using which is 7.52.1-10. I upgraded to 17.01.6 curl_7.52.1-10 which made no difference.
I then went with openwrt 18.06.0 curl_7.60.0-3 which made no difference. I also upgraded to matching libcurl but eventually found a new error,

Error loading shared library libmbedcrypto.so.1: No such file or directory (needed by /usr/bin/curl)
Error loading shared library libmbedcrypto.so.1: No such file or directory (needed by /usr/lib/libcurl.so.4)

I found a post suggesting to make a symlink but I'd rather just use the correct versions but, are there any and where can I find curl that will work in this version of lede that I have?

Thanks.

The problem is likely lack of flash space. You're going to have to shoehorn a custom build to fit the SSL version of curl and a SSL library into 4M flash.


Hi,

Thanks for your reply.

There isn't much on these things. Can you suggest which packages I need to install? I thought curl handles SSL without anything extra.

curl (and most other programs) rely on a library and a certificate store for TLS.

To get it to fit in a router with only 4 MB of flash, you will most likely need to build your own firmware, especially as it appears that the builds with LuCI are too large for the device (as there are no current images that I could find).

The mbedTLS is one that was written with embedded devices in mind. It may be one of the smaller ones. I don't know much about wolfSSL, but it seems to be designed for embedded devices as well. OpenSSL and GNUTLS come from the desktop/server world and are probably larger, especially once dependencies are taken into account.

You will also need trusted certificates, such as provided by ca-certificates.

I do have my own firmware on these. I have the very bare minimal. Running openwrt, there aren't any issues at all and only upgrading them to lede since this is the last version I can find has caused this.

However, something interesting is the following.

to be clear...

This following command works...
# curl --cacert /etc/ssl/certs/ca-certificates.crt -u xxx:xxx "https://www.site.com/files/getfile.sh" -o /filename

While this following command gets the error

# curl --cacert /etc/ssl/certs/ca-certificates.crt -u xxx:xxx "https://www.site.com/get.php" -F function=get_stats
* PRNG seeding failed

Both are connecting to an ssl site but one is failing. Does it really seem that I am actually missing a package since one of the https works while the other does not?

The only file I have for certs is

# ls -la /etc/ssl/certs/
drwxr-xr-x    1 root     root             0 Apr  2 00:18 .
drwxr-xr-x    1 root     root             0 Jul 20  2018 ..
-rw-r--r--    1 root     root        233394 Jul 20  2018 ca-certificates.crt

Which has always worked since the device is only connecting to one single site, no others. Maybe I have to install the ca-certificates package to figure out which cert I might be missing or has changed on the server side, something along those lines.

Edit:

https://github.com/curl/curl/issues/1268 -- suggests a problem with the old version, as you've noted. The description there suggests that it might be due to how the "other" server is expecting things.

curl -v from your desktop might provide some clues as to the difference. Take note of redirects and methods (GET/POST) in particular.

https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html

Check what certificate is being offered (from your desktop). It might not be valid or its root not present in your bundle. You can probably do the same with your browser.

LOL, sorry, it's getting a little confusing now. Trying to keep up :).
I added ca-certificates and that didn't make any difference. I don't think it's anything on the server since other devices are connecting without such an error.

I ran the exact same curl command on other devices as well such as my openwrt 18.06 and it works also. No errors.

I don't think it's anything on the server side but something with curl on the tp-link as first posted. However, no matter what I do so far, I cannot get it to work. Is it possible it was left broken with no resolve at that last version for the tp-link?

The --insecure option will cause curl to not check the server certificate. In that case you don't need ca certificates. But there is no protection from man in the middle attacks.

The "Error loading shared library" is going to prevent anything from running, that is rather self-explanatory. Either the library file doesn't exist, or was compiled in a way that doesn't match the application program.
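Added example, not part of the thread: a small shell check that takes the loader errors quoted in the first post and reports whether each missing soname is absent altogether or installed under a different version suffix, which is what mixing packages from two releases can produce. The function names, the default /usr/lib directory and the embedded sample are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample: the two loader errors quoted earlier in the thread.
SAMPLE_ERRORS='Error loading shared library libmbedcrypto.so.1: No such file or directory (needed by /usr/bin/curl)
Error loading shared library libmbedcrypto.so.1: No such file or directory (needed by /usr/lib/libcurl.so.4)'

# missing_sonames (hypothetical helper): read loader errors on stdin and
# print each missing soname once.
missing_sonames() {
    sed -n 's/^Error loading shared library \([^:]*\): No such file or directory.*/\1/p' | sort -u
}

# soname_report LIBDIR (hypothetical helper): for each missing soname on
# stdin, say whether LIBDIR holds it, holds the same library under another
# version suffix, or does not hold it at all.
soname_report() {
    libdir=$1
    missing_sonames | while IFS= read -r soname; do
        if [ -e "$libdir/$soname" ]; then
            echo "$soname: PRESENT"
            continue
        fi
        base=${soname%%.so*}      # libmbedcrypto.so.1 -> libmbedcrypto
        found=''
        for f in "$libdir/$base".so*; do
            [ -e "$f" ] || continue   # glob matched nothing
            found="$found ${f##*/}"
        done
        if [ -n "$found" ]; then
            echo "$soname: MISMATCH, installed:$found"
        else
            echo "$soname: ABSENT"
        fi
    done
}

# Stand-alone run: check the sample errors against /usr/lib (or $1).
printf '%s\n' "$SAMPLE_ERRORS" | soname_report "${1:-/usr/lib}"
```

A MISMATCH line means the binary and the installed library come from different builds; an ABSENT line means the library package is not installed at all.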

Yes, it is self explanatory except for what I posted above where one command works and the other doesn't. And more importantly, what packages/versions do I need to fix this is what I'm trying to figure out through this post :).

Add curl to your config, select, for example mbedTLS as the TLS library used by libcurl, add ca-certificates to your build.

I'm not sure what you mean by 'add curl to your config'. I have curl in my list of packages for building the firmware and also ca-certificates.

I'm looking for the package that you suggested but cannot find it.

Unknown package 'mbedtls'.
I found this libustream-mbedtls, but that didn't help either. Can you tell me specifically the name of the package/s I should be installing?

Select curl
Select mbedTLS for libcurl
Select ca-certificates

Part of the resulting ./scripts/diffconfig.sh output:

CONFIG_LIBCURL_MBEDTLS=y
CONFIG_PACKAGE_ca-bundle=y
CONFIG_PACKAGE_ca-certificates=y
CONFIG_PACKAGE_curl=y
CONFIG_PACKAGE_libcurl=y
CONFIG_PACKAGE_libmbedtls=y

I see the confusion now :).
I'm not using the menu tree method, I'm using the image builder method since I don't need anything all that special.

That said, I still don't find some of the packages you mention.

Unknown package 'mbedtls'.
Unknown package 'libcurl_mbedtls'.
Unknown package 'libcurl-mbedtls'.

curl (7.52.1-10) is up to date.
libmbedtls (2.7.5-1) is up to date.
libcurl (7.52.1-10) is up to date.

You'll need to move to something current if you're going to use the image builder. I'd recommend at least 18.06.2.

I didn't see anything newer for the old tp-link tl-wr703n-v1 other than lede 17.01.5.
Am I missing something? I'd hate to have to junk these tp-links.

You’ll need to build your own image from source. They’re just too under-resourced for a build with LuCI.

I'm not adding luci, no gui or web services of any sort. It's a very very simple build.

You can't get the version you need with what you're using, so you'll need to build from source.

I see. That's too bad. I was hoping maybe even going back to an older version of LEDE where curl was known to work.

I can't get into building, it's beyond my knowledge and time considering all I really want/need is curl on these.

I guess I'll be storing these routers and probably junking them at some point. That's too bad and only because I can't get curl to work.

Thanks very much for your help folks.

It's not too much more complicated than using the image builder.

Looking at the pre-reqs you already have from the wiki

apt-get install build-essential libncurses5-dev zlib1g-dev gawk git gettext libssl-dev xsltproc wget unzip python

there isn't really much more for the full build system

It looks like you already have all the pre-reqs installed already!

sudo apt install build-essential libncurses5-dev gawk git libssl-dev gettext zlib1g-dev swig unzip time

I don't think you need swig (I never have) and time is no longer needed,