Opened 5 years ago

Closed 3 years ago

#12457 closed enhancement (fixed)

uHTTPd does not support SSL certificate chains

Reported by: me@… Owned by: developers
Priority: low Milestone: Barrier Breaker 14.07
Component: base system Version: Trunk
Keywords: uhttpd ssl Cc:

Description

uHTTPd ignores multiple certificate sections in the supplied .crt file.

From what I understand, it is trivial to patch uHTTPd to read and supply multiple certificates to make browsers validate the chain.

My Amazon Kindle’s browser refuses to display LuCI due to the certificate not validating correctly, and some browsers do not validate without the intermediate certificate from my CA.

Attachments (2)

uhttpd.patch (489 bytes) - added by packet@… 5 years ago.
Patch to enable certificate chain support using OpenSSL / CyaSSL >= 2.0.0rc1
ustream.patch (431 bytes) - added by packet@… 5 years ago.
Untested patch for ustream-ssl to enable certificate chain loading

Change History (9)

comment:1 Changed 5 years ago by me@…

Another user who has encountered the need for chained certificates: https://forum.openwrt.org/viewtopic.php?id=29120

Changed 5 years ago by packet@…

Patch to enable certificate chain support using OpenSSL / CyaSSL >= 2.0.0rc1

comment:2 Changed 5 years ago by packet@…

The patch loads a whole certificate chain from a PEM-encoded certificate file. If the certificate file only includes one certificate, or if the file is not PEM-encoded, the old behaviour is preserved.

The patch can be compiled with CyaSSL 1.4.0 (current version in backfire branch), but only loads the first certificate in the PEM file. CyaSSL 2.0.0rc1 and later should work, according to the changelog.
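The loading rule comment 2 describes, written out as an added Python example (not the attached patch, which targets OpenSSL/CyaSSL): several PEM CERTIFICATE sections yield the whole chain, while a single-section PEM or a non-PEM file falls back to one certificate. The certificate bodies are constructed placeholders rather than real certificates, and the DER outer-length check is an added sanity check that the patch itself does not perform.

```python
import base64
import re

# A PEM "CERTIFICATE" section; re.DOTALL lets the base64 body span lines.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

# Constructed placeholders, NOT real certificates: each body is the DER
# encoding of SEQUENCE { INTEGER n }, enough to exercise the length check.
PLACEHOLDER_LEAF = (b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n"
                    b"-----END CERTIFICATE-----\n")
PLACEHOLDER_INTERMEDIATE = (b"-----BEGIN CERTIFICATE-----\nMAMCAQI=\n"
                            b"-----END CERTIFICATE-----\n")
SAMPLE_CHAIN_PEM = PLACEHOLDER_LEAF + PLACEHOLDER_INTERMEDIATE  # leaf first
SAMPLE_RAW_DER = bytes.fromhex("3003020101")  # the leaf body without PEM armour


def der_outer_length_ok(der: bytes) -> bool:
    """Added sanity check: `der` must be one complete DER SEQUENCE (tag 0x30)
    whose declared length covers exactly the remaining bytes, so truncated or
    concatenated blobs are rejected instead of being handed to the TLS library."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                     # short form: length fits in 7 bits
        return len(der) == 2 + first
    n = first & 0x7F                     # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:       # 0x80 (indefinite) is not DER
        return False
    declared = int.from_bytes(der[2:2 + n], "big")
    return len(der) == 2 + n + declared


def load_certificate_chain(data: bytes) -> list[bytes]:
    """Return every certificate in `data` as DER, in file order.

    Several PEM CERTIFICATE sections -> all of them (the chain).
    One PEM section                  -> just that one (old behaviour).
    Not PEM at all                   -> the whole file as a single DER cert.
    """
    blocks = PEM_BLOCK.findall(data)
    certs = [base64.b64decode(b"".join(b.split())) for b in blocks] or [data]
    for i, cert in enumerate(certs):
        if not der_outer_length_ok(cert):
            raise ValueError(f"certificate {i} is not a well-formed DER SEQUENCE")
    return certs


def has_intermediates(data: bytes) -> bool:
    """True when the bundle carries more than the leaf, i.e. at least one
    intermediate, which is what the browsers in this ticket were missing."""
    return len(load_certificate_chain(data)) >= 2
```

Running `has_intermediates` over the .crt handed to uhttpd is a quick way to tell whether the file itself lacks the intermediate or whether the server is dropping it.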

comment:3 Changed 5 years ago by packet@…

I can confirm that the patch works with OpenSSL 0.9.8x (current version in backfire branch).

Changed 5 years ago by packet@…

Untested patch for ustream-ssl to enable certificate chain loading

comment:4 Changed 5 years ago by packet@…

The ustream patch has the same constraints as the uhttpd patch: it should work with OpenSSL and CyaSSL >= 2.0.0rc1 and should at least compile with CyaSSL < 2.0.0rc1. When compiled with CyaSSL < 2.0.0rc1, it should only load the first certificate in the chain.

comment:5 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted

comment:6 Changed 3 years ago by packet@…

I can confirm that OpenWrt Barrier Breaker 14.07 with uhttpd-mod-tls (2014-08-25-dabd7dea6445aaa0e5b8d9add1872fa7393b3a85) fixes this bug. It could now be closed.

comment:7 Changed 3 years ago by nbd

  • Resolution set to fixed
  • Status changed from new to closed
