Opened 5 years ago

Closed 4 years ago

#13117 closed defect (obsolete)

uhttpd + cyassl responds poorly to TLS 1.1, TLS 1.2 and ssl 2.0 https requests

Reported by: vhrm Owned by: nbd
Priority: normal Milestone:
Component: packages Version: Trunk
Keywords: Cc:


The uhttpd in trunk works ok for SSLv3 and TLS 1.0 https requests, but it responds poorly to other types, at least as spoken by openssl s_client

SSLv2 and TLS 1.2 both cause the connection to hang and the server doesn't seem to provide any response

In response to a TLS 1.1 request it sends back a TLS 1.0 message (which may be a valid fall-back or not. don't know how the protocol is supposed to work).

cyassl's web-site says it supports TLS 1.1 and TLS 1.2 (and so does openssl ) so presumably it's an integration issue of some sort.

tested with
OpenSSL 1.0.1e 11 Feb 2013 running on cygwin with

echo -e "GET / HTTP/1.0\r\n\r\n" | openssl s_client -ign_eof -connect -msg -tls1

replace "-tls1" with "-ssl2" "-ssl3" "-tls1_1" or "-tls1_2" for the other cases.

(discovered this behavior because i was having a (turns out unrelated) problem with Firefox. Testing with openssl s_client also seemed to fail. Poking around a bit found out that openssl currently defaults to TLS 1.2 )

same build/image/system mentioned in #13112:

This is on a netgear WNR2000 ("AP81" platform) with a home built trunk image.

OpenWrt Barrier Breaker r35770
Linux OpenWrt 3.7.9 #13 Mon Feb 25 15:08:26 EST 2013 mips GNU/Linux

root@OpenWrt:/etc/config# opkg list-installed | egrep "uhttpd|ssl"
libcyassl - 1.6.5-2
libustream-cyassl - 2013-01-22-da607e6272d789ed5dae3b0efff90912fda6f81f
uhttpd - 2013-01-22-14e3971c37e6feb0ec5eda0988e07d8a786ba9f9
uhttpd-mod-lua - 2013-01-22-14e3971c37e6feb0ec5eda0988e07d8a786ba9f9
uhttpd-mod-tls - 2013-01-22-14e3971c37e6feb0ec5eda0988e07d8a786ba9f9
uhttpd-mod-ubus - 2013-01-22-14e3971c37e6feb0ec5eda0988e07d8a786ba9f9

px5g generated cert w/ 2048 bit key.

Attachments (0)

Change History (4)

comment:1 Changed 5 years ago by jow

  • Owner changed from developers to nbd
  • Status changed from new to assigned

comment:2 Changed 5 years ago by vhrm

One thing of note is that cyassl 1.6.5 is about 2.5 years old already and it looks like there has been a fair amount of development on it since then.

Including things like:
" improved TLSv1.2 through testing and better hash/sig algo ids "

2.x also adds support for stronger algorithms and supposedly some options for smaller code and memory usage:

-Lean PSK build (reduced code size, RAM usage, and stack usage)

No idea if this was discussed elsewhere (but i don't see anything on a quick search)

comment:3 Changed 5 years ago by nbd

You could try if polarssl works better, it is supported via ustream-ssl now.

comment:4 Changed 4 years ago by nbd

  • Resolution set to obsolete
  • Status changed from assigned to closed

the default implementation has been switched to polarssl in r38250

Add Comment

Modify Ticket

as closed .
The resolution will be deleted. Next status will be 'reopened'.

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.