
OpenWrt and self-signed certificates

Posted Nov 18, 2020 22:49 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)
Parent article: OpenWrt and self-signed certificates

Why not provide HTTP interface on the LAN interface only? Yes, it's theoretically vulnerable but it should be fine for setting up the HTTPS initially.



OpenWrt and self-signed certificates

Posted Nov 18, 2020 23:02 UTC (Wed) by gray_-_wolf (subscriber, #131074) [Link]

I believe that is already the case (quoting from the article):

> By default, LuCI does not listen on the internet-facing side of the router, but is available via both wired and wireless access on the local network, though the wireless network is not enabled by default for OpenWrt.

I've "solved" this by tunnelling LuCI over ssh and connecting to localhost. Seems to work well enough.

OpenWrt and self-signed certificates

Posted Nov 18, 2020 23:41 UTC (Wed) by thumperward (guest, #34368) [Link] (7 responses)

https-only is coming to browsers. openwrt is far from the only place where this is going to cause problems. An overwhelming majority of net-oriented development tools (such as programming language dev servers, and cloud systems labs that assume flinging nginx onto a box will let its connectivity be tested) assume that browsers will accept unencrypted traffic.

openwrt is probably in a better situation than most of these use cases to be honest. At least there's plenty of work already in the wild permitting domestic routers to handle this.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 0:58 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (6 responses)

> https-only is coming to browsers.
There are no plans to disable HTTP completely, with the amount of other IoT stuff that uses HTTP internally.

And anyway, self-signed HTTPS certs are unlikely to go away either.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 10:36 UTC (Thu) by LtWorf (subscriber, #124958) [Link] (5 responses)

Try accepting a self-signed certificate in Chrome on Windows… Last I tried I failed to do it and had to use Firefox.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 15:52 UTC (Thu) by Lennie (subscriber, #49641) [Link] (2 responses)

OpenWrt and self-signed certificates

Posted Nov 21, 2020 17:33 UTC (Sat) by LtWorf (subscriber, #124958) [Link] (1 responses)

It's not all bad… because of reasons I was using Windows XP the other day, and basically the internet is unusable because of HTTPS and the severely old certs that are on XP. I installed Chrome on it.

OpenWrt and self-signed certificates

Posted Nov 23, 2020 22:52 UTC (Mon) by Lennie (subscriber, #49641) [Link]

You touch on another subject: old software and encryption, etc.

I'm very much for something like archive.org making old software run again so people can use it as it used to be used.

I'm amazed at what has been possible: https://archive.org/details/win3_stock

https://bellard.org/jslinux/vm.html?url=win2k.cfg&mem...

But as we've seen, for example, Apple had a service which was used to check developer signing certificates. These kinds of things will make it harder and harder to keep old software running.

And full disk encryption will mean that, for a device which isn't in use anymore because someone died, the data might be gone.

The reason the dark ages are called the dark ages is because we don't have many books/records from then. We might be entering (if not already have entered) digital dark ages.

OpenWrt and self-signed certificates

Posted Nov 22, 2020 10:24 UTC (Sun) by shx (guest, #105604) [Link]

I ran into similar issues, but that turned out to be a problem with a malformed certificate created by an old Juniper. The unexpected new information was that still a lot of the browser TLS stack is bound to the TLS library shipped with your OS, which results in browsers behaving differently on different operating systems, especially Chromium-based browsers. Probably the most consistent experience is Firefox's, due to NSS and the root cert store they ship. But then again, distro builds might differ.

OpenWrt and self-signed certificates

Posted Aug 4, 2021 3:24 UTC (Wed) by Divadeer (guest, #153561) [Link]

You have to add the certificate to the Windows certificate store. There are several different "substores" to put it in. Do not put it in Personal. Add it to the Trusted Root Certificates directory. I just checked and Chrome uses the Windows certificate store by default. So if it is trusted by your operating system then it will be trusted by Chrome.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 12:22 UTC (Thu) by epa (subscriber, #39769) [Link] (12 responses)

Why not provide HTTPS with a single certificate shared between all OpenWrt devices? It's not particularly secure but it is not any worse than unencrypted HTTP. Again, it can be provided on the LAN interface only (and possibly restricted further, like only available when there is a single LAN client). Once initial setup is complete, a new certificate can be generated for HTTPS. The initial setup with a shared certificate would have to have a special hostname.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 15:58 UTC (Thu) by Lennie (subscriber, #49641) [Link] (9 responses)

This might be the right answer.

Have a local name: local.openwrt.org which has a known certificate and which can automatically be downloaded/updated.

It's not more secure, but at least more convenient.

The DNS server on the OpenWrt device would overwrite* the name with its own IP, and thus a DHCP client resolving that name would be pointed directly at that OpenWrt device.

* For example Unbound has the local-data option:

https://nlnetlabs.nl/documentation/unbound/unbound.conf/

OpenWrt and self-signed certificates

Posted Nov 19, 2020 22:42 UTC (Thu) by Fowl (subscriber, #65667) [Link] (4 responses)

Such a certificate would be immediately revoked. This has been tried before.

OpenWrt and self-signed certificates

Posted Nov 20, 2020 4:53 UTC (Fri) by tialaramex (subscriber, #21167) [Link] (1 responses)

And obtaining such a certificate with this intent is also a violation of your subscriber agreement. The issuer _probably_ won't do anything about that, but they're entitled to do so if they wish. Knock it off.

OpenWrt and self-signed certificates

Posted Nov 20, 2020 8:34 UTC (Fri) by Lennie (subscriber, #49641) [Link]

It would 100% need to be in agreement with the issuer.

And possibly the CA/B forum.

OpenWrt and self-signed certificates

Posted Nov 23, 2020 14:22 UTC (Mon) by epa (subscriber, #39769) [Link] (1 responses)

What happens if you make a certificate not for a hostname but for a particular IP address like 192.168.1.1? That address is reserved for local networks and not routable on the Internet. To get to the site, you have to enter the IP address in the URI bar (it can't be used for a hostname, even if DNS is changed to return 192.168.1.1 for that name). The certificate issuer might be prepared to allow a shared certificate under these restrictions, and Mozilla and others might be prepared to accept it. Possibly the browser, rather than its usual secure padlock item, should show a warning and require an explicit step to view the page.
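The IP-address certificate idea above, and the earlier point about trusting a self-signed certificate per device rather than one shared by all of them, can be tried out in a few lines. The following is an added example written for this page; it is not code from the thread, from OpenWrt or from LuCI. It uses only Go's standard library: it mints a self-signed certificate whose only identity is an IP SAN for the constructed sample address 192.168.1.1, then verifies it the way a client would if its trust store held exactly that one pinned certificate (the "explicit step" suggested above, after which the client remembers the fingerprint). A second device generating its own certificate for the same IP is rejected by a client pinned to the first, which is exactly the distinction that a certificate and key shared across all devices would erase.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// RouterIP is the constructed sample address used in the thread; no real
// device is involved.
var RouterIP = net.ParseIP("192.168.1.1")

// NewRouterCert generates a fresh key pair and a self-signed certificate
// whose only identity is an IP-address SAN, the way a per-device install
// could on first boot. Nothing here is publicly trusted: a client has to
// decide to trust this one certificate explicitly.
func NewRouterCert(ip net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "OpenWrt router (example)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(5 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  false,
		IPAddresses:           []net.IP{ip}, // the SAN a browser matches against the URL's host
	}
	// Self-signed: the template is its own parent and the key signs itself.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint returns the hex SHA-256 of the DER certificate, which is what
// a client would record after the explicit first-contact step.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifyAgainst checks presented the way a TLS client would, but with a
// trust store containing exactly one pinned certificate instead of the
// public CA set: the chain must end at pinned and the IP SAN must match host.
func VerifyAgainst(presented, pinned *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinned)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host, // an IP literal here is matched against IPAddresses
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	router, err := NewRouterCert(RouterIP)
	if err != nil {
		panic(err)
	}
	fmt.Println("router fingerprint:", Fingerprint(router))
	fmt.Println("same device, right IP:", VerifyAgainst(router, router, "192.168.1.1"))
	fmt.Println("same device, wrong IP:", VerifyAgainst(router, router, "192.168.1.2"))

	// A second device with its own key for the same address: a client that
	// pinned the first one rejects it. Had every device shipped the same
	// certificate and key, this check could not tell them apart, which is
	// the man-in-the-middle concern raised elsewhere in the thread.
	other, err := NewRouterCert(RouterIP)
	if err != nil {
		panic(err)
	}
	fmt.Println("other device, pinned to first:", VerifyAgainst(other, router, "192.168.1.1"))
}
```

The first verification succeeds, the wrong-IP one fails with a hostname mismatch, and the second device fails with an unknown-authority error even though its certificate claims the same address. That is the whole security content of a self-signed router certificate: it proves nothing on first contact, but once pinned it does prove you are talking to the same device as last time.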

OpenWrt and self-signed certificates

Posted Nov 23, 2020 22:29 UTC (Mon) by Lennie (subscriber, #49641) [Link]

Yeah maybe, I don't know what they would allow.

None of it is ideal obviously.

OpenWrt and self-signed certificates

Posted Dec 3, 2020 11:49 UTC (Thu) by akvadrako (guest, #131971) [Link] (3 responses)

Or you could use Let's Encrypt with a wildcard DNS certificate. Then you could make a public domain which can be used for each local IP:

router.small-2.local.net A 192.168.2.1
router.big-2.local.net A 10.0.2.1

OpenWrt and self-signed certificates

Posted Dec 3, 2020 23:38 UTC (Thu) by Fowl (subscriber, #65667) [Link] (2 responses)

You would then need to route/centrally re-encrypt the traffic too, otherwise you're leaking the private key.

OpenWrt and self-signed certificates

Posted Dec 4, 2020 18:19 UTC (Fri) by akvadrako (guest, #131971) [Link] (1 responses)

The private key is shared publicly with all servers. This is just trying to be better than HTTP.

OpenWrt and self-signed certificates

Posted Dec 5, 2020 4:07 UTC (Sat) by Fowl (subscriber, #65667) [Link]

Once discovered (i.e. almost immediately) such public “private” keys are revoked.

OpenWrt and self-signed certificates

Posted Nov 20, 2020 15:15 UTC (Fri) by mebrown (subscriber, #7960) [Link] (1 responses)

This opens users up to all kinds of man-in-the-middle attacks. Sharing certs between devices is a terrible idea.

OpenWrt and self-signed certificates

Posted Nov 22, 2020 4:52 UTC (Sun) by diamondlovesyou (subscriber, #119529) [Link]

MITM doesn't matter here though. HTTP (no S) also suffers from this issue but it isn't (currently) stopping anyone.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds