OpenWrt/LEDE Project

  • Status Unconfirmed
  • Percent Complete
    0%
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity High
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Pascal Ernster - 20.11.2020

FS#3465 - libustream-wolfssl20200215 doesn't validate TLS server certificates

It appears that libustream-wolfssl20200215, which is used as the default TLS client implementation in current OpenWRT snapshot images, checks only if the CN or SAN in the server certificate matches the hostname, but not if the certificate was actually issue/signed by a trusted CA (thus making all other checks completely pointless) or if the certificate has expired.

On a device running the most recent OpenWRT snapshot image, all of the following three commands would be expected to fail with certificate errors, but they succeed without giving any error:

root@vr200v:/tmp# uclient-fetch -O - 'https://self-signed.badssl.com/'
root@vr200v:/tmp# uclient-fetch -O - 'https://untrusted-root.badssl.com/'
root@vr200v:/tmp# uclient-fetch -O - 'https://expired.badssl.com/'

Manually specifying the CA doesn’t change the behavior, either:

root@vr200v:/tmp# uclient-fetch --ca-certificate=/rom/etc/ssl/certs/ca-certificates.crt -O - 'https://self-signed.badssl.com/'
root@vr200v:/tmp# uclient-fetch --ca-certificate=/tmp/ISRG_Root_X1.crt -O - 'https://self-signed.badssl.com/'

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing