It appears that libustream-wolfssl20200215, which is used as the default TLS client implementation in current OpenWRT snapshot images, checks only if the CN or SAN in the server certificate matches the hostname, but not if the certificate was actually issued/signed by a trusted CA (thus making all other checks completely pointless) or if the certificate has expired.
On a device running the most recent OpenWRT snapshot image, all of the following three commands would be expected to fail with certificate errors, but they succeed without giving any error:
root@vr200v:/tmp# uclient-fetch -O - 'https://self-signed.badssl.com/'
root@vr200v:/tmp# uclient-fetch -O - 'https://untrusted-root.badssl.com/'
root@vr200v:/tmp# uclient-fetch -O - 'https://expired.badssl.com/'
Manually specifying the CA doesn't change the behavior, either:
root@vr200v:/tmp# uclient-fetch --ca-certificate=/rom/etc/ssl/certs/ca-certificates.crt -O - 'https://self-signed.badssl.com/'
root@vr200v:/tmp# uclient-fetch --ca-certificate=/tmp/ISRG_Root_X1.crt -O - 'https://self-signed.badssl.com/'
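A regression check for the behaviour described above, added here as an example and not part of this issue or of the OpenWrt project: it drives the fetcher against the badssl.com hosts that a validating client must reject (plus the valid badssl.com as a control) and reports every check the client fails to enforce. FETCHER, CONTROL_HOST, NEGATIVE_HOSTS and the verdict/run_checks helpers are assumptions of this example; wrong.host.badssl.com is included to cover the hostname check the report says does work.

```shell
#!/bin/sh
# Regression check for TLS certificate validation in an HTTPS client.
# Every host in NEGATIVE_HOSTS serves a certificate that a correctly
# validating client must reject; a successful fetch means that check is
# not enforced (the behaviour reported above for libustream-wolfssl).
# FETCHER is an assumed variable: override it to test another client,
# e.g. FETCHER="curl -sSf -o /dev/null".
FETCHER="${FETCHER:-uclient-fetch -O /dev/null}"
CONTROL_HOST="badssl.com"          # valid certificate: must succeed
NEGATIVE_HOSTS="self-signed.badssl.com:chain-of-trust \
untrusted-root.badssl.com:trusted-CA \
expired.badssl.com:expiry \
wrong.host.badssl.com:hostname"

# verdict HOST CHECK RC: classify the fetcher's exit code for a negative host.
# Returns 0 when the client rejected the certificate, 1 when it accepted
# a certificate it should have refused.
verdict() {
  host=$1; check=$2; rc=$3
  if [ "$rc" -eq 0 ]; then
    echo "FAIL $host: fetch succeeded, $check check is not enforced"
    return 1
  fi
  echo "PASS $host: rejected (exit $rc), $check check enforced"
  return 0
}

# run_checks: 0 = all checks enforced, 1 = at least one check missing,
# 2 = inconclusive (control fetch failed: no network, no CA bundle, no fetcher).
run_checks() {
  if ! $FETCHER "https://$CONTROL_HOST/" >/dev/null 2>&1; then
    echo "INCONCLUSIVE: control fetch of $CONTROL_HOST failed; fix connectivity or CA bundle first"
    return 2
  fi
  failures=0; total=0
  for entry in $NEGATIVE_HOSTS; do
    host=${entry%%:*}; check=${entry#*:}; total=$((total + 1))
    $FETCHER "https://$host/" >/dev/null 2>&1
    verdict "$host" "$check" $? || failures=$((failures + 1))
  done
  echo "$failures of $total negative checks failed"
  [ "$failures" -eq 0 ]
}

# Run the live check only when invoked as: sh tls_check.sh run
if [ "${1:-}" = run ]; then run_checks; fi
```

On the affected image the three hosts from the report come back as FAIL while wrong.host.badssl.com comes back as PASS, which is exactly the "hostname only" validation described above.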
I can confirm this on 19.07 as well. It's not related to the version bump from wolfssl 4.4.0 to 4.5.0 (latest stable release); I've tried to downgrade and the problem is the same with the previous version as well, so the problem is probably somewhere in the libustream-wolfssl library itself.