[OpenWrt-Devel] uhttpd: Cert error "sec_error_reused_issuer_and_serial"

Gui Iribarren gui at altermundi.net
Wed Jul 9 05:14:46 EDT 2014

Hello hackers,
so, we've been bumping lately into what seems to be a pretty well known
bug, that noone cared enough to fix yet?

the symptom of the issue is that after flashing several same-model
routers with the same openwrt binary, then accessing them over https,
and accepting the self-signed certificate, after a few iterations on
different hosts, firefox refuses to connect due to a "reused issuer and
serial number" on the certificate sent by the server (openwrt)

the root of the issue is that openwrt generates certificates with px5g,
which as far as i dug into, bases the generated serialNumber upon the
epoch (with up-to-the-second-precision)

same hardware, same binary, and with the same startup date at first
boot... the chances of two different routers running the
/etc/init.d/uhttpd start at the exact same second are pretty high (in
our experience - at least  3 in a lot of 10)

routers get the correct date afterwards, with ntpdate, but then it's too
late: px5g already generated the certificate with identical serialNumber
as the other routers.

this is aggravated by a (particularly long standing) bug in firefox
which makes it impossible to remove such information (already seen
issuer+serial) from the browser PKI internal database.

chromium overreacts in a comparable way.

the poor linksys customers complaining in mozilla's ticket are probably
doomed, after 6 years seeing the issue "Assigned To: Nobody; OK to take
it and work on it " :P

but maybe we can do our part on openwrt?

PX5G X.509 Certificate Generator Utility v0.1
Copyright (c) 2009 Steven Barth <steven at midlink.org>

Steven, do you think it would possible to add a bit of randomness to the
serialNumber generation function?
i understand entropy is scarce in embedded devices, especially on first
boot, and my C coding skills are null, so i'm hoping someone can throw a
pointer here?

relevant snippet AFAIU:

from feeds/luci/libs/px5g/src/library/x509write.c

     *  CertificateSerialNumber  ::=  INTEGER
    srand((unsigned int) time(NULL));
    serial = rand();
    if ((ret = asn1_add_int(serial, &chain->serial)) != 0)
        return ret;


openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list