[OpenWrt-Devel] uhttpd: Cert error "sec_error_reused_issuer_and_serial"
Gui Iribarren
gui at altermundi.net
Wed Jul 9 05:14:46 EDT 2014
Hello hackers,
so, we've been bumping lately into what seems to be a pretty well known
bug, that no one cared enough to fix yet?
the symptom of the issue is that after flashing several same-model
routers with the same openwrt binary, then accessing them over https,
and accepting the self-signed certificate, after a few iterations on
different hosts, firefox refuses to connect due to a "reused issuer and
serial number" on the certificate sent by the server (openwrt)
the root of the issue is that openwrt generates certificates with px5g,
which as far as I dug into, bases the generated serialNumber upon the
epoch (with up-to-the-second precision)
same hardware, same binary, and with the same startup date at first
boot... the chances of two different routers running the
/etc/init.d/uhttpd start at the exact same second are pretty high (in
our experience - at least 3 in a lot of 10)
routers get the correct date afterwards, with ntpdate, but then it's too
late: px5g already generated the certificate with identical serialNumber
as the other routers.
this is aggravated by a (particularly long standing) bug in firefox
https://bugzilla.mozilla.org/show_bug.cgi?id=435013
which makes it impossible to remove such information (already seen
issuer+serial) from the browser PKI internal database.
chromium overreacts in a comparable way.
the poor linksys customers complaining in mozilla's ticket are probably
doomed, after 6 years seeing the issue "Assigned To: Nobody; OK to take
it and work on it " :P
but maybe we can do our part on openwrt?
PX5G X.509 Certificate Generator Utility v0.1
Copyright (c) 2009 Steven Barth <steven at midlink.org>
Steven, do you think it would be possible to add a bit of randomness to the
serialNumber generation function?
I understand entropy is scarce in embedded devices, especially on first
boot, and my C coding skills are null, so I'm hoping someone can throw a
pointer here?
relevant snippet AFAIU:
from feeds/luci/libs/px5g/src/library/x509write.c
/*
 * CertificateSerialNumber ::= INTEGER
 */
/* seed is the wall clock in whole seconds: identical on every device that
 * reaches this line in the same second (no RTC, NTP not yet run) */
srand((unsigned int) time(NULL));
serial = rand(); /* one PRNG output; same seed, same serial */
if ((ret = asn1_add_int(serial, &chain->serial)) != 0)
    return ret;
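To make the collision concrete and show one way out of it, here is an added example (not code from this mail or from px5g): old_scheme_serial reproduces the time-seeded rand() above, and new_scheme_serial is a hypothetical replacement that builds a 20-byte serial from the boot time plus bytes read from /dev/urandom, so two devices starting uhttpd in the same second still get different serials. The function and file names are my own assumptions, not px5g's.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define SERIAL_LEN 20 /* RFC 5280 caps serialNumber at 20 octets */

/* Current px5g behaviour: seed rand() with the first-boot clock and take one
 * value, so every device reaching this line in the same second (same model,
 * same image, no RTC, NTP not yet run) derives the same serial. */
long old_scheme_serial(time_t boot_time)
{
    srand((unsigned int) boot_time);
    return rand();
}

/* Hypothetical replacement (not px5g code): pull kernel entropy. On Linux
 * /dev/urandom never blocks, so it is usable during first boot as well. */
static int fill_random(uint8_t *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, len, f);
    fclose(f);
    return (n == len) ? 0 : -1;
}

/* 20-byte serial: positive lead byte, 4 bytes of boot time (still distinguishes
 * reboots of one device), 15 random bytes separating devices that boot in the
 * same second. Returns 0 on success, -1 if entropy could not be read. */
int new_scheme_serial(time_t boot_time, uint8_t out[SERIAL_LEN])
{
    uint8_t rnd[16];
    if (fill_random(rnd, sizeof rnd) != 0) return -1;
    uint32_t t = (uint32_t) boot_time;
    out[0] = (uint8_t)((rnd[0] & 0x7e) | 0x01); /* 0x01..0x7f: positive INTEGER */
    out[1] = (uint8_t)(t >> 24);
    out[2] = (uint8_t)(t >> 16);
    out[3] = (uint8_t)(t >> 8);
    out[4] = (uint8_t) t;
    memcpy(out + 5, rnd + 1, SERIAL_LEN - 5);
    return 0;
}

/* Two "routers" starting uhttpd in the same second: 1 if their serials differ,
 * 0 if they collide, -1 if entropy could not be read. */
int new_scheme_distinct(time_t boot_time)
{
    uint8_t a[SERIAL_LEN], b[SERIAL_LEN];
    if (new_scheme_serial(boot_time, a) != 0 || new_scheme_serial(boot_time, b) != 0) return -1;
    return memcmp(a, b, SERIAL_LEN) != 0;
}
```

The constructed timestamp in the test stands in for a first boot with a reset clock; the real fix would also need the DER encoder to accept a multi-byte INTEGER rather than a single int.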
cheers!
gui
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel