HTTPS Problem (SSLv3)

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page Previous  1, 2, 3  Next
Author Message
WhyComputer
DD-WRT Novice


Joined: 20 Nov 2008
Posts: 6

PostPosted: Mon Dec 01, 2014 18:38    Post subject: Re: SSL Testing Reply with quote
jyxavier wrote:
To the devs, if there is anyway I can assist, let me know. I'm happy to help.


Same thing here, Awesome work from the developers. if I can help let me know.
And thank you jyxavier for the detailed post.
Sponsor
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 3883
Location: Germany

PostPosted: Mon Dec 01, 2014 18:55    Post subject: Re: SSL Testing Reply with quote
jyxavier wrote:


Therefore, I believe there are two issues:
1) No support for TLS
2) Small keys - (which I believe can be overriden; more on that later)



1.TLS has been supported for long in all builds that come with openssl. But it does not fit in 4MB builds.

I just fixed firmware sizes for broadcom K26 builds, so next release will have big builds that should fit units with >=8MB flash.

2. Has been changed a long time ago to key length 2048.
jyxavier
DD-WRT Novice


Joined: 26 Oct 2008
Posts: 11

PostPosted: Tue Dec 02, 2014 5:35    Post subject: Reply with quote
I don't mean to be argumentative, but TLS is not working and the key size is clearly 512 bits in this build. I downloaded it from here http://ddwrt.stevejenkins.com/22000++/kingkong-nv60k-broadcom.bin, and believe that is a mega and comes with openssl as I was able to use the gencert.sh file to create a new cert on my router. I'm making no claims on whether or not the code is supposed to support what you are saying. It simply is not working as described.

To confirm, I used the follow command to check:

Code:
echo | openssl s_client -connect 192.168.1.1:443 -ssl3 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'


This returned the following cert:

-----BEGIN CERTIFICATE-----
MIICJDCCAc4CCQDMHVbqb0g5CzANBgkqhkiG9w0BAQUFADCBmDELMAkGA1UEBhMC
REUxDjAMBgNVBAgTBVNheG9uMRAwDgYDVQQHEwdEcmVzZGVuMRowGAYDVQQKExFO
ZXdNZWRpYS1ORVQgR21iSDEPMA0GA1UECxMGREQtV1JUMRowGAYDVQQDExFOZXdN
ZWRpYS1ORVQgR21iSDEeMBwGCSqGSIb3DQEJARYPaW5mb0BkZC13cnQuY29tMB4X
DTE0MDYwNzE5NTYyM1oXDTI0MDYwNDE5NTYyM1owgZgxCzAJBgNVBAYTAkRFMQ4w
DAYDVQQIEwVTYXhvbjEQMA4GA1UEBxMHRHJlc2RlbjEaMBgGA1UEChMRTmV3TWVk
aWEtTkVUIEdtYkgxDzANBgNVBAsTBkRELVdSVDEaMBgGA1UEAxMRTmV3TWVkaWEt
TkVUIEdtYkgxHjAcBgkqhkiG9w0BCQEWD2luZm9AZGQtd3J0LmNvbTBcMA0GCSqG
SIb3DQEBAQUAA0sAMEgCQQC9JhWMrYaKN7TJoH6vYs6ofjK5jdvacCTz5VWK4I9C
6BGNr4wQTeeuVbhnQIqx71LuYawZKUY4fs5GA+VLgVL/AgMBAAEwDQYJKoZIhvcN
AQEFBQADQQCe0olJ2K4GS104O1yQD0ziYfPnkkMzvsadtVFGG1DN0YXqmGFpoAI+
dsJ3MNQ0C/IhTPjYzw49Vw4E4opcQkWI
-----END CERTIFICATE-----

I tried the openssl command without the -ssl3 and only received an error. Trying with -tls1, -tls1_1, and -tls1_2 all received a TCP FIN,ACK response from the router closing the connection when those protocols were used.

I was able to generate and store a cert in the /tmp/ directory last night to confirm that the browser behavior returned to normal with 2048 bit certificate. As my previous post questioned, I'm not sure where to permanently store that cert since tmp is obviously wiped at reboot.

For those having browser issues, can you confirm the key size and which protocols work? For that matter, those whose setup is working, can you confirm what is working and post? You should be able to use the above command to retrieve the certificate and test the various protocols. On Windows, you can view the cert properties by saving the above text in a new text file with a .cer extension. Double-click the resulting file, and you should see bit size under the Details tab.

Kong, Is there anything else I can do to help? I've spent a decent amount of time testing and confirming so that I wasn't crying wolf and providing misleading info. I don't know if I have a corrupted build or need to reflash.

MD5 Hash for bin: 3598BF4B8D32EF03077CAD16FC41162F
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 3883
Location: Germany

PostPosted: Tue Dec 02, 2014 7:16    Post subject: Reply with quote
jyxavier wrote:
I don't mean to be argumentative, but TLS is not working and the key size is clearly 512 bits in this build. I downloaded it from here


That is an old build it just got a handful updates for apps, but as it says 22000 (+ the changes in the Changelog, nothing else), key length was changed 15 month ago in http://svn.dd-wrt.com/changeset/22285
amu5ed
DD-WRT Novice


Joined: 20 Feb 2014
Posts: 22

PostPosted: Wed Dec 03, 2014 9:05    Post subject: Reply with quote
What about the current BrainSlayer Builds?
I use the K3X Build 25408 on an E3000. This unit has 8MB, but TLS is not working either!

BR
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 3883
Location: Germany

PostPosted: Wed Dec 03, 2014 11:54    Post subject: Reply with quote
amu5ed wrote:
What about the current BrainSlayer Builds?
I use the K3X Build 25408 on an E3000. This unit has 8MB, but TLS is not working either!

BR


grep -q "tls" /usr/lib/libssl.so.1.0.0 2> /dev/null && echo "TLS is supported." || echo "TLS is not available in your build."
WhyComputer
DD-WRT Novice


Joined: 20 Nov 2008
Posts: 6

PostPosted: Thu Dec 04, 2014 15:44    Post subject: Did the K2.6 update trickle to the K3 build? Reply with quote
Just updated yesterday to:
DD-WRT v24-sp2 (12/02/14) mega - build 25527
dd-wrt.v24-25527_NEWD-2_K3.x_mega_RT-N66U

I am still having the same issue:
Error code: ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION

I will give r25544 a try when I go home.

P.S. I just found out that IE 11 works fine with it.
The issue I have is with Firefox and Chrome, so this?
http://svn.dd-wrt.com/ticket/3696#comment:17
amu5ed
DD-WRT Novice


Joined: 20 Feb 2014
Posts: 22

PostPosted: Mon Dec 08, 2014 12:47    Post subject: Reply with quote
@Kong
thanks for the grep - it says tht TLS is not supported.
The E3000 should be capable of using 8MB builds?!

BR
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 3883
Location: Germany

PostPosted: Mon Dec 08, 2014 13:33    Post subject: Reply with quote
amu5ed wrote:
@Kong
thanks for the grep - it says tht TLS is not supported.
The E3000 should be capable of using 8MB builds?!

BR


It is included in K26 builds. But the kernel in K3 builds is a lot larger so not all features from K26 will fit in.
amu5ed
DD-WRT Novice


Joined: 20 Feb 2014
Posts: 22

PostPosted: Mon Dec 15, 2014 19:37    Post subject: Reply with quote
@Kong thanks for the clarification Any possibilities that it will be included in any future builds?

BR
gmnenad
DD-WRT Novice


Joined: 17 Apr 2011
Posts: 7

PostPosted: Tue Dec 16, 2014 18:06    Post subject: Reply with quote
If anyone else have same problem as I did - unable to login to DD WRT router from any major browser - try Opera browser.

Unlike FireFox, Chrome or IE , Opera offers 'continue' option ... which was necessary for me, since I had disabled plain HTTP and only left HTTPS as working on router, so I needed to do HTTPS login even to upgrade.

BTW, upgraded now from build 21676 to build 25648, and now it works even from Firefox (after confirming certificate)
Dan902
DD-WRT Novice


Joined: 18 Dec 2012
Posts: 14

PostPosted: Thu Dec 18, 2014 2:01    Post subject: Re: Same issue with Reply with quote
WhyComputer wrote:
Issue seems present for:
Router Model Asus RT-N66U
Firmware Version DD-WRT v24-sp2 (11/20/14) mega - build 25408
K3 build (dd-wrt.v24-25408_NEWD-2_K3.x_mega_RT-N66U.trx)

but NOT for:
Router Model Linksys WRT54G/GL/GS
Firmware Version DD-WRT v24-sp2 (11/20/14) mega - build 25408
(dd-wrt.v24_mega_generic.bin)


I have a WRT54GL router. Where can I find the Firmware Version DD-WRT v24-sp2 (11/20/14) mega - build 25408? I thought the mega version was too big for my router?

Currently using DD-WRT v24-sp2 (08/12/10) vpn
(SVN revision 14929).

Thanks
Danny
w00tguy
DD-WRT Novice


Joined: 22 Dec 2014
Posts: 1

PostPosted: Mon Dec 22, 2014 0:22    Post subject: Reply with quote
I'm seeing the same issue in chrome 39. I'm using "v24-sp2 (07/17/13) kongac - build 22060" on a R6300v1.

<Kong> wrote:
grep -q "tls" /usr/lib/libssl.so.1.0.0 2> /dev/null && echo "TLS is supported." || echo "TLS is not available in your build."


This returned "TLS is supported" for me. Is there a way to turn it on?
databoy2k
DD-WRT Novice


Joined: 15 Sep 2007
Posts: 12

PostPosted: Mon Dec 22, 2014 20:24    Post subject: Reply with quote
I'm on 25648 (BS) on a 310N v.1 (std. gen. vpn). This issue is still here. Thanks for the tip to use Opera to bypass the issue.

TLS not supported using the grep -q "tls" /usr/lib/libssl.so.1.0.0 2> /dev/null && echo "TLS is supported." || echo "TLS is not available in your build." command. So no support for TLS on K24? Any way to add it?
WhyComputer
DD-WRT Novice


Joined: 20 Nov 2008
Posts: 6

PostPosted: Tue Mar 10, 2015 15:16    Post subject: K3.x built Reply with quote
This seems to have been fixed for K2.4 and K2.6 as Kong mentioned earlier. For K3.x kernel the firmware image becomes bigger than 8MB.

Now, question, isn't the K3.X targeted toward newer routers that often come with more than 8MB flash? For example there is a specific build for RT-N66U and that device comes with 32MB flash.

I am happy to "downgrade" to K2.6 but I don't know what CFE version I have. Is there a way to tell via shell or do I have to boot into CFE? Or switch temporarily to Asus firmware?

Thank you,
Goto page Previous  1, 2, 3  Next Display posts from previous:    Page 2 of 3
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum