{"id":142,"date":"2018-05-14T09:49:50","date_gmt":"2018-05-14T01:49:50","guid":{"rendered":"http:\/\/blog.qiaogen.com\/?p=142"},"modified":"2018-05-14T09:49:50","modified_gmt":"2018-05-14T01:49:50","slug":"openwrt-howtos-ssl-and-certificates-in-wget","status":"publish","type":"post","link":"https:\/\/www.sangqiao.com\/blog\/archives\/142","title":{"rendered":"OpenWrt HOWTOs \u00bb SSL and Certificates in wget"},"content":{"rendered":"

SSL and Certificates in wget<\/h2>\n
\n

This is a short tutorial on how to make wget (with libSSL) accept trusted certificate authorities. Without trusted certificate authorities, any party can pretend to be the site wget tries to contact. In addition to proving the server on the other end is who it says it is, using SSL means encryption will protect the request while in transit, e.g. a DDNS password.<\/p>\n

Note: This probably won’t work for wget(matrixtunnel) and it can’t work for wget(nossl) because wget looks for the certificates in a libSSL dependand way. Please add information for other flavors of wget.<\/em><\/p>\n<\/div>\n

A Caveat<\/h3>\n
\n

With the release of wget 1.13 in August 2011 this section is most probably outdated.<\/p>\n

There is a known bug (here<\/a>,\u00a0here<\/a>,\u00a0and here<\/a>) in wget 1.12 which prevents successful SSL connections to many sites. Dyndns.com is one such site, wget reports:\u00a0ERROR: certificate common name `*.dyndns.com' doesn't match requested host name `dyndns.com'.
\nTo connect to dyndns.com insecurely, use `\u2013no-check-certificate'.<\/code><\/p>\n

The bug has been fixed, but wget hasn’t had a release since 22-Sep-2009. As of 16-Mar-2011,\u00a0it looks like<\/a>\u00a0a new version of wget will be released “soon”, which will contain this patch.<\/del>\u00a0wget (1.13.4-1) is now available in the OpenWRT repositories.<\/p>\n<\/div>\n

Install wget (with SSL)<\/h3>\n
\n

The default wget in OpenWRT is provided by Busybox, which does not support SSL. If you want to use SSL (https) URLs, you can install the real wget:<\/p>\n

opkg update\r\nopkg install wget<\/pre>\n
\/usr\/bin\/wget points now to the full version.<\/p><\/div>\n
Certificate Directory<\/h3>\n
\n
    \n
  1. \n
    Create the wget\/libSSL certificate directory:<\/p>\n
    mkdir<\/span> -p<\/span> \/<\/span>etc\/<\/span>ssl\/<\/span>certs<\/pre>\n<\/div>\n<\/li>\n
  2. \n
    So wget knows where to look, update\u00a0\/etc\/profile<\/code>\u00a0and add the line:<\/p>\n
    export<\/span> SSL_CERT_DIR<\/span>=\/<\/span>etc\/<\/span>ssl\/<\/span>certs<\/pre>\n<\/div>\n<\/li>\n
  3. \n
    Update shell:<\/p>\n
    source<\/span> \/<\/span>etc\/<\/span>profile<\/pre>\n<\/div>\n<\/li>\n
  4. \n
    you can also use\u00a0\/etc\/ssl\/certs<\/code>\u00a0directory with\u00a0curl \u2013capath<\/code><\/div>\n<\/li>\n<\/ol>\n
    Note: if you need SSL in your DDNS client, look also here\u00a0using.wget<\/a><\/p>\n<\/div>\n
    Adding root certificates<\/h3>\n
    \n
    Most browsers\/distributions\/etc ship with root certificates from the major Certificate Authorities, such as VeriSign and GeoTrust. Root certificates are used to validate the certificates presented by servers. OpenWRT does not include root certificates, so it is up to you to install them.<\/p>\n<\/div>\n
    Adding certificates through opkg<\/h4>\n
    \n
    You can use opkg to install the certificates from the major CA<\/p>\n
    opkg install ca-certificates<\/pre>\n
    Now you have the major root certificates installed in \/etc\/ssl\/certs<\/p><\/div>\n
    Adding certificates manually<\/h4>\n
    \n
    Let say we want to install the root certificate authority for dyndns.org. The domain\u00a0https:\/\/members.dyndns.org<\/a>\u00a0is signed by the\u00a0“Equifax” root certificate<\/a><\/del>. We need to download the root certificate, then place it in the certificate directory. Certificates in \/etc\/ssl\/certs must be named after their hash value so that they can be found.<\/p>\n
    It is easier to find the root certificate with any modern web browser (e.g. firefox) by opening the site with https, viewing the certificate and exporting it from the browser to a pem or base64 cer file. Using openssl s_client allows for easy downloading of the remote server’s SSL certificate chain. You should verify the chain you get with another source such as your web browser.<\/p>\n
    The first step is installing\u00a0openssl-util<\/code>:<\/p>\n
    opkg install openssl-util<\/pre>\n
    Now you can use either the manual method or the add-cert.sh script below to install certs into \/etc\/ssl\/certs. Make sure to use openssl from the OpenWrt device because if you try this from your linux PC, you may get a completely different hash for the same exact certificate due to a difference in the version of openssl.<\/p>\n
    \n\n\n\n\n\n
    shell prompt<\/th>\n<\/tr>\n<\/thead>\n
    \n
    cd<\/span> \/<\/span>etc\/<\/span>ssl\/<\/span>certs\r\nopenssl s_client -connect<\/span> members.dyndns.org:443<\/span> <<\/span> \/<\/span>dev\/<\/span>null ><\/span> temporary.out\r\nopenssl x509 -outform<\/span> PEM <<\/span> temporary.out ><\/span> members.dyndns.org.cer\r\n\u00a0\r\n\u00a0\r\n##### create link using the hash value from openssl #####<\/span>\r\n# store certificate hash value in HASH append .0<\/span>\r\nHASH<\/span>=`<\/span>openssl x509 -hash<\/span> -noout<\/span> -in<\/span> members.dyndns.org.cer`<\/span>.0\r\n\u00a0\r\n# create link<\/span>\r\nln<\/span> -s<\/span> members.dyndns.org.cer $HASH<\/span><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
    Note: If another cert has the same hash use suffix\u00a0.1<\/code>\u00a0or\u00a0.2<\/code>\u00a0instead of\u00a0.0<\/code>. To see the hash value type\u00a0echo $HASH<\/code>.<\/em><\/p>\n<\/div>\n
    Adding certificates with add-cert.sh<\/h4>\n
    \n
    Place this script in a file named add-cert.sh, using an editor like vi or nano (if installed). “chmod +x add-cert.sh“ to mark it executable, then use it like this:<\/p>\n
    wget example.com\/certificate.cer\r\n.\/add-cert.sh certificate.cer<\/pre>\n
    \n\n\n\n\n\n
    add-cert.sh<\/th>\n<\/tr>\n<\/thead>\n
    \n
    #!\/bin\/sh<\/span>\r\n# author: joda<\/span>\r\nopenssl<\/span>=\/<\/span>usr\/<\/span>bin\/<\/span>openssl\r\ncertdir<\/span>=$SSL_CERT_DIR<\/span>\r\nif<\/span> [<\/span> !<\/span> -f<\/span> $openssl<\/span> ]<\/span>; then<\/span>\r\n  echo<\/span> \"ERROR: Can't find $openssl<\/span>. openssl-util installed?\"<\/span> >&<\/span>2<\/span>\r\nfi<\/span>\r\nif<\/span> [<\/span>[<\/span> \"$1\"<\/span> = \"-f\"<\/span> ]<\/span>]<\/span>; then<\/span>\r\n   overwrite<\/span>=1<\/span>\r\n   shift<\/span> # remove $1<\/span>\r\nfi<\/span>\r\n\u00a0\r\nif<\/span> [<\/span> -f<\/span> \"$1\"<\/span> ]<\/span>; then<\/span>\r\n  certfile<\/span>=$1<\/span>\r\n  certname<\/span>=`<\/span>basename<\/span> $certfile<\/span>`<\/span>\r\n  echo<\/span> \"Certificate $certname<\/span>\"<\/span>\r\n  echo<\/span> \"  copy to $certdir<\/span>\"<\/span>\r\n  if<\/span> [<\/span> \"1\"<\/span> -ne<\/span> \"$overwrite<\/span>\"<\/span> ]<\/span> &&<\/span> [<\/span> -f<\/span> \"$certdir<\/span>\/$certname<\/span>\"<\/span> ]<\/span>; then<\/span>\r\n    echo<\/span> >&<\/span>2<\/span>\r\n    echo<\/span> \"ERROR: certificate $certname<\/span> exists\"<\/span> >&<\/span>2<\/span>\r\n    exit<\/span> 2<\/span>;\r\n  fi<\/span>\r\n  cp<\/span> \"$1\"<\/span> \"$certdir<\/span>\/$certname<\/span>\"<\/span>\r\n\u00a0\r\n  # create symbolic link from hash<\/span>\r\n  echo<\/span> -n<\/span> \"  generating hash: \"<\/span>\r\n  HASH<\/span>=`<\/span>$openssl<\/span> x509 -hash<\/span> -noout<\/span> -in<\/span> $certfile<\/span>`<\/span>\r\n  echo<\/span> \"$HASH<\/span>\"<\/span>\r\n\u00a0\r\n  # handle hash collisions<\/span>\r\n  suffix<\/span>=0<\/span>\r\n  while<\/span> [<\/span> \"1\"<\/span> -ne<\/span> \"$overwrite<\/span>\"<\/span> ]<\/span> &&<\/span> [<\/span> -h<\/span> \"$certdir<\/span>\/$HASH<\/span>.$suffix<\/span>\"<\/span> ]<\/span>; do<\/span>\r\n    let<\/span> \"suffix += 1\"<\/span>\r\n  done<\/span>\r\n  echo<\/span> \"  linking $HASH<\/span>.$suffix<\/span> -> $certname<\/span>\"<\/span>\r\n  if<\/span> [<\/span> $overwrite<\/span> ]<\/span>; then<\/span>\r\n    ln<\/span> -sf<\/span> \"$certname<\/span>\"<\/span> \"$certdir<\/span>\/$HASH<\/span>.$suffix<\/span>\"<\/span>\r\n  else<\/span>\r\n    ln<\/span> -s<\/span> \"$certname<\/span>\"<\/span> \"$certdir<\/span>\/$HASH<\/span>.$suffix<\/span>\"<\/span>\r\n  fi<\/span>\r\nelse<\/span>\r\n  echo<\/span> >&<\/span>2<\/span>\r\n  echo<\/span> \"ERROR: file does not exist $1\"<\/span> >&<\/span>2<\/span>\r\n  echo<\/span> >&<\/span>2<\/span>\r\n  echo<\/span> \"This script adds (root) certificates for wget(ssl) to $certdir<\/span>.\"<\/span> >&<\/span>2<\/span>\r\n  echo<\/span> \"SYNTAX: `basename $0`<\/span> [Options] [x509-certificate]\"<\/span> >&<\/span>2<\/span>\r\n  echo<\/span> >&<\/span>2<\/span>\r\n  echo<\/span> \"Option: -f      force overwriting if certificate exists\"<\/span> >&<\/span>2<\/span>\r\nfi<\/span><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n
    Trouble Shooting<\/h2>\n
    <\/div>\n
    Backfire 10.3 Conflict: \/usr\/bin\/wget -> \/bin\/busybox blocks wget<\/h3>\n
    \n
    Solution: Move old wget until new wget is installed (“opkg install” needs wget)<\/p>\n
    Using SSH\/Telnet shell:<\/p>\n
    \n\n\n\n\n\n
    shell prompt<\/th>\n<\/tr>\n<\/thead>\n
    \n
    ln<\/span> -sf<\/span> \/<\/span>bin\/<\/span>busybox \/<\/span>bin\/<\/span>wget<\/span>\r\nrm<\/span> \/<\/span>usr\/<\/span>bin\/<\/span>wget<\/span>\r\nopkg install<\/span> wget<\/span>\r\nrm<\/span> \/<\/span>bin\/<\/span>wget<\/span><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
    \u2014\u00a0joda<\/a>\u00a02010\/06\/19 20:57<\/em><\/p>\n<\/div>\n
    Confirm wget SSL root<\/h3>\n
    \n
    Example: wget\u00a0https:\/\/members.dyndns.org\/<\/a><\/p>\n<\/div>\n
     <\/p>\n
    \u5168\u6587\u8f6c\u81ea\uff1ahttps:\/\/wiki.openwrt.org\/doc\/howto\/wget-ssl-certs<\/p>\n","protected":false},"excerpt":{"rendered":"
    SSL and Certificates in wget This is a short tutorial o […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/www.sangqiao.com\/blog\/wp-json\/wp\/v2\/posts\/142"}],"collection":[{"href":"https:\/\/www.sangqiao.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sangqiao.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sangqiao.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sangqiao.com\/blog\/wp-json\/wp\/v2\/comments?post=142"}],"version-history":[{"count":1,"href":"https:\/\/www.sangqiao.com\/blog\/wp-json\/wp\/v2\/posts\/142\/revisions"}],"predecessor-version":[{"id":143,"href":"https:\/\/www.sangqiao.com\/blog\/wp-json\/wp\/v2\/posts\/142\/revisions\/143"}],"wp:attachment":[{"href":"https:\/\/www.sangqiao.com\/blog\/wp-json\/wp\/v2\/media?parent=142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sangqiao.com\/blog\/wp-json\/wp\/v2\/categories?post=142"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sangqiao.com\/blog\/wp-json\/wp\/v2\/tags?post=142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}