HTTPS connection with opkg


Jean-Michel Hautbois

Oct 1, 2013, 5:56:03 AM
to opkg-...@googlegroups.com
Hi all,

I would like to use opkg through an HTTPS connection. I added --enable-ssl-curl and I added some options in opkg.conf:
src/gz snapshots https://monip.local/snapshot
dest root /
dest ram /tmp
lists_dir ext /var/lib/opkg/
arch all 100
arch armv7 200

option ssl_ca_path /etc/ssl/certs
option ssl_key_type ENG

option ssl_cert_type PEM
option ssl_cert /etc/opkg/monclient.crt

On the other end, I have an SSL server in test using openssl:
sudo openssl s_server -cert $HOME/keys/server.crt -key $HOME/keys/server.key -CAfile $HOME/keys/ca.crt -accept 443 -HTTP

And all I get is :
opkg_download: Failed to download https://monip.local/snapshot/Packages.gz: Problem with the local SSL certificate.

On the server side I get :
140606968886944:error:140780E5:SSL routines:SSL23_READ:ssl handshake failure:s23_lib.c:131:

I am quite sure that my certificates are OK, but I would like to be sure that I don't miss a thing with the opkg configuration...
Is there any documentation on the subject, BTW?

Thanks in advance,
Regards,
JM

Camille Moncelier

Oct 1, 2013, 8:46:09 AM
to opkg-devel
2013/10/1 Jean-Michel Hautbois <jhau...@gmail.com>
Hi all,

I would like to use opkg through an HTTPS connection. I added --enable-ssl-curl and I added some options in opkg.conf:
src/gz snapshots https://monip.local/snapshot
dest root /
dest ram /tmp
lists_dir ext /var/lib/opkg/
arch all 100
arch armv7 200

option ssl_ca_path /etc/ssl/certs

option ssl_key_type ENG

Are you sure about this line? This is intended to be used with a PKCS#11 engine (usually a smartcard or a token).

If you're not using a smartcard then your opkg.conf file should *look* like this:

option ssl_ca_path /etc/ssl/certs
option ssl_cert /etc/opkg/monclient.crt
option ssl_cert_type PEM
option ssl_key /etc/opkg/monclient.key
option ssl_key_type PEM

With a smartcard you can try something like this:

option ssl_ca_path /etc/ssl/certs
option ssl_cert slot_0
option ssl_cert_type ENG
option ssl_engine pkcs11
option ssl_key slot_0
option ssl_key_type ENG

Assuming you are using a PKCS#11 token with the correct OpenSSL engine configured in openssl.cnf.


 
Is there any documentation on the subject, BTW?

Not really, these options are directly fed to libcurl; you could try the libcurl documentation: http://curl.haxx.se/libcurl/c/curl_easy_setopt.html under the section "SSL and SECURITY OPTIONS".

Kind regards,
CM.

--

Camille Moncelier 
+33 (0)6 33 37 88 82 / cam...@moncelier.fr


Jean-Michel Hautbois

Oct 1, 2013, 8:51:47 AM
to opkg-...@googlegroups.com
Hi Camille,

Thanks for this very fast answer :).
I am not using a smartcard, and I modified my opkg.conf this way in order to make it work:
option ssl_ca_file /etc/ssl/certs/ca.crt
option ssl_key /etc/ssl/certs/monclient.key
option ssl_cert /etc/ssl/certs/monclient.crt
option ssl_dont_verify_peer

The last line is mandatory because if I don't have it, I get a "SSL peer certificate or SSH remote key was not OK." message.



2013/10/1 Camille Moncelier <cam...@moncelier.fr>

2013/10/1 Jean-Michel Hautbois <jhau...@gmail.com>
Hi all,

I would like to use opkg through an HTTPS connection. I added --enable-ssl-curl and I added some options in opkg.conf:
src/gz snapshots https://monip.local/snapshot
dest root /
dest ram /tmp
lists_dir ext /var/lib/opkg/
arch all 100
arch armv7 200

option ssl_ca_path /etc/ssl/certs

option ssl_key_type ENG

Are you sure about this line? This is intended to be used with a PKCS#11 engine (usually a smartcard or a token).

If you're not using a smartcard then your opkg.conf file should *look* like this:

option ssl_ca_path /etc/ssl/certs
option ssl_cert /etc/opkg/monclient.crt
option ssl_cert_type PEM
option ssl_key /etc/opkg/monclient.key
option ssl_key_type PEM

These are the default types, right? So not needed?
 

With a smartcard you can try something like this:

option ssl_ca_path /etc/ssl/certs
option ssl_cert slot_0
option ssl_cert_type ENG
option ssl_engine pkcs11
option ssl_key slot_0
option ssl_key_type ENG

Assuming you are using a PKCS#11 token with the correct OpenSSL engine configured in openssl.cnf.


 
Is there any documentation on the subject, BTW?

Not really, these options are directly fed to libcurl; you could try the libcurl documentation: http://curl.haxx.se/libcurl/c/curl_easy_setopt.html under the section "SSL and SECURITY OPTIONS".


Yes, I was looking into it, and it helps ;-).

JM
 

Camille Moncelier

Oct 1, 2013, 9:03:21 AM
to opkg-...@googlegroups.com



2013/10/1 Jean-Michel Hautbois <jhau...@gmail.com>
Hi Camille,

Thanks for this very fast answer :).
I am not using a smartcard, and I modified my opkg.conf this way in order to make it work:
option ssl_ca_file /etc/ssl/certs/ca.crt
option ssl_key /etc/ssl/certs/monclient.key
option ssl_cert /etc/ssl/certs/monclient.crt
option ssl_dont_verify_peer

The last line is mandatory because if I don't have it, I get a "SSL peer certificate or SSH remote key was not OK." message.

Do you have the full linked list of certificates until the root CA in /etc/ssl/certs/ca.crt?
 
If you can (re)compile opkg you can try to add: curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);  in opkg_curl_init inside opkg_download.c to see where it fails (just an idea)

Jean-Michel Hautbois

Oct 1, 2013, 9:34:17 AM
to opkg-...@googlegroups.com
I only have the root CA in the file ca.crt.
When you say the full linked list, what do you mean? server.crt+ca.crt?



2013/10/1 Camille Moncelier <cam...@moncelier.fr>




2013/10/1 Jean-Michel Hautbois <jhau...@gmail.com>
Hi Camille,

Thanks for this very fast answer :).
I am not using a smartcard, and I modified my opkg.conf this way in order to make it work:
option ssl_ca_file /etc/ssl/certs/ca.crt
option ssl_key /etc/ssl/certs/monclient.key
option ssl_cert /etc/ssl/certs/monclient.crt
option ssl_dont_verify_peer

The last line is mandatory because if I don't have it, I get a "SSL peer certificate or SSH remote key was not OK." message.

Do you have the full linked list of certificates until the root CA in /etc/ssl/certs/ca.crt?
 
If you can (re)compile opkg you can try to add: curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);  in opkg_curl_init inside opkg_download.c to see where it fails (just an idea)

I will do that ASAP. Do you have a good pointer to a tutorial on how to create an SSL server certificate, how to create an SSL client certificate, and the CA which will make it work? I am using easy-rsa (from the openvpn project) and its pkitool, but maybe I am missing something...?

JM

Camille Moncelier

Oct 1, 2013, 9:48:44 AM
to opkg-devel

2013/10/1 Jean-Michel Hautbois <jhau...@gmail.com>

I only have the root CA in the file ca.crt.
When you say the full linked list, what do you mean? server.crt+ca.crt?

If server.crt is signed only by the CA it should be OK. It was just in case you had an intermediate CA.

 
 
If you can (re)compile opkg you can try to add: curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);  in opkg_curl_init inside opkg_download.c to see where it fails (just an idea)

I will do that ASAP. Do you have a good pointer to a tutorial on how to create an SSL server certificate, how to create an SSL client certificate, and the CA which will make it work? I am using easy-rsa (from the openvpn project) and its pkitool, but maybe I am missing something...?

easy-rsa should do the trick. Just make sure you specified the correct servername (hostname) when you generated the server certificate.

If the server is accepting the client certificate, you are on the right track.

You can also use curl (the command line tool) to see if your files are OK and curl is accepting the server's certificate.

Best regards,
CM.
 



Jean-Michel Hautbois

Oct 1, 2013, 9:53:24 AM
to opkg-...@googlegroups.com
2013/10/1 Camille Moncelier <cam...@moncelier.fr>


2013/10/1 Jean-Michel Hautbois <jhau...@gmail.com>
I only have the root CA in the file ca.crt.
When you say the full linked list, what do you mean? server.crt+ca.crt?

If server.crt is signed only by the CA it should be OK. It was just in case you had an intermediate CA.


OK, this is what I thought :)
 
 
 
If you can (re)compile opkg you can try to add: curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);  in opkg_curl_init inside opkg_download.c to see where it fails (just an idea)

I will do that ASAP. Do you have a good pointer to a tutorial on how to create a SSL server certificate, how to create a SSL client certificate and the CA which will make it work ? I am using easy-rsa (from openvpn project) and its pkitool but maybe do I miss something... ?

easy-rsa should do the trick. Just make sure you specified the correct servername (hostname) when you generated the server certificate.


You are perfectly right, this is exactly the issue.
Here is what I get with my current file:
Downloading https://monip.local/snapshot/Packages.gz.
* About to connect() to monip.local port 443 (#0)
*   Trying X.X.X.X...
* connected
* Connected to monip.local (X.X.X.X) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca.crt
  CApath: none
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
*      subject: *****************************
*      start date: 201
*      expire date: 202
* SSL: certificate subject name 'server' does not match target host name 'monip.local'
* Closing connection #0
* SSL peer certificate or SSH remote key was not OK
 
If the server is accepting the client certificate, you are on the right track.

You can also use curl (the command line tool) to see if your files are OK and curl is accepting the server's certificate.

I now have (with the correct hostname):
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca.crt
  CApath: none
* SSL certificate problem: unsupported certificate purpose
* Closing connection #0
* Peer certificate cannot be authenticated with given CA certificates

So, this is probably a bad configuration of the certificate purpose, I will go deeper into it.
Thanks for all this information!

JM

Jean-Michel Hautbois

Oct 1, 2013, 10:12:00 AM
to opkg-...@googlegroups.com
And now this is weird, because my certificate is good, its purpose is OK:
openssl x509 -purpose -in ~/keys/monip.local.crt -noout -text
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No



And I still get :

* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca.crt
  CApath: none
* SSL certificate problem: unsupported certificate purpose
* Closing connection #0
* Peer certificate cannot be authenticated with given CA certificates

Any idea ?
JM


Jean-Michel Hautbois

Oct 2, 2013, 10:27:53 AM
to opkg-...@googlegroups.com
OK, I found it, my ca.crt was not the right one. In fact, I cannot make it work with my own PKI because here is what I get:


* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca.crt
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
 
And, as I don't have a root CA from Verisign or similar but created my own root CA, I cannot make it work... or I have to use ssl_dont_verify_peer in opkg.conf, and then it passes without verifying the server certificate...

JM
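The three rejections seen in this thread (a server certificate issued for the name 'server' rather than monip.local, "unsupported certificate purpose", and "unable to get local issuer certificate" with a home-made CA) are all checks libcurl runs before opkg downloads a single byte; ssl_dont_verify_peer switches all of them off, so any host that can answer for monip.local could then serve the package feed. The script below is an added example, not code from the opkg project or from anyone in the thread. It builds a private CA, a server certificate for the repository hostname and a client certificate with openssl(1), runs the same chain, purpose and hostname checks with openssl verify, and reproduces the two rejections on purpose. Assumptions: openssl 1.1.1 or newer is on PATH; monip.local, the CN values, "opkg-client" and the file names are placeholders.

```shell
#!/bin/sh
# Throwaway private PKI for an opkg HTTPS feed, checked the way libcurl checks it:
# chain to the CA, certificate purpose (keyUsage/EKU) and hostname match.
# Added example, not code from the opkg project. Assumes openssl(1) 1.1.1 or
# newer on PATH; "monip.local" and the file names are placeholders from the thread.
set -eu

# Extension profiles for the three certificates; $2 becomes the server's SAN.
write_openssl_cnf() {   # dir host
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ext_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ext_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
[ ext_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Issue a leaf certificate signed by ca.key with one of the profiles above.
issue_cert() {   # dir name subject ext_section
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/$2.key" 2>/dev/null
    openssl req -new -key "$1/$2.key" -subj "$3" -config "$1/openssl.cnf" \
        -out "$1/$2.csr"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -extfile "$1/openssl.cnf" -extensions "$4" \
        -out "$1/$2.crt" 2>/dev/null
}

# CA, a server certificate for $2 and a client certificate, all under $1.
make_test_pki() {   # dir host
    mkdir -p "$1"
    write_openssl_cnf "$1" "$2"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/ca.key" 2>/dev/null
    openssl req -new -x509 -key "$1/ca.key" -days 3650 -subj "/CN=opkg test CA" \
        -config "$1/openssl.cnf" -extensions ext_ca -out "$1/ca.crt"
    issue_cert "$1" server "/CN=$2" ext_server
    issue_cert "$1" client "/CN=opkg-client" ext_client
}

# What the opkg side (libcurl) requires before it trusts the repository: the
# chain ends at ssl_ca_file, the leaf may act as a TLS server, and the name in
# the URL matches. Any of the three failing gives the "SSL peer certificate
# ... was not OK" / "unable to get local issuer certificate" errors.
check_server_cert() {   # dir host
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
        -verify_hostname "$2" "$1/server.crt"
}

# What the server side checks when it demands a client certificate.
check_client_cert() {   # dir
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/client.crt"
}

demo() {   # dir host
    make_test_pki "$1" "$2"
    check_server_cert "$1" "$2"           # server.crt: OK
    check_client_cert "$1"                # client.crt: OK
    # The two rejections from the thread, reproduced on purpose:
    check_server_cert "$1" server || echo "rejected: name 'server' is not $2"
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/server.crt" \
        || echo "rejected: server.crt has no clientAuth purpose"
    # opkg.conf lines that keep verification on (no ssl_dont_verify_peer):
    printf 'option ssl_ca_file %s/ca.crt\noption ssl_cert %s/client.crt\noption ssl_key %s/client.key\n' \
        "$1" "$1" "$1"
    # Manual end-to-end test, once $2 resolves to the test box:
    #   openssl s_server -accept 443 -HTTP -cert $1/server.crt -key $1/server.key \
    #       -CAfile $1/ca.crt -Verify 1
    #   curl -v --cacert $1/ca.crt --cert $1/client.crt --key $1/client.key \
    #       https://$2/snapshot/Packages.gz
}

demo "$(mktemp -d)" monip.local
```

Run as-is it leaves a directory with ca.crt, server.crt/key and client.crt/key and prints the three opkg.conf option lines to drop in. The commented s_server and curl commands are the manual end-to-end test: -Verify 1 makes s_server require a client certificate, which is exactly what the ssl_cert/ssl_key options in opkg.conf supply, and curl -v prints the same handshake trace as the CURLOPT_VERBOSE patch suggested earlier in the thread.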

wfai...@googlemail.com

Mar 12, 2014, 7:07:51 AM
to opkg-...@googlegroups.com
Hi, I have the same problem as you describe here:

> * successfully set certificate verify locations:
> *   CAfile: /etc/ssl/certs/ca.crt
>   CApath: /etc/ssl/certs/
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS alert, Server hello (2):
> * SSL certificate problem: unable to get local issuer certificate
> * Closing connection #0
> curl: (60) SSL certificate problem: unable to get local issuer certificate
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
>  of Certificate Authority (CA) public keys (CA certs). If the default
>  bundle file isn't adequate, you can specify an alternate file
>  using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
>  the bundle, the certificate verification probably failed due to a
>  problem with the certificate (it might be expired, or the name might
>  not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
>  the -k (or --insecure) option.

Is there any news on how to fix this?