Stubby-Installer-Asuswrt-Merlin

[Sebastien Bougie]

Please check the directory /rom/etc/ssl/certs/ and see if you have a file called ca-certificates.crt in the folder.

If still a problem, try installing ca-certificates and change the path reference to /opt/etc/ssl/certs.

Check OpenSSL version:

/tmp/home/root:#openssl version
OpenSSL 1.0.2p  14 Aug 2018

What router model and firmware version are you using?

Also, please paste code snip in the code brackets. You can use the View attachment 14882 icon. Helps with the formatting and readability. Thanks!

Hello,

Yes the file ca-certificates.crt is in the /rom/etc/ssl/cert

I have the same version of Openssl
1.0.2p

My router is a AC3100 with Merlin 384.8 Alpha 1

 

[Xentrk]

Hello,

Yes the file ca-certificates.crt is in the /rom/etc/ssl/cert

I have the same version of Openssl
1.0.2p

My router is a AC3100 with Merlin 384.8 Alpha 1

Maybe @skeal can run the command on his AC3100 to see if he has issues. Otherwise, try to install the package ca-certificates and specify the /opt/etc/ssl/cert directory as the CApath to see if you still get the error.

Are you passing the DNS over TLS tests at these sites okay?

https://www.cloudflare.com/ssl/encrypted-sni/
https://1.1.1.1/help

In the past day, the test team has been testing a Stubby config where the certificate parameter is not specified in stubby.yml and everything appears to be working fine without it!

Stubby is in the experimental phases and we are all learning it together!

 

[M@rco]

See my previous reply to @Sebastien Bougie.

It does work with ca-certificates installed on my end, it doesn't work though when specifying /rom/etc/ssl/cert even though the certificate is in the specified folder:

 

[skeal]

Maybe @skeal can run the command on his AC3100 to see if he has issues. Otherwise, try to install the package ca-certificates and specify the /opt/etc/ssl/cert directory as the CApath to see if you still get the error.

Are you passing the DNS over TLS tests at these sites okay?

https://www.cloudflare.com/ssl/encrypted-sni/
https://1.1.1.1/help

In the past day, the test team has been testing a Stubby config where the certificate parameter is not specified in stubby.yml and everything appears to be working fine without it!

Stubby is in the experimental phases and we are all learning it together!

Here are my results and I have the same error.

/tmp/home/root# echo | openssl s_client -veri
fy on -CApath /opt/etc/ssl/certs -connect 1.1.1.1:853
verify depth is 0
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify error:num=20:unable to get local issuer certificate
719135664:error:14090086:SSL routines:ssl3_get_server_certificate:certificate ve                                                                                                                                                              rify failed:s3_clnt.c:1269:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 2074 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 5F6D9392894BF61F18E2DA848E93B24C49061672F04FA129AB34466F67FE85A7
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1540390613
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

 

[skeal]

See my previous reply to @Sebastien Bougie.

It does work with ca-certificates installed on my end, it doesn't work though when specifying /rom/etc/ssl/cert even though the certificate is in the specified folder:

What sis the recommended line of code the one with /rom or the one without.? Can you show me the original we had before changinging to /rom/etc/ssl/cert ?

 

[M@rco]

What sis the recommended line of code the one with /rom or the one without.? Can you show me the original we had before changinging to /rom/etc/ssl/cert ?

In the current release we're using /rom/etc/ssl/cert (this was the last-minute change I was reffering to, before the script went live)
Originally we used /opt/etc/ssl/certs. This will only work if the ca-certificates packages is installed, because otherwise there will be no certificates in /opt/etc/ssl/certs.

Edit: ca-certificates is not necessary for stubby anymore, as stubby.yml points to /rom/etc/ssl/certs now. However, if you want to run this specific test, you can temporary install ca-certificates, as I haven't been able to this this with the certificates supplied in the firmware (i.e. /rom/etc/ssl/certs)

 

[skeal]

Are you passing the DNS over TLS tests at these sites okay?

https://www.cloudflare.com/ssl/encrypted-sni/
https://1.1.1.1/help

With ca-certificates installed I pass these tests, except for the encrypted sni part of the first above test. Not sure how to make that pass. Without the ca-certificates installed the Secure DNS would not pass as well. DNSSEC has always passed for me.

 

[Sebastien Bougie]

Maybe @skeal can run the command on his AC3100 to see if he has issues. Otherwise, try to install the package ca-certificates and specify the /opt/etc/ssl/cert directory as the CApath to see if you still get the error.

Are you passing the DNS over TLS tests at these sites okay?

https://www.cloudflare.com/ssl/encrypted-sni/
https://1.1.1.1/help

In the past day, the test team has been testing a Stubby config where the certificate parameter is not specified in stubby.yml and everything appears to be working fine without it!

Stubby is in the experimental phases and we are all learning it together!

On the https://www.cloudflare.com/ssl/encrypted-sni/ the first 2 test pass abnd the last 2 failed

 

[Sebastien Bougie]

With ca-certificates installed I pass these tests, except for the encrypted sni part of the first above test. Not sure how to make that pass. Without the ca-certificates installed the Secure DNS would not pass as well. DNSSEC has always passed for me.

how to you reinstall the ca-certificates?

 

[visortgw]

With ca-certificates installed I pass these tests, except for the encrypted sni part of the first above test. Not sure how to make that pass. Without the ca-certificates installed the Secure DNS would not pass as well. DNSSEC has always passed for me.

For encrypted SNI, you need to configure/use a browser that supports it -- Firefox Nightly is the only one that I am aware of at this time:

https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/​

 

[skeal]

how to you reinstall the ca-certificates?

opkg update
opkg install ca-certificates

 

[M@rco]

how to you reinstall the ca-certificates?

If you haven't installed it yet, execute

opkg update && opkg install ca-certificates

If you messed something up, and need to re-install, execute

opkg update && opkg install ca-certificates --force-reinstall

 

[DonnyJohnny]

For encrypted SNI, you need to configure/use a browser that supports it -- Firefox Nightly is the only one that I am aware of at this time:

https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/​

Firefox beta now support ESNI too.

 

[skeal]

Firefox beta now support ESNI too.

Hey @DonnyJohnny what's the best command line test, for end to end DoT and DNSSEC negotiation? We need a unified agreed upon test that is thorough. It is obvious we cannot rely on these test sites as different configurations breaks the site. Any ideas what we could use?

 

[strangeluck]

Fantastic work on this script, everything working as expected on my RT-AC68U. Passing all tests at https://www.cloudflare.com/ssl/encrypted-sni/ in Firefox Developer Edition after setting network.security.esni.enabled = true and network.trr.mode = 2.

 

[Xentrk]

Fantastic work on this script, everything working as expected on my RT-AC68U. Passing all tests at https://www.cloudflare.com/ssl/encrypted-sni/ in Firefox Developer Edition after setting network.security.esni.enabled = true and network.trr.mode = 2.

I tried this yesterday and could not get it to work. Per this post, the key is to refresh the about:config page after making the changes.

Another check is to type https://www.cloudflare.com/cdn-cgi/trace in the URL. Should see

sni=encrypted

in the last row of information

 

[Xentrk]

With the changes on Firefox, I now get a pass for the DoH test

 

[skeal]

With the changes on Firefox, I now get a pass for the DoH test
View attachment 14895

Same here!!

 

[skeal]

With the changes on Firefox, I now get a pass for the DoH test
View attachment 14895

On this page there is a step 4 it tests whether DoH is working. The command they use is:

dig +short @127.0.0.1 cloudflare.com AAAA     -not working
dig +short @192.168.14.1 cloudflare.com AAAA    -is working

The expected results are:

2400:cb00:2048:1::c629:d6a2
2400:cb00:2048:1::c629:d7a2

When I use 192.168.14.1 the command finishes and shows me the ipv6 addresses listed above.

 

[skeal]

I re-installed "ca-certificates" I get less dnssec type of errors at the command line.