Stubby-Installer-Asuswrt-Merlin

Discussion in 'Asuswrt-Merlin' started by Xentrk, Oct 22, 2018.

  1. Sebastien Bougie

    Sebastien Bougie Regular Contributor

    Joined:
    Feb 23, 2017
    Messages:
    89
    Hello,

    Yes the file ca-certificates.crt is in the /rom/etc/ssl/cert

    I have the same version of Openssl
    1.0.2p

    My router is a AC3100 with Merlin 384.8 Alpha 1
     
  2. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,652
    Location:
    The Land of Smiles
    Maybe @skeal can run the command on his AC3100 to see if he has issues. Otherwise, try to install the package ca-certificates and specify the /opt/etc/ssl/cert directory as the CApath to see if you still get the error.

    Are you passing the DNS over TLS tests at these sites okay?

    https://www.cloudflare.com/ssl/encrypted-sni/
    https://1.1.1.1/help

    In the past day, the test team has been testing a Stubby config where the certificate parameter is not specified in stubby.yml and everything appears to be working fine without it!

    Stubby is in the experimental phases and we are all learning it together!
     
  3. See my previous reply to @Sebastien Bougie.

    It does work with ca-certificates installed on my end, it doesn't work though when specifying /rom/etc/ssl/cert even though the certificate is in the specified folder:

     
  4. skeal

    skeal Part of the Furniture

    Joined:
    Apr 30, 2016
    Messages:
    3,813
    Location:
    Riderville, SK
    Here are my results and I have the same error.
    Code:
    /tmp/home/root# echo | openssl s_client -verify on -CApath /opt/etc/ssl/certs -connect 1.1.1.1:853
    verify depth is 0
    CONNECTED(00000003)
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
    verify error:num=20:unable to get local issuer certificate
    719135664:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2074 bytes and written 7 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID: 5F6D9392894BF61F18E2DA848E93B24C49061672F04FA129AB34466F67FE85A7
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1540390613
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    
     
  5. skeal

    skeal Part of the Furniture

    Joined:
    Apr 30, 2016
    Messages:
    3,813
    Location:
    Riderville, SK
    What is the recommended line of code, the one with /rom or the one without? Can you show me the original we had before changing to /rom/etc/ssl/cert?
     
  6. In the current release we're using /rom/etc/ssl/cert (this was the last-minute change I was referring to, before the script went live).
    Originally we used /opt/etc/ssl/certs. This will only work if the ca-certificates package is installed, because otherwise there will be no certificates in /opt/etc/ssl/certs.

    Edit: ca-certificates is not necessary for stubby anymore, as stubby.yml points to /rom/etc/ssl/certs now. However, if you want to run this specific test, you can temporarily install ca-certificates, as I haven't been able to test this with the certificates supplied in the firmware (i.e. /rom/etc/ssl/certs).
     
  7. skeal

    skeal Part of the Furniture

    Joined:
    Apr 30, 2016
    Messages:
    3,813
    Location:
    Riderville, SK
    With ca-certificates installed I pass these tests, except for the encrypted sni part of the first above test. Not sure how to make that pass. Without the ca-certificates installed the Secure DNS would not pass as well. DNSSEC has always passed for me.
     
  8. Sebastien Bougie

    Sebastien Bougie Regular Contributor

    Joined:
    Feb 23, 2017
    Messages:
    89
    On the https://www.cloudflare.com/ssl/encrypted-sni/ the first 2 tests pass and the last 2 failed.
     
  9. Sebastien Bougie

    Sebastien Bougie Regular Contributor

    Joined:
    Feb 23, 2017
    Messages:
    89
    How do you reinstall the ca-certificates?
     
  10. visortgw

    visortgw Senior Member

    Joined:
    Jun 18, 2015
    Messages:
    358
    For encrypted SNI, you need to configure/use a browser that supports it -- Firefox Nightly is the only one that I am aware of at this time:

     
  11. skeal

    skeal Part of the Furniture

    Joined:
    Apr 30, 2016
    Messages:
    3,813
    Location:
    Riderville, SK
    opkg update
    opkg install ca-certificates
     
  12. If you haven't installed it yet, execute
    Code:
    opkg update && opkg install ca-certificates
    If you messed something up, and need to re-install, execute
    Code:
    opkg update && opkg install ca-certificates --force-reinstall
     
  13. DonnyJohnny

    DonnyJohnny Very Senior Member

    Joined:
    Dec 17, 2017
    Messages:
    746
  14. skeal

    skeal Part of the Furniture

    Joined:
    Apr 30, 2016
    Messages:
    3,813
    Location:
    Riderville, SK
    Hey @DonnyJohnny, what's the best command line test for end to end DoT and DNSSEC negotiation? We need a unified, agreed upon test that is thorough. It is obvious we cannot rely on these test sites, as different configurations break the site. Any ideas what we could use?
     
  15. strangeluck

    strangeluck Regular Contributor

    Joined:
    Aug 11, 2015
    Messages:
    57
    Fantastic work on this script, everything working as expected on my RT-AC68U. Passing all tests at https://www.cloudflare.com/ssl/encrypted-sni/ in Firefox Developer Edition after setting network.security.esni.enabled = true and network.trr.mode = 2.

     
  16. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,652
    Location:
    The Land of Smiles
    I tried this yesterday and could not get it to work. Per this post, the key is to refresh the about:config page after making the changes.

    Another check is to type https://www.cloudflare.com/cdn-cgi/trace in the URL. Should see
    Code:
    sni=encrypted
    in the last row of information
     
    Last edited: Oct 24, 2018
  17. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,652
    Location:
    The Land of Smiles
    With the changes on Firefox, I now get a pass for the DoH test
     
  18. skeal

    skeal Part of the Furniture

    Joined:
    Apr 30, 2016
    Messages:
    3,813
    Location:
    Riderville, SK
    Same here!!
     
  19. skeal

    skeal Part of the Furniture

    Joined:
    Apr 30, 2016
    Messages:
    3,813
    Location:
    Riderville, SK
    On this page there is a step 4 that tests whether DoH is working. The command they use is:
    Code:
    dig +short @127.0.0.1 cloudflare.com AAAA     -not working
    dig +short @192.168.14.1 cloudflare.com AAAA    -is working
    The expected results are:
    Code:
    2400:cb00:2048:1::c629:d6a2
    2400:cb00:2048:1::c629:d7a2
    When I use 192.168.14.1 the command finishes and shows me the ipv6 addresses listed above.
     
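Picking up the request in post 14 for a scriptable end-to-end check, and the dig test in post 19: an added example (not code from this thread or the Stubby installer project) that parses openssl s_client and dig output so a script can decide pass/fail instead of a human reading the transcript. The /rom/etc/ssl/certs default, the availability of -verify_return_error on the router's openssl, and the sample transcripts are assumptions or constructed here.

```shell
#!/bin/sh
# Added example (not from this thread or the Stubby installer): shell checks for the
# two command-line tests discussed above. The parsers run on constructed sample
# output; the live_* helpers run the real commands (CApath default is an assumption).

# Exit 0 when an `openssl s_client` transcript shows a verified chain. Post 4 above
# shows why "Verify return code: 0 (ok)" alone is not enough: a "verify error:" line
# and "certificate verify failed" appeared before it, so both count as failure.
dot_chain_ok() {
  awk '/^verify error:/ || /certificate verify failed/ { bad = 1 }
       /Verify return code: 0 \(ok\)/ { ok = 1 }
       END { exit !(ok && !bad) }'
}

# Exit 0 when a `dig +dnssec` answer carries the AD flag (resolver validated DNSSEC).
dnssec_validated() {
  grep -q '^;; flags:.* ad[ ;]'
}

# Live checks (need network). -verify_return_error makes a bad chain fail the handshake.
live_dot_check() {
  echo | openssl s_client -verify_return_error -CApath "${1:-/rom/etc/ssl/certs}" \
    -connect 1.1.1.1:853 2>&1 | dot_chain_ok
}
live_dnssec_check() {
  dig +dnssec @"${1:-127.0.0.1}" cloudflare.com AAAA | dnssec_validated
}

# Constructed samples, trimmed to the lines the parsers look at.
sample_s_client_bad() {
cat <<'EOF'
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify error:num=20:unable to get local issuer certificate
    Verify return code: 0 (ok)
EOF
}
sample_s_client_good() {
cat <<'EOF'
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify return:1
    Verify return code: 0 (ok)
EOF
}
sample_dig_validated() {
  echo ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
}
sample_dig_unvalidated() {
  echo ';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
}
```

On the router, `live_dot_check /opt/etc/ssl/certs` and `live_dnssec_check 127.0.0.1` give a plain exit status that a cron job or the installer's own tests could act on.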
  20. skeal

    skeal Part of the Furniture

    Joined:
    Apr 30, 2016
    Messages:
    3,813
    Location:
    Riderville, SK
    I re-installed "ca-certificates" and I get fewer DNSSEC-type errors at the command line.