Stubby-Installer-Asuswrt-Merlin

Sebastien Bougie

Regular Contributor
Please check the directory /rom/etc/ssl/certs/ and see if you have a file called ca-certificates.crt in the folder.

If still a problem, try installing ca-certificates and change the path reference to /opt/etc/ssl/certs.

Check OpenSSL version:
Code:
/tmp/home/root:#openssl version
OpenSSL 1.0.2p  14 Aug 2018
What router model and firmware version are you using?

Also, please paste code snips inside the code brackets. You can use the code icon. It helps with the formatting and readability. Thanks!
Hello,

Yes, the file ca-certificates.crt is in /rom/etc/ssl/cert.

I have the same version of OpenSSL, 1.0.2p.

My router is an AC3100 with Merlin 384.8 Alpha 1.
 

Xentrk

Part of the Furniture
Hello,

Yes, the file ca-certificates.crt is in /rom/etc/ssl/cert.

I have the same version of OpenSSL, 1.0.2p.

My router is an AC3100 with Merlin 384.8 Alpha 1.
Maybe @skeal can run the command on his AC3100 to see if he has issues. Otherwise, try to install the package ca-certificates and specify the /opt/etc/ssl/cert directory as the CApath to see if you still get the error.

Are you passing the DNS over TLS tests at these sites okay?

https://www.cloudflare.com/ssl/encrypted-sni/
https://1.1.1.1/help

In the past day, the test team has been testing a Stubby config where the certificate parameter is not specified in stubby.yml and everything appears to be working fine without it!

Stubby is in the experimental phases and we are all learning it together!
 

skeal

Part of the Furniture
Maybe @skeal can run the command on his AC3100 to see if he has issues. Otherwise, try to install the package ca-certificates and specify the /opt/etc/ssl/cert directory as the CApath to see if you still get the error.

Are you passing the DNS over TLS tests at these sites okay?

https://www.cloudflare.com/ssl/encrypted-sni/
https://1.1.1.1/help

In the past day, the test team has been testing a Stubby config where the certificate parameter is not specified in stubby.yml and everything appears to be working fine without it!

Stubby is in the experimental phases and we are all learning it together!
Here are my results and I have the same error.
Code:
/tmp/home/root# echo | openssl s_client -verify on -CApath /opt/etc/ssl/certs -connect 1.1.1.1:853
verify depth is 0
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify error:num=20:unable to get local issuer certificate
719135664:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 2074 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 5F6D9392894BF61F18E2DA848E93B24C49061672F04FA129AB34466F67FE85A7
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1540390613
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
 

skeal

Part of the Furniture
See my previous reply to @Sebastien Bougie.

It does work with ca-certificates installed on my end; it doesn't work, though, when specifying /rom/etc/ssl/cert, even though the certificate is in the specified folder:

What is the recommended line of code, the one with /rom or the one without? Can you show me the original we had before changing to /rom/etc/ssl/cert?
In the current release we're using /rom/etc/ssl/cert (this was the last-minute change I was referring to, before the script went live).
Originally we used /opt/etc/ssl/certs. This will only work if the ca-certificates package is installed, because otherwise there will be no certificates in /opt/etc/ssl/certs.

Edit: ca-certificates is not necessary for Stubby anymore, as stubby.yml points to /rom/etc/ssl/certs now. However, if you want to run this specific test, you can temporarily install ca-certificates, as I haven't been able to test this with the certificates supplied in the firmware (i.e. /rom/etc/ssl/certs).
 

Sebastien Bougie

Regular Contributor
Maybe @skeal can run the command on his AC3100 to see if he has issues. Otherwise, try to install the package ca-certificates and specify the /opt/etc/ssl/cert directory as the CApath to see if you still get the error.

Are you passing the DNS over TLS tests at these sites okay?

https://www.cloudflare.com/ssl/encrypted-sni/
https://1.1.1.1/help

In the past day, the test team has been testing a Stubby config where the certificate parameter is not specified in stubby.yml and everything appears to be working fine without it!

Stubby is in the experimental phases and we are all learning it together!
On https://www.cloudflare.com/ssl/encrypted-sni/ the first 2 tests pass and the last 2 fail.
 

Sebastien Bougie

Regular Contributor
With ca-certificates installed I pass these tests, except for the encrypted SNI part of the first test above. Not sure how to make that pass. Without ca-certificates installed, the Secure DNS test would not pass either. DNSSEC has always passed for me.
How do you reinstall ca-certificates?
 

visortgw

Senior Member
With ca-certificates installed I pass these tests, except for the encrypted SNI part of the first test above. Not sure how to make that pass. Without ca-certificates installed, the Secure DNS test would not pass either. DNSSEC has always passed for me.
For encrypted SNI, you need to configure/use a browser that supports it -- Firefox Nightly is the only one that I am aware of at this time:

 

skeal

Part of the Furniture
Firefox Beta now supports ESNI too.
Hey @DonnyJohnny, what's the best command-line test for end-to-end DoT and DNSSEC negotiation? We need a unified, agreed-upon test that is thorough. It is obvious we cannot rely on these test sites, as different configurations break the site. Any ideas what we could use?
 

Xentrk

Part of the Furniture
Fantastic work on this script, everything working as expected on my RT-AC68U. Passing all tests at https://www.cloudflare.com/ssl/encrypted-sni/ in Firefox Developer Edition after setting network.security.esni.enabled = true and network.trr.mode = 2.

I tried this yesterday and could not get it to work. Per this post, the key is to refresh the about:config page after making the changes.

Another check is to type https://www.cloudflare.com/cdn-cgi/trace in the URL. Should see
Code:
sni=encrypted
in the last row of information
 

Xentrk

Part of the Furniture
With the changes on Firefox, I now get a pass for the DoH test
 

skeal

Part of the Furniture
With the changes on Firefox, I now get a pass for the DoH test
On this page there is a step 4 that tests whether DoH is working. The command they use is:
Code:
dig +short @127.0.0.1 cloudflare.com AAAA      # not working
dig +short @192.168.14.1 cloudflare.com AAAA   # is working
The expected results are:
Code:
2400:cb00:2048:1::c629:d6a2
2400:cb00:2048:1::c629:d7a2
When I use 192.168.14.1 the command finishes and shows me the IPv6 addresses listed above.
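Added example, not from this thread or the Stubby installer: a small Python DNS-over-TLS probe that does in one step what the openssl s_client check and the dig check above do separately. It verifies the resolver's certificate against the CA bundle passed as a file (the equivalent of -CAfile; OpenSSL's -CApath expects hash-named links, not a single bundle file), sends an AAAA query over TLS per RFC 7858 with the DNSSEC DO bit set, and reports whether the answer carried the AD bit. Assumed: the resolver 1.1.1.1:853, the bundle path /rom/etc/ssl/certs/ca-certificates.crt, and a python3 on the router or a LAN host.

```python
import socket
import ssl
import struct

CA_BUNDLE = "/rom/etc/ssl/certs/ca-certificates.crt"  # assumed firmware bundle path
RESOLVER = ("1.1.1.1", 853)                            # assumed DoT endpoint

def build_query(name, qtype=28, txid=0x1234, want_dnssec=True):
    """DNS wire-format query; qtype 28 = AAAA, matching the dig check above.
    With want_dnssec an EDNS0 OPT record carries the DO bit so a validating
    resolver sets AD in its answer."""
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root name, type 41, UDP size 4096, TTL field with DO bit, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0) if want_dnssec else b""
    return header + question + opt

def parse_response(msg):
    """Return (txid, rcode, ad_set, answer_count) from a response header."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, flags & 0x000F, bool(flags & 0x0020), ancount

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TLS session early")
        buf += chunk
    return buf

def query_dot(name, resolver=RESOLVER, cafile=CA_BUNDLE):
    """RFC 7858: TLS on port 853, each DNS message prefixed by a 2-byte length.
    create_default_context verifies the chain against cafile and the server
    name (Cloudflare's certificate lists 1.1.1.1 as an IP SAN), so a bad bundle
    raises ssl.SSLCertVerificationError instead of passing silently."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection(resolver, timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver[0]) as tls:
            q = build_query(name)
            tls.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length))

if __name__ == "__main__":
    txid, rcode, ad, answers = query_dot("cloudflare.com")
    print(f"rcode={rcode} answers={answers} dnssec_validated={ad}")
```

rcode 0 with answers > 0 and dnssec_validated=True is the end-to-end pass; a certificate problem surfaces as an exception before any query is sent.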
 

skeal

Part of the Furniture
I re-installed "ca-certificates". I get fewer DNSSEC-type errors at the command line.
 
