Glad to know we have a security expert :-) I just wanted to point that out for the record, so that we avoid anyone reading this post in the future thinking that disabling SSL verification is a valid solution for production systems too; unfortunately I've seen people do that a lot.

Federico

On Wednesday, April 18, 2018 at 4:15:51 PM UTC-3, BlancLoup wrote:
>
> In the case of OpenWRT it is enough to put the CA/server cert at "/etc/ssl/certs". It'll work on the fly.
>
> I think that Nam uses a test environment. IMHO, if you are trying out a solution you don't need trouble with 3rd-party software.
> I know about security issues... because it is my bread and butter =)
>
> On Wednesday, April 18, 2018 at 20:12:46 UTC+5, Federico Capoano wrote:
>>
>> In that case the best solution would be to put the self-created CA in the system's trusted CAs so the SSL verification would pass.
>> I haven't tried this yet but when I do I'll report how to do this.
>>
>> Disabling SSL verification in a production environment is highly discouraged in all cases. Routers could be subject to man-in-the-middle attacks: an attacker could pretend to be OpenWISP and inject an arbitrary configuration, which would then allow him to SSH into the routers as root.
>> So unless you are using OpenWISP in your home or in a small office in which you trust everyone, SSL should never be disabled in production, otherwise you run the risk of malicious people being able to do criminal activities from your own routers, which in turn send packets to the public internet from your own IP addresses; in that case in most countries the police would come to your door and ask questions. You won't go to jail, but if you run a business your reputation will be compromised.
>>
>> Saving the time needed to properly configure SSL doesn't sound like a good investment, considering the risk involved, IMHO.
>>
>> Think about it and let it sink in.
>> Federico
>>
>>
>> On Wed, 18 Apr 2018, 11:24 Артур Скок <[email protected]> wrote:
>>
>>> Disabling the SSL verification may work, but it's not a good practice for production environments because it's insecure so it should be used only as a temporary solution. (c)
>>> Maybe they use a self-signed cert in a local network. In this case there is not a big risk.
>>>
>>> 2018-04-18 19:01 GMT+05:00 Federico Capoano <[email protected]>:
>>>
>>>> From https://curl.haxx.se/libcurl/c/libcurl-errors.html
>>>>
>>>> CURLE_SSL_CACERT_BADFILE (77)
>>>>
>>>> Problem with reading the SSL CA cert (path? access rights?)
>>>>
>>>> Disabling the SSL verification may work, but it's not a good practice for production environments because it's insecure so it should be used only as a temporary solution.
>>>>
>>>> What SSL library are you using? openssl, mbedtls or cyassl?
>>>>
>>>> Federico
>>>>
>>>> On Wed, Apr 18, 2018 at 7:53 AM Артур Скок <[email protected]> wrote:
>>>>
>>>>> Hi.
>>>>> Try to use "option verify_ssl '0'"
>>>>>
>>>>> 2018-04-18 15:41 GMT+05:00 Nam Lê <[email protected]>:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I can't connect between the openwisp agent and the controller.
>>>>>>
>>>>>> The agent log shows code 77.
>>>>>> Wed Apr 18 10:35:49 2018 daemon.err openwisp: Failed to connect to controller while getting checksum: curl exit code 77
>>>>>>
>>>>>> I installed openwisp-config-no-sll on the agent and this is /etc/config/openwisp
>>>>>>
>>>>>> config controller 'http'
>>>>>>     option url 'https://10.0.1.253'
>>>>>>     #option interval '120'
>>>>>>     #option verify_ssl '1'
>>>>>>     #option shared_secret ''
>>>>>>     #option consistent_key '1'
>>>>>>     #option mac_interface 'eth0'
>>>>>>     #option merge_config '1'
>>>>>>     #option test_config '1'
>>>>>>     #option test_script '/usr/sbin/mytest'
>>>>>>     option uuid '01619bd52e3e4f468ab7xxxxxxxxxx'
>>>>>>     option key 'SU0kQIV1Jkaa70UK9AYbxxxxxxxxx'
>>>>>>     list unmanaged 'system.@led'
>>>>>>     list unmanaged 'network.loopback'
>>>>>>     list unmanaged 'network.@switch'
>>>>>>     list unmanaged 'network.@switch_vlan'
>>>>>>     # curl options
>>>>>>     #option connect_timeout '15'
>>>>>>     #option max_time '30'
>>>>>>     #option capath '/etc/ssl/certs'
>>>>>>
>>>>>> And what do I do? Please help me! Thanks everyone.
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google Groups "OpenWISP" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>> For more options, visit https://groups.google.com/d/optout.
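Added example, written for this thread; it is not code from the thread or from the openwisp-config project. It does the two things the discussion asks for: it audits a copy of the `config controller 'http'` stanza (constructed here to mirror the one posted, with the suggested `verify_ssl '0'` applied) for the dangerous and the broken settings, and it installs a CA certificate into a capath directory the way curl's OpenSSL backend expects, with a `<subject-hash>.N` link next to the PEM file, then checks that OpenSSL finds it. The controller URL, the throwaway CA and the temp directory are assumptions for the demo; `openssl` is optional and the CA step is skipped without it.

```shell
#!/bin/sh
# Added example, not code from the thread or from openwisp-config.
# Assumptions: POSIX sh; `openssl` is optional (the CA-install demo is skipped
# without it); the config text is constructed to mirror the stanza posted in
# the thread, with the suggested `option verify_ssl '0'` applied.

# Constructed sample of /etc/config/openwisp, as posted but with verification off.
SAMPLE_CONFIG="config controller 'http'
    option url 'https://10.0.1.253'
    #option verify_ssl '1'
    option verify_ssl '0'
    option uuid '01619bd52e3e4f468ab7xxxxxxxxxx'
    option key 'SU0kQIV1Jkaa70UK9AYbxxxxxxxxx'
    #option capath '/etc/ssl/certs'
"

# uci_opt NAME CONFIG_TEXT -> value of the first uncommented "option NAME '...'" line.
# Off-device stand-in for `uci get openwisp.http.NAME`; "#option" lines are ignored.
uci_opt() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*option $1 '\([^']*\)'.*/\1/p" | head -n 1
}

# audit_config CONFIG_TEXT -> prints findings; returns 0 only when the stanza is
# both safe (https, verification on) and usable (capath, if set, exists).
audit_config() {
    cfg="$1"; rc=0
    url=$(uci_opt url "$cfg")
    verify=$(uci_opt verify_ssl "$cfg")
    capath=$(uci_opt capath "$cfg")
    case "$url" in
        https://*) ;;
        *) echo "UNSAFE: controller url is not https ($url)"; rc=1 ;;
    esac
    # openwisp-config verifies by default; only an explicit '0' turns it off
    if [ "$verify" = "0" ]; then
        echo "UNSAFE: verify_ssl '0': anyone on the path can impersonate the controller and push config"
        rc=1
    fi
    if [ -n "$capath" ] && [ ! -d "$capath" ]; then
        echo "BROKEN: capath '$capath' is not a directory (curl cannot read the CA path: exit code 77)"
        rc=1
    fi
    return $rc
}

# fixed_config CAPATH -> the corrected stanza: verification on, CA directory set.
fixed_config() {
    printf "config controller 'http'\n    option url 'https://10.0.1.253'\n    option verify_ssl '1'\n    option capath '%s'\n" "$1"
}

# install_ca CERT_PEM CAPATH -> copy the CA cert into CAPATH and add the
# <subject-hash>.N link that curl's OpenSSL backend looks up in a --capath
# directory (the layout c_rehash produces). Prints the link path.
install_ca() {
    cert="$1"; dir="$2"; name=$(basename "$cert")
    mkdir -p "$dir"
    cp "$cert" "$dir/$name"
    hash=$(openssl x509 -in "$cert" -noout -hash) || return 1
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    ln -sf "$name" "$dir/$hash.$n"
    echo "$dir/$hash.$n"
}

# Demo: build a throwaway CA (stand-in for the controller's self-created CA),
# install it into a private capath, and confirm OpenSSL finds it by hash.
demo() {
    tmp=$(mktemp -d); mkdir -p "$tmp/certs"
    if command -v openssl >/dev/null 2>&1; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example OpenWISP CA" \
            -keyout "$tmp/ca.key" -out "$tmp/ca.crt" >/dev/null 2>&1
        echo "hash link: $(install_ca "$tmp/ca.crt" "$tmp/certs")"
        openssl verify -CApath "$tmp/certs" "$tmp/ca.crt"
        echo "then on the router: curl --capath $tmp/certs https://10.0.1.253/"
    else
        echo "openssl not found; skipping CA install demo"
    fi
    echo "--- posted config with verify_ssl '0' ---"
    audit_config "$SAMPLE_CONFIG" || true
    echo "--- corrected config ---"
    audit_config "$(fixed_config "$tmp/certs")" || true
    rm -rf "$tmp"
}
demo
```

On the router itself the value lookup is `uci get openwisp.http.verify_ssl`; the audit above reads a text copy so it can run off-device over a fleet's configs. The hash link is the caveat worth knowing before dropping a PEM into `/etc/ssl/certs`: curl built against OpenSSL finds a CA in a capath directory by its subject-hash filename, not by scanning every file, so which library the agent's curl was built against (the question asked in the thread) decides whether the bare copy is enough. Adding the link does no harm for the other backends, and a missing or unreadable directory is exactly the "path? access rights?" case behind exit code 77.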
