#18232: OpenWRT 14.07 creates SSL certs with identical serial numbers on different devices
-------------------------+-------------------------------------------------
  Reporter: painterengr@… | Owner: developers
      Type: defect        | Status: new
  Priority: high          | Milestone: Barrier Breaker 14.07
 Component: packages      | Version: Barrier Breaker 14.07
Resolution:               | Keywords: ssl https serial number certificate
-------------------------+-------------------------------------------------
Comment (by anonymous):
This sounds like a case of missing entropy, typical of embedded
devices. (See e.g. #9631 for more discussion.)
When the device boots, it has the defaults from ROM including date/time
etc., so the random number generator is always initialized the same way.
In this case the reason is probably the self-signed-key generator in px5g,
which uhttpd uses to generate the SSL key. In px5g the random number
generator is initialized with the device time just before the serial
generation, which during early boot is probably always 1.1.1970 or
something like that. (Better havege-based randomization seems to be used
for the actual key, but this serial number is generated in a simple way.)
http://git.openwrt.org/?p=openwrt.git;a=blob;f=package/utils/px5g-standalone/src/library/x509write.c;hb=HEAD#l1020
{{{
srand((unsigned int) time(NULL));
serial = rand();
if ((ret = asn1_add_int(serial, &chain->serial)) != 0)
return ret;
}}}
Actually, during the boot process the device time should be set based on
dates of files in /etc, but that may happen a few seconds later than this
key generation.
(Removing the key generated in the initial boot and restarting the uhttpd
service should enable it to generate a more unique key.)
--
Ticket URL: <https://dev.openwrt.org/ticket/18232#comment:1>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
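The weakness the comment describes, as an added example that is not px5g or OpenWrt code: clock-seeded rand() gives every device booting at the epoch the same serial, while a serial filled from the kernel CSPRNG does not. It assumes /dev/urandom is readable and models the no-RTC boot clock as a fixed epoch value.

```c
/* Added example (not px5g or OpenWrt code): reproduces the serial-number
 * weakness from the ticket and shows a CSPRNG-backed alternative. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Same pattern as px5g: seed libc's PRNG with the clock, take one rand().
 * boot_time models time(NULL) on a device without a battery-backed RTC,
 * which reads as the epoch on every early boot (assumption for the demo). */
int weak_serial(time_t boot_time) {
    srand((unsigned int) boot_time);
    return rand();
}

/* Two "devices" booting with the same default clock get the same serial. */
int weak_serials_collide(void) {
    time_t epoch_boot = 0;            /* 1.1.1970, as described in the ticket */
    return weak_serial(epoch_boot) == weak_serial(epoch_boot);
}

/* Hardened variant: 128 bits from the kernel CSPRNG instead of the clock.
 * Top bit cleared so the DER INTEGER stays positive (RFC 5280 requires a
 * positive serial); 0x40 set so it is non-zero with no leading zero octet.
 * Returns 0 on success, -1 if /dev/urandom cannot be read. */
int strong_serial(uint8_t out[16]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(out, 1, 16, f);
    fclose(f);
    if (n != 16) return -1;
    out[0] = (uint8_t)((out[0] & 0x7f) | 0x40);
    return 0;
}

/* Returns 1 when two CSPRNG-backed serials were generated and differ. */
int strong_serials_differ(void) {
    uint8_t a[16], b[16];
    if (strong_serial(a) != 0 || strong_serial(b) != 0) return 0;
    return memcmp(a, b, 16) != 0;
}

int main(void) {
    uint8_t s[16];
    printf("clock-seeded serials collide: %d\n", weak_serials_collide());
    if (strong_serial(s) == 0) {
        for (int i = 0; i < 16; i++) printf("%02x", s[i]);
        printf("\n");
    }
    return 0;
}
```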