summaryrefslogtreecommitdiff
path: root/package/network/services/uhttpd
diff options
context:
space:
mode:
authorHannu Nyman <hannu.nyman@iki.fi>2016-10-06 20:37:59 +0300
committerJohn Crispin <john@phrozen.org>2016-10-26 15:16:52 +0200
commit9097dc5ad844c336020be11085e1c8c80390ac9c (patch)
tree9ef04dec717c6f62ded30f4277537b5d110679cb /package/network/services/uhttpd
parent82132540a3efbc98f8f4379b26d4b4541013e69d (diff)
downloadmtk-20170518-9097dc5ad844c336020be11085e1c8c80390ac9c.zip
mtk-20170518-9097dc5ad844c336020be11085e1c8c80390ac9c.tar.gz
mtk-20170518-9097dc5ad844c336020be11085e1c8c80390ac9c.tar.bz2
uhttpd: create self-signed certificates with unique subjects
Add a partially random O= item to the certificate subject in order to make the automatically generated certificates' subjects unique. Firefox has problems when several self-signed certificates with CA:true attribute and identical subjects have been seen (and stored) by the browser. Reference to upstream bugs: https://bugzilla.mozilla.org/show_bug.cgi?id=1147544 https://bugzilla.mozilla.org/show_bug.cgi?id=1056341 https://bugzilla.redhat.com/show_bug.cgi?id=1204670#c34 Certificates created by the OpenSSL one-liner fall into that category. Avoid identical certificate subjects by including a new 'O=' item with CommonName + a random part (8 chars). Example: /CN=LEDE/O=LEDEb986be0b/L=Unknown/ST=Somewhere/C=ZZ That ensures that the browser properly sees the accumulating certificates as separate items and does not spend time trying to form a trust chain from them. Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Diffstat (limited to 'package/network/services/uhttpd')
-rwxr-xr-xpackage/network/services/uhttpd/files/uhttpd.init3
1 files changed, 2 insertions, 1 deletions
diff --git a/package/network/services/uhttpd/files/uhttpd.init b/package/network/services/uhttpd/files/uhttpd.init
index 35c1985..a2dbcd2 100755
--- a/package/network/services/uhttpd/files/uhttpd.init
+++ b/package/network/services/uhttpd/files/uhttpd.init
@@ -46,12 +46,13 @@ generate_keys() {
# Prefer px5g for certificate generation (existence evaluated last)
local GENKEY_CMD=""
+ local UNIQUEID=$(dd if=/dev/urandom bs=1 count=4 | hexdump -e '1/1 "%02x"')
[ -x "$OPENSSL_BIN" ] && GENKEY_CMD="$OPENSSL_BIN req -x509 -outform der -nodes"
[ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -der"
[ -n "$GENKEY_CMD" ] && {
$GENKEY_CMD \
-days ${days:-730} -newkey rsa:${bits:-2048} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
- -subj /C="${country:-DE}"/ST="${state:-Saxony}"/L="${location:-Leipzig}"/CN="${commonname:-Lede}"
+ -subj /C="${country:-DE}"/ST="${state:-Saxony}"/L="${location:-Leipzig}"/O="${commonname:-Lede}$UNIQUEID"/CN="${commonname:-Lede}"
sync
mv "${UHTTPD_KEY}.new" "${UHTTPD_KEY}"
mv "${UHTTPD_CERT}.new" "${UHTTPD_CERT}"