doc:howto:wget-ssl-certs

Differences

This shows you the differences between two versions of the page.

doc:howto:wget-ssl-certs [2012/12/03 21:04]
avalon a little IMO useful information
doc:howto:wget-ssl-certs [2014/06/29 20:33] (current)
motherjoker
Line 13: Line 13:
 To connect to dyndns.com insecurely, use `--no-check-certificate'​.''​ To connect to dyndns.com insecurely, use `--no-check-certificate'​.''​
  
-The bug has been fixed, but wget hasn't had a release since 22-Sep-2009. As of 16-Mar-2011,​ [[http://​lists.gnu.org/​archive/​html/​bug-wget/​2011-03/​msg00015.html|it looks like]] a new version of wget will be released "​soon",​ which will contain this patch.+<del>The bug has been fixed, but wget hasn't had a release since 22-Sep-2009. As of 16-Mar-2011,​ [[http://​lists.gnu.org/​archive/​html/​bug-wget/​2011-03/​msg00015.html|it looks like]] a new version of wget will be released "​soon",​ which will contain this patch.</​del> ​ wget (1.13.4-1) is now available in the OpenWRT repositories.
  
 ====Install wget (with SSL)==== ====Install wget (with SSL)====
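Review bot: the sentence added to the replaced paragraph ("wget (1.13.4-1) is now available in the OpenWRT repositories") gives no date or OpenWrt release name, unlike the struck-through text it supersedes (pinned to 16-Mar-2011), so readers cannot tell which firmware builds carry the fixed package; suggest naming the release. It would also help to say, next to the wget message quoted above it, that the `--no-check-certificate` workaround turns off certificate verification entirely and should be dropped once the fixed package is installed.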
Line 28: Line 28:
   - Update shell: <code bash>​source /​etc/​profile</​code>​   - Update shell: <code bash>​source /​etc/​profile</​code>​
   - you can also use ''/​etc/​ssl/​certs''​ directory with ''​curl --capath''​   - you can also use ''/​etc/​ssl/​certs''​ directory with ''​curl --capath''​
 +Note: if you need SSL in your DDNS client, look also here [[ddns.client#​using.wget]]
  
 ==== Adding root certificates ==== ==== Adding root certificates ====
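Review bot: the added note links to a bare page id (`[[ddns.client#using.wget]]`) while the other links on the page use full ids such as `doc:howto:...`; if the target page is not in the same namespace as this one the link will be dead, so either write the full id or confirm it resolves. A blank line before the "Note:" line would also keep it from reading as a continuation of the preceding list item.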
Line 33: Line 34:
 Most browsers/​distributions/​etc ship with root certificates from the major Certificate Authorities,​ such as VeriSign and GeoTrust. Root certificates are used to validate the certificates presented by servers. OpenWRT does not include root certificates,​ so it is up to you to install them. Most browsers/​distributions/​etc ship with root certificates from the major Certificate Authorities,​ such as VeriSign and GeoTrust. Root certificates are used to validate the certificates presented by servers. OpenWRT does not include root certificates,​ so it is up to you to install them.
  
-Let say we want to install the root certificate authority for dyndns.org. The domain https://​members.dyndns.org is signed by the [[http://​www.geotrust.com/​resources/​root_certificates/​certificates/​Equifax_Secure_Certificate_Authority.cer | "​Equifax"​ root certificate]]. We need to download the root certificate,​ then place it in the certificate directory. Certificates in /​etc/​ssl/​certs must be named after their hash value so that they can be found.+Let say we want to install the root certificate authority for dyndns.org. The domain https://​members.dyndns.org is signed by the <del>[[http://​www.geotrust.com/​resources/​root_certificates/​certificates/​Equifax_Secure_Certificate_Authority.cer | "​Equifax"​ root certificate]]</​del>​. We need to download the root certificate,​ then place it in the certificate directory. Certificates in /​etc/​ssl/​certs must be named after their hash value so that they can be found.
  
-It is easier to find the root certificate with any modern web browser (e.g. firefox) by opening the site with https, viewing the certificate and exporting it from the browser to a pem file.+It is easier to find the root certificate with any modern web browser (e.g. firefox) by opening the site with https, viewing the certificate and exporting it from the browser to a pem or base64 cer file.  Using openssl s_client allows for easy downloading of the remote server'​s SSL certificate chain. ​ You should verify the chain you get with another source such as your web browser.
  
 The first step is installing ''​openssl-util'':<​code>​opkg install openssl-util</​code>​ The first step is installing ''​openssl-util'':<​code>​opkg install openssl-util</​code>​
  
-Now you can use either the manual method or the add-cert.sh script below to install certs into /​etc/​ssl/​certs. Make sure to use openssl from the OpenWrt device because if you try this from your linux PC, you may get a completely different hash for the same exact certificate.+Now you can use either the manual method or the add-cert.sh script below to install certs into /​etc/​ssl/​certs. Make sure to use openssl from the OpenWrt device because if you try this from your linux PC, you may get a completely different hash for the same exact certificate ​due to a difference in the version of openssl.
  
 ===Adding certificates manually=== ===Adding certificates manually===
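Review bot: striking out the Equifax link leaves the first paragraph reading "The domain https://members.dyndns.org is signed by the ." with no issuer named; either name the CA that currently signs the certificate or drop the fragment. On the new `openssl s_client` advice: downloading the chain from the very server you are about to trust is a first-connection leap of faith, so the closing "You should verify the chain you get with another source" is the essential step rather than an optional one; suggest phrasing it as a requirement and saying what to compare (the issuer certificate's fingerprint as shown by the browser).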
Line 46: Line 47:
 |<code bash> |<code bash>
 cd /​etc/​ssl/​certs cd /​etc/​ssl/​certs
-wget http://www.geotrust.com/​resources/​root_certificates/​certificates/​Equifax_Secure_Certificate_Authority.cer+openssl s_client -connect members.dyndns.org:443 < /dev/null > temporary.out 
 +openssl x509 -outform PEM < temporary.out > members.dyndns.org.cer 
  
 ##### create link using the hash value from openssl ##### ##### create link using the hash value from openssl #####
 # store certificate hash value in HASH append .0 # store certificate hash value in HASH append .0
-HASH=`openssl x509 -hash -noout -in Equifax_Secure_Certificate_Authority.cer`.0+HASH=`openssl x509 -hash -noout -in members.dyndns.org.cer`.0
  
 # create link # create link
-ln -s Equifax_Secure_Certificate_Authority.cer $HASH+ln -s members.dyndns.org.cer $HASH
 </​code>​| </​code>​|
 //Note: If another cert has the same hash use suffix ''​.1''​ or ''​.2''​ instead of ''​.0''​. To see the hash value type ''​echo $HASH''​.//​ //Note: If another cert has the same hash use suffix ''​.1''​ or ''​.2''​ instead of ''​.0''​. To see the hash value type ''​echo $HASH''​.//​
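Review bot: `openssl x509 -outform PEM < temporary.out` extracts only the first certificate in the s_client output, which is the server's own (leaf) certificate for members.dyndns.org, not the root CA that the surrounding text says is being installed; hashing and linking that file into /etc/ssl/certs makes wget trust this one server certificate, which stops working when dyndns.org renews or reissues it and validates no other site signed by the same CA. Suggest running s_client with `-showcerts` so the whole chain the server sends is visible, and noting that the root itself is normally not sent by the server and must be obtained from the CA or the browser as the paragraph above describes. Also `temporary.out` is left behind in /etc/ssl/certs and should be removed, and the old file name `Equifax_Secure_Certificate_Authority.cer` made clear this was a CA certificate, whereas `members.dyndns.org.cer` reads as a server certificate.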
Line 113: Line 116:
   echo "​Option:​ -f      force overwriting if certificate exists"​ >&2   echo "​Option:​ -f      force overwriting if certificate exists"​ >&2
 fi</​code>​| fi</​code>​|
 +
 +===Adding certificates through opkg===
 +You can use opkg to install the certificates from the major CA
 +<​code>​opkg install ca-certificates</​code>​
 +Now you have the major root certificates installed in /​etc/​ssl/​certs
  
 ===== Trouble Shooting ===== ===== Trouble Shooting =====
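Review bot: the new "Adding certificates through opkg" section is the simplest and safest route on the page (the roots come curated by the distribution rather than exported from a browser or fetched from the server being trusted), yet it is appended after the manual and script methods; suggest moving it ahead of them, or at least stating at the top of "Adding root certificates" that `opkg install ca-certificates` makes the manual steps unnecessary for the major CAs. Minor: "from the major CA" should read "CAs" and the sentence needs a full stop.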
Line 130: Line 138:
  
  --- //[[joda]] 2010/06/19 20:57//  --- //[[joda]] 2010/06/19 20:57//
 +
 +
 +==== Confirm wget SSL root ====
 +
 +Example: ​ wget https://​members.dyndns.org/​
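Review bot: the new "Confirm wget SSL root" section gives a command but not what outcome confirms success; state that the check passes when wget completes without the certificate error whose `--no-check-certificate` hint is quoted at the top of the page, and that seeing that hint means the root is still not found. The example is also plain text while every other command on the page is in a `<code>` block; suggest `<code bash>wget --spider https://members.dyndns.org/</code>` (or `-O /dev/null`) so the check does not leave an index.html behind.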
doc/howto/wget-ssl-certs.1354565090.txt.bz2 · Last modified: 2012/12/03 21:04 by avalon