Differences
This shows you the differences between two versions of the page.
|
inbox:dnscrypt [2012/07/25 23:56] 70d7a4f46 dnscrypt config file added |
inbox:dnscrypt [2012/10/11 11:22] (current) omonar |
||
|---|---|---|---|
| Line 116: | Line 116: | ||
| * <code>logread | grep "Proxying from"</code> | * <code>logread | grep "Proxying from"</code> | ||
| * <code>Jul 1 12:00:00 openwrt daemon.info dnscrypt-proxy[1831]: Proxying from 127.0.0.1:2053 to 208.67.220.220:443</code> | * <code>Jul 1 12:00:00 openwrt daemon.info dnscrypt-proxy[1831]: Proxying from 127.0.0.1:2053 to 208.67.220.220:443</code> | ||
| + | |||
| + | ==== Suspicious certificate received [brcm-2.4] ==== | ||
| + | If dnscrypt-proxy is compiled for brcm-2.4 with a standard [[http://wiki.openwrt.org/about/toolchain/|OpenWrt toolchain]], then reception of "suspicious" certificate is reported. | ||
| + | |''root@OpenWrtRouter:/tmp# ./dnscrypt-proxy -a 127.0.0.1:2053 | ||
| + | [INFO] Generating a new key pair | ||
| + | [INFO] Done | ||
| + | [ERROR] Suspicious certificate received | ||
| + | [ERROR] No useable certificates found | ||
| + | [INFO] Refetching server certificates | ||
| + | [ERROR] Suspicious certificate received | ||
| + | [ERROR] No useable certificates found''| | ||
| + | This kind of behavior is caused by a possible optimization bug in gcc-3.4.6 when the following CFLAGS are used | ||
| + | |''-Os -pipe -mips32 -mtune=mips32 -funit-at-a-time''| | ||
| + | It seems that crypto_hash_sha512() in dnscrypt-proxy/src/libnacl is wrongly optimized by gcc-3.4.6 because the dnscrypt-proxy/src/libnacl/tests/hash3.c test fails. | ||
| + | |''root@OpenWrtRouter:/tmp# ./hash3.exe > hash3.txt | ||
| + | root@OpenWrtRouter:/tmp# cat hash3.txt | ||
| + | 2b05e11a68d27841f23040799b036d1849bbc9d2b8dbd18b86073207e93e3ae5b74446174314163e67254466d89cb05cf995582f08547324f6b9aa45646d6c28 | ||
| + | root@OpenWrtRouter:/tmp# cat hash3.out | ||
| + | 24f950aac7b9ea9b3cb728228a0c82b67c39e96b4b344798870d5daee93e3ae5931baae8c7cacfea4b629452c38026a81d138bc7aad1af3ef7bfd5ec646d6c28''| | ||
| + | To fix the problem, one can compile dnscrypt-proxy with -O2 optimization flag. Run | ||
| + | <code>make menuconfig</code> | ||
| + | and put | ||
| + | |''-O2 -pipe -mips32 -mtune=mips32 -funit-at-a-time''| | ||
| + | in Advanced configuration options (for developers) -> Target Options. Then | ||
| + | |''make package/dnscrypt-proxy/compile V=99''| | ||
| + | produces correct dnscrypt-proxy package. | ||
| + | |||
| + | With -O2 optimization crypto_hash_sha512() in dnscrypt-proxy/src/libnacl is now correctly optimized | ||
| + | |''root@OpenWrtRouter:/tmp# ./hash3.exe > hash3.txt | ||
| + | root@OpenWrtRouter:/tmp# cat hash3.txt | ||
| + | 24f950aac7b9ea9b3cb728228a0c82b67c39e96b4b344798870d5daee93e3ae5931baae8c7cacfea4b629452c38026a81d138bc7aad1af3ef7bfd5ec646d6c28 | ||
| + | root@OpenWrtRouter:/tmp# cat hash3.out | ||
| + | 24f950aac7b9ea9b3cb728228a0c82b67c39e96b4b344798870d5daee93e3ae5931baae8c7cacfea4b629452c38026a81d138bc7aad1af3ef7bfd5ec646d6c28''| | ||
| + | and dnscrypt-proxy works flawlessly | ||
| + | |''root@OpenWrtRouter:/tmp# ./dnscrypt-proxy -a 127.0.0.1:2053 | ||
| + | [INFO] Generating a new key pair | ||
| + | [INFO] Done | ||
| + | [INFO] Server certificate #1346958918 received | ||
| + | [INFO] This certificate looks valid | ||
| + | [INFO] Server key fingerprint is 6228:62A6:CA4D:F1E8:37A7:C486:4F66:E692:0B5E:34F8:B110:597D:5BA0:BAB6:AF03:FA75 | ||
| + | [INFO] Proxying from 127.0.0.1:2053 to 208.67.220.220:443''| | ||
| ===== Notes ===== | ===== Notes ===== | ||
inbox/dnscrypt.1343253411.txt.bz2 · Last modified: 2012/07/25 23:56 by 70d7a4f46