OpenWrt Forum Archive

Topic: curl, -k is NOT a solution! :)

The content of this topic has been archived on 10 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

At first, I thought my new server side ssl certs were not installed right, yet they work fine with different browsers.
When I tried using openwrt curl, I kept getting errors so thought the problem was at my end.


I spent hours looking for answers but have yet to find much which tells me anything.
Many dumb posts from people offering -k as a solution which it isn't*** other than a quick fix if you simply must connect but in my case, it's for a running script, not a one time use.


Found a couple of interesting posts which finally made me realize the problem wasn't at my end by testing other sites using https and sure enough I saw the following.


# curl -v https://google.com
* Cert verify failed: BADCERT_NOT_TRUSTED
curl: (51) Cert verify failed: BADCERT_NOT_TRUSTED


# curl https://www.google.com/ --cacert /tmp/ca-bundle.crt
curl: (77) Error reading ca cert file /tmp/ca-bundle.crt - PolarSSL: (-0x2900) X509 - Read/write of file failed


My image builder version is 14.07,r42625 and the curl version is

curl 7.38.0 (mips-openwrt-linux-gnu) libcurl/7.38.0 PolarSSL/1.3.8
Protocols: file ftp ftps http https
Features: IPv6 Largefile SSL


I don't seem to have openssl installed and cannot confirm anywhere if that might be the problem or something else I need to install in my build.


Hoping someone can shed some light!

Thanks.

(Last edited by projects on 21 Jul 2015, 19:41)

I found an interesting article on google cache which touches on this;

http://webcache.googleusercontent.com/s … &gl=us

It says, if you get the above error, install ca-certificates

I did that. It then says if curl still doesn't work, you have to add the following in /etc/profile if it doesn't
exist;

export SSL_CERT_DIR=/etc/ssl/certs

Then it says, if things still don't work, you might have to run the following an re-try;

source /etc/profile

So, I gave it all a try and now get;

# curl -v https://google.com
* Error reading ca cert path /etc/ssl/certs - PolarSSL: (-0x2900) X509 - Read/write of file failed
curl: (77) Error reading ca cert path /etc/ssl/certs - PolarSSL: (-0x2900) X509 - Read/write of file failed

So obviously, adding the package changed something but how do I get past this now?

So I thought, ah, it's missing those directories...

# mkdir /etc/ssl
# mkdir /etc/ssl/certs

# curl -v https://google.com
* Cert verify failed: BADCERT_NOT_TRUSTED
curl: (51) Cert verify failed: BADCERT_NOT_TRUSTED

Uh? Now I'm back to square one again.

This *seems* to be a lead but is way over my head.
http://wiki.openwrt.org/doc/howto/wget-ssl-certs

(Last edited by projects on 21 Jul 2015, 20:30)

By default no certificates are installed on OpenWrt
Install ca-certificates package and use "--capath /etc/ssl/certs" command option
or run

mkdir -p -m0755 /etc/ssl/certs
curl -o /etc/ssl/certs/ca-certificates.crt http://curl.haxx.se/ca/cacert.pem

and use "--cacert /etc/ssl/certs/ca-certificates.crt" command option for SSL connections
possibly use .curlrc file in your home directory.

Ok, That is where I was trying next.

I did this; mkdir -p -m0755 /etc/ssl/certs

I did this based on your input now. I assume you replace the domain with which ever domain I am trying to reach?
curl -o /etc/ssl/certs/ca-certificates.crt http://curl.haxx.se/ca/cacert.pem

Then I have been testing using -cacert

# curl -o --cacert /etc/ssl/certs/ca-certificates.crt https://google.com/
curl: (3) <url> malformed
curl: (51) Cert verify failed: BADCERT_NOT_TRUSTED
root@FNC-TL703:~# curl -o /etc/ssl/certs/ca-certificates.crt https://google.com/ca/cacert.pem
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (51) Cert verify failed: BADCERT_NOT_TRUSTED

# curl -o --cacert /etc/ssl/certs/ca-certificates.crt https://google.com/
curl: (3) <url> malformed
curl: (51) Cert verify failed: BADCERT_NOT_TRUSTED


Obviously, I am still missing a step.

(Last edited by projects on 21 Jul 2015, 20:43)

Ah, I see, I needed to take you literally smile

curl -o /etc/ssl/certs/ca-certificates.crt http://curl.haxx.se/ca/cacert.pem

Now things seem to be working. Testing.

curl -o --ca...... what is this -o without parameter inside ?
malformed url should be the first thing to look at

curl -o - --cacert /etc/ssl/certs/ca-certificates.crt https://www.google.de

works fin for me.

Yes, my error but recovered and all is working now. Thank you so much for responding and helping!


Question. In my image builder builds, files structure, I'll add /etc/ssl/certs/ca-certificates.crt
Do I need to add anything in /etc/profile, as mentioned above, adding export SSL_CERT_DIR=/etc/ssl/certs into it?
Anything else I need to do in order to have this work immediately on a new build?

14.07 default libcurl SSL:

(X) PolarSSL                             
( ) CyaSSL                               
( ) axTLS                                
( ) OpenSSL                              
( ) GNUTLS                               
( ) No SSL support 

Select  OpenSSL then recompile libcurl?

I'm not a programmer so that is way over my head. It seems to work based on the input from chris5560 so all I need to do now is set this up in my image builder build so it will work when I build.

Seems all I needed to add was the root certs in files/etc/ssl/certs and nothing else.
Seems to be working.

I'm normally using ca-certificates package in my builds.
It uses nearby the same size like the one file http://curl.haxx.se/ca/cacert.pem
A package is easier to use in package builder or installable via opkg package manager.
I don't know what default path/file for is compiled into curl.
That's the reason why I always use --cacert or --capath option or using .curlrc file in my home directory.

I actually installed ca-certificates in my build but still had the problem until I downloaded the root file as you suggested.

Came across this problem too and it eats me :-( Interestingly, it does not work only with some sites with broken certificates and only on openwrt. There's reopened ticket, I hope it will be solved: https://dev.openwrt.org/ticket/19621

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* ssl_handshake returned - PolarSSL: (-0x4080) RSA - Bad input parameters to function
curl: (35) ssl_handshake returned - PolarSSL: (-0x4080) RSA - Bad input parameters to function

I just run into

curl: (35) ssl_handshake returned - PolarSSL: (-0x7780) SSL - A fatal alert message was received from our peer

issue on Xiaomi Mini Router running

root@OpenWrt-IoT:~# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='15.05.1'
DISTRIB_REVISION='r48532'
DISTRIB_CODENAME='chaos_calmer'
DISTRIB_TARGET='ramips/mt7620'
DISTRIB_DESCRIPTION='OpenWrt Chaos Calmer 15.05.1'
DISTRIB_TAINTS=''

I have ca-certificates installed as well as cacert.pem from htt-ps:-//-curl.haxx.se/docs/caextract.html

What is interesting is that some of the curled servers trigger this error and some are not.

Since I operate both kinds of those servers I was able to compare the settings and boiled the problem down to ssl ciphers.

With this settings I get curl: (35) ssl_handshake returned

ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

with this one the page loads.

ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';

This issue is only going to get bigger with time, because the above mentioned non functional cipher set is recommended by the TLS Observatory - htt-ps:-//-wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

Does this mean that openwrt curl needs to be updated or something else, like the ca-certificaes?

I don't think this is a particular problem of curl or ca-certificates for this matter. This issue lies deeper in the used SSL Library.

htt-ps://curl.haxx.se/docs/ssl-compared.html
Has a nice comparison of SSL Lib capabilities.

htt-ps://curl.haxx.se/docs/ssl-ciphers.html
And here is a list of supported Ciphers by some of the Libraries.

Upgrading PolarSSL now known under the name mbed TLS would be probably the right way to go.

The discussion might have continued from here.