#52 generate unique HTTPS SSL Certificate and SSH certificate

App Beta 05
closed
firmware (13)
2013-10-11
2013-10-03
No

axhttpd needs reconfiguration via "make menuconfig" in order to enable external key files.

Uncheck "SSL Library->Enable default key"
And set "SSL Library->Private key file location" to "/etc/axhttpd.key"
Also set "SSL Library->Generate X.509 Certificate->X.509 Common Name" to "OggStreamer"

This config lets axhttpd use the /etc/axhttpd.key file and generate the certificate on startup.

The key file is not generated on the OggStreamer, so on the (Linux) PC issue the following commands.
Generate the private key (a 1024-bit key is used in this example):

~~~~
openssl genrsa -out my_private_key.pem 1024
~~~~

Convert the private key into DER format:

~~~~
openssl rsa -in ./my_private_key.pem -out ./my_private_key -outform DER
~~~~

And transfer my_private_key to /etc/axhttpd.key (on the OggStreamer).

=====================

dropbear: the Lantronix 2.0.0.3 SDK uses dropbear 0.52, which has a vulnerability when using a public key (authorized_keys file) for user authentication. We don't use this feature, but OggStreamer users should be aware of this issue. Using the newer dropbear-2013.59 with the Lantronix SDK was straightforward (same issues within scp.c: #ifdef HAVE_CYGWIN setmode(O_BINARY), which has to be commented out), but dropbear-2013.59 shows awfully long connection setup times, so we stick with dropbear 0.52 at the moment.

To regenerate the host key files, one has to consider that we are using AUFS, so we first need to create the directory /mnt/flash/etc/dropbear before we can replace/overlay the files on the romfs (/etc/dropbear).

~~~~
mkdir /mnt/flash/etc/dropbear
cd /mnt/flash/etc/dropbear
dropbearkey -t dss -f dropbear_dss_host_key
dropbearkey -t rsa -f dropbear_rsa_host_key
/sbin/reboot
~~~~

Note that this takes some minutes (especially generating the DSS key takes a while).
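
The axhttpd key steps above (generate, convert to DER, then transfer), wrapped in shell functions that also check the DER file on the PC before it is copied to the device. This is an added example, not part of the ticket or the OggStreamer sources; the function names and the 2048-bit default are assumptions (the ticket's own example uses 1024), and der_key_format only reports which DER structure the installed openssl wrote.

```shell
#!/bin/sh
# Added example (not from the ticket). Function names are illustrative.

# make_axhttpd_key OUTDIR [BITS]: run the two openssl steps with a restrictive
# umask, then check the DER file before it is copied to /etc/axhttpd.key.
make_axhttpd_key() {
    outdir=$1
    bits=${2:-2048}          # assumption: 2048 default; the ticket's example uses 1024
    pem=$outdir/my_private_key.pem
    der=$outdir/my_private_key
    (
        umask 077            # key files readable by the owner only
        mkdir -p "$outdir" &&
        openssl genrsa -out "$pem" "$bits" 2>/dev/null &&
        openssl rsa -in "$pem" -out "$der" -outform DER 2>/dev/null
    ) || return 1
    # The DER file must parse as a consistent RSA key ...
    openssl rsa -inform DER -in "$der" -check -noout >/dev/null 2>&1 || return 1
    # ... and carry the same modulus as the PEM it was converted from.
    [ "$(key_modulus PEM "$pem")" = "$(key_modulus DER "$der")" ]
}

# key_modulus FORMAT FILE: hex modulus of a private key ("" on failure).
key_modulus() {
    openssl rsa -inform "$1" -in "$2" -noout -modulus 2>/dev/null | sed 's/^Modulus=//'
}

# key_bits DERFILE: modulus size in bits (4 bits per hex digit).
key_bits() {
    hex=$(key_modulus DER "$1")
    echo $(( ${#hex} * 4 ))
}

# der_key_format DERFILE: "pkcs1" for a bare RSAPrivateKey, "pkcs8" for a
# PrivateKeyInfo wrapper. After SEQUENCE + INTEGER 0 (7 bytes for these key
# sizes) PKCS#1 continues with INTEGER (0x02), PKCS#8 with SEQUENCE (0x30).
der_key_format() {
    case $(od -An -tx1 -j7 -N1 "$1" | tr -d ' \n') in
        02) echo pkcs1 ;;
        30) echo pkcs8 ;;
        *)  echo unknown ;;
    esac
}

# key_fingerprint DERFILE: SHA-256 of the public key, for confirming that two
# devices were not provisioned with the same key.
key_fingerprint() {
    openssl rsa -inform DER -in "$1" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}
```

Recording key_fingerprint per device gives a quick way to spot two units that ended up with the same key.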

Discussion

  • Georg Ottinger

    Georg Ottinger - 2013-10-11
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -0,0 +1,35 @@
    +axhttpd need reconfiguration via "make menuconfig" in order to enable external key-files.
    +
    +Uncheck "SSL Library->Enable default key"
    +And set "SSL Library->Private key file location" to "/etc/axhttpd.key"
    +Also set "SSL Library->Generate X.509 Certificate->X.509 Common Name" to "OggStreamer"
    +
    +this config will let the axhttpd use the /etc/axhttpd.key File and generate the Certificate on startup. 
    +
    +the key-file is not generated on the OggStreamer - so on the (Linux-)PC issue the following commands:
    +generate the private key (a 1024 bit key is used in this example)
    +
    +> openssl genrsa -out my_private_key.pem 1024 
    +
    +convert the private key into DER format
    +
    +> openssl rsa -in ./my_private_key.pem -out ./my_private_key -outform DER
    +
    +and transfer my_private_key to /etc/axhttpd.key (on the OggStreamer) 
    +
    +=====================
    +
    +dropbear - the Lantronix 2.0.0.3 SDK is using dropbear 0.52 - which has a vulnarability when using a public key (authorized_keys file) for user authentification - We don't use this feature - but OggStreamer-Users should be aware of this issue - using a newer dropbear-2013.59 with the Lantronix SDK was straight forward (same issues within scp.c #ifdef HAVE_CYGWIN setmode(O_BINARY) - which has to be commented out) - but dropbear-2013.59 shows aweful long connection setup times so we stick to dropbear 0.52 at the moment.
    +
    +to regenerate the host_key_files - one has to consider that we are using AUFS so we first need to generate the directory /mnt/flash/etc/dropbear - before we can replace/overlay the files on the romfs (/etc/dropbear) 
    +
    +~~~~
    +mkdir /mnt/flash/etc/dropbear
    +cd /mnt/flash/etc/dropbear
    +dropbearkey -t dss -f dropbear_dss_host_key
    +dropbearkey -t rsa -f dropbear_rsa_host_key
    +/sbin/reboot
    +~~~~
    +
    +note that this takes some minutes (espacially generating dss takes a while)
    +
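Review bot: the key size in `openssl genrsa -out my_private_key.pem 1024` is too small for a long-lived device key; 1024-bit RSA is below the 2048-bit minimum in current guidance such as NIST SP 800-131A, so suggest 2048 here if axhttpd on the device handles it. The transfer step also leaves out how my_private_key reaches /etc/axhttpd.key and what mode the file should have; since the dropbear part explains that /etc is on romfs and needs the /mnt/flash overlay, say whether the same applies to /etc/axhttpd.key, and recommend an owner-only mode. In the dropbear block, `mkdir /mnt/flash/etc/dropbear` fails if /mnt/flash/etc does not exist yet; `mkdir -p` would cover that case.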
    
    • status: open --> closed
     
  • Georg Ottinger

    Georg Ottinger - 2013-10-11
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -9,11 +9,15 @@
     the key-file is not generated on the OggStreamer - so on the (Linux-)PC issue the following commands:
     generate the private key (a 1024 bit key is used in this example)
    
    -> openssl genrsa -out my_private_key.pem 1024 
    +~~~~~
    +openssl genrsa -out my_private_key.pem 1024 
    +~~~~~
    
     convert the private key into DER format
    
    -> openssl rsa -in ./my_private_key.pem -out ./my_private_key -outform DER
    +~~~~~
    +openssl rsa -in ./my_private_key.pem -out ./my_private_key -outform DER
    +~~~~~
    
     and transfer my_private_key to /etc/axhttpd.key (on the OggStreamer) 
    
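Review bot: the new fences around the two openssl commands use five tildes (`~~~~~`) while the dropbear block in the same description uses four (`~~~~`); pick one width so the markup stays consistent. Since the `openssl genrsa` line is being rewritten here anyway, this is also the place to revisit the 1024-bit key size it carries over unchanged.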
     
