[ARMv7/MIPSEL]Optware-ng[gcc-5.2.0][uClibc-ng-1.0.6]


Poll: mipsel feed needed?
Yes: 71% [ 5 ]
No: 14% [ 1 ]
Maybe: 14% [ 1 ]
Total Votes : 7

alllexx
DD-WRT Novice


Joined: 03 Aug 2014
Posts: 41
Location: Kyiv, Ukraine

Posted: Fri Apr 24, 2015 17:20
luiswu wrote:
It turns out that the build that I am using (Kong 25100M) comes with a pound executable and I haven't realized that until recently.

I was able to process https requests with that executable and a self-signed certificate, therefore I tend to believe that the problem with the optware pound must be a compilation issue, but I couldn't dig any further into that.

Still, it would be great if this issue can be fixed in the optware pound that you are managing, not all the builds come with this package and I suspect that sooner or later I will have to upgrade and will lose the "built-in" pound.

I'll upgrade the pound package and test if the other issues are fixed.


First of all, config and rc script are still flawed. I'll fix them soon. Second, I tried my self-signed certificate, and it works! This is how I create it:

Code:
# generate private key; this will take a while
/opt/bin/openssl genrsa -out privkey.pem 4096

# create a certificate signing request (CSR) file; some user input will be
# needed here, e.g., Country, State, Organization
/opt/bin/openssl req -new -key privkey.pem -out certreq.csr

# self-sign the CSR with your own private key
/opt/bin/openssl x509 -req -days 3650 -in certreq.csr -signkey privkey.pem -out newcert.pem

# concatenate the certificate and the private key into one file (server.pem)
/opt/bin/openssl x509 -in newcert.pem | cat - privkey.pem > server.pem


And use the generated server.pem in pound's Cert option.

UPD: fixed config and rc script. Though restart option doesn't work right on my test arm router: for some reason the script aborts after 'killall pound' command whatever I do. It's a mystery to me. But this may be my firmware bug.
luiswu
DD-WRT Novice


Joined: 07 Apr 2015
Posts: 13

Posted: Mon Apr 27, 2015 11:05
Thanks for the update, I can see the scripts now stop the pound processes.

Regarding the https issue, are you actually able to send https requests to a server behind the router? I've defined a service that listens on the https port and redirects the traffic to a server behind the router on port 80 using pem certificate as you do (pretty much like the pound tutorial instructs), however I am not able to pass the request to the server and I receive a message from the browser saying that it can't establish a secure connection.

However, If I try with the pound executable shipped with the build using the same config file and the same pem certificate I am able to get those requests through without problem.

This is apparently not consistent with your experience, any idea about what might we be doing differently?
alllexx
DD-WRT Novice


Joined: 03 Aug 2014
Posts: 41
Location: Kyiv, Ukraine

Posted: Mon Apr 27, 2015 12:05
luiswu wrote:
Thanks for the update, I can see the scripts now stop the pound processes.

Regarding the https issue, are you actually able to send https requests to a server behind the router? I've defined a service that listens on the https port and redirects the traffic to a server behind the router on port 80 using pem certificate as you do (pretty much like the pound tutorial instructs), however I am not able to pass the request to the server and I receive a message from the browser saying that it can't establish a secure connection.

However, If I try with the pound executable shipped with the build using the same config file and the same pem certificate I am able to get those requests through without problem.

This is apparently not consistent with your experience, any idea about what might we be doing differently?


https redirection works perfectly fine with a certificate generated the way I wrote earlier. Here's the relevant portion of the test config that I tried
Code:
ListenHTTPS
        Address 0.0.0.0
        Port    4413

        ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
        xHTTP           0

        Cert    "/opt/etc/lighttpd/ssl/server.pem"

        Service
                BackEnd
                        Address 192.168.*.*
                        Port    8080
                End
        End
End


It redirected https requests to my LAN http server on port 8080 just fine, I could access it via https://<wan_ip>:4413

Probably your own certificate is the more common 1024-bit RSA, unlike my 4096-bit one, and, as a wild guess, it may be rejected by the latest pound for security reasons. Try to generate a certificate using the method I cited earlier.
luiswu
DD-WRT Novice


Joined: 07 Apr 2015
Posts: 13

Posted: Thu Apr 30, 2015 16:06
You were right! The problem was the length of the key (1024 vs 4096). I regenerated the certificate as per your instructions and it works smoothly now.

The only thing that caught my attention is that Pound is spawning 133 processes in my router in order to handle the requests (ps | grep pound), which sounds a bit too much to my taste.

Is this behavior normal? The "old" version used to spawn a couple of processes. Thanks in any case for the fix.
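
The key-length cause confirmed in the post above can be checked before a bundle is handed to pound's Cert option. The script below is an added example, not part of the original posts or of Optware-ng; the function names, the `OPENSSL` and `MIN_BITS` variables and the 2048-bit threshold are assumptions of the example. It checks that the bundle holds both a certificate and a private key, that the two belong together, and reports the RSA key size.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the server.pem
# bundle that pound's Cert option points at.
OPENSSL=${OPENSSL:-/opt/bin/openssl}   # path used in the thread; override as needed
MIN_BITS=${MIN_BITS:-2048}             # assumed threshold for this example

# Read `openssl x509 -noout -text` output on stdin, print the key size in bits.
# Matches "Public-Key: (N bit)" as well as the older "RSA Public Key: (N bit)".
key_bits() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Classify a bit count: ok, weak, or unknown when nothing numeric was found.
verdict() {
    case "$1" in
        ''|*[!0-9]*) echo unknown ;;
        *) if [ "$1" -lt "$MIN_BITS" ]; then echo weak; else echo ok; fi ;;
    esac
}

# True when the file holds both a certificate and a private key PEM block.
bundle_has_both() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Full check: prints one status line, returns 0 only for a usable bundle.
check_bundle() {
    pem=$1
    bundle_has_both "$pem" || { echo "missing-block"; return 1; }
    cert_mod=$("$OPENSSL" x509 -in "$pem" -noout -modulus) || return 1
    key_mod=$("$OPENSSL" rsa -in "$pem" -noout -modulus) || return 1
    # The private key must be the one the certificate was issued for.
    [ "$cert_mod" = "$key_mod" ] || { echo "key-mismatch"; return 1; }
    bits=$("$OPENSSL" x509 -in "$pem" -noout -text | key_bits)
    result=$(verdict "$bits")
    echo "$result ${bits:-?} bit"
    [ "$result" = ok ]
}

if [ "$#" -gt 0 ]; then
    check_bundle "$1"
fi
```

Run it as `sh check_bundle.sh /opt/etc/lighttpd/ssl/server.pem` (the script file name is hypothetical); a 1024-bit bundle prints `weak 1024 bit` and exits non-zero.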
alllexx
DD-WRT Novice


Joined: 03 Aug 2014
Posts: 41
Location: Kyiv, Ukraine

Posted: Thu Apr 30, 2015 17:05
Great. I suppose it doesn't really matter how many processes it spawns as long as they don't take up too much of the CPU. If they do, btw, you can edit the startup script and set the 'nice' option to a higher value to decrease pound's priority (see http://en.wikipedia.org/wiki/Nice_%28Unix%29)
alllexx
DD-WRT Novice


Joined: 03 Aug 2014
Posts: 41
Location: Kyiv, Ukraine

Posted: Wed Sep 16, 2015 11:00
As of now, uClibc-0.9.33.2 feeds are deprecated. New uClibc-ng-1.0.6 feeds should be used instead. See project home page for migrating instructions. Note that migrating script has been tested by me on tomatousb arm and mipsel firmwares only, since I don't run DD-WRT. But I hope it should work with DD-WRT too.