Https in r33607 doesn't work

c7rax
DD-WRT Novice


Joined: 09 Nov 2017
Posts: 44

Posted: Wed Dec 06, 2017 0:28    Post subject: Https in r33607 doesn't work
I have activated https web access but still can't connect to the router with any current browser. And I was trying by LAN, not WAN. Is this some known fault of the dd-wrt fw or do I need to set some additional setting for it? Or maybe "https" is only accessible with the ssh tunneling method?
ian5142
DD-WRT Guru


Joined: 23 Oct 2013
Posts: 2318
Location: Canada

Posted: Wed Dec 06, 2017 14:16    Post subject: HTTPS
First of all, what model is your router? The reason I am asking is because not all builds include HTTPS.

Second, yes, some configuration is required. I can't seem to find the appropriate page though.

This is a way of doing it but it requires Optware or Entware to be installed. Unlike what the page recommends, I would use a USB stick, not JFFS (flash space). https://github.com/Neilpang/acme.sh/wiki/How-to-run-on-DD-WRT-with-lighttpd

Entware 3X is found here (mips is Atheros, mipsel is Broadcom): https://github.com/Entware-for-kernel-3x/Entware-ng-3x/wiki/General-installation-notes

Installation of Entware is found here, use links from other Entware page though: https://github.com/Entware-ng/Entware-ng/wiki/Install-on-DD-WRT

_________________
Before asking a question on the forums, update dd-wrt: Where do I download firmware? I suggest reading it all.
QCA Best WiFi Settings


Some dd-wrt wiki pages are up to date, others are not. PM me if you find an old one.

Atheros:
Netgear R7800 x3 - WDS AP / station, gateway, QoS
TP-Link Archer C7 v2 x2 - WDS Station
TP-Link TL-WDR3600 v1 - WDS Station
TP-Link 841nd v8 - NU
D-Link 615 C1/E3/I1 x 7 - 1 WDS station
D-Link 825 B1 - NU
D-Link 862L A1 x2 - WDS Station
Netgear WNDR3700v2 - NU
UBNT loco M2 x2 - airOS

Broadcom
Linksys EA6400 - Gateway, QoS
Asus N66U - AP
Netgear WNDR3700v3 - not used
MediaTek
UBNT EdgeRouter X - switch
sterlingh
DD-WRT User


Joined: 21 Apr 2009
Posts: 70

Posted: Wed Dec 06, 2017 16:59    Post subject:
Surely he is referring to https web administration? I have a unit that, while it has https options, I am unable to pull up the http+ssl interface on. I have another unit where https is functioning just fine. I would expect that if the router doesn't support (have enough space for) the ssl bits it wouldn't be presented in the web interface, but this is just an assumption.
c7rax
DD-WRT Novice


Joined: 09 Nov 2017
Posts: 44

Posted: Wed Dec 06, 2017 20:18    Post subject:
I am referring to the web administration pages of the router. Router TL-WR841N V8.4. I just wanted to use the https web interface to maintain the router options and not allow other users to put a sniffer into action to fetch the admin password, which of course is just a hypothetical threat for now. But if I have such an option, why not use it, I asked?
But it seems this https option doesn't do anything, it's just for looks. Well, in my case I still can't connect to the router with a secure connection.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Wed Dec 06, 2017 20:25    Post subject:
guys I guess he talks about something totally different
he can't access via web browser using https, where it says certificate error and then you have to click to allow this connection or permit/continue, it depends on the browser... some ppl just can't see it... I guess that's what he is into...
back in the days there was a trick how to generate a certificate for dd-wrt and upload it into nvram, to be able to use problem-free https access via web browser, but I've never bothered with it.....

p.s. ooops c7rax you posted it first

and yes you can use https for local LAN GUI access, you just have to click to allow/permit this connection because the dd-wrt certificate is out of date, but the connection is still https. And this sniffer paranoia: those sniffers must be someone already connected to the router on the LAN side, unless you expose https on the WAN, then it will be brute-forced in days

c7rax there are some tricks how to limit the GUI via iptables so for example only particular IPs or MAC addresses will be permitted to use the GUI, you can even change the GUI LAN port to something different than port 80

add those lines into administration>commands

# reject every LAN (br0) connection to the GUI port 80 ...
iptables -I INPUT -i br0 -p tcp --dport 80 -j REJECT
# ... then insert the exception for your own MAC; -I puts it above the REJECT rule, so it is checked first
iptables -I INPUT -i br0 -p tcp --dport 80 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

and save in firewall script
replace xx:xx:xx:xx:xx:xx with your mac address, use capital letters and numbers as it should

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
c7rax
DD-WRT Novice


Joined: 09 Nov 2017
Posts: 44

Posted: Thu Dec 07, 2017 9:34    Post subject:
It is not about the certificate. The browsers can't connect, there is no question from the browser about accepting an invalid/old certificate. Maybe the SSL version is too old for modern browsers. I tried to set the TLS min version in Firefox to 0, but it didn't help.

The fact I must admit is that browsers take much longer connecting to port 443 (default) than to any other given port, so maybe the router is listening for https connections. But the result is always the same - server didn't respond.

Shall I change anything else in the dd-wrt configuration? SSH on port 22 works.

I have found on different forums posts of people with the same issue with the web gui by https over the whole dd-wrt timeline, but none of these threads gave any solution - they were just discontinued.
So I have thought that maybe https just doesn't work in dd-wrt.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Thu Dec 07, 2017 12:19    Post subject:
just tested it on the latest FFx, it's working, as I said ppl very often do not read what is on the screen...
it says connection is not secure (because the dd-wrt certificate is not found in the browser lib), then you click on Advanced, then Add Exception, click on Confirm and you are in with an https connection...
if you want you can ggl how to add an https certificate to the browser or DD-WRT nvram, don't clearly remember but it was something like that...
it seems you can't see the elephant in the room..

c7rax
DD-WRT Novice


Joined: 09 Nov 2017
Posts: 44

Posted: Thu Dec 07, 2017 15:07    Post subject:
Alozaros wrote:
just tested it on the latest FFx, it's working, as I said ppl very often do not read what is on the screen...


Believe me, I know how the dialog for accepting an invalid/expired certificate looks in FF. Here there is no dialog, no question, a long time in the "connecting" state, then "server didn't respond". There is no hidden window for accepting the certificate. I am a newbie or at most mediocre at router configuration, but as for browsing the internet or using other typical net services I am quite experienced.
Is it possible SSL is broken in r33607 or only in my WR841 build?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Fri Dec 08, 2017 12:21    Post subject:
c7rax wrote:
Alozaros wrote:
just tested it on the latest FFx, it's working, as I said ppl very often do not read what is on the screen...


Believe me, I know how the dialog for accepting an invalid/expired certificate looks in FF. Here there is no dialog, no question, a long time in the "connecting" state, then "server didn't respond". There is no hidden window for accepting the certificate. I am a newbie or at most mediocre at router configuration, but as for browsing the internet or using other typical net services I am quite experienced.
Is it possible SSL is broken in r33607 or only in my WR841 build?


ok, then post a picture to support your claim... I already enabled it and tested it on 3 different routers on the new build 33896, it's working...

c7rax
DD-WRT Novice


Joined: 09 Nov 2017
Posts: 44

Posted: Fri Dec 08, 2017 14:52    Post subject:
Alozaros wrote:

ok, then post a picture to support your claim... I already enabled it and tested it on 3 different routers on the new build 33896, it's working...


I don't deny that https works in most situations, You have confirmed this with 3 different devices. But it doesn't work on the WR841N which I have on my desk and which wasn't tested by You. Each router has a slightly different build, even the WR841N has different builds for different subversions.
That is why I asked if I can check anything from shell commands to be sure everything is ok with the configuration.

What kind of picture do You want from me? A white screen with "Connecting..." on the tab and "Initiate TLS handshake..." on the status bar? Or maybe the final screen with the short message that the server didn't respond?
I am using https daily, many sites work in https only. And I have a few websites with an expired certificate or a certificate set for another domain or subdomain which I needed to add manually in the browser to open such sites. There is no hidden dialog for accepting the certificate.

Besides, there is another guy with a WR841N who tried to run https on the latest fw, without success as well.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Fri Dec 08, 2017 16:35    Post subject:
well, the GUI https access code is the same on all routers and it's true it has been in that state for ages. The thing is you can find info how to put a certificate in nvram and then it will work out of the box, or just add an exception to your browser and it's working as well, it's the same https. More often there are a lot of user errors reported as dd-wrt errors due to poor knowledge or experience, in this case I'm out...
I can post you a pic of my router GUI logged in via https access just to confirm my words... anyway good luck with your case and please do not report errors from different builds in the new build thread...

c7rax
DD-WRT Novice


Joined: 09 Nov 2017
Posts: 44

Posted: Sun Dec 10, 2017 21:02    Post subject:
Alozaros wrote:
well, the GUI https access code is the same on all routers and it's true it has been in that state for ages


I don't know if it was in this state for ages, but I have upgraded to r33986 to be sure and it is still not working. Or rather https is not working on the LAN side, because I didn't even try to check the WAN side (not WLAN). After the upgrade, https was the first thing I enabled.

This httpd server doesn't have any additional configuration, I mean nothing in /etc, or I didn't find anything, so probably everything is in nvram settings.
From the /etc/www file entries I can suspect it is lighttpd.

With the ps command I see two services: httpd -p 80 and httpd -S. netstat -an gives me info that both 80 and 443 are listening and the status is TIME_WAIT. When the browser tries to connect to SSL, the TIME_WAIT is replaced with ESTABLISHED. syslogd also confirms https is running.
But the thing is that I can't connect to it. I tried with 2 different hosts (Win7 and XP), IE8, IE11, PaleMoon 26, FireFox 52 ESR. No browser can pass the connecting state, and none of them is asking about the certificate. I don't know what is wrong with that, but it is not the certificate. Moreover, I can't even check if the certificate is valid or not, because if the browser is not connected there is no option for that.
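The two sides of this thread are arguing about different failures: "the TLS listener accepts the TCP connection but never answers" versus "TLS works but the certificate is untrusted, so the browser asks for an exception". The probe below, an added example that is neither from this thread nor DD-WRT code, tells those cases apart from a host on the LAN (run probe_tls against the router address, e.g. 192.168.1.1 as used in this thread). fake_listener and unused_port are constructed test doubles that stand in for a router.

```python
import socket
import ssl
import threading
import time

def probe_tls(host, port, timeout=3.0):
    """Classify what answers on host:port.
    connect_failed: no TCP listener.  no_response: TCP accepted, ClientHello sent, nothing
    ever comes back (this thread's symptom).  no_tls_handshake: peer closed/reset or sent
    non-TLS bytes.  tls_untrusted_cert: TLS works, cert self-signed/expired/mismatched (the
    browser would offer an exception).  tls_ok: TLS works with a CA-trusted cert."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "connect_failed"
    relaxed = ssl.create_default_context()
    relaxed.check_hostname = False
    relaxed.verify_mode = ssl.CERT_NONE          # pass 1: does it speak TLS at all?
    try:
        with relaxed.wrap_socket(raw, server_hostname=host):   # wrap_socket owns raw now
            pass
    except socket.timeout:
        return "no_response"
    except (ssl.SSLError, ConnectionError, EOFError):
        return "no_tls_handshake"
    strict = ssl.create_default_context()        # pass 2: would a browser trust the cert?
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw2:
            with strict.wrap_socket(raw2, server_hostname=host):
                return "tls_ok"
    except ssl.SSLCertVerificationError:
        return "tls_untrusted_cert"
    except OSError:
        return "no_tls_handshake"

def fake_listener(reply_then_close):
    """Constructed test double, not a router: accept one connection on 127.0.0.1 and
    either close it at once or hold it open without ever answering. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        if not reply_then_close:
            conn.recv(4096)      # swallow the ClientHello ...
            time.sleep(10)       # ... and stay silent past the probe's timeout
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_port():  # constructed: a local port with no listener, for the connect_failed case
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

A result of no_response matches what the thread describes (netstat shows ESTABLISHED, browser hangs, no certificate prompt); tls_untrusted_cert is the case where clicking through the browser exception is the whole fix.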
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Mon Dec 11, 2017 7:10    Post subject:
that's why I said post a pic of your browser page
when you are trying to connect to https://192.168.1.1 or so
then you will see what I was talking about....
if you dial http://192.168.1.1:443 then you are terribly wrong

c7rax
DD-WRT Novice


Joined: 09 Nov 2017
Posts: 44

Posted: Mon Dec 11, 2017 9:31    Post subject:
Alozaros wrote:
that's why I said post a pic of your browser page
when you are trying to connect to https://192.168.1.1


I could counterfeit any screenshot (pic) of this state, because the screen is the same for every server (any IP address) which doesn't do anything with port 443. There is no point in doing that. If there was any specific error code, other than "not connected cause not", I would give the picture to try to diagnose an error.

Alozaros wrote:
if you dial http://192.168.1.1:443 then you are terribly wrong


Wrong, I am "dialing" (dial? it is not a phone or modem) https://192.168.1.1:443 and https://192.168.5.1:443 (WAN side and LAN side) and also https://192.168.1.1 and https://192.168.5.1 (without port number), and none of them is working. So, if that is wrong, then how am I supposed to connect to https?

It is like connecting to an empty service - something is listening on the specific port, but doesn't send anything back to the browser, so the browser closes such a connection with an error.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Mon Dec 11, 2017 15:17    Post subject:
hmm I'm not sure what you are doing but I can not reproduce your
error, I usually enable https access from the GUI and type
https://192.168.1.1 and add an exception and voilà I'm logged in
if you cannot do it on any build then either you are doing something
wrong or it's a very very router specific error...

the last thing that comes into my mind is to change the microserver port to something else, log in via telnet or ssh:

nvram set https_lanport 31339 <---- Or whatever port you want
nvram commit
reboot

Then access your router via
https://routeripaddress:31339
