[source] uhttpd: create self-signed certificates with unique subjects

LEDE Commits lede-commits at lists.infradead.org
Wed Oct 26 06:22:33 PDT 2016


blogic pushed a commit to source.git, branch master:
https://git.lede-project.org/9097dc5ad844c336020be11085e1c8c80390ac9c

commit 9097dc5ad844c336020be11085e1c8c80390ac9c
Author: Hannu Nyman <hannu.nyman at iki.fi>
AuthorDate: Thu Oct 6 20:37:59 2016 +0300

    uhttpd: create self-signed certificates with unique subjects
    
    Add a partially random O= item to the certificate subject in order
    to make the automatically generated certificates' subjects unique.
    
    Firefox has problems when several self-signed certificates
    with CA:true attribute and identical subjects have been
    seen (and stored) by the browser. Reference to upstream bugs:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1147544
    https://bugzilla.mozilla.org/show_bug.cgi?id=1056341
    https://bugzilla.redhat.com/show_bug.cgi?id=1204670#c34
    
    Certificates created by the OpenSSL one-liner fall into that category.
    
    Avoid identical certificate subjects by including a new 'O=' item
    with CommonName + a random part (8 chars). Example:
    /CN=LEDE/O=LEDEb986be0b/L=Unknown/ST=Somewhere/C=ZZ
    
    That ensures that the browser properly sees the accumulating
    certificates as separate items and does not spend time
    trying to form a trust chain from them.
    
    Signed-off-by: Hannu Nyman <hannu.nyman at iki.fi>
---
 package/network/services/uhttpd/files/uhttpd.init | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package/network/services/uhttpd/files/uhttpd.init b/package/network/services/uhttpd/files/uhttpd.init
index 35c1985..a2dbcd2 100755
--- a/package/network/services/uhttpd/files/uhttpd.init
+++ b/package/network/services/uhttpd/files/uhttpd.init
@@ -46,12 +46,13 @@ generate_keys() {
 
 	# Prefer px5g for certificate generation (existence evaluated last)
 	local GENKEY_CMD=""
+	local UNIQUEID=$(dd if=/dev/urandom bs=1 count=4 | hexdump -e '1/1 "%02x"')
 	[ -x "$OPENSSL_BIN" ] && GENKEY_CMD="$OPENSSL_BIN req -x509 -outform der -nodes"
 	[ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -der"
 	[ -n "$GENKEY_CMD" ] && {
 		$GENKEY_CMD \
 			-days ${days:-730} -newkey rsa:${bits:-2048} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
-			-subj /C="${country:-DE}"/ST="${state:-Saxony}"/L="${location:-Leipzig}"/CN="${commonname:-Lede}"
+			-subj /C="${country:-DE}"/ST="${state:-Saxony}"/L="${location:-Leipzig}"/O="${commonname:-Lede}$UNIQUEID"/CN="${commonname:-Lede}"
 		sync
 		mv "${UHTTPD_KEY}.new" "${UHTTPD_KEY}"
 		mv "${UHTTPD_CERT}.new" "${UHTTPD_CERT}"
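Review bot: the new `UNIQUEID` line lets `dd` print its transfer statistics ("4+0 records in" / "4+0 records out") to stderr every time a key is generated, so they will appear in the init script's output; add `2>/dev/null` to the `dd` invocation. The same line also has no fallback: if `hexdump` is unavailable in a given image, `UNIQUEID` silently becomes empty and the generated subjects collapse back to being identical, which is the very Firefox problem the commit message sets out to fix. A default such as `${UNIQUEID:-$(date +%s)}`, or an explicit check that the variable is non-empty before building `-subj`, would keep the fix effective. Minor: the example subject in the commit message lists `O=` after `CN=`, while the hunk inserts `O=` before `CN=`; either order satisfies the uniqueness goal, but the message could match the code.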
