Thanks for your help.
Just a quick question - this: https://dev.openwrt.org/browser/trunk/p … ?rev=42526 is the Makefile of the Cyassl 3.2.0 in OpenWRT. I managed to add the --enable-sha512 bit on my local version. Do you see any possibility to do both other changes (FP_MAX_BITS 8192 and MAX_DH_SZ 1036) via that Makefile - so that on does not to change the source files by hand?
That would be awesome smile!
Thanks!

Thanks a lot Chris,
that did it.
So in the end I had to define FP_MAX_BITS to 8192, then change the MAX_DH_SZ to 1036 and finally compile SHA-512 enabled (--enable-sha512).
Then it did work.

Regards

Yes, I have changed the files correctly to incorporate the changes needed for 4096 bit certificates.
However, it did not work.
Could be because of the fact that the version of stable CyaSSL package in OpenWRT 14.07 is fairly old (3.2.0).

Yes, its the same CA root.
I just tried it with yours again - and it did fail.
The current stable OpenWRT Release does only include CyaSSL 3.2.0.
Maybe thats too old.

"curl 7.38.0 (mipsel-openwrt-linux-gnu) libcurl/7.38.0 CyaSSL/3.2.0
Protocols: http https
Features: Largefile SSL "

However, I did also try with the trunk Version, I think it was version 3.6.0 - and it did not work with curl, only if curl was built with OpenSSL or gnutls. I would still like to use wolfSSL/CyaSSL, as I see it is more efficient.

OK, I could get it to work for Google, but only if I really give the needed cert to curl via --cacert by hand, like shown here:

curl --cacert /etc/ssl/certs/Equifax_Secure_CA.crt https://www.google.de

Otherwise, I get the usual error about CA signer not available for verification.

The Website I try to curl, https://www.jctixx.de does use Comodo Positive SSL, which does use the AddTrust External CA Root Certificate. I have that one in my cert space as well, and tried to curl jctixx.de the same way, however, it does not give back anything else than curl: (77) CA signer not available for verification error.

Any ideas how to solve that?

Thanks a lot!

Hello,

I tried to use multiple SSL Solutions with curl and found CyaSSL / wolfSSL and tried that one:
Infact, it is one of the only SSL engines "really working" on OpenWRT 14.07 without needing about 20 seconds on an older router to curl one https site - so kudos for that smile!

I am using OpenWRT 14.07, compiled by myself, for an WGT634U (Legacy Branch).
I left most settings on default, only changed CyaSSL to default SSL Engine, as well as I choose it in curl.
After installing on the router, I also installed ca-certificates.

I can access an site like google - but only with the use of the insecure switch -k.
Other than that, I get an curl: (77) CA signer not available for verification error.

The Website I try to access via curl does also use 4096 Bit Certificates, and I thought there was some problem with that size. Is there any possiblity to get that error fixed in the stable OpenWRT branch, or can I change something myself in the package to get myself up and running without --insecure?

Thanks a lot!


curl -v:
curl 7.38.0 (mipsel-openwrt-linux-gnu) libcurl/7.38.0 CyaSSL/3.2.0
Protocols: http https
Features: Largefile SSL