luci-ssl is broken with the latest chrome (likely due to polarssl) #736
Comments
I have the same problem. It's not working anymore in Google Chrome version 51.0.2704.84 m (64-bit). I have changed the parameter redirect_https to 0 in /etc/config/uhttpd and now it works again, but not with ssl connection
I noticed the same when trying to connect with my Android tablet. No more Luci :-( EDIT:
Cannot do much about that. Sounds like something that needs to be addressed in the various crypto backends (ustream-ssl, polar/wolfssl, cyassl/mbedtls, openssl).
Confirmed, swapping libustream-polarssl with libustream-cyassl works, so neither a LuCI, nor a uhttpd issue. Likely needs a library update to polarssl/mbedtls.
I tested switching from polarssl to its new incarnation mbedtls, and that works with Chrome, too. Would it be time to switch the default from polarssl to mbedtls?
What's the size difference?
Roughly: polarssl 141 kB, cyassl 147 kB, mbedtls 162 kB, openssl 735 kB from ar71xx:
Note that switching from polarssl to cyassl or mbedtls would have impact on a few non-core packages, as they do not have variants / config options for non-polarssl. (However, most apps using polarssl like transmission, umurmur, openvpn and shairport also have openssl versions, so they have a backup option.) px5g, the creator of the self-signed certificate for Luci / uhttpd, requires polarssl at the moment. That is probably the item on the critical path to change away from polarssl. As long as px5g only supports polarssl, there is no practical way to switch away from it. PS: polarssl was noted to be difficult already a few months ago:
I believe the issue is solved with lede-project/source@9e45f9d
Issue is fixed. That's really bizarre that GCM is required now. Maybe Google is more aggressive with TLS 1.2? A different solution would probably be to disable TLS 1.2 and keep 1.1. GCM is not available with 1.1. I'm not sure if size is a real concern here.
Fixed in lede, but not openwrt? dircleaned, pulled, built and installed designated driver right now, issue still present.
OpenWrt Designated Driver snapshot r49388 from June 21 still exhibits the symptoms.
Works fine with Firefox. It just times out at establishing secure connection. No idea why.
I remember there was a news story on how Google Chrome disabled NPN, which broke some sites. No idea if luci-ssl also uses NPN.