Ansuel / tch-nginx-gui

Modified file to apply to a stock technicolor GUI
GNU General Public License v3.0

Downloading DSL drivers via GUI goes wrong... #56

Closed meyergru closed 6 years ago

meyergru commented 6 years ago

I tried to switch the DSL driver via GUI. At first sight, it seems to work, i.e. that the dropdown showed the version A2pvfbH043o.d26r.

After a reboot, I get this message as long as the DSL connection is still down:

[screenshot of the error message]

That is probably because xdslctl does not show a version at all (or that one cannot be translated to a correct display value).

However, /etc/adsl/adsl_phy.bin was not replaced.

I think that the works at ilpuntotecnico could be the culprit. When I try to download any file with curl from there, I see a certificate error:

# curl -O https://repository.ilpuntotecnico.com/files/Ansuel/AGTEF/version
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.

Ansuel commented 6 years ago

umm yes, I need to add -k to the script, as normally the modem doesn't have certificates

about version... well, it's another bug... the problem is that you are not connected to the DSLAM, I think

(or can you give me the xdslctl info --vendor output?)

meyergru commented 6 years ago

Yes, I think so. Here is the output.

# xdslctl info --vendor
xdslctl: ADSL driver and PHY status
Status: Idle
Last Retrain Reason:    0
Last initialization procedure status:   0

ChipSet Vendor Id:
ChipSet VersionNumber:
ChipSet SerialNumber:

The '-k' switch would be needed for version checks as well, in fact everywhere curl is used for the ilpuntotecnico repo (e.g. the cron script). The better option would be to add the Let's Encrypt CA to the cert chain. I can look into that...

Ansuel commented 6 years ago

and it's already like that ;)

anyway i fixed the error with no dsl

meyergru commented 6 years ago

The "-k" option is potentially unsafe against MITM attacks.

About the "better" option: curl can use a --cacert (bundle or single cert) or a --capath parameter.

The Let's Encrypt CA certs are not contained in the default path /etc/ssl/certs, nor are most other CAs. One could provide a standard set of CAs in a bundle.

Alas, the usual cert bundle file is named ca-certificates.crt, but it is not compiled into the curl version in OpenWrt, so what would be needed is:

  1. Providing an /etc/ssl/certs/ca-certificates.crt with the usual root CAs.
  2. Setting a system-wide environment variable CURL_CA_BUNDLE pointing to that bundle.

or:

  1. Calling curl with --ca-bundle "/etc/ssl/certs/ca-certificates.crt" every time.
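The verified-download approach discussed in this thread, written out as an added example (not code from tch-nginx-gui or from either commenter). It assumes the bundle lives at /etc/ssl/certs/ca-certificates.crt (overridable via CA_BUNDLE) and fails closed rather than falling back to -k when the bundle is missing:

```shell
#!/bin/sh
# Added example, not part of tch-nginx-gui: download from the ilpuntotecnico
# repository with TLS verification kept on. Instead of -k, curl is pointed at
# a CA bundle (assumed path /etc/ssl/certs/ca-certificates.crt, overridable
# through the CA_BUNDLE variable); the script refuses to run if it is absent.
REPO_BASE="https://repository.ilpuntotecnico.com/files/Ansuel/AGTEF"
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Return 0 if "$1" looks like a usable PEM bundle: it exists, is non-empty
# and contains at least one certificate block. Anything else returns 1.
ca_bundle_usable() {
    [ -s "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

# Download "$1" (path relative to REPO_BASE) to "$2" with verification.
# --fail turns HTTP errors into a non-zero exit, and a TLS failure is
# non-zero as well, so a cron job sees the failure instead of an HTML page.
fetch_verified() {
    ca_bundle_usable "$CA_BUNDLE" || {
        echo "CA bundle '$CA_BUNDLE' unusable; refusing to fall back to -k" >&2
        return 1
    }
    curl --fail --silent --show-error --cacert "$CA_BUNDLE" \
         -o "$2" "$REPO_BASE/$1"
}

# Usage: fetch_verified version /tmp/agtef_version && cat /tmp/agtef_version
```

Setting CURL_CA_BUNDLE system-wide to the same file has the same effect for every curl invocation, including the cron script, without editing each call.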