Issues installing dependencies for 'uhttpd-mod-tls'

    Unknown package 'libustream-polarssl'.
    Collected errors:
     * opkg_install_cmd: Cannot install package libustream-polarssl

What do I do if I want to add HTTPS support to uhttpd?

Can you please share more details: which router do you have, and which version of the OS do you have? By default in Turris OS we are using lighttpd, even for LuCI, instead of uhttpd. You can look here in our documentation for how to access Foris/LuCI via HTTPS.

In Turris OS 3.x, there is libustream-[openssl][mbedtls].
In Turris OS 4.x, there is libustream-[openssl][mbedtls][wolfssl].

You are probably following some old guide somewhere, because PolarSSL is now known as Mbed TLS.

Temporary solution here (Omnia, OS 3.11.6):

Versions <= 3.6.5 contain the package, and from version >= 3.7 it is no longer available.

Dear Pepe,

This is not meant for LuCI. I am hosting another website on uhttpd (port 81) and would like to forward it to the internet, but with https enabled. With the help of roman HK, I managed to install uhttpd-mod-tls. After a restart of uhttpd it generated uhttpd.cert & uhttpd.key in /etc (the paths in /etc/config/uhttpd are correct) but I still don’t get https functionality. Then I uninstalled the package(s) again and tried luci-ssl with mbedtls and still nothing.

Thx for all the input, I really appreciate it!
My uhttpd main looks like this:

        # HTTP listen addresses, multiple allowed
        list listen_http
        list listen_http        [::]:81

        # HTTPS listen addresses, multiple allowed
        list listen_https
        list listen_https       [::]:444

        # Redirect HTTP requests to HTTPS if possible
        option redirect_https   1

        # Server document root
        option home             /usr/share/htdocs

        # Certificate and private key for HTTPS.
        # If no listen_https addresses are given,
        # the key options are ignored.
        option cert             /etc/uhttpd.crt
        option key              /etc/uhttpd.key

    # Certificate defaults for px5g key generator
    config cert px5g

        # Validity time
        option days             730

        # RSA key size
        option bits             1024

        # Location
        option country          ZZ
        option state            Somewhere
        option location         Uknown

        # Common name
        option commonname       OpenWrt

PHP is running since yesterday already.
But I still cannot get an encrypted connection…

P.S. I am also unable to add an exception for Foris/LuCI https. I’m on Mac OS and regardless of which browser I try (yes, even Firefox) there is no direct way to exempt this URL. So I downloaded the certificate manually via openssl, imported it into my keychain and changed the trust settings to ‘Always trust’. Rebooted my computer. Rebooted my router. Nothing.
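
A quick audit of the points the config above raises, as an added example (not part of any post in this thread, and not Turris or OpenWrt code): it flags listen entries that carry no address, cert/key paths that cannot be opened on disk, and a px5g RSA size below 2048 bits. The function name and the finding labels are made up for this sketch.

```sh
#!/bin/sh
# Added example: audit a uhttpd UCI config file (default /etc/config/uhttpd).
# Finding labels (EMPTY_LISTEN, MISSING_FILE, ...) are invented for this sketch.
check_uhttpd_conf() {
    conf="${1:-/etc/config/uhttpd}"
    # Drop UCI quoting first so values compare as plain words.
    sed "s/[\"']//g" "$conf" | awk '
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
        $1 == "list" && $2 ~ /^listen_https?$/ {
            if (NF < 3) print "EMPTY_LISTEN " $2  # entry without an address
            else if ($2 == "listen_https") https++
            next
        }
        $1 == "option" && ($2 == "cert" || $2 == "key") { path[$2] = $3; next }
        # RSA keys below 2048 bits are rejected by current TLS clients
        $1 == "option" && $2 == "bits" && $3 + 0 < 2048 { print "WEAK_KEY " $3 }
        END {
            if (https == 0) print "NO_HTTPS_LISTENER"
            n = split("cert key", want, " ")
            for (i = 1; i <= n; i++) {
                f = path[want[i]]
                if (f == "") { print "NO_OPTION " want[i]; continue }
                # getline returns -1 when the file is missing or unreadable
                if ((getline line < f) < 0) print "MISSING_FILE " f
                close(f)
            }
        }
    '
}
```

On the router, calling `check_uhttpd_conf` with no argument audits /etc/config/uhttpd; no output means none of these checks fired.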

I would not do that; you are suggesting to use some really old version of the SSL wrapper from 2015. There can be memory leaks, potential security risks and so on. In Turris OS 3.x, there is a version from 2018 (almost the same as in Turris OS 4.x). I looked at the source repository and there are not many commits now, but I will look at it to have the latest version in Turris OS 3.x. The package Polar SSL was renamed to Mbed TLS, but uhttpd-mod-tls was still looking for libustream-polarssl, which was wrong, and in the next release of Turris OS 3.11 it will be fixed. Most probably it won’t get into 3.11.7, which is in RC.

Anyway, I’m thinking: why? Why are you suggesting to use uhttpd when there is lighttpd installed? It is really not a good idea. If you have two apps, which are supposed to do the same, then you really know what you are doing. In my opinion, I wouldn’t recommend it to anyone.* The other thing: why install Mbed TLS or any other SSL libraries when there is OpenSSL? Mbed TLS is not large, but isn’t it better to use what is already there? It can save you some space on your router. When there are multiple SSL libraries, it just adds overhead for you, like checking that the SSL library is not vulnerable, that your web servers are not vulnerable, that it runs as it should, that it’s being updated, and making sure that you don’t have both processes configured on the same port, which can prevent one of the two web applications you have from starting, and so on.

You can edit the lighttpd configuration file and add a virtual host there, which will do the same.

*If you really do want to have a separate process for the web server, you can use apache/nginx for it; however, they are a lot larger than uhttpd, but powerful.