In the case of OpenWRT it is enough to put the CA/server cert in "/etc/ssl/certs". It'll work on the fly.
I think that Nam uses a test environment. Imho, if you try any solution then you don't need troubles with 3rd-party soft. I know about security issues... cause it is my bread and butter =)

On Wednesday, April 18, 2018 at 20:12:46 UTC+5, Federico Capoano wrote:
>
> In that case the best solution would be to put the self created CA in the
> system's trusted CA so the SSL verification would pass.
> I haven't tried this yet but when I do I'll report how to do this.
>
> Disabling SSL verification in a production environment is highly
> discouraged in all cases. Routers could be subject to man in the middle
> attacks, an attacker could pretend to be OpenWISP and inject an arbitrary
> configuration, which would then allow him to root SSH into the routers.
> So unless you are using OpenWISP in your home or in a small office in
> which you trust everyone, SSL should never be disabled in production,
> otherwise you incur the risk of malicious people being able to do
> criminal activities from your own routers which in turn send packets to the
> public internet from your own IP addresses, in that case in most countries
> the police would come to your door and ask questions. You won't go to jail
> but if you run a business your reputation will be compromised.
>
> Saving time to properly configure SSL doesn't sound like a good investment
> considering the risk involved, IMHO.
>
> Think about it and let it sink.
> Federico
>
>
> On Wed, 18 Apr 2018, 11:24, Артур Скок <[email protected]> wrote:
>
>> Disabling the SSL verification may work, but it's not a good practice for
>> production environments because it's insecure so it should be used only as
>> a temporary solution. (c)
>> Maybe they use a self-signed cert in the local network. In this case there is
>> no big risk.
>>
>> 2018-04-18 19:01 GMT+05:00 Federico Capoano <[email protected]>:
>>
>>> From https://curl.haxx.se/libcurl/c/libcurl-errors.html
>>>
>>> CURLE_SSL_CACERT_BADFILE (77)
>>>
>>> Problem with reading the SSL CA cert (path? access rights?)
>>>
>>> Disabling the SSL verification may work, but it's not a good practice
>>> for production environments because it's insecure so it should be used only
>>> as a temporary solution.
>>>
>>> What SSL library are you using? openssl, mbedtls or cyassl?
>>>
>>> Federico
>>>
>>> On Wed, Apr 18, 2018 at 7:53 AM Артур Скок <[email protected]> wrote:
>>>
>>>> Hi.
>>>> Try to use "option verify_ssl '0'"
>>>>
>>>> 2018-04-18 15:41 GMT+05:00 Nam Lê <[email protected]>:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I can't connect between the openwisp agent and the controller.
>>>>>
>>>>> The agent log shows code 77.
>>>>> Wed Apr 18 10:35:49 2018 daemon.err openwisp: Failed to connect to controller while getting checksum: curl exit code 77
>>>>>
>>>>> I installed openwisp-config-no-sll on the agent and this is
>>>>> /etc/config/openwisp
>>>>>
>>>>> config controller 'http'
>>>>>     option url 'https://10.0.1.253'
>>>>>     #option interval '120'
>>>>>     #option verify_ssl '1'
>>>>>     #option shared_secret ''
>>>>>     #option consistent_key '1'
>>>>>     #option mac_interface 'eth0'
>>>>>     #option merge_config '1'
>>>>>     #option test_config '1'
>>>>>     #option test_script '/usr/sbin/mytest'
>>>>>     option uuid '01619bd52e3e4f468ab7xxxxxxxxxx'
>>>>>     option key 'SU0kQIV1Jkaa70UK9AYbxxxxxxxxx'
>>>>>     list unmanaged 'system.@led'
>>>>>     list unmanaged 'network.loopback'
>>>>>     list unmanaged 'network.@switch'
>>>>>     list unmanaged 'network.@switch_vlan'
>>>>>     # curl options
>>>>>     #option connect_timeout '15'
>>>>>     #option max_time '30'
>>>>>     #option capath '/etc/ssl/certs'
>>>>>
>>>>> And what should I do? Please help me! Thanks everyone.
--
You received this message because you are subscribed to the Google Groups "OpenWISP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
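
Added example, not part of the original thread and not OpenWISP's own code: a shell audit for the two things discussed above, whether verify_ssl has been switched off in /etc/config/openwisp and whether the capath can actually be read (the "path? access rights?" causes of curl exit code 77). The function names and return codes are this example's own, and the <hash>.<n> file-name check only matters when curl is built against OpenSSL, which looks up capath entries by subject-hash name.

```shell
#!/bin/sh
# Added example: audit an openwisp-config file and the capath it points to.
# Return codes are this example's own convention, not openwisp-config's.

# 0 = verification left on, 1 = an active "option verify_ssl '0'" line exists.
verify_ssl_enabled() {
    q="[\"']"   # either quote character
    # Lines starting with '#' are UCI comments and never match.
    if grep -Eq "^[[:space:]]*option[[:space:]]+verify_ssl[[:space:]]+${q}?0${q}?[[:space:]]*\$" "$1"; then
        return 1
    fi
    return 0
}

# 0 ok, 1 not a directory, 2 access rights, 3 no PEM certificate,
# 4 certificates present but none under an OpenSSL-style <hash>.<n> name.
check_capath() {
    dir="$1"; pem=0; hashed=0
    [ -d "$dir" ] || return 1
    { [ -r "$dir" ] && [ -x "$dir" ]; } || return 2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ -r "$f" ] || return 2
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || continue
        pem=$((pem + 1))
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                hashed=$((hashed + 1)) ;;
        esac
    done
    [ "$pem" -gt 0 ] || return 3
    [ "$hashed" -gt 0 ] || return 4
    return 0
}

# Usage on a router: audit /etc/config/openwisp /etc/ssl/certs
audit() {
    verify_ssl_enabled "$1" || { echo "verify_ssl is disabled in $1"; return 10; }
    rc=0; check_capath "$2" || rc=$?
    case "$rc" in
        0) echo "capath $2 looks usable" ;;
        1) echo "$2 is not a directory" ;;
        2) echo "access rights problem under $2" ;;
        3) echo "no PEM certificate in $2" ;;
        4) echo "no <hash>.<n> names in $2 (needed by OpenSSL builds)" ;;
    esac
    return "$rc"
}
```
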
