TomatoUSB admin w/ SSL intermediate cert

Discussion in 'Tomato Firmware' started by peternm22, Feb 20, 2012.

  1. peternm22

    peternm22 Networkin' Nut Member

    I currently have the TomatoUSB admin interface setup to use a self signed SSL cert, and I am interested in getting a CA signed cert (free ones are available from StartSSL). I've looked at this tutorial: but it doesn't say how to install intermediate/chained certificates. Since pretty much all CA signed certificates nowadays are chained certificates, this seems like it would be a good thing to be able to do. See here for more info about intermediate/chained certificates:

    Does anyone know how to load intermediate SSL certs onto a TomatoUSB router? Does the built in webserver even support chained certs?

  2. shibby20

    shibby20 Network Guru Member

    I've got a StartSSL cert installed on my Tomato router.

    If you already have the key and cert, all you need to do is run a few commands:
    cat /tmp/your_cert.crt > /etc/cert.pem
    cat /tmp/your_key.key > /etc/key.pem
    service httpd restart
    tar -C / -czf /tmp/cert.tgz etc/cert.pem etc/key.pem
    nvram setfb64 https_crt_file /tmp/cert.tgz
    nvram commit

    and that's all.

    Here is my tutorial (Polish) using Comodo SSL:
  3. heypete

    heypete Networkin' Nut Member

    Hi Shibby,

    First off, thanks for all your development work. You rock.

    That said, I'm afraid this doesn't work as expected: I have a StartSSL cert and included both my signed Class 2 certificate and the StartSSL Class 2 Server Intermediate certificate in the cert.pem file, and the Tomato httpd server (I'm using TomatoVPN, for what it's worth) only presents the signed certificate but not the intermediate. I've checked this with the following OpenSSL command:

    openssl s_client -tls1 -showcerts -connect hostname:443

    where hostname is the name of my router (and the same name included in the CN of the signed certificate). If you have OpenSSL on your computer, run the above command with the hostname of your router and the hostname of some other SSL-enabled site (say You'll note that OpenSSL outputs the entire certificate chain on the other site but only outputs the server certificate (and no intermediates) when you check the router.

    The reason everything works for you is because your browser has cached the intermediate cert from a previous connection that used the same intermediate certificate. However, if the httpd server on Tomato does not send the intermediate cert, then connecting using a browser that's never seen the intermediate cert before will fail.

    Unless the Tomato httpd server sends the intermediate, there are only two ways to prevent this problem from occurring:
    1. Manually download and install the appropriate intermediate certificate (for StartSSL, the intermediates are available at in your browser. In Firefox, one should *not* enable the various trust settings (that is, do not check the "This certificate can identify web sites/mail users/software makers.") -- the intermediate should not have any trust on its own, but rather inherits the trust from the trusted root. If using Windows and Internet Explorer, the certificate should be placed in the "Intermediate Certification Authorities" category. Chrome on Windows uses the same CA store as the OS, so use the IE instructions.

    2. Using the same browser as the one you intend to use to connect to Tomato and visit a site that uses the same intermediate certificate(s). The intermediates will be automatically cached in your browser for all future visits.
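heypete's s_client check, turned into a small parser as an added example (not code from the thread or from Tomato): it reads `openssl s_client -showcerts` output and reports how many certificates the server sent, whether each issuer matches the next subject, and flags the leaf-only case that shows up together with verify error 20/21. The hostnames and CA names in the two embedded samples are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the chain a server
# presented, captured from `openssl s_client -showcerts -connect host:443`.
# Usage: chain_report < s_client_output.txt ; always exits 0, prints a verdict.
chain_report() {
    awk '
    /^verify error:num=/ {   # e.g. "verify error:num=21:unable to verify the first certificate"
        split($0, a, ":"); e = substr(a[2], 5)
        errs = errs (errs == "" ? "" : ",") e; next
    }
    /^Certificate chain/ { inchain = 1; next }
    inchain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    inchain && /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
    inchain && /^---$/        { inchain = 0 }
    END {
        links = "ok"
        for (k = 1; k < n; k++)     # issuer of cert k must equal subject of cert k+1
            if (iss[k] != subj[k+1]) links = "broken"
        if (errs == "") errs = "none"
        # one non-self-signed cert plus verify error 20/21: the leaf came alone
        status = "OK"
        if (n == 0) status = "NO_CERTS"
        else if (links == "broken") status = "BAD_ORDER"
        else if (n == 1 && iss[1] != subj[1] && errs ~ /(^|,)(20|21)(,|$)/) status = "MISSING_INTERMEDIATE"
        printf "certs=%d links=%s verify_errors=%s status=%s\n", n, links, errs, status
    }'
}

# Constructed sample (PEM bodies omitted): a router sending only its leaf.
LEAF_ONLY='CONNECTED(00000003)
depth=0 /CN=router.example.net
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=router.example.net
   i:/O=Example CA/CN=Example Class 2 Intermediate Server CA
---'
# Constructed sample: the same leaf with its intermediate sent too.
FULL_CHAIN='Certificate chain
 0 s:/CN=router.example.net
   i:/O=Example CA/CN=Example Class 2 Intermediate Server CA
 1 s:/O=Example CA/CN=Example Class 2 Intermediate Server CA
   i:/O=Example CA/CN=Example Root CA
---'
printf '%s\n' "$LEAF_ONLY" | chain_report    # certs=1 ... status=MISSING_INTERMEDIATE
printf '%s\n' "$FULL_CHAIN" | chain_report   # certs=2 ... status=OK
```

Run it against a real capture with `openssl s_client -showcerts -connect router:443 < /dev/null | chain_report`; a browser that has the intermediate cached will still connect fine even when the verdict is MISSING_INTERMEDIATE, which is exactly the false sense of security heypete describes.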
  4. peternm22

    peternm22 Networkin' Nut Member


    Thanks for the response, but as heypete pointed out better than I could, there can be problems if the intermediate certificates aren't loaded. Do you know if there is support in the built in Tomato webserver for intermediate certificates?
  5. psyubl

    psyubl Networkin' Nut Member

    I have also been very interested in this issue, so I analyzed the source code.
    I found that several source files need to be changed to support this feature.
    1. In mssl/mssl.c file, an additional function call of SSL_CTX_add_extra_chain_cert() may be required.
    2. In httpd/httpd.c file, an additional API call of the modified mssl may be needed.
    3. In www/admin_access.asp file, an additional configuration may be needed. (Note that not all users need that option.)
    However, supporting intermediate certificates needs a lot of nvram space due to the size of certificates. When it comes to commercial certificates, this problem would be more serious because they are typically 2048 bits.
  6. peternm22

    peternm22 Networkin' Nut Member

    Would the certificates have to be saved to nvram? Couldn't they be saved to jffs or even an attached USB drive?
  7. psyubl

    psyubl Networkin' Nut Member

    Theoretically yes, but it may require changing the whole SSL configuration process. Unfortunately this is a pretty effort-consuming job.
    I hope some volunteer will do that. :)
  8. lancethepants

    lancethepants Network Guru Member

    You could always install optware/stunnel if it's a necessary feature for you.
  9. psyubl

    psyubl Networkin' Nut Member

    What a clever idea!
  10. godyang

    godyang Serious Server Member

    I tried to use stunnel, and it worked well at first.

    However, a few minutes later it stops working, as it refuses to accept new connections. At that point all stunnel processes seem frozen, so I have to kill them and restart the daemon via ssh.

    I'm currently resolving this issue by modifying the firmware source files so that optware is no longer needed. I'll post results later.
  11. MatteoV

    MatteoV Networkin' Nut Member

    Guys, sorry for bumping up a really old thread but I have always been particularly interested in this practice.
    When using Victek's Tomato firmware, I handled all of this with nginx acting as a proxy for me, and honestly it worked flawlessly!
    More info here for those who are interested.

    Now I've upgraded to Shibby's version together with the AdvancedTomato GUI and there's no nginx in it, so I am unable to have the full chain presented.
    Is there any news, or are there other solutions, apart from installing nginx again and making it act as a proxy?
  12. AndreDVJ

    AndreDVJ LI Guru Member

    The AIO build should have NGINX, unless your router cannot accommodate it due to its size.
  13. MatteoV

    MatteoV Networkin' Nut Member

    Thanks, I saw that AIO exists just after writing, but in fact it doesn't fit in the E4200's memory.

    @shibby Are binaries available somewhere so I can grab nginx and its dependencies and try to get it working from USB memory?

    Sent from my HTC One_M8 using Tapatalk
    Last edited: Sep 11, 2015
  14. lancethepants

    lancethepants Network Guru Member

  15. eelstrebor1

    eelstrebor1 Connected Client Member

    I see that this is an old thread but I'll post here anyway. I just installed a letsencrypt-generated cert in my ea6900 router, but tests are showing it to be an invalid cert. I followed the process of testing the self-signed cert and then installed my cert and key and restarted the webserver. Browsers (Chrome and Firefox) are still showing an "invalid"/self-signed cert also. The openssl test shown above indicates that the cert was issued by letsencrypt and does show my domain name. I got a couple of verify errors displayed also. I guess I can always try and get another cert from letsencrypt and try again.
  16. eelstrebor1

    eelstrebor1 Connected Client Member

    I can't get letsencrypt to work on my router. The following procedure doesn't work - it looks like when I restart the server it goes back to the "default" cert.pem and key.pem. Tomato Firmware 1.28.0000 -132 K26ARM USB AIO-64K running on an EA6900.

    cat /tmp/your_cert.crt > /etc/cert.pem
    cat /tmp/your_key.key > /etc/key.pem
    service httpd restart
    tar -C / -czf /tmp/cert.tgz etc/cert.pem etc/key.pem
    nvram setfb64 https_crt_file /tmp/cert.tgz
    nvram commit
  17. jerrm

    jerrm Network Guru Member

    ARM nvram does not support any of the set file options. Use jffs, or use openssl to base 64 encode the file and restore it in the init script.
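As an added example (not from the thread, and not Tomato's own scripts), a shell round trip of jerrm's suggestion: pack cert.pem and key.pem the way shibby's tar command does, base64-encode the archive so it fits in a plain nvram string, and restore it from an init script before httpd starts. The nvram variable name https_crt_b64 and the /tmp/mycerts path are assumptions, and psyubl's warning still applies: a 2048-bit key plus a chain costs several KB of nvram.

```shell
#!/bin/sh
# Added example (not from the thread): on ARM builds, where `nvram setfb64`
# is unavailable, keep the cert/key bundle as a base64 string and unpack it
# from an init script. The nvram variable name https_crt_b64 is a placeholder.

# Pack cert.pem and key.pem found in directory $1 into one base64 line.
pack_cert_bundle() {
    tar -C "$1" -czf - cert.pem key.pem | base64 | tr -d '\n'
}

# Unpack base64 bundle $1 into directory $2; the key must not be world-readable.
restore_cert_bundle() {
    printf '%s' "$1" | base64 -d | tar -C "$2" -xzf - || return 1
    chmod 600 "$2/key.pem"
    [ -s "$2/cert.pem" ] && [ -s "$2/key.pem" ]
}

# Round trip with constructed placeholder files (not real PEM data).
bundle_roundtrip() {
    src=$(mktemp -d); dst=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nLEAF PLACEHOLDER\n-----END CERTIFICATE-----\n' > "$src/cert.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nINTERMEDIATE PLACEHOLDER\n-----END CERTIFICATE-----\n' >> "$src/cert.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\nKEY PLACEHOLDER\n-----END PRIVATE KEY-----\n' > "$src/key.pem"
    b64=$(pack_cert_bundle "$src")
    rc=1
    if restore_cert_bundle "$b64" "$dst" &&
       [ "$(cat "$src/cert.pem")" = "$(cat "$dst/cert.pem")" ] &&
       [ "$(cat "$src/key.pem")" = "$(cat "$dst/key.pem")" ]; then
        rc=0
    fi
    rm -rf "$src" "$dst"
    return $rc
}

# On the router, an init script would run (names are assumptions):
#   restore_cert_bundle "$(nvram get https_crt_b64)" /etc && service httpd restart
# after the bundle was stored once with:
#   nvram set https_crt_b64="$(pack_cert_bundle /tmp/mycerts)" && nvram commit
bundle_roundtrip && echo "bundle round trip OK"
```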