ECC certificates are not working in WebUI

[chengr28]

Hi!

I was encountering a problem in ASUSWRT-Merlin 386.7_2 (offical build).

When I upload a WebUI HTTPS certificate (Algorithm: ECC), the WebUI rolls back to auto-generated. Uploading ECC certificates to jffs directly and reboot is the same as via WebUI (Administration - System - Provide your own certificate - Import or Persistent Auto-generated).

I have tried the same procedure using other certificates like RSA one and everything works good. I do believe this is a problem with the ECC support, because ECC certificates are works as expected until few years ago (not sure if 382.xx or early).

Could anyone confirm they are getting the same problem on their routers? Many thanks.

Below is the certificate detail and issuer of the first certificate is also an ECC. I will upload a test certificate if the information is not enough.

ECC Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <hidden>
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: <hidden>
        Validity
            Not Before: <hidden>
            Not After : <hidden>
        Subject: <hidden>
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    <hidden>
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                <hidden>
    Signature Algorithm: ecdsa-with-SHA256
         <hidden>

RSA Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <hidden>
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: <hidden>
        Validity
            Not Before: <hidden>
            Not After : <hidden>
        Subject: <hidden>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    <hidden>
                Exponent: <hidden>
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                <hidden>
    Signature Algorithm: sha256WithRSAEncryption
         <hidden>

 

[RMerlin]

ECC certificates are not supported by the webui.

 

[chengr28]

Got it, thanks for your help!

Just curious, does the project have any plans to add? Seems ECC certificates are also popular.

 

[RMerlin]

Got it, thanks for your help!

Just curious, does the project have any plans to add? Seems ECC certificates are also popular.

I tried a few months ago, and I couldn't figure out how to implement the key/certificate validation that ensures that the two are matching, so I gave up. OpenSSL documentation is very confusing to me.