SSL implementation on the fritzbox isn't secure enough / 2015-06-16

The latest OpenSSL updates cause me a new problem:
Connecting to fritz.koos.koffie.dot (fritz.koos.koffie.dot)|192.168.178.1|:49443... connected.
OpenSSL: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
Unable to establish SSL connection.
Which means the script to fetch the dsl status from the fritzbox can't connect until I find out how to convince wget to negotiate a non-standard cipher set. Or switch to curl.

Getting the right answers with curl isn't working out either. I can get the SSL working and do a POST to the right URL but the 'best' thing I get back is:
<errorCode>502</errorCode>
<errorDescription>XML error</errorDescription>

Update: The solution was to keep using wget but disable(!) SSL, using the non-SSL port for upnp. The command now is:
wget --user=$FRITZUSER --password=$FRITZPASS --post-file=linkstatusrequest.xml \
--header="Content-Type: text/xml" \
--header="SOAPAction: \"urn:dslforum-org:service:WANCommonInterfaceConfig:1#GetCommonLinkProperties\"" \
http://192.168.178.1:49000/upnp/control/wancommonifconfig1 -O linkstatusanswer.xml
[Graph: VDSL downstream speed 20150618]
And now the data is available again and the graph is updated.

So the recent upgrade in OpenSSL which disabled less secure Diffie-Hellman key negotiation results in having to disable all encryption on the connection with the fritzbox. A security update on the fritzbox may solve this.
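
An added example, not part of the original post: one way to keep TLS on the request instead of falling back to port 49000 is to stop the client from offering Diffie-Hellman suites at all, so the weak server DH key is never negotiated. It assumes the fritzbox also accepts a non-DHE suite, that the control path from the wget command is the same on port 49443, and that the device certificate was exported to a file beforehand and matches the name or address in the URL; the function names are made up for this sketch.

```python
import ssl
import urllib.request

# Address, ports and SOAPAction come from the post; using the same control
# path on the TLS port (49443) is an assumption.
URL = "https://192.168.178.1:49443/upnp/control/wancommonifconfig1"
ACTION = "urn:dslforum-org:service:WANCommonInterfaceConfig:1#GetCommonLinkProperties"


def uses_dh(cipher_name):
    """True for OpenSSL suite names whose key exchange is finite-field DH."""
    return cipher_name.startswith(("DHE-", "EDH-", "ADH-", "DH-"))


def no_dhe_context(cafile=None):
    """TLS context that still verifies the peer but never offers DH suites."""
    ctx = ssl.create_default_context(cafile=cafile)
    # "!DH" removes the DHE key exchange that fails with "dh key too small";
    # "!PSK" drops pre-shared-key suites (DHE-PSK among them), unused here.
    ctx.set_ciphers("DEFAULT:!DH:!PSK")
    leftover = [c["name"] for c in ctx.get_ciphers() if uses_dh(c["name"])]
    if leftover:
        raise ssl.SSLError("DH suites still enabled: %s" % ", ".join(leftover))
    return ctx


def build_request(soap_body, url=URL):
    """Same POST as the wget call; soap_body is linkstatusrequest.xml as bytes."""
    return urllib.request.Request(url, data=soap_body, method="POST", headers={
        "Content-Type": "text/xml",
        "SOAPAction": '"%s"' % ACTION,
    })


def fetch(soap_body, user, password, cafile):
    """Send the request over TLS; cafile is the exported device certificate."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, URL, user, password)
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=no_dhe_context(cafile)),
        # Which HTTP auth scheme the device asks for is not stated in the
        # post, so both digest and basic handlers are registered.
        urllib.request.HTTPDigestAuthHandler(mgr),
        urllib.request.HTTPBasicAuthHandler(mgr),
    )
    with opener.open(build_request(soap_body), timeout=10) as resp:
        return resp.read()
```

If the handshake then fails with no shared cipher, the device only offers DHE suites and a firmware update remains the only way to keep this request encrypted.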


Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 (0x5BA9368BE6F334E4)