Fixing the broken SSL security in the GL-MT3000 routers
(and probably other GL-Inet routers from 2022)
I don't like this, do you?
These routers have two web interfaces: the GL-Inet interface and LuCI (the standard OpenWrt interface). So let's start.
The SSL package, configuration and certificates are outdated on the LuCI side, and also for the GL-MT3000 default web interface that sits behind NGINX.
Why I decided to do this
After scanning my network with OpenVAS (instructions for running OpenVAS with Docker can be found here: https://gist.github.com/ZEROF/fb790b35098be3bafcaf#gistcomment-5150042) I saw something I really didn't expect. These devices are not old, but they still support TLS 1.0 and TLS 1.1. I was like WTH.
OpenVAS detection:
We must do a few things before going deep:
- Update the GL-MT3000 LuCI packages
- Install the package that adds support for modern SSL cipher suites
- Enable SSH if that is not already the case
Updating packages is easy. Open your router's LuCI interface at https://x.x.x.x/cgi-bin/luci/admin/system/opkg (replace x.x.x.x with your router's IP) and click on:
After this, you will see a list of the packages that need updating. Install all updates one by one.
We need to install the package libuhttpd-mbedtls. On the same page mentioned before, search for this package and install it by clicking the "Install" button.
Since we need SSH access, let's jump to that next.
The settings for SSH access are on this page: https://x.x.x.x/cgi-bin/luci/admin/system/admin/dropbear. The default settings are:
Not very secure, but you can play with that later on; for now we just need to log in over SSH. I would advise you to add your SSH key and disable password login.
Login to your router: ssh [email protected] -p 2221
SSL Configuration
First check that you have all these packages installed with this command: opkg list-installed | grep "uhttpd*\|nginx*"
This is what the default NGINX config looks like:
Yeah, if you have some web and security knowledge, you will see directly what is wrong here. As usual, before touching anything, back up this file:
cp /etc/nginx/conf.d/gl.conf .
Back up the old SSL certs and keys to root's home directory:
cp /etc/uhttpd.* .
cp /etc/nginx/nginx.cer /etc/nginx/nginx.key .
Let's fix the SSL configuration for nginx (I always use https://ssl-config.mozilla.org/ to get the best configuration). Be careful when replacing the default configuration, and always check your nginx version before using the site mentioned above, because the generated settings depend on it.
Update the nginx config file: vim /etc/nginx/conf.d/gl.conf
Replace this:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:DHE+AESGCM:DHE:!RSA!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA:!SEED";
ssl_session_tickets off;
With this:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
ssl_session_tickets off;
Save with :wq
Generate new certificates for GL-Inet and LuCI:
openssl req -x509 -newkey rsa:2048 -keyout /etc/uhttpd.key -out /etc/uhttpd.crt -days 365 -nodes -subj '/CN=yourdomain.com'
openssl req -x509 -newkey rsa:2048 -keyout /etc/nginx/nginx.key -out /etc/nginx/nginx.cer -days 365 -nodes -subj '/CN=yourdomain.com'
Run:
nginx -s reload
/etc/init.d/uhttpd reload
Scan again with OpenVAS, or just check the certificates in your browser.
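If you want something quicker than a full OpenVAS run, here is an added example (my own script, not part of GL-Inet's firmware or the original post) that checks the two things this fix changes: it lints an nginx config for legacy ssl_protocols values, and it probes a live router with openssl s_client, one forced protocol version at a time. It assumes the config path used above (/etc/nginx/conf.d/gl.conf) and that openssl is available on the machine you run it from; the two sample configs it creates are constructed copies of the "before" and "after" lines from this post.

```shell
#!/bin/sh
# Added example, not from the original post: an offline lint for the nginx
# TLS protocol settings plus a live protocol probe to run after "nginx -s reload".
# Assumed: the config lives where the post puts it (/etc/nginx/conf.d/gl.conf)
# and openssl s_client is available on the machine running the probe.

# tls_protocols_ok FILE
# Returns 0 when every ssl_protocols directive in FILE names only TLSv1.2
# and/or TLSv1.3; returns 1 when SSLv2, SSLv3, TLSv1 or TLSv1.1 is still
# enabled, or when no ssl_protocols directive exists at all (nginx would
# then fall back to its built-in default, which we cannot vouch for here).
tls_protocols_ok() {
    # Keep only ssl_protocols lines, with trailing "# ..." comments removed.
    directives=$(grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$1" | sed 's/#.*//')
    [ -n "$directives" ] || return 1
    # "TLSv1" followed by ".2" or ".3" is fine; "TLSv1" followed by space,
    # ";" or end of line (or TLSv1.1 / SSLv2 / SSLv3) means legacy is on.
    if printf '%s\n' "$directives" \
        | grep -Eq '(^|[[:space:]])(SSLv[23]|TLSv1(\.1)?)([[:space:]]|;|$)'; then
        return 1
    fi
    return 0
}

# probe_tls HOST PORT VERSION_FLAG
# Live check: one handshake forced to a single protocol version
# (-tls1, -tls1_1, -tls1_2 or -tls1_3). Returns 0 if the server completed
# the handshake, 1 if it refused. Assumes the s_client summary prints
# "Cipher is (NONE)" on a failed handshake, which current OpenSSL does.
probe_tls() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" "$3" 2>/dev/null)
    case "$out" in
        *"Cipher is (NONE)"*) return 1 ;;
        *"Cipher is "*)       return 0 ;;
        *)                    return 1 ;;
    esac
}

# Constructed sample configs: the "before" and "after" lines from the post.
WORK=$(mktemp -d)
WEAK_CONF="$WORK/gl-before.conf"
FIXED_CONF="$WORK/gl-after.conf"
cat > "$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_tickets off;
}
EOF
cat > "$FIXED_CONF" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;   # legacy versions removed
    ssl_prefer_server_ciphers off;
    ssl_session_tickets off;
}
EOF

for f in "$WEAK_CONF" "$FIXED_CONF"; do
    if tls_protocols_ok "$f"; then
        echo "$f: only TLS 1.2/1.3 enabled"
    else
        echo "$f: legacy protocol still enabled (or no ssl_protocols line)"
    fi
done

# Live probe, only when a router address is supplied, e.g.
#   ROUTER=x.x.x.x sh tls-check.sh
# Expected after the fix: -tls1 and -tls1_1 refused, -tls1_2 and -tls1_3 accepted.
if [ -n "${ROUTER:-}" ]; then
    for v in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        if probe_tls "$ROUTER" "${ROUTER_PORT:-443}" "$v"; then
            echo "$v: accepted"
        else
            echo "$v: refused"
        fi
    done
fi
```

Run the lint against the real file with tls_protocols_ok /etc/nginx/conf.d/gl.conf on the router, and the probe from your workstation with ROUTER set. The lint is deliberately narrow: it looks only at ssl_protocols, not at the cipher list or the certificate, so the browser check above is still worth doing after the reload.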