In May, we showed you the basic configuration of our Turris Omnia. The Omnia is a Czech router which runs open-source software and is mostly made of open hardware components. In this article, we configure the Omnia to use HTTPS-only and harden its TLS configuration.
- The defaults
- Step by step from HTTP to hardened HTTPS
The defaults
By default, our Turris Omnia is reachable via port 80 (HTTP) and 22 (SSH). HTTP is unencrypted, so other devices in our network can monitor and read the traffic between a computer and the Omnia. Furthermore, when connecting to 192.168.1.1 we can’t be sure that we are really talking to our Omnia: there is no cryptographic proof of its identity.
The solution: get a certificate, enable HTTPS (port 443) and disable HTTP. Currently, Turris OS shows you a warning that you should enable HTTPS. You can enable this configuration, which uses a Turris certificate and less strict TLS cipher suites.
Instead, we want to use our own certificate and only strong cipher suites. If you don’t own a Turris Omnia, you can still try to find a corresponding guide for your home router.
This time, we need:
- our Turris Omnia which is connected with our computer and the internet
- an SSH client on our computer
- time (if you want to use DHE instead of ECDHE)
- tools like nmap, sslyze or sslscan
Step by step from HTTP to hardened HTTPS
Our plan is really straightforward: Our Omnia runs lighttpd for HTTP/HTTPS connections. We have to generate a certificate, change the configuration of lighttpd and restart our router.
Be aware: if you misconfigure lighttpd, you will be unable to connect to your Omnia via HTTP/HTTPS. However, you can always fall back to SSH, which remains unaffected by the following guide.
Step 1: Connect via SSH
The first step is to establish an SSH connection between your computer and your Omnia. This requires an SSH client on your device (if you use Linux, it is very likely already installed). Windows users can use PuTTY. The password is the “advanced password” which you can configure separately in Turris OS.
The simple command here is:
$ ssh root@[turris router ip]
Step 2: Generate strong DH parameters
The next step is to generate strong DH (Diffie–Hellman) parameters for the key exchange. You only need this if you want to use cipher suites with DHE (ephemeral Diffie–Hellman key exchange). The alternative is ECDHE (ephemeral elliptic-curve Diffie–Hellman key exchange). We recommend that you try to use ECDHE only: it is faster and requires fewer resources.
Generating the following DH parameters can take several hours!
For DHE cipher suites only:
Step 3: Generate your certificate
Now we have to create a new folder:
After that, we have to generate our own certificate:
This generates a certificate with a 4096-bit RSA key (rsa:4096) which is valid for one year (-days 365). We recommend using the IP address of your Omnia as “Common Name (e.g. server FQDN or YOUR name)”.
Step 4: Harden your TLS configuration
We generated our RSA certificate. Now we configure TLS. Simply using the defaults here results in a warning when we test our connection:
The result shows that we use weak DH parameters and a weak elliptic curve. There are also several cipher suites without DHE/ECDHE. Let’s change this:
We are using Vim here. If you never used it before, read some beginner’s guides or use your favorite command line editor.
After opening the ssl-enable.conf, we change the configuration to:
Step 5: Restart and test your connection
After saving, we can restart lighttpd:
$ /etc/init.d/lighttpd restart
Try to connect to your Omnia using your web browser. Your router should change the connection to HTTPS.
- Errors like “NET::ERR_CERT_AUTHORITY_INVALID” or “MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT” are normal: we are using a self-signed certificate here, and self-signed certificates are always untrusted by web browsers.
- If you can’t connect, try to use secp384r1 instead of secp521r1 in your ssl-enable.conf. This elliptic curve is weaker but strong enough for our purposes.
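As an added example (not the article's own listing, which is not reproduced here), the following POSIX shell script carries Steps 2 to 5 through end to end: it generates the DH parameters and the self-signed RSA-4096 certificate, renders a hardened ssl-enable.conf with ECDHE-only cipher suites (DHE suites and ssl.dh-file only on request), redirects plain HTTP to HTTPS, restarts lighttpd and checks that a suite without forward secrecy is refused. The certificate directory /etc/lighttpd/certs, the path of ssl-enable.conf under /etc/lighttpd/conf.d, the -nodes flag (an unencrypted key so lighttpd can start unattended), the exact cipher list and the mod_redirect rule are my assumptions, not taken from the article; nothing is written to the router unless the script is run with --apply.

```shell
#!/bin/sh
# Added example, not the article's listing: lighttpd TLS hardening on a Turris Omnia.
# Steps 2-3 generate key material, Step 4 renders ssl-enable.conf, Step 5 restarts and checks.
# Paths, the cipher list and the redirect rule are assumptions.
set -eu

CERT_DIR="/etc/lighttpd/certs"                   # assumed location for the key material
SSL_CONF="/etc/lighttpd/conf.d/ssl-enable.conf"  # file the article edits; directory assumed
OMNIA_IP="${OMNIA_IP:-192.168.1.1}"              # used as the certificate Common Name

# Step 2 (DHE only): 4096-bit DH parameters. This takes hours on the Omnia's CPU.
gen_dhparams() {
    openssl dhparam -out "$1/dh4096.pem" 4096
}

# Step 3: self-signed RSA-4096 certificate, valid one year, CN = router IP.
# lighttpd reads key and certificate from one PEM file (ssl.pemfile), so we concatenate them.
gen_cert() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 365 \
        -subj "/CN=$cn" -keyout "$dir/omnia.key" -out "$dir/omnia.crt"
    cat "$dir/omnia.key" "$dir/omnia.crt" > "$dir/omnia.pem"
    chmod 600 "$dir/omnia.key" "$dir/omnia.pem"
}

# Forward-secret suites only. ECDHE by default; DHE suites appended when $1 = dhe.
cipher_list() {
    list="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
    list="$list:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
    if [ "${1:-no}" = "dhe" ]; then
        list="$list:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"
    fi
    printf '%s' "$list"
}

# Step 4: render the hardened ssl-enable.conf to stdout.
#   $1 = certificate directory, $2 = EC curve (secp521r1 or secp384r1), $3 = "dhe" to allow DHE
render_ssl_conf() {
    dir=$1; curve=$2; dhe=${3:-no}
    cat <<EOF
\$SERVER["socket"] == ":443" {
    ssl.engine             = "enable"
    ssl.pemfile            = "$dir/omnia.pem"
    ssl.use-sslv2          = "disable"
    ssl.use-sslv3          = "disable"
    ssl.honor-cipher-order = "enable"
    ssl.ec-curve           = "$curve"
    ssl.cipher-list        = "$(cipher_list "$dhe")"
EOF
    if [ "$dhe" = "dhe" ]; then
        printf '    ssl.dh-file            = "%s/dh4096.pem"\n' "$dir"
    fi
    cat <<'EOF'
}

# Plain HTTP on port 80 is redirected to HTTPS (mod_redirect must be loaded).
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}
EOF
}

# Step 5: restart lighttpd, then verify that a static-RSA suite (no forward secrecy)
# is refused. -tls1_2 keeps the client from sidestepping the cipher string via TLS 1.3.
restart_and_check() {
    /etc/init.d/lighttpd restart
    if openssl s_client -connect "$1:443" -tls1_2 -cipher 'AES128-SHA' </dev/null 2>/dev/null \
        | grep -q 'Cipher is AES128-SHA'; then
        echo "weak suite AES128-SHA still accepted, check ssl.cipher-list" >&2
        return 1
    fi
    echo "weak suite rejected"
}

# Only touch the router when explicitly asked: sh harden-omnia.sh --apply [dhe]
if [ "${1:-}" = "--apply" ]; then
    [ "${2:-}" = "dhe" ] && gen_dhparams "$CERT_DIR"
    gen_cert "$CERT_DIR" "$OMNIA_IP"
    render_ssl_conf "$CERT_DIR" "secp384r1" "${2:-no}" > "$SSL_CONF"
    restart_and_check "$OMNIA_IP"
fi
```

Run it on the Omnia after Step 1 as sh harden-omnia.sh --apply (or --apply dhe once you are willing to wait for the DH parameters); calling render_ssl_conf on its own lets you inspect the configuration before anything is written. One caveat on the Common Name: current browsers match an IP address against the subjectAltName extension rather than the CN, so a CN-only certificate changes the reason shown in the browser warning, not the outcome; since the certificate is self-signed and untrusted anyway, this does not matter for the purposes of this guide.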
You can validate your configuration using nmap, sslyze and/or sslscan:
$ nmap --script +ssl-enum-ciphers -n -p 443 [turris omnia ip]
$ sslyze --regular [turris omnia ip]
$ sslscan [turris omnia ip]
Our result is shown in the following screenshot:
This article is part of the "Home network security" series.
This configuration example enables HTTPS-only and enforces strong TLS cipher suites. One weak point remains: We are using our own, untrusted certificate. However, this is sufficient for our purposes. Moreover, you can also try to configure an ECDSA certificate instead of our RSA certificate.
To harden your SSH configuration, you can check our Web server security series part 1.
In part 3a, you can read about using your Turris Omnia as network-attached storage which is a big plus for privacy.