[RFC] self-signed certificates for LuCI
Paul Spooren
mail at aparcar.org
Sun Aug 30 03:57:48 EDT 2020
Hi team,

I recently rewrote px5g[1] to use WolfSSL instead of MbedTLS, as the
former will be included in OpenWrt 20.x by default.

Both implementations support the generation of RSA and ECC keys, where
uhttpd currently defaults to RSA with 2048-bit keys.

The question came up if we really want RSA certificates for LuCI or if
the faster and "more modern" ECC P-256 wouldn't be a better choice.

If px5g is added to the next release, certificates are generated on
first boot and most users are unlikely to manually recreate RSA ones, no?

So the question: shouldn't we drop all crypto options from the new px5g
implementation and _only_ offer P-256? Whoever wants something other than
the default may use px5g-mbedtls or some OpenSSL-based tool?

Best,
Paul

[1]: https://github.com/openwrt/openwrt/pull/3363