[RFC] self-signed certificates for LuCI

Michael Richardson mcr at sandelman.ca
Sun Aug 30 18:32:25 EDT 2020


Paul Spooren <mail at aparcar.org> wrote:
    > I recently rewrote px5g[1] to use WolfSSL instead of MbedTLS, as the former
    > will be included in OpenWrt 20.x by default.

    > Both implementations support the generation of RSA and ECC keys, where uhttpd
    > currently defaults to RSA with 2048 keys.

    > The question came up if we really want RSA certificates for LuCI or if the
    > faster and "more modern" ECC P-256 wouldn't be a better choice.

Yes, it would be better.

    > If px5g is added to the next release, certificates are generated on first
    > boot and most users are unlikely to manually recreate RSA ones, not?

But, this will result in a security warning for a self-signed key, and then
we'd be training users to click through them.
I am divided on whether this is better or worse than unencrypted.
Browsers are making doing that security exception more and more difficult,
with the desire to eliminate it entirely.

I have running code that deploys LetsEncrypt certificates to devices in the
"factory".   This requires a DNS name for dns-01 challenge.
That's clearly not feasible for random end-users who flash openwrt on their own.
I would like to explore some additional options here.

    > So the question, shouldn't we drop all crypto options from the new px5g
    > implementation and _only_ offer P-256? Whoever wants something else than the
    > default may use px5g-mbedtls or some OpenSSL based tool?

uhm, okay.  I can live with that for sure.
I care more about what's in the certificate than the algorithm.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
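The thread compares two defaults for the certificate px5g would generate on first boot: RSA-2048, which uhttpd uses today, and ECDSA P-256. The following is an added example, not code from px5g, uhttpd or the thread's authors: it builds a self-signed server certificate with the same identity fields for both key types (SAN with a hostname and an IP, validity window, key usage, server-auth EKU, explicitly not a CA), reports the key and certificate sizes, and then runs a chain check twice, once with an empty root store (the "security warning" case Michael describes) and once with the certificate pinned as a root. The hostname `openwrt.lan` and address `192.168.1.1` are constructed placeholders; a real generator would take them from the device configuration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed placeholders for the device identity (not from the thread);
// a real generator would use the router's configured hostname and LAN address.
const uiHost = "openwrt.lan"

var uiAddr = net.ParseIP("192.168.1.1")

// Result holds the parsed certificate and the DER sizes worth comparing.
type Result struct {
	Algorithm string
	Cert      *x509.Certificate
	CertDER   []byte
	KeyDER    []byte // PKCS#8-encoded private key
}

// newSelfSigned issues a certificate signed by its own key, filling the
// fields a browser checks on a server certificate: SAN entries, validity,
// key usage and the server-auth EKU. The key type is the only variable.
func newSelfSigned(alg string, priv crypto.Signer, days int) (*Result, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	usage := x509.KeyUsageDigitalSignature
	if _, isRSA := priv.Public().(*rsa.PublicKey); isRSA {
		usage |= x509.KeyUsageKeyEncipherment // RSA key transport in pre-1.3 TLS
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: uiHost, Organization: []string{"OpenWrt"}},
		NotBefore:             now.Add(-time.Hour), // tolerate a slightly wrong router clock
		NotAfter:              now.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:              usage,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:              []string{uiHost},
		IPAddresses:           []net.IP{uiAddr},
		BasicConstraintsValid: true, // IsCA stays false: a leaf, not a CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	return &Result{Algorithm: alg, Cert: cert, CertDER: der, KeyDER: keyDER}, nil
}

// GenerateP256 is the proposed px5g default; GenerateRSA2048 matches what
// uhttpd generates today. Everything else in the certificate is identical.
func GenerateP256(days int) (*Result, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return newSelfSigned("ECDSA P-256", priv, days)
}

func GenerateRSA2048(days int) (*Result, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return newSelfSigned("RSA-2048", priv, days)
}

// Trusted reports whether a client would accept the certificate for uiHost.
// With an empty root store no chain can be built (the warning users are asked
// to click through); once this exact certificate is pinned as a root it passes.
func Trusted(r *Result, pinned bool) bool {
	roots := x509.NewCertPool()
	if pinned {
		roots.AddCert(r.Cert)
	}
	_, err := r.Cert.Verify(x509.VerifyOptions{DNSName: uiHost, Roots: roots})
	return err == nil
}

func main() {
	for _, gen := range []func(int) (*Result, error){GenerateP256, GenerateRSA2048} {
		r, err := gen(3650)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12s key %4d B  cert %4d B  SAN %v %v  untrusted=%v pinned=%v\n",
			r.Algorithm, len(r.KeyDER), len(r.CertDER), r.Cert.DNSNames, r.Cert.IPAddresses,
			Trusted(r, false), Trusted(r, true))
	}
}
```

Running it shows the P-256 key and certificate are several times smaller than their RSA-2048 counterparts, while the chain check fails for both until the certificate is pinned: the algorithm choice does not change the warning, which is why the contents of the certificate (correct SAN, sane validity) matter more than the key type.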
