[PATCH 0/3] Support TLS/SSL and WPA3-Personal/SAE by default

Hauke Mehrtens hauke at hauke-m.de
Sun Jul 26 13:15:59 EDT 2020


On 7/24/20 4:29 PM, Petr Štetiar wrote:
> Hi,
> 
> it has been discussed several times and some of the core developers would like to
> include SSL/TLS and WPA3-Personal/SAE support in the next release as we've
> dropped support for 4/32M devices officially with 19.07 and it's time to move
> on and improve the default security features in official images.
> 
> wolfSSL and mbed TLS were pre-selected as possible crypto libraries due to the
> size. mbed TLS currently lacks support in hostapd so I went with wolfSSL for
> the start.
> 
> In order to keep the size as small as possible I've created a
> `wpad-basic-wolfssl` variant of the currently shipped `wpad-basic` package which
> just adds support for SAE.
> 
> I've tested the patchset on my Rambutan board with `sae` and `sae-mixed`
> encryption settings against my Android 10 phone and installed a random package
> with opkg over HTTPS.
> 
> Size comparison of openwrt-ath79-nand-8dev_rambutan-squashfs-factory.bin:
> 
>  5373952 bytes for wolfSSL enabled image
>  5111808 bytes for current image as of r13926-f94b09867d
>  -------
>   262144 bytes is difference
> 
> I think that those numbers are not that bad if you consider that the
> following patchset adds ca-certificates, libustream-wolfssl, libwolfssl and
> wpad-basic-wolfssl into default packages.
> 
> Cheers,
> 
> Petr
> 
> Petr Štetiar (3):
>   hostapd: add wpad-basic-wolfssl variant
>   treewide: use wpad-basic-wolfssl as default
>   treewide: switch to HTTPS by default

This looks good to me.

How stable is the ABI of wolfssl?

We probably have to update it to new versions in the lifetime and then
it would be nice if we only have to update the wolfssl package.

Is this also enough to make LUCI work with https when just luci is
activated?

Hauke
