[PATCH 0/3] Support TLS/SSL and WPA3-Personal/SAE by default

Rosen Penev rosenp at gmail.com
Sun Jul 26 13:29:17 EDT 2020



> On Jul 26, 2020, at 10:19 AM, Hauke Mehrtens <hauke at hauke-m.de> wrote:
> 
> On 7/24/20 4:29 PM, Petr Štetiar wrote:
>> Hi,
>> 
>> it has been discussed several times and some of core developers would like to
>> include SSL/TLS and WPA3-Personal/SAE support in the next release as we've
>> dropped support for 4/32M devices officially with 19.07 and it's time to move
>> on and improve the default security features in official images.
>> 
>> wolfSSL and mbed TLS were pre-selected as possible crypto libraries due to the
>> size. mbed TLS currently lacks support in hostapd so I went with wolfSSL for
>> the start.
>> 
>> In order to keep the size as small as possible I've created
>> `wpad-basic-wolfssl` variant of currently shipped `wpad-basic` package which
>> just adds support for SAE.
>> 
>> I've tested the patchset on my Rambutan board with `sae` and `sae-mixed`
>> encryption settings against my Android 10 phone and installed random package
>> with opkg over HTTPS.
>> 
>> Size comparison of openwrt-ath79-nand-8dev_rambutan-squashfs-factory.bin:
>> 
>> 5373952 bytes for wolfSSL enabled image
>> 5111808 bytes for current image as of r13926-f94b09867d
>> -------
>>  262144 bytes is difference
>> 
>> I think, that those numbers are not that bad if you consider that the
>> following patchset adds ca-certificates, libustream-wolfssl, libwolfssl and
>> wpad-basic-wolfssl into default packages.
>> 
>> Cheers,
>> 
>> Petr
>> 
>> Petr Štetiar (3):
>>  hostapd: add wpad-basic-wolfssl variant
>>  treewide: use wpad-basic-wolfssl as default
>>  treewide: switch to HTTPS by default
> 
> This looks good to me.
> 
> How stable is the ABI of wolfssl?
> 
> We probably have to update it to new versions in the lifetime and then
> it would be nice if we only have to update the wolfssl package.
> 
> Is this also enough to make LUCI work with https when just luci is
> activated?
Note that wolfSSL only exposes TLS 1.2 and 1.3 by default. 1.1 and below are compile time disabled. Probably not too big of a problem by now.
> 
> Hauke
> 
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
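An added example, not part of Petr's patchset, of what the `sae` and `sae-mixed` settings he tested look like in `/etc/config/wireless`, beside the WPA2-only `psk2` setting a `wpad-basic` image is limited to; the radio name, SSIDs and section names are placeholders, and the comments on `ieee80211w` (PMF) reflect my understanding of OpenWrt's hostapd.sh defaults, which the thread itself does not discuss.

```uci
# Constructed example for /etc/config/wireless (radio0, SSIDs and section names are placeholders).

# Before: WPA2-PSK only. Works with wpad-basic, but offers no SAE, so no WPA3.
config wifi-iface 'legacy_ap'
	option device 'radio0'
	option mode 'ap'
	option ssid 'example-ssid'
	option encryption 'psk2'
	option key 'REPLACE-WITH-A-LONG-PASSPHRASE'

# Transitional: WPA2-PSK and WPA3-SAE on one SSID. Needs an SAE-capable wpad
# such as wpad-basic-wolfssl. Old clients keep using PSK, new ones use SAE.
config wifi-iface 'mixed_ap'
	option device 'radio0'
	option mode 'ap'
	option ssid 'example-ssid'
	option encryption 'sae-mixed'
	option key 'REPLACE-WITH-A-LONG-PASSPHRASE'
	# Assumed: hostapd.sh defaults ieee80211w to 1 (PMF optional) for sae-mixed,
	# so WPA2-only clients without PMF can still associate.

# Strict: WPA3-SAE only. Clients without WPA3 support cannot join.
config wifi-iface 'sae_ap'
	option device 'radio0'
	option mode 'ap'
	option ssid 'example-ssid-wpa3'
	option encryption 'sae'
	option key 'REPLACE-WITH-A-LONG-PASSPHRASE'
	# Assumed: hostapd.sh defaults ieee80211w to 2 (PMF required) for sae,
	# as WPA3-Personal mandates PMF.
```

Apply with `wifi reload`; `sae-mixed` is the setting to pick while pre-WPA3 clients remain on the network, since `sae` alone locks them out.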