A proposal of https certificate assignment system for luci

abnoeh abnoeh at mail.com
Fri Oct 9 08:33:50 EDT 2020


On 2020-10-09 at 8:29 PM, Bas Mevissen wrote:
> So I think it is reasonably safe to do the initial setup over HTTP
> (without the "S") at the first boot if there are no certificates
> available from a previous OpenWRT install. Then the user can setup the
> WAN side if needed and upload (from local PC), generate (self-signed)
> or acquire (e.g. Let's Encrypt) the certificates for Luci. After that,
> the connection is switched to HTTPS and HTTP switched off.
>
> The only issue I see, is how to transfer admin, WAN and WiFi passwords
> at first boot in a secure way. Even though the user/admin should be
> alone on the connection, sending those unencrypted over the line is
> not desirable. Maybe those can be encrypted using client side javascript.
>
For things with a USB port: a firstboot loader script that loads the ssh
authorized key/root password from a USB drive, and/or an export script
that, when there is a '.whoareyou' file touched on the USB drive, writes its
ssh host key and its self-signed certificate onto the USB drive? I think the
latter can be part of a hotplug.d script.
> The challenges IMHO are being able to safely retain previously
> installed certificates over OpenWRT reflashes/upgrades and having user
> friendly tools to get new certificates uploaded, generated or
> acquired. For the latter part, some configurable service to
> periodically download and install certificates from an external host
> might be desirable (that's how I do it with my NAS boxes at home).
For sysupgrade, like the save-config option, add a new save-keys option that
only saves the dropbear key and uhttpd certs?
>
> Cheers,
>
> Bas.
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
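As an added illustration of the two ideas in this reply (a save-keys list for sysupgrade and a '.whoareyou' export on a USB drive), not code from the thread or from OpenWrt itself, the following POSIX shell sketch uses OpenWrt's default dropbear host-key and uhttpd certificate paths and the marker filename from the mail. The `ROOT` prefix is an assumption so the functions can be exercised outside a router; the keep-list format is the one-path-per-line format of `/lib/upgrade/keep.d/*` and `/etc/sysupgrade.conf`. Unlike the mail's wording, the export writes only public material (certificate, host public key, a certificate digest the admin can compare against the browser warning) and never copies a private key off the device.

```shell
#!/bin/sh
# Constructed example for the openwrt-devel thread above; not OpenWrt's own scripts.
# ROOT is an assumption: a prefix so this can be run against a scratch tree for testing.
ROOT="${ROOT:-}"

# Files the proposed "save-keys" option would carry across sysupgrade.
# Paths are the OpenWrt defaults for dropbear and uhttpd.
KEEP_FILES="/etc/dropbear/dropbear_rsa_host_key
/etc/dropbear/dropbear_ed25519_host_key
/etc/uhttpd.crt
/etc/uhttpd.key"

# write_keep_list DEST
# Writes a keep list (one absolute path per line, the format sysupgrade reads
# from /lib/upgrade/keep.d/* and /etc/sysupgrade.conf) listing only the files
# that actually exist on this device. Returns non-zero if nothing was listed.
write_keep_list() {
    dest="$1"
    : > "$dest"
    for f in $KEEP_FILES; do
        [ -e "$ROOT$f" ] && echo "$f" >> "$dest"
    done
    [ -s "$dest" ]
}

# export_identity MOUNTPOINT
# Intended to be called from /etc/hotplug.d/block/* on a mount event. Only acts
# when the admin has touched '.whoareyou' on the drive, exports public material
# only, and renames the marker so a drive left plugged in is not re-exported.
export_identity() {
    mnt="$1"
    [ -f "$mnt/.whoareyou" ] || return 1
    out="$mnt/openwrt-identity"
    mkdir -p "$out" || return 1

    # The certificate is public by nature; the matching /etc/uhttpd.key is
    # deliberately never touched.
    if [ -f "$ROOT/etc/uhttpd.crt" ]; then
        cp "$ROOT/etc/uhttpd.crt" "$out/uhttpd.crt" || return 1
        # A plain digest the admin can compare on the client before trusting it.
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$out/uhttpd.crt" | cut -d' ' -f1 > "$out/uhttpd.crt.sha256"
        fi
    fi

    # For dropbear, export only the public key portion (dropbearkey -y), which
    # is what a client needs for known_hosts; skipped when dropbearkey is absent.
    for k in "$ROOT"/etc/dropbear/dropbear_*_host_key; do
        [ -f "$k" ] || continue
        if command -v dropbearkey >/dev/null 2>&1; then
            dropbearkey -y -f "$k" | grep '^ssh-' > "$out/$(basename "$k").pub"
        fi
    done

    mv "$mnt/.whoareyou" "$mnt/.whoareyou.done"
}

# Usage on a device (both calls are no-ops here; functions only):
#   write_keep_list /lib/upgrade/keep.d/save-keys
#   export_identity /mnt/sda1      # from a hotplug.d block script, ACTION=add
```

The keep list is generated from files that exist rather than hard-coded so that a device with only an ed25519 host key does not end up with a stale path in `keep.d`; the export is gated on the marker and then consumes it, so an attacker plugging in a prepared drive still gets nothing private, and a forgotten drive does not keep rewriting its contents.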