Activate https server support in 21.02 by default

Fernando Frediani fhfrediani at gmail.com
Sat Sep 18 13:21:48 PDT 2021


Hello Perry

I didn't understand your suggestion fully.

You wish to put some warning to users who are willing to use https about 
the self-signed certificate or about users using http?

Regards
Fernando

On 17/09/2021 09:07, Perry wrote:
> Hi all,
>
> This issue has come up recently in the Freifunk-Berlin community.  We
> have brainstormed a little bit and came up with a suggestion.
>
> Would it be possible to have all the headers in the themes to contain a
> link to https (iff the correct packages are installed)?  A bonus would
> be a nice mouse-over explaining to the user about the "potential secure
> risk ahead" with regards to the certificate.
>
> Greets,
> Perry
>
> On 5/17/21 4:48 PM, Fernando Frediani wrote:
>> Seems good to me.
>> The main question is: most home users will require it? I don't think
>> so. But there may be others that may do, so as long http does not
>> forward to https seems a good approach so those who want can
>> deliberately use https.
>> I think as it stands now forcing https only would be a mistake.
>>
>> For those who don't want to use may build a custom image it should
>> really be the other way round since we are talking about something not
>> essential. But as mentioned if there is not space consumption impact and
>> not forcibly forward it seems a good approach in my view.
>>
>> Fernando
>>
>> On 16/05/2021 10:16, Hauke Mehrtens wrote:
>>> <clip>
>>> Hi,
>>>
>>> Adding CONFIG_PACKAGE_luci-ssl to the image will add less than 10
>>> KBytes to the image, my initramfs image for an ath79 got 2.2 KBytes
>>> bigger. This is about 0.05% of the image. We already include a full
>>> TLS library and use it for WPA3 and HTTPS downloads.
>>> Probably some extra size is used by the X.509 certificate we generate
>>> at first boot and store on flash.
>>>
>>> With the current approach we would offer the web page under
>>> http://192.168.1.1 and https://192.168.1.1 by default, the user can
>>> choose what he would like to use. The http version will not forward to
>>> the https version. https is not deactivated by default, but the user
>>> can choose which url he uses in his browser.
>>>
>>> The certificates are not signed by a certificate authority, so the
>>> browser will not trust them by default, but this already protects the
>>> users from an attacker passively listening on the connection between
>>> the browser and the OpenWrt device. The comparison with telnet and ssh
>>> is pretty good. For SSH we "waste" a lot more memory.
>>>
>>> I am for activating it, if you do not want to use it, you can build a
>>> custom image with the image builder without luci-ssl and px5g-wolfssl.
>>>
>>> Hauke
>>
>> _______________________________________________
>> openwrt-devel mailing list
>> openwrt-devel at lists.openwrt.org
>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel


