[OpenWrt-Devel] [PATCH 0/3] support EC keys in px5g/uhttpd
Eneas U de Queiroz
cotequeiroz at gmail.com
Mon Aug 5 14:34:36 EDT 2019
I'm adding support to create EC curves with px5g, and changing uhttpd
to use it, adding two config options: key_type, and ec_curve.

* key_type should be set to either 'ec' or 'rsa'. In practice, it will
  silently use 'rsa' unless its value is 'ec'.
* ec_curve takes an elliptic curve name, which should match one of the
  certificate generator's TLS library's names. Unfortunately, they don't
  necessarily match between px5g (mbedtls) and openssl. Short names
  P-256 and P-384 were added to px5g to have a uniform set, and are
  guaranteed to work. P-521 is there too, but mbedtls is currently
  built without it.

Right now the ciphersuites used with EC keys are stronger than with RSA
keys, and I'm sending a patch to widen that gap further. That way you
can use the key type to choose the level of strength vs. broad
compatibility you wish to use.

A P-256 EC key offers a strength equivalent of a 3072-bit RSA key, and is
generated much faster than even a 2048-bit RSA key.

uhttpd currently generates a 2048-bit RSA key by default, and that has
not been changed.

Eneas U de Queiroz (3):
  openssl: always build with EC support
  px5g: support EC keys
  uhttpd: add support to generate EC keys

package/libs/openssl/Config.in | 12 ---
package/libs/openssl/Makefile | 9 +-
package/network/services/uhttpd/Makefile | 2 +-
.../services/uhttpd/files/uhttpd.config | 8 ++
.../network/services/uhttpd/files/uhttpd.init | 6 +-
package/utils/px5g/Makefile | 4 +-
package/utils/px5g/px5g.c | 86 +++++++++++++++----
7 files changed, 87 insertions(+), 40 deletions(-)