[RFC] self-signed certificates for LuCI

Paul Spooren mail at aparcar.org
Sun Aug 30 03:57:48 EDT 2020


Hi team,

I recently rewrote px5g[1] to use WolfSSL instead of MbedTLS, as the 
former will be included in OpenWrt 20.x by default.

Both implementations support the generation of RSA and ECC keys, where 
uhttpd currently defaults to RSA with 2048 keys.

The question came up whether we really want RSA certificates for LuCI or if 
the faster and "more modern" ECC P-256 wouldn't be a better choice.

If px5g is added to the next release, certificates are generated on 
first boot and most users are unlikely to manually recreate RSA ones, are they?

So the question is: shouldn't we drop all crypto options from the new px5g 
implementation and _only_ offer P-256? Whoever wants something other than 
the default may use px5g-mbedtls or some OpenSSL-based tool?

Best,
Paul

[1]: https://github.com/openwrt/openwrt/pull/3363



