[PATCH 0/3] Support TLS/SSL and WPA3-Personal/SAE by default

Martin Weinelt martin at darmstadt.freifunk.net
Sun Jul 26 13:51:12 EDT 2020



On 26.07.20 19:29, Rosen Penev wrote:
> 
> 
>> On Jul 26, 2020, at 10:19 AM, Hauke Mehrtens <hauke at hauke-m.de> wrote:
>>
>> On 7/24/20 4:29 PM, Petr Štetiar wrote:
>>> Hi,
>>>
>>> it has been discussed several times and some of the core developers would like to
>>> include SSL/TLS and WPA3-Personal/SAE support in the next release as we've
>>> dropped support for 4/32M devices officially with 19.07 and it's time to move
>>> on and improve the default security features in official images.
>>>
>>> wolfSSL and mbed TLS were pre-selected as possible crypto libraries due to the
>>> size. mbed TLS currently lacks support in hostapd so I went with wolfSSL for
>>> the start.
>>>
>>> In order to keep the size as small as possible I've created
>>> `wpad-basic-wolfssl` variant of currently shipped `wpad-basic` package which
>>> just adds support for SAE.
>>>
>>> I've tested the patchset on my Rambutan board with `sae` and `sae-mixed`
>>> encryption settings against my Android 10 phone and installed random package
>>> with opkg over HTTPS.
>>>
>>> Size comparison of openwrt-ath79-nand-8dev_rambutan-squashfs-factory.bin:
>>>
>>> 5373952 bytes for wolfSSL enabled image
>>> 5111808 bytes for current image as of r13926-f94b09867d
>>> -------
>>>  262144 bytes is the difference
>>>
>>> I think that those numbers are not that bad if you consider that the
>>> following patchset adds ca-certificates, libustream-wolfssl, libwolfssl and
>>> wpad-basic-wolfssl into default packages.
>>>
>>> Cheers,
>>>
>>> Petr
>>>
>>> Petr Štetiar (3):
>>>  hostapd: add wpad-basic-wolfssl variant
>>>  treewide: use wpad-basic-wolfssl as default
>>>  treewide: switch to HTTPS by default
>>
>> This looks good to me.
>>
>> How stable is the ABI of wolfssl?
>>
>> We probably have to update it to new versions in the lifetime and then
>> it would be nice if we only have to update the wolfssl package.
>>
>> Is this also enough to make LUCI work with https when just luci is
>> activated?
> Note that wolfSSL only exposes TLS 1.2 and 1.3 by default. 1.1 and below are compile time disabled. Probably not too big of a problem by now.

Not an issue since browsers have moved to disable TLS 1.0 and 1.1 quite
recently.

> We have disabled TLS 1.0 and TLS 1.1 to improve your website
> connections. Sites that don't support TLS version 1.2 will now show an
> error page.

https://www.mozilla.org/en-US/firefox/78.0/releasenotes/

>>
>> Hauke
>>