A proposal of https certificate assignment system for luci

Bas Mevissen abuse at basmevissen.nl
Fri Oct 9 08:53:09 EDT 2020


On 2020-10-09 14:33, abnoeh wrote:
> On 2020-10-09 8:29 PM, Bas Mevissen wrote:
>> So I think it is reasonably safe to do the initial setup over HTTP
>> (without the "S") at the first boot if there are no certificates
>> available from a previous OpenWRT install. Then the user can setup the
>> WAN side if needed and upload (from local PC), generate (self-signed)
>> or acquire (e.g. Let's Encrypt) the certificates for Luci. After that,
>> the connection is switched to HTTPS and HTTP switched off.
>> 
>> The only issue I see, is how to transfer admin, WAN and WiFi passwords
>> at first boot in a secure way. Even though the user/admin should be
>> alone on the connection, sending those unencrypted over the line is
>> not desirable. Maybe those can be encrypted using client side 
>> javascript.
>> 
> For things with a USB port, a firstboot loader script that loads the ssh
> authorized key/root password from a USB drive, and/or an export script
> that, when there is a '.whoareyou' file touched in the USB drive, writes
> its ssh host key and its self-signed certificate into the USB drive? I
> think the latter can be part of a hotplug.d script.

Nice idea to be able to auto-load the config including key material. 
Might be very useful for larger installs.

>> The challenges IMHO are being able to safely retain previously
>> installed certificates over OpenWRT reflashes/upgrades and having user
>> friendly tools to get new certificates uploaded, generated or
>> acquired. For the latter part, some configurable service to
>> periodically download and install certificates from an external host
>> might be desirable (that's how I do it with my NAS boxes at home).


> for sysupgrade, like the save config option, add a new save-keys option
> that only saves the dropbear key and uhttpd certs?
>> 

Nice idea to save SSH server keys as well. That will avoid warnings when 
connecting to the new box (at the same IP) for the first time.
Obviously, one needs to be careful with plain text private keys and 
certs.

Cheers,

Bas.
>> 
>> _______________________________________________
>> openwrt-devel mailing list
>> openwrt-devel at lists.openwrt.org
>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
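As an added illustration of the '.whoareyou' export idea discussed above (example code written for this thread, not part of OpenWrt or of either poster's work), the sketch below is a POSIX sh handler of the kind a hotplug.d script could call once the drive is mounted. It exports only public identity material (the SSH host public key and the uhttpd certificate) and refuses anything that looks like a private key; the file names, the `openwrt-identity` output directory and the hotplug entry point are assumptions.

```sh
#!/bin/sh
# Added example (hypothetical handler, not OpenWrt code): copy a box's PUBLIC
# identity to a USB drive that carries a '.whoareyou' marker, so the admin can
# verify the SSH host key and the self-signed LuCI certificate out of band.
# Private keys (dropbear host key, /etc/uhttpd.key) never leave the device.

# is_public_only FILE: succeed only if FILE exists and does not look like a
# private key (by default OpenWrt path names or by PEM content).
is_public_only() {
    f="$1"
    [ -f "$f" ] || return 1
    case "$f" in *.key|*host_key) return 1 ;; esac
    if grep -q "PRIVATE KEY" "$f" 2>/dev/null; then return 1; fi
    return 0
}

# export_identity MOUNTPOINT PUBKEY_FILE CERT_FILE
# Returns 0 on success, 1 when no marker is present (nothing is written),
# 2 when a supplied file is missing or private, 3 on a write error.
export_identity() {
    mnt="$1"; pub="$2"; crt="$3"
    [ -f "$mnt/.whoareyou" ] || return 1
    is_public_only "$pub" && is_public_only "$crt" || return 2
    outdir="$mnt/openwrt-identity"
    mkdir -p "$outdir" || return 3
    cp "$pub" "$outdir/hostkey.pub" && cp "$crt" "$outdir/uhttpd.crt" || return 3
    # Receipt so the admin can tell which box answered and when.
    printf '%s %s\n' "$(uname -n)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        > "$outdir/exported-by" || return 3
    # Consume the marker: a later plug-in must be requested explicitly again.
    rm -f "$mnt/.whoareyou"
    return 0
}

# Under hotplug.d the caller would pass the mount point of the added block
# device, e.g. (assumed paths; the public key is derived from the host key):
#   export_identity "$MOUNTPOINT" /tmp/hostkey.pub /etc/uhttpd.crt
```

Retaining the private material itself across a sysupgrade is a separate concern (extra paths to keep can be listed in /etc/sysupgrade.conf); this handler deliberately only ever hands out the public halves.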
