Activate https server support in 21.02 by default

Hauke Mehrtens hauke at hauke-m.de
Sun May 16 06:16:02 PDT 2021


On 5/16/21 2:30 AM, Fernando Frediani wrote:
> On 15/05/2021 18:57, Alberto Bursi wrote:
>> <clip>
>>
>> If HTTPS is still optional it makes no sense to treat it 
>> differently from all other optional packages.
>> The only moment it should be included by default is when it becomes 
>> mandatory, and the HTTP interface is disabled.
> 
> Maybe you are right here.
> 
> Fernando
>>
>> -Alberto

Hi,

Adding CONFIG_PACKAGE_luci-ssl to the image will add less than 10 KBytes 
to the image, my initramfs image for an ath79 got 2.2 KBytes bigger. 
This is about 0.05% of the image. We already include a full TLS library 
and use it for WPA3 and HTTPS downloads.
Probably some extra size is used by the X.509 certificate we generate at 
first boot and store on flash.

With the current approach we would offer the web page under 
http://192.168.1.1 and https://192.168.1.1 by default, the user can 
choose what he would like to use. The http version will not forward to 
the https version. https is not deactivated by default, but the user can 
choose which URL he uses in his browser.

The certificates are not signed by a certificate authority, so the 
browser will not trust them by default, but this already protects the 
users from an attacker passively listening on the connection between the 
browser and the OpenWrt device. The comparison with telnet and ssh is 
pretty good. For SSH we "waste" a lot more memory.

I am for activating it, if you do not want to use it, you can build a 
custom image with the image builder without luci-ssl and px5g-wolfssl.

Hauke