Activate https server support in 21.02 by default

Perry isprotejesvalkata at gmail.com
Fri Sep 17 05:07:14 PDT 2021


Hi all,

This issue has come up recently in the Freifunk-Berlin community.  We
have brainstormed a little bit and came up with a suggestion.

Would it be possible to have all the headers in the themes to contain a
link to https (iff the correct packages are installed)?  A bonus would
be a nice mouse-over explaining to the user about the "potential secure
risk ahead" with regards to the certificate.

Greets,
Perry

On 5/17/21 4:48 PM, Fernando Frediani wrote:
> Seems good to me.
> The main question is: most home users will require it? I don't think
> so. But there may be others that may do, so as long as http does not
> forward to https seems a good approach so those who want can
> deliberately use https.
> I think as it stands now forcing https only would be a mistake.
> 
> For those who don't want to use it, they may build a custom image; it
> should really be the other way round, since we are talking about something
> not essential. But as mentioned, if there is no space consumption impact
> and no forced forwarding, it seems a good approach in my view.
> 
> Fernando
> 
> On 16/05/2021 10:16, Hauke Mehrtens wrote:
>> <clip>
>> Hi,
>>
>> Adding CONFIG_PACKAGE_luci-ssl to the image will add less than 10
>> KBytes to the image, my initramfs image for an ath79 got 2.2 KBytes
>> bigger. This is about 0.05% of the image. We already include a full
>> TLS library and use it for WPA3 and HTTPS downloads.
>> Probably some extra size is used by the X.509 certificate we generate
>> at first boot and store on flash.
>>
>> With the current approach we would offer the web page under
>> http://192.168.1.1 and https://192.168.1.1 by default, the user can
>> choose what he would like to use. The http version will not forward to
>> the https version. https is not deactivated by default, but the user
>> can choose which url he uses in his browser.
>>
>> The certificates are not signed by a certificate authority, so the
>> browser will not trust them by default, but this already protects the
>> users from an attacker passively listening on the connection between
>> the browser and the OpenWrt device. The comparison with telnet and ssh
>> is pretty good. For SSH we "waste" a lot more memory.
>>
>> I am for activating it, if you do not want to use it, you can build a
>> custom image with the image builder without luci-ssl and px5g-wolfssl.
>>
>> Hauke
> 
> 
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
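The thread above leaves one practical step implicit: a self-signed certificate only protects against an active attacker once the user has checked that the certificate the browser shows is the one the router actually generated, the same way an SSH host key is checked out of band on first use. The following script is an added example written for this page; it is not code from the thread, from OpenWrt or from LuCI. It assumes the router stores its first-boot certificate at /etc/uhttpd.crt (the path uhttpd is normally configured with; verify it in /etc/config/uhttpd) and that the user can read that file over SSH or scp. The embedded PEM is a constructed placeholder, not a real certificate, so the fingerprint arithmetic can be run offline; the fetch_device_cert helper is the only part that needs the live device.

```python
import base64
import hashlib
import hmac
import ssl

# Where uhttpd normally keeps the certificate generated at first boot.
# Assumption for this example; confirm with `uci get uhttpd.main.cert`.
DEVICE_CERT_PATH = "/etc/uhttpd.crt"

# Constructed placeholder standing in for the DER-encoded certificate. It is
# NOT a real X.509 structure: the fingerprint a browser displays is simply
# SHA-256 over the DER bytes, so the procedure runs without a real device.
SAMPLE_DER = b"constructed placeholder, not a real X.509 DER certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    lines = [line.strip() for line in pem.splitlines()]
    try:
        start = lines.index("-----BEGIN CERTIFICATE-----")
        end = lines.index("-----END CERTIFICATE-----", start)
    except ValueError:
        raise ValueError("no PEM CERTIFICATE block found") from None
    body = "".join(lines[start + 1:end])
    return base64.b64decode(body, validate=True)


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 over the DER bytes, as colon-separated uppercase hex pairs,
    which is the format browsers show in the certificate viewer."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> str:
    """Reduce 'AA:BB', 'aa bb', 'AABB' and similar to bare uppercase hex."""
    return "".join(ch for ch in text.upper() if ch in "0123456789ABCDEF")


def fingerprints_match(expected: str, shown: str) -> bool:
    """Compare two fingerprints regardless of separator or case.

    A truncated or empty value must never count as a match, so both sides
    have to be a full 32-byte (64 hex digit) SHA-256 before comparing.
    """
    a = normalize_fingerprint(expected)
    b = normalize_fingerprint(shown)
    return len(a) == 64 and len(b) == 64 and hmac.compare_digest(a, b)


def fetch_device_cert(host: str, port: int = 443) -> str:
    """Download the PEM certificate the router presents on its HTTPS port.

    Chain verification is skipped on purpose: the router's certificate is
    self-signed, so a CA check would always fail. This is the trust-on-first-
    use side; its fingerprint must be compared with the one computed from the
    file read over SSH. Needs network access; not used by the offline demo.
    """
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    # Offline demonstration with the constructed certificate above.
    reference = fingerprint_sha256(pem_to_der(SAMPLE_PEM))
    print("SHA-256 fingerprint of the router certificate:", reference)
    # What a user might paste from the browser's certificate dialog.
    pasted = reference.lower().replace(":", " ")
    print("matches value shown by the browser:", fingerprints_match(reference, pasted))
```

In practice the reference value comes from the device itself, for example by copying /etc/uhttpd.crt with scp over the already-trusted SSH connection and feeding it to pem_to_der and fingerprint_sha256 (or by running `openssl x509 -in /etc/uhttpd.crt -noout -fingerprint -sha256` directly on a device that has the openssl utility installed), and the second value is read from the browser's certificate warning. Only after the two agree does it make sense to accept the browser's exception for https://192.168.1.1; before that, the self-signed certificate defends against the passive listener Hauke describes but not against someone answering in the router's place.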


