> On Jul 26, 2020, at 10:19 AM, Hauke Mehrtens <[email protected]> wrote:
>
> On 7/24/20 4:29 PM, Petr Štetiar wrote:
>> Hi,
>>
>> it has been discussed several times and some of the core developers would like to
>> include SSL/TLS and WPA3-Personal/SAE support in the next release as we've
>> dropped support for 4/32M devices officially with 19.07 and it's time to move
>> on and improve the default security features in official images.
>>
>> wolfSSL and mbed TLS were pre-selected as possible crypto libraries due to the
>> size. mbed TLS currently lacks support in hostapd so I went with wolfSSL for
>> the start.
>>
>> In order to keep the size as small as possible I've created
>> `wpad-basic-wolfssl` variant of currently shipped `wpad-basic` package which
>> just adds support for SAE.
>>
>> I've tested the patchset on my Rambutan board with `sae` and `sae-mixed`
>> encryption settings against my Android 10 phone and installed random package
>> with opkg over HTTPS.
>>
>> Size comparison of openwrt-ath79-nand-8dev_rambutan-squashfs-factory.bin:
>>
>> 5373952 bytes for wolfSSL enabled image
>> 5111808 bytes for current image as of r13926-f94b09867d
>> -------
>>  262144 bytes is difference
>>
>> I think that those numbers are not that bad if you consider that the
>> following patchset adds ca-certificates, libustream-wolfssl, libwolfssl and
>> wpad-basic-wolfssl into default packages.
>>
>> Cheers,
>>
>> Petr
>>
>> Petr Štetiar (3):
>>   hostapd: add wpad-basic-wolfssl variant
>>   treewide: use wpad-basic-wolfssl as default
>>   treewide: switch to HTTPS by default
>
> This looks good to me.
>
> How stable is the ABI of wolfssl?
>
> We probably have to update it to new versions in the lifetime and then
> it would be nice if we only have to update the wolfssl package.
>
> Is this also enough to make LUCI work with https when just luci is
> activated?

Note that wolfSSL only exposes TLS 1.2 and 1.3 by default. 1.1 and below are compile time disabled.
Probably not too big of a problem by now.

> Hauke
>
> _______________________________________________
> openwrt-devel mailing list
> [email protected]
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
