Paul Spooren <m...@aparcar.org> wrote:
> I recently rewrote px5g[1] to use WolfSSL instead of MbedTLS, as the former
> will be included in OpenWrt 20.x per default.
> Both implementations support the generation of RSA and ECC keys, where uhttpd
> currently defaults to RSA with 2048 keys.
> The question came up if we really want RSA certificates for LuCI or if the
> faster and "more modern" ECC P-256 wouldn't be a better choice.

Yes, it would be better.

> If px5g is added to the next release, certificates are generated on first
> boot and most users are unlikely to manually recreate RSA ones, not?

But, this will result in a security warning for a self-signed key, and then
we'd be training users to click through them. I am divided on whether this
is better or worse than unencrypted.

Browsers are making doing that security exception more and more difficult,
with the desire to eliminate it entirely.

I have running code that deploys LetsEncrypt certificates to devices in the
"factory". This requires a DNS name for the dns-01 challenge. That's clearly
not feasible for random end-users who flash OpenWrt on their own.

I would like to explore some additional options here.

> So the question, shouldn't we drop all crypto options from the new px5g
> implementation and _only_ offer P-256? Whoever wants something else than the
> default may use px5g-mbedtls or some OpenSSL based tool?

Uhm, okay. I can live with that for sure. I care more about what's in the
certificate than the algorithm.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
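What a P-256-only first-boot certificate generator looks like, written here as an added Go example rather than px5g's own code: it generates a P-256 key, self-signs a server certificate for it, and then checks the two things the thread cares about, what is in the certificate (algorithm, key size, SANs) and what a browser still enforces after the user has clicked through the self-signed warning (the hostname must match a SAN even when the certificate itself is the only trusted root). The hostname "openwrt.lan", the 10-year lifetime and the function names Generate, Inspect and VerifyAsPinnedRoot are assumptions for this example, not values from the thread or from px5g.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertInfo holds the fields a reviewer checks in a generated certificate.
type CertInfo struct {
	PublicKeyAlgorithm, SignatureAlgorithm string
	KeyBits                                int
	DNSNames                               []string
}

// Generate makes a P-256 key and a self-signed server certificate for it, both
// PEM-encoded. The SANs and lifetime are the parts a browser keeps checking
// once the self-signed exception has been accepted, so they are parameters.
func Generate(cn string, dnsNames []string, days int) (certPEM, keyPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"OpenWrt"}},
		NotBefore:             now.Add(-time.Hour), // tolerate a router clock that is slightly behind
		NotAfter:              now.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature, // ECDSA keys never assert KeyEncipherment
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // explicitly a leaf, not a CA
		DNSNames:              dnsNames,
	}
	// Using the template as its own parent is what makes it self-signed; Go picks ECDSA-with-SHA256.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), nil
}

func parse(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// Inspect reports the algorithm and name fields of a PEM certificate.
func Inspect(certPEM []byte) (CertInfo, error) {
	cert, err := parse(certPEM)
	if err != nil {
		return CertInfo{}, err
	}
	info := CertInfo{PublicKeyAlgorithm: cert.PublicKeyAlgorithm.String(),
		SignatureAlgorithm: cert.SignatureAlgorithm.String(), DNSNames: cert.DNSNames}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); ok {
		info.KeyBits = pub.Curve.Params().BitSize
	}
	return info, nil
}

// VerifyAsPinnedRoot mimics a browser after the self-signed exception has been accepted:
// the certificate is the only trusted root, but the hostname must still match one of its SANs.
func VerifyAsPinnedRoot(certPEM []byte, host string) error {
	cert, err := parse(certPEM)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	// "openwrt.lan" is an assumed router hostname for this example, not a value from the thread.
	certPEM, _, err := Generate("OpenWrt", []string{"openwrt.lan"}, 3650)
	if err != nil {
		panic(err)
	}
	info, _ := Inspect(certPEM)
	fmt.Printf("%+v\n", info)
	fmt.Println("pinned, matching host:", VerifyAsPinnedRoot(certPEM, "openwrt.lan"))
	fmt.Println("pinned, other host:   ", VerifyAsPinnedRoot(certPEM, "router.example"))
}
```

The second VerifyAsPinnedRoot call fails with a hostname error even though the certificate is pinned as a root, which is the practical reason the SAN list matters more than the key algorithm: a certificate generated on first boot without the names the user will actually browse to keeps producing warnings no matter which curve signed it.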