On 8/30/20 9:57 AM, Paul Spooren wrote:
> Hi team,
>
> I recently rewrote px5g[1] to use WolfSSL instead of MbedTLS, as the
> former will be included in OpenWrt 20.x per default.
>
> Both implementations support the generation of RSA and ECC keys, where
> uhttpd currently defaults to RSA with 2048 keys.
>
> The question came up if we really want RSA certificates for LuCI or if
> the faster and "more modern" ECC P-256 wouldn't be a better choice.
>
> If px5g is added to the next release, certificates are generated on
> first boot and most users are unlikely to manually recreate RSA ones, not?
>
> So the question, shouldn't we drop all crypto options from the new px5g
> implementation and _only_ offer P-256? Whoever wants something else than
> the default may use px5g-mbedtls or some OpenSSL based tool?
I would suggest to use ECC P-256 for new certificates by default. If the user selects RSA we should create an RSA certificate. If there is already a certificate, like in an OpenWrt sysupgrade, we should continue using that.

The best option would be to generate 2 certificates and let the SSL implementation select if it should use RSA or ECC for each connection based on the browser capabilities.

All modern browsers support ECC certificates on the P-256 curve and using them is faster on low end CPUs like most of our MIPS SoCs. Opening a TLS connection took me about 1 second with RSA 2048 and mbedtls on a MIPS 24k CPU, I think ECC on the P-256 curve was about 0.3 seconds. I measured these numbers about 2 years ago and could have forgotten some of them. OpenSSL was significantly faster than mbedtls on these MIPS CPUs, I did not check wolfssl.

Chrome opens 5 connections in parallel, but we use the TLS cache of mbedtls now.

If some people use this webserver not to access it with a more or less modern browser but with some other system, these users could run into problems with ECC.

Hauke
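The policy discussed in both messages above (P-256 as the default, RSA only when explicitly chosen, and an existing certificate kept across a sysupgrade) can be shown end to end with the OpenSSL command-line tool. This is an added example, not code from the thread, px5g, uhttpd, WolfSSL or mbedTLS; the subject `/CN=OpenWrt`, the 10-year validity and the output paths are constructed values, and `gen_cert`, `cert_key_type` and `ensure_cert` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: self-signed certificate generation with the OpenSSL CLI,
# defaulting to ECC P-256 and offering RSA-2048 as an explicit opt-in.
# Subject, validity and paths are constructed values for illustration.
set -e

# gen_cert TYPE DIR -> writes DIR/key.pem and DIR/cert.pem
# TYPE is "ec" (P-256, the suggested default) or "rsa" (2048 bit, opt-in)
gen_cert() {
    type="$1"; dir="$2"
    mkdir -p "$dir"
    case "$type" in
        ec)
            # OpenSSL names the NIST P-256 curve prime256v1
            openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem"
            ;;
        rsa)
            openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
                -out "$dir/key.pem" 2>/dev/null
            ;;
        *)
            echo "unknown key type: $type" >&2
            return 1
            ;;
    esac
    # Self-signed certificate for the freshly generated key
    openssl req -x509 -new -key "$dir/key.pem" -days 3650 \
        -subj "/CN=OpenWrt" -out "$dir/cert.pem" 2>/dev/null
}

# cert_key_type CERT -> prints the public key algorithm of the certificate
# ("id-ecPublicKey" for ECC, "rsaEncryption" for RSA)
cert_key_type() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p'
}

# ensure_cert TYPE DIR -> only generate when no key/certificate pair exists,
# mirroring "keep the existing certificate across a sysupgrade"
ensure_cert() {
    if [ -s "$2/cert.pem" ] && [ -s "$2/key.pem" ]; then
        echo "kept"
    else
        gen_cert "$1" "$2"
        echo "generated"
    fi
}

# Usage: first boot generates a P-256 certificate, a second call keeps it
# ensure_cert ec /tmp/example-certs
# cert_key_type /tmp/example-certs/cert.pem   # id-ecPublicKey
```

The `cert_key_type` check is the kind of inspection a user would run to confirm which key type the web server is actually presenting; the same `openssl x509 -text` output also lists the curve (`NIST CURVE: P-256`) for ECC certificates.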
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
