On 30.08.20 12:32, Michael Richardson wrote:
Paul Spooren <[email protected]> wrote:
> I recently rewrote px5g[1] to use WolfSSL instead of MbedTLS, as the
former
> will be included in OpenWrt 20.x per default.
> Both implementations support the generation of RSA and ECC keys, where
uhttpd
> currently defaults to RSA with 2048 keys.
> The question came up if we really want RSA certificates for LuCI or if
the
> faster and "more modern" ECC P-256 wouldn't be a better choice.
Yes, it would be better.
> If px5g is added to the next release, certificates are generated on first
> boot and most users are unlikely to manually recreate RSA ones, not?
But, this will result in a security warning for a self-signed key, and then
we'd be training users to click through them.
I am divided on whether this is better or worse than unencrypted.
browsers are making doing that security exception more and more difficult,
with the desire to eliminating it entirely.
I think we should write a bit of documentation explaining that a cert
should be accepted only once or a router reset is required. That seems
more save than sticking to unencrypted connections. If browsers decide
to block self-signed certs, most UBNT devices will break, too.
I have running code that deploys LetsEncrypt certificates to devices in the
"factory". This requires a DNS name for dns-01 challenge.
That's clearly not feasible for random end-users who flash openwrt on their own.
I would like to explore some additional options here.
Mind sharing this code? Me (and Daniel) had the same idea, so some ACME
support for px5g would be interesting.
> So the question, shouldn't we drop all crypto options from the new px5g
> implementation and _only_ offer P-256? Whoever wants something else than
the
> default may use px5g-mbedtls or some OpenSSL based tool?
uhm, okay. I can live with that for sure.
I care more about what's in the certificate than the algorithm.
Fair, however this question is about the algorithm :)
Paul
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
