On 5/16/21 2:30 AM, Fernando Frediani wrote:
On 15/05/2021 18:57, Alberto Bursi wrote:<clip>If HTTPS is still an optional it makes no sense to treat it differently from all other optional packages. The only moment it should be included by default is when it becomes mandatory, and the HTTP interface is disabled.Maybe you are right here. Fernando-Alberto
Hi,Adding CONFIG_PACKAGE_luci-ssl to the image will add less then 10 KBytes to the image, my initramfs image for an ath79 got 2.2 KBytes bigger. This is about 0.05% of the image. We already include a full TLS library and use it for WPA3 and HTTPS downloads. Probably some extra size if used by the X.509 certificate we generate at first boot and store on flash.
With the current approach we would offer the web page under http://192.168.1.1 and https://192.168.1.1 by default, the user can choose what he would like o use. The http version will not forward to the https version. https is not deactivated by default, but the user can choose which url he uses in his browser.
The certificates are not signed by a certificate authority, so the browser will not trust them by default, but this already protects the users from a attacker passively listening on the connection between the browser and the OpenWrt device. The comparison with telnet and ssh is pretty good. For SSH we "waste" a lot more memory.
I am for activating it, if you do not want to use it, you can build a custom image with the image builder without luci-ssl and px5g-wolfssl.
Hauke
OpenPGP_0x93DD20630910B515.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/mailman/listinfo/openwrt-devel
