I'm adding support to create EC curves with px5g, and changing uhttpd to use it, adding two config options: key_type and ec_curve.

* key_type should be set to either 'ec' or 'rsa'. In practice, it will silently use 'rsa' unless its value is 'ec'.
* ec_curve takes an elliptic curve name, which should match one of the certificate generator's TLS library's names. Unfortunately, they don't necessarily match between px5g (mbedtls) and openssl. Short names P-256 and P-384 were added to px5g to have a uniform set, and are guaranteed to work. P-521 is there too, but mbedtls is currently built without it.

Right now the ciphersuites used with EC keys are stronger than with RSA keys, and I'm sending a patch to widen that gap further. That way you can use the key type to choose the level of strength vs. broad compatibility you wish to use. A P-256 EC key offers a strength equivalent to a 3072-bit RSA key, and is generated much faster than even a 2048-bit RSA key.

uhttpd currently generates a 2048-bit RSA key by default, and that has not been changed.

Eneas U de Queiroz (3):
  openssl: always build with EC support
  px5g: support EC keys
  uhttpd: add support to generate EC keys

 package/libs/openssl/Config.in                  | 12 ---
 package/libs/openssl/Makefile                   |  9 +-
 package/network/services/uhttpd/Makefile        |  2 +-
 .../services/uhttpd/files/uhttpd.config         |  8 ++
 .../network/services/uhttpd/files/uhttpd.init   |  6 +-
 package/utils/px5g/Makefile                     |  4 +-
 package/utils/px5g/px5g.c                       | 86 +++++++++++++++----
 7 files changed, 87 insertions(+), 40 deletions(-)

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
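An added example (not part of this series or of the uhttpd project's own files) of how the two new options described above would sit in /etc/config/uhttpd: only key_type and ec_curve come from this series; the section names and the other options are assumed from the stock uhttpd config.

```uci
# /etc/config/uhttpd (constructed example; section layout assumed from stock uhttpd)
config uhttpd main
	option listen_http '0.0.0.0:80'
	option listen_https '0.0.0.0:443'
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'

# Defaults used by the init script when it generates the self-signed certificate.
config cert defaults
	option days '730'
	# Anything other than 'ec' (including a typo) silently falls back to an RSA key,
	# so check this value after editing rather than relying on an error.
	option key_type 'ec'
	# Use one of the px5g short names; P-256 and P-384 are guaranteed to work.
	# P-521 is accepted by px5g, but the current mbedtls build does not include it.
	option ec_curve 'P-256'
	# Only used for the RSA fallback; the default RSA size is unchanged at 2048 bits.
	option bits '2048'
```

The init script only generates a certificate when the configured cert/key files are missing, so an existing RSA pair has to be removed (rm /etc/uhttpd.crt /etc/uhttpd.key) and uhttpd restarted before the EC settings take effect.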