[RFC] self-signed certificates for LuCI
Rosen Penev
rosenp at gmail.com
Sun Aug 30 04:08:31 EDT 2020
> On Aug 30, 2020, at 00:57, Paul Spooren <mail at aparcar.org> wrote:
>
> Hi team,
>
> I recently rewrote px5g[1] to use WolfSSL instead of MbedTLS, as the former will be included in OpenWrt 20.x by default.
>
> Both implementations support the generation of RSA and ECC keys, where uhttpd currently defaults to RSA with 2048 keys.
>
> The question came up if we really want RSA certificates for LuCI or if the faster and "more modern" ECC P-256 wouldn't be a better choice.
>
> If px5g is added to the next release, certificates are generated on first boot and most users are unlikely to manually recreate RSA ones, not?
>
> So the question, shouldn't we drop all crypto options from the new px5g implementation and _only_ offer P-256? Whoever wants something other than the default may use px5g-mbedtls or some OpenSSL-based tool?

I’m all for removing code.

>
> Best,
> Paul
>
> [1]: https://github.com/openwrt/openwrt/pull/3363
>