Activate https server support in 21.02 by default

Fernando Frediani fhfrediani at gmail.com
Mon May 17 07:48:40 PDT 2021


Seems good to me.
The main question is: most home users will require it ? I don't think 
so. But there may be others that may do, so as long http does not 
forward to https seems a good approach so those who want can 
deliberately use https.
I think as it stands now forcing https only would be a mistake.

For those who don't want to use may build a custom image it should 
really be the other way round since we are talking about something not 
essential. But as mentioned if there is not space consumption impact and 
not forcibly forward it seems a good approach in my view.

Fernando

On 16/05/2021 10:16, Hauke Mehrtens wrote:
> <clip>
> Hi,
>
> Adding CONFIG_PACKAGE_luci-ssl to the image will add less then 10 
> KBytes to the image, my initramfs image for an ath79 got 2.2 KBytes 
> bigger. This is about 0.05% of the image. We already include a full 
> TLS library and use it for WPA3 and HTTPS downloads.
> Probably some extra size if used by the X.509 certificate we generate 
> at first boot and store on flash.
>
> With the current approach we would offer the web page under 
> http://192.168.1.1 and https://192.168.1.1 by default, the user can 
> choose what he would like o use. The http version will not forward to 
> the https version. https is not deactivated by default, but the user 
> can choose which url he uses in his browser.
>
> The certificates are not signed by a certificate authority, so the 
> browser will not trust them by default, but this already protects the 
> users from a attacker passively listening on the connection between 
> the browser and the OpenWrt device. The comparison with telnet and ssh 
> is pretty good. For SSH we "waste" a lot more memory.
>
> I am for activating it, if you do not want to use it, you can build a 
> custom image with the image builder without luci-ssl and px5g-wolfssl.
>
> Hauke




More information about the openwrt-devel mailing list