25.12.2 - How to install apk-openssl

pigeon35 · April 14, 2026, 4:53pm

Hello, just moved from 24.10.6 to 25.12.2 and the package manager is now apk.

I install the OpenSSL versions of packages and remove mbedtls / wolfssl. Which went ok until seeing there is apk-mbedtls installed, but apk-openssl available.

How can I replace apk-mbedtls with apk-openssl please?

I tried apk add apk-openssl but get the following output:

ERROR: unable to select packages:
apk-mbedtls-3.0.5-r3:
conflicts: apk-openssl-3.0.5-r3[apk=3.0.5-r3]
satisfies: world[apk-mbedtls]
apk-openssl-3.0.5-r3:
conflicts: apk-mbedtls-3.0.5-r3[apk=3.0.5-r3]
satisfies: world[apk-openssl]

Have been caught out in the past trying to figure it out on my own
For example, libustream, I download both the openssl and original mbedtls versions to /root/, so when I lose the ability to communicate with feeds after removing the mbed version, the opensssl package can be installed from local copy.

But not sure what the correct procedure for apk-openssl is. Tried Google and searching forum, but doesn’t look like many (any) do this, or figured it out.

Thank you!

ncompact · April 14, 2026, 7:13pm

Hi,

before trying to replace apk-mbedtls on a live system, I would strongly recommend taking a step back, as this can easily break your package manager and leave you without recovery options.

A couple of questions first:

What router / device are you using?
Do you have serial access available in case something goes wrong?

Since apk itself is linked against a specific TLS backend, switching from apk-mbedtls to apk-openssl is not just a package swap — it's effectively replacing a core system component.

A much safer and cleaner approach would be to build a custom image with the desired variants from the start using the Firmware Selector:
https://firmware-selector.openwrt.org/?version=25.12.2

There, you can replace the default packages:

apk-mbedtls → apk-openssl
wpad-basic-mbedtls → wpad-basic-openssl
libustream-mbedtls → libustream-openssl

(adjust depending on what your device includes by default)

This avoids conflicts with the "world" set and ensures everything is built consistently against OpenSSL.

Trying to switch these on a running system is possible, but risky — especially without serial access.

Curious what your setup is

pigeon35 · April 14, 2026, 8:51pm

Thanks for help! Am using x86 on a Dell 3050 micro. Installed on a usb stick which I “build” 95% on a VM on a PC using libvirt and Spreadsheet to compare source/target packages, restore the configs and then boot in the Dell router. I run custom packages of Crowdsec and GoCryptfs. Plus Exim MTA + Dovecot.
Been doing so for 5 years and while use ASU on a AP and WiFi Bridge, tend to stick to this manual process for the Router.

So everything on the Router is OpenSSL variants of packages…..but not Apk.

One of the reasons for running off USB stick, is ease of restoration when having done something daft

So can afford to be a bit daring if you think there might be a way to proceed without a full Firmware rebuild.

Happy to try something, can always dd the USB stick.

efahl · April 14, 2026, 9:35pm

(x86 is lovely for this sort of stuff, you can just thrash the hell out of things and recover in seconds.)

Maybe try

owut download --remove apk-mbedtls --add apk-openssl

and see what's in /tmp/firmware-manifest.json after the build completes...

Ok, I just gave it a roll and it seems like it should work fine (note that I did not make any attempt to remove the mbedtls libs like you did, hence their appearance here).

$ jsonfilter -i /tmp/firmware-manifest.json -e '$.manifest' | ./json_pp | grep -E 'apk|tls|ssl'
    "apk-openssl": "3.0.5-r3",
    "libmbedtls": "3.6.6-r1",
    "libopenssl": "3.5.6-r1",
    "libopenssl-conf": "3.5.6-r1",
    "libustream-mbedtls": "2026.03.01~99f1c0db-r1",
    "luci-ssl": "26.101.22673~0c81d2d",
    "openssl-util": "3.5.6-r1",
    "px5g-mbedtls": "11",

If you don't have a json_pp, here's a three-line ucode script:

#!/usr/bin/ucode -S
import { stdin } from "fs";
printf("%.4J\n", json(stdin.read("all")));

ncompact · April 15, 2026, 6:45am

Given your setup, I can see why you'd be tempted to try this live.

I’d still consider it a risky change, but if you do manage to switch apk over to OpenSSL cleanly without rebuilding, I’d be very interested in the details — especially how you handled dependencies and whether it remains stable.

Let us know how it goes.

Shine · April 15, 2026, 1:54pm

This is indeed a regression I noticed as well, while trying to upgrade my various automatic setup scripts from opkg to apk.

It wasn't easy before (with opkg) either, and involved pre-downloading the required pkgs, then installing from cache, but at least it was possible. Now, it appears it's not even possible anymore, to completely replace the SSL library at runtime.

pigeon35 · April 15, 2026, 8:45pm

Always the way, run out of time. I think I’ll just fire up the image on VM and then try a few things there first. Got a couple of (likely terrible) ideas, but can’t do any harm

Cheers all. Will report back (from the 58th restore from backup lol).

efahl · April 16, 2026, 12:22am

Maybe you can get apk to do it by just changing the world and fixing things...

$ vi /etc/apk/world
-- change 'apk-mbedtls' to 'apk-openssl' --

$ apk fix --simulate  # drop --simulate to actually do it...
(1/3) Purging apk-mbedtls (3.0.5-r3)
(2/3) Purging libmbedtls21 (3.6.5-r1)
(3/3) Installing apk-openssl (3.0.5-r3)
OK: 67.0 MiB in 280 packages

(The owut upgrade with swapping the packages is the easiest solution, I finally recalled that I did it a bunch back when we first got apk in snapshots like a year and a half ago, to make sure it did in fact work.)

Shine · April 17, 2026, 2:35pm

Thanks, that did the trick. This works:

sed -i s/^apk-mbedtls$/apk-openssl/ /etc/apk/world
apk fix
sed -i s/^luci-ssl$/luci-ssl-openssl/ /etc/apk/world
apk fix
apk del libustream-mbedtls* px5g-mbedtls libmbedtls* wpad-basic-mbedtls
apk add wpad-basic-openssl

Edit: See below for even shorter version.

efahl · April 17, 2026, 5:58pm

I'll bet you could consolidate that into a single update on the world file, followed by a single apk fix, since apk has a really smart solver. (The apk del/add commands are just doing exactly that, edit the world and launch a fix...)

If you're curious and want to see if there's any extra junk in your /etc/apk/world file, I've got a little scanner you can run https://github.com/efahl/tools/blob/main/src/world-cleaner.uc

$ ./world-cleaner.uc --why
Remove: firewall4
  Required by: adblock

Shine · April 17, 2026, 7:19pm

sed -i "s/^apk-mbedtls$/apk-openssl/;s/^luci-ssl$/luci-ssl-openssl/;s/^wpad-basic-mbedtls$/wpad-basic-openssl/" /etc/apk/world
apk fix
apk del libustream-mbedtls* px5g-mbedtls libmbedtls*

Alternatively, but a little more dangerous, shorten last line to apk del -r libmbedtls*.

Should be shortest. Removing libmbedtls/libustream-mbedtls too early would cause wget (invoked by apk) to fail due to missing TLS support.

Thanks for the little insight into apk, not really familiar with it.

efahl · April 17, 2026, 7:47pm

Yeah, apk takes a bit of getting used to as it is very different than traditional package managers, it's more of a database constraint manager that has side effects may cause packages to be installed or removed...

Although much of it is Alpine-specific, I've been recommending this as a pretty good read for background: https://whynothugo.nl/journal/2023/02/18/in-praise-of-alpine-and-apk/