[SOLVED] TLS 1.3 for webui?

I have asked about this before and the answer was that I need OpenSSL 1.1.1, which was not the installed version at that time.

Now in 19.07 it is installed.
So how do I get uhttpd to use only TLS 1.3,
so that when I open the webui in Firefox I get TLS 1.3 and not TLS 1.2?

There are probably 2 ways to go about it:

  • via the cert generator provided through UCI/LuCI (luci-app-uhttpd)
  • manual cert generation through userland

The former seems to support only the RSA signature algorithm but not EdDSA or ECDSA; at least I could not get it to work. Cert generation settings are in the config cert section of /etc/config/uhttpd

In FX it shows as

ECDSA appears to be supported though (not documented, and not exposed through luci-app-uhttpd either)

option key_type 'ec'

For EdDSA I tried option key_type 'ed' but that fell back to RSA, so it does not seem to be supported.

I have put this as an option:

config cert 'defaults'
        option days '730'
        option country 'ZZ'
        option state 'Somewhere'
        option location 'Unknown'
        option commonname 'openwrt'
        option key_type ec

but this just creates an https cert and doesn't change the TLS version to 1.3; it is still only 1.2.
I don't think using a changed cert makes a web server use TLS 1.3?

For example, on desktop I have to specify the TLS version for nginx,
but I don't see anything like that for uhttpd.

I get this.

Is this because uhttpd depends on mbedtls and not openssl?
Never mind, I got it.

I had to use luci-ssl-openssl and remove libustream-mbedtls20150806 and luci-ssl.
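An added check, not from the thread, to confirm what the router's uhttpd actually negotiates after switching the ustream-ssl backend. It assumes an `openssl` client that supports `-tls1_3` (1.1.1 or newer) and takes the router host and port as arguments; the package-listing step only works on the router itself.

```shell
#!/bin/sh
# Added example, not from the thread: probe which TLS versions an OpenWrt
# router's uhttpd actually negotiates. Assumes `openssl` (1.1.1 or newer,
# so -tls1_3 exists) on the machine running the check; host and port are
# assumptions passed on the command line, e.g.  sh tlscheck.sh 192.168.1.1 443

# Pull the negotiated protocol out of `openssl s_client` output (stdin).
# Prints e.g. "TLSv1.3", or "none" when no TLS session was established
# (for a version-restricted probe, "none" means the server refused it).
parse_protocol() {
    proto=$(sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1)
    if [ -n "$proto" ]; then
        printf '%s\n' "$proto"
    else
        printf 'none\n'
    fi
}

# Probe one version: $1 host, $2 port, $3 an s_client flag such as -tls1_3.
probe_version() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>/dev/null | parse_protocol
}

main() {
    host="$1"
    port="${2:-443}"
    # On the router itself, show which ustream-ssl backend uhttpd is using
    # (mbedtls vs openssl); opkg only exists on OpenWrt.
    if command -v opkg >/dev/null 2>&1; then
        echo "installed ustream-ssl backend(s):"
        opkg list-installed | grep -i 'ustream' || echo "  (none found)"
    fi
    # If the 1.2 probe still reports TLSv1.2, the server accepts both
    # versions; Firefox then picks the highest one it shares with the server.
    echo "TLS 1.3 probe: $(probe_version "$host" "$port" -tls1_3)"
    echo "TLS 1.2 probe: $(probe_version "$host" "$port" -tls1_2)"
}

# Only run the probes when a host was given, so the helper functions can be
# sourced on their own.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```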
