TLS 1.3 for uhttpd HTTPS

I have installed the https package for LuCI and it seems to have installed some keys (I am not good with all the bits and pieces of HTTPS).
Using the HTTPS port shows an untrusted certificate, which is normal, and I add an exception.
But when I check the protocol it is TLS 1.2 and uses RSA.
Is there any way to change to TLS 1.3, and TLS 1.3 only, and also ECDSA?
Is this hardcoded in the HTTPS part of LuCI?
Can I change this somehow?

You need OpenSSL 1.1.1 at least, which is in OpenWrt 19.07 or Snapshot:

LuCI itself has no part in HTTPS/SSL. Neither has uhttpd any role in the actual encryption. It only knows if a compatible encryption library is found in the router via "libustream-X" wrapper for various SSL libraries.

It is all handled by the individual SSL libraries like openssl, mbedtls, wolfssl. These define the available options in their compile-time options.

EDIT:
One recent addition in master and 19.07:
you can specify ECDSA instead of RSA for the self-signed key generation.

In the first part about libustream-X, the key is created automatically and has no config for me to set.
Shouldn't there be a text config for maybe city/country and org info for the certificate at least? Or am I missing something?

The second part: is the config for the 19 branch in the LuCI config? luci-app-uhttpd?
And why only RSA vs ECDSA and not key length, for example?

You are missing /etc/config/uhttpd (you have access to the same options via luci's /cgi-bin/luci/admin/services/uhttpd).
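To see what the current setting actually produces on the wire, here is an added helper (not from the thread or from OpenWrt) that audits a handshake summary such as `openssl s_client -connect <router>:443 </dev/null` prints, and reports whether the endpoint already negotiates TLS 1.3 with an ECDSA certificate or is still on TLS 1.2 with an RSA key. The two transcripts embedded in it are constructed for the example; the router address in the comments is a placeholder.

```sh
#!/bin/sh
# Added example: audit an openssl s_client handshake summary for the two
# properties asked about in the thread (TLS 1.3 negotiated, ECDSA certificate).
#
# Live input would come from (address is a placeholder):
#   openssl s_client -connect 192.168.1.1:443 </dev/null 2>/dev/null | audit_handshake
#
# The transcripts below are constructed for this example and contain only
# the lines the audit looks at.

SAMPLE_BEFORE='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol  : TLSv1.2
Cipher    : ECDHE-RSA-AES256-GCM-SHA384
Peer signing digest: SHA256
Peer signature type: RSA-PSS'

SAMPLE_AFTER='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol  : TLSv1.3
Cipher    : TLS_AES_256_GCM_SHA384
Peer signing digest: SHA256
Peer signature type: ECDSA'

# field LABEL: print the value following "LABEL :" (any spacing) from the
# transcript on stdin; first match only.
field() {
  sed -n "s/^ *$1 *: *//p" | head -n 1
}

# audit_handshake: read a transcript on stdin, print one finding per line.
# Returns 0 when TLS 1.3 and an ECDSA peer signature are both present,
# 1 when either is missing or different.
audit_handshake() {
  transcript=$(cat)
  proto=$(printf '%s\n' "$transcript" | field 'Protocol')
  sigtype=$(printf '%s\n' "$transcript" | field 'Peer signature type')
  rc=0
  case "$proto" in
    TLSv1.3) echo "OK   protocol $proto" ;;
    '')      echo "WARN no Protocol line found in transcript"; rc=1 ;;
    *)       echo "WARN protocol $proto (TLS 1.3 needs OpenSSL 1.1.1 or newer on the router)"; rc=1 ;;
  esac
  case "$sigtype" in
    ECDSA*)  echo "OK   certificate signature type $sigtype" ;;
    '')      echo "WARN no 'Peer signature type' line found in transcript"; rc=1 ;;
    *)       echo "WARN certificate signature type $sigtype; regenerate the self-signed cert with an EC key"; rc=1 ;;
  esac
  return $rc
}

# Run both constructed transcripts so the script shows output when executed directly.
echo '--- constructed transcript: TLS 1.2 / RSA ---'
printf '%s\n' "$SAMPLE_BEFORE" | audit_handshake || true
echo '--- constructed transcript: TLS 1.3 / ECDSA ---'
printf '%s\n' "$SAMPLE_AFTER" | audit_handshake || true
```

The protocol finding depends on the SSL backend the router's libustream wrapper is built against, which is why the thread points at OpenSSL 1.1.1 rather than at a uhttpd setting. The key-type finding depends on how the self-signed certificate was generated; the `cert` section of /etc/config/uhttpd is where the key parameters from the wiki page live, and the EC-versus-RSA choice mentioned above for 19.07 is made there too (its exact option name is not given in this thread, so check the uhttpd init script on your build).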

Oh.
I saw this now:
https://openwrt.org/docs/guide-user/services/webserver/uhttpd
and it has settings for key size and so on.

But it is still missing the RSA/ECDSA flip option, and it also doesn't have an option for setting a minimum TLS version or something similar.

Thank you.
I will now check it out myself.
BTW, on an unrelated note, does OpenWrt use GitHub for bugs (either packages or the base system) or is it somewhere else?

https://openwrt.org/bugs