What are everyone's thoughts on OpenSSL?

So currently OpenWrt by default uses WolfSSL as the SSL library. However, what I've noticed is that WolfSSL generally has less support for different cryptographic algorithms. That means that some things are flat out not supported, such as Argon2 and scrypt. I also know that OpenSSL seems to be required for WPA3.

When developing for OpenWrt, should I depend on WolfSSL or OpenSSL? I know that OpenSSL is much bigger in size, but it also has support for Argon2, which would help with security. On the other hand, WolfSSL is the default, but it only supports PBKDF2, which is a weaker hash since it doesn't need much memory.

I thought we switched to mbedtls back in 22.03 or thereabouts? What version of OpenWrt are you running?

2 Likes

I'm a newbie; but my new install shows libopenssl:

Sat May 24 01:35:21 UTC 2025
root@OpenWrt:/mnt/ssd/log# ubus call system board
{
	"kernel": "6.6.86",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "OpenWrt One",
	"board_name": "openwrt,one",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.1",
		"revision": "r28597-0425664679",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.1 r28597-0425664679",
		"builddate": "1744562312"
	}
}
root@OpenWrt:/mnt/ssd/log# ubus call rpc-sys packagelist '{ "all": true }' | grep ssl
		"libopenssl": "3.0.16-r1",
		"luci-ssl": "25.103.51521~2ac26e5",
		"python3-openssl": "3.11.7-r2",

noticed this on snapshot/master - mbedtls is still primary, but OpenSSL is still pulled into the build for many targets due to dependencies...

I suppose at some point, OpenSSL might be the default...

OpenSSL is huge, that decision won’t go down lightly.

My advice for developing on OpenWrt, depend on mbedtls as it is default.
If you are willing to go to the effort, support mbedtls and OpenSSL with a configurable selection.

Don't you see the link, Sherlock?

python-openssl depends on openssl, just like perl-curl would depend on some sort of curl. Does not mean everyone else has to switch.

Thanks, I think that is what I'll end up doing. It is a little sad that it doesn't have scrypt or argon2 but PBKDF2 should be fine.
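The memory-hardness point raised in the opening post and the PBKDF2 fallback the poster settles on, as an added illustration (not code from OpenWrt or any participant). It assumes Python's hashlib, whose scrypt binding is only present when the linked OpenSSL exposes scrypt, which stands in for a build whose TLS library lacks memory-hard KDFs.

```python
"""Pick the strongest password KDF the local crypto library exposes.

Added example for this thread, not OpenWrt code. hashlib.scrypt is only
defined when the underlying OpenSSL provides scrypt; when it is missing we
fall back to PBKDF2, which is CPU-bound only and needs almost no memory.
"""
import hashlib
import hmac
import os

# scrypt cost parameters; memory use per guess is 128 * r * N bytes (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
# PBKDF2 needs a high iteration count precisely because it is not memory-hard.
PBKDF2_ITERATIONS = 600_000
DKLEN = 32  # derived key length in bytes


def scrypt_memory_bytes(n=SCRYPT_N, r=SCRYPT_R):
    """Memory an attacker must commit per guess; PBKDF2 has no equivalent cost."""
    return 128 * r * n


def scrypt_available():
    """True only when the linked OpenSSL build exposes scrypt to hashlib."""
    return hasattr(hashlib, "scrypt")


def derive_key(password, salt, force_pbkdf2=False):
    """Return (kdf_name, key): scrypt when available, else PBKDF2-HMAC-SHA256."""
    if scrypt_available() and not force_pbkdf2:
        key = hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                             p=SCRYPT_P, dklen=DKLEN)
        return "scrypt", key
    key = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS, DKLEN)
    return "pbkdf2-sha256", key


def verify(password, salt, kdf_name, expected):
    """Re-derive with the KDF recorded alongside the stored key and compare in constant time."""
    name, key = derive_key(password, salt, force_pbkdf2=(kdf_name == "pbkdf2-sha256"))
    return name == kdf_name and hmac.compare_digest(key, expected)


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample salt
    name, key = derive_key(b"correct horse", salt)
    print(name, key.hex(), "memory per guess:", scrypt_memory_bytes(), "bytes")
```

Storing the KDF name next to the key lets a later image with scrypt support keep verifying PBKDF2-derived entries while new entries use the stronger KDF.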

mbedtls is still the default - but porting everything upstream puts a lot of effort on the team...

seeing similar upstream with musl vs glibc for the c-library - core is still musl, but glibc is getting pulled in with more and more packages

Is it possible to have OpenSSL and mbedtls installed side by side?

Sure, the libraries anyhow. I've got both on a couple of my machines:

$ opkg list-installed | grep -iE 'ssl|tls'
libmbedtls21 - 3.6.3-r1
libopenssl3 - 3.0.16-r1
...

$ opkg whatdepends libmbedtls
Root set:
  libmbedtls21
What depends on root set
        libcurl4 8.10.1-r1      depends on libmbedtls21

$ opkg whatdepends libopenssl
Root set:
  libopenssl3
What depends on root set
        openssl-util 3.0.16-r1  depends on libopenssl3
        libustream-openssl20201210 2024.07.28~99bd3d2b-r1       depends on libopenssl3
        luci-ssl-openssl 25.130.38691~48b6321   depends on libustream-openssl20201210
        bind-libs 9.20.4-r1     depends on libopenssl3
        libopenssl-conf 3.0.16-r1       depends on libopenssl3
        bind-dig 9.20.4-r1      depends on bind-libs
        ntpdate 4.2.8_p17-r3    depends on libopenssl3
        wget-ssl 1.24.5-r1      depends on libopenssl3

1 Like

The "Sherlock" part was a little rough? Hate to see condescension here, could edit out before thread closes, just sayin'.

2 Likes

As a casual observer with no connection to either, and on rereading, I don't think it was meant harshly. More like, "Elementary, my dear Watson."

We might try not to take offence when we can, alongside not causing offence where possible.

Giving the benefit of the doubt is always a welcome practice. To distinguish that from wearing rose-colored glasses here, please consider the two words that normally precede "Sherlock," in the commonly used English phrase, to see it was an insult. Or at minimum, ambiguous and negative.