Why return to Mbed TLS?

This is getting a bit off topic. But I believe PPP is included by default because it might be required for Internet access. Which makes it hard to install as an addon package. At least if we are serious about OpenWrt as a firmware alternative for the main/only CPE. Depending on some other Internet access, even temporarily, is not really an option IMHO.

3 Likes

That makes sense.

Will performance get worse or better if I switch to wpad-mini?

There's one way to find out.

I'm wondering if mbedtls takes advantage of some hardware capabilities that wpad-mini can't for more performance.

BTW, when will OpenWrt migrate to mbedtls 3? It was released more than two years ago.

They'd only move to an LTS version, so when Arm releases mbedtls 3.6 (Q1 24) + some.
(Sadly, mbedtls only makes an LTS version of the last version of a major version, just before X.0.)

1 Like

I read through this thread but am still unclear on which of these to choose (mbedtls, wolf, or openssl). My use case is a WPA3/WPA2 mixed SSID on a gl.inet-gl-mt6000.

You don't want the ABI mess WolfSSL is. If you have the flash space, go with OpenSSL.

1 Like

full openssl for that 8GB eMMC

1 Like

If I use openssl I think wpad-basic-openssl would be fine given my need for just regular WPA3/WPA2 mixed mode SSIDs, no? What would the full package offer me if I am not using RADIUS and the other advanced features?

1 Like

You don’t even need the full package for OpenVPN.

I noticed a problem with mixed mode WPA3/WPA2 when connecting some devices; it depends on the device. If there are problems, then it’s better to choose one, WPA2 or WPA3; not all devices support mixed mode normally.
And you can try installing wpad-mbedtls instead of wpad-basic-mbedtls; it works more stably.

Among other things, hostapd-mini and wpad-mini don't include linkage to any TLS libraries. As a consequence, they drop support for any of the use cases which would have invoked those TLS libraries.

Rather than a major change in performance, I'd expect that the most prominent outcome would be a loss of features. Notably, you would not be able to create or join any network which uses WPA3 encryption.

If they consume less resources because they have less capabilities, then yes, they could improve performance by removing the full versions of wpad. That's my guess.

1 Like

Do note that current master uses mbedTLS 3.6, which has TLS 1.3 support. Which means the next version of OpenWrt will bring support back for all missing features.

5 Likes