Wolfssl and openssl both?

Hello, I'm not really a developer, but I do build my openwrt from source on a regular basis. I think questions about building belong in this subforum.

One of my targets is a "tiny" Atheros, so every byte counts. Example: I recently had to give up curl because of image space.

Over time, I have added and removed packages in menuconfig, and now I noticed my personal config has both openssl and wolfssl. One of the two could be unneeded. Are they interchangeable? How do I go about removing one of them without leaving orphaned packages?

You should look at the output of scripts/diffconfig.sh that shows the packages and settings you currently have. Take that as the new .config, edit it, delete the unknown package lines and leave only those that you have actively selected. Then run make defconfig. That will fetch all needed dependencies and you will again have a normal .config file.

You may also need to select the package options suitably so that you select the openssl variant of a package. Some packages have mbedtls as a default. E.g. ustreamtls for Luci https.

I have been tweaking my own build to be openssl-only, so there is no mbedtls or wolfssl


Like @hnyman, I build with OpenSSL only.

It seems that the order of adding packages can impact later additions bringing in other TLS libraries, so I typically will add OpenSSL first, then things that use TLS. Adding OpenSSL after, for example, wolfssl has been brought in by curl or the like, won't remove wolfssl from the build.


Interesting... so if one wanted to completely remove openssl from the build to use 100% wolfssl stuff:

make menuconfig
   ### from the menuconfig disable wpad-openssl and enable wpad-wolfssl
./scripts/diffconfig.sh > new
vim new
   ### edit new removing all lines containing OPENSSL and place all lines containing WOLFSSL on top
mv new .config
make defconfig

That seems to have the desired effect. Here is a diff (new config on left and old config on right).


Wow, a useful reply 2 years later... I wasn't hoping for it. Thank you @darksky!
(and of course @jeff and @hnyman, who were rather timely) :slight_smile:


You're welcome. Interestingly, just editing in menuconfig seems to create a clean .config with respect to the OPENSSL lines.

% ./scripts/diffconfig.sh | grep -i openssl
% echo $?
1

Recently, I'm having problems building OpenWRT. There are conflicts between different openssl libraries. I'd like to use one such library only.

  1. Which library is advisable in your opinion?

  2. Is there a surefire way to create a config that only builds that library?

  1. I use wolfssl
  2. What I described above seems to work as advertised. What is the output of that grep command for your .config?

You make sure to negate the unwanted library if that is default, and make sure that you specify the correct variant of those packages that support multiple ssl libraries. (curl, luci, wpad, ustreamssl, etc.)

My own selections in my .config recipe to disable wolfssl and enable openssl:

CONFIG_PACKAGE_wpad-openssl=y
# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
# CONFIG_PACKAGE_libustream-wolfssl is not set
CONFIG_PACKAGE_luci-ssl-openssl=y
CONFIG_PACKAGE_curl=y
CONFIG_LIBCURL_OPENSSL=y

(luci-ssl-openssl pulls in libustream-openssl, so I do not specify that)

Thank you, @darksky and @hnyman!

How about mbedtls? It seems to be default at least for some packages.

It's 1 indeed :slight_smile:

I like @hnyman's way because I can make sure visually and quickly (in a small config seed rather than a longer .config file) that I'm clean of other openssl variants. What do you mean, editing in menuconfig creates a clean .config file? It's more or less like just specifying a target and making defconfig, did I get it right? I suppose (correct me if I'm wrong) that it won't exclude "wrong" variants of some packages if they are already in the .config.

You can easily add packages with menuconfig, but there is no detection logic of unnecessary dependent packages. If package A depends on B, and you switch A to a variant that requires C instead, B remains selected :frowning:

That's why I arrived a few years ago at the solution where I only keep the .config recipe with the packages I need, and then before build expand it to the full .config with "make defconfig", which pulls in all the necessary dependencies. But I still need to exclude the unwanted default variants in some cases, like my example above shows.


Nice! Thanks. That's what I'm going to do as well. I just got to go through the full .config files (it's more than one device actually), reduce to a seed, make defconfig, diff until no difference.

I think this topic is ripe for marking solved. I'm just going to wait a few days just in case some related discussion ensues.

Thanks for all the useful contributions. Your help is appreciated, @hnyman, @jeff, @darksky!

EDIT Is there a way to make a recipe (I call it "seed": a minimal config to be expanded by make defconfig) that excludes some packages? In other words, will including a line like

CONFIG_PACKAGE_unwanted_package is not set

(without a comment) make sure that package is not linked in?

You can prune lots of dependent packages, so that you get a really slim .config recipe.

You can see examples in my community builds (R7800, Wndr3700). The .config.init files in my download dirs are the recipes that I use.

EDIT:

You can use the output of ./scripts/diffconfig.sh as the initial recipe and then remove more dependent packages.


Exclusion is possible, but you need that "#" there in the exclusion lines:

# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
# CONFIG_PACKAGE_libustream-wolfssl is not set

Example, my full R7800 recipe. "#" can be used for comment, but is also needed on the exclusion lines.

# Use "make defconfig" to expand this to a full .config
CONFIG_TARGET_ipq806x=y
CONFIG_TARGET_ipq806x_generic=y
CONFIG_TARGET_ipq806x_generic_DEVICE_netgear_r7800=y

# Per-package build logs in <buildroot>/logs
CONFIG_DEVEL=y
CONFIG_BUILD_LOG=y

# Debugging options (build gdbserver, include package debug)
CONFIG_PACKAGE_gdbserver=m
CONFIG_DEBUG=y

# Include package list in build
CONFIG_INCLUDE_CONFIG=y

# exfat is patented
CONFIG_BUILD_PATENTED=y

# Longer waiting for failsafe button push
CONFIG_IMAGEOPT=y
CONFIG_PREINITOPT=y
CONFIG_TARGET_PREINIT_TIMEOUT=5

# Busybox tweaks
CONFIG_BUSYBOX_CUSTOM=y
CONFIG_BUSYBOX_CONFIG_FEATURE_EDITING_SAVEHISTORY=y
CONFIG_BUSYBOX_CONFIG_FEATURE_EDITING_SAVE_ON_EXIT=y
CONFIG_BUSYBOX_CONFIG_FEATURE_LESS_FLAGS=y
CONFIG_BUSYBOX_CONFIG_FEATURE_LESS_REGEXP=y
CONFIG_BUSYBOX_CONFIG_FEATURE_LESS_WINCH=y

# Add-on programs
CONFIG_PACKAGE_htop=y
CONFIG_PACKAGE_nano=y
CONFIG_PACKAGE_ccrypt=y
CONFIG_PACKAGE_curl=y
CONFIG_LIBCURL_OPENSSL=y
CONFIG_PACKAGE_wget=y
CONFIG_PACKAGE_patch=y
CONFIG_PACKAGE_diffutils=y
CONFIG_PACKAGE_tree=y
CONFIG_PACKAGE_irqbalance=y
CONFIG_DROPBEAR_ECC=y

# USB device mount & file systems support
CONFIG_PACKAGE_block-mount=y
CONFIG_PACKAGE_kmod-usb-storage=y
CONFIG_PACKAGE_kmod-fs-cifs=y
CONFIG_PACKAGE_kmod-fs-exfat=y
CONFIG_PACKAGE_libblkid=y
CONFIG_PACKAGE_kmod-fs-ext4=y
CONFIG_PACKAGE_kmod-fs-hfsplus=y
CONFIG_PACKAGE_kmod-fs-msdos=y
CONFIG_PACKAGE_kmod-fs-vfat=y
CONFIG_PACKAGE_ntfs-3g=y
CONFIG_PACKAGE_kmod-nls-cp1250=y
CONFIG_PACKAGE_kmod-nls-cp437=y
CONFIG_PACKAGE_kmod-nls-cp850=y
CONFIG_PACKAGE_kmod-nls-iso8859-1=y
CONFIG_PACKAGE_kmod-nls-iso8859-15=y
CONFIG_PACKAGE_kmod-nls-utf8=y

# IPv6 support
CONFIG_PACKAGE_6in4=y
CONFIG_PACKAGE_6to4=y
CONFIG_PACKAGE_6rd=y

# IPv6 NAT support (ip6tables NAT extensions, ipt-nat6 and nf-nat6 kmods)
CONFIG_PACKAGE_ip6tables-mod-nat=y

# WLAN/WPS support
CONFIG_PACKAGE_hostapd-utils=y
CONFIG_WPA_MSG_MIN_PRIORITY=4
CONFIG_PACKAGE_wpad-openssl=y
# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
# CONFIG_PACKAGE_libustream-wolfssl is not set

# SSL certificates
CONFIG_PACKAGE_ca-certificates=y

# Luci (SSL from OpenSSL)
CONFIG_PACKAGE_luci-ssl-openssl=y
CONFIG_PACKAGE_luci-app-commands=y
CONFIG_PACKAGE_luci-app-ddns=y
CONFIG_PACKAGE_luci-app-sqm=y
CONFIG_PACKAGE_luci-app-upnp=y
CONFIG_PACKAGE_luci-app-wol=y

# Luci statistics
CONFIG_PACKAGE_luci-app-statistics=y
CONFIG_PACKAGE_collectd-mod-conntrack=y
CONFIG_PACKAGE_collectd-mod-cpufreq=y
CONFIG_PACKAGE_collectd-mod-entropy=y
CONFIG_PACKAGE_collectd-mod-ping=y
CONFIG_PACKAGE_collectd-mod-sqm=y
CONFIG_PACKAGE_collectd-mod-thermal=y
CONFIG_PACKAGE_collectd-mod-uptime=y

# Build material and openwrt-2020 themes, default is still bootstrap
CONFIG_PACKAGE_luci-theme-material=y
CONFIG_PACKAGE_luci-theme-openwrt-2020=y

# kernel support for tunnels, VPNs
CONFIG_PACKAGE_kmod-tun=y

# wireguard
CONFIG_PACKAGE_luci-app-wireguard=y

# PPTP support
CONFIG_PACKAGE_luci-proto-ppp=y
CONFIG_PACKAGE_ppp-mod-pptp=y

# iptables add-on ipsec
CONFIG_PACKAGE_iptables-mod-ipsec=y

# Support for IETF BCP38
CONFIG_PACKAGE_luci-app-bcp38=y

# Adblock package with Luci support, initially disabled
CONFIG_PACKAGE_luci-app-adblock=y

# BanIP package with Luci support, initially disabled
CONFIG_PACKAGE_luci-app-banip=y

# nlbwmon app
CONFIG_PACKAGE_luci-app-nlbwmon=y

# chaoskey TRNG USB dongle
CONFIG_PACKAGE_kmod-chaoskey=y
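
An added example, not part of any post in this thread and not OpenWrt's own tooling: a small audit that generalises the `diffconfig.sh | grep -i openssl` check above to all three TLS libraries named here and also flags exclusion lines that are missing the leading "#". The function names and the sample seed are constructed for illustration; backends are detected by symbol name only, which is a heuristic.

```shell
#!/bin/sh
# Added example: audit an OpenWrt .config or seed for TLS backends.
# Matching is by symbol name only (a heuristic): it does not resolve
# Kconfig dependencies, so run it on the output of "make defconfig".

# Print each TLS backend that has at least one symbol set to y or m.
tls_backends() {
    awk -F= '
        /^CONFIG_[^=]*=(y|m)$/ {
            s = tolower($1)
            if (s ~ /openssl/) seen["openssl"] = 1
            if (s ~ /wolfssl/) seen["wolfssl"] = 1
            if (s ~ /mbedtls/) seen["mbedtls"] = 1
        }
        END { for (b in seen) print b }
    ' "$1" | sort
}

# Print "is not set" lines that lack the leading "# " and so do not
# have the exclusion-line form shown in the thread.
bad_exclusions() {
    grep -E '^[[:space:]]*CONFIG_[^[:space:]=]+ is not set' "$1"
}

# Succeed only if $2 is the single enabled backend and every exclusion
# line is well-formed.
check_single_tls() {
    [ "$(tls_backends "$1")" = "$2" ] || return 1
    if bad_exclusions "$1" >/dev/null; then return 1; fi
    return 0
}

# Constructed sample seed: lines quoted in this thread plus one
# deliberately malformed exclusion line (no leading "#").
sample_seed() {
    cat <<'EOF'
CONFIG_PACKAGE_wpad-openssl=y
# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
# CONFIG_PACKAGE_libustream-wolfssl is not set
CONFIG_PACKAGE_luci-ssl-openssl=y
CONFIG_PACKAGE_curl=y
CONFIG_LIBCURL_OPENSSL=y
CONFIG_PACKAGE_unwanted_package is not set
EOF
}

# Usage: sh tls-audit.sh .config openssl
[ -z "${1:-}" ] || check_single_tls "$1" "${2:-openssl}"
```

Run it against the expanded .config after `make defconfig`; a non-zero exit status means either a second TLS backend is still enabled or an exclusion line is malformed.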