<russell-->
ynezz: you can add a Tested-by on the gs108t
rsalvate_ is now known as rsalvaterra
<Hauke>
should we activate luci-ssl in openwrt 21.02 by default?
<Hauke>
the initramfs for ath79 is 2.2kB bigger, the ipkgs luci-ssl and px5g-wolfssl are together 6.2KByte
<Hauke>
where is this setting done?
<zorun>
Hauke: as far as I can remember, the question of self-signed certificate was not resolved
<zorun>
do you mean forcing HTTPS by default, or providing both HTTP and HTTPS?
<Hauke>
zorun: no not forcing it by default
<Hauke>
when someone is using http without TLS, it should stay there. The web server will just be available under https in addition
<zorun>
fine with me
<PaulFertser>
Is the question with certificates a real one or an imaginary problem?
<russell-->
modern browsers get cranky
<PaulFertser>
How cranky? I couldn't notice anything bad about it lately.
<Hauke>
browsers do not like self signed certificates
<russell-->
i will say, i have *not* tried it recently
<PaulFertser>
The thing is, at my job we run OpenBMC web ui and it works only over https, so the generated self-signed certificates are getting tested by different browsers our networking folks are using.
* russell--
not a habitual luci user
<PaulFertser>
And I do not remember that being problematic at all.
<zorun>
browsers are cranky when using insecure old algorithms
<PaulFertser>
With chromium as shipped by Debian it's just one additional click to proceed working with the web server.
<zorun>
self-signed with reasonable algorithms should still be working ok
<PaulFertser>
So we just need to check that uhttpd is using reasonable algorithms and default to https then :)
<Hauke>
OpenWrt 21.02 uses TLS 1.3, so algorithms are not the problem
<PaulFertser>
Hauke: so did you observe any browser lately that wasn't happy with it?
<PaulFertser>
Or did anyone?
<Hauke>
some browsers forget about the allowed self signed certificate after some time
<Hauke>
Safari does not allow certificates which are valid for more than 2 years
<PaulFertser>
I think it's not only about the transport but it's also about the hash algorithm used for signatures, including the Root CA.
<PaulFertser>
I use chromium incognito mode exclusively, it doesn't seem to be an issue if it forgets I trusted some server, I just press the "proceed to the website" link again, trivial, not problematic.
<PaulFertser>
Doesn't allow at all, even for self-signed?