From 9809e978afd4adb03bbd9569b439a585f040ccf8 Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Sat, 2 Jun 2018 22:31:28 +0200 Subject: [PATCH] uhttpd: Use elliptic curve keys by default Instead of generating a RSA key pair generate an elliptic curve key pair by default. Elliptic curve signatures are much faster than RSA signatures with mbedtls on MIPS BE hardware. I measured these numbers with mbedtls 2.9.0 on a Lantiq xrx200 SoC with a 500 MHz MIPS BE CPU: * RSA-2048 : 143.700000 public/s * RSA-2048 : 1.300000 private/s * ECDSA-secp384r1 : 7.600000 verify/s * ECDSA-secp384r1 : 27.900000 sign/s * ECDSA-secp256r1 : 12.300000 verify/s * ECDSA-secp256r1 : 41.000000 sign/s * ECDSA-secp256k1 : 11.400000 verify/s * ECDSA-secp256k1 : 39.000000 sign/s The TLS server needs one signature or public key operation per handshake. ECDSA keys are support by all modern browsers starting with: * Internet Explorer 7 * Firefox 2 * Opera 8 (with TLS 1.1 enabled) * Google Chrome v5.0.342.0 * Safari 2.1 * Mobile Safari for iOS 4.0 * Android 3.0 (Honeycomb) and later * Windows Phone 7 Source: https://support.cloudflare.com/hc/en-us/articles/203041594-What-browsers-work-with-Cloudflare-s-SSL-certificates- Signed-off-by: Hauke Mehrtens --- package/network/services/uhttpd/files/uhttpd.init | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/package/network/services/uhttpd/files/uhttpd.init b/package/network/services/uhttpd/files/uhttpd.init index dc496b3e28..0a4697f354 100755 --- a/package/network/services/uhttpd/files/uhttpd.init +++ b/package/network/services/uhttpd/files/uhttpd.init @@ -35,7 +35,7 @@ generate_keys() { local cfg="$1" local key="$2" local crt="$3" - local days bits country state location commonname + local days bits country state location commonname type curve config_get days "$cfg" days config_get bits "$cfg" bits @@ -43,6 +43,8 @@ generate_keys() { config_get state "$cfg" state config_get location "$cfg" location config_get commonname "$cfg" commonname + config_get type "$cfg" type + config_get curve "$cfg" curve # Prefer px5g for certificate generation (existence evaluated last) local GENKEY_CMD="" @@ -50,8 +52,17 @@ generate_keys() { [ -x "$OPENSSL_BIN" ] && GENKEY_CMD="$OPENSSL_BIN req -x509 -sha256 -outform der -nodes" [ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -der" [ -n "$GENKEY_CMD" ] && { + case "$type" in + rsa) + GENKEY_CMD=$GENKEY_CMD"-newkey rsa:${bits:-2048} " + ;; + ecdsa|*) + GENKEY_CMD=$GENKEY_CMD"-newkey ec:${curve:-secp256r1} " + ;; + esac + $GENKEY_CMD \ - -days ${days:-730} -newkey rsa:${bits:-2048} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \ + -days ${days:-730} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \ -subj /C="${country:-ZZ}"/ST="${state:-Somewhere}"/L="${location:-Unknown}"/O="${commonname:-OpenWrt}$UNIQUEID"/CN="${commonname:-OpenWrt}" sync mv "${UHTTPD_KEY}.new" "${UHTTPD_KEY}" -- 2.30.2