SSL support in OpenWrt on devices with 4 MiB flash


Updated: 2015-11-09

I recently decided to move my remote firmware update process to HTTPS. The most obvious and ubiquitous candidate was the wget utility. The downside is it only supports OpenSSL. While modern routers with 8 MiB or more flash, like my Netgear WNDR3700, have no trouble accomodating the bigger library (libopenssl alone being 680 KiB), it did prove too much for 4 MiB devices like the TL-WR841N.

I have tried to throw out pretty much everything that I didn't strictly need on the TP-Link - LuCI, PPP, etc., but only when I removed IPv6 support I was able to cram libopenssl onto the device. That doesn't really help in the long term though, so I decided to drop the project and just move my >4 MiB routers onto the HTTPS upgrade path. That is, until I learned curl supports multiple SSL libraries, among which PolarSSL, now property of ARM and rebranded mbed TLS, and clocking in at a (relatively) mere 132 KiB. So I started tinkering, threw out PPP again (the owners operating one are all on cable) and was able to add curl and libpolarssl in while keeping LuCI.

You can use a forward slash to open a search prompt in OpenWrt's buildroot. When you select curl under Network > File Transfer, then go to libcurl under Libraries, you should see PolarSSL selected as its default SSL library.

You may want to include some certificates. The 4 MiB do not allow for the full ca-certificates package to be included, but you can work around that by creating a files/etc/ssl/certs/ directory yourself - including custom files in your OpenWrt build has more info if you want - and drop the certificate(s) in that dir.

I also disabled some of the debugging stuff like CONFIG_KALLSYMS but since the kernel resides on its own partition, I am wondering if that really frees up any space. Either way, just keep in mind with a bit of tinkering you can have HTTPS support on your 4 MiB OpenWrt router without needing to compromise too much!