SSL support in OpenWrt on devices with 4 MiB flash
Published: 2015-11-04. Updated: 2015-11-09.
I recently decided to move my remote firmware update process to HTTPS. The most
obvious and ubiquitous candidate was the wget utility. The downside is that it
only supports OpenSSL. While modern routers with 8 MiB or more of flash, like my
Netgear WNDR3700, have no trouble accommodating the bigger library (libopenssl
alone being 680 KiB), it did prove too much for 4 MiB devices like the
TL-WR841N.
I tried to throw out pretty much everything I didn't strictly need on the
TP-Link (LuCI, PPP, etc.), but only after I removed IPv6 support was I able to
cram libopenssl onto the device. That doesn't really help in the long term though,
so I decided to drop the project and just move my >4 MiB routers onto the HTTPS
upgrade path. That is, until I learned that curl supports multiple SSL libraries,
among them PolarSSL, now owned by ARM and rebranded as mbed TLS, which clocks
in at a (relatively) mere 132 KiB. So I started tinkering, threw out PPP again
(everyone running one of these routers is on cable) and was able to add curl and
libpolarssl while keeping LuCI.
You can press a forward slash to open a search prompt in OpenWrt's buildroot
menu (make menuconfig). When you select curl under Network > File Transfer, then
go to libcurl under Libraries, you should see PolarSSL selected as its default
SSL library.
You may want to include some certificates. 4 MiB of flash does not leave room for
the full ca-certificates package, but you can work around that by creating a
files/etc/ssl/certs/ directory in the buildroot yourself (see "including custom
files in your OpenWrt build" for details) and dropping the certificate(s) in that
directory. Only the CA that signed your update server's certificate needs to be
there. Test the result with curl -v against your server and make sure the
handshake succeeds without -k (--insecure): that flag turns off certificate
verification entirely and defeats the point of moving to HTTPS.
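As an added example (not from the original post, and not the author's own update script), here is a busybox-compatible update script that ties the pieces above together on the device: it fetches the image over HTTPS with curl, pinned explicitly to the CA dropped into /etc/ssl/certs/ so it does not depend on libcurl's compile-time default CA path, refuses plain http and non-https redirects, checks a published SHA-256 before flashing, and only then calls sysupgrade. The server URL, the CA file name, the image name and the "<image>.sha256 next to the image" layout are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenWrt itself.
# Assumptions (hypothetical, change to match your environment):
#   - UPDATE_URL is your own update server
#   - the CA that signed that server's certificate was placed in the build
#     tree as files/etc/ssl/certs/update-ca.pem
#   - the server publishes <image>.sha256 (sha256sum format) next to <image>

UPDATE_URL="https://updates.example.net/wr841n"            # hypothetical
CA_FILE="/etc/ssl/certs/update-ca.pem"                      # hypothetical
IMAGE="openwrt-ar71xx-generic-tl-wr841n-squashfs-sysupgrade.bin"  # hypothetical

# fetch_https URL DEST
# Strict TLS download: only the pinned CA is trusted, plain http and
# redirects away from https are refused, HTTP errors fail the command.
fetch_https() {
    curl --silent --show-error --fail \
         --proto '=https' --proto-redir '=https' \
         --cacert "$CA_FILE" \
         --max-time 300 \
         --output "$2" "$1"
}

# parse_sha256 SUMFILE
# Extract the 64 hex digits from a "<hash>  <name>" line as written by
# sha256sum; prints nothing if the file does not contain such a line.
parse_sha256() {
    sed -n 's/^\([0-9a-fA-F]\{64\}\).*/\1/p' "$1" | head -n 1
}

# verify_image FILE EXPECTED_SHA256
# Returns 0 only when both values are non-empty and the file's SHA-256
# matches EXPECTED_SHA256; an empty expected value never matches.
verify_image() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$2" ] && [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# do_upgrade
# Download image and checksum, verify, and flash. Nothing is written to
# flash unless the TLS download and the checksum check both succeed.
do_upgrade() {
    tmp="/tmp/$IMAGE"
    if ! fetch_https "$UPDATE_URL/$IMAGE" "$tmp"; then
        echo "image download failed" >&2
        return 1
    fi
    if ! fetch_https "$UPDATE_URL/$IMAGE.sha256" "$tmp.sha256"; then
        echo "checksum download failed" >&2
        rm -f "$tmp"
        return 1
    fi
    expected=$(parse_sha256 "$tmp.sha256")
    if ! verify_image "$tmp" "$expected"; then
        echo "checksum mismatch, refusing to flash" >&2
        rm -f "$tmp" "$tmp.sha256"
        return 1
    fi
    # Default sysupgrade keeps the overlay (settings); add -n to wipe it.
    sysupgrade "$tmp"
}

# Only flash when explicitly asked, so the file can be sourced for testing.
if [ "${UPGRADE_RUN:-0}" = "1" ]; then
    do_upgrade
fi
```

Run it as UPGRADE_RUN=1 sh /root/upgrade.sh on the router. Pinning with --cacert rather than relying on whatever CA directory libcurl was built with keeps the trust decision visible in the script, and the separate checksum step means a compromised or misconfigured mirror still cannot push a corrupted image onto the flash.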
I also disabled some of the debugging options like CONFIG_KALLSYMS, but since
the kernel resides on its own partition, I am wondering whether that really frees
up any space. Either way, keep in mind that with a bit of tinkering you can have
HTTPS support on your 4 MiB OpenWrt router without compromising too much!