Building Image with openssl – Installing and Using OpenWrt

Hi there,
i’m finally coming around to update to 23.05 and just want to make sure to not F* up something :wink:
I want to keep TLS1.3 and thus openSSL. Of course, the image build fails if i just include libustream-openssl.
It build successfully if i also exclude libustream-mbedtls with -libustream-mbedtls. But in .config, there are a lot of defaults for mbedtls – is that an issue that needs to be tackled or are those defaults (like ciphers for example) automatically applied to openssl?

For reference, the whole build command:

make image PACKAGES="base-files busybox ca-bundle dnsmasq dropbear e2fsprogs firewall4 fstools grub2-bios-setup kmod-amazon-ena kmod-amd-xgbe kmod-bnx2 kmod-button-hotplug kmod-e1000 kmod-e1000e kmod-forcedeth kmod-fs-vfat kmod-igb kmod-igc kmod-ixgbe kmod-nft-offload kmod-r8169 kmod-tg3 libc libgcc libustream-openssl logd luci mkf2fs mtd netifd nftables odhcp6c odhcpd-ipv6only opkg partx-utils ppp ppp-mod-pppoe procd procd-seccomp procd-ujail uci uclient-fetch urandom-seed urngd luci-ssl-openssl openssl-util -libustream-mbedtls"

Thanks in advance!

As you’re on x86_64, just test the image beforehand – be it in a virtual machine (e.g. qemu/ kvm) or on the real iron booted from a USB stick, x86_64 is just easy in this regard (and even in the worst case you can recover easily).

The general “it works” can easily be tested, true. I’m more worried that some “hidden” configuration would maybe be amiss that could for example compromise security.

And there are no easy- or general answers to that, as it depends on the (unspecified) version you’re coming from, as well as what additional packages you have installed and how your configuration deviates from defaults.

The only generic answer would be not retain configurations over a major version upgrade, and/ or carefully audit default-state-of-old-version, default-state-of-new-version, as well as your existing configuration delta vs. default-state-of-old-version and what you end up after applying your configuration relative to default-state-of-new-version. Not that this really helps you finding a solution, but I’m actually am quite serious about it (and look into sysupgrade -u, which might help your goal – or it might not, usage of that requires careful auditing as well).

To get a bit closer to reality, I really like OpenWrt on x86_64 as router, exactly because you can easily test things (including the sysupgrade from old- to new) from a USB stick, without endangering your installed system, while that doesn’t help you omitting all care and auditing, it does make the process much nicer.



2 Likes

Thanks for the insights!
I’m currently on 22.03.3 and haven’t really installed any additional packages or have crazy configs, “just” the setup of vlans, dhcp/dns and so on. But never done a major release upgrade.

But it really sounds like i should finally get around to bite the bullet and recreate my config as an UCI script to ease the audition/prevent obsolete configs to be carried over.

sysupgrade -u really sounds important here, never gave it second thought because the help explanation ( “skip from backup files that are equal to those in /rom” ) didn’t ring a bell, but the explanation in openwrt.org/docs/techref/sysupgrade makes much more sense. Thanks for mentioning that!

I don’t remember the reasoning, but I remember that a person with a greater knowledge than me, suggested putting all the minus-packages before the substitution packages in the list of PACKAGES, so in your case, I’d try:

make image PACKAGES="base-files busybox ca-bundle dnsmasq dropbear e2fsprogs firewall4 fstools grub2-bios-setup kmod-amazon-ena kmod-amd-xgbe kmod-bnx2 kmod-button-hotplug kmod-e1000 kmod-e1000e kmod-forcedeth kmod-fs-vfat kmod-igb kmod-igc kmod-ixgbe kmod-nft-offload kmod-r8169 kmod-tg3 libc libgcc -libustream-mbedtls libustream-openssl logd luci mkf2fs mtd netifd nftables odhcp6c odhcpd-ipv6only opkg partx-utils ppp ppp-mod-pppoe procd procd-seccomp procd-ujail uci uclient-fetch urandom-seed urngd luci-ssl-openssl openssl-util"

Now, I don’t know about cyphers, but I can tell you for sure that with at least one package (curl) the SSL library is a build-time dependency, so if you were to add curl to the list, it would still pull whatever SSL library it was built for (if I remember correctly, wolfssl for 22.03 and mbedtls for 23.05).

So definitely, no, not all packages will depend on openssl in your image.

PS. You may want to reduce your PACKAGES variable by removing packages which are included on your platform by default, I believe the list is available if you run make info inside the IB directory. Like dropbox, dnsmasq, procd, uci and uclient-fetch most likely can be removed.
PPS. You may also be able to remove luci if luci-ssl-openssl has proper dependencies.



1 Like

opkg does not do smart dependency resolution, you will have to unravel the dependency conflicts for it – meaning you have to clear the conflicts (the whole dependency chain, in order) first, before you can include the otherwise conflicting packages.

I rarely build with imagebuilder, but having the removals with “-” at the end has worked for me with DL-WRX36 and MT6000.

Example, building MT6000 with OpenSSL instead of mbedtls:

make image \
 PROFILE="glinet_gl-mt6000" \
 PACKAGES="ccrypt diffutils gdbserver htop irqbalance mtr-nojson nano-full \
  openssh-sftp-server patch tcpdump-mini tree wget-ssl \
  block-mount kmod-usb-storage kmod-fs-cifs kmod-fs-exfat libblkid \
  kmod-fs-ext4 kmod-fs-msdos kmod-fs-ntfs3 kmod-nls-cp437 kmod-nls-iso8859-1 \
  kmod-nls-utf8 hostapd-utils wpad-openssl ca-certificates \
  luci-ssl-openssl \
  luci-app-adblock luci-app-banip luci-app-bcp38 luci-app-commands \
  luci-app-nlbwmon luci-app-opkg luci-app-sqm luci-app-uhttpd \
  luci-app-statistics collectd-mod-conntrack collectd-mod-cpufreq \
  collectd-mod-ping collectd-mod-thermal collectd-mod-uptime \
  iptables-nft ip6tables-nft ipset \
  -wpad-basic-mbedtls -libustream-mbedtls -libmbedtls" \
 FILES="../files"

wpad, libustream and mbedtls itself need to be removed and replaced with openssl variants (with wpad-openssl and luci-ssl-openssl)

Like hnyman already said, that doesn’t seem to be the case – it worked for me once i put -libustream-mbedtls at the end of the PACKAGES argument (without that, i would of course get a build error that mbedtls and openssl conflict). Just to be save, i’ve now put it at the beginning and slimmed down the list to the non-defaults, but at least there wasn’t an immediately obvious difference of putting the exclusion at the beginning or the end.

Read more here: Source link