On Wed, Jul 20, 2016 at 11:56 PM, Jeremy Chadwick <[email protected]> wrote:
> The problem of Busybox wget not supporting TLS SNI has come up a couple
> times on the Tomato firmware board on linksysinfo.org. This impacts
> sites like CloudFlare who are very strict about what SSL and TLS
> parameters they require.
>
> Below is a patch against master that rectifies this. It should be easy
> to backport to 1_{23,24,25}_stable.
>
> I should note that my patch trumps the one sent on 2015/10/23 here:
> http://lists.busybox.net/pipermail/busybox/2015-October/083510.html
>
> That patch blindly violates RFC 6066 by blindly passing on whatever the
> "host" argument is into -servername. The "host" argument can (will)
> include such values as ip, ip:port, and hostname:port. RFC 6066 is
> very clear that the only allowed servername value permitted is a
> string/hostname (i.e. only an FQDN).
>
> And regarding the additional patch from the same individual:
> http://lists.busybox.net/pipermail/busybox/2015-October/083509.html
>
> That patch assumes the OpenSSL library on the client machine has a
> properly configured openssl.cnf as well as a full CA root list (many
> embedded devices do not). This is a precarious situation and not always
> warranted. If this is to be done, then a --no-check-certificates flag
> must be added so that it can be disabled.
Applied, thanks!

busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
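The RFC 6066 point in the quoted mail (only a DNS hostname may go into the SNI extension, never an IP literal or a host:port string) is illustrated by the following added example; it is not the Busybox patch and not code from the thread. The function and the sample host arguments (example.com, 192.0.2.10, 2001:db8::1) are constructed here for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Derive the SNI server_name from a wget-style "host" argument.
 * RFC 6066 only allows a DNS hostname in the extension, so an IP
 * literal (dotted IPv4, bracketed or bare IPv6) yields no SNI at all,
 * and a trailing ":port" is stripped before the name is used.
 * Returns 1 and writes the name to out[] when SNI should be sent,
 * 0 when the connection should be made without SNI. */
int sni_name_from_host_arg(const char *arg, char *out, size_t outlen)
{
    char buf[256];
    const char *colon;
    size_t len;
    struct in_addr a4;
    struct in6_addr a6;

    if (!arg || !*arg || arg[0] == '[')          /* empty or "[v6]:port" */
        return 0;
    colon = strchr(arg, ':');
    if (colon && colon != strrchr(arg, ':'))     /* bare IPv6 literal */
        return 0;
    len = colon ? (size_t)(colon - arg) : strlen(arg);   /* drop ":port" */
    if (len == 0 || len >= sizeof buf || len >= outlen)
        return 0;
    memcpy(buf, arg, len);
    buf[len] = '\0';
    if (inet_pton(AF_INET, buf, &a4) == 1 || inet_pton(AF_INET6, buf, &a6) == 1)
        return 0;                                /* IP literal: no SNI */
    memcpy(out, buf, len + 1);
    return 1;
}

/* Convenience wrapper: the name to send, or NULL for "no SNI". */
const char *sni_name_or_null(const char *arg)
{
    static char name[256];
    return sni_name_from_host_arg(arg, name, sizeof name) ? name : NULL;
}

int main(void)
{
    /* Constructed sample host arguments of the kinds the mail lists. */
    const char *samples[] = { "example.com", "example.com:8443",
                              "192.0.2.10:443", "[2001:db8::1]:443", "2001:db8::1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *n = sni_name_or_null(samples[i]);
        printf("%-22s -> %s\n", samples[i], n ? n : "(no SNI)");
    }
    return 0;
}
```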
