Eneas U de Queiroz <cotequei...@gmail.com> [2021-12-14 14:54:44]:

Hi,

> OpenWrt 19.07 support is officially limited to security maintenance,
> so we can cherry-pick a couple of wolfssl commits instead:
> 73076940a Fix CompareOcspReqResp.
> f93083be7 OCSP: improve handling of OCSP no check extension
>
> (excluding tests):
>  src/ssl.c               |  2 +-
>  wolfcrypt/src/asn.c     | 19 ++++++++++++-------
>  wolfssl/wolfcrypt/asn.h |  1 +
>  3 files changed, 14 insertions(+), 8 deletions(-)
>
> Just let me know what's the best approach here.

Let's see the diff, but it looks like a good proposal to me.

> After this is done--whether update or patch--I intend to propose a
> patch to build with WOLFSSL_ALT_CERT_CHAINS to avoid the problems with
> letsencrypt certificates. One can argue that it is a security fix,
> considering that the alternative is to skip certificate validation.
> If this is going to be NAKed, then I'll skip the trouble.

You mean cherry-picking 28d8e6a8711ba78f1684a205e11b0dbd4ff2b2f3?

It's really a PITA without this, as one needs to make the server side compatible with those broken clients, so I would be in favor of fixing this. I've just checked the API/ABI compatibility and it should be fine; that flag adds 2 new symbols, so this shouldn't cause any harm (tm).

--
ynezz