Re: [PATCH 1/3] build: add libustream and certs to default pkgs

2020-09-15 Thread Henrique de Moraes Holschuh

On 27/08/2020 18:47, Paul Spooren wrote:

To allow HTTPS usage on a router it requires both certificates
(ca-bundle) and a fitting libustream library (libustream-wolfssl)

By adding both, uclient-fetch and wget can connect to encrypted HTTP.

This allows opkg to update package lists in a more secure fashion.


It is also a FLASH pig IMHO: not as bad as, say, openssl, but ca-bundle 
is still Not Small[tm] :-(


ca-bundle could benefit from some Kconfig-enforced mega diet:


[ ] Let's Encrypt and its alternative roots
[ ] Openwrt.org's packages
[ ] custom path -> (some path where we can add custom certificates,
with a default of certs/)
[ ] All other certificates we'd usually package in ca-bundle

Default would be something that gets us all the current certificates in 
ca-bundle, and maybe just the custom path or LE for the SMALL_FLASH version.


--
Henrique de Moraes Holschuh
www.nic.br

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
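The Kconfig "diet" sketched in the message above amounts to selecting a subset of a PEM bundle and adding whatever sits in a custom directory. The script below is an added example, not code from this thread or from the OpenWrt ca-bundle package: it assumes the labelled bundle layout used by Mozilla's cacert.pem (a CA name line, an `====` underline, then the certificate), treats `ISRG Root X1`/`ISRG Root X2` as the assumed "Let's Encrypt" allow-list, and uses a constructed sample bundle with placeholder bodies rather than real certificates. It returns the trimmed bundle and the byte saving so the flash cost of each option can be compared.

```python
"""Trim a PEM CA bundle down to an allow-list of roots plus a custom path.

Added example, not code from the openwrt-devel thread or from the ca-bundle
package.  It models the Kconfig "diet" proposed above: keep only the
Let's Encrypt roots, add whatever is dropped into a custom certificate
directory, and report how many bytes that saves against the full bundle.

Assumed input format: every certificate block is preceded by a label line
and an '====' underline, as in Mozilla's cacert.pem.  The sample bundle and
the base64 bodies below are constructed placeholders, not real certificates.
"""
import re
import tempfile
from pathlib import Path

# One labelled certificate: "Label\n=====\n-----BEGIN ... END-----".
CERT_RE = re.compile(
    r"^(?P<label>[^\n#=][^\n]*)\n=+\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----)",
    re.M | re.S,
)
# A bare PEM block, for custom files that carry no label line.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----", re.S
)

# Constructed sample bundle (placeholder bodies, not valid DER).
SAMPLE_BUNDLE = """\
# Constructed sample bundle, not a real one

ISRG Root X1
============
-----BEGIN CERTIFICATE-----
MIIBplaceholderX1
-----END CERTIFICATE-----

ISRG Root X2
============
-----BEGIN CERTIFICATE-----
MIIBplaceholderX2
-----END CERTIFICATE-----

Example Commercial CA
=====================
-----BEGIN CERTIFICATE-----
MIIBplaceholderCommercial
-----END CERTIFICATE-----
"""

# Assumed allow-list for a "Let's Encrypt and its alternative roots" option.
LETS_ENCRYPT_LABELS = frozenset({"ISRG Root X1", "ISRG Root X2"})


def split_bundle(text):
    """Return (label, pem_block) pairs for every labelled cert in the bundle."""
    return [(m.group("label"), m.group("pem")) for m in CERT_RE.finditer(text)]


def load_custom_dir(custom_dir):
    """Return (label, pem_block) pairs from *.crt / *.pem files in a directory.

    Custom files usually carry no label line, so the file stem is used.
    """
    pairs = []
    for path in sorted(Path(custom_dir).iterdir()):
        if path.suffix not in (".crt", ".pem"):
            continue
        for pem in PEM_RE.findall(path.read_text()):
            pairs.append((path.stem, pem))
    return pairs


def trim_bundle(text, keep_labels, custom_dir=None):
    """Build a reduced bundle and report the size saving.

    Returns a dict with the new bundle text, the labels it contains, and the
    byte counts of the full and trimmed bundles.
    """
    kept = [(label, pem) for label, pem in split_bundle(text) if label in keep_labels]
    if custom_dir is not None:
        kept.extend(load_custom_dir(custom_dir))
    # Re-emit in the same labelled format so the result is itself parseable.
    bundle = "".join(f"{label}\n{'=' * len(label)}\n{pem}\n\n" for label, pem in kept)
    return {
        "bundle": bundle,
        "labels": [label for label, _ in kept],
        "full_bytes": len(text.encode()),
        "trimmed_bytes": len(bundle.encode()),
    }


def demo():
    """Run the trim against the sample bundle plus one constructed custom cert."""
    with tempfile.TemporaryDirectory() as tmp:
        custom = Path(tmp) / "certs"
        custom.mkdir()
        (custom / "local-ca.crt").write_text(
            "-----BEGIN CERTIFICATE-----\nMIIBplaceholderLocal\n-----END CERTIFICATE-----\n"
        )
        return trim_bundle(SAMPLE_BUNDLE, LETS_ENCRYPT_LABELS, custom)


if __name__ == "__main__":
    result = demo()
    print("kept:", ", ".join(result["labels"]))
    print(f"{result['full_bytes']} -> {result['trimmed_bytes']} bytes")
```

Selection is by label only, so the output is only as trustworthy as the bundle it was cut from; on a real build the input would be the generated ca-bundle file and the allow-list would come from the Kconfig choice rather than a constant.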


Re: [PATCH 1/3] build: add libustream and certs to default pkgs

2020-08-28 Thread Petr Štetiar
Karl Palsson  [2020-08-28 09:12:04]:

Hi,

> Doesn't the availability of ustream-*ssl also trigger uhttpd to
> generate self signed certs? 

no, the certs are generated via px5g-mbedtls, so this would need px5g-wolfssl
which is not available so far and needs to be done if we would like to ship
20.y with HTTPS by default.

-- ynezz



Re: [PATCH 1/3] build: add libustream and certs to default pkgs

2020-08-28 Thread Karl Palsson



Paul Spooren  wrote:
> To allow HTTPS usage on a router it requires both certificates
> (ca-bundle) and a fitting libustream library
> (libustream-wolfssl)
> 
> By adding both, uclient-fetch and wget can connect to encrypted
> HTTP.

Doesn't the availability of ustream-*ssl also trigger uhttpd to
generate self signed certs? That's still (IMO) a major step
backwards while browsers still obstinately treat them as
insecure.

That could be _separated_ of course

Sincerely,
Karl Palsson



[PATCH 1/3] build: add libustream and certs to default pkgs

2020-08-27 Thread Paul Spooren
To allow HTTPS usage on a router it requires both certificates
(ca-bundle) and a fitting libustream library (libustream-wolfssl)

By adding both, uclient-fetch and wget can connect to encrypted HTTP.

This allows opkg to update package lists in a more secure fashion.

Suggested-by: Petr Štetiar 
Suggested-by: Baptiste Jonglez 
Signed-off-by: Paul Spooren 
---
 include/target.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/target.mk b/include/target.mk
index 6ed6565bda..b0c563a0ef 100644
--- a/include/target.mk
+++ b/include/target.mk
@@ -13,7 +13,7 @@ __target_inc=1
 DEVICE_TYPE?=router
 
 # Default packages - the really basic set
-DEFAULT_PACKAGES:=base-files libc libgcc busybox dropbear mtd uci opkg netifd 
fstools uclient-fetch logd urandom-seed urngd
+DEFAULT_PACKAGES:=base-files busybox ca-bundle dropbear fstools libc libgcc 
logd libustream-wolfssl mtd netifd opkg uci uclient-fetch urandom-seed urngd
 # For the basic set
 DEFAULT_PACKAGES.basic:=
 # For nas targets
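Review bot: the DEFAULT_PACKAGES line is alphabetised in the same hunk that adds ca-bundle and libustream-wolfssl, so the whole-line rewrite hides which two names are new; appending the two packages to the existing line (or moving the reorder into a separate commit) would keep the functional change obvious and bisectable. The commit message also states that this lets opkg update package lists more securely, but nothing in the hunk changes the opkg feed URLs to HTTPS; if that happens elsewhere in the series, a sentence saying so belongs in the message. Since the list is commented as "the really basic set", a note on the expected image size growth from ca-bundle and libustream-wolfssl would also help, given the flash-size concern raised in the thread.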
-- 
2.25.1

