Re: [PATCH 1/3] build: add libustream and certs to default pkgs
On 27/08/2020 18:47, Paul Spooren wrote:
> To allow HTTPS usage on a router it requires both certificates
> (ca-bundle) and a fitting libustream library (libustream-wolfssl)
>
> By adding both, uclient-fetch and wget can connect to encrypted HTTP.
> This allows opkg to update package lists in a more secure fashion.

It is also a FLASH pig IMHO: not as bad as, say, openssl, but ca-bundle is still Not Small[tm] :-(

ca-bundle could benefit from some Kconfig-enforced mega diet:

[ ] Let's Encrypt and its alternative roots
[ ] Openwrt.org's packages
[ ] custom path -> (some path where we can add custom certificates, with a default of certs/)
[ ] All other certificates we'd usually package in ca-bundle

Default would be something that gets us all the current certificates in ca-bundle, and maybe just the custom path or LE for the SMALL_FLASH version.

-- 
Henrique de Moraes Holschuh
www.nic.br

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
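The "Kconfig-enforced diet" proposed above boils down to: take the full bundle, keep only the roots a given profile needs (Let's Encrypt, the OpenWrt.org package roots, a custom path), and ship that smaller file. The following is an added illustration of that selection step, not OpenWrt code and not part of this thread. It assumes the bundle uses the cacert.pem layout (a label line and a `====` separator before each PEM block); the certificates and the profile names are constructed placeholders, not real root certificates.

```python
"""Trim a CA bundle to the roots selected by a profile.

Added example for the 'ca-bundle diet' idea; not OpenWrt's ca-bundle
package.  Assumes the curl/Mozilla cacert.pem layout: a label line, a
line of '=' characters, then the PEM block.  All certificate bodies
and the OpenWrt label below are constructed placeholders.
"""
import re

# Constructed sample bundle: fake PEM bodies, cacert.pem-style layout.
SAMPLE_BUNDLE = """\
ISRG Root X1
============
-----BEGIN CERTIFICATE-----
QUFB
-----END CERTIFICATE-----

Example Vendor Root
===================
-----BEGIN CERTIFICATE-----
QkJC
-----END CERTIFICATE-----

OpenWrt Packages Root (constructed)
===================================
-----BEGIN CERTIFICATE-----
Q0ND
-----END CERTIFICATE-----
"""

# Profiles mirroring the proposed Kconfig choices (assumed names).
PROFILES = {
    "letsencrypt": {"ISRG Root X1"},
    "openwrt": {"OpenWrt Packages Root (constructed)"},
}

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def parse_bundle(text):
    """Return a list of (label, pem) pairs found in a bundle."""
    entries = []
    for m in PEM_RE.finditer(text):
        # The label is the last non-empty, non-separator line before the
        # PEM block; stop at a previous PEM footer so unlabelled certs
        # get label None instead of inheriting the previous entry.
        label = None
        for line in reversed(text[:m.start()].rstrip().splitlines()):
            line = line.strip()
            if not line or set(line) <= {"="}:
                continue
            if line.startswith("-----"):
                break
            label = line
            break
        entries.append((label, m.group(0)))
    return entries


def trim_bundle(text, wanted_labels):
    """Keep only certificates whose label is in wanted_labels."""
    kept = [(lbl, pem) for lbl, pem in parse_bundle(text) if lbl in wanted_labels]
    return "\n".join(f"{lbl}\n{'=' * len(lbl)}\n{pem}\n" for lbl, pem in kept)


def build_profile(text, profile_names, extra_labels=()):
    """Union the selected profiles (plus any 'custom path' labels) and trim."""
    wanted = set(extra_labels)
    for name in profile_names:
        wanted |= PROFILES[name]
    return trim_bundle(text, wanted)


def count_certs(text):
    """Number of PEM certificate blocks in a bundle."""
    return len(PEM_RE.findall(text))


if __name__ == "__main__":
    small = build_profile(SAMPLE_BUNDLE, ["letsencrypt"])
    print(f"full bundle: {count_certs(SAMPLE_BUNDLE)} certs, "
          f"letsencrypt profile: {count_certs(small)} cert(s)")
```

The `extra_labels` argument plays the role of the "custom path" option: labels read from a site-local directory can be merged with a profile without editing the profile table. The trimmed output keeps the same label/separator layout, so it can be fed back through `parse_bundle` or dropped in place of the full file.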
Re: [PATCH 1/3] build: add libustream and certs to default pkgs
Karl Palsson [2020-08-28 09:12:04]:

Hi,

> Doesn't the availability of ustream-*ssl also trigger uhttpd to
> generate self signed certs?

No, the certs are generated via px5g-mbedtls, so this would need px5g-wolfssl, which is not available so far and needs to be done if we would like to ship 20.y with HTTPS by default.

-- 
ynezz
Re: [PATCH 1/3] build: add libustream and certs to default pkgs
Paul Spooren wrote:
> To allow HTTPS usage on a router it requires both certificates
> (ca-bundle) and a fitting libustream library
> (libustream-wolfssl)
>
> By adding both, uclient-fetch and wget can connect to encrypted
> HTTP.

Doesn't the availability of ustream-*ssl also trigger uhttpd to generate self signed certs?

That's still (IMO) a major step backwards while browsers still obstinately treat them as insecure. That could be _separated_ of course.

Sincerely,
Karl Palsson
[PATCH 1/3] build: add libustream and certs to default pkgs
To allow HTTPS usage on a router it requires both certificates (ca-bundle) and a fitting libustream library (libustream-wolfssl) By adding both, uclient-fetch and wget can connect to encrypted HTTP. This allows opkg to update package lists in a more secure fashion. Suggested-by: Petr Štetiar Suggested-by: Baptiste Jonglez Signed-off-by: Paul Spooren --- include/target.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/target.mk b/include/target.mk index 6ed6565bda..b0c563a0ef 100644 --- a/include/target.mk +++ b/include/target.mk @@ -13,7 +13,7 @@ __target_inc=1 DEVICE_TYPE?=router # Default packages - the really basic set -DEFAULT_PACKAGES:=base-files libc libgcc busybox dropbear mtd uci opkg netifd fstools uclient-fetch logd urandom-seed urngd +DEFAULT_PACKAGES:=base-files busybox ca-bundle dropbear fstools libc libgcc logd libustream-wolfssl mtd netifd opkg uci uclient-fetch urandom-seed urngd # For the basic set DEFAULT_PACKAGES.basic:= # For nas targets -- 2.25.1
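Review bot: The `+DEFAULT_PACKAGES:=` line in the include/target.mk hunk mixes two changes: it adds `ca-bundle` and `libustream-wolfssl`, and it re-sorts the entire list alphabetically, so a two-token functional change shows up as a full-line rewrite and the additions are hard to pick out in `git blame`; keep the existing order for this patch (or put the sort in its own commit) and mention the reorder in the commit message if it stays. If the alphabetical order is kept, `logd` is out of place and `libustream-wolfssl` should precede it (`libc libgcc libustream-wolfssl logd mtd ...`). The commit message also gives no indication of the flash-size impact of shipping a full ca-bundle in every default image, which is the first objection raised in the thread; a sentence on the size delta, or on whether SMALL_FLASH targets get the same default set, would help reviewers judge the trade-off.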