
[OpenWrt-Devel,4/6] openssl: add option to disable PSK support

Message ID 1465468590-1961-6-git-send-email-dirk.feytons@gmail.com
State Changes Requested

Commit Message

Dirk Feytons June 9, 2016, 10:36 a.m. UTC
Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
---
 package/libs/openssl/Config.in |    5 +++++
 package/libs/openssl/Makefile  |    7 ++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

Comments

Karl Palsson June 9, 2016, 11:55 a.m. UTC | #1
This is turning off PSK by default right? I actually use that
option, and it's a relatively common use with mosquitto, which
supports PSK for client auth. Could you leave it on by default
please? PSK, and SRP are badly treated by people who want certs
everywhere, but they're perfectly reasonable, if only people
would remember they exist.

Cheers,
Karl P

Dirk Feytons <dirk.feytons@gmail.com> wrote:
> Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
> ---
>  package/libs/openssl/Config.in |    5 +++++
>  package/libs/openssl/Makefile  |    7 ++++++-
>  2 files changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/package/libs/openssl/Config.in
> b/package/libs/openssl/Config.in index 492b042..47b9fb5 100644
> --- a/package/libs/openssl/Config.in
> +++ b/package/libs/openssl/Config.in
> @@ -30,6 +30,11 @@ config OPENSSL_WITH_NPN
>  	default n
>  	prompt "Enable NPN support"
>  
> +config OPENSSL_WITH_PSK
> +	bool
> +	default n
> +	prompt "Enable PSK support"
> +
>  config OPENSSL_ENGINE_DIGEST
>  	bool
>  	depends on OPENSSL_ENGINE_CRYPTO
> diff --git a/package/libs/openssl/Makefile
> b/package/libs/openssl/Makefile index 61022dc..129061e 100644
> --- a/package/libs/openssl/Makefile
> +++ b/package/libs/openssl/Makefile
> @@ -36,7 +36,8 @@ PKG_CONFIG_DEPENDS:= \
>  	CONFIG_OPENSSL_HARDWARE_SUPPORT \
>  	CONFIG_OPENSSL_WITH_DEPRECATED \
>  	CONFIG_OPENSSL_WITH_COMPRESSION \
> -	CONFIG_OPENSSL_WITH_NPN
> +	CONFIG_OPENSSL_WITH_NPN \
> +	CONFIG_OPENSSL_WITH_PSK
>  
>  include $(INCLUDE_DIR)/package.mk
>  
> @@ -137,6 +138,10 @@ ifndef CONFIG_OPENSSL_WITH_NPN
>    OPENSSL_OPTIONS += no-nextprotoneg
>  endif
>  
> +ifndef CONFIG_OPENSSL_WITH_PSK
> +  OPENSSL_OPTIONS += no-psk
> +endif
> +
>  ifeq ($(CONFIG_x86_64),y)
>    OPENSSL_TARGET:=linux-x86_64-openwrt
>    OPENSSL_MAKEFLAGS += LIBDIR=lib
> -- 
> 1.7.9.5
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Dirk Feytons June 9, 2016, 12:45 p.m. UTC | #2
On 9 June 2016 at 13:55, Karl Palsson <karlp@tweak.net.au> wrote:
>
> This is turning off PSK by default right? I actually use that
> option, and it's a relatively common use with mosquitto, which
> supports PSK for client auth. Could you leave it on by default
> please? PSK, and SRP are badly treated by people who want certs
> everywhere, but they're perfectly reasonable, if only people
> would remember they exist.

Yes, PSK would be off by default. My reasoning was that OpenSSL is
most often used for traditional HTTPS with certs and the default
OpenSSL would support that but not (much) more.
I know that Mosquitto requires it (IIRC it also needs
CONFIG_OPENSSL_WITH_DEPRECATED but that's still enabled by default).
I'm working on a patch for Mosquitto to depend on
CONFIG_OPENSSL_WITH_PSK and CONFIG_OPENSSL_WITH_DEPRECATED. Would that
be OK for you or do you still want the default for PSK to be 'y'?

>
> Cheers,
> Karl P
>
> Dirk Feytons <dirk.feytons@gmail.com> wrote:
>> Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
>> ---
>>  package/libs/openssl/Config.in |    5 +++++
>>  package/libs/openssl/Makefile  |    7 ++++++-
>>  2 files changed, 11 insertions(+), 1 deletion(-)
>>
>> diff --git a/package/libs/openssl/Config.in
>> b/package/libs/openssl/Config.in index 492b042..47b9fb5 100644
>> --- a/package/libs/openssl/Config.in
>> +++ b/package/libs/openssl/Config.in
>> @@ -30,6 +30,11 @@ config OPENSSL_WITH_NPN
>>       default n
>>       prompt "Enable NPN support"
>>
>> +config OPENSSL_WITH_PSK
>> +     bool
>> +     default n
>> +     prompt "Enable PSK support"
>> +
>>  config OPENSSL_ENGINE_DIGEST
>>       bool
>>       depends on OPENSSL_ENGINE_CRYPTO
>> diff --git a/package/libs/openssl/Makefile
>> b/package/libs/openssl/Makefile index 61022dc..129061e 100644
>> --- a/package/libs/openssl/Makefile
>> +++ b/package/libs/openssl/Makefile
>> @@ -36,7 +36,8 @@ PKG_CONFIG_DEPENDS:= \
>>       CONFIG_OPENSSL_HARDWARE_SUPPORT \
>>       CONFIG_OPENSSL_WITH_DEPRECATED \
>>       CONFIG_OPENSSL_WITH_COMPRESSION \
>> -     CONFIG_OPENSSL_WITH_NPN
>> +     CONFIG_OPENSSL_WITH_NPN \
>> +     CONFIG_OPENSSL_WITH_PSK
>>
>>  include $(INCLUDE_DIR)/package.mk
>>
>> @@ -137,6 +138,10 @@ ifndef CONFIG_OPENSSL_WITH_NPN
>>    OPENSSL_OPTIONS += no-nextprotoneg
>>  endif
>>
>> +ifndef CONFIG_OPENSSL_WITH_PSK
>> +  OPENSSL_OPTIONS += no-psk
>> +endif
>> +
>>  ifeq ($(CONFIG_x86_64),y)
>>    OPENSSL_TARGET:=linux-x86_64-openwrt
>>    OPENSSL_MAKEFLAGS += LIBDIR=lib
>> --
>> 1.7.9.5
Karl Palsson June 9, 2016, 12:50 p.m. UTC | #3
Dirk Feytons <dirk.feytons@gmail.com> wrote:
> On 9 June 2016 at 13:55, Karl Palsson <karlp@tweak.net.au>
> wrote:
> >
> > This is turning off PSK by default right? I actually use that
> > option, and it's a relatively common use with mosquitto, which
> > supports PSK for client auth. Could you leave it on by default
> > please? PSK, and SRP are badly treated by people who want certs
> > everywhere, but they're perfectly reasonable, if only people
> > would remember they exist.
> 
> Yes, PSK would be off by default. My reasoning was that OpenSSL
> is most often used for traditional HTTPS with certs and the
> default OpenSSL would support that but not (much) more. I know
> that Mosquitto requires it (IIRC it also needs
> CONFIG_OPENSSL_WITH_DEPRECATED but that's still enabled by
> default). I'm working on a patch for Mosquitto to depend on
> CONFIG_OPENSSL_WITH_PSK and CONFIG_OPENSSL_WITH_DEPRECATED.
> Would that be OK for you or do you still want the default for
> PSK to be 'y'?

Can people still do opkg install mosquitto-ssl? If they have to
recompile their own image, I think it's a no-go

Cheers,
Karl P
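The mismatch Karl raises (a prebuilt mosquitto-ssl installed with opkg onto an image whose libopenssl was built with these defaults) can be caught on the build side before an image ships. The script below is an added example, not code from the patch or from OpenWrt: it parses a .config the way Kconfig writes it, derives the OpenSSL Configure `no-*` options by the same `ifndef` rule as the patched Makefile (a symbol absent from .config counts as unset), and lists packages whose OpenSSL feature needs are unmet. The package table and the sample .config are constructed; mosquitto-ssl needing PSK and DEPRECATED is taken from the thread, the COMPRESSION and DEPRECATED option mappings are assumed to follow the pattern of the PSK and NPN hunks, and uhttpd-mod-tls is a hypothetical entry.

```python
"""Consistency check: OpenWrt OpenSSL feature options versus the packages
that need them.

Added example, not code from the patch or from OpenWrt.  The mapping of
CONFIG_OPENSSL_WITH_* symbols to OpenSSL Configure "no-*" options mirrors
the `ifndef CONFIG_... / OPENSSL_OPTIONS += no-...` pattern in the patched
Makefile; the package -> required-symbols table is constructed.
"""
import re

# CONFIG symbol -> Configure option the Makefile appends when the symbol is
# unset.  PSK and NPN are visible in the patch; COMPRESSION and DEPRECATED
# are assumed to follow the same pattern.
OPTION_WHEN_UNSET = {
    "CONFIG_OPENSSL_WITH_PSK": "no-psk",
    "CONFIG_OPENSSL_WITH_NPN": "no-nextprotoneg",
    "CONFIG_OPENSSL_WITH_COMPRESSION": "no-comp",
    "CONFIG_OPENSSL_WITH_DEPRECATED": "no-deprecated",
}

# Constructed consumer table: package -> OpenSSL config symbols it needs.
# mosquitto-ssl's needs come from the thread; uhttpd-mod-tls is hypothetical.
PACKAGE_NEEDS = {
    "mosquitto-ssl": {"CONFIG_OPENSSL_WITH_PSK", "CONFIG_OPENSSL_WITH_DEPRECATED"},
    "uhttpd-mod-tls": set(),  # plain cert-based HTTPS, no extra features
}

_SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_-]+)=(y|m)\s*$")
_UNSET_RE = re.compile(r"^#\s*(CONFIG_[A-Za-z0-9_-]+) is not set\s*$")


def parse_dot_config(text):
    """Return {symbol: True/False} from .config lines.

    Kconfig writes enabled bools as `CONFIG_X=y` and disabled ones as
    `# CONFIG_X is not set`; string and int values are ignored here.
    """
    cfg = {}
    for line in text.splitlines():
        m = _SET_RE.match(line)
        if m:
            cfg[m.group(1)] = True
            continue
        m = _UNSET_RE.match(line)
        if m:
            cfg[m.group(1)] = False
    return cfg


def configure_options(cfg):
    """Reproduce the Makefile's `ifndef` logic: a symbol missing from .config
    is treated exactly like one marked 'is not set'."""
    return sorted(opt for sym, opt in OPTION_WHEN_UNSET.items()
                  if not cfg.get(sym, False))


def packages_missing_features(cfg, needs=PACKAGE_NEEDS):
    """Map each package to the OpenSSL symbols it needs that are unset."""
    report = {}
    for pkg, syms in needs.items():
        missing = sorted(s for s in syms if not cfg.get(s, False))
        if missing:
            report[pkg] = missing
    return report


# Constructed .config fragment reflecting the defaults this patch produces.
SAMPLE_CONFIG = """\
CONFIG_PACKAGE_libopenssl=y
CONFIG_OPENSSL_WITH_DEPRECATED=y
# CONFIG_OPENSSL_WITH_COMPRESSION is not set
# CONFIG_OPENSSL_WITH_NPN is not set
# CONFIG_OPENSSL_WITH_PSK is not set
CONFIG_PACKAGE_mosquitto-ssl=y
"""

if __name__ == "__main__":
    cfg = parse_dot_config(SAMPLE_CONFIG)
    print("OPENSSL_OPTIONS:", " ".join(configure_options(cfg)))
    for pkg, missing in packages_missing_features(cfg).items():
        print(f"{pkg}: needs {', '.join(missing)} but libopenssl is built without it")
```

Run against a real .config the report is the list of packages a release builder would have to rebuild, or whose DEPENDS need the OpenSSL config symbol, before the default flip is safe.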

Patch

diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index 492b042..47b9fb5 100644
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -30,6 +30,11 @@  config OPENSSL_WITH_NPN
 	default n
 	prompt "Enable NPN support"
 
+config OPENSSL_WITH_PSK
+	bool
+	default n
+	prompt "Enable PSK support"
+
 config OPENSSL_ENGINE_DIGEST
 	bool
 	depends on OPENSSL_ENGINE_CRYPTO
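Review bot: `default n` on OPENSSL_WITH_PSK changes what the prebuilt libopenssl package contains, and the new option carries no help text, so nothing in menuconfig tells a user which packages stop working when it is left off; the thread already names mosquitto's PSK client auth as one. Suggest `default y` so existing images and an opkg-installed mosquitto-ssl keep working, or at minimum a help entry naming the consumers, with each consumer declaring the dependency in its own Makefile rather than relying on the default.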
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 61022dc..129061e 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -36,7 +36,8 @@  PKG_CONFIG_DEPENDS:= \
 	CONFIG_OPENSSL_HARDWARE_SUPPORT \
 	CONFIG_OPENSSL_WITH_DEPRECATED \
 	CONFIG_OPENSSL_WITH_COMPRESSION \
-	CONFIG_OPENSSL_WITH_NPN
+	CONFIG_OPENSSL_WITH_NPN \
+	CONFIG_OPENSSL_WITH_PSK
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -137,6 +138,10 @@  ifndef CONFIG_OPENSSL_WITH_NPN
   OPENSSL_OPTIONS += no-nextprotoneg
 endif
 
+ifndef CONFIG_OPENSSL_WITH_PSK
+  OPENSSL_OPTIONS += no-psk
+endif
+
 ifeq ($(CONFIG_x86_64),y)
   OPENSSL_TARGET:=linux-x86_64-openwrt
   OPENSSL_MAKEFLAGS += LIBDIR=lib
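Review bot: `no-psk` removes more than the PSK ciphersuites: OpenSSL compiles the PSK callback API (SSL_CTX_set_psk_client_callback and its server-side counterpart) out under OPENSSL_NO_PSK, so a mosquitto-ssl built against a PSK-enabled tree and installed with opkg onto an image whose libopenssl was configured this way fails with an unresolved symbol at load time, not with a handshake error at connect time. That is the concrete form of the opkg concern raised in the thread; if the default stays `n`, the dependent packages need their config dependency in place before this hunk lands, and the ABI difference is an argument for keeping the prebuilt library feature-complete.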