[3/3] treewide: switch to HTTPS by default

Message ID: 20200724142940.5264-4-ynezz@true.cz
State: Superseded
Delegated to: Petr Štetiar
Series: Support TLS/SSL and WPA3-Personal/SAE by default

Commit Message

Petr Štetiar July 24, 2020, 2:29 p.m. UTC
As there is now WolfSSL included by default due to SAE/WPA3 we can
finally switch to TLS/SSL in other parts as well.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
---
 README             | 2 +-
 include/target.mk  | 6 +++++-
 include/version.mk | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

Comments

Henrique de Moraes Holschuh July 24, 2020, 4:02 p.m. UTC | #1
On 24/07/2020 11:29, Petr Štetiar wrote:
> As there is now WolfSSL included by default due to SAE/WPA3 we can
> finally switch to TLS/SSL in other parts as well.

> +DEFAULT_PACKAGES:= \
> +	base-files libc libgcc busybox dropbear mtd uci opkg netifd \
> +	fstools uclient-fetch logd urandom-seed urngd libustream-wolfssl \
> +	ca-certificates

Can we fix anything that requires ca-bundle and consider that a bug that 
blocks new packages from being accepted?  Because ca-certificates + 
ca-bundle on the same system is really awful FLASH-wise.

Alternatively, fix anything that requires ca-certificates and keep 
ca-bundle.  The issue is not which one is used (IMHO): as far as I am 
concerned, either one is fine as long as we never need *both* at the 
same time.
Paul Spooren July 25, 2020, 10:45 p.m. UTC | #2
On 24.07.20 04:29, Petr Štetiar wrote:
> As there is now WolfSSL included by default due to SAE/WPA3 we can
> finally switch to TLS/SSL in other parts as well.
>
> Signed-off-by: Petr Štetiar <ynezz@true.cz>
> ---
>   README             | 2 +-
>   include/target.mk  | 6 +++++-
>   include/version.mk | 2 +-
>   3 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/README b/README
> index c867c1fa4da8..d5c4ae3ec8e0 100644
> --- a/README
> +++ b/README
> @@ -29,6 +29,6 @@ chosen applications for your target system.
>   
>   Sunshine!
>   	Your OpenWrt Community
> -	http://www.openwrt.org
> +	https://www.openwrt.org
>   
>   
> diff --git a/include/target.mk b/include/target.mk
> index 6ed6565bdaa2..3eae957cf75b 100644
> --- a/include/target.mk
> +++ b/include/target.mk
> @@ -13,7 +13,11 @@ __target_inc=1
>   DEVICE_TYPE?=router
>   
>   # Default packages - the really basic set
> -DEFAULT_PACKAGES:=base-files libc libgcc busybox dropbear mtd uci opkg netifd fstools uclient-fetch logd urandom-seed urngd
> +DEFAULT_PACKAGES:= \
> +	base-files libc libgcc busybox dropbear mtd uci opkg netifd \
> +	fstools uclient-fetch logd urandom-seed urngd libustream-wolfssl \
> +	ca-certificates
> +
>   # For the basic set
>   DEFAULT_PACKAGES.basic:=
>   # For nas targets
> diff --git a/include/version.mk b/include/version.mk
> index 7d3c1ad6400f..b7f42e13bb1b 100644
> --- a/include/version.mk
> +++ b/include/version.mk
> @@ -32,7 +32,7 @@ VERSION_CODE:=$(call qstrip,$(CONFIG_VERSION_CODE))
>   VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),$(REVISION))
>   
>   VERSION_REPO:=$(call qstrip,$(CONFIG_VERSION_REPO))
> -VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/snapshots)
> +VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),https://downloads.openwrt.org/snapshots)
>   
>   VERSION_DIST:=$(call qstrip,$(CONFIG_VERSION_DIST))
>   VERSION_DIST:=$(if $(VERSION_DIST),$(VERSION_DIST),OpenWrt)

Exciting! Encrypted opkg downloads per default!

Tested-by: Paul Spooren <mail@aparcar.org>
Petr Štetiar July 27, 2020, 9 a.m. UTC | #3
Henrique de Moraes Holschuh <henrique@nic.br> [2020-07-24 13:02:30]:

> On 24/07/2020 11:29, Petr Štetiar wrote:
> > As there is now WolfSSL included by default due to SAE/WPA3 we can
> > finally switch to TLS/SSL in other parts as well.
> 
> > +DEFAULT_PACKAGES:= \
> > +	base-files libc libgcc busybox dropbear mtd uci opkg netifd \
> > +	fstools uclient-fetch logd urandom-seed urngd libustream-wolfssl \
> > +	ca-certificates
> 
> Can we fix anything that requires ca-bundle and consider that a bug that
> blocks new packages from being accepted?  Because ca-certificates +
> ca-bundle on the same system is really awful FLASH-wise.
> 
> Alternatively, fix anything that requires ca-certificates and keep
> ca-bundle.  The issue is not which one is used (IMHO): as far as I am
> concerned, either one is fine as long as we never need *both* at the same
> time.

I've looked at it and it seems to me that ca-bundle makes more sense. It's
smaller and already used in curl and in hostapd for EAP (both having hardcoded
path to the ca-bundle file).

Those packages are using ca-certificates:

 admin/openwisp-config
 devel/asu
 multimedia/youtube-dl
 net/esniper
 net/gnunet
 net/inadyn
 utils/docker-ce

and those ca-bundle:

 libs/measurement-kit
 mail/msmtp
 net/acme
 net/adblock
 net/banip
 net/dnscrypt-proxy2
 net/https-dns-proxy
 net/lynx
 net/netifyd
 net/nextdns
 net/noddos
 utils/cache-domains

So I assume you either install ca-certificates or add support for the
ca-bundle to the corresponding application in order to avoid wasting the flash
space.

-- ynezz
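One way to produce the package audit Petr describes in #3, and to catch the situation Henrique objects to in #1 (ca-certificates and ca-bundle both ending up in one image), as an added example that is not part of the thread, the patch or the OpenWrt tree: a POSIX shell script that scans a feed tree for DEPENDS lines pulling in either CA package and checks an installed-package list for both. The feed tree, the package names' DEPENDS values and the version strings it works on are constructed for the demo; real OpenWrt feeds and `opkg list-installed` output have the same shape.

```shell
#!/bin/sh
# Added example, not code from the patch, the thread or the OpenWrt tree.
# Audits a package feed for DEPENDS on ca-certificates / ca-bundle and
# flags an image whose installed-package list carries both CA stores.

# Build a small constructed feed in the OpenWrt layout
# <feed>/<section>/<pkg>/Makefile with a "+pkg" style DEPENDS line.
make_demo_feed() {
    feed=$(mktemp -d)
    add_pkg() {  # add_pkg <section/pkg> <DEPENDS value>
        mkdir -p "$feed/$1"
        printf 'PKG_NAME:=%s\n  DEPENDS:=%s\n' "${1##*/}" "$2" > "$feed/$1/Makefile"
    }
    add_pkg net/inadyn  '+libopenssl +ca-certificates'   # constructed
    add_pkg mail/msmtp  '+libopenssl +ca-bundle'         # constructed
    add_pkg net/acme    '+wget-ssl +ca-bundle'           # constructed
    add_pkg utils/hello '+libc'                          # no CA store at all
    echo "$feed"
}

# Print "<section/pkg> <ca-package>" for every Makefile whose DEPENDS
# pulls in a CA store, sorted by path.  Handles the plain "+ca-bundle"
# form and the conditional "+COND:ca-bundle" form.
scan_ca_deps() {  # scan_ca_deps <feed-dir>
    find "$1" -name Makefile | sort | while read -r mkfile; do
        rel=${mkfile#"$1/"}
        rel=${rel%/Makefile}
        grep -E '^[[:space:]]*DEPENDS' "$mkfile" \
            | grep -oE '[+:](ca-certificates|ca-bundle)' \
            | sed "s|^[+:]|$rel |"
    done
}

# Given an installed-package list in the shape of `opkg list-installed`
# ("name - version" per line), succeed only if at most one CA store is
# present: the thread's rule is that no image should ever need both.
check_single_ca_store() {  # check_single_ca_store <list-file>
    have_certs=$(grep -c '^ca-certificates - ' "$1" || true)
    have_bundle=$(grep -c '^ca-bundle - ' "$1" || true)
    if [ "$have_certs" -gt 0 ] && [ "$have_bundle" -gt 0 ]; then
        echo "both ca-certificates and ca-bundle installed: drop one" >&2
        return 1
    fi
    return 0
}

# Demo run on the constructed inputs.
demo_feed=$(make_demo_feed)
scan_ca_deps "$demo_feed"
demo_list=$(mktemp)
# constructed list (package versions invented), as `opkg list-installed` prints it
printf 'ca-bundle - 20200601-1\nca-certificates - 20200601-1\nlibustream-wolfssl - 2020-03-26-1\n' > "$demo_list"
check_single_ca_store "$demo_list" || echo "image wastes flash on two CA stores"
rm -rf "$demo_feed" "$demo_list"
```

Pointing `scan_ca_deps` at a checkout of the packages feed gives the two lists from the message above in one pass; running `check_single_ca_store` against the package list of a built image is the cheap guard against the double-CA-store case.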
Yousong Zhou July 27, 2020, 10:16 a.m. UTC | #4
On Mon, 27 Jul 2020 at 17:03, Petr Štetiar <ynezz@true.cz> wrote:
>
> Henrique de Moraes Holschuh <henrique@nic.br> [2020-07-24 13:02:30]:
>
> > On 24/07/2020 11:29, Petr Štetiar wrote:
> > > As there is now WolfSSL included by default due to SAE/WPA3 we can
> > > finally switch to TLS/SSL in other parts as well.
> >
> > > +DEFAULT_PACKAGES:= \
> > > +   base-files libc libgcc busybox dropbear mtd uci opkg netifd \
> > > +   fstools uclient-fetch logd urandom-seed urngd libustream-wolfssl \
> > > +   ca-certificates
> >
> > Can we fix anything that requires ca-bundle and consider that a bug that
> > blocks new packages from being accepted?  Because ca-certificates +
> > ca-bundle on the same system is really awful FLASH-wise.
> >
> > Alternatively, fix anything that requires ca-certificates and keep
> > ca-bundle.  The issue is not which one is used (IMHO): as far as I am
> > concerned, either one is fine as long as we never need *both* at the same
> > time.
>
> I've looked at it and it seems to me that ca-bundle makes more sense. It's
> smaller and already used in curl and in hostapd for EAP (both having hardcoded
> path to the ca-bundle file).
>
> Those packages are using ca-certificates:
>
>  admin/openwisp-config
>  devel/asu
>  multimedia/youtube-dl
>  net/esniper
>  net/gnunet
>  net/inadyn
>  utils/docker-ce
>
> and those ca-bundle:
>
>  libs/measurement-kit
>  mail/msmtp
>  net/acme
>  net/adblock
>  net/banip
>  net/dnscrypt-proxy2
>  net/https-dns-proxy
>  net/lynx
>  net/netifyd
>  net/nextdns
>  net/noddos
>  utils/cache-domains
>
> So I assume you either install ca-certificates or add support for the
> ca-bundle to the corresponding application in order to avoid wasting the flash
> space.

Libopenssl can work with both out of the box.  Likely those packages
specifying "ca-certificates" as a dependency can switch to "ca-bundle"
seamlessly.

On CentOS, "ca-certificates" actually only contains the bundle.  Maybe
we can also remove "ca-certificates" and patch out relevant code in
openssl ;)

➜  ~ rpm -ql ca-certificates
/etc/pki/ca-trust
/etc/pki/ca-trust/README
/etc/pki/ca-trust/ca-legacy.conf
/etc/pki/ca-trust/extracted
/etc/pki/ca-trust/extracted/README
/etc/pki/ca-trust/extracted/java
/etc/pki/ca-trust/extracted/java/README
/etc/pki/ca-trust/extracted/java/cacerts
/etc/pki/ca-trust/extracted/openssl
/etc/pki/ca-trust/extracted/openssl/README
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/ca-trust/extracted/pem
/etc/pki/ca-trust/extracted/pem/README
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/pki/ca-trust/source
/etc/pki/ca-trust/source/README
/etc/pki/ca-trust/source/anchors
/etc/pki/ca-trust/source/blacklist
/etc/pki/ca-trust/source/ca-bundle.legacy.crt
/etc/pki/java
/etc/pki/java/cacerts
/etc/pki/tls
/etc/pki/tls/cert.pem
/etc/pki/tls/certs
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt
/etc/ssl
/etc/ssl/certs
/usr/bin/ca-legacy
/usr/bin/update-ca-trust
/usr/share/doc/ca-certificates-2020.2.41/README
/usr/share/man/man8/ca-legacy.8.gz
/usr/share/man/man8/update-ca-trust.8.gz
/usr/share/pki
/usr/share/pki/ca-trust-legacy
/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
/usr/share/pki/ca-trust-source
/usr/share/pki/ca-trust-source/README
/usr/share/pki/ca-trust-source/anchors
/usr/share/pki/ca-trust-source/blacklist
/usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
Patch

diff --git a/README b/README
index c867c1fa4da8..d5c4ae3ec8e0 100644
--- a/README
+++ b/README
@@ -29,6 +29,6 @@  chosen applications for your target system.
 
 Sunshine!
 	Your OpenWrt Community
-	http://www.openwrt.org
+	https://www.openwrt.org
 
 
diff --git a/include/target.mk b/include/target.mk
index 6ed6565bdaa2..3eae957cf75b 100644
--- a/include/target.mk
+++ b/include/target.mk
@@ -13,7 +13,11 @@  __target_inc=1
 DEVICE_TYPE?=router
 
 # Default packages - the really basic set
-DEFAULT_PACKAGES:=base-files libc libgcc busybox dropbear mtd uci opkg netifd fstools uclient-fetch logd urandom-seed urngd
+DEFAULT_PACKAGES:= \
+	base-files libc libgcc busybox dropbear mtd uci opkg netifd \
+	fstools uclient-fetch logd urandom-seed urngd libustream-wolfssl \
+	ca-certificates
+
 # For the basic set
 DEFAULT_PACKAGES.basic:=
 # For nas targets
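Review bot: the commit message covers only the http to https switch, but this hunk also grows the default package set with libustream-wolfssl and ca-certificates; state that, and the resulting image-size cost, in the message. Given Henrique's point in #1 that an image should never need both ca-certificates and ca-bundle, and Petr's observation in #3 that ca-bundle is smaller and already what curl and hostapd use, the choice of ca-certificates here deserves a justification in the commit message or a follow-up that settles on one CA package. The added empty `+` line before `# For the basic set` is fine for readability but is an unrelated whitespace change.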
diff --git a/include/version.mk b/include/version.mk
index 7d3c1ad6400f..b7f42e13bb1b 100644
--- a/include/version.mk
+++ b/include/version.mk
@@ -32,7 +32,7 @@  VERSION_CODE:=$(call qstrip,$(CONFIG_VERSION_CODE))
 VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),$(REVISION))
 
 VERSION_REPO:=$(call qstrip,$(CONFIG_VERSION_REPO))
-VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/snapshots)
+VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),https://downloads.openwrt.org/snapshots)
 
 VERSION_DIST:=$(call qstrip,$(CONFIG_VERSION_DIST))
 VERSION_DIST:=$(if $(VERSION_DIST),$(VERSION_DIST),OpenWrt)
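Review bot: this only changes the fallback used when CONFIG_VERSION_REPO is unset, so a .config that already sets an http:// URL keeps plain HTTP; worth spelling out in the commit message. Fetching from the new https:// default also depends on libustream-wolfssl and a CA package being present in the image, which the target.mk hunk provides through DEFAULT_PACKAGES; an image profile that strips those from its package list would ship an opkg unable to reach this default repository, so that coupling should be documented alongside the change.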