
[LEDE-DEV,opkg-lede] opkg: add --force-ssl argument

Message ID 1494514783-28782-1-git-send-email-ardeleanalex@gmail.com
State Superseded

Commit Message

Alexandru Ardelean May 11, 2017, 2:59 p.m. UTC
For cases where artifacts are stored at an https://-accessible
location and you don't want to install ca-certificates
(for various reasons).

I'll admit, using SSL like this is not recommended,
but since wget (even uclient-fetch) allows the
--no-check-certificate option, it would be nice
for opkg to support setting it if needed/configured.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
---
 libopkg/opkg_conf.c     | 1 +
 libopkg/opkg_conf.h     | 1 +
 libopkg/opkg_download.c | 5 ++++-
 src/opkg-cl.c           | 6 ++++++
 4 files changed, 12 insertions(+), 1 deletion(-)

Comments

Etienne Champetier May 11, 2017, 3:13 p.m. UTC | #1
Hi Alexandru,

2017-05-11 7:59 GMT-07:00 Alexandru Ardelean <ardeleanalex@gmail.com>:
> For cases when artifacts are stored on https:// accessible
> location and you don't want to install ca-certificates
> (for various reasons).
>
> I'll admit, using SSL like this is not recommended,
> but since wget (even uclient-fetch) allows the
> --no-check-certificate option, it would be nice
> for opkg to support setting it if needed/configured.

Why not name this option --no-check-certificate then ?

Regards
Etienne

>
> Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
> ---
>  libopkg/opkg_conf.c     | 1 +
>  libopkg/opkg_conf.h     | 1 +
>  libopkg/opkg_download.c | 5 ++++-
>  src/opkg-cl.c           | 6 ++++++
>  4 files changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/libopkg/opkg_conf.c b/libopkg/opkg_conf.c
> index 589fc49..1890145 100644
> --- a/libopkg/opkg_conf.c
> +++ b/libopkg/opkg_conf.c
> @@ -54,6 +54,7 @@ opkg_option_t options[] = {
>         {"force_postinstall", OPKG_OPT_TYPE_BOOL, &_conf.force_postinstall},
>         {"force_checksum", OPKG_OPT_TYPE_BOOL, &_conf.force_checksum},
>         {"check_signature", OPKG_OPT_TYPE_BOOL, &_conf.check_signature},
> +       {"force_ssl", OPKG_OPT_TYPE_BOOL, &_conf.force_ssl},
>         {"ftp_proxy", OPKG_OPT_TYPE_STRING, &_conf.ftp_proxy},
>         {"http_proxy", OPKG_OPT_TYPE_STRING, &_conf.http_proxy},
>         {"no_proxy", OPKG_OPT_TYPE_STRING, &_conf.no_proxy},
> diff --git a/libopkg/opkg_conf.h b/libopkg/opkg_conf.h
> index 9cf7681..a8c4a9e 100644
> --- a/libopkg/opkg_conf.h
> +++ b/libopkg/opkg_conf.h
> @@ -78,6 +78,7 @@ struct opkg_conf {
>         int force_checksum;
>         int check_signature;
>         int force_signature;
> +       int force_ssl;
>         int nodeps;             /* do not follow dependencies */
>         int nocase;             /* perform case insensitive matching */
>         char *offline_root;
> diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
> index db4c90f..c8e0013 100644
> --- a/libopkg/opkg_download.c
> +++ b/libopkg/opkg_download.c
> @@ -87,11 +87,14 @@ opkg_download(const char *src, const char *dest_file_name,
>
>         {
>                 int res;
> -               const char *argv[8];
> +               const char *argv[9];
>                 int i = 0;
>
>                 argv[i++] = "wget";
>                 argv[i++] = "-q";
> +               if (conf->force_ssl) {
> +                       argv[i++] = "--no-check-certificate";
> +               }
>                 if (conf->http_proxy || conf->ftp_proxy) {
>                         argv[i++] = "-Y";
>                         argv[i++] = "on";
> diff --git a/src/opkg-cl.c b/src/opkg-cl.c
> index c518bfc..77f59ff 100644
> --- a/src/opkg-cl.c
> +++ b/src/opkg-cl.c
> @@ -52,6 +52,7 @@ enum {
>         ARGS_OPT_AUTOREMOVE,
>         ARGS_OPT_CACHE,
>         ARGS_OPT_FORCE_SIGNATURE,
> +       ARGS_OPT_FORCE_SSL,
>         ARGS_OPT_SIZE,
>  };
>
> @@ -91,6 +92,8 @@ static struct option long_options[] = {
>         {"force_checksum", 0, 0, ARGS_OPT_FORCE_CHECKSUM},
>         {"force-signature", 0, 0, ARGS_OPT_FORCE_SIGNATURE},
>         {"force_signature", 0, 0, ARGS_OPT_FORCE_SIGNATURE},
> +       {"force-ssl", 0, 0, ARGS_OPT_FORCE_SSL},
> +       {"force_ssl", 0, 0, ARGS_OPT_FORCE_SSL},
>         {"noaction", 0, 0, ARGS_OPT_NOACTION},
>         {"download-only", 0, 0, ARGS_OPT_DOWNLOAD_ONLY},
>         {"nodeps", 0, 0, ARGS_OPT_NODEPS},
> @@ -226,6 +229,8 @@ static int args_parse(int argc, char *argv[])
>                 case ARGS_OPT_FORCE_SIGNATURE:
>                         conf->force_signature = 1;
>                         break;
> +               case ARGS_OPT_FORCE_SSL:
> +                       conf->force_ssl = 1;
>                 case ':':
>                         parse_err = -1;
>                         break;
> @@ -335,6 +340,7 @@ static void usage()
>         printf
>             ("\t--force-remove  Remove package even if prerm script fails\n");
>         printf("\t--force-checksum      Don't fail on checksum mismatches\n");
> +       printf("\t--force-ssl           Don't validate the server's certificate\n");
>         printf("\t--noaction            No action -- test only\n");
>         printf("\t--download-only       No action -- download only\n");
>         printf("\t--nodeps              Do not follow dependencies\n");
> --
> 2.7.4
>
>
> _______________________________________________
> Lede-dev mailing list
> Lede-dev@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/lede-dev
Jo-Philipp Wich May 11, 2017, 3:15 p.m. UTC | #2
Hi,

>> I'll admit, using SSL like this is not recommended,
>> but since wget (even uclient-fetch) allows the
>> --no-check-certificate option, it would be nice
>> for opkg to support setting it if needed/configured.
> 
> Why not name this option --no-check-certificate then ?

Exactly my thoughts, let's simply pass through --no-check-certificate.

Otherwise, ACK on the suggestion.

~ Jow
Andrew McConachie May 11, 2017, 3:57 p.m. UTC | #3
On 5/11/17 11:13, Etienne Champetier wrote:
> Hi Alexandru,
>
> 2017-05-11 7:59 GMT-07:00 Alexandru Ardelean <ardeleanalex@gmail.com>:
>> For cases when artifacts are stored on https:// accessible
>> location and you don't want to install ca-certificates
>> (for various reasons).
>>
>> I'll admit, using SSL like this is not recommended,
>> but since wget (even uclient-fetch) allows the
>> --no-check-certificate option, it would be nice
>> for opkg to support setting it if needed/configured.
> Why not name this option --no-check-certificate then ?
>
> Regards
> Etienne
>
I agree. --force-ssl sounds like you are forcing the use of SSL, not
that you are skipping a validation check against the local certificate
storage.

I also prefer --no-check-certificate. It makes more sense to me at least.

--Andrew

>> Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
>> ---
>>   libopkg/opkg_conf.c     | 1 +
>>   libopkg/opkg_conf.h     | 1 +
>>   libopkg/opkg_download.c | 5 ++++-
>>   src/opkg-cl.c           | 6 ++++++
>>   4 files changed, 12 insertions(+), 1 deletion(-)
>>
>> diff --git a/libopkg/opkg_conf.c b/libopkg/opkg_conf.c
>> index 589fc49..1890145 100644
>> --- a/libopkg/opkg_conf.c
>> +++ b/libopkg/opkg_conf.c
>> @@ -54,6 +54,7 @@ opkg_option_t options[] = {
>>          {"force_postinstall", OPKG_OPT_TYPE_BOOL, &_conf.force_postinstall},
>>          {"force_checksum", OPKG_OPT_TYPE_BOOL, &_conf.force_checksum},
>>          {"check_signature", OPKG_OPT_TYPE_BOOL, &_conf.check_signature},
>> +       {"force_ssl", OPKG_OPT_TYPE_BOOL, &_conf.force_ssl},
>>          {"ftp_proxy", OPKG_OPT_TYPE_STRING, &_conf.ftp_proxy},
>>          {"http_proxy", OPKG_OPT_TYPE_STRING, &_conf.http_proxy},
>>          {"no_proxy", OPKG_OPT_TYPE_STRING, &_conf.no_proxy},
>> diff --git a/libopkg/opkg_conf.h b/libopkg/opkg_conf.h
>> index 9cf7681..a8c4a9e 100644
>> --- a/libopkg/opkg_conf.h
>> +++ b/libopkg/opkg_conf.h
>> @@ -78,6 +78,7 @@ struct opkg_conf {
>>          int force_checksum;
>>          int check_signature;
>>          int force_signature;
>> +       int force_ssl;
>>          int nodeps;             /* do not follow dependencies */
>>          int nocase;             /* perform case insensitive matching */
>>          char *offline_root;
>> diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
>> index db4c90f..c8e0013 100644
>> --- a/libopkg/opkg_download.c
>> +++ b/libopkg/opkg_download.c
>> @@ -87,11 +87,14 @@ opkg_download(const char *src, const char *dest_file_name,
>>
>>          {
>>                  int res;
>> -               const char *argv[8];
>> +               const char *argv[9];
>>                  int i = 0;
>>
>>                  argv[i++] = "wget";
>>                  argv[i++] = "-q";
>> +               if (conf->force_ssl) {
>> +                       argv[i++] = "--no-check-certificate";
>> +               }
>>                  if (conf->http_proxy || conf->ftp_proxy) {
>>                          argv[i++] = "-Y";
>>                          argv[i++] = "on";
>> diff --git a/src/opkg-cl.c b/src/opkg-cl.c
>> index c518bfc..77f59ff 100644
>> --- a/src/opkg-cl.c
>> +++ b/src/opkg-cl.c
>> @@ -52,6 +52,7 @@ enum {
>>          ARGS_OPT_AUTOREMOVE,
>>          ARGS_OPT_CACHE,
>>          ARGS_OPT_FORCE_SIGNATURE,
>> +       ARGS_OPT_FORCE_SSL,
>>          ARGS_OPT_SIZE,
>>   };
>>
>> @@ -91,6 +92,8 @@ static struct option long_options[] = {
>>          {"force_checksum", 0, 0, ARGS_OPT_FORCE_CHECKSUM},
>>          {"force-signature", 0, 0, ARGS_OPT_FORCE_SIGNATURE},
>>          {"force_signature", 0, 0, ARGS_OPT_FORCE_SIGNATURE},
>> +       {"force-ssl", 0, 0, ARGS_OPT_FORCE_SSL},
>> +       {"force_ssl", 0, 0, ARGS_OPT_FORCE_SSL},
>>          {"noaction", 0, 0, ARGS_OPT_NOACTION},
>>          {"download-only", 0, 0, ARGS_OPT_DOWNLOAD_ONLY},
>>          {"nodeps", 0, 0, ARGS_OPT_NODEPS},
>> @@ -226,6 +229,8 @@ static int args_parse(int argc, char *argv[])
>>                  case ARGS_OPT_FORCE_SIGNATURE:
>>                          conf->force_signature = 1;
>>                          break;
>> +               case ARGS_OPT_FORCE_SSL:
>> +                       conf->force_ssl = 1;
>>                  case ':':
>>                          parse_err = -1;
>>                          break;
>> @@ -335,6 +340,7 @@ static void usage()
>>          printf
>>              ("\t--force-remove  Remove package even if prerm script fails\n");
>>          printf("\t--force-checksum      Don't fail on checksum mismatches\n");
>> +       printf("\t--force-ssl           Don't validate the server's certificate\n");
>>          printf("\t--noaction            No action -- test only\n");
>>          printf("\t--download-only       No action -- download only\n");
>>          printf("\t--nodeps              Do not follow dependencies\n");
>> --
>> 2.7.4
>>
>>
>> _______________________________________________
>> Lede-dev mailing list
>> Lede-dev@lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/lede-dev
> _______________________________________________
> Lede-dev mailing list
> Lede-dev@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/lede-dev

Patch

diff --git a/libopkg/opkg_conf.c b/libopkg/opkg_conf.c
index 589fc49..1890145 100644
--- a/libopkg/opkg_conf.c
+++ b/libopkg/opkg_conf.c
@@ -54,6 +54,7 @@  opkg_option_t options[] = {
 	{"force_postinstall", OPKG_OPT_TYPE_BOOL, &_conf.force_postinstall},
 	{"force_checksum", OPKG_OPT_TYPE_BOOL, &_conf.force_checksum},
 	{"check_signature", OPKG_OPT_TYPE_BOOL, &_conf.check_signature},
+	{"force_ssl", OPKG_OPT_TYPE_BOOL, &_conf.force_ssl},
 	{"ftp_proxy", OPKG_OPT_TYPE_STRING, &_conf.ftp_proxy},
 	{"http_proxy", OPKG_OPT_TYPE_STRING, &_conf.http_proxy},
 	{"no_proxy", OPKG_OPT_TYPE_STRING, &_conf.no_proxy},
diff --git a/libopkg/opkg_conf.h b/libopkg/opkg_conf.h
index 9cf7681..a8c4a9e 100644
--- a/libopkg/opkg_conf.h
+++ b/libopkg/opkg_conf.h
@@ -78,6 +78,7 @@  struct opkg_conf {
 	int force_checksum;
 	int check_signature;
 	int force_signature;
+	int force_ssl;
 	int nodeps;		/* do not follow dependencies */
 	int nocase;		/* perform case insensitive matching */
 	char *offline_root;
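Review bot: The new `force_ssl` member is added without a comment, although the neighbouring `nodeps` and `nocase` members carry one and this flag is security-relevant. Going by the opkg_download.c hunk, it makes wget run with `--no-check-certificate`, so I would document it in place as `int force_ssl;	/* skip TLS certificate validation when downloading */`. The struct definition starts and ends outside this hunk.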
diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
index db4c90f..c8e0013 100644
--- a/libopkg/opkg_download.c
+++ b/libopkg/opkg_download.c
@@ -87,11 +87,14 @@  opkg_download(const char *src, const char *dest_file_name,
 
 	{
 		int res;
-		const char *argv[8];
+		const char *argv[9];
 		int i = 0;
 
 		argv[i++] = "wget";
 		argv[i++] = "-q";
+		if (conf->force_ssl) {
+			argv[i++] = "--no-check-certificate";
+		}
 		if (conf->http_proxy || conf->ftp_proxy) {
 			argv[i++] = "-Y";
 			argv[i++] = "on";
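Review bot: With `--no-check-certificate` on the wget command line, HTTPS no longer authenticates the server, so downloaded files are protected only by opkg's own signature check, and nothing in this block tells the user or ties the two settings together. I would at least log when the flag is active, e.g. `if (conf->force_ssl) opkg_msg(NOTICE, "TLS certificate validation is disabled\n");`, and consider refusing the combination with `check_signature` turned off. The bump to `argv[9]` is a hand-counted bound. The remaining `argv[i++]` assignments are outside this hunk, so it is worth confirming that the worst case, including any terminator, still fits.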
diff --git a/src/opkg-cl.c b/src/opkg-cl.c
index c518bfc..77f59ff 100644
--- a/src/opkg-cl.c
+++ b/src/opkg-cl.c
@@ -52,6 +52,7 @@  enum {
 	ARGS_OPT_AUTOREMOVE,
 	ARGS_OPT_CACHE,
 	ARGS_OPT_FORCE_SIGNATURE,
+	ARGS_OPT_FORCE_SSL,
 	ARGS_OPT_SIZE,
 };
 
@@ -91,6 +92,8 @@  static struct option long_options[] = {
 	{"force_checksum", 0, 0, ARGS_OPT_FORCE_CHECKSUM},
 	{"force-signature", 0, 0, ARGS_OPT_FORCE_SIGNATURE},
 	{"force_signature", 0, 0, ARGS_OPT_FORCE_SIGNATURE},
+	{"force-ssl", 0, 0, ARGS_OPT_FORCE_SSL},
+	{"force_ssl", 0, 0, ARGS_OPT_FORCE_SSL},
 	{"noaction", 0, 0, ARGS_OPT_NOACTION},
 	{"download-only", 0, 0, ARGS_OPT_DOWNLOAD_ONLY},
 	{"nodeps", 0, 0, ARGS_OPT_NODEPS},
@@ -226,6 +229,8 @@  static int args_parse(int argc, char *argv[])
 		case ARGS_OPT_FORCE_SIGNATURE:
 			conf->force_signature = 1;
 			break;
+		case ARGS_OPT_FORCE_SSL:
+			conf->force_ssl = 1;
 		case ':':
 			parse_err = -1;
 			break;
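Review bot: The new `case ARGS_OPT_FORCE_SSL:` has no `break;`, so after setting `conf->force_ssl = 1` control falls through into `case ':'` and sets `parse_err = -1`; passing `--force-ssl` on the command line would then be reported as an argument parsing error. Add `break;` directly after `conf->force_ssl = 1;`. The switch and the rest of `args_parse` lie outside this hunk, so how `parse_err` is acted on afterwards is not visible here.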
@@ -335,6 +340,7 @@  static void usage()
 	printf
 	    ("\t--force-remove	Remove package even if prerm script fails\n");
 	printf("\t--force-checksum	Don't fail on checksum mismatches\n");
+	printf("\t--force-ssl		Don't validate the server's certificate\n");
 	printf("\t--noaction		No action -- test only\n");
 	printf("\t--download-only	No action -- download only\n");
 	printf("\t--nodeps		Do not follow dependencies\n");