
[1/3] build: add libustream and certs to default pkgs

Message ID 20200827214708.915775-1-mail@aparcar.org
State Accepted
Delegated to: Daniel Golle

Commit Message

Paul Spooren Aug. 27, 2020, 9:47 p.m. UTC
To allow HTTPS usage on a router, it requires both certificates
(ca-bundle) and a fitting libustream library (libustream-wolfssl).

By adding both, uclient-fetch and wget can connect to encrypted HTTP.

This allows opkg to update package lists in a more secure fashion.

Suggested-by: Petr Štetiar <ynezz@true.cz>
Suggested-by: Baptiste Jonglez <baptiste@bitsofnetworks.org>
Signed-off-by: Paul Spooren <mail@aparcar.org>
---
 include/target.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Karl Palsson Aug. 28, 2020, 9:12 a.m. UTC | #1
Paul Spooren <mail@aparcar.org> wrote:
> To allow HTTPS usage on a router it requires both certificates
> (ca-bundle) and a fitting libustream library
> (libustream-wolfssl)
> 
> By adding both, uclient-fetch and wget can connect to encrypted
> HTTP.

Doesn't the availability of ustream-*ssl also trigger uhttpd to
generate self signed certs? That's still (IMO) a major step
backwards while browsers still obstinately treat them as
insecure.

That could be _separated_ of course....

Sincerely,
Karl Palsson
Petr Štetiar Aug. 28, 2020, 10:17 a.m. UTC | #2
Karl Palsson <karlp@tweak.net.au> [2020-08-28 09:12:04]:

Hi,

> Doesn't the availability of ustream-*ssl also trigger uhttpd to
> generate self signed certs? 

No, the certs are generated via px5g-mbedtls, so this would need px5g-wolfssl,
which is not available so far and needs to be done if we would like to ship
20.y with HTTPS by default.

-- ynezz
Henrique de Moraes Holschuh Sept. 15, 2020, 9:19 p.m. UTC | #3
On 27/08/2020 18:47, Paul Spooren wrote:
> To allow HTTPS usage on a router it requires both certificates
> (ca-bundle) and a fitting libustream library (libustream-wolfssl)
> 
> By adding both, uclient-fetch and wget can connect to encrypted HTTP.
> 
> This allows opkg to update package lists in a more secure fashion.

It is also a FLASH pig IMHO: not as bad as, say, openssl, but ca-bundle 
is still Not Small[tm] :-(

ca-bundle could benefit from some Kconfig-enforced mega diet:


[ ] Let's Encrypt and its alternative roots
[ ] Openwrt.org's packages
[ ] custom path -> (some path where we can add custom certificates,
     with a default of certs/)
[ ] All other certificates we'd usually package in ca-bundle

Default would be something that gets us all the current certificates in 
ca-bundle, and maybe just the custom path or LE for the SMALL_FLASH version.

Patch

diff --git a/include/target.mk b/include/target.mk
index 6ed6565bda..b0c563a0ef 100644
--- a/include/target.mk
+++ b/include/target.mk
@@ -13,7 +13,7 @@  __target_inc=1
 DEVICE_TYPE?=router
 
 # Default packages - the really basic set
-DEFAULT_PACKAGES:=base-files libc libgcc busybox dropbear mtd uci opkg netifd fstools uclient-fetch logd urandom-seed urngd
+DEFAULT_PACKAGES:=base-files busybox ca-bundle dropbear fstools libc libgcc logd libustream-wolfssl mtd netifd opkg uci uclient-fetch urandom-seed urngd
 # For the basic set
 DEFAULT_PACKAGES.basic:=
 # For nas targets
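Review bot: in the DEFAULT_PACKAGES hunk the two functional additions (ca-bundle and libustream-wolfssl) are buried inside an alphabetical re-sort of the whole list, so the one-line before/after no longer shows what actually changed; either append the two packages to the existing order or move the re-sort into its own commit. The additions are also unconditional, so every target, including small-flash ones, pays the ca-bundle size cost that comment #3 in the thread raises; if a slimmer default is wanted there, this line is where a SMALL_FLASH exclusion or a trimmed ca-bundle variant would have to hook in, and the `# Default packages - the really basic set` comment could say that the two packages exist to give uclient-fetch and opkg HTTPS.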