[PATCH 3/3] treewide: switch to HTTPS by default
Yousong Zhou
yszhou4tech at gmail.com
Mon Jul 27 06:16:15 EDT 2020
On Mon, 27 Jul 2020 at 17:03, Petr Štetiar <ynezz at true.cz> wrote:
>
> Henrique de Moraes Holschuh <henrique at nic.br> [2020-07-24 13:02:30]:
>
> > On 24/07/2020 11:29, Petr Štetiar wrote:
> > > As there is now WolfSSL included by default due to SAE/WPA3 we can
> > > finally switch to TLS/SSL in other parts as well.
> >
> > > +DEFAULT_PACKAGES:= \
> > > + base-files libc libgcc busybox dropbear mtd uci opkg netifd \
> > > + fstools uclient-fetch logd urandom-seed urngd libustream-wolfssl \
> > > + ca-certificates
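Review bot: adding ca-certificates to DEFAULT_PACKAGES in this hunk puts a second trust store onto every default image, because as noted further down in the thread curl and hostapd already hardcode the ca-bundle path; consider listing ca-bundle here instead (or whichever single store libustream-wolfssl actually reads) so a default image never carries both, which is the flash concern raised in the replies.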
> >
> > Can we fix anything that requires ca-bundle and consider that a bug that
> > blocks new packages from being accepted? Because ca-certificates +
> > ca-bundle on the same system is really awful FLASH-wise.
> >
> > Alternatively, fix anything that requires ca-certificates and keep
> > ca-bundle. The issue is not which one is used (IMHO): as far as I am
> > concerned, either one is fine as long as we never need *both* at the same
> > time.
>
> I've looked at it and it seems to me, that ca-bundle makes more sense. It's
> smaller and already used in curl and in hostapd for EAP (both having hardcoded
> path to the ca-bundle file).
>
> Those packages are using ca-certificates:
>
> admin/openwisp-config
> devel/asu
> multimedia/youtube-dl
> net/esniper
> net/gnunet
> net/inadyn
> utils/docker-ce
>
> and those ca-bundle:
>
> libs/measurement-kit
> mail/msmtp
> net/acme
> net/adblock
> net/banip
> net/dnscrypt-proxy2
> net/https-dns-proxy
> net/lynx
> net/netifyd
> net/nextdns
> net/noddos
> utils/cache-domains
>
> So I assume you either install ca-certificates or add support for the
> ca-bundle to the corresponding application in order to avoid wasting the flash
> space.
Libopenssl can work with both out of the box. Likely those packages
specifying "ca-certificates" as a dependency can switch to "ca-bundle"
seamlessly.
On CentOS, "ca-certificates" actually only contains the bundle. Maybe
we can also remove "ca-certificates" and patch out relevant code in
openssl ;)
➜ ~ rpm -ql ca-certificates
/etc/pki/ca-trust
/etc/pki/ca-trust/README
/etc/pki/ca-trust/ca-legacy.conf
/etc/pki/ca-trust/extracted
/etc/pki/ca-trust/extracted/README
/etc/pki/ca-trust/extracted/java
/etc/pki/ca-trust/extracted/java/README
/etc/pki/ca-trust/extracted/java/cacerts
/etc/pki/ca-trust/extracted/openssl
/etc/pki/ca-trust/extracted/openssl/README
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/ca-trust/extracted/pem
/etc/pki/ca-trust/extracted/pem/README
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/pki/ca-trust/source
/etc/pki/ca-trust/source/README
/etc/pki/ca-trust/source/anchors
/etc/pki/ca-trust/source/blacklist
/etc/pki/ca-trust/source/ca-bundle.legacy.crt
/etc/pki/java
/etc/pki/java/cacerts
/etc/pki/tls
/etc/pki/tls/cert.pem
/etc/pki/tls/certs
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt
/etc/ssl
/etc/ssl/certs
/usr/bin/ca-legacy
/usr/bin/update-ca-trust
/usr/share/doc/ca-certificates-2020.2.41/README
/usr/share/man/man8/ca-legacy.8.gz
/usr/share/man/man8/update-ca-trust.8.gz
/usr/share/pki
/usr/share/pki/ca-trust-legacy
/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
/usr/share/pki/ca-trust-source
/usr/share/pki/ca-trust-source/README
/usr/share/pki/ca-trust-source/anchors
/usr/share/pki/ca-trust-source/blacklist
/usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
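As an added example (not code from the thread or from OpenWrt), the following POSIX sh helper classifies an OpenSSL-style trust-store root the way OpenSSL's default verify paths are resolved: a single PEM bundle file, a directory of per-CA files, both, or neither. It assumes the OpenWrt layout discussed above, where ca-bundle installs a bundle as `cert.pem` and ca-certificates installs individual files under `certs/`; the sample trees are constructed in a temporary directory so it runs offline. Reporting `both` is the "wasting flash" case the thread wants to avoid.

```shell
#!/bin/sh
# Added example, not from the thread: classify a trust-store root so a
# package maintainer can see whether an image ships one bundle file,
# a hashed certs directory, both (duplicate trust store), or none.
# Assumed layout (OpenWrt): $root/cert.pem is the ca-bundle file and
# $root/certs/ holds the per-CA files installed by ca-certificates.
trust_store_status() {
    root="$1"
    have_bundle=0
    have_dir=0
    # bundle counts only if the file is present and non-empty
    [ -s "$root/cert.pem" ] && have_bundle=1
    # certs/ counts only if it actually contains entries
    if [ -d "$root/certs" ] && [ -n "$(ls -A "$root/certs" 2>/dev/null)" ]; then
        have_dir=1
    fi
    case "$have_bundle$have_dir" in
        11) echo both ;;
        10) echo bundle ;;
        01) echo dir ;;
        *)  echo none ;;
    esac
}

# Build constructed sample trees under a temp dir and print each verdict.
demo_trust_stores() {
    base=$(mktemp -d)
    mkdir -p "$base/bundle-only" "$base/dir-only/certs" "$base/both/certs" "$base/none"
    # constructed placeholder PEM body, not a real certificate
    printf '%s\n%s\n%s\n' \
        '-----BEGIN CERTIFICATE-----' \
        'MIIBconstructedPlaceholder' \
        '-----END CERTIFICATE-----' > "$base/bundle-only/cert.pem"
    cp "$base/bundle-only/cert.pem" "$base/both/cert.pem"
    cp "$base/bundle-only/cert.pem" "$base/dir-only/certs/example-ca.pem"
    cp "$base/bundle-only/cert.pem" "$base/both/certs/example-ca.pem"
    for t in bundle-only dir-only both none; do
        printf '%s: %s\n' "$t" "$(trust_store_status "$base/$t")"
    done
    rm -rf "$base"
}
```

Run `demo_trust_stores` to see the four verdicts; on a real device, point `trust_store_status` at the directory reported by `openssl version -d` (or at `/etc/ssl` on OpenWrt) and treat `both` as the case where one of the two packages should be dropped.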
More information about the openwrt-devel mailing list