[PATCH 3/3] treewide: switch to HTTPS by default

Yousong Zhou yszhou4tech at gmail.com
Mon Jul 27 06:16:15 EDT 2020


On Mon, 27 Jul 2020 at 17:03, Petr Štetiar <ynezz at true.cz> wrote:
>
> Henrique de Moraes Holschuh <henrique at nic.br> [2020-07-24 13:02:30]:
>
> > On 24/07/2020 11:29, Petr Štetiar wrote:
> > > As there is now WolfSSL included by default due to SAE/WPA3 we can
> > > finally switch to TLS/SSL in other parts as well.
> >
> > > +DEFAULT_PACKAGES:= \
> > > +   base-files libc libgcc busybox dropbear mtd uci opkg netifd \
> > > +   fstools uclient-fetch logd urandom-seed urngd libustream-wolfssl \
> > > +   ca-certificates
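Review bot: the `ca-certificates` entry in the new DEFAULT_PACKAGES list conflicts with the conclusion reached later in this thread that ca-bundle is the better default (it is smaller, and curl and hostapd already hardcode the ca-bundle path), and that shipping both stores on one device wastes flash. Suggest changing `ca-certificates` to `ca-bundle` in this hunk, and pairing it with a pass over the packages listed below that still depend on ca-certificates so that a default image never ends up carrying both.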
> >
> > Can we fix anything that requires ca-bundle and consider that a bug that
> > blocks new packages from being accepted?  Because ca-certificates +
> > ca-bundle on the same system is really awful FLASH-wise.
> >
> > Alternatively, fix anything that requires ca-certificates and keep
> > ca-bundle.  The issue is not which one is used (IMHO): as far as I am
> > concerned, either one is fine as long as we never need *both* at the same
> > time.
>
> I've looked at it and it seems to me that ca-bundle makes more sense. It's
> smaller and already used in curl and in hostapd for EAP (both having a hardcoded
> path to the ca-bundle file).
>
> Those packages are using ca-certificates:
>
>  admin/openwisp-config
>  devel/asu
>  multimedia/youtube-dl
>  net/esniper
>  net/gnunet
>  net/inadyn
>  utils/docker-ce
>
> and those ca-bundle:
>
>  libs/measurement-kit
>  mail/msmtp
>  net/acme
>  net/adblock
>  net/banip
>  net/dnscrypt-proxy2
>  net/https-dns-proxy
>  net/lynx
>  net/netifyd
>  net/nextdns
>  net/noddos
>  utils/cache-domains
>
> So I assume you either install ca-certificates or add support for the
> ca-bundle to the corresponding application in order to avoid wasting the flash
> space.

Libopenssl can work with both out of the box.  Likely those packages
specifying "ca-certificates" as a dependency can switch to "ca-bundle"
seamlessly.

On CentOS, "ca-certificates" actually only contains the bundle.  Maybe
we can also remove "ca-certificates" and patch out relevant code in
openssl ;)

➜  ~ rpm -ql ca-certificates
/etc/pki/ca-trust
/etc/pki/ca-trust/README
/etc/pki/ca-trust/ca-legacy.conf
/etc/pki/ca-trust/extracted
/etc/pki/ca-trust/extracted/README
/etc/pki/ca-trust/extracted/java
/etc/pki/ca-trust/extracted/java/README
/etc/pki/ca-trust/extracted/java/cacerts
/etc/pki/ca-trust/extracted/openssl
/etc/pki/ca-trust/extracted/openssl/README
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/ca-trust/extracted/pem
/etc/pki/ca-trust/extracted/pem/README
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/pki/ca-trust/source
/etc/pki/ca-trust/source/README
/etc/pki/ca-trust/source/anchors
/etc/pki/ca-trust/source/blacklist
/etc/pki/ca-trust/source/ca-bundle.legacy.crt
/etc/pki/java
/etc/pki/java/cacerts
/etc/pki/tls
/etc/pki/tls/cert.pem
/etc/pki/tls/certs
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt
/etc/ssl
/etc/ssl/certs
/usr/bin/ca-legacy
/usr/bin/update-ca-trust
/usr/share/doc/ca-certificates-2020.2.41/README
/usr/share/man/man8/ca-legacy.8.gz
/usr/share/man/man8/update-ca-trust.8.gz
/usr/share/pki
/usr/share/pki/ca-trust-legacy
/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
/usr/share/pki/ca-trust-source
/usr/share/pki/ca-trust-source/README
/usr/share/pki/ca-trust-source/anchors
/usr/share/pki/ca-trust-source/blacklist
/usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
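The reply above states that libopenssl works with either store layout out of the box. The following POSIX shell script is an added example, not code from this thread or from OpenWrt, that checks exactly that with a throwaway CA: it builds a constructed test CA and a leaf certificate signed by it, then verifies the leaf against a single bundle file (the layout the ca-bundle package ships), against a hashed certificate directory (the `<subject-hash>.0` layout ca-certificates uses), and finally against no trust store at all as a negative control. Every file name and subject in it is the script's own assumption; it needs only the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not part of the thread): confirm that an OpenSSL client
# accepts a CA from a single bundle file and from a hashed CA directory
# alike, using a constructed throwaway CA rather than any real trust store.
set -eu

# Build a constructed test CA and a leaf certificate signed by it in $1.
# Everything here is generated on the fly and is valid for one day only.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj /CN=example-test-ca -days 1 >/dev/null 2>&1
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj /CN=leaf.example >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.crt" \
        -days 1 >/dev/null 2>&1
}

# Populate a CApath-style directory from CA file $1 into $2. OpenSSL looks
# issuers up by <subject-hash>.<n>, which is how a ca-certificates style
# /etc/ssl/certs directory is laid out.
make_hashed_dir() {
    src=$1
    dir=$2
    mkdir -p "$dir"
    h=$(openssl x509 -hash -noout -in "$src")
    cp "$src" "$dir/$h.0"
}

# Verify certificate $2 using only the bundle file $1 (default directory
# lookup disabled), i.e. what a client built against ca-bundle does.
verify_with_bundle() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Verify certificate $2 using only the hashed directory $1 (default bundle
# file disabled), i.e. a client pointed at a ca-certificates directory.
verify_with_dir() {
    openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}

# Run the whole check in a temporary directory. Prints one line per case
# and returns 0 only when both layouts verify the leaf and an empty trust
# store rejects it.
check_both_layouts() {
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    make_hashed_dir "$tmp/ca.crt" "$tmp/certs"
    rc=0
    verify_with_bundle "$tmp/ca.crt" "$tmp/leaf.crt" \
        && echo "bundle file: OK" || { echo "bundle file: FAIL"; rc=1; }
    verify_with_dir "$tmp/certs" "$tmp/leaf.crt" \
        && echo "hashed dir:  OK" || { echo "hashed dir:  FAIL"; rc=1; }
    # Negative control: with no trust store supplied, the leaf must be
    # rejected, otherwise the positive results above prove nothing.
    if openssl verify -no-CAfile -no-CApath "$tmp/leaf.crt" >/dev/null 2>&1; then
        echo "empty store: accepted (unexpected)"
        rc=1
    else
        echo "empty store: rejected (expected)"
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage: run the check directly; the exit status mirrors the summary.
check_both_layouts
```

On a real device the same two calls show which layout a given client actually consults: `openssl version -d` prints the OPENSSLDIR that libopenssl searches by default, so if both `cert.pem` and a hashed `certs/` directory exist under it, the device is carrying the duplicate store the thread is trying to avoid.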



More information about the openwrt-devel mailing list