[OpenWrt-Devel] [PATCH 4/6] openssl: add option to disable PSK support

Dirk Feytons dirk.feytons at gmail.com
Thu Jun 9 08:45:55 EDT 2016


On 9 June 2016 at 13:55, Karl Palsson <karlp at tweak.net.au> wrote:
>
> This is turning off PSK by default right? I actually use that
> option, and it's a relatively common use with mosquitto, which
> supports PSK for client auth. Could you leave it on by default
> please? PSK, and SRP are badly treated by people who want certs
> everywhere, but they're perfectly reasonable, if only people
> would remember they exist.

Yes, PSK would be off by default. My reasoning was that OpenSSL is
most often used for traditional HTTPS with certs and the default
OpenSSL would support that but not (much) more.
I know that Mosquitto requires it (IIRC it also needs
CONFIG_OPENSSL_WITH_DEPRECATED but that's still enabled by default).
I'm working on a patch for Mosquitto to depend on
CONFIG_OPENSSL_WITH_PSK and CONFIG_OPENSSL_WITH_DEPRECATED. Would that
be OK for you or do you still want the default for PSK to be 'y'?

>
> Cheers,
> Karl P
>
> Dirk Feytons <dirk.feytons at gmail.com> wrote:
>> Signed-off-by: Dirk Feytons <dirk.feytons at gmail.com>
>> ---
>>  package/libs/openssl/Config.in |    5 +++++
>>  package/libs/openssl/Makefile  |    7 ++++++-
>>  2 files changed, 11 insertions(+), 1 deletion(-)
>>
>> diff --git a/package/libs/openssl/Config.in
>> b/package/libs/openssl/Config.in index 492b042..47b9fb5 100644
>> --- a/package/libs/openssl/Config.in
>> +++ b/package/libs/openssl/Config.in
>> @@ -30,6 +30,11 @@ config OPENSSL_WITH_NPN
>>       default n
>>       prompt "Enable NPN support"
>>
>> +config OPENSSL_WITH_PSK
>> +     bool
>> +     default n
>> +     prompt "Enable PSK support"
>> +
>>  config OPENSSL_ENGINE_DIGEST
>>       bool
>>       depends on OPENSSL_ENGINE_CRYPTO
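
Review bot: The new `config OPENSSL_WITH_PSK` entry has no `help` text and sets `default n`, so a build that relied on PSK loses it with nothing in menuconfig explaining what the option covers. Add a short help block naming what needs it (this thread mentions Mosquitto's PSK client auth), and consider `default y` so the option is opt-out rather than a silent behaviour change.
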
>> diff --git a/package/libs/openssl/Makefile
>> b/package/libs/openssl/Makefile index 61022dc..129061e 100644
>> --- a/package/libs/openssl/Makefile
>> +++ b/package/libs/openssl/Makefile
>> @@ -36,7 +36,8 @@ PKG_CONFIG_DEPENDS:= \
>>       CONFIG_OPENSSL_HARDWARE_SUPPORT \
>>       CONFIG_OPENSSL_WITH_DEPRECATED \
>>       CONFIG_OPENSSL_WITH_COMPRESSION \
>> -     CONFIG_OPENSSL_WITH_NPN
>> +     CONFIG_OPENSSL_WITH_NPN \
>> +     CONFIG_OPENSSL_WITH_PSK
>>
>>  include $(INCLUDE_DIR)/package.mk
>>
>> @@ -137,6 +138,10 @@ ifndef CONFIG_OPENSSL_WITH_NPN
>>    OPENSSL_OPTIONS += no-nextprotoneg
>>  endif
>>
>> +ifndef CONFIG_OPENSSL_WITH_PSK
>> +  OPENSSL_OPTIONS += no-psk
>> +endif
>> +
>>  ifeq ($(CONFIG_x86_64),y)
>>    OPENSSL_TARGET:=linux-x86_64-openwrt
>>    OPENSSL_MAKEFLAGS += LIBDIR=lib
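
Review bot: In the `ifndef CONFIG_OPENSSL_WITH_PSK` block, `no-psk` is passed for every build that leaves the new symbol unset, yet nothing in this patch makes packages that use PSK select or depend on CONFIG_OPENSSL_WITH_PSK. Either land the consumer-side dependency in the same series ahead of this change, or keep the symbol defaulting to 'y' until those dependencies exist, so a default image does not pair a PSK consumer with a library built without it.
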
>> --
>> 1.7.9.5
>> _______________________________________________
>> openwrt-devel mailing list
>> openwrt-devel at lists.openwrt.org
>> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel