[PATCH 3/3] treewide: switch to HTTPS by default
Petr Štetiar
ynezz at true.cz
Mon Jul 27 05:00:06 EDT 2020
Henrique de Moraes Holschuh <henrique at nic.br> [2020-07-24 13:02:30]:
> On 24/07/2020 11:29, Petr Štetiar wrote:
> > As there is now WolfSSL included by default due to SAE/WPA3 we can
> > finally switch to TLS/SSL in other parts as well.
>
> > +DEFAULT_PACKAGES:= \
> > + base-files libc libgcc busybox dropbear mtd uci opkg netifd \
> > + fstools uclient-fetch logd urandom-seed urngd libustream-wolfssl \
> > + ca-certificates
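Review bot: the last continuation line of DEFAULT_PACKAGES adds ca-certificates, but the commit message only motivates the TLS library (WolfSSL already being included for SAE/WPA3) and gives no reason for choosing this CA package or what it costs in flash on a default image. Please state the size impact in the commit message and either justify ca-certificates over ca-bundle or use whichever one the tree standardises on, so that a default image never ends up carrying both trust stores.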
>
> Can we fix anything that requires ca-bundle and consider that a bug that
> blocks new packages from being accepted? Because ca-certificates +
> ca-bundle on the same system is really awful FLASH-wise.
>
> Alternatively, fix anything that requires ca-certificates and keep
> ca-bundle. The issue is not which one is used (IMHO): as far as I am
> concerned, either one is fine as long as we never need *both* at the same
> time.

I've looked at it and it seems to me that ca-bundle makes more sense. It's
smaller and already used in curl and in hostapd for EAP (both having a hardcoded
path to the ca-bundle file).

Those packages are using ca-certificates:
admin/openwisp-config
devel/asu
multimedia/youtube-dl
net/esniper
net/gnunet
net/inadyn
utils/docker-ce
and those ca-bundle:
libs/measurement-kit
mail/msmtp
net/acme
net/adblock
net/banip
net/dnscrypt-proxy2
net/https-dns-proxy
net/lynx
net/netifyd
net/nextdns
net/noddos
utils/cache-domains
So I assume you either install ca-certificates or add support for the
ca-bundle to the corresponding application in order to avoid wasting the flash
space.
-- ynezz
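
The kind of audit behind the two lists above can be scripted. This is an added example, not code from the thread or from OpenWrt: the feed paths and Makefile contents are constructed samples, and it assumes the usual `DEPENDS:=+pkg` syntax, including conditional `+CONDITION:pkg` entries and backslash continuations.

```python
import re

# Constructed sample Makefiles keyed by feed path (not real packages).
SAMPLE_FEED = {
    "net/example-a": "define Package/example-a\n  DEPENDS:=+libcurl +ca-bundle\nendef\n",
    "net/example-b": "define Package/example-b\n  DEPENDS:=+python3 \\\n    +ca-certificates\nendef\n",
    "utils/example-c": "define Package/example-c\n"
                       "  DEPENDS:=+ca-bundle +PACKAGE_example-c-full:ca-certificates\nendef\n",
    "libs/example-d": "define Package/example-d\n  DEPENDS:=+zlib\nendef\n",
}
CA_PACKAGES = ("ca-bundle", "ca-certificates")

def depends_tokens(makefile_text):
    """Return the bare package names named in every DEPENDS assignment."""
    joined = re.sub(r"\\\n", " ", makefile_text)  # fold continuation lines
    names = set()
    for match in re.finditer(r"^\s*DEPENDS\s*\+?:?=(.*)$", joined, re.M):
        for token in match.group(1).split():
            token = token.lstrip("+@")            # '+' selects, '@' requires
            names.add(token.rsplit(":", 1)[-1])   # drop a 'CONDITION:' prefix
    return names

def audit(feed):
    """Map each CA package to the sorted feed paths that depend on it."""
    report = {ca: [] for ca in CA_PACKAGES}
    for path, text in sorted(feed.items()):
        deps = depends_tokens(text)
        for ca in CA_PACKAGES:
            if ca in deps:
                report[ca].append(path)
    return report

def needs_both(report):
    """Packages that by themselves pull in both trust stores."""
    return sorted(set(report["ca-bundle"]) & set(report["ca-certificates"]))

def image_pulls_both(selected, report):
    """True if the selected packages together install both trust stores."""
    chosen = set(selected)
    return all(chosen & set(report[ca]) for ca in CA_PACKAGES)

if __name__ == "__main__":
    result = audit(SAMPLE_FEED)
    for ca in CA_PACKAGES:
        print(f"{ca}: {', '.join(result[ca])}")
    print("depends on both:", needs_both(result))
```
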