[PATCH 3/3] treewide: switch to HTTPS by default
yszhou4tech at gmail.com
Mon Jul 27 06:16:15 EDT 2020
On Mon, 27 Jul 2020 at 17:03, Petr Štetiar <ynezz at true.cz> wrote:
> Henrique de Moraes Holschuh <henrique at nic.br> [2020-07-24 13:02:30]:
> > On 24/07/2020 11:29, Petr Štetiar wrote:
> > > As there is now WolfSSL included by default due to SAE/WPA3 we can
> > > finally switch to TLS/SSL in other parts as well.
> > > +DEFAULT_PACKAGES:= \
> > > + base-files libc libgcc busybox dropbear mtd uci opkg netifd \
> > > + fstools uclient-fetch logd urandom-seed urngd libustream-wolfssl \
> > > + ca-certificates
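Review bot: adding "ca-certificates" to DEFAULT_PACKAGES puts it next to "ca-bundle" on every image that also selects curl or hostapd's EAP support, since both of those carry a hardcoded path to the ca-bundle file, so the default image ends up shipping two copies of the CA store on flash. Pick one store for the default set (the thread notes ca-bundle is the smaller one and the one curl and hostapd already read) and convert the packages that depend on the other, rather than adding "ca-certificates" to the default list here.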
> > Can we fix anything that requires ca-bundle and consider that a bug that
> > blocks new packages from being accepted? Because ca-certificates +
> > ca-bundle on the same system is really awful FLASH-wise.
> > Alternatively, fix anything that requires ca-certificates and keep
> > ca-bundle. The issue is not which one is used (IMHO): as far as I am
> > concerned, either one is fine as long as we never need *both* at the same
> > time.
> I've looked at it and it seems to me that ca-bundle makes more sense. It's
> smaller and already used in curl and in hostapd for EAP (both having a hardcoded
> path to the ca-bundle file).
> Those packages are using ca-certificates:
> and those ca-bundle:
> So I assume you either install ca-certificates or add support for the
> ca-bundle to the corresponding application in order to avoid wasting the flash
Libopenssl can work with both out of the box. Likely those packages
specifying "ca-certificates" as a dependency can switch to "ca-bundle"
On CentOS, "ca-certificates" actually only contains the bundle. Maybe
we can also remove "ca-certificates" and patch out relevant code in
➜ ~ rpm -ql ca-certificates
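An added example, not code from the thread or from OpenWrt, showing how a build maintainer could check the concern discussed above: whether a root package set plus its dependencies drags in both ca-certificates and ca-bundle. The dependency table is constructed for the demo and is not OpenWrt's real package metadata.

```shell
#!/bin/sh
# Added example, not from the thread: given a root package set (e.g. the
# DEFAULT_PACKAGES from the patch) and a "pkg: dep dep ..." dependency table,
# report which CA store packages get installed and which root pulls each in.

# Constructed table for the demo, NOT OpenWrt's real package metadata, apart
# from modelling curl as reaching ca-bundle, which the thread states.
DEPS='curl: libcurl
libcurl: libwolfssl ca-bundle
uclient-fetch: libustream-wolfssl
libustream-wolfssl: libwolfssl ubox
wpad-wolfssl: libwolfssl hostapd-common
ca-certificates:
ca-bundle:'

# ca_stores "<deps table>" "<space-separated roots>"
# Prints "<store> via <root>..." for each CA store reachable from the roots.
ca_stores() {
  printf '%s\n' "$1" | awk -v roots="$2" '
    NF > 0 {
      pkg = $1; sub(/:$/, "", pkg)          # "curl:" -> "curl"
      for (i = 2; i <= NF; i++) dep[pkg] = dep[pkg] " " $i
    }
    END {
      n = split(roots, r, " ")
      for (k = 1; k <= n; k++) {
        for (x in seen) delete seen[x]      # fresh visited set per root
        top = 0; stack[++top] = r[k]
        while (top > 0) {                   # iterative DFS over dependencies
          p = stack[top--]
          if (p in seen) continue
          seen[p] = 1
          if (p == "ca-certificates" || p == "ca-bundle")
            found[p] = found[p] " " r[k]
          m = split(dep[p], d, " ")
          for (j = 1; j <= m; j++) stack[++top] = d[j]
        }
      }
      for (s in found) printf "%s via%s\n", s, found[s]
    }' | sort
}

# ca_conflict: exit 0 when BOTH stores would land on the image (the case the
# thread wants to avoid), 1 otherwise.
ca_conflict() {
  ca_stores "$1" "$2" | awk 'END { exit NR < 2 }'
}
# Demo: the patch's default set plus curl pulls in both stores.
ca_stores "$DEPS" "uclient-fetch libustream-wolfssl ca-certificates curl"
```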