[PATCH 19.07] wolfssl: update to 4.8.1-stable

Petr Štetiar ynezz at true.cz
Tue Feb 8 01:32:57 PST 2022


Eneas U de Queiroz <cotequeiroz at gmail.com> [2021-12-14 14:54:44]:

Hi,

> OpenWrt 19.07 support is officially limited to security maintenance,
> so we can cherry-pick a couple of wolfssl commits instead:
> 73076940a Fix CompareOcspReqResp.
> f93083be7 OCSP: improve handling of OCSP no check extension
> 
> (excluding tests):
>  src/ssl.c               |  2 +-
>  wolfcrypt/src/asn.c     | 19 ++++++++++++-------
>  wolfssl/wolfcrypt/asn.h |  1 +
>  3 files changed, 14 insertions(+), 8 deletions(-)
> 
> Just let me know what's the best approach here.

Let's see the diff, but it looks like a good proposal to me.

> After this is done--whether update or patch--I intend to propose a
> patch to build with WOLFSSL_ALT_CERT_CHAINS to avoid the problems with
> letsencrypt certificates.  One can argue that it is a security fix,
> considering that the alternative is to skip certificate validation.
> If this is going to be NAKed, then I'll skip the trouble.

You mean cherry-picking 28d8e6a8711ba78f1684a205e11b0dbd4ff2b2f3? It's really a
PITA without this, as one needs to make the server side compatible with those
broken clients, so I would be in favor of fixing this. I've just checked the
API/ABI compatibility and it should be fine; that flag adds 2 new symbols, so
this shouldn't cause any harm (tm).

-- ynezz


