[PATCH 19.07] wolfssl: update to 4.8.1-stable
ynezz at true.cz
Tue Feb 8 01:32:57 PST 2022
Eneas U de Queiroz <cotequeiroz at gmail.com> [2021-12-14 14:54:44]:
> OpenWrt 19.07 support is officially limited to security maintenance,
> so we can cherry-pick a couple of wolfssl commits instead:
> 73076940a Fix CompareOcspReqResp.
> f93083be7 OCSP: improve handling of OCSP no check extension
> (excluding tests):
> src/ssl.c | 2 +-
> wolfcrypt/src/asn.c | 19 ++++++++++++-------
> wolfssl/wolfcrypt/asn.h | 1 +
> 3 files changed, 14 insertions(+), 8 deletions(-)
> Just let me know what's the best approach here.
lets see the diff, but it looks like a good proposal to me.
> After this is done--whether update or patch--I intend to propose a
> patch to build with WOLFSSL_ALT_CERT_CHAINS to avoid the problems with
> letsencrypt certificates. One can argue that it is a security fix,
> considering that the alternative is to skip certificate validation.
> If this is going to be NAKed, then I'll skip the trouble.
You mean cherry-picking 28d8e6a8711ba78f1684a205e11b0dbd4ff2b2f3 ? It's really
PITA without this as one needs to make server side compatible with those
broken clients, so I would be in favor to fixing this. I've just checked the
API/ABI compatibility and it should be fine, that flag adds 2 new symbols so
this shouldn't cause any harm (tm).
More information about the openwrt-devel