[PATCH 1/3] build: add libustream and certs to default pkgs

Henrique de Moraes Holschuh henrique at nic.br
Tue Sep 15 17:19:33 EDT 2020


On 27/08/2020 18:47, Paul Spooren wrote:
> To allow HTTPS usage on a router it requires both certificates
> (ca-bundle) and a fitting libustream library (libustream-wolfssl)
> 
> By adding both, uclient-fetch and wget can connect to encrypted HTTP.
> 
> This allows opkg to update package lists in a more secure fashion.

It is also a FLASH pig IMHO: not as bad as, say, openssl, but ca-bundle 
is still Not Small[tm] :-(

ca-bundle could benefit from some Kconfig-enforced mega diet:


[ ] Let's Encrypt and its alternative roots
[ ] OpenWrt.org's packages
[ ] custom path -> (some path where we can add custom certificates,
     with a default of certs/)
[ ] All other certificates we'd usually package in ca-bundle

Default would be something that gets us all the current certificates in 
ca-bundle, and maybe just the custom path or LE for the SMALL_FLASH version.

-- 
Henrique de Moraes Holschuh
www.nic.br


