The default busybox wget https support is suboptimal, it silently ignores checking certificate validity which isn't great for security.
Switch our defaults to disable the internal busybox tls code and the https support using it and configure the openssl backend instead. This this is done by spawning an openssl command, we don't need dependencies on openssl for build. For runtime, we can assume people would install openssl if they need/want this. These changes put our default busybox configuration in a more secure initial set of settings. [YOCTO #14125] Signed-off-by: Richard Purdie <[email protected]> --- meta/recipes-core/busybox/busybox/defconfig | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/meta/recipes-core/busybox/busybox/defconfig b/meta/recipes-core/busybox/busybox/defconfig index f3d545dc3fb..8e3b6e480ca 100644 --- a/meta/recipes-core/busybox/busybox/defconfig +++ b/meta/recipes-core/busybox/busybox/defconfig @@ -983,7 +983,7 @@ CONFIG_FEATURE_TFTP_GET=y CONFIG_FEATURE_TFTP_PUT=y # CONFIG_FEATURE_TFTP_BLOCKSIZE is not set # CONFIG_TFTP_DEBUG is not set -CONFIG_TLS=y +# CONFIG_TLS is not set CONFIG_TRACEROUTE=y # CONFIG_TRACEROUTE6 is not set # CONFIG_FEATURE_TRACEROUTE_VERBOSE is not set @@ -997,8 +997,8 @@ CONFIG_FEATURE_WGET_STATUSBAR=y CONFIG_FEATURE_WGET_FTP=y CONFIG_FEATURE_WGET_AUTHENTICATION=y CONFIG_FEATURE_WGET_TIMEOUT=y -CONFIG_FEATURE_WGET_HTTPS=y -# CONFIG_FEATURE_WGET_OPENSSL is not set +# CONFIG_FEATURE_WGET_HTTPS is not set +CONFIG_FEATURE_WGET_OPENSSL=y # CONFIG_WHOIS is not set # CONFIG_ZCIP is not set CONFIG_UDHCPD=y
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#201830): https://lists.openembedded.org/g/openembedded-core/message/201830 Mute This Topic: https://lists.openembedded.org/mt/107182328/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
