On 27/08/2020 18:47, Paul Spooren wrote:
> To allow HTTPS usage on a router it requires both certificates
> (ca-bundle) and a fitting libustream library (libustream-wolfssl)
> By adding both, uclient-fetch and wget can connect to encrypted HTTP.
> This allows opkg to update package lists in a more secure fashion.

It is also a FLASH pig IMHO: not as bad as, say, openssl, but ca-bundle
is still Not Small[tm] :-(

ca-bundle could benefit from some Kconfig-enforced mega diet:

[ ] Let's Encrypt and its alternative roots
[ ] Openwrt.org's packages
[ ] custom path -> (some path where we can add custom certificates,
    with a default of certs/)
[ ] All other certificates we'd usually package in ca-bundle

Default would be something that gets us all the current certificates in
ca-bundle, and maybe just the custom path or LE for the SMALL_FLASH version.

--
Henrique de Moraes Holschuh
www.nic.br