Re: [OpenWrt-Devel] [PATCH] Combine CA-certificates in one file

2015-06-14 Thread edgar . soldin
On 12.06.2015 21:20, micke.p...@telldus.se wrote:
> 2015-06-12 09:39 Cristian Morales Vega wrote:
> 
>> On 12 June 2015 at 08:30,  wrote:
>>
>>> Some packages or libraries cannot use split ca certificates in a folder.
>>> This adds a config to combine all certificates into one file.
>>
>> I have nothing against this patch. But do you have a list of such
>> packages? I may be interested in patching them.
> 
> In python 2.7.9 there is a new class SSLContext that can load the system 
> certificates. This was not available previously. OpenWRT currently ships 
> 2.7.10. I have modified our code to use this instead.
> 
> My patch can be discarded, I think.

devices are getting bigger and your patch offers additional functionality. i'd 
vote to keep it, as it does not hurt (disabled by default) but may be useful to 
others.

..ede
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel


Re: [OpenWrt-Devel] [PATCH] Combine CA-certificates in one file

2015-06-12 Thread micke . prag

2015-06-12 09:39 Cristian Morales Vega wrote:
> On 12 June 2015 at 08:30,  wrote:
>
>> Some packages or libraries cannot use split ca certificates in a folder.
>> This adds a config to combine all certificates into one file.
>
> I have nothing against this patch. But do you have a list of such
> packages? I may be interested in patching them.

In python 2.7.9 there is a new class SSLContext that can load the
system certificates. This was not available previously. OpenWRT
currently ships 2.7.10. I have modified our code to use this instead.

My patch can be discarded, I think.


Re: [OpenWrt-Devel] [PATCH] Combine CA-certificates in one file

2015-06-12 Thread micke . prag

2015-06-12 09:39 Cristian Morales Vega wrote:
> On 12 June 2015 at 08:30,  wrote:
>
>> Some packages or libraries cannot use split ca certificates in a folder.
>> This adds a config to combine all certificates into one file.
>
> I have nothing against this patch. But do you have a list of such
> packages? I may be interested in patching them.

Any application using Python should have this issue. I am not aware of
any application in OpenWRT currently that has this issue but my company
are developing some python software intended to run on OpenWRT boards.

The function ssl.wrap_socket() has one parameter called ca_certs which
takes only one file. The documentation says:
The ca_certs file contains a set of concatenated “certification 
authority” certificates, which are used to validate certificates passed 
from the other end of the connection. See the discussion of Certificates 
for more information about how to arrange the certificates in this file.

https://docs.python.org/2/library/ssl.html
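
The two trust sources discussed in the messages above (a single concatenated ca_certs file and SSLContext loading a certificate directory), as an added example that is not code from the thread or from OpenWrt. It is written for Python 3, where ssl.wrap_socket() has since been removed in favour of SSLContext; the names build_bundle and client_context are hypothetical, and it goes a little beyond the thread by de-duplicating certificates and refusing to continue without a trust source.

```python
# Added example; build_bundle and client_context are hypothetical helper names.
import os
import re
import ssl
import tempfile

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def build_bundle(cert_dir, bundle_path):
    """Concatenate the certificates in cert_dir into one PEM file; return the count."""
    seen, out = set(), []
    for name in sorted(os.listdir(cert_dir)):
        path = os.path.join(cert_dir, name)
        # Hash-named symlinks point at files already visited; skip them.
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        # A bundle left by an earlier run is output, not input.
        if os.path.abspath(path) == os.path.abspath(bundle_path):
            continue
        with open(path, encoding="ascii", errors="replace") as fh:
            for block in PEM_RE.findall(fh.read()):
                der = ssl.PEM_cert_to_DER_cert(block)
                if der not in seen:
                    seen.add(der)
                    # Re-encoding guarantees a newline after every END line.
                    out.append(ssl.DER_cert_to_PEM_cert(der))
    # Write to a temp file and rename so readers never see a partial bundle.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(bundle_path)))
    with os.fdopen(fd, "w") as fh:
        fh.writelines(out)
    os.chmod(tmp, 0o644)
    os.replace(tmp, bundle_path)
    return len(out)

def client_context(bundle=None, cert_dir=None):
    """Verifying TLS client context from a bundle file or a hashed directory."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED, hostname check on
    if bundle and os.path.isfile(bundle):
        ctx.load_verify_locations(cafile=bundle)
    elif cert_dir and os.path.isdir(cert_dir):
        ctx.load_verify_locations(capath=cert_dir)
    else:
        # Fail closed: never fall back to an unverified connection.
        raise FileNotFoundError("no CA bundle or certificate directory found")
    return ctx
```

With the patch's layout this would be called as client_context("/etc/ssl/certs/ca-certificates.crt", "/etc/ssl/certs"), using the bundle when the option is enabled and the hashed directory otherwise.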


Re: [OpenWrt-Devel] [PATCH] Combine CA-certificates in one file

2015-06-12 Thread Cristian Morales Vega
On 12 June 2015 at 08:30,   wrote:
> Some packages or libraries cannot use split ca certificates in a folder. This
> adds a config to combine all certificates into one file.

I have nothing against this patch. But do you have a list of such
packages? I may be interested in patching them.


[OpenWrt-Devel] [PATCH] Combine CA-certificates in one file

2015-06-12 Thread micke . prag

From: Micke Prag 

Some packages or libraries cannot use split ca certificates in a folder.
This adds a config to combine all certificates into one file.

Since this adds another ~300 Kb to the image this can be enabled by a
config which is disabled by default.

This also allows for packages to require this option in the DEPENDS
section.


Signed-off-by: Micke Prag 
---
 package/system/ca-certificates/Config.in | 7 +++
 package/system/ca-certificates/Makefile  | 7 +++
 2 files changed, 14 insertions(+)
 create mode 100644 package/system/ca-certificates/Config.in

diff --git a/package/system/ca-certificates/Config.in 
b/package/system/ca-certificates/Config.in

new file mode 100644
index 000..36ebdc3
--- /dev/null
+++ b/package/system/ca-certificates/Config.in
@@ -0,0 +1,7 @@
+config CA_CERTIFICATES_COMBINE_CERTIFICATES
+   bool "Combine certificates"
+   depends on PACKAGE_ca-certificates
+   help
+   Combine all CA-certificates in 
/etc/ssl/certs/ca-certificates.crt
+		This might be required by some applications and adds ~300 Kb to the 
image

+   default n
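
Review bot: "default n" is placed after the help body in this entry. Kconfig ends a help text only at a line indented less than the first help line, so an attribute that follows it is easy to swallow into the help text if the whitespace shifts. Move the default above "help", or drop it, since a bool with no default is already n.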
diff --git a/package/system/ca-certificates/Makefile 
b/package/system/ca-certificates/Makefile

index 9c50fef..9fd1632 100644
--- a/package/system/ca-certificates/Makefile
+++ b/package/system/ca-certificates/Makefile
@@ -23,6 +23,10 @@ define Package/ca-certificates
   TITLE:=System CA certificates
 endef

+define Package/ca-certificates/config
+   source "$(SOURCE)/Config.in"
+endef
+
 define Build/Install
mkdir -p \
$(PKG_INSTALL_DIR)/usr/sbin \
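
Review bot: the new Package/ca-certificates/config block exposes the option, but nothing tells the build system that the package contents now depend on it: the diffstat's 7 Makefile insertions are all in the two hunks shown, and neither adds the symbol to PKG_CONFIG_DEPENDS. Without that, toggling the option after ca-certificates has been built can leave the previously built package in the image. Suggest adding PKG_CONFIG_DEPENDS:=CONFIG_CA_CERTIFICATES_COMBINE_CERTIFICATES to the Makefile.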
@@ -41,6 +45,9 @@ define Package/ca-certificates/install
let "SUFFIX += 1" ; \
done ; \
$(LN) "CERTFILE" "$(1)/etc/ssl/certs/HASH.SUFFIX" ; 
\
+		if [ "$(CONFIG_CA_CERTIFICATES_COMBINE_CERTIFICATES)" == "y" ]; then 
\
+			cat "$(1)/etc/ssl/certs/CERTFILE" >> 
"$(1)/etc/ssl/certs/ca-certificates.crt" ; \

+   fi ; \
done
 endef
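
Review bot: the added cat ... >> "$(1)/etc/ssl/certs/ca-certificates.crt" only ever appends, and nothing in the hunk creates or empties that file before the loop, so the bundle is correct only if it does not already exist under $(1) when the install step runs. Remove or truncate ca-certificates.crt before the loop starts. Plain concatenation also relies on every certificate file ending in a newline, otherwise an END line runs into the next BEGIN line and the bundle no longer parses; and in the added test, == inside [ ] is not POSIX, where = is the portable spelling.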

--
2.0.5