On 01/07/17 16:13, Bob Beck wrote:
> On Fri, Jan 06, 2017 at 10:48:37AM -0500, RD Thrush wrote:
>> On 01/06/17 06:28, Stuart Henderson wrote:
>>> Related to this (and particularly thinking about autoinstalls),
>>> would it make sense to allow explicit protocols in the hostname?
>>> some.host -> https with http fallback
>>> http://some.host/ -> http only
>>> https://some.host/ -> https only, no fallback
>> That would totally work for my install problem.
>> FWIW, instead of running a patched install.sub, "rm /etc/ssl/cert.pem" makes 
>> the install bypass the https attempt.
> Note, if you're upgrading or otherwise have a way to et a cert.pem bundle 
> onto there to *replace*
> the default, you could always drop the signer for your private self-signed 
> server into the cert.pem
> bundle, at which point it would be accepted as trusted.

In an ideal world, I'd have a valid certificate for this local nas server...

> of course if you're just installing you have an interesting chicken and egg 
> problem, unless
> you put it somewhere on an https site that does have a real certificate, drop 
> out of the
> installer and do
> ftp -o /tmp/mysigner.pem https://my.secure.site/mysigner.pem
> cat /tmp/mysigner.pem >> /etc/ssl/cert.pem
> then continue the install, and you're good.

Thanks.  Unfortunately, I've been spoiled by the continually improving snapshot 
install methods and want to preserve typing "a" once for a new -current.

> Almost wonder if it's worth an extra question in the installer to ask
> for an https address to retrieve a certficiate bundle to be appended to 
> cert.pem
> for the install...

That would also solve the self signed cert problem.  Since the install 
/etc/ssl/cert.pem is transient, your method wouldn't trigger any /etc/daily 
alarm about a chang in cert.pem.

I hacked a bit on sthen's suggestion but ran into problems testing the https 
part w/ the OpenBSD servers.  I'm currently unable to do a snapshot autoinstall 
from ftp[35] via the latest bsd.rd.

FWIW, here's my weak attempt at sthen's suggestion:
Index: install.sub
RCS file: /cvs/src/distrib/miniroot/install.sub,v
retrieving revision 1.942
diff -u -p -u -p -r1.942 install.sub
--- install.sub 4 Jan 2017 13:47:29 -0000       1.942
+++ install.sub 7 Jan 2017 22:02:52 -0000
@@ -1502,9 +1502,11 @@ install_files() {
 # Get several parameters from the user, and xfer files from the http server.
 install_http() {
+       local _proto=$1
        local _file_list _prompt _mirror _url_base _err _idx=/tmp/i/index.txt
        local _idx_url _rc
+       HTTP_PROTO=$_proto
        # N.B.: 'http_proxy' is an environment variable used by ftp(1). DON'T
        # change the name or case!
        ask "HTTP proxy URL? (e.g. 'http://proxy:8080', or 'none')" \
@@ -1568,8 +1570,9 @@ install_http() {
        # Get list of files from the server.
        # Assumes index file is "index.txt" for http (or proxy).
        # We can't use index.html since the format is server-dependent.
-       # If ftp(1) has tls, fetch index.txt via https. If that fails
-       # tell the user about it and switch to http.
+       # If ftp(1) has tls and doesn't explicitly request http,
+       # fetch index.txt via https. If https fails tell the user about
+       # it and switch to http.
        rm -f $_idx
        if $FTP_TLS; then
@@ -2310,7 +2313,7 @@ feed_random() {
 # selects from that location. Repeat as many times as the user needs to get all
 # desired sets.
 install_sets() {
-       local _cddevs=$(get_cddevs) _d=$CGI_METHOD _im _locs="disk http" _src
+       local _cddevs=$(get_cddevs) _d=$CGI_METHOD _im _locs="disk http https" 
@@ -2343,7 +2346,9 @@ install_sets() {
                [dD]*)  install_disk && INSTALL_METHOD=disk
-               [hH]*)  isin http $_locs && install_http && INSTALL_METHOD=http
+               [hH]*s) isin https $_locs && install_http https && 
+                       ;;
+               [hH]*)  isin http $_locs && install_http http && 
                [nN]*)  isin nfs $_locs && install_nfs && INSTALL_METHOD=nfs

Reply via email to