
Comments (8)

git-bruh avatar git-bruh commented on July 24, 2024 2

Thanks, I'll add the patch then.


git-bruh avatar git-bruh commented on July 24, 2024

mirror/busybox@fc2ce04 is the cause, will investigate further, might be due to libressl.


git-bruh avatar git-bruh commented on July 24, 2024

It's because of this line. libressl does not have the -verify_hostname/-verify_ip flag available:

-> openssl s_client -quiet -connect duckduckgo.com:443 -servername duckduckgo.com -verify 100 -verify_return_error -verify_hostname duckduckgo.com

verify depth is 100
unknown option -verify_hostname
usage: s_client [-4 | -6] [-alpn protocols] [-bugs] [-CAfile file]...

@cemkeylan, have you encountered this on Carbs?


cemkeylan avatar cemkeylan commented on July 24, 2024

On Carbs, we don't have ssl verification for busybox wget enabled, because we use bearssl, though I was planning to patch it to use bearssl. I see busybox's wget as the "if all else fails" option, and it already warns the user that the ssl verification is disabled, so I never bumped into such an issue.


git-bruh avatar git-bruh commented on July 24, 2024

Hmm, so we can either revert the commit which fixed certificate verification or drop CONFIG_FEATURE_WGET_OPENSSL=y, both will lead to the verification being broken. For now at least, I am just removing that option from .config and bumping release. Now wget will say "wget: note: TLS certificate validation not implemented", people should use curl instead.


cemkeylan avatar cemkeylan commented on July 24, 2024

Well, it is quite easy to patch out, so this should work with libressl.
libressl.patch.txt

By it should, I mean, I tried it with libressl and it works.


git-bruh avatar git-bruh commented on July 24, 2024

Yes @cemkeylan, but is this actually effective in verifying the certificate stuff? Because the linked commit "fixes" the openssl flags, so maybe it was silently "failing" to verify earlier due to missing flags?


cemkeylan avatar cemkeylan commented on July 24, 2024

It is effective for verification in most cases. Without the -verify_hostname bit, openssl will check whether the certificate is valid, has a trusted certificate authority, not self-signed, not revoked, and not expired. The verify_hostname bit also adds the check to verify that the hostname and DNS records match. This is also an important verification, though.

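An added example, not part of the thread and not busybox or openssl code: a Python model of what the hostname check discussed above contributes on top of chain validation. The function names and the constructed certificates are assumptions; the certificate dicts use the layout returned by Python's `ssl.SSLSocket.getpeercert()`, and `chain_ok` stands in for the result of chain validation.

```python
import ipaddress

# Constructed sample certificates (only the subjectAltName field is modelled).
SITE_CERT = {"subjectAltName": (("DNS", "duckduckgo.com"),
                                ("DNS", "*.duckduckgo.com"),
                                ("IP Address", "192.0.2.10"))}
OTHER_SITE_CERT = {"subjectAltName": (("DNS", "www.example.net"),)}


def _dns_match(pattern: str, host: str) -> bool:
    """Compare one DNS SAN with host; '*' may only be the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # require at least two fixed labels after the wildcard
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def hostname_matches(cert: dict, host: str) -> bool:
    """True if host (DNS name or IP literal) is listed in the certificate's SANs."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are compared against IP SANs only, never DNS SANs
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, host) for kind, value in sans)


def accept(cert: dict, host: str, chain_ok: bool, check_hostname: bool) -> bool:
    """Model of the client's decision with and without the hostname check."""
    if not chain_ok:
        return False
    return hostname_matches(cert, host) if check_hostname else True


if __name__ == "__main__":
    # A CA-valid certificate issued for a different site:
    print(accept(OTHER_SITE_CERT, "duckduckgo.com", True, check_hostname=False))
    print(accept(OTHER_SITE_CERT, "duckduckgo.com", True, check_hostname=True))
```

With `check_hostname=False`, any certificate that chains to a trusted CA is accepted regardless of which name it was issued for, which is the gap left when the hostname flag is dropped.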
