Re: [yocto-security] [PATCH] busybox: use openssl for TLS connections whenever possible
Andre McCurdy
On Tue, Apr 20, 2021 at 10:23 AM Randy MacLeod
<randy.macleod@...> wrote:
Add the oe-core list where patches are usually discussed.
On 2021-04-17 10:41 a.m., Shachar Menashe wrote:
This adds proper TLS verification to wget
I think you should add some of the comments you made in the bugzilla here:
---
By enabling the busybox feature WGET_OPENSSL it means that in builds WITH openssl (ex. sato)
the issue will be completely fixed, and in builds WITHOUT openssl, busybox will fall back
to using the internal (insecure) client which will print out a message
"note: TLS certificate validation not implemented".
Note that busybox does not rely in any way on the OpenSSL library
(it just executes the standalone binary, if it is found) so
we shouldn't have linkage issues if CONFIG_FEATURE_WGET_OPENSSL is enabled but OpenSSL is not getting built.
---
Thanks for the explanation.
We could add an RSUGGESTS to make the coupling more clear:
http://docs.yoctoproject.org/ref-manual/variables.html?highlight=rrecommends#term-RSUGGESTS
I don't use that feature at all and it's not widely used in oe-core so hopefully someone
opinionated will reply and help us out.
../Randy
Signed-off-by: Shachar Menashe <shachar@...>
---
meta/recipes-core/busybox/busybox.inc | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-core/busybox/busybox.inc b/meta/recipes-core/busybox/busybox.inc
index 47fcb59302..8f274bd263 100644
--- a/meta/recipes-core/busybox/busybox.inc
+++ b/meta/recipes-core/busybox/busybox.inc
@@ -77,6 +77,7 @@ def features_to_busybox_settings(d):
busybox_cfg(bb.utils.contains('DISTRO_FEATURES', 'ipv4', True, False, d), 'CONFIG_FEATURE_IFUPDOWN_IPV4', cnf, rem)
busybox_cfg(bb.utils.contains('DISTRO_FEATURES', 'ipv6', True, False, d), 'CONFIG_FEATURE_IFUPDOWN_IPV6', cnf, rem)
busybox_cfg(bb.utils.contains_any('DISTRO_FEATURES', 'bluetooth wifi', True, False, d), 'CONFIG_RFKILL', cnf, rem)
+ busybox_cfg(True, 'CONFIG_FEATURE_WGET_OPENSSL', cnf, rem)
return "\n".join(cnf), "\n".join(rem)
# X, Y = ${@features_to_busybox_settings(d)}
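Review bot: the added line passes a literal `True` to `busybox_cfg`, so CONFIG_FEATURE_WGET_OPENSSL is forced on in every build while the neighbouring lines key each option on DISTRO_FEATURES, and nothing in the hunk ensures the openssl command-line tool will actually be present in the image; the quoted bugzilla comment above says that when the binary is missing busybox falls back to the internal client that does not validate certificates, so the option alone gives no hard guarantee. Either gate it on an openssl-related DISTRO_FEATURE the way `CONFIG_FEATURE_IFUPDOWN_IPV4` and `CONFIG_RFKILL` are gated here, or pair it with an RRECOMMENDS/RSUGGESTS on the package that ships the openssl binary so the runtime dependency is visible; and since the value is constant, a line in the busybox defconfig would be simpler than a call inside features_to_busybox_settings.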
--
2.17.1
This was discussed on the list last year. The conclusion was that
FEATURE_WGET_HTTPS should be disabled by default (i.e. giving anyone who
needs to fetch from https URLs a clear hint that they should be using
full featured wget or curl) rather than enabling a hacky solution to
have busybox call out to the openssl command line tool. Has something
changed since then?
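The quoted bugzilla comment and Andre's reply together describe the runtime outcomes for busybox wget: TLS delegated to the external openssl binary (certificates validated), a silent fallback to the internal client that only prints "note: TLS certificate validation not implemented", or no https support at all. The script below is an added example, not code from the busybox recipe or from oe-core: it reads a busybox .config fragment and an image manifest and reports which of those outcomes a build will land in. It assumes the BusyBox .config syntax (`CONFIG_X=y` / `# CONFIG_X is not set`), the Yocto image .manifest layout (package, arch, version per line), that the openssl command-line tool is shipped by a package named `openssl-bin` (an assumption about package naming; adjust for your distro), and that the fallback behaves exactly as the bugzilla comment states. All sample inputs are constructed.

```python
"""Audit busybox wget TLS configuration against an image manifest.

Added example, not part of the busybox recipe or oe-core. Assumptions:
  * .config uses the Kconfig syntax "CONFIG_X=y" / "# CONFIG_X is not set"
  * the image manifest has one "<package> <arch> <version>" line per package
  * the openssl command-line tool lives in a package called OPENSSL_PKG
    (assumed name; adjust to your distro)
  * busybox falls back as described in the thread: with WGET_OPENSSL on but
    no openssl binary, the internal non-validating client is used when
    WGET_HTTPS is on
"""
import re

SET_RE = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")

OPENSSL_PKG = "openssl-bin"  # assumption: package shipping /usr/bin/openssl

VERDICTS = {
    "verified": "https via external openssl binary; certificates are validated",
    "unverified": "https via busybox's internal client; certificates are NOT validated",
    "unverified-fallback": "WGET_OPENSSL set but openssl missing from image; "
                           "internal client used, certificates NOT validated",
    "no-https": "busybox wget cannot fetch https URLs; ship full wget or curl",
}


def parse_kconfig(text):
    """Map CONFIG_* names to their values; '# ... is not set' becomes 'n'."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def manifest_packages(text):
    """Package names are the first column of each manifest line."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def classify_wget_tls(config_text, manifest_text):
    """Return one of the VERDICTS keys for this build."""
    opts = parse_kconfig(config_text)
    pkgs = manifest_packages(manifest_text)
    https = opts.get("CONFIG_FEATURE_WGET_HTTPS", "n") == "y"
    openssl = opts.get("CONFIG_FEATURE_WGET_OPENSSL", "n") == "y"

    if openssl and OPENSSL_PKG in pkgs:
        return "verified"
    if openssl and https:
        return "unverified-fallback"
    if https:
        return "unverified"
    # WGET_OPENSSL without the binary and without the internal client has
    # nothing to fall back to (assumption: the fetch fails rather than
    # proceeding unverified), so treat it like no https support.
    return "no-https"


# Constructed sample inputs; not real build output.
SATO_CONFIG = """\
CONFIG_WGET=y
CONFIG_FEATURE_WGET_HTTPS=y
CONFIG_FEATURE_WGET_OPENSSL=y
"""
MINIMAL_CONFIG = """\
CONFIG_WGET=y
CONFIG_FEATURE_WGET_HTTPS=y
# CONFIG_FEATURE_WGET_OPENSSL is not set
"""
MANIFEST_WITH_OPENSSL = "busybox core2-64 1.33.0\nopenssl-bin core2-64 1.1.1k\n"
MANIFEST_WITHOUT_OPENSSL = "busybox core2-64 1.33.0\n"


def audit_samples():
    """Run the classifier over the constructed samples."""
    cases = {
        "sato-like image": (SATO_CONFIG, MANIFEST_WITH_OPENSSL),
        "openssl feature on, binary absent": (SATO_CONFIG, MANIFEST_WITHOUT_OPENSSL),
        "internal client only": (MINIMAL_CONFIG, MANIFEST_WITHOUT_OPENSSL),
    }
    return {name: classify_wget_tls(c, m) for name, (c, m) in cases.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name}: {verdict} ({VERDICTS[verdict]})")
```

Point it at `tmp/work/<machine>/busybox/<version>/build/.config` and the image's `.manifest` under `tmp/deploy/images/` to get the verdict for a real build; the "unverified-fallback" case is the one the patch as posted can silently produce, since nothing ties the config option to the presence of the openssl package.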