On Mon, 27 Jul 2020 at 17:03, Petr Štetiar <yn...@true.cz> wrote:
>
> Henrique de Moraes Holschuh <henri...@nic.br> [2020-07-24 13:02:30]:
>
> > On 24/07/2020 11:29, Petr Štetiar wrote:
> > > As there is now WolfSSL included by default due to SAE/WPA3 we can
> > > finally switch to TLS/SSL in other parts as well.
> >
> > > +DEFAULT_PACKAGES:= \
> > > + base-files libc libgcc busybox dropbear mtd uci opkg netifd \
> > > + fstools uclient-fetch logd urandom-seed urngd libustream-wolfssl \
> > > + ca-certificates
> >
> > Can we fix anything that requires ca-bundle and consider that a bug that
> > blocks new packages from being accepted? Because ca-certificates +
> > ca-bundle on the same system is really awful FLASH-wise.
> >
> > Alternatively, fix anything that requires ca-certificates and keep
> > ca-bundle. The issue is not which one is used (IMHO): as far as I am
> > concerned, either one is fine as long as we never need *both* at the same
> > time.
>
> I've looked at it and it seems to me that ca-bundle makes more sense. It's
> smaller and already used in curl and in hostapd for EAP (both having a hardcoded
> path to the ca-bundle file).
>
> Those packages are using ca-certificates:
>
> admin/openwisp-config
> devel/asu
> multimedia/youtube-dl
> net/esniper
> net/gnunet
> net/inadyn
> utils/docker-ce
>
> and those ca-bundle:
>
> libs/measurement-kit
> mail/msmtp
> net/acme
> net/adblock
> net/banip
> net/dnscrypt-proxy2
> net/https-dns-proxy
> net/lynx
> net/netifyd
> net/nextdns
> net/noddos
> utils/cache-domains
>
> So I assume you either install ca-certificates or add support for the
> ca-bundle to the corresponding application in order to avoid wasting the flash
> space.
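Review bot: the "+ ca-certificates" line added to DEFAULT_PACKAGES puts that trust store into every default image while curl and hostapd (for EAP) already hardcode the ca-bundle file path, so any image carrying one of those consumers ends up shipping both stores; since ca-bundle is the smaller of the two and is what those consumers read, consider listing ca-bundle here instead and treating a remaining hard dependency on ca-certificates in a feed package as a bug to fix in that package.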
Libopenssl can work with both out of the box. Likely those packages specifying
"ca-certificates" as a dependency can switch to "ca-bundle" seamlessly.

On CentOS, "ca-certificates" actually only contains the bundle. Maybe we can
also remove "ca-certificates" and patch out relevant code in openssl ;)

➜ ~ rpm -ql ca-certificates
/etc/pki/ca-trust
/etc/pki/ca-trust/README
/etc/pki/ca-trust/ca-legacy.conf
/etc/pki/ca-trust/extracted
/etc/pki/ca-trust/extracted/README
/etc/pki/ca-trust/extracted/java
/etc/pki/ca-trust/extracted/java/README
/etc/pki/ca-trust/extracted/java/cacerts
/etc/pki/ca-trust/extracted/openssl
/etc/pki/ca-trust/extracted/openssl/README
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/ca-trust/extracted/pem
/etc/pki/ca-trust/extracted/pem/README
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/pki/ca-trust/source
/etc/pki/ca-trust/source/README
/etc/pki/ca-trust/source/anchors
/etc/pki/ca-trust/source/blacklist
/etc/pki/ca-trust/source/ca-bundle.legacy.crt
/etc/pki/java
/etc/pki/java/cacerts
/etc/pki/tls
/etc/pki/tls/cert.pem
/etc/pki/tls/certs
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt
/etc/ssl
/etc/ssl/certs
/usr/bin/ca-legacy
/usr/bin/update-ca-trust
/usr/share/doc/ca-certificates-2020.2.41/README
/usr/share/man/man8/ca-legacy.8.gz
/usr/share/man/man8/update-ca-trust.8.gz
/usr/share/pki
/usr/share/pki/ca-trust-legacy
/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
/usr/share/pki/ca-trust-source
/usr/share/pki/ca-trust-source/README
/usr/share/pki/ca-trust-source/anchors
/usr/share/pki/ca-trust-source/blacklist
/usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
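As an added example (not from this thread or from OpenWrt's own build tooling), a small audit that parses the DEPENDS lines of package Makefiles for the two trust-store packages discussed above and flags a package selection that would end up shipping both on one image. The Makefile fragments, their DEPENDS contents and the "utils/foo" package are constructed samples; the other feed paths are taken from the lists in the thread.

```python
import re
from typing import Dict, Set

# Constructed sample Makefile fragments keyed by feed path; the DEPENDS
# contents (and the "utils/foo" package) are invented for this example.
SAMPLE_MAKEFILES = {
    "net/inadyn": "define Package/inadyn\n  DEPENDS:=+libopenssl +ca-certificates\nendef\n",
    "net/acme": "define Package/acme\n  DEPENDS:=+curl \\\n\t+ca-bundle\nendef\n",
    "net/lynx": "define Package/lynx\n  DEPENDS:=+libopenssl +PACKAGE_lynx:ca-bundle\nendef\n",
    "utils/foo": "define Package/foo\n  DEPENDS:=+libcurl +ca-certificates\n  DEPENDS+=+ca-bundle\nendef\n",
}
TRUST_STORES = ("ca-certificates", "ca-bundle")
DEP_RE = re.compile(r"^\s*DEPENDS\s*[:+]?=\s*(.*)$", re.MULTILINE)
# A dependency token is "+pkg" or a conditional "+CONFIG_X:pkg"; keep only pkg.
TOKEN_RE = re.compile(r"\+(?:[^:\s]+:)?([A-Za-z0-9._-]+)")


def trust_store_deps(makefile: str) -> Set[str]:
    """Return the trust-store packages named on any DEPENDS line."""
    joined = makefile.replace("\\\n", " ")  # fold backslash continuations
    found: Set[str] = set()
    for match in DEP_RE.finditer(joined):
        for pkg in TOKEN_RE.findall(match.group(1)):
            if pkg in TRUST_STORES:
                found.add(pkg)
    return found


def audit(makefiles: Dict[str, str]) -> Dict[str, Set[str]]:
    """Group packages by trust store; 'both' lists packages pulling in both."""
    report: Dict[str, Set[str]] = {store: set() for store in TRUST_STORES}
    report["both"] = set()
    for path, text in makefiles.items():
        deps = trust_store_deps(text)
        for store in deps:
            report[store].add(path)
        if len(deps) == len(TRUST_STORES):
            report["both"].add(path)
    return report


def would_ship_both(selected: Set[str], makefiles: Dict[str, str]) -> bool:
    """True if the selected packages together pull in both trust stores,
    i.e. the image pays flash for two copies of the CA data."""
    stores: Set[str] = set()
    for path in selected:
        stores |= trust_store_deps(makefiles[path])
    return stores == set(TRUST_STORES)
```

Run audit() over the real feed checkouts (reading each package's Makefile into the dict) to get the two lists from the thread plus any package that depends on both.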