List: busybox
Subject: Re: [PATCH] wget: add TLS SNI support via openssl s_client
From: Denys Vlasenko <vda.linux () googlemail ! com>
Date: 2016-07-25 19:37:51
Message-ID: CAK1hOcOMLEqK2MNmq-Rxx2ivQSaT2EkKqo11+TPuHGzBm8NmSQ () mail ! gmail ! com
On Wed, Jul 20, 2016 at 11:56 PM, Jeremy Chadwick <jdc@koitsu.org> wrote:
> The problem of Busybox wget not supporting TLS SNI has come up a couple
> times on the Tomato firmware board on linksysinfo.org. This impacts
> sites like CloudFlare who are very strict about what SSL and TLS
> parameters they require.
>
> Below is a patch against master that rectifies this. It should be easy
> to backport to 1_{23,24,25}_stable.
>
> I should note that my patch trumps the one sent on 2015/10/23 here:
> http://lists.busybox.net/pipermail/busybox/2015-October/083510.html
>
> That patch blindly violates RFC 6066 by blindly passing on whatever the
> "host" argument is into -servername. The "host" argument can (will)
> include such values as ip, ip:port, and hostname:port. RFC 6066 is
> very clear that the only allowed servername value permitted is a
> string/hostname (i.e. only an FQDN).
>
> And regarding the additional patch from the same individual:
> http://lists.busybox.net/pipermail/busybox/2015-October/083509.html
>
> That patch assumes the OpenSSL library on the client machine has a
> properly configured openssl.cnf as well as a full CA root list (many
> embedded devices do not). This is a precarious situation and not always
> warranted. If this is to be done, then a --no-check-certificates flag
> must be added so that it can be disabled.
Applied, thanks!
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
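The quoted message's RFC 6066 point (only a DNS hostname may be sent in the server_name extension; IP literals and ports must not be passed to `-servername`) is easy to get wrong, so here is an added example of the host-argument handling it calls for. This is example code written for this page, not BusyBox's wget code and not the patch under discussion; the function name `sni_hostname_from_host`, the helper `sni_check`, and the sample host strings are this example's own assumptions.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Derive the value that may be passed to "openssl s_client -servername"
 * from the host argument wget received (forms seen in practice: hostname,
 * hostname:port, ip, ip:port, [ipv6]:port, bare ipv6).
 *
 * Returns 1 and writes the bare DNS name into out[] when SNI may be sent.
 * Returns 0 and leaves out[] empty when the caller must omit -servername:
 * RFC 6066 permits only DNS hostnames in server_name, never IPv4 or IPv6
 * literals, and the port is never part of the name.
 *
 * Name and signature are this example's own (hypothetical), not BusyBox's.
 */
int sni_hostname_from_host(const char *host, char *out, size_t outlen)
{
    char name[256];
    const char *colon;
    size_t len, i;
    struct in_addr v4;

    if (outlen == 0)
        return 0;
    out[0] = '\0';
    if (host == NULL || host[0] == '\0')
        return 0;

    /* "[2001:db8::1]:443" or "[2001:db8::1]": bracketed IPv6 literal. */
    if (host[0] == '[')
        return 0;

    /* Two or more colons can only be a bare IPv6 literal ("2001:db8::1"). */
    colon = strchr(host, ':');
    if (colon != NULL && strchr(colon + 1, ':') != NULL)
        return 0;

    /* A single colon separates "name:port"; keep only the name part. */
    len = colon ? (size_t)(colon - host) : strlen(host);
    if (len == 0 || len >= sizeof(name))
        return 0;
    memcpy(name, host, len);
    name[len] = '\0';

    /* Dotted-quad IPv4 literal ("192.0.2.1" or "192.0.2.1:443"): no SNI. */
    if (inet_pton(AF_INET, name, &v4) == 1)
        return 0;

    /* What is left must look like a DNS name: letters, digits, '-', '.'. */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return 0;
    }

    if (len >= outlen)
        return 0;
    memcpy(out, name, len + 1);
    return 1;
}

/* Check helper: 1 if host yields exactly `expected` (NULL = omit SNI). */
int sni_check(const char *host, const char *expected)
{
    char out[256];
    int ok = sni_hostname_from_host(host, out, sizeof(out));
    if (expected == NULL)
        return ok == 0 && out[0] == '\0';
    return ok == 1 && strcmp(out, expected) == 0;
}

/* Stand-alone demo over constructed host arguments (build: cc -o sni sni.c). */
int main(void)
{
    static const char *const samples[] = {
        "example.com", "example.com:8443", "192.0.2.1", "192.0.2.1:443",
        "[2001:db8::1]:443", "2001:db8::1", "bad_host!"
    };
    char out[256];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (sni_hostname_from_host(samples[i], out, sizeof(out)))
            printf("%-20s -> -servername %s\n", samples[i], out);
        else
            printf("%-20s -> (omit -servername)\n", samples[i]);
    }
    return 0;
}
```

When the function returns 0 the caller simply leaves `-servername` off the `openssl s_client` command line, which is the RFC-conformant behaviour for IP literals; passing the raw host argument through unchanged is exactly what the quoted message objects to.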