Install TLS after the fact #54

Open
genofire opened this issue Mar 30, 2023 · 3 comments
genofire commented Mar 30, 2023

No idea what exactly is meant here by installing SSL after the fact:
https://wiki.ffhb.de/Treffen/2022_12_16.md

  • which package is supposed to install SSL?
  • are the package sources now on https by default? (in /etc/opkg/distfed.conf or so)
    • curl http://downloads.bremen.freifunk.net/opkg/modules/gluon-ffhb-2022.1.1+bremen1/ -v works without https
@genofire

Edit /etc/opkg/distfeeds.conf to fetch base by http:

then

opkg update
opkg install ca-bundle ca-certificates libustream-openssl

Edit back and run again

opkg update
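
Added example, not part of the comment above and not the project's own code: the same procedure as a POSIX shell script that restores the https feeds even when the install fails. It assumes that `option check_signature` in /etc/opkg.conf is what protects the temporary plain-http fetch; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: temporary http fallback to install TLS support for opkg.
# Function names are hypothetical; paths are the OpenWrt defaults and can be
# overridden (FEEDS=..., OPKG_CONF=...) to try the script on copies first.
FEEDS="${FEEDS:-/etc/opkg/distfeeds.conf}"
OPKG_CONF="${OPKG_CONF:-/etc/opkg.conf}"

# True only if signature checking of package lists is enabled (not commented out).
signatures_enforced() {
    grep -Eq '^[[:space:]]*option[[:space:]]+check_signature' "$1"
}

# Number of feed lines in file $1 that still point at https.
https_feed_count() {
    grep -c '^src[^[:space:]]*[[:space:]].*https://' "$1" || true
}

# Switch all feed URLs in $1 to http, keeping the original as $1.https.
feeds_to_http() {
    cp -p "$1" "$1.https" && sed 's|https://|http://|' "$1.https" > "$1"
}

# Put the original https feed file back in place.
feeds_restore() {
    mv "$1.https" "$1"
}

bootstrap_tls() {
    # Over plain http the signature check is the only integrity protection.
    if ! signatures_enforced "$OPKG_CONF"; then
        echo "check_signature not enabled in $OPKG_CONF, refusing http fetch" >&2
        return 1
    fi
    feeds_to_http "$FEEDS" || return 1
    rc=0
    opkg update && opkg install ca-bundle ca-certificates libustream-openssl || rc=$?
    feeds_restore "$FEEDS"    # back to https even if the install failed
    [ "$rc" -eq 0 ] || return "$rc"
    opkg update               # now fetched over https
}

# Only touch the system when asked to explicitly.
if [ "${1:-}" = "--run" ]; then
    bootstrap_tls
fi
```

Run it on the device with `--run`; without that argument it only defines the functions.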

oliver commented Jan 20, 2024

I can confirm the problem: on the upcoming testing firmware (2023.1.1+bremen1), opkg update no longer works. It apparently tries to download the package sources via HTTPS, but we have no SSL support installed. Example (for a device with 2023.1.1+bremen1):

# opkg update
Downloading https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/powerpc_8540/base/Packages.gz
wget: SSL support not available, please install one of the libustream-.*[ssl|tls] packages as well as the ca-bundle and ca-certificates packages.
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/powerpc_8540/base/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/powerpc_8540/luci/Packages.gz
wget: SSL support not available, please install one of the libustream-.*[ssl|tls] packages as well as the ca-bundle and ca-certificates packages.
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/powerpc_8540/luci/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/powerpc_8540/packages/Packages.gz
wget: SSL support not available, please install one of the libustream-.*[ssl|tls] packages as well as the ca-bundle and ca-certificates packages.
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/powerpc_8540/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/powerpc_8540/routing/Packages.gz
wget: SSL support not available, please install one of the libustream-.*[ssl|tls] packages as well as the ca-bundle and ca-certificates packages.
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/powerpc_8540/routing/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/powerpc_8540/telephony/Packages.gz
wget: SSL support not available, please install one of the libustream-.*[ssl|tls] packages as well as the ca-bundle and ca-certificates packages.
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/powerpc_8540/telephony/Packages.gz

Downloading http://downloads.bremen.freifunk.net/opkg/modules/gluon-ffhb-2023.1.1+bremen1/mpc85xx/p1010/Packages.gz
Updated list of available packages in /var/opkg-lists/modules
Downloading http://downloads.bremen.freifunk.net/opkg/modules/gluon-ffhb-2023.1.1+bremen1/mpc85xx/p1010/Packages.sig
Signature check passed.
Collected errors:
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/powerpc_8540/base/Packages.gz, wget returned 1.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/powerpc_8540/luci/Packages.gz, wget returned 1.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/powerpc_8540/packages/Packages.gz, wget returned 1.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/powerpc_8540/routing/Packages.gz, wget returned 1.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/powerpc_8540/telephony/Packages.gz, wget returned 1.

I also see the problem on a device with 2022.1.4+bremen1.

I see two possible solutions:

  • a) we change the package source URLs from https to http. That should be doable in site.conf, via the opkg key (see https://gluon.readthedocs.io/en/latest/user/site.html)
  • b) we install the packages for SSL support (e.g. ca-bundle, ca-certificates, libustream-openssl). I assume that can be done in site.mk, right?

I am in favour of solution b), because security should be better that way. If I see it correctly, this takes up 254 kB of additional space in total (for libustream-openssl20201210 + ca-bundle + ca-certificates). I think that is acceptable, though, especially since with the testing firmware we no longer support the very small devices anyway.

Opinions on this?

genofire added a commit that referenced this issue Jan 23, 2024
@genofire

I am currently preparing v2023.2 and would set it up this way for all non-tiny devices.

genofire added a commit that referenced this issue Jan 23, 2024