wolfssl: build with WOLFSSL_ALT_CERT_CHAINS
"Alternate certification chains, as opposed to requiring full chain
validation. Certificate validation behavior is relaxed, similar to
openssl and browsers. Only the peer certificate must validate to a trusted
certificate. Without this, all certificates sent by a peer must be
used in the trust chain or the connection will be rejected."
This fixes e.g. uclient-fetch and curl connecting to servers using a Let's
Encrypt certificate which are cross-signed by the now expired
DST Root CA X3, see [0].
This is the recommended solution from upstream [1].
The binary size increases by ~12.3kb:
1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f
1248704 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f
[0] https://github.com/openwrt/packages/issues/16674
[1] https://github.com/wolfSSL/wolfssl/issues/4443#issuecomment-934926793
Signed-off-by: Andre Heider <a.heider@gmail.com>
[bump PKG_RELEASE]
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 28d8e6a871
)
parent
c43a5921fa
commit
4b212b1306
@ -58,7 +58,13 @@ define Package/libwolfssl/config
|
|||||||
source "$(SOURCE)/Config.in"
|
source "$(SOURCE)/Config.in"
|
||||||
endef
|
endef
|
||||||
|
|
||||||
TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 -fomit-frame-pointer -flto
|
TARGET_CFLAGS += \
|
||||||
|
$(FPIC) \
|
||||||
|
-fomit-frame-pointer \
|
||||||
|
-flto \
|
||||||
|
-DFP_MAX_BITS=8192 \
|
||||||
|
-DWOLFSSL_ALT_CERT_CHAINS
|
||||||
|
|
||||||
TARGET_LDFLAGS += -flto
|
TARGET_LDFLAGS += -flto
|
||||||
|
|
||||||
# --enable-stunnel needed for OpenSSL API compatibility bits
|
# --enable-stunnel needed for OpenSSL API compatibility bits
|
||||||
|
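Review bot: The new `-DWOLFSSL_ALT_CERT_CHAINS` entry in `TARGET_CFLAGS` is unconditional, so every program linked against this libwolfssl gets the relaxed chain handling, and nothing in the Makefile records that trade-off. Going by the commit message, only the peer certificate then has to validate to a trusted certificate, and other certificates the peer sends no longer cause the connection to be rejected. I would state that next to the flag, as a comment placed above the `TARGET_CFLAGS += \` line (a `#` inside the continuation would cut the list short): `# WOLFSSL_ALT_CERT_CHAINS: only the peer cert must validate to a trusted cert; other certs sent by the peer need not be part of the trust chain (wolfSSL issue 4443)`. If any consumer relies on strict full-chain rejection, a switch in the package's Config.in would let it keep that behaviour; the page does not show whether such a consumer exists.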