aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndre Heider <a.heider@gmail.com>2021-10-06 10:54:48 +0200
committerDavid Bauer <mail@david-bauer.net>2021-10-17 16:26:54 +0200
commit4b212b1306a93b6ebd450a4b1066ddf906035f4d (patch)
tree4a9a08a2467ad1b5861a0700ecdb70c70cd16bb2
parentc43a5921fa7288ba183cc56da8f110a6ed0cd958 (diff)
downloadupstream-4b212b1306a93b6ebd450a4b1066ddf906035f4d.tar.gz
upstream-4b212b1306a93b6ebd450a4b1066ddf906035f4d.tar.bz2
upstream-4b212b1306a93b6ebd450a4b1066ddf906035f4d.zip
wolfssl: build with WOLFSSL_ALT_CERT_CHAINS
"Alternate certification chains, as oppossed to requiring full chain validataion. Certificate validation behavior is relaxed, similar to openssl and browsers. Only the peer certificate must validate to a trusted certificate. Without this, all certificates sent by a peer must be used in the trust chain or the connection will be rejected." This fixes e.g. uclient-fetch and curl connecting to servers using a Let's Encrypt certificate which are cross-signed by the now expired DST Root CA X3, see [0]. This is the recommended solution from upstream [1]. The binary size increases by ~12.3kb: 1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f 1248704 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f [0] https://github.com/openwrt/packages/issues/16674 [1] https://github.com/wolfSSL/wolfssl/issues/4443#issuecomment-934926793 Signed-off-by: Andre Heider <a.heider@gmail.com> [bump PKG_RELEASE] Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 28d8e6a8711ba78f1684a205e11b0dbd4ff2b2f3)
-rw-r--r--package/libs/wolfssl/Makefile8
1 files changed, 7 insertions, 1 deletions
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 030a0224f5..539f16d399 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -58,7 +58,13 @@ define Package/libwolfssl/config
source "$(SOURCE)/Config.in"
endef
-TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 -fomit-frame-pointer -flto
+TARGET_CFLAGS += \
+ $(FPIC) \
+ -fomit-frame-pointer \
+ -flto \
+ -DFP_MAX_BITS=8192 \
+ -DWOLFSSL_ALT_CERT_CHAINS
+
TARGET_LDFLAGS += -flto
# --enable-stunnel needed for OpenSSL API compatibility bits