diff options
| author | Josh Roys <roysjosh@gmail.com> | 2022-07-23 11:23:16 -0400 |
|---|---|---|
| committer | Petr Štetiar <ynezz@true.cz> | 2022-09-21 11:52:40 +0200 |
| commit | f0bca34f16327c6001515f9c73c2c284574c7b6d (patch) | |
| tree | e408167cf567fb7daa8cde7e689e5fbb0a9c6838 /config | |
| parent | c6d3f39ecce43c4a9858157e9e2ee8718750a9ab (diff) | |
| download | upstream-f0bca34f16327c6001515f9c73c2c284574c7b6d.tar.gz upstream-f0bca34f16327c6001515f9c73c2c284574c7b6d.tar.bz2 upstream-f0bca34f16327c6001515f9c73c2c284574c7b6d.zip | |
scripts: always check certificates
Remove flags from wget and curl instructing them to ignore bad server
certificates. Although other mechanisms can protect against malicious
modifications of downloads, other vectors of attack may be available
to an adversary.
TLS certificate verification can be disabled by turning oof the
"Enable TLS certificate verification during package download" option
enabled by default in the "Global build settings" in "make menuconfig"
Signed-off-by: Josh Roys <roysjosh@gmail.com>
[ add additional info on how to disable this option ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [backport]
(cherry picked from commit 90c6e3aedf167b0ae1baf376e7800a631681e69a)
Diffstat (limited to 'config')
| -rw-r--r-- | config/Config-build.in | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/config/Config-build.in b/config/Config-build.in index 342859b7c0..196d4e67a0 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -58,6 +58,10 @@ menu "Global build settings" bool "Enable signature checking in opkg" default SIGNED_PACKAGES + config DOWNLOAD_CHECK_CERTIFICATE + bool "Enable TLS certificate verification during package download" + default y + comment "General build options" config TESTING_KERNEL |