From 0a494c8224b961dbfcf17f856d86038c8e5bae07 Mon Sep 17 00:00:00 2001
From: Richard Purdie
Date: Fri, 12 Jul 2024 14:48:02 +0100
Subject: [PATCH] busybox: reconfigure wget https support by default for security

The default busybox wget https support is suboptimal, it silently ignores checking certificate validity which isn't great for security. Switch our defaults to disable the internal busybox tls code and the https support using it and configure the openssl backend instead. This this is done by spawning an openssl command, we don't need dependencies on openssl for build. For runtime, we can assume people would install openssl if they need/want this. These changes put our default busybox configuration in a more secure initial set of settings.

[YOCTO #14125]

(From OE-Core rev: 5d4ad13462f12355ff0f2bc1773ab4b1814b165a)

Signed-off-by: Richard Purdie
---
 meta/recipes-core/busybox/busybox/defconfig | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-core/busybox/busybox/defconfig b/meta/recipes-core/busybox/busybox/defconfig
index f3d545dc3f..8e3b6e480c 100644
--- a/meta/recipes-core/busybox/busybox/defconfig
+++ b/meta/recipes-core/busybox/busybox/defconfig
@@ -983,7 +983,7 @@ CONFIG_FEATURE_TFTP_GET=y
 CONFIG_FEATURE_TFTP_PUT=y
 # CONFIG_FEATURE_TFTP_BLOCKSIZE is not set
 # CONFIG_TFTP_DEBUG is not set
-CONFIG_TLS=y
+# CONFIG_TLS is not set
 CONFIG_TRACEROUTE=y
 # CONFIG_TRACEROUTE6 is not set
 # CONFIG_FEATURE_TRACEROUTE_VERBOSE is not set
@@ -997,8 +997,8 @@ CONFIG_FEATURE_WGET_STATUSBAR=y
 CONFIG_FEATURE_WGET_FTP=y
 CONFIG_FEATURE_WGET_AUTHENTICATION=y
 CONFIG_FEATURE_WGET_TIMEOUT=y
-CONFIG_FEATURE_WGET_HTTPS=y
-# CONFIG_FEATURE_WGET_OPENSSL is not set
+# CONFIG_FEATURE_WGET_HTTPS is not set
+CONFIG_FEATURE_WGET_OPENSSL=y
 # CONFIG_WHOIS is not set
 # CONFIG_ZCIP is not set
 CONFIG_UDHCPD=y
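Review bot: Turning CONFIG_TLS off moves every https fetch onto an external `openssl` binary, but nothing in this patch expresses that runtime dependency, so an image built from this defconfig without openssl installed gets a `wget` that fails on all https URLs rather than one that fetches without verification. The description accepts that users install openssl themselves; the defconfig cannot carry an RRECOMMENDS, but the recipe (outside this patch) could, and at minimum a comment next to the changed line would make the trade-off visible, e.g. `# internal TLS disabled on purpose: https goes through an external openssl s_client (see FEATURE_WGET_OPENSSL) and needs the openssl binary on the target`. This line also withdraws the internal TLS code from any other applet that selects it, so it is worth confirming no such applet is still enabled elsewhere in this defconfig.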
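Review bot: The "more secure" claim in the description depends on two things that this hunk does not establish: whether the busybox version the recipe builds asks `openssl s_client` to abort on a verification failure (recent releases pass `-verify_return_error` unless `--no-check-certificate` is given, older ones do not, and `s_client` alone only reports the verify result and keeps the connection open), and whether a CA trust store is present on the target, since without one every verified fetch fails outright. Both should be checked against the actual busybox release before relying on this switch, and the result recorded in the recipe or here, e.g. `# FEATURE_WGET_OPENSSL spawns "openssl s_client": certificate validation requires a busybox that passes -verify_return_error and a CA bundle (e.g. ca-certificates) on the target`. The same consideration applies to the CONFIG_TLS change in the previous hunk.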