[PATCH] wget: add TLS SNI support via openssl s_client

Denys Vlasenko vda.linux at googlemail.com
Mon Jul 25 19:37:51 UTC 2016


On Wed, Jul 20, 2016 at 11:56 PM, Jeremy Chadwick <jdc at koitsu.org> wrote:
> The problem of Busybox wget not supporting TLS SNI has come up a couple
> times on the Tomato firmware board on linksysinfo.org.  This impacts
> sites like CloudFlare who are very strict about what SSL and TLS
> parameters they require.
>
> Below is a patch against master that rectifies this.  It should be easy
> to backport to 1_{23,24,25}_stable.
>
> I should note that my patch trumps the one sent on 2015/10/23 here:
> http://lists.busybox.net/pipermail/busybox/2015-October/083510.html
>
> That patch blindly violates RFC 6066 by blindly passing on whatever the
> "host" argument is into -servername.  The "host" argument can (will)
> include such values as ip, ip:port, and hostname:port.  RFC 6066 is
> very clear that the only allowed servername value permitted is a
> string/hostname (i.e. only an FQDN).
>
> And regarding the additional patch from the same individual:
> http://lists.busybox.net/pipermail/busybox/2015-October/083509.html
>
> That patch assumes the OpenSSL library on the client machine has a
> properly configured openssl.cnf as well as a full CA root list (many
> embedded devices do not).  This is a precarious situation and not always
> warranted.  If this is to be done, then a --no-check-certificates flag
> must be added so that it can be disabled.

Applied, thanks!

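The RFC 6066 point raised in the quoted message, as an added example that is neither the submitted patch nor busybox's own code: a hypothetical helper (`sni_servername` / `sni_for`, names assumed here) that strips the port from a wget-style host argument and refuses to emit an IPv4 or IPv6 literal as the `-servername` value for `openssl s_client`.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Derive the SNI servername from a wget-style host argument ("host" or
 * "host:port"). Returns 0 (send no -servername) for IPv4 literals, bare or
 * bracketed IPv6 literals and malformed input, since RFC 6066 permits only a
 * DNS hostname. Hypothetical helper written for this example, not busybox code. */
int sni_servername(const char *hostarg, char *out, size_t outlen)
{
    unsigned char addr[4];
    const char *colon;
    size_t len, i;
    int has_alpha = 0;
    if (hostarg == NULL || outlen == 0 || *hostarg == '[')
        return 0;                               /* "[2001:db8::1]:443" */
    colon = strchr(hostarg, ':');
    if (colon && strchr(colon + 1, ':'))
        return 0;                               /* bare IPv6 literal "::1" */
    len = colon ? (size_t)(colon - hostarg) : strlen(hostarg);
    if (len == 0 || len >= outlen)
        return 0;
    memcpy(out, hostarg, len);
    out[len] = '\0';
    if (inet_pton(AF_INET, out, addr) == 1)
        return 0;                               /* IPv4 literal "192.0.2.1" */
    for (i = 0; i < len; i++) {                 /* letters, digits, '-', '.' only */
        unsigned char c = (unsigned char)out[i];
        if (isalpha(c)) has_alpha = 1;
        else if (!isdigit(c) && c != '-' && c != '.') return 0;
    }
    return has_alpha;                           /* all-numeric "10.0.0.256" is not a hostname */
}

/* Wrapper: the hostname to pass to -servername, or NULL when none should be sent. */
const char *sni_for(const char *hostarg)
{
    static char buf[256];
    return sni_servername(hostarg, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{   /* constructed sample host arguments */
    const char *samples[] = { "example.com:8443", "192.0.2.1:443", "[2001:db8::1]:443", "::1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %s\n", samples[i], sni_for(samples[i]) ? sni_for(samples[i]) : "(no -servername)");
    return 0;
}
```

When the helper returns NULL the caller should omit `-servername` entirely rather than pass the raw argument through.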
