wolfssl: build with WOLFSSL_ALT_CERT_CHAINS
"Alternate certification chains, as oppossed to requiring full chain validataion. Certificate validation behavior is relaxed, similar to openssl and browsers. Only the peer certificate must validate to a trusted certificate. Without this, all certificates sent by a peer must be used in the trust chain or the connection will be rejected." This fixes e.g. uclient-fetch and curl connecting to servers using a Let's Encrypt certificate which are cross-signed by the now expired DST Root CA X3, see [0]. This is the recommended solution from upstream [1]. The binary size increases by ~12.3kb: 1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f 1248704 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f [0] https://github.com/openwrt/packages/issues/16674 [1] https://github.com/wolfSSL/wolfssl/issues/4443#issuecomment-934926793 Signed-off-by: Andre Heider <a.heider@gmail.com> [bump PKG_RELEASE] Signed-off-by: David Bauer <mail@david-bauer.net>
This commit is contained in:
Andre Heider
David Bauer
parent
a1ac8728f8
commit
28d8e6a871
1 changed files with 8 additions and 2 deletions
|
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=wolfssl
|
||||
PKG_VERSION:=4.8.1-stable
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
|
||||
|
|
@ -59,7 +59,13 @@ define Package/libwolfssl/config
|
|||
source "$(SOURCE)/Config.in"
|
||||
endef
|
||||
|
||||
TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 -fomit-frame-pointer -flto
|
||||
TARGET_CFLAGS += \
|
||||
$(FPIC) \
|
||||
-fomit-frame-pointer \
|
||||
-flto \
|
||||
-DFP_MAX_BITS=8192 \
|
||||
-DWOLFSSL_ALT_CERT_CHAINS
|
||||
|
||||
TARGET_LDFLAGS += -flto
|
||||
|
||||
# --enable-stunnel needed for OpenSSL API compatibility bits
|
||||
|
|
|
|||
Loading…
Reference in a new issue