diff options
| author | Josh Roys <roysjosh@gmail.com> | 2022-07-23 11:23:16 -0400 |
|---|---|---|
| committer | Christian Marangi <ansuelsmth@gmail.com> | 2022-09-10 15:24:22 +0200 |
| commit | 90c6e3aedf167b0ae1baf376e7800a631681e69a (patch) | |
| tree | e63fad68ee73899024f0dedeee0d8d690666347d /rules.mk | |
| parent | f522c27385d6f94e5dbcc3e84968f0e38609ff1c (diff) | |
| download | openwrt-90c6e3aedf167b0ae1baf376e7800a631681e69a.tar.gz openwrt-90c6e3aedf167b0ae1baf376e7800a631681e69a.tar.bz2 openwrt-90c6e3aedf167b0ae1baf376e7800a631681e69a.zip | |
scripts: always check certificates
Remove flags from wget and curl instructing them to ignore bad server
certificates. Although other mechanisms can protect against malicious
modifications of downloads, other vectors of attack may be available
to an adversary.
TLS certificate verification can be disabled by turning oof the
"Enable TLS certificate verification during package download" option
enabled by default in the "Global build settings" in "make menuconfig"
Signed-off-by: Josh Roys <roysjosh@gmail.com>
[ add additional info on how to disable this option ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Diffstat (limited to 'rules.mk')
| -rw-r--r-- | rules.mk | 3 |
1 files changed, 3 insertions, 0 deletions
@@ -257,6 +257,9 @@ ESED:=$(STAGING_DIR_HOST)/bin/sed -E -i -e MKHASH:=$(STAGING_DIR_HOST)/bin/mkhash # MKHASH is used in /scripts, so we export it here. export MKHASH +# DOWNLOAD_CHECK_CERTIFICATE is used in /scripts, so we export it here. +DOWNLOAD_CHECK_CERTIFICATE:=$(CONFIG_DOWNLOAD_CHECK_CERTIFICATE) +export DOWNLOAD_CHECK_CERTIFICATE CP:=cp -fpR LN:=ln -sf XARGS:=xargs -r |