
gluon-autoupdater: allow https mirror urls #3264

Open: wants to merge 1 commit into base branch main

Conversation

kevin-olbrich (Contributor)

No description provided.

@github-actions github-actions bot added the 3. topic: package Topic: Gluon Packages label May 15, 2024
@kevin-olbrich (Contributor, Author)

Features
TLS support
Gluon now provides HTTPS client support when the tls feature is included in the site configuration, allowing nodes to establish encrypted connections to autoupdater mirrors, opkg repositories and other HTTPS servers.
Source: https://gluon.readthedocs.io/en/latest/releases/v2023.2.html

TLS support can be enabled but the site check prevents https mirror urls in site.conf.

@neocturne (Member)

Hmm, the change is working as intended, but optimally we'd only allow HTTPS if the gluon-tls package is installed, to prevent accidentally building non-updateable firmwares (which could happen by removing the tls feature to save space, without thinking about updating the URL).

This could be implemented by having gluon-tls create a marker file like gluon-wireless-encryption-wpa3 does, and check for the existence of the marker in the site check script (similar to the check for the contents of the default_branch file).
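The marker-file approach described in the comment above, written out as an added example (this is not Gluon's own site check and not code from the PR): a site check that accepts an https:// mirror only when a TLS marker file exists in the image. The marker path, the function names and the site.conf fragment are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not Gluon's own site check: accept an https:// autoupdater
# mirror only when a TLS marker file exists in the image being built.
# The marker path is hypothetical; the site.conf fragment below is constructed.

TLS_MARKER="${TLS_MARKER:-/lib/gluon/features/tls}"   # hypothetical path

# Constructed site.conf fragment with one HTTPS and one HTTP mirror.
SITE_CONF_SAMPLE="autoupdater = {
  branches = {
    stable = {
      name = 'stable',
      mirrors = {
        'https://updates.example.org/stable/sysupgrade',
        'http://[fdff::1]/stable/sysupgrade',
      },
    },
  },
}"

# extract_mirrors CONF_TEXT
# Prints every single-quoted URL (scheme://...) found in the text, one per line.
extract_mirrors() {
    printf '%s\n' "$1" | grep -o "'[A-Za-z][A-Za-z0-9+.-]*://[^']*'" | tr -d "'"
}

# check_mirrors MARKER URL...
# Returns 0 when every URL is acceptable; otherwise prints one diagnostic per
# rejected URL to stderr and returns 1. https:// is rejected when MARKER is
# absent, because libustream does not fall back to HTTP (see the thread).
check_mirrors() {
    marker="$1"; shift
    rc=0
    for url in "$@"; do
        case "$url" in
            http://*)
                ;;
            https://*)
                if [ ! -e "$marker" ]; then
                    echo "site check: '$url' needs the tls feature (marker '$marker' missing)" >&2
                    rc=1
                fi
                ;;
            *)
                echo "site check: '$url' has no http:// or https:// scheme" >&2
                rc=1
                ;;
        esac
    done
    return "$rc"
}

# check_site_conf MARKER CONF_TEXT: run check_mirrors over the URLs in CONF_TEXT.
check_site_conf() {
    urls=$(extract_mirrors "$2")
    # URLs contain no whitespace, so unquoted expansion splits them into arguments.
    # shellcheck disable=SC2086
    check_mirrors "$1" $urls
}

# Demo: without the marker the sample configuration is rejected; with it, accepted.
demo_marker=$(mktemp)        # a temporary file standing in for the marker
rm -f "$demo_marker"
check_site_conf "$demo_marker" "$SITE_CONF_SAMPLE" && echo "accepted (unexpected)" || echo "rejected without marker"
touch "$demo_marker"
check_site_conf "$demo_marker" "$SITE_CONF_SAMPLE" && echo "accepted with marker"
rm -f "$demo_marker"
```

The check deliberately fails the build rather than rewriting the URL to http://, which matches the concern in the thread: a node flashed with an https:// mirror and no TLS client cannot update at all, so the mismatch has to be caught at build time.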

@neocturne (Member) commented May 15, 2024

Hmm, or does libustream fall back to HTTP anyways when HTTPS is requested, but not available?

Edit: It does not fall back.

@T0biii (Contributor) commented Jun 3, 2024

Maybe auto-select the correct protocol depending on whether the tls feature is there or not.
If you want explicitly http://, set the URL to it. If you want http:// and/or https://, remove the prefix?
And if you have https:// set, try to fall back to http:// if all https:// mirrors are unreachable.

@Djfe (Contributor) commented Jun 8, 2024

In that case https has no advantages. Just drop all packets on port 443 and nodes will fall back to port 80.
Either the community offers https or it doesn't.

The bigger issue imo is root certificates that need to be replaced from time to time.
If a node is offline for at least x years, then it won't be able to update anymore, right?
Unless you build self-signed certificates into the firmware that won't expire.

@rotanid rotanid added the 2. status: blocked Marked as blocked because it's waiting on something label Jul 28, 2024