stubby: should depend on ca-certificates and/or ca-bundle ? #6682

Closed
jonathanunderwood opened this Issue Aug 4, 2018 · 10 comments

jonathanunderwood commented Aug 4, 2018

Issue template (remove lines from top till here)

Maintainer: @iamperson347
Environment: OpenWRT 18.06.0

Description:
I couldn't get stubby to work as initially installed. Then I noticed that ca-bundle and ca-certificates weren't installed on the system, so I used opkg to install them, and now stubby seems to be working fine. Should these be dependencies of the stubby package?

Before installing those packages and restarting stubby, I saw lots of these messages in the log:

Sat Aug  4 18:16:06 2018 daemon.err stubby[27773]: Could not schedule query: None of the configured upstreams could be used to send queries on the specified transports
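A post-install check for the failure mode described in this report, added here as an example; it is not code from the issue or from the stubby package. It counts the quoted stubby log line and verifies a CA trust store exists, which is what stubby's TLS upstream validation needs. The trust-store file names are assumptions about what ca-bundle and ca-certificates install.

```shell
#!/bin/sh
# Added example, not from the issue thread or the stubby package.
# Constructed logread-style sample, used in place of `logread` so this runs offline.
SAMPLE_LOG='Sat Aug  4 18:16:06 2018 daemon.err stubby[27773]: Could not schedule query: None of the configured upstreams could be used to send queries on the specified transports
Sat Aug  4 18:16:07 2018 daemon.info dnsmasq[1234]: started, version 2.79 cachesize 150
Sat Aug  4 18:16:09 2018 daemon.err stubby[27773]: Could not schedule query: None of the configured upstreams could be used to send queries on the specified transports'

# count_upstream_failures LOGTEXT: number of stubby lines reporting that no
# configured upstream could be used (the symptom seen before CA certs were installed).
# `|| true` keeps the exit status 0 when grep counts zero matches.
count_upstream_failures() {
    printf '%s\n' "$1" | grep -c 'stubby\[[0-9]*\]: Could not schedule query' || true
}

# ca_store_present CERTDIR: succeeds if CERTDIR holds a combined bundle file
# (assumed name ca-certificates.crt, as installed by ca-bundle) or at least one
# individual PEM certificate (as installed by ca-certificates).
ca_store_present() {
    dir=$1
    [ -s "$dir/ca-certificates.crt" ] && return 0
    for f in "$dir"/*.crt; do
        [ -s "$f" ] && return 0
    done
    return 1
}

# diagnose LOGTEXT CERTDIR: prints one of
#   ok               - no stubby upstream failures in the log
#   missing-ca-store - failures present and no CA trust store found (this report)
#   upstream-failure - failures present although a trust store exists (look elsewhere:
#                      network, upstream address, or pinning in stubby.yml)
diagnose() {
    failures=$(count_upstream_failures "$1")
    if [ "$failures" -eq 0 ]; then
        echo ok
    elif ! ca_store_present "$2"; then
        echo missing-ca-store
    else
        echo upstream-failure
    fi
}

# On a router, after installing the trust store with opkg, run:
#   diagnose "$(logread)" /etc/ssl/certs
```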

karlp commented Aug 4, 2018

@iamperson347 Given the readme: https://github.com/openwrt/packages/blame/master/net/stubby/files/README.md#L10-L15 yes, why wasn't this just added as a dependency of the package?

guidosarducci commented Aug 7, 2018

FYI, I have some fixes and improvements for stubby (including this issue) getting ready for PR.

iamperson347 commented Aug 7, 2018

Hello All,

@karlp The reason I did not put ca-certificates as a dependency is because there are other ways to manage trusted certificates and I did not want to force ca-certificates onto users. This is why I put it in the openwrt-specific readme instead. However, for 90%+ of users, it probably makes sense to simply make ca-certificates a dependency.

@guidosarducci Please link the PR so we can see what fixes/improvements you are proposing.

karlp commented Aug 7, 2018

Honestly, the fact that you could manage certificates manually is irrelevant. It would be true of all dependencies of all packages.

iamperson347 commented Aug 7, 2018

I have seen other openwrt packages that potentially depend on SSL/TLS connectivity that did not have a ca-cert dependency. However, per your recommendation, we can include it. For this package, since it requires SSL connectivity, it makes sense.

karlp commented Aug 7, 2018

If you can find other packages that depend on certs in some form, and are not optional, then please just straight up file tickets on them.

cshoredaniel commented Aug 13, 2018

@iamperson347 Can you check if (in master) ca-bundle is all you need? Another contributor had a PR that modified ca-bundle so that openssl and mbedtls should hopefully not need ca-certificates, and ca-bundle is smaller due to less file metadata, and on a number of supported devices this matters.

iamperson347 commented Aug 13, 2018

@cshoredaniel I think that should work. I will have to check it, but I believe stubby (and the getdns library) use openssl for SSL connectivity and ca-bundle appears to have the root CA that Cloudflare's intermediate and cert hang off of.

guidosarducci commented Sep 22, 2018

@cshoredaniel Hi Daniel, IIRC you were also looking into the issues around bundled vs. unbundled certs. Is there a prospect of -- or timeline for -- standardizing on use of ca-bundle in OpenWrt due to its smaller size?

Until that can happen, installations might be using bundled or unbundled certs, and a hard stubby dependency on either package would often just consume users' flash needlessly. For that reason, I'm now leaning towards having stubby support using either ca-certificates or ca-bundle (needs a fix) if present, without hard-coding a dependency.

EDIT:
My last comment was based on review of the LEDE branch. After reviewing the master commit history, I see now that lede-project/source@191078e allows ca-bundle to be used without any further fixes, and also that multiple packages have been dropping ca-certificates dependencies in favour of ca-bundle (for the reasons outlined above). It makes sense for stubby to do the same.

cshoredaniel commented Oct 9, 2018

@guidosarducci I'm glad you found the commit ... I mentioned somewhere else you mentioned me. Sorry for not getting back sooner. rl's been busy.

guidosarducci added a commit to guidosarducci/packages that referenced this issue Oct 11, 2018

stubby: standardize on ca-bundle cert dependency
Using ca-bundle package saves 10KB over using ca-certificates, and with
commit openwrt/openwrt@191078e is a drop-in
replacement for packages using openssl and CA certs. This has been noted
as the default in current trunk by other packages switching over e.g.
openwrt@e0a5ed9.

For further related discussion see:
openwrt#7030 (comment) and
openwrt#6682 (comment).

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>