busybox: reconfigure wget https support by default for security

The default busybox wget https support is suboptimal, it silently ignores
checking certificate validity which isn't great for security.

Switch our defaults to disable the internal busybox tls code and the
https support using it and configure the openssl backend instead.

This this is done by spawning an openssl command, we don't need
dependencies on openssl for build. For runtime, we can assume
people would install openssl if they need/want this.

These changes put our default busybox configuration in a more secure
initial set of settings.

[YOCTO #14125]

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

diff --git a/meta/recipes-core/busybox/busybox/defconfig b/meta/recipes-core/busybox/busybox/defconfig
index f3d545dc3fbe883865cf4c645319148abb3438c7..8e3b6e480ca12daadfb2c7afb6426dc146e112b4 100644 (file)
--- a/meta/recipes-core/busybox/busybox/defconfig
+++ b/meta/recipes-core/busybox/busybox/defconfig
@@ -983,7 +983,7 @@ CONFIG_FEATURE_TFTP_GET=y
 CONFIG_FEATURE_TFTP_PUT=y
 # CONFIG_FEATURE_TFTP_BLOCKSIZE is not set
 # CONFIG_TFTP_DEBUG is not set
-CONFIG_TLS=y
+# CONFIG_TLS is not set
 CONFIG_TRACEROUTE=y
 # CONFIG_TRACEROUTE6 is not set
 # CONFIG_FEATURE_TRACEROUTE_VERBOSE is not set
@@ -997,8 +997,8 @@ CONFIG_FEATURE_WGET_STATUSBAR=y
 CONFIG_FEATURE_WGET_FTP=y
 CONFIG_FEATURE_WGET_AUTHENTICATION=y
 CONFIG_FEATURE_WGET_TIMEOUT=y
-CONFIG_FEATURE_WGET_HTTPS=y
-# CONFIG_FEATURE_WGET_OPENSSL is not set
+# CONFIG_FEATURE_WGET_HTTPS is not set
+CONFIG_FEATURE_WGET_OPENSSL=y
 # CONFIG_WHOIS is not set
 # CONFIG_ZCIP is not set
 CONFIG_UDHCPD=y