Opkg AND wget ignore --no-check-certificate [Solved]

Try to save space with imageBuilder.
Wanna keep opkg, because you never know...

Expected to be able to still do the risky --no-check-certificate download.
(At least for package list. For package itself, I prefer secure download on another machine and transfer locally).

So I omitted https gear by -ca-bundle -libustream-mbedtls in imageBuilder make.
I thought I tried this before - but maybe I was still using the web builder then?

Now both opkg and wget (called directly) refuse to download, although called with --no-check-certificate:

root@OpenWrt:~$ opkg --no-check-certificate update
Downloading https://downloads.openwrt.org/releases/23.05.5/targets/ath79/generic/packages/Packages.gz
wget: SSL support not available, please install one of the libustream-.*[ssl|tls] packages as well as the ca-bundle and ca-certificates packages.
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.5/targets/ath79/generic/packages/Packages.gz

and

root@OpenWrt:/tmp$ wget --no-check-certificate https://downloads.openwrt.org/releases/23.05.5/packages/mips_24kc/telephony/Packages.gz
wget: SSL support not available, please install one of the libustream-.*[ssl|tls] packages as well as the ca-bundle and ca-certificates packages.

Is this a bug?
Or did I miss something else?
I also found that luci over https is not working.
Does this rely on -libustream-mbedtls, too?

root@OpenWrt:/tmp$ opkg list-installed
base-files - 1562-r24106-10cc5fcd00
bridge - 1.7.1-1
busybox - 1.36.1-1
cgi-io - 2022-08-10-901b0f04-21
collectd - 5.12.0-49
collectd-mod-cpu - 5.12.0-49
collectd-mod-df - 5.12.0-49
collectd-mod-iwinfo - 5.12.0-49
collectd-mod-network - 5.12.0-49
collectd-mod-wireless - 5.12.0-49
diffutils - 3.8-1
dropbear - 2022.82-6
firewall4 - 2023-09-01-598d9fbb-1
fstools - 2023-02-28-bfe882d5-1
fwtool - 2019-11-12-8f7fe925-1
getrandom - 2022-08-13-4c7b720b-2
hostapd-common - 2023-09-08-e5ccbfc6-8
hostapd-mbedtls - 2023-09-08-e5ccbfc6-8
ip-bridge - 6.3.0-1
iw - 5.19-1
iwinfo - 2023-07-01-ca79f641-1
jansson4 - 2.14-3
jshn - 2023-05-23-75a3b870-1
jsonfilter - 2024-01-23-594cfa86-1
kernel - 5.15.167-1-da89f936189e8280762513898b74a850
kmod-ath - 5.15.167+6.1.110-1-1
kmod-ath9k - 5.15.167+6.1.110-1-1
kmod-ath9k-common - 5.15.167+6.1.110-1-1
kmod-cfg80211 - 5.15.167+6.1.110-1-1
kmod-crypto-aead - 5.15.167-1
kmod-crypto-ccm - 5.15.167-1
kmod-crypto-cmac - 5.15.167-1
kmod-crypto-crc32c - 5.15.167-1
kmod-crypto-ctr - 5.15.167-1
kmod-crypto-gcm - 5.15.167-1
kmod-crypto-gf128 - 5.15.167-1
kmod-crypto-ghash - 5.15.167-1
kmod-crypto-hash - 5.15.167-1
kmod-crypto-hmac - 5.15.167-1
kmod-crypto-manager - 5.15.167-1
kmod-crypto-null - 5.15.167-1
kmod-crypto-rng - 5.15.167-1
kmod-crypto-seqiv - 5.15.167-1
kmod-crypto-sha512 - 5.15.167-1
kmod-gpio-button-hotplug - 5.15.167-3
kmod-lib-crc32c - 5.15.167-1
kmod-mac80211 - 5.15.167+6.1.110-1-1
kmod-nf-conntrack - 5.15.167-1
kmod-nf-conntrack6 - 5.15.167-1
kmod-nf-flow - 5.15.167-1
kmod-nf-log - 5.15.167-1
kmod-nf-log6 - 5.15.167-1
kmod-nf-nat - 5.15.167-1
kmod-nf-reject - 5.15.167-1
kmod-nf-reject6 - 5.15.167-1
kmod-nfnetlink - 5.15.167-1
kmod-nft-core - 5.15.167-1
kmod-nft-fib - 5.15.167-1
kmod-nft-nat - 5.15.167-1
kmod-nft-offload - 5.15.167-1
kmod-random-core - 5.15.167-1
libblobmsg-json20230523 - 2023-05-23-75a3b870-1
libc - 1.2.4-4
libcap - 2.69-1
libevent2-7 - 2.1.12-1
libgcc1 - 12.3.0-4
libiwinfo-data - 2023-07-01-ca79f641-1
libiwinfo20230701 - 2023-07-01-ca79f641-1
libjson-c5 - 0.16-3
libjson-script20230523 - 2023-05-23-75a3b870-1
libltdl7 - 2.4.7-1
liblua5.1.5 - 5.1.5-11
liblucihttp-ucode - 2023-03-15-9b5b683f-1
liblucihttp0 - 2023-03-15-9b5b683f-1
libmbedtls12 - 2.28.9-1
libmnl0 - 1.0.5-1
libnetsnmp - 5.9.1-7
libnftnl11 - 1.2.6-1
libnl-tiny1 - 2023-07-27-bc92a280-1
libpci - 3.10.0-1
libpcre2 - 10.42-1
libpopt0 - 1.19-1
libpthread - 1.2.4-4
libubox20230523 - 2023-05-23-75a3b870-1
libubus20230605 - 2023-06-05-f787c97b-1
libuci20130104 - 2023-08-10-5781664d-1
libuclient20201210 - 2023-04-13-007d9454-1
libucode20230711 - 2024-07-11-1a8a0bcf-3
lldpd - 1.0.17-5
logd - 2022-08-13-4c7b720b-2
luci - git-24.346.66847-1bb28ba
luci-app-firewall - git-24.346.66847-1bb28ba
luci-app-opkg - git-24.346.66847-1bb28ba
luci-base - git-24.346.66847-1bb28ba
luci-light - git-24.346.66847-1bb28ba
luci-mod-admin-full - git-24.346.66847-1bb28ba
luci-mod-network - git-24.346.66847-1bb28ba
luci-mod-status - git-24.346.66847-1bb28ba
luci-mod-system - git-24.346.66847-1bb28ba
luci-proto-ipv6 - git-24.346.66847-1bb28ba
luci-proto-ppp - git-24.346.66847-1bb28ba
luci-theme-bootstrap - git-24.346.66847-1bb28ba
mtd - 26
netifd - 2024-01-04-c18cc79d-2
nftables-json - 1.0.8-1
openssh-sftp-server - 9.8p1-1
openwrt-keyring - 2022-03-25-62471e69-2
opkg - 2022-02-24-d038e5b6-2
perl - 5.28.1-9
procd - 2023-06-25-2db83655-2
procd-seccomp - 2023-06-25-2db83655-2
procd-ujail - 2023-06-25-2db83655-2
rpcd - 2023-07-01-c07ab2f9-1
rpcd-mod-file - 2023-07-01-c07ab2f9-1
rpcd-mod-iwinfo - 2023-07-01-c07ab2f9-1
rpcd-mod-luci - 20240305-1
rpcd-mod-rrdns - 20170710
rpcd-mod-ucode - 2023-07-01-c07ab2f9-1
rssileds - 4
rsync - 3.2.7-1
snmpd - 5.9.1-7
swconfig - 12
uboot-envtools - 2023.04-1
ubox - 2022-08-13-4c7b720b-2
ubus - 2023-06-05-f787c97b-1
ubusd - 2023-06-05-f787c97b-1
uci - 2023-08-10-5781664d-1
uclient-fetch - 2023-04-13-007d9454-1
ucode - 2024-07-11-1a8a0bcf-3
ucode-mod-fs - 2024-07-11-1a8a0bcf-3
ucode-mod-html - 1
ucode-mod-math - 2024-07-11-1a8a0bcf-3
ucode-mod-nl80211 - 2024-07-11-1a8a0bcf-3
ucode-mod-rtnl - 2024-07-11-1a8a0bcf-3
ucode-mod-ubus - 2024-07-11-1a8a0bcf-3
ucode-mod-uci - 2024-07-11-1a8a0bcf-3
ucode-mod-uloop - 2024-07-11-1a8a0bcf-3
uhttpd - 2023-06-25-34a8a74d-2
uhttpd-mod-ubus - 2023-06-25-34a8a74d-2
urandom-seed - 3
urngd - 2023-11-01-44365eb1-1
usign - 2020-05-23-f1f65026-1
wireless-regdb - 2024.10.07-1
zlib - 1.2.13-1

Idiot, me? :see_no_evil: :person_facepalming:
well - partly ...
by changing the address from https to http, at least, wget works:

wget --no-check-certificate http://downloads.openwrt.org/releases/23.05.5/packages/mips_24kc/telephony/Packages.gz

Ah, I see, here are download links:
root@OpenWrt:/etc/opkg$ vi distfeeds.conf

Manually changing all entries from https to http does fix the problem and I can successfully perform a
$ opkg --no-check-certificate update


So, may I assume that a local imageBuilder does not automagically change to http links, if there is no secure wget available?

And in contrast, https://firmware-selector.openwrt.org/ does perform this change?

Can the imageBuilder be configured to do so?
Is it a bug? Or a feature request?
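
The manual edit described above, as an added example that is not part of the original posts: it rewrites the feed lines in distfeeds.conf from https to http, but only after confirming that opkg still verifies the usign signature of the package lists (usign and openwrt-keyring are in the list-installed output above). The `/etc/opkg.conf` location, the `option check_signature` line and the feed names in the sample are assumptions based on a standard OpenWrt install.

```shell
#!/bin/sh
# Added example for OpenWrt images built without libustream-*/ca-bundle.

# Succeeds if opkg.conf ($1) has an active "option check_signature" line,
# i.e. opkg verifies the usign signature of each downloaded package list.
signature_check_enabled() {
    grep -Eq '^[[:space:]]*option[[:space:]]+check_signature([[:space:]]|$)' "$1"
}

# Print the number of feed lines in $1 that still use https.
count_https_feeds() {
    grep -Ec '^[[:space:]]*src(/gz)?[[:space:]]+[^[:space:]]+[[:space:]]+https://' "$1" || true
}

# Rewrite only the URL scheme of src / src/gz lines in $1; comments and
# every other line stay as they are. The original is kept as $1.https.
feeds_to_http() {
    cp "$1" "$1.https" &&
    sed -E 's#^([[:space:]]*src(/gz)?[[:space:]]+[^[:space:]]+[[:space:]]+)https://#\1http://#' \
        "$1.https" > "$1"
}

# $1: opkg.conf, $2: distfeeds.conf. Refuses to downgrade the transport
# when signature checking is off, because nothing would authenticate the lists.
switch_feeds() {
    if ! signature_check_enabled "$1"; then
        echo "refusing: check_signature is not enabled in $1" >&2
        return 1
    fi
    feeds_to_http "$2"
}

# Demo on constructed sample files (not taken from a real device).
demo() {
    d=$(mktemp -d) || return 1
    printf 'dest root /\noption check_signature\n' > "$d/opkg.conf"
    printf '%s\n' '# constructed sample feeds' \
        'src/gz openwrt_core https://downloads.openwrt.org/releases/23.05.5/targets/ath79/generic/packages' \
        'src/gz openwrt_telephony https://downloads.openwrt.org/releases/23.05.5/packages/mips_24kc/telephony' \
        > "$d/distfeeds.conf"
    switch_feeds "$d/opkg.conf" "$d/distfeeds.conf" && cat "$d/distfeeds.conf"
    rm -rf "$d"
}

case "${1:-}" in
    demo)  demo ;;
    apply) switch_feeds /etc/opkg.conf /etc/opkg/distfeeds.conf ;;
esac
```

With http:// feeds, --no-check-certificate has nothing to act on, since no TLS handshake takes place; the integrity of the lists then rests on the signature check alone.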

Since you have mbedtls for hostap why are you trying to fend iff 30kB in glue packages?

sorry, don't get your point.
What glue packages you are referring to?
What's 'iff'?
Glad for any pointer to save space, of course.

Off

uclient-fetch+cacerts are minuscule compared to lib+wpad itself

afaik wpa_psk is kind of a by-product of radius and is not available on the basic versions of wpad / hostapd
is that what you mean?
so, yes, it's easier to use space in large chunks than to regain it in small steps

Maybe, by stepping into the sources, it would be possible to fine-tune the crypto gear to the minimum requirements of wpa_psk, but that's beyond my scope right now
