site.conf

Blame
      gluon-autoupdater: add support for HTTPS and protocol-less URLs · c800fe7f
      Matthias Schiffer authored
      
      The autoupdater supports HTTPS when a ustream TLS backend is installed,
      but we did not allow this in site.conf. However, just allowing HTTPS
      URLs unconditionally is also a bad idea, as it might result in nodes
      being unable to reach the mirror, in particular if the `tls` feature is
      enabled only for some devices.
      
      Solve this by allowing https:// URLs only if the marker file installed
      by gluon-tls is found, failing the site check with an error message like
      the following otherwise:
      
          *** All of the following alternatives have failed:
              1) site.conf error: expected autoupdater.branches.test.mirrors.1 to match pattern 'http://', but it is "https://..." (a string value)
              2) site.conf error: expected autoupdater.branches.test.mirrors.1 to use HTTPS only if the 'tls' feature is enabled, but it is "https://..." (a string value)
              3) site.conf error: expected autoupdater.branches.test.mirrors.1 to match pattern '^//', but it is "https://..." (a string value)
      
      In addition, introduce support for protocol-less //server/path URLs,
      which will use either HTTP or HTTPS depending on the availability of
      the `tls` feature. No fallback happens when `tls` is available, but the
      HTTPS connection fails, preventing downgrade attacks.
      
      Based-on-patch-by: Kevin Olbrich <ko@sv01.de>
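The mirror URL rules described in the commit message (plain http://, https:// only when the `tls` marker is present, protocol-less //host/path resolved by the `tls` feature with no HTTPS-to-HTTP fallback), as an added Python example that is not Gluon's own Lua check_site code; the marker file path and the mirror hostnames are assumed placeholders.

```python
import re

# Assumed placeholder for the marker file that gluon-tls installs (not the real path).
TLS_MARKER = "/lib/gluon/features/tls"
# Config key used in the error messages, as in the quoted site check output.
KEY = "autoupdater.branches.test.mirrors.1"


def tls_feature_enabled(existing_files):
    """The 'tls' feature counts as enabled when the marker file is present."""
    return TLS_MARKER in existing_files


def check_mirror(url, tls):
    """Return None if `url` satisfies one of the three alternatives, otherwise
    the combined error text modelled on the message quoted in the commit."""
    if not isinstance(url, str):
        return f"site.conf error: expected {KEY} to be a string"
    alternatives = [
        ("match pattern 'http://'", url.startswith("http://")),
        ("use HTTPS only if the 'tls' feature is enabled",
         url.startswith("https://") and tls),
        ("match pattern '^//'", re.match(r"^//", url) is not None),
    ]
    if any(ok for _, ok in alternatives):
        return None
    lines = ["*** All of the following alternatives have failed:"]
    for i, (what, _) in enumerate(alternatives, 1):
        lines.append(f'    {i}) site.conf error: expected {KEY} to {what}, '
                     f'but it is "{url}" (a string value)')
    return "\n".join(lines)


def download_plan(url, tls):
    """URLs the updater may try, in order. A protocol-less URL gets exactly
    one scheme chosen from the tls feature; the list never contains an
    http:// entry after an https:// one, so a failed TLS download cannot
    silently downgrade to plaintext."""
    err = check_mirror(url, tls)
    if err is not None:
        raise ValueError(err)
    if url.startswith("//"):
        return [("https:" if tls else "http:") + url]
    return [url]
```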