
site-ffs

  • Matthias Schiffer authored
    The autoupdater supports HTTPS when a ustream TLS backend is installed,
    but we did not allow this in site.conf. However, just allowing HTTPS
    URLs unconditionally is also a bad idea, as it might result in nodes
    being unable to reach the mirror, in particular if the `tls` feature is
    enabled only for some devices.
    
    Solve this by allowing https:// URLs only if the marker file installed
    by gluon-tls is found, failing the site check with an error message like
    the following otherwise:
    
        *** All of the following alternatives have failed:
            1) site.conf error: expected autoupdater.branches.test.mirrors.1 to match pattern 'http://', but it is "https://..." (a string value)
            2) site.conf error: expected autoupdater.branches.test.mirrors.1 to use HTTPS only if the 'tls' feature is enabled, but it is "https://..." (a string value)
            3) site.conf error: expected autoupdater.branches.test.mirrors.1 to match pattern '^//', but it is "https://..." (a string value)
    
    In addition, introduce support for protocol-less //server/path URLs,
    which will use either HTTP or HTTPS depending on the availability of
    the `tls` feature. No fallback happens when `tls` is available, but the
    HTTPS connection fails, preventing downgrade attacks.
    
    Based-on-patch-by: Kevin Olbrich <ko@sv01.de>
    c800fe7f
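
The site check and the no-fallback URL resolution described in the commit message above, as an added Python example that is not Gluon's own code. The `tls_enabled` flag stands in for the gluon-tls marker file check, the patterns are anchored at the start of the URL, and the function names and the `mirror.example` host are assumptions made for illustration.

```python
# Added illustration; not Gluon's site-check or autoupdater code.
# tls_enabled stands in for "the marker file installed by gluon-tls is found".

# One entry per alternative listed in the commit message's error output.
# Anchoring every pattern at the start of the URL is an assumption.
ALTERNATIVES = [
    ("to match pattern 'http://'",
     lambda url, tls: url.startswith("http://")),
    ("to use HTTPS only if the 'tls' feature is enabled",
     lambda url, tls: url.startswith("https://") and tls),
    ("to match pattern '^//'",
     lambda url, tls: url.startswith("//")),
]

def check_mirror(path, url, tls_enabled):
    """Return [] if any alternative accepts url, else one error per alternative."""
    if any(ok(url, tls_enabled) for _, ok in ALTERNATIVES):
        return []
    return [f'site.conf error: expected {path} {what}, but it is "{url}"'
            for what, _ in ALTERNATIVES]

def effective_url(url, tls_enabled):
    """Resolve a protocol-less //server/path URL to exactly one scheme."""
    if url.startswith("//"):
        return ("https:" if tls_enabled else "http:") + url
    return url

def fetch_from_mirror(url, tls_enabled, fetch):
    """Try the single resolved URL; an HTTPS failure is never retried over HTTP."""
    target = effective_url(url, tls_enabled)
    return fetch(target)  # any exception propagates: there is no downgrade path

def demo():
    """Record which URLs are attempted when the TLS connection fails."""
    attempts = []
    def failing_fetch(target):  # constructed stand-in for a broken HTTPS connection
        attempts.append(target)
        raise ConnectionError("TLS handshake failed")
    try:
        fetch_from_mirror("//mirror.example/stable/sysupgrade", True, failing_fetch)
    except ConnectionError:
        pass
    return attempts
```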