
busybox: reconfigure wget https support by default for security

Message ID 20240712135146.1614566-1-richard.purdie@linuxfoundation.org
State Accepted, archived
Commit 5d4ad13462f12355ff0f2bc1773ab4b1814b165a

Commit Message

Richard Purdie July 12, 2024, 1:51 p.m. UTC
The default busybox wget https support is suboptimal: it silently ignores
checking certificate validity, which isn't great for security.

Switch our defaults to disable the internal busybox tls code and the
https support using it and configure the openssl backend instead.

Since this is done by spawning an openssl command, we don't need
dependencies on openssl for build. For runtime, we can assume
people would install openssl if they need/want this.

These changes put our default busybox configuration in a more secure
initial set of settings.

[YOCTO #14125]

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-core/busybox/busybox/defconfig | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
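The commit message describes the three defconfig settings that move wget from the non-verifying internal TLS client to the openssl backend. The following checker, added here as an example and not part of this patch or of the busybox/OE-core project, verifies that a busybox defconfig or generated .config carries exactly those settings, so the result of the reconfiguration can be confirmed on a built tree rather than assumed. The function name, the sample files and the temporary paths are this example's own.

```shell
# Added example (not part of this patch or the busybox/OE-core project):
# verify that a busybox defconfig or .config carries the wget TLS settings
# this patch establishes: internal TLS client off, internal https path off,
# openssl backend on. Function and sample files are this example's own.

# check_wget_tls_config FILE
# Prints one line per mismatch; returns 1 if any setting is wrong, 0 if all match.
check_wget_tls_config() {
    cfg="$1"
    rc=0
    # busybox records a disabled option as a "# ... is not set" comment line,
    # so each expectation is matched as a whole fixed line (-x -F).
    for want in \
        '# CONFIG_TLS is not set' \
        '# CONFIG_FEATURE_WGET_HTTPS is not set' \
        'CONFIG_FEATURE_WGET_OPENSSL=y'
    do
        if ! grep -qxF -- "$want" "$cfg"; then
            echo "missing: $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the affected region as it reads after this patch.
SAMPLE_AFTER=$(mktemp)
cat > "$SAMPLE_AFTER" <<'EOF'
# CONFIG_TLS is not set
CONFIG_FEATURE_WGET_FTP=y
# CONFIG_FEATURE_WGET_HTTPS is not set
CONFIG_FEATURE_WGET_OPENSSL=y
EOF

# Constructed sample: the same region before the patch (internal TLS on).
SAMPLE_BEFORE=$(mktemp)
cat > "$SAMPLE_BEFORE" <<'EOF'
CONFIG_TLS=y
CONFIG_FEATURE_WGET_FTP=y
CONFIG_FEATURE_WGET_HTTPS=y
# CONFIG_FEATURE_WGET_OPENSSL is not set
EOF

# Demonstration: the post-patch file passes; the pre-patch file reports
# all three expected lines as missing.
echo "after patch:"
check_wget_tls_config "$SAMPLE_AFTER" && echo "ok"
echo "before patch:"
check_wget_tls_config "$SAMPLE_BEFORE" || echo "needs reconfiguration"
```

Run it against the real file with `check_wget_tls_config meta/recipes-core/busybox/busybox/defconfig` (or against the `.config` in a busybox work directory) to confirm the three settings survived any later fragment merges; a non-zero return names the lines that still differ.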

Patch

diff --git a/meta/recipes-core/busybox/busybox/defconfig b/meta/recipes-core/busybox/busybox/defconfig
index f3d545dc3fb..8e3b6e480ca 100644
--- a/meta/recipes-core/busybox/busybox/defconfig
+++ b/meta/recipes-core/busybox/busybox/defconfig
@@ -983,7 +983,7 @@  CONFIG_FEATURE_TFTP_GET=y
 CONFIG_FEATURE_TFTP_PUT=y
 # CONFIG_FEATURE_TFTP_BLOCKSIZE is not set
 # CONFIG_TFTP_DEBUG is not set
-CONFIG_TLS=y
+# CONFIG_TLS is not set
 CONFIG_TRACEROUTE=y
 # CONFIG_TRACEROUTE6 is not set
 # CONFIG_FEATURE_TRACEROUTE_VERBOSE is not set
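Review bot: The defconfig itself gives no hint why CONFIG_TLS is being dropped here, and the commit message only calls it "the internal busybox tls code"; since this is the built-in TLS implementation that the wget https path in the second hunk relies on, a short note in the commit message that unsetting CONFIG_TLS is what actually removes the non-verifying code path (the second hunk only switches the wget backend) would make the intent of this hunk self-explanatory to anyone reading the defconfig history later.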
@@ -997,8 +997,8 @@  CONFIG_FEATURE_WGET_STATUSBAR=y
 CONFIG_FEATURE_WGET_FTP=y
 CONFIG_FEATURE_WGET_AUTHENTICATION=y
 CONFIG_FEATURE_WGET_TIMEOUT=y
-CONFIG_FEATURE_WGET_HTTPS=y
-# CONFIG_FEATURE_WGET_OPENSSL is not set
+# CONFIG_FEATURE_WGET_HTTPS is not set
+CONFIG_FEATURE_WGET_OPENSSL=y
 # CONFIG_WHOIS is not set
 # CONFIG_ZCIP is not set
 CONFIG_UDHCPD=y
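Review bot: Enabling CONFIG_FEATURE_WGET_OPENSSL moves the TLS work to an external openssl binary at runtime, but nothing in this change records that dependency: the diff only touches defconfig, and with CONFIG_FEATURE_WGET_HTTPS unset there is no internal fallback, so `wget https://...` on an image without the openssl command will fail rather than degrade. Consider an RRECOMMENDS on the openssl command-line package (openssl-bin in OE-core) in the busybox recipe, or at least a line in the commit message stating that failure mode, so image builders know what they must install alongside this default.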