I ran into an issue yesterday with wget fetching the source packages for the iasl build from the acpica.org website. It seems that they have changed their SSL implementation. Specifically, this site, as of yesterday, uses TLS-SNI on the backend. Wget versions that I have tried, 1.12 and the latest 1.13.4, fail with:
ERROR: cannot verify www.acpica.org's certificate, issued by `/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287': Issued certificate has expired. ERROR: certificate common name `ofono.org' doesn't match requested host name `www.acpica.org'. To connect to www.acpica.org insecurely, use `--no-check-certificate'.
The suggestion back from acpica.org is to use curl, which can properly handle TLS-SNI. It appears that there may be patches around for TLS-SNI implementation within wget. So, as an alternative, we can build our own wget in coreboot. Or, we could simply pass in --no-check-certificate.
In any case, it seems that a change needs to be made to the buildgcc script to get iasl to build. Does anyone have a preference on direction for this change?
Thanks, Ray
Am Sa 12 Mai 2012 00:18:58 CEST schrieb Raymond Danks:
In any case, it seems that a change needs to be made to the buildgcc script to get iasl to build. Does anyone have a preference on direction for this change?
Use --no-check-certificate. Building our own wget is somewhat excessive. If we want to improve trust about tarball integrity, we better check hashes or signatures than rely on https.
Patrick
Am 12.05.2012 00:18, schrieb Raymond Danks:
In any case, it seems that a change needs to be made to the buildgcc script to get iasl to build. Does anyone have a preference on direction for this change?
http://review.coreboot.org/#/c/1025/ should fix this (and some issues with proxies that dislike ftp transfers using wget).
Patrick