Serve package index over HTTPS #5480
Comments
|
Switching to HTTPS for the package download is something we will be looking into before the next release, thanks for bringing this up. |
|
Short term I am using github https://github.com/esp8266/Arduino/releases/download/2.4.2/package_esp8266com_index.json |
|
Release 2.5.0-beta1 is out, in case you want to use that json instead. |
|
Thanks for the offer. |
|
I should rephrase: ... in case you want to try it out and provide feedback :) |
|
@igrr has there been any progress? |
|
@devyte Some progress — I have created a repo, but don't have a domain name at esp8266.com yet. Will ping the owner (Espressif) again. |
|
@igrr due date for 2.5.0 was yesterday. I assume this still needs more time and should be pushed back? |
|
Have set up https://arduino-test.esp8266.com/ which is generated from https://github.com/esp8266/esp8266.github.io. HTTPS seems to work. Next step is to upload existing package .json to that repo, and test that Arduino IDE can use that as a package manager URL. |
|
Hi @igrr! I can confirm that the Arduino IDE correctly works with HTTPS endpoints. Could you please enable HTTPS on arduino.esp8266.com as well? Is there anything we can help with, re: testing? |
|
@gvarisco Sure, can you try installing the package using this boards manager package URL? https://arduino-test.esp8266.com/stable/package_esp8266com_index.json (instead of the usual http://arduino.esp8266.com/stable/package_esp8266com_index.json) If that works, I'll ask the DNS record owner to switch |
|
One more thing to test, is that the http->https redirection works, i.e. if the boards manager package URL is set as
then Arduino will install the package successfully, after redirection to |
|
Hi @igrr! I can confirm that installing the package using the board manager's package URL you provided (the https one) works just fine on Arduino IDE. I can also confirm that the http->https redirection (via 301) WORKS as expected, and both the package's index as well the package itself get download without any problems. You should be good to switch the main host over it. |
|
Okay, done. The package is now available from arduino.esp8266.com both via http and https. I have not enabled automatic redirection from http to https just yet. Next step is to update release scripts in this repo to automatically upload the new package version for every release. |
* Upgrade to https: serving for JSON, links in docs Fixes #5480 * Update boards.rst documentation * Update more documentation http: refs to https: * Remove obsolete staging info * Drop obsolete versions from JSON programatically After the final merge is done on the JSON, strip out any named versions from the final product. Removing 1.6.5-* and 2.5.0-beta(1,2,3) for now. * Remove 2.4.0-rc(0/1) from JSON, too
|
@igrr thanks for working on #5992. I've noticed there's no 301 redirect on http://arduino.esp8266.com/ (http->https) or even better HSTS. Do you have any plan for it? |
|
@gvarisco Unfortunately, old versions of Arduino IDE can not verify the certificate of https://arduino.esp8266.com, so we can not enable the HTTP -> HTTPS redirect. |
Why is the board manager http://arduino.esp8266.com/stable/package_esp8266com_index.json not in https like ESP32 https://dl.espressif.com/dl/package_esp32_index.json ?
I cannot load ESP8266 in our work office, thus I need to hotspot my mobile to connect and download everytime the json file.
The text was updated successfully, but these errors were encountered: