diff -Nru busybox-1.30.1/debian/changelog busybox-1.30.1/debian/changelog
--- busybox-1.30.1/debian/changelog	2020-03-30 15:37:00.000000000 +0000
+++ busybox-1.30.1/debian/changelog	2020-05-19 15:16:23.000000000 +0000
@@ -1,3 +1,11 @@
+busybox (1:1.30.1-4ubuntu6.1) focal; urgency=medium
+
+  * Enable TLS verification with OpenSSL. LP: #1879533
+  * Enable TLS in initramfs flavour of wget applet, requires openssl. LP:
+    #1879525
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 19 May 2020 16:16:23 +0100
+
 busybox (1:1.30.1-4ubuntu6) focal; urgency=medium
 
   * debian/patches/stime-is-clock_settime.patch: stime is obsolete, use
diff -Nru busybox-1.30.1/debian/config/pkg/initramfs busybox-1.30.1/debian/config/pkg/initramfs
--- busybox-1.30.1/debian/config/pkg/initramfs	2019-11-04 16:35:27.000000000 +0000
+++ busybox-1.30.1/debian/config/pkg/initramfs	2020-05-19 15:16:23.000000000 +0000
@@ -956,7 +956,7 @@
 CONFIG_FEATURE_WGET_AUTHENTICATION=y
 # CONFIG_FEATURE_WGET_TIMEOUT is not set
 # CONFIG_FEATURE_WGET_HTTPS is not set
-# CONFIG_FEATURE_WGET_OPENSSL is not set
+CONFIG_FEATURE_WGET_OPENSSL=y
 # CONFIG_WHOIS is not set
 # CONFIG_ZCIP is not set
 # CONFIG_UDHCPD is not set
diff -Nru busybox-1.30.1/debian/patches/45fa3f18adf57ef9d743038743d9c90573aeeb91.patch busybox-1.30.1/debian/patches/45fa3f18adf57ef9d743038743d9c90573aeeb91.patch
--- busybox-1.30.1/debian/patches/45fa3f18adf57ef9d743038743d9c90573aeeb91.patch	1970-01-01 00:00:00.000000000 +0000
+++ busybox-1.30.1/debian/patches/45fa3f18adf57ef9d743038743d9c90573aeeb91.patch	2020-05-19 15:16:23.000000000 +0000
@@ -0,0 +1,90 @@
+From 45fa3f18adf57ef9d743038743d9c90573aeeb91 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov <xnox@ubuntu.com>
+Date: Tue, 19 May 2020 18:20:39 +0100
+Subject: wget: implement TLS verification with ENABLE_FEATURE_WGET_OPENSSL
+
+When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
+verification by default. And only ignore verification errors, if
+--no-check-certificate was passed.
+
+Also note, that previously OPENSSL implementation did not implement
+TLS verification, nor printed any warning messages that verification
+was not performed.
+
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533
+
+CVE-2018-1000500
+
+Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ networking/wget.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+Index: busybox-1.30.1/networking/wget.c
+===================================================================
+--- busybox-1.30.1.orig/networking/wget.c
++++ busybox-1.30.1/networking/wget.c
+@@ -91,6 +91,9 @@
+ //config:	patches, but do want to waste bandwidth expaining how wrong
+ //config:	it is, you will be ignored.
+ //config:
++//config:	FEATURE_WGET_OPENSSL does implement TLS verification
++//config:	using the certificates available to OpenSSL.
++//config:
+ //config:config FEATURE_WGET_OPENSSL
+ //config:	bool "Try to connect to HTTPS using openssl"
+ //config:	default y
+@@ -115,6 +118,9 @@
+ //config:	If openssl can't be executed, internal TLS code will be used
+ //config:	(if you enabled it); if openssl can be executed but fails later,
+ //config:	wget can't detect this, and download will fail.
++//config:
++//config:	By default TLS verification is performed, unless
++//config:	--no-check-certificate option is passed.
+ 
+ //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))
+ 
+@@ -124,8 +130,11 @@
+ //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
+ //usage:       "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n"
+ //usage:       "	[--header 'header: value'] [-Y|--proxy on/off] [-P DIR]\n"
++//usage:	IF_FEATURE_WGET_OPENSSL(
++//usage:       "	[--no-check-certificate]\n"
++//usage:	)
+ /* Since we ignore these opts, we don't show them in --help */
+-/* //usage:    "	[--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
++/* //usage:    "	[--no-cache] [--passive-ftp] [-t TRIES]" */
+ /* //usage:    "	[-nv] [-nc] [-nH] [-np]" */
+ //usage:       "	[-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
+ //usage:	)
+@@ -137,7 +146,9 @@
+ //usage:       "Retrieve files via HTTP or FTP\n"
+ //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
+ //usage:     "\n	--spider	Only check URL existence: $? is 0 if exists"
+-///////:     "\n	--no-check-certificate	Don't validate the server's certificate"
++//usage:	IF_FEATURE_WGET_OPENSSL(
++//usage:     "\n	--no-check-certificate	Don't validate the server's certificate"
++//usage:	)
+ //usage:	)
+ //usage:     "\n	-c		Continue retrieval of aborted transfer"
+ //usage:     "\n	-q		Quiet"
+@@ -657,7 +668,7 @@ static int spawn_https_helper_openssl(co
+ 	pid = xvfork();
+ 	if (pid == 0) {
+ 		/* Child */
+-		char *argv[8];
++		char *argv[9];
+ 
+ 		close(sp[0]);
+ 		xmove_fd(sp[1], 0);
+@@ -684,6 +695,9 @@ static int spawn_https_helper_openssl(co
+ 			argv[5] = (char*)"-servername";
+ 			argv[6] = (char*)servername;
+ 		}
++		if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
++			argv[7] = (char*)"-verify_return_error";
++		}
+ 
+ 		BB_EXECVP(argv[0], argv);
+ 		xmove_fd(3, 2);
diff -Nru busybox-1.30.1/debian/patches/series busybox-1.30.1/debian/patches/series
--- busybox-1.30.1/debian/patches/series	2020-03-30 14:43:36.000000000 +0000
+++ busybox-1.30.1/debian/patches/series	2020-05-19 15:16:23.000000000 +0000
@@ -22,3 +22,4 @@
 58d998d2f927c20f2ba728611df587ac8ec8bda9.patch
 adjust-testsuite-for-fixed-bunzip2.patch
 stime-is-clock_settime.patch
+45fa3f18adf57ef9d743038743d9c90573aeeb91.patch
diff -Nru busybox-1.30.1/debian/tree/busybox/usr/share/initramfs-tools/hooks/zz-busybox busybox-1.30.1/debian/tree/busybox/usr/share/initramfs-tools/hooks/zz-busybox
--- busybox-1.30.1/debian/tree/busybox/usr/share/initramfs-tools/hooks/zz-busybox	2019-04-04 15:42:03.000000000 +0000
+++ busybox-1.30.1/debian/tree/busybox/usr/share/initramfs-tools/hooks/zz-busybox	2020-05-19 15:16:23.000000000 +0000
@@ -45,3 +45,26 @@
   [ -e "$DESTDIR/$alias" ] || \
     ln "$DESTDIR/bin/busybox" "$DESTDIR/$alias"
 done
+
+# Casper wants to have access to https, let busybox invoke openssl to
+# achieve that.
+# TODO: maybe have another variable like BUSYBOX_OPENSSL to include
+# openssl if wanted? maybe like cloud-initramfs wants it?
+if [ "$CASPER_GENERATE_UUID" ]; then
+    mkdir -p $DESTDIR/etc/ssl/certs $DESTDIR/usr/lib/ssl/
+    copy_exec /usr/bin/openssl
+    copy_file config /etc/ssl/openssl.cnf
+    update-ca-certificates --fresh --etccertsdir $DESTDIR/etc/ssl/certs --hooksdir /no-hooks
+    # Only use by-hash certs
+    rm -f $DESTDIR/etc/ssl/certs/ca-certificates.crt
+    for cert in $DESTDIR/etc/ssl/certs/* ; do
+        target=$(readlink $cert)
+        case $target in
+            /*)
+                copy_file cert $target
+                ;;
+        esac
+    done
+    ln -s /etc/ssl/certs $DESTDIR/usr/lib/ssl/certs
+    ln -s /etc/ssl/openssl.cnf $DESTDIR/usr/lib/ssl/openssl.cnf
+fi