[PATCH] uhttpd: Increase default certificate validate from 2 to 10 years

Paul Oranje por at oranjevos.nl
Tue Sep 1 06:35:41 EDT 2020



> On 1 Sep 2020, at 01:21, Daniel Golle <daniel at makrotopia.org> wrote:
> 
> On Tue, Sep 01, 2020 at 06:45:02AM +0800, Yousong Zhou wrote:
>> It's worth mentioning that recent versions of macOS since 10.15 have a
>> restriction on certificate validity period, self-signed or not.  It's
>> a strong restriction that the browser ui will have no buttons or knobs
>> to bypass the certificate validation, rendering such sites
>> inaccessible.  I remembered it's also a system-wide enforcement that
>> Chrome on macOS also respects this.
>> 
>> [1] Requirements for trusted certificates in iOS 13 and macOS 10.15,
>> https://support.apple.com/en-us/HT210176
>> 
>>> TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
>> 
>> [2] About upcoming limits on trusted certificates,
>> https://support.apple.com/en-us/HT211025
>> 
>>> TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC must not have a validity period greater than 398 days.
> 
> There it also says:
> 'This change will not affect certificates issued from user-added or
> administrator-added Root CAs.'
> 
> So why not force users of devices owned by $$$megacorp to install the
> self-signed as an additional CA?
> 
> This could even be done via an installation tool, downloading the
> certificate from the router using a built-in copy of wolfssl or
> whatever, ignoring the certificates validity.
> 
> Executing the installation program on $$$megacorp-os will of course
> trigger a cascade of extremely scary looking warnings and may require
> changing system settings to even allow running it at all. Another
> cascade of warnings will have to be dealt with when adding the
> self-signed as user-added Root CA.
> I'm pretty sure things like this are needed quite often in Intranet
> environments and shouldn't be hard to implement or document the steps
> in the Wiki.
> After all, I wouldn't worry about any of this too much as long as there
> is /some/ way to make it work. And users of $$$megacorp-os are
> completely used to these kinds of procedures as they are required all
> the time to get things working (unless you bought them through
> $$$megacorp-store which prohibits the use of FOSS licences, despite the
> fact that $$$megacorp-os is of course built on the shoulders of the
> FOSS movement and itself in great parts published under FOSS licences).
> 
> Just my 2 cents...
> 
> 
> 
>> 
>> Regards,
>>               yousong
>> 
Why not apply the same kind of policy as with the initial password?
So at first boot just HTTP and a message prompting the user to switch to HTTPS with instructions for importing/setting the certificate.

Bye,
Paul
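
Added example, not part of the original thread or of uhttpd: a Python check of a certificate's validity period against the two Apple limits quoted above (825 days; 398 days for certificates issued on or after September 1, 2020, with the user-added/administrator-added root exemption). It assumes NotBefore is the issuance time, that the period is NotAfter minus NotBefore, and that the input is the text printed by `openssl x509 -noout -dates`; the function names and sample dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Limits as quoted in the thread from Apple's HT210176 and HT211025.
LIMIT_825 = timedelta(days=825)
LIMIT_398 = timedelta(days=398)
CUTOFF_398 = datetime(2020, 9, 1, tzinfo=timezone.utc)  # Sep 1, 2020 00:00 UTC

# Constructed sample: a 2-year certificate issued the day after the cutoff.
SAMPLE_DATES = """\
notBefore=Sep  2 00:00:00 2020 GMT
notAfter=Sep  2 00:00:00 2022 GMT
"""

def parse_openssl_dates(text):
    """Parse the notBefore/notAfter lines of `openssl x509 -noout -dates`."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        stamp = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
        fields[key.strip()] = stamp.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]

def check_validity(not_before, not_after, user_added_root=False):
    """Return (ok, reason) for the limits quoted in the thread.

    Assumption: the 825-day rule is applied to every certificate, since the
    thread only quotes the root-CA exemption for the 398-day rule.
    """
    period = not_after - not_before
    if period <= timedelta(0):
        return False, "notAfter is not later than notBefore"
    if period > LIMIT_825:
        return False, f"{period.days} days exceeds the 825-day limit"
    if not_before >= CUTOFF_398 and not user_added_root and period > LIMIT_398:
        return False, f"{period.days} days exceeds the 398-day limit"
    return True, f"{period.days} days is within the limits"

if __name__ == "__main__":
    nb, na = parse_openssl_dates(SAMPLE_DATES)
    print(check_validity(nb, na))                        # 2 years, after the cutoff
    print(check_validity(nb, na, user_added_root=True))  # exempt from the 398-day rule
    ten_years = nb.replace(year=nb.year + 10)
    print(check_validity(nb, ten_years, user_added_root=True))  # proposed 10-year default
```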



