[PATCH] uhttpd: Increase default certificate validate from 2 to 10 years

Hauke Mehrtens hauke at hauke-m.de
Sat Aug 29 14:33:21 EDT 2020


The user has to accept this specific certificate manually in his
browser, the browser does not trust it automatically, in this process
the user gets a scary message to approve. I am not aware of a way to
improve this initial certificate approval.

After the certificate expired the user gets a scary message from his
browser again. This message looks very similar to a real Man in the
middle (MitM) attack, in the MitM attack the warning would complain
about a wrong key, in this case about an expired key. We should avoid
that the user gets such messages; the more he gets such messages the more
likely it is that he will also approve this message when a real MitM
attack is happening.

When a normal certificate authority is used the user does not get a
scary message when the certificate changed as long as it is still
signed by a CA. In such cases it makes sense to have a short validity
period because certificate revocation practically does not work in the
Internet. Certificate revocation really does not work for self signed
certificates, but exchanging certificates is hard because of the scary
messages users see.

Even with a certificate validity of 2 years an attacker who has access
to the private key could use it for the rest of the time to do MitM
attacks, which would not be noticed. If a key gets compromised the user
has to manually remove the trust in all SSL clients anyway, no matter if
it is valid for 2 or 10 years.

Let's not increase it to more than 10 years, because the algorithms used
in the certificate will probably not be sufficient any more in 10 years.

The default self signed SSL certificate for Apache in Debian 10 is
also valid for 10 years.

To increase the security of the users and also make it more user
friendly increase the validity to 10 years.

Modern browsers only restrict the validity of certificates signed by
globally trusted CAs, not self signed certificates.

Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
---
 package/network/services/uhttpd/files/uhttpd.config | 2 +-
 package/network/services/uhttpd/files/uhttpd.init   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/network/services/uhttpd/files/uhttpd.config b/package/network/services/uhttpd/files/uhttpd.config
index 39089ca25b34..587c97402246 100644
--- a/package/network/services/uhttpd/files/uhttpd.config
+++ b/package/network/services/uhttpd/files/uhttpd.config
@@ -116,7 +116,7 @@ config uhttpd main
 config cert defaults
 
 	# Validity time
-	option days		730
+	option days		3650
 
 	# key type: rsa or ec
 	option key_type		rsa
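Review bot: the comment above `option days` still reads only "# Validity time" and gives neither the unit nor the intent behind 3650; suggest "# Validity time in days (3650 = 10 years)" so anyone editing the config does not have to work it out. Since `option key_type rsa` sits directly below and the commit message itself expects today's algorithms to weaken within 10 years, it is also worth confirming in this series that the default key parameters are acceptable for the longer lifetime.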
diff --git a/package/network/services/uhttpd/files/uhttpd.init b/package/network/services/uhttpd/files/uhttpd.init
index 869f79bea20f..5f870f6ad6e1 100755
--- a/package/network/services/uhttpd/files/uhttpd.init
+++ b/package/network/services/uhttpd/files/uhttpd.init
@@ -55,7 +55,7 @@ generate_keys() {
 	[ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -der"
 	[ -n "$GENKEY_CMD" ] && {
 		$GENKEY_CMD \
-			-days ${days:-730} -newkey ${KEY_OPTS} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
+			-days ${days:-3650} -newkey ${KEY_OPTS} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
 			-subj /C="${country:-ZZ}"/ST="${state:-Somewhere}"/L="${location:-Unknown}"/O="${commonname:-OpenWrt}$UNIQUEID"/CN="${commonname:-OpenWrt}"
 		sync
 		mv "${UHTTPD_KEY}.new" "${UHTTPD_KEY}"
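Review bot: the fallback in `-days ${days:-3650}` duplicates the default now set in uhttpd.config, so the two files must be edited together every time the value changes (as this patch has to do); consider keeping the fallback in one variable in generate_keys() or adding a comment pointing at the config default. The expansion is also unquoted on that line while the -keyout and -out arguments are quoted; writing it as "${days:-3650}" would be consistent and keeps a malformed config value from splitting into extra arguments.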
-- 
2.20.1