[PATCH] uhttpd: Increase default certificate validity from 2 to 10 years
Adrian Schmutzler
mail at adrianschmutzler.de
Sun Aug 30 09:09:41 EDT 2020
Hi Hauke,
> -----Original Message-----
> From: openwrt-devel [mailto:openwrt-devel-bounces at lists.openwrt.org]
> On Behalf Of Hauke Mehrtens
> Sent: Samstag, 29. August 2020 20:33
> To: openwrt-devel at lists.openwrt.org
> Cc: Hauke Mehrtens <hauke at hauke-m.de>
> Subject: [PATCH] uhttpd: Increase default certificate validity from 2 to 10
> years
>
> The user has to accept this specific certificate manually in his browser; the
> browser does not trust it automatically, and in this process the user gets a scary
> message to approve. I am not aware of a way to improve this initial certificate
> approval.
>
> After the certificate expired the user gets a scary message from his browser
> again. This message looks very similar to a real man-in-the-middle (MitM)
> attack; in the MitM attack the warning would complain about a wrong key, in
> this case about an expired key. We should avoid the user getting such
> messages: the more he gets such messages, the more likely it is that he will
> also approve this message when a real MitM attack is happening.
>
> When a normal certificate authority is used the user does not get a scary
> message when the certificate changed as long as it is still signed by a CA. In
> such cases it makes sense to have a short validity period because certificate
> revocation practically does not work on the Internet. Certificate revocation
> really does not work for self-signed certificates, but exchanging certificates is
> hard because of the scary messages users see.
>
> Even with a certificate validity of 2 years an attacker who has access to the
> private key could use it for the rest of the time to do MitM attacks, which
> would not be noticed. If a key gets compromised the user has to manually
> remove the trust in all SSL clients anyway, no matter if it is valid for 2 or 10
> years.
>
> Let's not increase it to more than 10 years, because the algorithms used in the
> certificate will probably not be sufficient any more in 10 years.
>
> The default self-signed SSL certificate for Apache in Debian 10 is also valid for
> 10 years.
>
> To increase the security of the users and also make it more user friendly,
> increase the validity to 10 years.
I think you have a point, but due to the typical lifetime of our releases I'd choose 5 years.
Best
Adrian
>
> Modern browsers only restrict the validity of certificates signed by globally
> trusted CAs, not self-signed certificates.
>
> Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
> ---
> package/network/services/uhttpd/files/uhttpd.config | 2 +-
> package/network/services/uhttpd/files/uhttpd.init | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/package/network/services/uhttpd/files/uhttpd.config
> b/package/network/services/uhttpd/files/uhttpd.config
> index 39089ca25b34..587c97402246 100644
> --- a/package/network/services/uhttpd/files/uhttpd.config
> +++ b/package/network/services/uhttpd/files/uhttpd.config
> @@ -116,7 +116,7 @@ config uhttpd main
> config cert defaults
>
> # Validity time
> - option days 730
> + option days 3650
>
> # key type: rsa or ec
> option key_type rsa
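Review bot: the `# Validity time` comment above `option days 3650` gives no unit, and 3650 is not obviously "10 years" to someone editing the config; consider `# Validity time in days (3650 = 10 years)` so the meaning of the value, and the reasoning in the commit message for not going beyond 10 years, survives in the file itself.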
> diff --git a/package/network/services/uhttpd/files/uhttpd.init
> b/package/network/services/uhttpd/files/uhttpd.init
> index 869f79bea20f..5f870f6ad6e1 100755
> --- a/package/network/services/uhttpd/files/uhttpd.init
> +++ b/package/network/services/uhttpd/files/uhttpd.init
> @@ -55,7 +55,7 @@ generate_keys() {
> [ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -der"
> [ -n "$GENKEY_CMD" ] && {
> $GENKEY_CMD \
> - -days ${days:-730} -newkey ${KEY_OPTS} -keyout
> "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
> + -days ${days:-3650} -newkey ${KEY_OPTS} -keyout
> "${UHTTPD_KEY}.new"
> +-out "${UHTTPD_CERT}.new" \
> -subj /C="${country:-ZZ}"/ST="${state:-
> Somewhere}"/L="${location:-Unknown}"/O="${commonname:-
> OpenWrt}$UNIQUEID"/CN="${commonname:-OpenWrt}"
> sync
> mv "${UHTTPD_KEY}.new" "${UHTTPD_KEY}"
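Review bot: the fallback `-days ${days:-3650}` in generate_keys() now hard-codes the same constant as `option days 3650` in uhttpd.config, so the two can silently drift apart the next time one of them is changed; either read the default from one place or add a comment at the fallback pointing at the config option. Also note that, as quoted here, the hunk has been re-wrapped by the mail client (`-keyout` is separated from `"${UHTTPD_KEY}.new"` and `+-out` sits on its own line), so the patch should be applied from the original message rather than this quote.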
> --
> 2.20.1