[PATCH] uhttpd: Increase default certificate validate from 2 to 10 years

Daniel Golle daniel at makrotopia.org
Mon Aug 31 19:21:49 EDT 2020


On Tue, Sep 01, 2020 at 06:45:02AM +0800, Yousong Zhou wrote:
> It's worth mentioning that recent versions of macos since 10.15 have a
> restriction on certificate validity period, self-signed or not.  It's
> a strong restriction that the browser ui will have no buttons or knobs
> to bypass the certificate validation, rendering such sites
> inaccessible.  I remembered it's also a system wide enforcement that
> chrome on macos also respects this.
> 
> [1] Requirements for trusted certificates in iOS 13 and macOS 10.15,
> https://support.apple.com/en-us/HT210176
> 
> > TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
> 
> [2] About upcoming limits on trusted certificates,
> https://support.apple.com/en-us/HT211025
> 
> > TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC must not have a validity period greater than 398 days.

There it also says:
'This change will not affect certificates issued from user-added or
administrator-added Root CAs.'

So why not force users of devices owned by $$$megacorp to install the
self-signed as an additional CA?

This could even be done via an installation tool, downloading the
certificate from the router using a built-in copy of wolfssl or
whatever, ignoring the certificate's validity.

Executing the installation program on $$$megacorp-os will of course
trigger a cascade of extremely scary looking warnings and may require
changing system settings to even allow running it at all. Another
cascade of warnings will have to be dealt with when adding the
self-signed as user-added Root CA.
I'm pretty sure things like this are needed quite often in Intranet
environments and shouldn't be hard to implement or document the steps
in the Wiki.
After all, I wouldn't worry about any of this too much as long as there
is /some/ way to make it work. And users of $$$megacorp-os are
completely used to these kinds of procedures as they are required all
the time to get things working (unless you bought them through
$$$megacorp-store which prohibits the use of FOSS licences, despite the
fact that $$$megacorp-os is of course built on the shoulders of the
FOSS movement and itself in great parts published under FOSS licences).

Just my 2 cents...



> 
> Regards,
>                yousong
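As an added example (not code from this thread, from uhttpd or from Apple), a small Python check that applies the two Apple limits quoted above to the dates `openssl x509 -noout -dates` prints for a certificate. It assumes NotBefore stands in for the issuance date, and it takes a flag for the user-added Root CA exemption the reply points out.

```python
from datetime import datetime, timezone

# Apple's two limits as quoted in the thread (HT210176 and HT211025).
LIMIT_DAYS_BEFORE_CUTOFF = 825   # iOS 13 / macOS 10.15 rule
LIMIT_DAYS_AFTER_CUTOFF = 398    # certificates issued on or after the cutoff
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # 2020-09-01 00:00 UTC


def parse_openssl_date(line):
    """Parse one line of `openssl x509 -noout -dates` output, such as
    'notAfter=Aug 31 19:21:49 2030 GMT', into an aware UTC datetime."""
    _, _, value = line.strip().partition("=")
    dt = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return dt.replace(tzinfo=timezone.utc)


def apple_limit_days(not_before):
    """Limit that applies to a certificate with this NotBefore.
    Assumption: NotBefore is used as the issuance date."""
    if not_before >= CUTOFF:
        return LIMIT_DAYS_AFTER_CUTOFF
    return LIMIT_DAYS_BEFORE_CUTOFF


def check_validity(dates_output, user_added_root=False):
    """Evaluate `openssl x509 -noout -dates` text against Apple's limits.

    Returns (accepted, validity_days, limit_days).  A certificate chained
    to a user- or administrator-added Root CA is exempt, as the thread
    notes, so user_added_root=True accepts it regardless of length."""
    fields = {}
    for line in dates_output.splitlines():
        if line.startswith(("notBefore=", "notAfter=")):
            key = line.split("=", 1)[0]
            fields[key] = parse_openssl_date(line)
    not_before, not_after = fields["notBefore"], fields["notAfter"]
    validity_days = (not_after - not_before).days
    limit = apple_limit_days(not_before)
    accepted = user_added_root or validity_days <= limit
    return accepted, validity_days, limit


# Constructed sample: what uhttpd's new 10-year default would look like
# if generated on the day the 398-day rule took effect.
SAMPLE_TEN_YEAR = "notBefore=Sep  1 00:00:00 2020 GMT\nnotAfter=Sep  1 00:00:00 2030 GMT\n"

if __name__ == "__main__":
    ok, days, limit = check_validity(SAMPLE_TEN_YEAR)
    print(f"validity {days} days, limit {limit}, accepted by Apple platforms: {ok}")
```

Feeding it a 2-year certificate with NotBefore on or after 2020-09-01 shows the point of the thread: the old default already exceeds the 398-day limit, so only the exemption path leaves such a certificate usable on these platforms.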


