[PATCH] uhttpd: Increase default certificate validate from 2 to 10 years

Rich Brown richb.hanover at gmail.com
Tue Sep 1 10:43:33 EDT 2020


Forgive me for chiming in now, for I have not been following the discussion closely.

Is this change (specifically, using these certs for "ordinary operation" of OpenWrt) being considered for the 20.0x release? Would it delay the RC1 release in any way?

If so, I believe we should move it off that critical path, since there's a lot of uncertainty here. (We already have plenty in 20.0x - I worry that adding more tasks/features will push us to 20.1x, or worse.)  If it's not included in 20.0x, we can definitely continue the experiments in snapshot to see whether its benefits are worth the difficulties. Thanks for listening.

Rich

> On Sep 1, 2020, at 9:57 AM, Karl Palsson <karlp at tweak.net.au> wrote:
> 
> 
> Yousong Zhou <yszhou4tech at gmail.com> wrote:
>> It's worth mentioning that recent versions of macos since 10.15
>> have a restriction on certificate validity period, self-signed
>> or not. It's a strong restriction that the browser ui will have
>> no buttons or knobs to bypass the certificate validation,
>> rendering such sites inaccessible. I remembered it's also a
>> system wide enforcement that chrome on macos also respects
>> this.
>> 
>> [1] Requirements for trusted certificates in iOS 13 and macOS
>> 10.15, https://support.apple.com/en-us/HT210176
>> 
>>> TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
>> 
>> [2] About upcoming limits on trusted certificates,
>> https://support.apple.com/en-us/HT211025
>> 
>>> TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC must not have a validity period greater than 398 days.
>> 
> 
> Are they blocking or planning to block non-http sites? This would
> be further arguments that self-signed certs by default for luci
> are actively bad.
> 
> Latest reference I can find for chromium is that HTTP will be
> marked as insecure, but not with the click through horror show of
> self signed certs.
> 
> https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
> 
> Sincerely,
> Karl Palsson
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
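The two Apple limits quoted in the thread (825 days overall, and 398 days for certificates issued on or after 1 September 2020 00:00 UTC), applied to the uhttpd defaults under discussion (the current 2 years and the proposed 10 years). This is an added example, not code from this thread, from uhttpd or from Apple: it is stdlib-only Python that models a self-signed certificate issued at a given date for N days, the way `openssl req -x509 -days N` would set NotBefore/NotAfter. The function names, the sample issue dates (2020-08-31 and 2020-09-02) and the choice to round a partial day up to a full day are the example's own assumptions, not Apple's published counting rule.

```python
"""Check an X.509 validity window against the Apple limits quoted in the thread.

Rules as quoted from Apple HT210176 / HT211025:
  * validity period (NotBefore .. NotAfter) must be 825 days or fewer;
  * certificates issued on or after 2020-09-01 00:00 UTC must not exceed 398 days.
A self-signed certificate is modelled with NotBefore equal to the issue date,
which is how `openssl req -x509 -days N` behaves.
"""
from datetime import datetime, timedelta, timezone

LEGACY_MAX_DAYS = 825                # HT210176 cap
MAX_DAYS_SINCE_2020_09_01 = 398      # HT211025 cap
CUTOFF_398 = datetime(2020, 9, 1, tzinfo=timezone.utc)


def validity_days(not_before, not_after):
    """Validity period in days between the NotBefore and NotAfter fields.
    Assumption (this example's choice, conservative): any partial day
    counts as a full day, so '398 days + 1 second' is treated as 399."""
    if not_after <= not_before:
        raise ValueError("NotAfter must be later than NotBefore")
    delta = not_after - not_before
    days = delta.days
    if delta.seconds or delta.microseconds:
        days += 1
    return days


def max_allowed_days(not_before):
    """Cap that applies to a certificate issued at `not_before`."""
    if not_before >= CUTOFF_398:
        return MAX_DAYS_SINCE_2020_09_01
    return LEGACY_MAX_DAYS


def apple_verdict(not_before, not_after):
    """Return (accepted, reason) under the iOS 13 / macOS 10.15 validity rules.
    Only the validity-period rule is evaluated; Apple's other requirements
    (key size, SAN, EKU, ...) are out of scope here."""
    days = validity_days(not_before, not_after)
    cap = max_allowed_days(not_before)
    if days > cap:
        return False, f"{days}-day validity exceeds the {cap}-day limit"
    return True, f"{days}-day validity is within the {cap}-day limit"


def check_self_signed(issued_iso, valid_days):
    """Model a uhttpd-style self-signed cert issued on `issued_iso`
    (YYYY-MM-DD, taken as 00:00 UTC) and valid for `valid_days` days."""
    issued = datetime.strptime(issued_iso, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return apple_verdict(issued, issued + timedelta(days=valid_days))


if __name__ == "__main__":
    # Constructed sample: a router generating its cert the day after the cutoff.
    issued = "2020-09-02"
    cases = (
        ("uhttpd default, 2 years", 730),
        ("proposed default, 10 years", 3650),
        ("398-day certificate", 398),
    )
    for label, days in cases:
        ok, why = check_self_signed(issued, days)
        print(f"{label:28s} -> {'accepted' if ok else 'REJECTED'}: {why}")
```

Run as a script it prints one verdict per case; the point it makes for the thread is that on a cert generated after the cutoff even the existing 2-year default already exceeds Apple's limit, so the 10-year proposal does not change whether Safari on macOS 10.15 trusts the LuCI certificate, only by how much it misses.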
