[PATCH] uhttpd: Increase default certificate validate from 2 to 10 years

Hauke Mehrtens hauke at hauke-m.de
Wed Sep 2 08:02:15 EDT 2020


On 9/2/20 12:05 PM, Yousong Zhou wrote:
> On Wed, 2 Sep 2020 at 01:32, Hauke Mehrtens <hauke at hauke-m.de> wrote:
>>
>> On 9/1/20 12:45 AM, Yousong Zhou wrote:
>>> It's worth mentioning that recent versions of macos since 10.15 have a
>>> restriction on certificate validity period, self-signed or not.  It's
>>> a strong restriction that the browser ui will have no buttons or knobs
>>> to bypass the certificate validation, rendering such sites
>>> inaccessible.  I remembered it's also a system wide enforcement that
>>> chrome on macos also respects this.
>>>
>>> [1] Requirements for trusted certificates in iOS 13 and macOS 10.15,
>>> https://support.apple.com/en-us/HT210176
>>>
>>>> TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
>>>
>>> [2] About upcoming limits on trusted certificates,
>>> https://support.apple.com/en-us/HT211025
>>>
>>>> TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC must not have a validity period greater than 398 days.
>>>
>>> Regards,
>>>                yousong
>>
>> Could someone please test how MacOS and iOS behave with a self signed
>> certificate, valid for 10 years which was issued no later than today please.
> 
> Tried with chrome on macos 10.15 (catalina), no way to proceed on the
> certificate warning page.
> 
> With macos 10.13 (high sierra), chrome will allow you to ignore the
> check and continue on, but safari will warn after clicking "visit this
> website" that "You will have to modify your system settings to allow
> this." and prompt for a password to change "Certificate Trust
> Settings".

Hi Yousong,

Thanks for testing this.

based on these restrictions I would NACK this change and stay with the 2
years we currently have. This way the user can "easily" acknowledge the
self signed certificate. Easy means here without modifying system
settings to installing an own certificate authority.

We should probably add a process easily renew a certificate after 2 years.

Hauke

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openwrt.org/pipermail/openwrt-devel/attachments/20200902/3f1fbb73/attachment.sig>


More information about the openwrt-devel mailing list