[PATCH] uhttpd: Increase default certificate validate from 2 to 10 years

Yousong Zhou yszhou4tech at gmail.com
Tue Sep 1 01:02:05 EDT 2020


On Tue, 1 Sep 2020 at 06:45, Yousong Zhou <yszhou4tech at gmail.com> wrote:
>
> It's worth mentioning that recent versions of macOS since 10.15 have a
> restriction on certificate validity period, self-signed or not.  It's
> a strong restriction that the browser UI will have no buttons or knobs
> to bypass the certificate validation, rendering such sites
> inaccessible.  I remember it's also a system-wide enforcement that
> Chrome on macOS also respects.
>
> [1] Requirements for trusted certificates in iOS 13 and macOS 10.15,
> https://support.apple.com/en-us/HT210176
>
> > TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
>
> [2] About upcoming limits on trusted certificates,
> https://support.apple.com/en-us/HT211025
>
> > TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC must not have a validity period greater than 398 days.
>
> Regards,
>                yousong

The other thing that just occurred to me is that Chrome will not cache
content fetched from links with invalid certificates.  It's a WontFix
decision [1]. I would guess a 400MHz MIPS CPU might have a hard time
with this.

 [1] Issue 110649: Browser not caching files if HTTPS is used even if
it's allowed by webserver via response headers,
https://bugs.chromium.org/p/chromium/issues/detail?id=110649#c8

Regards,
                yousong
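
Added example, not part of the original message or of the uhttpd code: a small checker that applies the two limits quoted above (825 days, and 398 days from September 1, 2020 00:00 GMT/UTC) to the dates printed by `openssl x509 -noout -dates`. It assumes NotBefore stands in for the issuance time and models no other condition from the Apple notes; the sample inputs are constructed.

```python
from datetime import datetime, timedelta, timezone

# Limits as quoted from the two Apple support notes in the message above.
LIMIT_DAYS = 825
LIMIT_DAYS_FROM_CUTOFF = 398
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
OPENSSL_FMT = "%b %d %H:%M:%S %Y %Z"  # e.g. "Sep  1 00:00:00 2020 GMT"


def parse_dates(text):
    """Parse the notBefore=/notAfter= lines of `openssl x509 -noout -dates`."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with an extra space; collapse it.
            stamp = datetime.strptime(" ".join(value.split()), OPENSSL_FMT)
            found[key] = stamp.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    if found["notAfter"] <= found["notBefore"]:
        raise ValueError("notAfter is not later than notBefore")
    return found["notBefore"], found["notAfter"]


def check_validity(text):
    """Return (validity_days, applicable_limit_days, within_limit)."""
    not_before, not_after = parse_dates(text)
    # Assumption: NotBefore stands in for the issuance time.
    limit = LIMIT_DAYS_FROM_CUTOFF if not_before >= CUTOFF else LIMIT_DAYS
    period = not_after - not_before
    return period.days, limit, period <= timedelta(days=limit)


# Constructed sample inputs (not taken from real certificates).
SAMPLES = {
    "2y_before": "notBefore=Aug  1 00:00:00 2020 GMT\nnotAfter=Aug  1 00:00:00 2022 GMT",
    "2y_after": "notBefore=Sep  1 00:00:00 2020 GMT\nnotAfter=Sep  1 00:00:00 2022 GMT",
    "10y_before": "notBefore=Aug  1 00:00:00 2020 GMT\nnotAfter=Jul 30 00:00:00 2030 GMT",
    "397d_after": "notBefore=Sep  2 00:00:00 2020 GMT\nnotAfter=Oct  4 00:00:00 2021 GMT",
}

if __name__ == "__main__":
    for name, dates in SAMPLES.items():
        print(name, check_validity(dates))
```
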
