[PATCH] uhttpd: Increase default certificate validate from 2 to 10 years
Karl Palsson
karlp at tweak.net.au
Tue Sep 1 09:57:55 EDT 2020
Yousong Zhou <yszhou4tech at gmail.com> wrote:
> It's worth mentioning that recent versions of macos since 10.15
> have a restriction on certificate validity period, self-signed
> or not. It's a strong restriction that the browser ui will have
> no buttons or knobs to bypass the certificate validation,
> rendering such sites inaccessible. I remembered it's also a
> system wide enforcement that chrome on macos also respects
> this.
>
> [1] Requirements for trusted certificates in iOS 13 and macOS
> 10.15, https://support.apple.com/en-us/HT210176
>
> > TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
>
> [2] About upcoming limits on trusted certificates,
> https://support.apple.com/en-us/HT211025
>
> > TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC must not have a validity period greater than 398 days.
>
Are they blocking or planning to block non-http sites? This would
be further arguments that self-signed certs by default for luci
are actively bad.
Latest reference I can find for chromium is that HTTP will be
marked as insecure, but not with the click through horror show of
self signed certs.
https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
Sincerely,
Karl Palsson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP-digital-signature.html
Type: application/pgp-signature
Size: 1175 bytes
Desc: OpenPGP Digital Signature
URL: <http://lists.openwrt.org/pipermail/openwrt-devel/attachments/20200901/6ab33eb3/attachment-0001.sig>
More information about the openwrt-devel
mailing list