[PATCH] uhttpd: Increase default certificate validate from 2 to 10 years

Hauke Mehrtens hauke at hauke-m.de
Tue Sep 1 13:31:56 EDT 2020


On 9/1/20 12:45 AM, Yousong Zhou wrote:
> It's worth mentioning that recent versions of macos since 10.15 have a
> restriction on certificate validity period, self-signed or not.  It's
> a strong restriction that the browser ui will have no buttons or knobs
> to bypass the certificate validation, rendering such sites
> inaccessible.  I remembered it's also a system wide enforcement that
> chrome on macos also respects this.
> 
> [1] Requirements for trusted certificates in iOS 13 and macOS 10.15,
> https://support.apple.com/en-us/HT210176
> 
>> TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
> 
> [2] About upcoming limits on trusted certificates,
> https://support.apple.com/en-us/HT211025
> 
>> TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC must not have a validity period greater than 398 days.
> 
> Regards,
>                yousong

Could someone please test how macOS and iOS behave with a self-signed
certificate, valid for 10 years, which was issued no later than today.

The changes which are applied today on 1 September only affect
certificates signed by preinstalled CAs. This information from Apple
does not say how the system will behave with self-signed certificates.
The older changes will reject certificates valid for longer than 825
days (27 months).

Apple also says this:
> TLS server certificates must present the DNS name of the server in the
> Subject Alternative Name extension of the certificate. DNS names in
> the CommonName of a certificate are no longer trusted.
Currently we do not set a "Subject Alternative Name", but we also do not
really know the host name. We could set this to openwrt.lan, the default
hostname.

We will still serve over normal http; using https is only an addition.

Hauke
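As an added illustration of the two Apple limits quoted in this thread (825 days from HT210176, 398 days for certificates issued on or after 1 September 2020 from HT211025) and of the Subject Alternative Name requirement Hauke quotes, the following Go program is not uhttpd's own code: it generates a self-signed certificate for the assumed default hostname openwrt.lan with the name in the SAN extension, and then checks a parsed certificate against those documented rules. It encodes only what the Apple documents state; whether macOS actually applies the 398-day rule to self-signed certificates is the open question of the thread and is not answered here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Validity limits quoted in the thread from Apple's HT210176 (825 days) and
// HT211025 (398 days for certificates issued on or after 1 September 2020).
const (
	limitBeforeCutoff = 825 * 24 * time.Hour
	limitAfterCutoff  = 398 * 24 * time.Hour
)

var cutoff = time.Date(2020, time.September, 1, 0, 0, 0, 0, time.UTC)

// MaxValidityFor returns the longest validity period Apple's documents allow
// for a certificate whose NotBefore is the given time.
func MaxValidityFor(notBefore time.Time) time.Duration {
	if notBefore.Before(cutoff) {
		return limitBeforeCutoff
	}
	return limitAfterCutoff
}

// SelfSigned creates a self-signed TLS server certificate (DER) for cn with the
// given SAN DNS names and validity. Passing no dnsNames reproduces the
// "CommonName only" certificate the thread says uhttpd currently generates.
func SelfSigned(cn string, dnsNames []string, notBefore time.Time, validity time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Random 128-bit serial, as CA/Browser Forum rules expect for real CAs.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames, // becomes the Subject Alternative Name extension
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(validity),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// CheckAppleLimits parses a DER certificate and lists the conditions from the
// thread that would make an Apple client reject it: a missing SAN DNS name and
// a validity period over the applicable limit.
func CheckAppleLimits(der []byte) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	var problems []string
	if len(cert.DNSNames) == 0 {
		problems = append(problems, "no DNS name in Subject Alternative Name (CommonName alone is no longer trusted)")
	}
	validity := cert.NotAfter.Sub(cert.NotBefore)
	if limit := MaxValidityFor(cert.NotBefore); validity > limit {
		problems = append(problems, fmt.Sprintf("validity of %.0f days exceeds the %.0f-day limit",
			validity.Hours()/24, limit.Hours()/24))
	}
	return problems, nil
}

func main() {
	issued := time.Now().UTC()
	// The 10-year certificate proposed by the patch, with openwrt.lan in the SAN.
	der, err := SelfSigned("openwrt.lan", []string{"openwrt.lan"}, issued, 10*365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	problems, _ := CheckAppleLimits(der)
	fmt.Println("10-year cert:", problems)
	// A certificate within the documented limits: SAN set, 398 days or fewer.
	der, _ = SelfSigned("openwrt.lan", []string{"openwrt.lan"}, issued, limitAfterCutoff)
	problems, _ = CheckAppleLimits(der)
	fmt.Println("398-day cert:", problems)
}
```

Running it shows the proposed 10-year certificate flagged for its validity period even with a SAN present, while a 398-day certificate with the same SAN passes both checks; the CN-only variant is flagged twice.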
