[PATCH] uhttpd: Increase default certificate validate from 2 to 10 years
Yousong Zhou
yszhou4tech at gmail.com
Wed Sep 2 06:05:46 EDT 2020
On Wed, 2 Sep 2020 at 01:32, Hauke Mehrtens <hauke at hauke-m.de> wrote:
>
> On 9/1/20 12:45 AM, Yousong Zhou wrote:
> > It's worth mentioning that recent versions of macos since 10.15 have a
> > restriction on certificate validity period, self-signed or not. It's
> > a strong restriction that the browser ui will have no buttons or knobs
> > to bypass the certificate validation, rendering such sites
> > inaccessible. I remembered it's also a system wide enforcement that
> > chrome on macos also respects this.
> >
> > [1] Requirements for trusted certificates in iOS 13 and macOS 10.15,
> > https://support.apple.com/en-us/HT210176
> >
> >> TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
> >
> > [2] About upcoming limits on trusted certificates,
> > https://support.apple.com/en-us/HT211025
> >
> >> TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC must not have a validity period greater than 398 days.
> >
> > Regards,
> > yousong
>
> Could someone please test how MacOS and iOS behave with a self signed
> certificate, valid for 10 years which was issued no later than today please.
Tried with chrome on macos 10.15 (catalina), no way to proceed on the
certificate warning page.
With macos 10.13 (high sierra), chrome will allow you to ignore the
check and continue on, but safari will warn after clicking "visit this
website" that "You will have to modify your system settings to allow
this." and prompt for a password to change "Certificate Trust
Settings".
Regards,
yousong
More information about the openwrt-devel
mailing list