| author | Hannu Nyman | 2024-05-01 10:53:34 +0000 |
|---|---|---|
| committer | Robert Marko | 2024-08-13 19:07:13 +0000 |
| commit | 0b7d99147b721c9bc95e9a0caacd300227d10375 (patch) | |
| tree | c60fcec87c644914a4069f422017fe5e0d619c84 | |
| parent | db4e8ef952f45e6b58467ffc82528cfae54dea42 (diff) | |
| download | openwrt-0b7d99147b721c9bc95e9a0caacd300227d10375.tar.gz | |
uhttpd: Decrease the default validity time of certificate
The recommended maximum validity period is currently 397 days,
and some browsers show a warning for longer periods.
Reference to
https://cabforum.org/working-groups/server/baseline-requirements/
6.3.2 Certificate operational periods and key pair usage periods
Subscriber Certificates issued on or after 1 September 2020
SHOULD NOT have a Validity Period greater than 397 days and
MUST NOT have a Validity Period greater than 398 days.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/15366
Signed-off-by: Robert Marko <robimarko@gmail.com>
| -rw-r--r-- | package/network/services/uhttpd/Makefile | 2 | ||||
| -rw-r--r-- | package/network/services/uhttpd/files/uhttpd.config | 4 | ||||
| -rwxr-xr-x | package/network/services/uhttpd/files/uhttpd.init | 2 |
3 files changed, 4 insertions, 4 deletions
diff --git a/package/network/services/uhttpd/Makefile b/package/network/services/uhttpd/Makefile
index a373e62820..ea76fa65ea 100644
--- a/package/network/services/uhttpd/Makefile
+++ b/package/network/services/uhttpd/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=uhttpd
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/uhttpd.git
diff --git a/package/network/services/uhttpd/files/uhttpd.config b/package/network/services/uhttpd/files/uhttpd.config
index a9b8ff3d15..ce76fe6b6b 100644
--- a/package/network/services/uhttpd/files/uhttpd.config
+++ b/package/network/services/uhttpd/files/uhttpd.config
@@ -123,8 +123,8 @@ config uhttpd main
 # Defaults for automatic certificate and key generation
 config cert defaults
- # Validity time
- option days 730
+ # Validity time, 397 days is maximum allowed by CA/Browser forum
+ option days 397
 # key type: rsa or ec
 option key_type ec
diff --git a/package/network/services/uhttpd/files/uhttpd.init b/package/network/services/uhttpd/files/uhttpd.init
index d9e742024d..6929fef421 100755
--- a/package/network/services/uhttpd/files/uhttpd.init
+++ b/package/network/services/uhttpd/files/uhttpd.init
@@ -56,7 +56,7 @@ generate_keys() {
 [ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -der"
 [ -n "$GENKEY_CMD" ] && {
 $GENKEY_CMD \
- -days ${days:-730} -newkey ${KEY_OPTS} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
+ -days ${days:-397} -newkey ${KEY_OPTS} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
 -subj /C="${country:-ZZ}"/ST="${state:-Somewhere}"/L="${location:-Unknown}"/O="${organization:-OpenWrt$UNIQUEID}"/CN="${commonname:-OpenWrt}" \
 -addext extendedKeyUsage=serverAuth -addext subjectAltName=DNS:"${commonname:-OpenWrt}"
 sync |
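Review bot: The new comment under `config cert defaults` in uhttpd.config calls 397 days the maximum allowed, but the requirement quoted in the commit message gives 397 as the SHOULD NOT bound and 398 as the MUST NOT bound. That text is also written for CA-issued Subscriber Certificates, while this section configures the automatically generated certificate. I would word it as `# Validity time in days; 397 is the CA/Browser Forum recommended maximum (398 is the hard limit)`. The comment could also say that the value is only used when a certificate is generated, so a certificate already present on a device presumably keeps its earlier validity period; the hunk does not show when generation runs.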
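Review bot: On the changed `-days` line in uhttpd.init, `${days:-397}` is expanded unquoted while the subject fields on the following line are quoted, so a `days` value containing whitespace (it appears to come from the config) would be split into extra arguments to the key-generation command. Writing `-days "${days:-397}"` keeps it a single argument. The fallback 397 now appears in both uhttpd.init and uhttpd.config and must be changed in both together, which a one-line comment above the command could note. With the shorter lifetime the self-signed certificate expires about a year sooner, and nothing visible here regenerates it at expiry, so that is worth checking in the rest of generate_keys(). The function body starts and ends outside the hunk.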