diff options
| author | Pat Fruth | 2024-05-01 10:50:23 +0000 |
|---|---|---|
| committer | Robert Marko | 2024-08-13 19:07:13 +0000 |
| commit | db4e8ef952f45e6b58467ffc82528cfae54dea42 (patch) | |
| tree | bcf05acf592e6cb2d1851cdd43d2b22b96e89da7 | |
| parent | efca89daefc0347c64209e4e588fe17536933cf6 (diff) | |
| download | openwrt-db4e8ef952f45e6b58467ffc82528cfae54dea42.tar.gz | |
uhttpd: Include new extensions in uhttpd self-signed certs
The introduction of MacOS Catalina includes new requirements for self-signed certificates.
See: https://support.apple.com/en-us/HT210176
These new requirements include the addition of two TLS server certificate extensions.
- extendedKeyUsage
- subjectAltName
The extendedKeyUsage must be set to serverAuth.
The subjectAltName must be set to the DNS name of the server.
In the absense of these new extensions, when the LUCI web interface is configured to use HTTPS and
self-signed certs, MacOS user running Google Chrome browsers will not be able to access the LUCI web enterface.
If you are generating self-signed certs which do not include that extension, Chrome will
report "NET::ERR_CERT_INVALID" instead of "NET::ERR_CERT_AUTHORITY_INVALID". You can click through to
ignore the latter, but not the former.
This change updates the uhttpd init script to generate self-signed cert that meets the new requirements.
Signed-off-by: Pat Fruth <pat@patfruth.com>
Link: https://github.com/openwrt/openwrt/pull/15366
Signed-off-by: Robert Marko <robimarko@gmail.com>
| -rwxr-xr-x | package/network/services/uhttpd/files/uhttpd.init | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/package/network/services/uhttpd/files/uhttpd.init b/package/network/services/uhttpd/files/uhttpd.init index c4d0025d69..d9e742024d 100755 --- a/package/network/services/uhttpd/files/uhttpd.init +++ b/package/network/services/uhttpd/files/uhttpd.init @@ -57,7 +57,8 @@ generate_keys() { [ -n "$GENKEY_CMD" ] && { $GENKEY_CMD \ -days ${days:-730} -newkey ${KEY_OPTS} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \ - -subj /C="${country:-ZZ}"/ST="${state:-Somewhere}"/L="${location:-Unknown}"/O="${organization:-OpenWrt$UNIQUEID}"/CN="${commonname:-OpenWrt}" + -subj /C="${country:-ZZ}"/ST="${state:-Somewhere}"/L="${location:-Unknown}"/O="${organization:-OpenWrt$UNIQUEID}"/CN="${commonname:-OpenWrt}" \ + -addext extendedKeyUsage=serverAuth -addext subjectAltName=DNS:"${commonname:-OpenWrt}" sync mv "${UHTTPD_KEY}.new" "${UHTTPD_KEY}" mv "${UHTTPD_CERT}.new" "${UHTTPD_CERT}" |