[openwrt/openwrt] uhttpd: Decrease the default validity time of certificate

LEDE Commits lede-commits at lists.infradead.org
Tue Aug 13 12:07:19 PDT 2024


robimarko pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/0b7d99147b721c9bc95e9a0caacd300227d10375

commit 0b7d99147b721c9bc95e9a0caacd300227d10375
Author: Hannu Nyman <hannu.nyman at iki.fi>
AuthorDate: Wed May 1 13:53:34 2024 +0300

    uhttpd: Decrease the default validity time of certificate
    
    The recommended maximum validity period is currently 397 days,
    and some browsers show a warning for certificates with longer periods.
    
    Reference to
    https://cabforum.org/working-groups/server/baseline-requirements/
     6.3.2 Certificate operational periods and key pair usage periods
     Subscriber Certificates issued on or after 1 September 2020
     SHOULD NOT have a Validity Period greater than 397 days and
     MUST NOT have a Validity Period greater than 398 days.
    
    Signed-off-by: Hannu Nyman <hannu.nyman at iki.fi>
    Link: https://github.com/openwrt/openwrt/pull/15366
    Signed-off-by: Robert Marko <robimarko at gmail.com>
---
 package/network/services/uhttpd/Makefile            | 2 +-
 package/network/services/uhttpd/files/uhttpd.config | 4 ++--
 package/network/services/uhttpd/files/uhttpd.init   | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/network/services/uhttpd/Makefile b/package/network/services/uhttpd/Makefile
index a373e62820..ea76fa65ea 100644
--- a/package/network/services/uhttpd/Makefile
+++ b/package/network/services/uhttpd/Makefile
@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=uhttpd
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/uhttpd.git
diff --git a/package/network/services/uhttpd/files/uhttpd.config b/package/network/services/uhttpd/files/uhttpd.config
index a9b8ff3d15..ce76fe6b6b 100644
--- a/package/network/services/uhttpd/files/uhttpd.config
+++ b/package/network/services/uhttpd/files/uhttpd.config
@@ -123,8 +123,8 @@ config uhttpd main
 # Defaults for automatic certificate and key generation
 config cert defaults
 
-	# Validity time
-	option days		730
+	# Validity time, 397 days is maximum allowed by CA/Browser forum
+	option days		397
 
 	# key type: rsa or ec
 	option key_type		ec
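Review bot: The new comment on the `option days` line calls 397 days the "maximum allowed by CA/Browser forum", but the Baseline Requirements text quoted in the commit message makes 398 days the hard limit (MUST NOT) and 397 the recommendation (SHOULD NOT), so the comment overstates it. Suggest `# Validity time; CA/Browser Forum recommends at most 397 days (398 is the hard limit)`. It may also be worth noting in the comment that this default applies only to the self-signed certificate uhttpd generates on first start, since an existing certificate or an explicit `option days` in a preserved config is presumably not affected by this change.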
diff --git a/package/network/services/uhttpd/files/uhttpd.init b/package/network/services/uhttpd/files/uhttpd.init
index d9e742024d..6929fef421 100755
--- a/package/network/services/uhttpd/files/uhttpd.init
+++ b/package/network/services/uhttpd/files/uhttpd.init
@@ -56,7 +56,7 @@ generate_keys() {
 	[ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -der"
 	[ -n "$GENKEY_CMD" ] && {
 		$GENKEY_CMD \
-			-days ${days:-730} -newkey ${KEY_OPTS} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
+			-days ${days:-397} -newkey ${KEY_OPTS} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
 			-subj /C="${country:-ZZ}"/ST="${state:-Somewhere}"/L="${location:-Unknown}"/O="${organization:-OpenWrt$UNIQUEID}"/CN="${commonname:-OpenWrt}" \
 			-addext extendedKeyUsage=serverAuth -addext subjectAltName=DNS:"${commonname:-OpenWrt}"
 		sync
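Review bot: The 397-day fallback in `-days ${days:-397}` only takes effect when `days` is unset, so devices carrying an older uhttpd.config with `option days 730` (a conffile that survives sysupgrade) will presumably keep generating 730-day certificates, and certificates already on the device are untouched until regenerated; the commit message could say so, or a release note could point admins at `uci set uhttpd.defaults.days=397`. The same default is now spelled out in two places (uhttpd.config and this init script); defining it once, e.g. `DEFAULT_CERT_DAYS=397` near the top of the script and using `${days:-$DEFAULT_CERT_DAYS}` here, would keep the two from drifting apart on the next change. The generate_keys function starts before this hunk and its body continues past it.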



