[openwrt/openwrt] uhttpd: Include new extensions in uhttpd self-signed certs

LEDE Commits lede-commits at lists.infradead.org
Tue Aug 13 12:07:18 PDT 2024


robimarko pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/db4e8ef952f45e6b58467ffc82528cfae54dea42

commit db4e8ef952f45e6b58467ffc82528cfae54dea42
Author: Pat Fruth <pat at patfruth.com>
AuthorDate: Wed May 1 13:50:23 2024 +0300

    uhttpd: Include new extensions in uhttpd self-signed certs
    
    The introduction of MacOS Catalina includes new requirements for self-signed certificates.
    See: https://support.apple.com/en-us/HT210176
    These new requirements include the addition of two TLS server certificate extensions.
    - extendedKeyUsage
    - subjectAltName
    The extendedKeyUsage must be set to serverAuth.
    The subjectAltName must be set to the DNS name of the server.
    In the absence of these new extensions, when the LUCI web interface is configured to use HTTPS and
    self-signed certs, MacOS users running Google Chrome browsers will not be able to access the LUCI web interface.
    If you are generating self-signed certs which do not include that extension, Chrome will
    report "NET::ERR_CERT_INVALID" instead of "NET::ERR_CERT_AUTHORITY_INVALID".  You can click through to
    ignore the latter, but not the former.
    
    This change updates the uhttpd init script to generate a self-signed cert that meets the new requirements.
    Signed-off-by: Pat Fruth <pat at patfruth.com>
    Link: https://github.com/openwrt/openwrt/pull/15366
    Signed-off-by: Robert Marko <robimarko at gmail.com>
---
 package/network/services/uhttpd/files/uhttpd.init | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package/network/services/uhttpd/files/uhttpd.init b/package/network/services/uhttpd/files/uhttpd.init
index c4d0025d69..d9e742024d 100755
--- a/package/network/services/uhttpd/files/uhttpd.init
+++ b/package/network/services/uhttpd/files/uhttpd.init
@@ -57,7 +57,8 @@ generate_keys() {
 	[ -n "$GENKEY_CMD" ] && {
 		$GENKEY_CMD \
 			-days ${days:-730} -newkey ${KEY_OPTS} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
-			-subj /C="${country:-ZZ}"/ST="${state:-Somewhere}"/L="${location:-Unknown}"/O="${organization:-OpenWrt$UNIQUEID}"/CN="${commonname:-OpenWrt}"
+			-subj /C="${country:-ZZ}"/ST="${state:-Somewhere}"/L="${location:-Unknown}"/O="${organization:-OpenWrt$UNIQUEID}"/CN="${commonname:-OpenWrt}" \
+			-addext extendedKeyUsage=serverAuth -addext subjectAltName=DNS:"${commonname:-OpenWrt}"
 		sync
 		mv "${UHTTPD_KEY}.new" "${UHTTPD_KEY}"
 		mv "${UHTTPD_CERT}.new" "${UHTTPD_CERT}"
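Review bot: the two `-addext` options are appended to whatever `$GENKEY_CMD` expands to, and the block never checks that command's exit status before `sync` and the `mv "${UHTTPD_KEY}.new" "${UHTTPD_KEY}"` / `mv "${UHTTPD_CERT}.new" "${UHTTPD_CERT}"` renames; if the selected generator does not accept `-addext`, no `.new` files are written and the failure only surfaces as `mv` errors. Suggest either guarding the renames on the generator's status (`$GENKEY_CMD ... || return 1` before the `sync`) or confirming that every generator this script can assign to `GENKEY_CMD` understands these options. On the `-addext subjectAltName=DNS:"${commonname:-OpenWrt}"` line, the SAN is always emitted as a `DNS:` entry, so a `commonname` that is an IP address produces a SAN that cannot match the address the browser connects to; consider emitting `IP:` when the value looks like an address. The default `OpenWrt` name likewise will not match a host reached by IP, which is consistent with the stated goal of getting a click-through-able NET::ERR_CERT_AUTHORITY_INVALID rather than NET::ERR_CERT_INVALID, but a short comment in the script saying so would help the next reader.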
