Hi Hauke,

> -----Original Message-----
> From: openwrt-devel [mailto:openwrt-devel-boun...@lists.openwrt.org]
> On Behalf Of Hauke Mehrtens
> Sent: Saturday, 29 August 2020 20:33
> To: openwrt-devel@lists.openwrt.org
> Cc: Hauke Mehrtens <ha...@hauke-m.de>
> Subject: [PATCH] uhttpd: Increase default certificate validity from 2 to 10
> years
>
> The user has to accept this specific certificate manually in his browser;
> the browser does not trust it automatically, and in this process the user
> gets a scary message to approve. I am not aware of a way to improve this
> initial certificate approval.
>
> After the certificate has expired the user gets a scary message from his
> browser again. This message looks very similar to a real man-in-the-middle
> (MitM) attack: in the MitM attack the warning would complain about a wrong
> key, in this case about an expired key. We should avoid that the user gets
> such messages; the more he gets such messages, the more likely it is that
> he will also approve this message when a real MitM attack is happening.
>
> When a normal certificate authority is used the user does not get a scary
> message when the certificate changes, as long as it is still signed by a
> CA. In such cases it makes sense to have a short validity period, because
> certificate revocation practically does not work on the Internet.
> Certificate revocation really does not work for self-signed certificates,
> but exchanging certificates is hard because of the scary messages users
> see.
>
> Even with a certificate validity of 2 years an attacker who has access to
> the private key could use it for the rest of the time to do MitM attacks,
> which would not be noticed. If a key gets compromised the user has to
> manually remove the trust in all SSL clients anyway, no matter if it is
> valid for 2 or 10 years.
>
> Let's not increase it to more than 10 years, because the algorithms used in
> the certificate will probably not be sufficient any more in 10 years.
>
> The default self-signed SSL certificate for Apache in Debian 10 is also
> valid for 10 years.
>
> To increase the security of the users and also make it more user friendly,
> increase the validity to 10 years.

I think you have a point, but due to the typical lifetime of our releases
I'd choose 5 years.

Best
Adrian

> Modern browsers only restrict the validity of certificates signed by
> globally trusted CAs, not self-signed certificates.
>
> Signed-off-by: Hauke Mehrtens <ha...@hauke-m.de>
> ---
> package/network/services/uhttpd/files/uhttpd.config | 2 +-
> package/network/services/uhttpd/files/uhttpd.init | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/package/network/services/uhttpd/files/uhttpd.config
> b/package/network/services/uhttpd/files/uhttpd.config
> index 39089ca25b34..587c97402246 100644
> --- a/package/network/services/uhttpd/files/uhttpd.config
> +++ b/package/network/services/uhttpd/files/uhttpd.config
> @@ -116,7 +116,7 @@ config uhttpd main
> config cert defaults
>
> # Validity time
> - option days 730
> + option days 3650
>
> # key type: rsa or ec
> option key_type rsa
> diff --git a/package/network/services/uhttpd/files/uhttpd.init
> b/package/network/services/uhttpd/files/uhttpd.init
> index 869f79bea20f..5f870f6ad6e1 100755
> --- a/package/network/services/uhttpd/files/uhttpd.init
> +++ b/package/network/services/uhttpd/files/uhttpd.init
> @@ -55,7 +55,7 @@ generate_keys() {
> [ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -der"
> [ -n "$GENKEY_CMD" ] && {
> $GENKEY_CMD \
> - -days ${days:-730} -newkey ${KEY_OPTS} -keyout
> "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
> + -days ${days:-3650} -newkey ${KEY_OPTS} -keyout
> "${UHTTPD_KEY}.new"
> +-out "${UHTTPD_CERT}.new" \
> -subj /C="${country:-ZZ}"/ST="${state:-
> Somewhere}"/L="${location:-Unknown}"/O="${commonname:-
> OpenWrt}$UNIQUEID"/CN="${commonname:-OpenWrt}"
> sync
> mv "${UHTTPD_KEY}.new" "${UHTTPD_KEY}"
> --
> 2.20.1
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
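Review bot: the uhttpd.config hunk (`option days 730` to `option days 3650`) only changes the default that ships with a fresh /etc/config/uhttpd; devices that already have that file keep `option days 730`, so the longer validity will mainly reach new installs unless a config migration is added. Please state that scope in the commit message, and if the 5-year value suggested in this thread is taken instead, change this default and the `${days:-...}` fallback in uhttpd.init together so they do not drift apart.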
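Review bot: the uhttpd.init hunk as quoted has been re-wrapped by the mail client (the tail `-out "${UHTTPD_CERT}.new" \` shows up as a separate `+-out` line), so this copy will not apply with `git am`; make sure the version that gets merged is the unwrapped original. On the content, `-days ${days:-3650}` now hard-codes the validity a second time, and `generate_keys()` only reaches that fallback when the UCI section has no `days` option, so consider pointing at the config default in a comment, or deriving both from one place, so that a future change to one of them cannot leave the other at the old value.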
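As an added consistency check, my own script and not part of the patch or of uhttpd, the Python below parses the two places the patch touches, the `config cert defaults` section in uhttpd.config and the `${days:-N}` fallback in uhttpd.init, and flags when they drift apart or exceed the 10-year ceiling the commit message argues for. The config and init fragments are constructed from the hunks quoted above.

```python
import re

# Constructed sample input: the fragments of uhttpd.config and uhttpd.init
# that the patch touches, as they read with the patch applied.
UHTTPD_CONFIG = """\
config cert defaults
    # Validity time
    option days 3650
    # key type: rsa or ec
    option key_type rsa
"""
UHTTPD_INIT = """\
    $GENKEY_CMD \\
        -days ${days:-3650} -newkey ${KEY_OPTS} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \\
"""

def uci_option(text, section_type, section_name, option):
    """Value of `option <option> <value>` inside `config <type> <name>`, or None."""
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)\s+(\S+)", line)
        if m:
            current = (m.group(1), m.group(2).strip("'\""))
            continue
        m = re.match(r"\s*option\s+(\S+)\s+(.+)", line)
        if m and current == (section_type, section_name) and m.group(1) == option:
            return m.group(2).strip().strip("'\"")
    return None

def init_days_fallback(text):
    """The N in `${days:-N}`: what generate_keys() uses when UCI sets no `days`."""
    m = re.search(r"\$\{days:-(\d+)\}", text)
    return int(m.group(1)) if m else None

def check_validity_defaults(config_text, init_text, max_days=3650):
    """Return (config_days, init_days, problems); max_days is the 10-year ceiling."""
    cfg = uci_option(config_text, "cert", "defaults", "days")
    cfg_days = int(cfg) if cfg is not None else None
    init_days = init_days_fallback(init_text)
    problems = []
    if cfg_days is None or init_days is None:
        problems.append("a validity default is missing")
    elif cfg_days != init_days:
        problems.append(f"config default {cfg_days} != init fallback {init_days}")
    effective = cfg_days if cfg_days is not None else init_days
    if effective is not None and effective > max_days:
        problems.append(f"validity {effective} days exceeds {max_days}")
    return cfg_days, init_days, problems
```

Run it against the real files in a build tree to catch the two defaults drifting apart when one of them is changed, for example to the 5-year value discussed in this thread.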