On Tue, Sep 01, 2020 at 06:45:02AM +0800, Yousong Zhou wrote:
> It's worth mentioning that recent versions of macOS since 10.15 have a
> restriction on certificate validity period, self-signed or not. It's
> a strong restriction that the browser UI will have no buttons or knobs
> to bypass the certificate validation, rendering such sites
> inaccessible. I remembered it's also a system-wide enforcement that
> Chrome on macOS also respects this.
>
> [1] Requirements for trusted certificates in iOS 13 and macOS 10.15,
> https://support.apple.com/en-us/HT210176
>
> > TLS server certificates must have a validity period of 825 days or fewer
> > (as expressed in the NotBefore and NotAfter fields of the certificate).
>
> [2] About upcoming limits on trusted certificates,
> https://support.apple.com/en-us/HT211025
>
> > TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC
> > must not have a validity period greater than 398 days.
There it also says: 'This change will not affect certificates issued from user-added or administrator-added Root CAs.'

So why not force users of devices owned by $$$megacorp to install the self-signed as an additional CA? This could even be done via an installation tool, downloading the certificate from the router using a built-in copy of wolfssl or whatever, ignoring the certificate's validity.

Executing the installation program on $$$megacorp-os will of course trigger a cascade of extremely scary looking warnings and may require changing system settings to even allow running it at all. Another cascade of warnings will have to be dealt with when adding the self-signed as user-added Root CA.

I'm pretty sure things like this are needed quite often in Intranet environments and shouldn't be hard to implement or document the steps in the Wiki. After all, I wouldn't worry about any of this too much as long as there is /some/ way to make it work. And users of $$$megacorp-os are completely used to these kinds of procedures as they are required all the time to get things working (unless you bought them through $$$megacorp-store which prohibits the use of FOSS licences, despite the fact that $$$megacorp-os is of course built on the shoulders of the FOSS movement and itself in great parts published under FOSS licences).

Just my 2 cents...

> Regards,
> yousong
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
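The NotBefore/NotAfter check that the two Apple pages quoted above describe, as an added example that is not part of this thread or of OpenWrt: a minimal standard-library DER walk down to a certificate's Validity field, then a comparison of the period with the 825-day and 398-day limits. It assumes NotBefore stands in for the "issued on" date Apple's rule keys on, parses nothing beyond Validity (no signature check), and builds its own constructed, unsigned certificate skeleton as sample input.

```python
# Added example (not the thread's code): minimal DER walk to the Validity field.
from datetime import datetime, timezone

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(buf):
    """Split a constructed DER value into a list of (tag, value) children."""
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = der_tlv(buf, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    """UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def validity_period(cert_der):
    """Return (not_before, not_after) of a DER-encoded X.509 certificate."""
    _, cert, _ = der_tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert)[0][1])  # tbsCertificate fields
    if fields[0][0] != 0xA0:                       # v1 cert: no explicit [0] version
        fields.insert(0, (0xA0, b""))
    # fields: version, serialNumber, signature, issuer, validity, subject, ...
    not_before, not_after = der_children(fields[4][1])
    return parse_time(*not_before), parse_time(*not_after)

def check_apple_limit(cert_der):
    """(days, limit, ok); assumption: NotBefore is the issue date the rule keys on."""
    nb, na = validity_period(cert_der)
    days = (na - nb).total_seconds() / 86400
    limit = 398 if nb >= datetime(2020, 9, 1, tzinfo=timezone.utc) else 825
    return days, limit, days <= limit

def tlv(tag, content):
    """Short-form DER TLV (content < 128 bytes); only builds constructed sample input."""
    return bytes([tag, len(content)]) + content

def sample_cert(not_before, not_after):
    """Constructed, unsigned certificate skeleton: just enough structure to parse."""
    validity = tlv(0x30, tlv(0x17, not_before.encode()) + tlv(0x17, not_after.encode()))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 2 + validity + tlv(0x30, b""))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

Feed `check_apple_limit()` the DER bytes of a real certificate (e.g. from `openssl x509 -outform DER`) to see which limit a router's self-signed cert trips.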