Yousong Zhou <yszhou4t...@gmail.com> wrote:
> It's worth mentioning that recent versions of macOS since 10.15
> have a restriction on certificate validity period, self-signed
> or not. It's a strong restriction that the browser UI will have
> no buttons or knobs to bypass the certificate validation,
> rendering such sites inaccessible. I remembered it's also a
> system-wide enforcement that Chrome on macOS also respects
> this.
> 
> [1] Requirements for trusted certificates in iOS 13 and macOS
> 10.15, https://support.apple.com/en-us/HT210176
> 
> > TLS server certificates must have a validity period of 825 days or fewer 
> > (as expressed in the NotBefore and NotAfter fields of the certificate).
> 
> [2] About upcoming limits on trusted certificates,
> https://support.apple.com/en-us/HT211025
> 
> > TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC 
> > must not have a validity period greater than 398 days.
> 

Are they blocking or planning to block non-http sites? This would
be a further argument that self-signed certs by default for LuCI
are actively bad.

The latest reference I can find for Chromium is that HTTP will be
marked as insecure, but not with the click-through horror show of
self-signed certs.

https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

Sincerely,
Karl Palsson
