Yousong Zhou <yszhou4t...@gmail.com> wrote:
> It's worth mentioning that recent versions of macos since 10.15
> have a restriction on certificate validity period, self-signed
> or not. It's a strong restriction that the browser ui will have
> no buttons or knobs to bypass the certificate validation,
> rendering such sites inaccessible. I remembered it's also a
> system wide enforcement that chrome on macos also respects
> this.
>
> [1] Requirements for trusted certificates in iOS 13 and macOS
> 10.15, https://support.apple.com/en-us/HT210176
>
> > TLS server certificates must have a validity period of 825 days or fewer
> > (as expressed in the NotBefore and NotAfter fields of the certificate).
>
> [2] About upcoming limits on trusted certificates,
> https://support.apple.com/en-us/HT211025
>
> > TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC
> > must not have a validity period greater than 398 days.
>

Are they blocking or planning to block non-http sites? This would be
further arguments that self-signed certs by default for luci are
actively bad.

Latest reference I can find for chromium is that HTTP will be marked as
insecure, but not with the click through horror show of self signed
certs.

https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

Sincerely,
Karl Palsson
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel