On 9/1/20 12:45 AM, Yousong Zhou wrote:
> It's worth mentioning that recent versions of macOS since 10.15 have a
> restriction on certificate validity period, self-signed or not. It's
> a strong restriction that the browser UI will have no buttons or knobs
> to bypass the certificate validation, rendering such sites
> inaccessible. I remembered it's also a system-wide enforcement that
> Chrome on macOS also respects this.
>
> [1] Requirements for trusted certificates in iOS 13 and macOS 10.15,
> https://support.apple.com/en-us/HT210176
>
>> TLS server certificates must have a validity period of 825 days or fewer (as
>> expressed in the NotBefore and NotAfter fields of the certificate).
>
> [2] About upcoming limits on trusted certificates,
> https://support.apple.com/en-us/HT211025
>
>> TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC
>> must not have a validity period greater than 398 days.
>
> Regards,
> yousong
Could someone please test how macOS and iOS behave with a self-signed certificate, valid for 10 years, which was issued no later than today.

The changes which are applied today on 1 September are only affecting certificates signed by preinstalled CAs. This information from Apple does not tell how the system will behave with self-signed certificates. The older changes will reject certificates valid for longer than 825 days (27 months).

Apple also says this:

> TLS server certificates must present the DNS name of the server in the
> Subject Alternative Name extension of the certificate. DNS names in
> the CommonName of a certificate are no longer trusted.

Currently we do not set a "Subject Alternative Name", but we also do not really know the host name. We could set this to openwrt.lan, the default hostname.

We will still work over normal http; using https is only an addition.

Hauke
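A small checker for the rules quoted in this thread, added here as an example (it is not code from the thread, from Apple, or from OpenWrt). It parses the text that `openssl x509 -noout -dates -ext subjectAltName -in cert.pem` prints and evaluates the 825-day limit, the 398-day limit for certificates from preinstalled roots issued on or after 2020-09-01, and the SAN requirement. The `from_system_root` flag and the two sample outputs are assumptions constructed for the example; the flag models the reading above that the 398-day rule does not reach self-signed certificates, and `openwrt.lan` is the default hostname mentioned in the reply.

```python
"""Check a TLS server certificate against the Apple trust rules quoted above.

Added example, not part of the thread. It reads the text printed by
`openssl x509 -noout -dates -ext subjectAltName -in cert.pem` and applies:
  - HT210176: validity (NotAfter - NotBefore) must be <= 825 days, and the
    server DNS name must appear in the Subject Alternative Name extension;
  - HT211025: certificates chained to a preinstalled root and issued on or
    after 2020-09-01 must be <= 398 days.
"""
import re
from datetime import datetime, timezone

MAX_DAYS_ALL = 825          # HT210176: every TLS server certificate
MAX_DAYS_SYSTEM_ROOT = 398  # HT211025: certificates from preinstalled roots
SYSTEM_ROOT_CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)

OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"  # e.g. "Sep  1 00:00:00 2020 GMT"


def _parse_date(value):
    """Parse an openssl notBefore/notAfter value into an aware UTC datetime."""
    return datetime.strptime(value.strip(), OPENSSL_DATE).replace(tzinfo=timezone.utc)


def parse_openssl_text(text):
    """Extract (not_before, not_after, san_dns_names) from openssl's text output."""
    not_before = not_after = None
    dns_names = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("notBefore="):
            not_before = _parse_date(line[len("notBefore="):])
        elif line.startswith("notAfter="):
            not_after = _parse_date(line[len("notAfter="):])
        else:
            # SAN entries look like "DNS:openwrt.lan, IP Address:192.168.1.1"
            dns_names.extend(re.findall(r"DNS:([^,\s]+)", line))
    if not_before is None or not_after is None:
        raise ValueError("notBefore/notAfter not found in openssl output")
    return not_before, not_after, dns_names


def check_apple_trust(not_before, not_after, dns_names, hostname=None,
                      from_system_root=False):
    """Return a list of rule violations; an empty list means the rules pass.

    from_system_root is an assumption of this example: when False, only the
    825-day rule is applied, which is the reading of HT211025 given above.
    """
    problems = []
    validity_days = (not_after - not_before).days
    limit = MAX_DAYS_ALL
    if from_system_root and not_before >= SYSTEM_ROOT_CUTOFF:
        limit = MAX_DAYS_SYSTEM_ROOT
    if validity_days > limit:
        problems.append(f"validity {validity_days} days exceeds {limit}-day limit")
    if not dns_names:
        problems.append("no DNS name in Subject Alternative Name "
                        "(a CommonName alone is no longer trusted)")
    elif hostname is not None and hostname not in dns_names:
        problems.append(f"{hostname!r} not in SAN {dns_names}")
    return problems


# Constructed sample output: a 10-year certificate with no SAN extension,
# the shape of a typical router self-signed certificate (not a real one).
SAMPLE_10Y_CN_ONLY = """\
notBefore=Sep  1 00:00:00 2020 GMT
notAfter=Aug 30 00:00:00 2030 GMT
"""

# Constructed sample output: an 825-day certificate listing the default
# hostname in the SAN.
SAMPLE_825D_SAN = """\
notBefore=Sep  1 00:00:00 2020 GMT
notAfter=Dec  5 00:00:00 2022 GMT
X509v3 Subject Alternative Name:
    DNS:openwrt.lan, IP Address:192.168.1.1
"""

if __name__ == "__main__":
    for label, text in (("10y, CN only", SAMPLE_10Y_CN_ONLY),
                        ("825d, SAN", SAMPLE_825D_SAN)):
        nb, na, names = parse_openssl_text(text)
        print(label, "->", check_apple_trust(nb, na, names, hostname="openwrt.lan") or "OK")
```

Run it against a real certificate by piping the openssl command above into `parse_openssl_text`; the day count is taken as NotAfter minus NotBefore, which is how the quoted Apple text expresses the limit.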
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel