The recommended maximum validity period is currently 397 days,
and some browsers show a warning for longer periods.
Reference to
https://cabforum.org/working-groups/server/baseline-requirements/
6.3.2 Certificate operational periods and key pair usage periods
Subscriber Certificates issued on or after 1 September 2020
SHOULD NOT have a Validity Period greater than 397 days and
MUST NOT have a Validity Period greater than 398 days.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/15366
Signed-off-by: Robert Marko <robimarko@gmail.com>
include $(TOPDIR)/rules.mk
PKG_NAME:=uhttpd
-PKG_RELEASE:=3
+PKG_RELEASE:=4
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL=$(PROJECT_GIT)/project/uhttpd.git
# Defaults for automatic certificate and key generation
config cert defaults
- # Validity time
- option days 730
+ # Validity time, 397 days is maximum allowed by CA/Browser forum
+ option days 397
# key type: rsa or ec
option key_type ec
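Review bot: The new comment above `option days 397` calls 397 days the "maximum allowed", but the Baseline Requirements text quoted in the commit message makes 397 the SHOULD NOT limit and 398 the MUST NOT limit, and it speaks of Subscriber Certificates. The certificate configured here appears to be self-signed, so the figure is a convention browsers may apply rather than a rule binding this certificate. A more precise comment would be `# Validity time in days; 397 is the CA/Browser Forum recommended maximum for subscriber certificates`. It would also help to state in the comment that this value only affects certificates generated after the change.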
[ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -der"
[ -n "$GENKEY_CMD" ] && {
$GENKEY_CMD \
- -days ${days:-730} -newkey ${KEY_OPTS} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
+ -days ${days:-397} -newkey ${KEY_OPTS} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
-subj /C="${country:-ZZ}"/ST="${state:-Somewhere}"/L="${location:-Unknown}"/O="${organization:-OpenWrt$UNIQUEID}"/CN="${commonname:-OpenWrt}" \
-addext extendedKeyUsage=serverAuth -addext subjectAltName=DNS:"${commonname:-OpenWrt}"
sync
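Review bot: With the fallback at `-days ${days:-397}` the self-signed certificate now expires after roughly 13 months, and nothing in this hunk shows it being regenerated once it has expired. If generation only runs when the key and certificate files are missing (not visible here), devices left untouched will start serving an expired certificate, which trains users to click through the browser error. Consider checking the existing certificate's end date at service start and regenerating it when it is past or near expiry. Separately, the expansion is unquoted, so a malformed `days` option would be word-split into extra arguments; `-days "${days:-397}"` avoids that. The enclosing function starts and ends outside the hunk.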