From: Hannu Nyman Date: Wed, 1 May 2024 10:53:34 +0000 (+0300) Subject: uhttpd: Decrease the default validity time of certificate X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=0b7d99147b721c9bc95e9a0caacd300227d10375;p=openwrt%2Fstaging%2Fwigyori.git uhttpd: Decrease the default validity time of certificate The recommended maximum validity period is currently 397 days and some browsers throw warning with longer periods. Reference to https://cabforum.org/working-groups/server/baseline-requirements/ 6.3.2 Certificate operational periods and key pair usage periods Subscriber Certificates issued on or after 1 September 2020 SHOULD NOT have a Validity Period greater than 397 days and MUST NOT have a Validity Period greater than 398 days. Signed-off-by: Hannu Nyman Link: https://github.com/openwrt/openwrt/pull/15366 Signed-off-by: Robert Marko --- diff --git a/package/network/services/uhttpd/Makefile b/package/network/services/uhttpd/Makefile index a373e62820..ea76fa65ea 100644 --- a/package/network/services/uhttpd/Makefile +++ b/package/network/services/uhttpd/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=uhttpd -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL=$(PROJECT_GIT)/project/uhttpd.git diff --git a/package/network/services/uhttpd/files/uhttpd.config b/package/network/services/uhttpd/files/uhttpd.config index a9b8ff3d15..ce76fe6b6b 100644 --- a/package/network/services/uhttpd/files/uhttpd.config +++ b/package/network/services/uhttpd/files/uhttpd.config @@ -123,8 +123,8 @@ config uhttpd main # Defaults for automatic certificate and key generation config cert defaults - # Validity time - option days 730 + # Validity time, 397 days is maximum allowed by CA/Browser forum + option days 397 # key type: rsa or ec option key_type ec diff --git a/package/network/services/uhttpd/files/uhttpd.init b/package/network/services/uhttpd/files/uhttpd.init index d9e742024d..6929fef421 100755 --- a/package/network/services/uhttpd/files/uhttpd.init +++ b/package/network/services/uhttpd/files/uhttpd.init @@ -56,7 +56,7 @@ generate_keys() { [ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -der" [ -n "$GENKEY_CMD" ] && { $GENKEY_CMD \ - -days ${days:-730} -newkey ${KEY_OPTS} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \ + -days ${days:-397} -newkey ${KEY_OPTS} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \ -subj /C="${country:-ZZ}"/ST="${state:-Somewhere}"/L="${location:-Unknown}"/O="${organization:-OpenWrt$UNIQUEID}"/CN="${commonname:-OpenWrt}" \ -addext extendedKeyUsage=serverAuth -addext subjectAltName=DNS:"${commonname:-OpenWrt}" sync