From 0b7d99147b721c9bc95e9a0caacd300227d10375 Mon Sep 17 00:00:00 2001
From: Hannu Nyman
Date: Wed, 1 May 2024 13:53:34 +0300
Subject: [PATCH] uhttpd: Decrease the default validity time of certificate

The recommended maximum validity period is currently 397 days and some browsers throw warning with longer periods.

Reference to https://cabforum.org/working-groups/server/baseline-requirements/
6.3.2 Certificate operational periods and key pair usage periods
Subscriber Certificates issued on or after 1 September 2020 SHOULD NOT have a Validity Period greater than 397 days and MUST NOT have a Validity Period greater than 398 days.

Signed-off-by: Hannu Nyman
Link: https://github.com/openwrt/openwrt/pull/15366
Signed-off-by: Robert Marko
---
 package/network/services/uhttpd/Makefile | 2 +-
 package/network/services/uhttpd/files/uhttpd.config | 4 ++--
 package/network/services/uhttpd/files/uhttpd.init | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/network/services/uhttpd/Makefile b/package/network/services/uhttpd/Makefile
index a373e62820..ea76fa65ea 100644
--- a/package/network/services/uhttpd/Makefile
+++ b/package/network/services/uhttpd/Makefile
@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=uhttpd
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/uhttpd.git
diff --git a/package/network/services/uhttpd/files/uhttpd.config b/package/network/services/uhttpd/files/uhttpd.config
index a9b8ff3d15..ce76fe6b6b 100644
--- a/package/network/services/uhttpd/files/uhttpd.config
+++ b/package/network/services/uhttpd/files/uhttpd.config
@@ -123,8 +123,8 @@ config uhttpd main
 # Defaults for automatic certificate and key generation
 config cert defaults
- # Validity time
- option days 730
+ # Validity time, 397 days is maximum allowed by CA/Browser forum
+ option days 397
 # key type: rsa or ec
 option key_type ec
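Review bot: The new comment on the `option days 397` line calls 397 days "maximum allowed by CA/Browser forum", but the commit message itself quotes BR 6.3.2 as SHOULD NOT exceed 397 and MUST NOT exceed 398, so 397 is the recommended ceiling and 398 the hard one. The Baseline Requirements also bind publicly trusted CAs rather than the self-signed certificate this section configures; the operative reason for an operator is the browser warning the commit message mentions. Suggest `# Validity time in days. Keep at or below 397: CA/Browser Forum BR 6.3.2 recommends at most 397 days (hard limit 398) and some browsers warn on longer validity` in place of the added comment line.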
diff --git a/package/network/services/uhttpd/files/uhttpd.init b/package/network/services/uhttpd/files/uhttpd.init
index d9e742024d..6929fef421 100755
--- a/package/network/services/uhttpd/files/uhttpd.init
+++ b/package/network/services/uhttpd/files/uhttpd.init
@@ -56,7 +56,7 @@ generate_keys() {
 [ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -der"
 [ -n "$GENKEY_CMD" ] && {
 $GENKEY_CMD \
- -days ${days:-730} -newkey ${KEY_OPTS} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
+ -days ${days:-397} -newkey ${KEY_OPTS} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
 -subj /C="${country:-ZZ}"/ST="${state:-Somewhere}"/L="${location:-Unknown}"/O="${organization:-OpenWrt$UNIQUEID}"/CN="${commonname:-OpenWrt}" \
 -addext extendedKeyUsage=serverAuth -addext subjectAltName=DNS:"${commonname:-OpenWrt}"
 sync
-- 
2.30.2
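Review bot: The fallback `${days:-397}` on the changed `-days` line now duplicates the default that uhttpd.config also carries, so the two can drift apart again and the lifetime of a generated certificate would then depend on whether the `cert defaults` section exists; a comment such as `# keep in sync with 'option days' in uhttpd.config (CA/B Forum BR 6.3.2: at most 397 days)` on that line, or a single `DEFAULT_CERT_DAYS=397` variable used here, would make the coupling visible. Nothing validates the value read from UCI: a configured `days` above 398 still produces a certificate that browsers warn about per the commit message, and a non-numeric value is passed through the unquoted expansion to openssl/px5g unchecked, which a guard like `case "${days:-}" in ''|*[!0-9]*) days=397 ;; esac` before `$GENKEY_CMD` would catch. generate_keys() begins before and ends after this hunk, so it is not visible here whether an already-deployed 730-day certificate is ever regenerated; if generation only happens when the key/cert files are missing, existing devices keep the longer validity until those files are removed, which the commit message could say.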