From patchwork Sat Aug 29 18:33:21 2020
X-Patchwork-Submitter: Hauke Mehrtens
X-Patchwork-Id: 1353750
X-Patchwork-Delegate: hauke@hauke-m.de
From: Hauke Mehrtens
To: openwrt-devel@lists.openwrt.org
Cc: Hauke Mehrtens
Subject: [PATCH] uhttpd: Increase default certificate validate from 2 to 10 years
Date: Sat, 29 Aug 2020 20:33:21 +0200
Message-Id: <20200829183321.17675-1-hauke@hauke-m.de>
List-Id: OpenWrt Development List

The user has to accept this specific certificate manually in his browser; the browser does not trust it automatically. In this process the user gets a scary message to approve. I am not aware of a way to improve this initial certificate approval.

After the certificate has expired, the user gets a scary message from his browser again. This message looks very similar to a real Man in the middle (MitM) attack; in the MitM attack the warning would complain about a wrong key, in this case about an expired key.

We should avoid that the user gets such messages; the more he gets such messages, the more likely it is that he will also approve this message when a real MitM attack is happening.

When a normal certificate authority is used, the user does not get a scary message when the certificate changed as long as it is still signed by a CA. In such cases it makes sense to have a short validity period because certificate revocation practically does not work on the Internet.

Certificate revocation really does not work for self-signed certificates, but exchanging certificates is hard because of the scary messages users see.

Even with a certificate validity of 2 years, an attacker who has access to the private key could use it for the rest of the time to do MitM attacks, which would not be noticed. If a key gets compromised, the user has to manually remove the trust in all SSL clients anyway, no matter if it is valid for 2 or 10 years.

Let's not increase it to more than 10 years, because the algorithms used in the certificate will probably not be sufficient any more in 10 years.

The default self-signed SSL certificate for Apache in Debian 10 is also valid for 10 years.

To increase the security of the users and also make it more user friendly, increase the validity to 10 years.

Modern browsers only restrict the validity of certificates signed by globally trusted CAs, not self-signed certificates.

Signed-off-by: Hauke Mehrtens
---
 package/network/services/uhttpd/files/uhttpd.config | 2 +-
 package/network/services/uhttpd/files/uhttpd.init | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/network/services/uhttpd/files/uhttpd.config b/package/network/services/uhttpd/files/uhttpd.config index 39089ca25b34..587c97402246 100644 --- a/package/network/services/uhttpd/files/uhttpd.config +++ b/package/network/services/uhttpd/files/uhttpd.config 
@@ -116,7 +116,7 @@ config uhttpd main config cert defaults # Validity time - option days 730 + option days 3650 # key type: rsa or ec option key_type rsa diff --git a/package/network/services/uhttpd/files/uhttpd.init b/package/network/services/uhttpd/files/uhttpd.init index 869f79bea20f..5f870f6ad6e1 100755 --- a/package/network/services/uhttpd/files/uhttpd.init +++ b/package/network/services/uhttpd/files/uhttpd.init @@ -55,7 +55,7 @@ generate_keys() { [ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -der" [ -n "$GENKEY_CMD" ] && { $GENKEY_CMD \ - -days ${days:-730} -newkey ${KEY_OPTS} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \ + -days ${days:-3650} -newkey ${KEY_OPTS} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \ -subj /C="${country:-ZZ}"/ST="${state:-Somewhere}"/L="${location:-Unknown}"/O="${commonname:-OpenWrt}$UNIQUEID"/CN="${commonname:-OpenWrt}" sync mv "${UHTTPD_KEY}.new" "${UHTTPD_KEY}"
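
Review bot: In the uhttpd.config hunk, the comment `# Validity time` above `option days 3650` states neither the unit nor why the default is ten years; something like `# Validity time in days (3650 is about 10 years)` would make the choice visible to anyone editing the file. The context line `option key_type rsa` just below also means the default key now has to hold up for the full ten years, and the commit message itself expects today's algorithms to be insufficient by then, so it is worth confirming that the default key size (not visible in this hunk) was chosen with that lifetime in mind.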
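
Review bot: In the uhttpd.init hunk, the fallback in `-days ${days:-3650}` repeats the 3650 that `option days` already sets in uhttpd.config, so the default now lives in two files and can drift apart on the next change; a named variable in the init script, or a comment tying the two together, would keep them in step. The expansion is also unquoted and handed straight to `$GENKEY_CMD`, so an empty value falls back to 3650 but a non-numeric `days` value reaches the key generator unchecked; a numeric check before the call would make a misconfiguration fail visibly instead of depending on how the generator handles it.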