
Feature #9825

Requirements for trusted certificates in iOS 13 and macOS 10.15

Added by Daniel Gutierrez about 1 year ago. Updated 8 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Certificates
Target version:
Start date: 10/13/2019
Due date:
% Done: 100%
Estimated time:

Description

Because Apple has shortened the maximum validity period of TLS server certificates to 825 days in iOS 13 and macOS Catalina (10.15), the default the pfSense CA interface uses (3650 days) should be shortened to 825 days, or a warning should be shown if the user selects the Server Certificate type and the days exceed 825.

It may also be desirable to update the interface to reflect the new Subject Alternative Name requirements for TLS server certificates (because "DNS names in the CommonName of a certificate are no longer trusted").

Requirements for trusted certificates in iOS 13 and macOS 10.15
https://support.apple.com/en-us/HT210176

I became aware of this article because access to pfSense broke for me in iOS 13 & macOS Catalina, and the error messages Safari gives you are generic and misleading (such as "certificate name does not match input" when it does).

Associated revisions

Revision 3f0b7bc3 (diff)
Added by Jim Pingle about 1 year ago

Certificate strength improvements. Fixes #9825

  • Change default GUI cert lifetime to 825 days
  • Add notes on CA/Cert pages about using potentially insecure parameter choices
  • Add visible warnings on CA/Cert pages if parameters are insecure/not recommended.

Revision 71185882 (diff)
Added by Jim Pingle about 1 year ago

Reduce default GUI cert lifetime to 825 days. Issue #9825

Revision f944f4a7 (diff)
Added by Jim Pingle 8 months ago

Server cert lifetime reduced to 398. Fixes #9825

New requirements coming this fall will require new certs to be valid for at most
398 days. Set up this new requirement now, rather than waiting.

While here, reduce usage of hardcoded value where possible.

Revision 347ca360 (diff)
Added by Jim Pingle 8 months ago

Auto GUI/OpenVPN wizard cert lifetime reduced to 398. Fixes #9825

History

#1 Updated by Jim Pingle about 1 year ago

  • Category set to Certificates
  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

We have automatically filled in the SAN based on the CN for a while now. You can't make a new cert without a SAN, since those have been widely rejected for a couple years now. I'll look into the other changes.

#2 Updated by Jim Pingle about 1 year ago

Not a resolution, but a related note: I am adding code to renew certificates with an option to enforce these parameters upon renewal. See #9842 for details.

This still needs at least some guidance in the GUI to warn against using weak parameters. The default choices for key length and lifetime exceed those stated in the requirements, so that should be OK with just a note. Lifetime will need warning text as well, but may need a bump via JavaScript when selecting a server certificate, or at least a more visible warning.

#3 Updated by Jim Pingle about 1 year ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

I just pushed changes that should fully address the remaining concerns here.

Once on a snapshot with these changes, if a user needs a new GUI cert that conforms to the lifetime limit, they can run pfSsh.php playback generateguicert from an SSH or console shell.

#4 Updated by Viktor Gurov 12 months ago

Tested on 2.5.0.a.20191109.1723

Change default GUI cert lifetime to 825 days - OK
Add notes on CA/Cert pages about using potentially insecure parameter choices - OK
Add visible warnings on CA/Cert pages if parameters are insecure/not recommended. - OK

Resolved

#5 Updated by Jim Pingle 12 months ago

  • Status changed from Feedback to Resolved

#6 Updated by Jim Pingle 11 months ago

  • Target version changed from 2.5.0 to 2.4.5

#7 Updated by Jim Pingle 11 months ago

  • Status changed from Resolved to Feedback

The default GUI cert lifetime of 825 days needs to be checked on 2.4.5 snapshots. If it's OK, move target back to 2.5.0 since there are other changes there that were not backported.

#8 Updated by Viktor Gurov 11 months ago

Jim Pingle wrote:

The default GUI cert lifetime of 825 days needs to be checked on 2.4.5 snapshots. If it's OK, move target back to 2.5.0 since there are other changes there that were not backported.

tested on 2.4.5.a.20191205.1442_3

Change default GUI cert lifetime to 825 days - OK
Add notes on CA/Cert pages about using potentially insecure parameter choices - NO
Add visible warnings on CA/Cert pages if parameters are insecure/not recommended. - NO

#9 Updated by Viktor Gurov 11 months ago

reduce OpenVPN wizard server cert lifetime to 825:
https://github.com/pfsense/pfsense/pull/4126

#10 Updated by Viktor Gurov 11 months ago

mark certificates with lifetime > 825 days:
https://github.com/pfsense/pfsense/pull/4127

#11 Updated by Jim Pingle 11 months ago

  • Status changed from Feedback to Resolved

Viktor Gurov wrote:

Change default GUI cert lifetime to 825 days - OK

That's all that needed testing, so it's fine.

#12 Updated by Jim Pingle 11 months ago

  • Target version changed from 2.4.5 to 2.5.0

#13 Updated by Jim Pingle 8 months ago

  • Status changed from Resolved to In Progress

This has now been dropped to 398 days for certs made after September 1, so we may as well adjust that down now (maybe just in 2.5.0?)

https://www.thesslstore.com/blog/ssl-certificate-validity-will-be-limited-to-one-year-by-apples-safari-browser/
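The checks below are an added example, not pfSense code or anything from this issue's authors: they encode the client-side trust rules the description (825-day cap, SAN required, CN alone not trusted) and comment #13 (398-day cap for certs issued on or after 1 September 2020) refer to, plus the 2048-bit RSA minimum from the same Apple article, as a policy check over a constructed dict describing a certificate. The `make_cert`, `check_server_cert` and `max_lifetime_days` names and the dict layout are assumptions of this example.

```python
from datetime import date, timedelta

# Added example (not pfSense project code). Apple trust requirements for TLS
# server certs as discussed in this issue: iOS 13 / macOS 10.15 (HT210176)
# cap validity at 825 days, require a Subject Alternative Name (a DNS name
# only in the CN is not trusted) and RSA keys of at least 2048 bits; certs
# issued on or after 2020-09-01 are capped at 398 days.
APPLE_CAP_825 = 825
APPLE_CAP_398 = 398
CAP_398_START = date(2020, 9, 1)
MIN_RSA_BITS = 2048


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def max_lifetime_days(issued_on):
    """Longest validity (days) Apple clients accept for a cert issued on this date."""
    return APPLE_CAP_398 if _as_date(issued_on) >= CAP_398_START else APPLE_CAP_825


def make_cert(not_before, days, cn, san_dns, key_bits=2048):
    """Constructed dict description of a cert, built the way the pfSense GUI
    creates one: a start date plus a lifetime in days."""
    start = _as_date(not_before)
    return {"not_before": start, "not_after": start + timedelta(days=days),
            "cn": cn, "san_dns": list(san_dns), "key_bits": key_bits}


def check_server_cert(cert):
    """Return the list of reasons Apple clients would reject this cert.
    An empty list means it passes the checks above."""
    findings = []
    lifetime = (cert["not_after"] - cert["not_before"]).days
    cap = max_lifetime_days(cert["not_before"])
    if lifetime > cap:
        findings.append(f"lifetime {lifetime} days exceeds the {cap}-day cap "
                        f"for certs issued on {cert['not_before']}")
    if not cert["san_dns"]:
        findings.append("no Subject Alternative Name; a DNS name in the CN alone is not trusted")
    elif cert["cn"] and cert["cn"] not in cert["san_dns"]:
        findings.append(f"CN {cert['cn']!r} is not in the SAN; clients match on SAN only")
    if cert["key_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key of {cert['key_bits']} bits is below {MIN_RSA_BITS}")
    return findings
```

Running it over pfSense's old 3650-day default, e.g. `check_server_cert(make_cert("2019-10-13", 3650, "fw.example.test", ["fw.example.test"]))`, reports only the lifetime finding; the 398-day default issued after the cut-over passes cleanly.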

#14 Updated by Jim Pingle 8 months ago

Made the change on both. Better to be safe.

#15 Updated by Jim Pingle 8 months ago

  • Status changed from In Progress to Feedback

#16 Updated by Viktor Gurov 8 months ago

  • Status changed from Feedback to Resolved

tested on 2.5.0.a.20200221.1911:
default cert creation, openvpn wizard, new cert creation, renew/reissue cert - ok

tested on 2.4.5.r.20200221.2100:
default cert creation - ok
