Revision f944f4a7
Added by Jim Pingle over 5 years ago
| src/etc/inc/certs.inc | ||
|---|---|---|
| 1516 | 1516 |
*/ |
| 1517 | 1517 |
global $cert_strict_values; |
| 1518 | 1518 |
$cert_strict_values = array( |
| 1519 |
'max_server_cert_lifetime' => 825,
|
|
| 1519 |
'max_server_cert_lifetime' => 398,
|
|
| 1520 | 1520 |
'digest_blacklist' => array('md4', 'RSA-MD4', 'md5', 'RSA-MD5', 'md5-sha1',
|
| 1521 | 1521 |
'mdc2', 'RSA-MDC2', 'sha1', 'RSA-SHA1', |
| 1522 | 1522 |
'RSA-SHA1-2'), |
| src/etc/inc/system.inc | ||
|---|---|---|
| 1027 | 1027 |
} |
| 1028 | 1028 |
|
| 1029 | 1029 |
function system_webgui_create_certificate() {
|
| 1030 |
global $config, $g; |
|
| 1030 |
global $config, $g, $cert_strict_values;
|
|
| 1031 | 1031 |
|
| 1032 | 1032 |
init_config_arr(array('ca'));
|
| 1033 | 1033 |
$a_ca = &$config['ca']; |
| ... | ... | |
| 1045 | 1045 |
'commonName' => $cert_hostname, |
| 1046 | 1046 |
'subjectAltName' => "DNS:{$cert_hostname}");
|
| 1047 | 1047 |
$old_err_level = error_reporting(0); /* otherwise openssl_ functions throw warnings directly to a page screwing menu tab */ |
| 1048 |
if (!cert_create($cert, null, 2048, 825, $dn, "self-signed", "sha256")) {
|
|
| 1048 |
if (!cert_create($cert, null, 2048, $cert_strict_values['max_server_cert_lifetime'], $dn, "self-signed", "sha256")) {
|
|
| 1049 | 1049 |
while ($ssl_err = openssl_error_string()) {
|
| 1050 | 1050 |
log_error(sprintf(gettext("Error creating WebGUI Certificate: openssl library returns: %s"), $ssl_err));
|
| 1051 | 1051 |
} |
| src/usr/local/www/system_certmanager.php | ||
|---|---|---|
| 764 | 764 |
$pconfig['csrsign_lifetime'] ? $pconfig['csrsign_lifetime']:$default_lifetime, |
| 765 | 765 |
['max' => $max_lifetime] |
| 766 | 766 |
))->setHelp('The length of time the signed certificate will be valid, in days. %1$s' .
|
| 767 |
'Server certificates should not have a lifetime over 825 days or some platforms ' .
|
|
| 768 |
'may consider the certificate invalid.', '<br/>'); |
|
| 767 |
'Server certificates should not have a lifetime over %2$s days or some platforms ' .
|
|
| 768 |
'may consider the certificate invalid.', '<br/>', $cert_strict_values['max_server_cert_lifetime']);
|
|
| 769 | 769 |
$section->addInput(new Form_Select( |
| 770 | 770 |
'csrsign_digest_alg', |
| 771 | 771 |
'*Digest Algorithm', |
| ... | ... | |
| 882 | 882 |
$pconfig['lifetime'], |
| 883 | 883 |
['max' => $max_lifetime] |
| 884 | 884 |
))->setHelp('The length of time the signed certificate will be valid, in days. %1$s' .
|
| 885 |
'Server certificates should not have a lifetime over 825 days or some platforms ' .
|
|
| 886 |
'may consider the certificate invalid.', '<br/>'); |
|
| 885 |
'Server certificates should not have a lifetime over %2$s days or some platforms ' .
|
|
| 886 |
'may consider the certificate invalid.', '<br/>', $cert_strict_values['max_server_cert_lifetime']);
|
|
| 887 | 887 |
|
| 888 | 888 |
$section->addInput(new Form_Input( |
| 889 | 889 |
'dn_commonname', |
| src/usr/local/www/wizards/openvpn_wizard.xml | ||
|---|---|---|
| 645 | 645 |
<field> |
| 646 | 646 |
<name>lifetime</name> |
| 647 | 647 |
<displayname>Lifetime</displayname> |
| 648 |
<description>Lifetime in days. Server certificates should not have a lifetime over 825 days or some platforms may consider the certificate invalid.</description>
|
|
| 648 |
<description>Lifetime in days. Server certificates should not have a lifetime over 398 days or some platforms may consider the certificate invalid.</description>
|
|
| 649 | 649 |
<type>input</type> |
| 650 | 650 |
<size>10</size> |
| 651 |
<value>825</value>
|
|
| 651 |
<value>398</value>
|
|
| 652 | 652 |
<bindstofield>ovpnserver->step9->lifetime</bindstofield> |
| 653 | 653 |
</field> |
| 654 | 654 |
<field> |
Also available in: Unified diff
Server cert lifetime reduced to 398. Fixes #9825
New requirements coming this fall will require new certs to be valid for at most
398 days. Setup this new requirement now, rather than waiting.
While here, reduce usage of hardcoded value where possible.