Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: reduce TLS cert validity time #2457

Merged
merged 1 commit into from
Mar 28, 2024
Merged

fix: reduce TLS cert validity time #2457

merged 1 commit into from
Mar 28, 2024

Conversation

achingbrain
Copy link
Member

@achingbrain achingbrain commented Mar 28, 2024
edited
Loading

@peculiar/x509 cannot represent dates as far in advance as go-libp2p so the certs are rejected.

Reduce the maximum validity of certificates to keep them under 2050 - this can be re-evaluated after PeculiarVentures/x509#73 is fixed.

Change checklist

  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation if necessary (this includes comments as well)
  • I have added tests that prove my fix is effective or that my feature works

@achingbrain
fix: reduce TLS cert validity time
4ae19fe 
`@peculiar/x509` may be representing everything as UTCTime - dates
after 2050 should be GeneralizedTime so are rejected by compliant
TLS implementations.

Reduce the maximum validty of certificates to keep them under 2050
- this can be re-evaluated after PeculiarVentures/x509#73
is fixed.
@achingbrain achingbrain requested a review from a team as a code owner March 28, 2024 12:26
@achingbrain achingbrain merged commit bf720c0 into main Mar 28, 2024
24 checks passed
@achingbrain achingbrain deleted the fix/reduce-tls-cert-time branch March 28, 2024 12:44
@achingbrain achingbrain mentioned this pull request Mar 28, 2024
Merged
SgtPooki
SgtPooki reviewed Mar 29, 2024
View reviewed changes
Copy link
Member

@SgtPooki SgtPooki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sgtm

achingbrain added a commit that referenced this pull request Apr 2, 2024
@achingbrain
fix: remove ms from TLS notAfter date
aa4533a 
Partial revert of #2457.  We can specify dates in the far future,
causing `@peculiar/x509` to use `GeneralizedTime` values, but it
doesn't strip fractional seconds as per RFC 5280 so do it ourselves.
@achingbrain achingbrain mentioned this pull request Apr 2, 2024
Merged
3 tasks
achingbrain added a commit that referenced this pull request Apr 2, 2024
@achingbrain
fix: remove ms from TLS notAfter date (#2464)
ab5f057 
Partial revert of #2457.  We can specify dates in the far future,
causing `@peculiar/x509` to use `GeneralizedTime` values, but it
doesn't strip fractional seconds as per RFC 5280 so do it ourselves.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SgtPooki SgtPooki SgtPooki left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@achingbrain @SgtPooki