Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Generate HTTPS certificates accepted by iOS 13 / macOS Catalina #6036

Closed
calmh opened this issue Sep 30, 2019 · 8 comments
Closed

Generate HTTPS certificates accepted by iOS 13 / macOS Catalina #6036

calmh opened this issue Sep 30, 2019 · 8 comments
Labels
Milestone

Comments

@calmh
Copy link
Member

@calmh calmh commented Sep 30, 2019

Some new requirements have been added in new OSes. One thing we will run afoul of:

TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate). (https://support.apple.com/en-us/HT210176)

We generate GUI certs with very long validity time. We'd need to cut this down to two years, and then also be prepared to re-generate the cert before it expires.

(I haven't yet tested whether the "fuck it, I trust this cert anyway" dialog for self-signed certs maybe overrides this requirement too.)

@calmh calmh added the enhancement label Sep 30, 2019
@janprzy

This comment has been minimized.

Copy link

@janprzy janprzy commented Oct 12, 2019

I installed Syncthing on two Macs, one running Mojave and the other running Catalina. When trying to access the web GUI using https, it warns of the invalid certificate, but, after dismissing that dialog and entering my password, it works. This is the same on both machines.

Syncing works perfectly and without a warning, I have only tested it within my LAN though.

@AudriusButkevicius

This comment has been minimized.

Copy link
Member

@AudriusButkevicius AudriusButkevicius commented Oct 12, 2019

That warning (self signed cert), cannot be avoided.

@GermanCoding

This comment has been minimized.

Copy link

@GermanCoding GermanCoding commented Oct 12, 2019

That warning (self signed cert), cannot be avoided.

Yes, but this issue talks about a potential new problem (certificates valid for too long), which does not apply for syncthing - no change in behavior for macOS 10.15, since the cert was untrusted anyway.

As formulated by calmh: "The "fuck it, I trust this cert anyway" dialog for self-signed certs does override this requirement too.".

The issue can be closed from my point of view.

@calmh

This comment has been minimized.

Copy link
Member Author

@calmh calmh commented Oct 12, 2019

That's not my interpretation at all. I upgraded yesterday and a newly generated Syncthing certificate shows this now in Safari:

Screen Shot 2019-10-12 at 20 59 21

Note "revoked" status and complete lack of "visit this website anyway". A certificate with shorter lifetime works as expected.

Note that none of this applies to certificates created before June or July or something, so it's likely you're looking at an older certificate.

@janprzy

This comment has been minimized.

Copy link

@janprzy janprzy commented Oct 12, 2019

That's strange, because that warning looks completely different for me:
(It's in German but I translated the important parts)
Bildschirmfoto 2019-10-12 um 18 09 40 Kopie
This was taken when connecting to a different machine on my LAN, but it looks the same with localhost.
I think it is about the same warning earlier versions of Safari would show, but I don't have one around for testing. I'm currently using 13.0.2.

so it's likely you're looking at an older certificate

The certificate was generated today (2019-10-12) and is valid until 2050.

Also: Why is there "Microsoft Edge" in your screenshot? I thought this was about Safari.

calmh added a commit to calmh/syncthing that referenced this issue Oct 12, 2019
This adds a certificate lifetime parameter to our certificate generation
and hard codes it to twenty years in some uninteresting places. In the
main binary there are a couple of constants but it results in twenty
years for the device certificate and 820 days for the HTTPS one. 820 is
less than the 825 maximum Apple allows nowadays.

This also means we must be prepared for certificates to expire, so I add
some handling for that and generate a new certificate when needed. For
our own certificates (common name Syncthing) we regenerate a month ahead
of time. For other certificates we leave well enough alone.
@calmh

This comment has been minimized.

Copy link
Member Author

@calmh calmh commented Oct 12, 2019

That's interesting! I messed up the testing in that I though I was testing with Safari as that's the most Mac:y browser, but Syncthing opened the page in my default browser (Edge) and I just rolled with it.

In Safari I see the same as you and @GermanCoding - it works fine when force-accepted. In Edge I see the more aggressive behavior - the long certificate is not possible to accept as it's considered "revoked". In Chrome (on which Edge is based) I see the same thing: "revoked" and no option to continue:

Screen Shot 2019-10-12 at 21 48 33

Summing up I conclude the problem remains, but not in Safari specifically.

@calmh

This comment has been minimized.

Copy link
Member Author

@calmh calmh commented Oct 12, 2019

Maybe this is not intentional from the Chrome/Edge side and just a side effect of the CERT_ERR_REVOKED rather than CERT_ERR_INVALID_AUTHORITY from the backend.

@janprzy

This comment has been minimized.

Copy link

@janprzy janprzy commented Oct 12, 2019

That's probably it. I tried it with Chromium and got different error messages:

Mojave:
Mojave

Catalina:
Catalina

calmh added a commit to calmh/syncthing that referenced this issue Oct 13, 2019
This adds a certificate lifetime parameter to our certificate generation
and hard codes it to twenty years in some uninteresting places. In the
main binary there are a couple of constants but it results in twenty
years for the device certificate and 820 days for the HTTPS one. 820 is
less than the 825 maximum Apple allows nowadays.

This also means we must be prepared for certificates to expire, so I add
some handling for that and generate a new certificate when needed. For
self signed certificates we regenerate a month ahead of time. For other
certificates we leave well enough alone.
@calmh calmh closed this in 4736ccc Oct 16, 2019
@calmh calmh added this to the v1.3.2 milestone Oct 16, 2019
@calmh calmh changed the title gui: Generate certificates accepted by iOS 13 / macOS Catalina Generate HTTPS certificates accepted by iOS 13 / macOS Catalina Nov 11, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.