bmcweb Security issue

Vernon Mauery vernon.mauery at linux.intel.com
Thu Feb 13 08:33:37 AEDT 2020


On 12-Feb-2020 05:52 PM, Bruce Mitchell wrote:
>bmcweb Security issue: according to the CA/Browser Forum https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.7.pdf;
>Subscriber Certificates issued after 1 March 2018 MUST have a Validity Period no greater than 825 days.
>
>In bmcweb's ssl_key_handler.hpp we have:
>            // Cert is valid for 10 years
>            X509_gmtime_adj(X509_get_notAfter(x509),
>                            60L * 60L * 24L * 365L * 10L);
>
>I believe we want this changed to the 825 days.

Self-signed certificates are not subscriber certificates.

This is a self-signed certificate, so really that is a bigger issue than 
the length of time that it is valid for. This certificate should only be 
trusted on a direct physical connection with no other machines. It is 
there only to facilitate uploading a valid key/certificate to the BMC.

It is not intended to be used for any amount of time.

--Vernon
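The placeholder certificate this thread is about, as an added example that is not bmcweb's code nor either poster's: a POSIX shell script driving the openssl CLI to mint a self-signed certificate with a chosen validity (the command-line counterpart of the X509_gmtime_adj call quoted above), check whether it is self-signed, and measure its lifetime against an 825-day limit. The subject name bmc-placeholder and the file names are constructed for the example; the script assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not bmcweb's own code: mint a self-signed placeholder cert
# the way a BMC bootstrap cert is made and check it against a day limit.
# Subject name and file names are constructed for this example.
set -e

# gen_selfsigned DAYS PREFIX
# Writes PREFIX.key and PREFIX.crt; the cert is self-signed and valid from
# now for DAYS days (what X509_gmtime_adj on notAfter does in bmcweb).
gen_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$2.key" -out "$2.crt" -days "$1" \
        -subj "/CN=bmc-placeholder" >/dev/null 2>&1
}

# is_self_signed CERT
# Succeeds when subject and issuer are identical: the cert vouches for
# itself, so no CA in a client's trust store will validate it. This is a
# string comparison, not a signature check ('openssl verify -CAfile CERT
# CERT' would also verify the self-signature).
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# outlives_days CERT DAYS
# Succeeds when CERT is still valid DAYS days from now (remaining lifetime
# exceeds the limit); fails when it expires within that window. For a cert
# issued moments ago, remaining lifetime is the issued period.
outlives_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# remaining_days CERT
# Prints the whole days from now until notAfter, found by bisection over
# -checkend so no date(1) parsing is needed. Upper bound stays below the
# 32-bit seconds range some openssl builds impose on -checkend.
remaining_days() {
    lo=0; hi=20000
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if outlives_days "$1" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# Demo: bmcweb's ten-year placeholder next to an 825-day one.
demo() {
    dir=$(mktemp -d)
    gen_selfsigned 3650 "$dir/tenyear"
    gen_selfsigned 825 "$dir/cabf"
    for c in tenyear cabf; do
        printf '%s: self-signed=%s days_left=%s beyond_825=%s\n' "$c" \
            "$(is_self_signed "$dir/$c.crt" && echo yes || echo no)" \
            "$(remaining_days "$dir/$c.crt")" \
            "$(outlives_days "$dir/$c.crt" 825 && echo yes || echo no)"
    done
    rm -rf "$dir"
}
```

Calling demo reports both certs as self-signed, the ten-year one with about 3649 whole days left and beyond the 825-day line, the 825-day one just under it (the count is one less than the issued period because a little time has passed since notBefore). The checks work from remaining lifetime, so a certificate issued long ago reads shorter than its issued period. Whatever the validity, a self-signed result is the point Vernon makes: the client has nothing to anchor trust to, so the connection is only safe to use for installing a properly issued key and certificate.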

