Security Working Group meeting - this Wednesday February 19 - summary results

Patrick Williams patrick at
Sat Feb 22 07:26:50 AEDT 2020

On Fri, Feb 21, 2020 at 08:21:27PM +0000, Bruce Mitchell wrote:

Hi Bruce,

> I do not believe that the BMC's self-generated self-signed certificate should
> be beyond what web browsers will accept (or in the near future).  If the customer
> wants to install their own self-signed certificate (i.e. not from the BMC) then that
> is their issue and can do what they want on  their own self-signed certificate.

I think this is in reference to your original concern about the
certificate being 800+ days?  If so, I agree we should shorten if that is
more appropriate from a browser perspective.

My only concern is that it appears we're generating the certificate once
and if the bmcweb daemon stays up longer than that expiration time, we
end up serving out an expired certificate.  Unfortunately this isn't
something you can even observe until 30 days or so in the future.

[ I remember once having a ~40 day bug in a product because someone
  stored milliseconds in a 32 bit integer.  It can be a real pain to debug
  something that only happens when you don't touch it for a month. ]

Patrick Williams
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the openbmc mailing list