Bug 52741 - ssl/validity/host not taken into account
Status: RESOLVED INVALID
Product: UCS
Classification: Unclassified
Component: SSL
Version: UCS 4.4
Platform: Other Linux
Importance: P5 enhancement
Target Milestone: ---
Assigned To: UCS maintainers
QA Contact: UCS maintainers
: interim-2
Depends on: 27002
Blocks:
Reported: 2021-02-03 09:22 CET by Daniel Duchon
Modified: 2022-02-09 12:22 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021020121000406
Bug group (optional):
Max CVSS v3 score:
Description Daniel Duchon univentionstaff 2021-02-03 09:22:25 CET
+++ This bug was initially created as a clone of Bug #27002 +++

The variable ssl/validity/host is no longer taken into account when generating host certificates. Instead, the variable ssl/default/days is used.

Reason why this was noticed:

According to the decisions of Google (1), Apple (2) and Mozilla (3), the lifetime of server certificates created from 01 Sep 2020 on must not be longer than 398 days. Currently, this can still be partially deactivated in the browsers. However, it is to be expected that this will also be deactivated in the future. So that certificates generated from now on are considered valid, a distinction must be made between the lifetime of the PKI and that of the certificate.

1: https://chromium.googlesource.com/chromium/src/+/ae4d6809912f8171b23f6aa43c6a4e8e627de784
2: https://support.apple.com/en-us/HT211025
3: https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/
Comment 1 Timo Denissen univentionstaff 2022-02-09 12:10:42 CET
According to "ucr get info ssl/validity/host", this is an integer (days since 1970-01-01) stating until when the currently installed certificate on a host is valid, not the validity period of a newly created certificate.

This variable stores the validity length of the host certificate in days since the 1st of January 1970. This value is generated automatically and should not be modified.
Categories: system-ssl

The value should be updated shortly after the new certificate is installed on a server.
Comment 2 Florian Best univentionstaff 2022-02-09 12:22:20 CET
Timo is correct.
The UCR variable you are searching for is ssl/default/days (and maybe additionally ssl/crl/validity).
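The two notions of validity mixed up in this report (the expiry day stored in ssl/validity/host as days since 1970-01-01, versus the lifetime in days that ssl/default/days controls) can be checked with the following helper, added here as an example and not part of UCS or this ticket. It assumes the date format printed by `openssl x509 -noout -dates` and uses constructed sample values.

```python
"""Helpers for interpreting ssl/validity/host and checking certificate lifetimes."""
from datetime import datetime, timedelta, timezone

# Maximum server-certificate lifetime accepted by Chrome, Safari and Firefox
# for certificates issued on or after 1 September 2020 (see links 1-3 above).
MAX_LEAF_DAYS = 398
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Date format printed by "openssl x509 -noout -dates", e.g. "Feb  9 12:22:20 2022 GMT"
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"


def host_validity_to_date(days_since_epoch: int) -> datetime:
    """Interpret a ssl/validity/host value (days since 1970-01-01) as the expiry date."""
    return EPOCH + timedelta(days=int(days_since_epoch))


def days_left(days_since_epoch: int, now: datetime = None) -> int:
    """Whole days until the installed host certificate expires (negative once expired)."""
    now = now or datetime.now(timezone.utc)
    return (host_validity_to_date(days_since_epoch) - now).days


def parse_openssl_date(text: str) -> datetime:
    """Parse an openssl notBefore/notAfter string into an aware UTC datetime."""
    # openssl pads single-digit days with two spaces; collapse them before strptime.
    parsed = datetime.strptime(" ".join(text.split()), OPENSSL_DATE)
    return parsed.replace(tzinfo=timezone.utc)


def lifetime_days(not_before: str, not_after: str) -> int:
    """Lifetime of a certificate in days, as a browser would measure it."""
    return (parse_openssl_date(not_after) - parse_openssl_date(not_before)).days


def exceeds_browser_limit(not_before: str, not_after: str) -> bool:
    """True if a certificate with these dates is longer-lived than browsers accept."""
    return lifetime_days(not_before, not_after) > MAX_LEAF_DAYS


if __name__ == "__main__":
    # Constructed sample values: a host certificate expiring on 2022-02-09 (day 19032)
    # and a five-year certificate, which browsers reject under the 398-day rule.
    print(host_validity_to_date(19032).date())
    print(exceeds_browser_limit("Feb  9 12:22:20 2022 GMT", "Feb  9 12:22:20 2027 GMT"))
```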