From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 01/16] IPsec: Use sane defaults for certificate lifetimes
Date: Thu, 28 May 2020 17:58:35 +0000
Message-ID: <20200528175850.12638-2-michael.tremer@ipfire.org>
In-Reply-To: <20200528175850.12638-1-michael.tremer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============9137730900203096300=="
List-Id:

--===============9137730900203096300==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Signed-off-by: Michael Tremer
---
 html/cgi-bin/vpnmain.cgi | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index e0f2c7a5e..2d0f57f98 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1007,7 +1007,7 @@ END
 &General::log("ipsec", "Creating cacert...");
 if (open(STDIN, "-|")) {
 my $opt =3D " req -x509 -sha256 -nodes";
- $opt .=3D " -days 999999";
+ $opt .=3D " -days 3650";
 $opt .=3D " -newkey rsa:4096";
 $opt .=3D " -keyout ${General::swroot}/private/cakey.pem";
 $opt .=3D " -out ${General::swroot}/ca/cacert.pem";
@@ -1065,7 +1065,7 @@ END
 print $fh "subjectAltName=3D$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{= 'SUBJECTALTNAME'});
 close ($fh);
=20
- my $opt =3D " ca -md sha256 -days 999999";
+ my $opt =3D " ca -md sha256 -days 825";
 $opt .=3D " -batch -notext";
 $opt .=3D " -in ${General::swroot}/certs/hostreq.pem";
 $opt .=3D " -out ${General::swroot}/certs/hostcert.pem";
@@ -1552,7 +1552,7 @@ END
=20
 # Sign the certificate request
 &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}...");
- my $opt =3D " ca -md sha256 -days 999999";
+ my $opt =3D " ca -md sha256 -days 825";
 $opt .=3D " -batch -notext";
 $opt .=3D " -in $filename";
 $opt .=3D " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
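Review bot: The new `-days 3650` on the `req -x509` line is a bare literal with no comment saying where the value comes from, and the same holds for `-days 825` in the hunks at 1065, 1552 and 1825. I would define both once as named constants, or at least add a comment such as `# CA certificate: 10 years; host certificates: 825 days` at each site, so the four call sites cannot drift apart. Now that the CA expires, a host certificate signed during the CA's last 825 days would get a notAfter later than the CA's own, since as far as I know `openssl ca` does not clamp it. Nothing visible in this patch warns about or handles CA expiry, though a later patch in the series may. The enclosing block starts and ends outside the hunk.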
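Review bot: The context line `print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}"` in the hunk at 1065 writes a CGI parameter straight into a file, and the hunk at 1825 has the same line followed by `-extfile $v3extname`, so the value ends up in an OpenSSL extension file. Any validation of SUBJECTALTNAME happens outside these hunks and cannot be confirmed from here. If the value can contain a line break it could add further lines to that file, so the earlier check should reject CR/LF and anything that is not a well-formed `type:value` list. A short comment at the write, for example `# SUBJECTALTNAME is validated above; it must never contain a newline`, would make that dependency explicit.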
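Review bot: The option string in the hunk at 1552 interpolates `$filename` and `$cgiparams{'NAME'}` (`-in $filename`, `-out .../certs/$cgiparams{'NAME'}cert.pem`), and the hunk at 1825 builds its `-in` and `-out` paths from NAME the same way. How `$opt` is executed lies outside the hunk; if it reaches a shell as one string, both values must be restricted to a safe character set before this point, and NAME must not be able to contain a path separator. If that check exists earlier in the file, a one-line comment such as `# NAME and $filename are validated above` would make it reviewable here. Otherwise passing the arguments in list form to `system` or `open` avoids the shell altogether.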
@@ -1825,7 +1825,7 @@ END
 print $fh "subjectAltName=3D$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'= SUBJECTALTNAME'});
 close ($fh);
=20
- my $opt =3D " ca -md sha256 -days 999999 -batch -notext";
+ my $opt =3D " ca -md sha256 -days 825 -batch -notext";
 $opt .=3D " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
 $opt .=3D " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
 $opt .=3D " -extfile $v3extname";
--=20
2.20.1

--===============9137730900203096300==--