From 1c08874d01b2e83c39bba068a19ee6c4bc4b3731 Mon Sep 17 00:00:00 2001 From: Jeff Becker Date: Sat, 5 Nov 2022 10:35:15 -0400 Subject: [PATCH] make tls certs never expire according to RFC5280 we can make tls certs never expire by setting their notAfter date to a value that is basically the end of time. fixes #976 --- src/core/link_tls.go | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/src/core/link_tls.go b/src/core/link_tls.go index 4eeb8710..fbc6172e 100644 --- a/src/core/link_tls.go +++ b/src/core/link_tls.go @@ -120,20 +120,18 @@ func (l *linkTLS) listen(url *url.URL, sintf string) (*Listener, error) { return entry, nil } +// RFC5280 section 4.1.2.5 +var notAfterNeverExpires = time.Date(9999, time.December, 31, 23, 59, 59, 0, time.UTC) + func (l *linkTLS) generateConfig() (*tls.Config, error) { certBuf := &bytes.Buffer{} - - // TODO: because NotAfter is finite, we should add some mechanism to - // regenerate the certificate and restart the listeners periodically - // for nodes with very high uptimes. Perhaps regenerate certs and restart - // listeners every few months or so. cert := x509.Certificate{ SerialNumber: big.NewInt(1), Subject: pkix.Name{ CommonName: hex.EncodeToString(l.links.core.public[:]), }, NotBefore: time.Now(), - NotAfter: time.Now().Add(time.Hour * 24 * 365), + NotAfter: notAfterNeverExpires, KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true,