Make TLS certs never expire (#977)
RFC 5280 §4.1.2.5 reserves the `NotAfter` value 99991231235959Z (GeneralizedTime) to mean a certificate has no well-defined expiration, so setting `NotAfter` to that value makes the TLS certificate never expire. Fixes #976.
This commit is contained in:
parent
6112c9cf18
commit
6fed2a75d7
@ -120,20 +120,18 @@ func (l *linkTLS) listen(url *url.URL, sintf string) (*Listener, error) {
|
|||||||
return entry, nil
|
return entry, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// RFC5280 section 4.1.2.5
|
||||||
|
var notAfterNeverExpires = time.Date(9999, time.December, 31, 23, 59, 59, 0, time.UTC)
|
||||||
|
|
||||||
func (l *linkTLS) generateConfig() (*tls.Config, error) {
|
func (l *linkTLS) generateConfig() (*tls.Config, error) {
|
||||||
certBuf := &bytes.Buffer{}
|
certBuf := &bytes.Buffer{}
|
||||||
|
|
||||||
// TODO: because NotAfter is finite, we should add some mechanism to
|
|
||||||
// regenerate the certificate and restart the listeners periodically
|
|
||||||
// for nodes with very high uptimes. Perhaps regenerate certs and restart
|
|
||||||
// listeners every few months or so.
|
|
||||||
cert := x509.Certificate{
|
cert := x509.Certificate{
|
||||||
SerialNumber: big.NewInt(1),
|
SerialNumber: big.NewInt(1),
|
||||||
Subject: pkix.Name{
|
Subject: pkix.Name{
|
||||||
CommonName: hex.EncodeToString(l.links.core.public[:]),
|
CommonName: hex.EncodeToString(l.links.core.public[:]),
|
||||||
},
|
},
|
||||||
NotBefore: time.Now(),
|
NotBefore: time.Now(),
|
||||||
NotAfter: time.Now().Add(time.Hour * 24 * 365),
|
NotAfter: notAfterNeverExpires,
|
||||||
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
|
||||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
||||||
BasicConstraintsValid: true,
|
BasicConstraintsValid: true,
|
||||||
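Review bot: The one-line `// RFC5280 section 4.1.2.5` on the new `notAfterNeverExpires` should say what it relies on, since the explanatory TODO that used to sit above `cert` is removed along with it. RFC 5280 §4.1.2.5 reserves the GeneralizedTime value 99991231235959Z to mean "no well-defined expiration", and Go's x509 encoder writes dates from 2050 onward as GeneralizedTime, so `time.Date(9999, time.December, 31, 23, 59, 59, 0, time.UTC)` serializes to exactly that value; stating this keeps the next reader from "tidying" it to a nearby date that silently loses the reserved meaning. The comment should also record the security consequence: the certificate is self-signed with the node's public key as `CommonName`, so expiry never provided rotation or revocation and a peer's trust must come from checking that key during the handshake rather than from certificate validity (the hunk does not show where that check happens — confirm). With `NotAfter` unbounded, `NotBefore: time.Now()` is the only date a validating peer could still reject on, so if peers validate dates at all a small backdate such as `NotBefore: time.Now().Add(-time.Hour)` would tolerate clock skew, and a short comment on `NotBefore` would help either way.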
|