
Make TLS certs never expire (#977)

According to RFC 5280, TLS certs can be made to never expire by setting their `NotAfter` date to a value that is effectively the end of time.

Fixes #976.
This commit is contained in:
majestrate 2022-11-08 17:11:22 -05:00 committed by GitHub
parent 6112c9cf18
commit 6fed2a75d7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -120,20 +120,18 @@ func (l *linkTLS) listen(url *url.URL, sintf string) (*Listener, error) {
return entry, nil return entry, nil
} }
// RFC5280 section 4.1.2.5
var notAfterNeverExpires = time.Date(9999, time.December, 31, 23, 59, 59, 0, time.UTC)
func (l *linkTLS) generateConfig() (*tls.Config, error) { func (l *linkTLS) generateConfig() (*tls.Config, error) {
certBuf := &bytes.Buffer{} certBuf := &bytes.Buffer{}
// TODO: because NotAfter is finite, we should add some mechanism to
// regenerate the certificate and restart the listeners periodically
// for nodes with very high uptimes. Perhaps regenerate certs and restart
// listeners every few months or so.
cert := x509.Certificate{ cert := x509.Certificate{
SerialNumber: big.NewInt(1), SerialNumber: big.NewInt(1),
Subject: pkix.Name{ Subject: pkix.Name{
CommonName: hex.EncodeToString(l.links.core.public[:]), CommonName: hex.EncodeToString(l.links.core.public[:]),
}, },
NotBefore: time.Now(), NotBefore: time.Now(),
NotAfter: time.Now().Add(time.Hour * 24 * 365), NotAfter: notAfterNeverExpires,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true, BasicConstraintsValid: true,