SSL self-signed certificate problem on MacOS Catalina

Open sekrett opened this issue 5 years ago • 6 comments

There is a nice explanation here: https://superuser.com/questions/1492207/neterr-cert-revoked-in-chrome-chromium-introduced-with-macos-catalina

Obviously Falcon is generating a self-signed certificate valid for 10 years, which is much more than 825 days. Maybe something else is wrong and should be fixed.

sekrett avatar Jan 12 '20 21:01 sekrett

Can you give me more details of the error you are seeing?

ioquatix avatar Jan 13 '20 23:01 ioquatix

Your connection is not private Attackers might be trying to steal your information from localhost (for example, passwords, messages or credit cards). Learn more NET::ERR_CERT_REVOKED

Usually I can press "Advanced" and there is a proceed link, but here there is none, so I cannot bypass this error screen.

sekrett avatar Jan 14 '20 07:01 sekrett

I will take a look.

ioquatix avatar Jan 14 '20 09:01 ioquatix

The Subject also looks wrong: subject=O = Development/CN=localhost, e.g. Chrome shows Subject as "Development/CN=localhost" and the details show "Company: Development/CN=localhost" and it refuses to connect with NET::ERR_CERT_INVALID, so it's probably a problem with how the certificate is generated.

felixbuenemann avatar May 09 '20 16:05 felixbuenemann

Here is where the certificate is named:

https://github.com/socketry/localhost/blob/275eafb6f0817aa98067215c1f4a0ba7add967ff/lib/localhost/authority.rb#L70-L72

Here is where it is generated:

https://github.com/socketry/localhost/blob/275eafb6f0817aa98067215c1f4a0ba7add967ff/lib/localhost/authority.rb#L78-L106

Maybe something is wrong with the subject line:

https://github.com/socketry/localhost/blob/275eafb6f0817aa98067215c1f4a0ba7add967ff/lib/localhost/authority.rb#L80

What should we set it to?

ioquatix avatar May 09 '20 23:05 ioquatix

Here is the validity period:

https://github.com/socketry/localhost/blob/275eafb6f0817aa98067215c1f4a0ba7add967ff/lib/localhost/authority.rb#L90

What is the maximum validity period that we can use?

We should implement some filesystem check, or loading the existing certificate and checking if it's expired before using it.

ioquatix avatar May 09 '20 23:05 ioquatix

The maximum validity period is 398 days -- https://support.apple.com/en-us/102028

  • Validity period is defined in line with RFC 5280, Section 4.1.2.5, as "the period of time from notBefore through notAfter, inclusive."
  • 398 days is measured with a day being equal to 86,400 seconds. Any time greater than this indicates an additional day of validity.
  • We recommend that certificates be issued with a maximum validity of 397 days.
  • This change will not affect certificates issued from user-added or administrator-added Root CAs.

uberjay avatar Sep 14 '23 19:09 uberjay
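
The check suggested earlier in the thread (load the existing certificate and test it before use), combined with the day-counting rules quoted above, as an added example that is not part of the thread or of the localhost gem. `validity_days`, `usable?`, `build_certificate` and `DEMO_KEY` are hypothetical names, and the certificates are constructed in memory for the demonstration.

```ruby
require "openssl"

SECONDS_PER_DAY = 86_400
MAX_VALIDITY_DAYS = 398 # limit quoted in the thread; pass max_days: to change it

# Days of validity, counting notBefore through notAfter inclusive
# (RFC 5280, 4.1.2.5); any partial day counts as an additional day.
def validity_days(certificate)
  seconds = (certificate.not_after - certificate.not_before).to_i + 1
  (seconds + SECONDS_PER_DAY - 1) / SECONDS_PER_DAY
end

# True only if the certificate is currently valid and within the limit.
def usable?(certificate, now: Time.now, max_days: MAX_VALIDITY_DAYS)
  return false if now < certificate.not_before || now > certificate.not_after
  validity_days(certificate) <= max_days
end

# Constructed self-signed certificate, for demonstration only.
DEMO_KEY = OpenSSL::PKey::RSA.new(2048)

def build_certificate(not_before, not_after)
  name = OpenSSL::X509::Name.new([["O", "Development"], ["CN", "localhost"]])
  certificate = OpenSSL::X509::Certificate.new
  certificate.version = 2
  certificate.serial = 1
  certificate.subject = name
  certificate.issuer = name
  certificate.public_key = DEMO_KEY.public_key
  certificate.not_before = not_before
  certificate.not_after = not_after
  certificate.sign(DEMO_KEY, OpenSSL::Digest.new("SHA256"))
  certificate
end

start = Time.at(Time.now.to_i - 60) # whole seconds, slightly in the past
{
  "397 days, inclusive end" => start + 397 * SECONDS_PER_DAY - 1,
  "notBefore + 398 days"    => start + 398 * SECONDS_PER_DAY,
  "notBefore + 10 years"    => start + 3650 * SECONDS_PER_DAY,
}.each do |label, not_after|
  certificate = build_certificate(start, not_after)
  puts "#{label}: #{validity_days(certificate)} days, usable=#{usable?(certificate)}"
end
```

Because the end point is inclusive, a certificate whose notAfter is exactly notBefore plus 398 days counts as 399 days and fails the check.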

I believe we can address this issue in the localhost gem: https://github.com/socketry/localhost/pull/26

ioquatix avatar Feb 01 '24 10:02 ioquatix

I released the localhost gem v1.2.0 which has a validity period of 1 year. This is within the published limits.

If there are further issues, please consider opening a PR on the localhost gem repository.

ioquatix avatar Feb 01 '24 11:02 ioquatix