From 47b792bae10ced48185063ccb558cadbff80c1e5 Mon Sep 17 00:00:00 2001
From: Maximilian Hils
Date: Tue, 25 May 2021 23:39:17 +0200
Subject: [PATCH] make the CA cert live longer (#4611)

We need to restrict `CERT_EXPIRY` because modern browsers only accept a ~ <= 1year period for certs, but re-reading all prior commits and issues as well as the CA/Browser Forum Baseline Requirements on the topic, it looks like we don't actually need to restrict our CA lifetime by that much. Let's try out a longer validity and see if anyone complains.
---
 mitmproxy/certs.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mitmproxy/certs.py b/mitmproxy/certs.py
index 69f12ffef..e6f3fee1b 100644
--- a/mitmproxy/certs.py
+++ b/mitmproxy/certs.py
@@ -17,7 +17,7 @@ import OpenSSL
 from mitmproxy.coretypes import serializable
 # Default expiry must not be too long: https://github.com/mitmproxy/mitmproxy/issues/815
-CA_EXPIRY = datetime.timedelta(days=3 * 365)
+CA_EXPIRY = datetime.timedelta(days=10 * 365)
 CERT_EXPIRY = datetime.timedelta(days=365)
 # Generated with "openssl dhparam". It's too slow to generate this on startup.
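Review bot: The comment kept directly above `CA_EXPIRY` still says "Default expiry must not be too long", which now contradicts the ten-year value on the line below it. Going by the commit message, the limit that matters is the leaf lifetime in `CERT_EXPIRY`, so I would reword the comment and move it next to that constant, for example `# Leaf certs must stay short-lived (browsers reject long validity periods); the CA itself may live longer.` with the existing issue link kept. A root that stays valid for a decade also lengthens the window in which a leaked CA private key remains trusted on machines that installed it. A short note in the comment or user docs on protecting and regenerating the CA key would help operators. Whether CAs already on disk are affected cannot be seen from this hunk; presumably only newly generated ones get the new lifetime.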