Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Changing minimum certificate rotation period and backdating to 1h #1243

Merged
merged 1 commit into from
Aug 1, 2016

Conversation

diogomonica
Copy link
Contributor

@aaronlehmann

Fixes #1175

Signed-off-by: Diogo Monica diogo.monica@gmail.com

@codecov-io
Copy link

codecov-io commented Jul 26, 2016

Current coverage is 54.85% (diff: 100%)

Merging #1243 into master will decrease coverage by <.01%

@@             master      #1243   diff @@
==========================================
  Files            78         77     -1   
  Lines         12402      12373    -29   
  Methods           0          0          
  Messages          0          0          
  Branches          0          0          
==========================================
- Hits           6803       6787    -16   
+ Misses         4665       4652    -13   
  Partials        934        934          

Sunburst

Powered by Codecov. Last update e65562c...6486e7f

Usage: []string{"signing", "key encipherment", "server auth", "client auth"},
Expiry: certExpiry,
NotBefore: notBefore,
NotAfter: notAfter,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably a dumb TLS question, but is it correct to specify both NotBefore / NotAfter and also Expiry? Does cfssl use both of them?

Copy link
Contributor Author

@diogomonica diogomonica Jul 26, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CFSSL is silly and doesn't seem to allow me to not specify Expiry. Tells me this is an invalid profile. Didn't dig super far into it though, I might be missing something obvious.

In TLS there is not concept of Expiry, the only two things that matter are notBefore and notAfter.

This is the code that fills in the notBefore and notAfter: https://github.com/cloudflare/cfssl/blob/f8a8adaa9d48141125b78c23553a174845661522/signer/signer.go#L280

@@ -124,10 +124,15 @@ func SigningPolicy(certExpiry time.Duration) *cfconfig.Signing {
certExpiry = DefaultNodeCertExpiration
}

notBefore := time.Now().Round(time.Minute).Add(CertDefaultBackdate).UTC()
notAfter := time.Now().Round(time.Minute).Add(certExpiry).UTC()
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably a good idea to only call time.Now() once to ensure consistency between these timestamps, in case something crazy happens to the clock between the two calls.

It will probably never issue in practice, but I'd rather have one less corner case to think about.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

Signed-off-by: Diogo Monica <diogo.monica@gmail.com>
@aaronlehmann
Copy link
Collaborator

LGTM

But I'm not sure we can merge this in between the last -rc and the 1.12 GA :(

ping @aluzzardi @tiborvass for opinions

@aluzzardi aluzzardi added this to the 1.12.1 milestone Jul 27, 2016
@aluzzardi
Copy link
Member

Tagged as 1.12.1. We'll push it at the next release

@aaronlehmann aaronlehmann merged commit 3121444 into moby:master Aug 1, 2016
@diogomonica diogomonica deleted the change-backdate branch October 28, 2016 01:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants