As discussed over here: AdguardTeam/AdGuardHome#6131
Please lower the default days as the key validity period for this server is excessively long (365 days).
Of course, it can be adjusted manually afterwards.
It seems to me a good idea to significantly reduce the default number of days.
Thanks.
This default was chosen because the current implementation does not have a certificate rotation mechanism; the cert is only changed when you restart the server. This in turn will cause some trouble for the DNS client, as there's no clear signal for when the client needs to fetch the new certificate; basically, now it does that on every timeout error.
All in all, the task is much more complex than just changing a single constant.
As for the original claim that it reduces forward secrecy, I'd argue that the threat is a bit exaggerated.
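The comment above describes the missing piece: a self-signed certificate that is generated once at start-up and never replaced while the process runs. The following Go program is an added example, not code from dnsproxy or AdGuard Home, showing what a minimal in-process rotation looks like: a `tls.Config.GetCertificate` callback that regenerates the self-signed certificate once its remaining validity drops below a renewal window, so a long-running server stops serving a stale key. The subject name `dns.example.invalid`, the `rotatingCert` type, the `renewBefore` parameter and the injectable clock are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// selfSigned generates a fresh P-256 key and a self-signed leaf certificate
// valid for `validity` starting at `now`. The subject name is hypothetical.
func selfSigned(now time.Time, validity time.Duration) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	// Random 128-bit serial so every regenerated cert is distinguishable.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "dns.example.invalid"}, // assumed name
		DNSNames:     []string{"dns.example.invalid"},
		NotBefore:    now.Add(-time.Minute), // small skew allowance
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// rotatingCert hands out the current certificate and regenerates it (new key
// and new serial) once less than renewBefore of its validity remains.
// The clock is injectable so the rotation logic can be exercised offline.
type rotatingCert struct {
	mu          sync.Mutex
	validity    time.Duration
	renewBefore time.Duration
	now         func() time.Time
	cur         tls.Certificate
	rotations   int
}

func newRotatingCert(validity, renewBefore time.Duration, now func() time.Time) (*rotatingCert, error) {
	c, err := selfSigned(now(), validity)
	if err != nil {
		return nil, err
	}
	return &rotatingCert{validity: validity, renewBefore: renewBefore, now: now, cur: c}, nil
}

// get returns a copy of the current certificate, rotating first if needed.
func (r *rotatingCert) get() (*tls.Certificate, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	renewAt := r.cur.Leaf.NotAfter.Add(-r.renewBefore)
	if !r.now().Before(renewAt) {
		c, err := selfSigned(r.now(), r.validity)
		if err != nil {
			return nil, err
		}
		r.cur = c
		r.rotations++
	}
	c := r.cur
	return &c, nil
}

// tlsConfig wires the rotator into a tls.Config: every new handshake asks
// GetCertificate, so the fresh cert is served without restarting the server.
func (r *rotatingCert) tlsConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
			return r.get()
		},
	}
}

func main() {
	clock := time.Now()
	r, err := newRotatingCert(30*24*time.Hour, 24*time.Hour, func() time.Time { return clock })
	if err != nil {
		panic(err)
	}
	first, _ := r.get()
	clock = clock.Add(29*24*time.Hour + time.Hour) // inside the renewal window
	second, _ := r.get()
	fmt.Println("serial changed:", first.Leaf.SerialNumber.Cmp(second.Leaf.SerialNumber) != 0,
		"rotations:", r.rotations, "config has GetCertificate:", r.tlsConfig().GetCertificate != nil)
}
```

In production `now` would simply be `time.Now`. Note that this only addresses the server side of what the comment describes: a client that has pinned or cached the old certificate still needs some signal to refetch, which is the separate problem the maintainer points out.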
> This default was chosen because the current implementation does not have a certificate rotation mechanism, the cert is only changed when you restart the server.
So, in other words, those 365 days are actually a placebo: if the server runs for, say, 400 days, the certificate will not have been replaced, because it is only replaced on a server restart. Is that correct?