Maurus Cuelenaere 5806c80e6a fix(websecure): cap serial numbers at 128 bits for Apple TLS clients (#1453)
The 4096-bit limit produced ~500-byte serials that violate RFC 5280
§4.1.2.2's 20-octet cap. Apple's DER parser enforces this strictly,
so URLSession, NWConnection, AVFoundation and every other client on
macOS/iOS/tvOS rejected the cert with "Unknown format in import"
before any trust evaluation ran.

Lower the limit to 128 bits (matching Go stdlib's generate_cert.go
example) and add a one-shot migration that drops any already-baked
oversized CA, plus the leaves it issued, on startup so existing
devices recover without manual SSH cleanup.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-12 09:44:16 +02:00
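The serial cap and the startup migration rule described in the commit message, as an added Go example that is not the project's own code. `storedCert`, `toDrop`, `allOnes` and `derLen` are hypothetical names, and the sample store is constructed.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// newSerial draws a random serial below 2^128, the limit the commit adopts.
func newSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// allOnes returns 2^bits - 1: a constructed worst-case serial of that width.
func allOnes(bits uint) *big.Int {
	return new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), bits), big.NewInt(1))
}

// derLen is the content length of a non-negative DER INTEGER; the +1 covers
// the sign bit, which forces a leading 0x00 when BitLen is a multiple of 8.
func derLen(s *big.Int) int { return s.BitLen()/8 + 1 }

// storedCert is a hypothetical on-disk record; Issuer == Name marks a root CA.
type storedCert struct {
	Name, Issuer string
	Serial       *big.Int
}

// toDrop lists each CA whose serial exceeds RFC 5280's 20 octets, plus every
// certificate that CA issued, even when the leaf's own serial is short.
func toDrop(store []storedCert) (out []string) {
	bad := map[string]bool{}
	for _, c := range store {
		if c.Issuer == c.Name && derLen(c.Serial) > 20 {
			bad[c.Name] = true
		}
	}
	for _, c := range store {
		if bad[c.Issuer] {
			out = append(out, c.Name)
		}
	}
	return out
}

func main() {
	// Constructed sample: a legacy 4096-bit CA and one leaf it issued.
	store := []storedCert{{"old-ca", "old-ca", allOnes(4096)}, {"leaf", "old-ca", allOnes(128)}}
	fmt.Println(derLen(allOnes(4096)), toDrop(store))
}
```

A full 128-bit serial encodes to 17 octets and a full 4096-bit one to 513, which is why only the latter trips the 20-octet check.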