Re: Key pinning / Nginx reverse proxy

Francis Daly
February 21, 2016 04:52AM
On Sun, Feb 21, 2016 at 11:23:02AM +0200, Thierry wrote:

Hi there,

> After I have executed the curl command, it seems that I have an answer
> from my Apache2 back end server (apache2.conf)
> Yes I do see the "Public-Key-Pins:" line... And yes I do have the
> content that I expect.

That's good.

How do you know what content to expect?

> Public-Key-Pins: pin-sha256="DZNsRcNIolhfdouihfazormhrfozef=";pin-sha256="633ltusrlsqhoagfdgfo79xMD9r9Q="; max-age=2592000; includeSubDomains

What is the actual sha256 of the certificate that the browser receives? Is
it one of the two above?

The details are in RFC7469.

https://tools.ietf.org/html/rfc7469#appendix-A gives an example of how
you might find it.

> But, is it really the output of Apache2? There is a syntax difference
> between Nginx and Apache2:

Should it be the output of Apache2?

Your browser is speaking https to nginx. It should only see the pinning
information from nginx. The browser never sees the Apache certificate,
and so should not see anything related to it.

> Nginx: pin-sha256="DZNsRcNIoiVdK8Img794j8/XGf4+6sDLFjADPWWOddw=";
> Apache2: pin-sha256=\"DZNsRcNIoirupeqrhfjpzehfrhfaefhpazf=\";

I suspect that only one of those is valid in the response header.

https://tools.ietf.org/html/rfc7469#section-2.1.5 suggests that the
backslashes are unnecessary.

(Note that neither of those sha256 values match the ones in the response
header. What is actually written in your nginx.conf, and what is the
actual response you get from curl? If they are different, you have more
investigating to do.)

> When the curl command returns me the result, I can see that there is
> no "\" ... Is it normal?

I think "yes".

> If yes, why doesn't "ssllabs.com/ssltest" see anything concerning
> the HPKP?

Is there any documentation on the ssllabs.com site about what they
are testing?

Can you see, does "HPKP: No" distinguish between:

* no Public-Key-Pins header returned
* Public-Key-Pins header found, but with invalid formatting
* valid Public-Key-Pins header found, but without the sha256 of the
current certificate

Good luck with it,

f
--
Francis Daly francis@daoine.org

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
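The checks Francis asks for (is the served key's pin actually in the header, are the pin values well-formed, are there backslashes left over from the config) can be scripted. The following is an added example, not code from the thread; it assumes you already have the DER-encoded SubjectPublicKeyInfo of the certificate nginx serves (what `openssl x509 -pubkey -noout | openssl pkey -pubin -outform der` produces, the RFC 7469 appendix A method) and the raw `Public-Key-Pins` header value from curl.

```python
import base64
import hashlib
import re

# pin-sha256 directive as RFC 7469 section 2.1 defines it: a quoted, unescaped base64 string.
PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/]+={0,2})"', re.IGNORECASE)


def pin_sha256(spki_der: bytes) -> str:
    """Pin value for a key: base64(SHA-256(DER SubjectPublicKeyInfo)), RFC 7469 appendix A."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def check_hpkp(header: str, served_pin: str) -> dict:
    """Parse a Public-Key-Pins header value and list reasons a scanner could report 'HPKP: No'."""
    pins, problems, max_age = [], [], None
    for directive in (d.strip() for d in header.split(";")):
        if not directive:
            continue
        if "\\" in directive:
            # Backslash-escaped quotes belong in a config file, not in the header on the wire.
            problems.append(f"backslash in directive: {directive}")
            continue
        m = PIN_RE.fullmatch(directive)
        if m:
            try:
                digest = base64.b64decode(m.group(1), validate=True)
            except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
                digest = b""
            if len(digest) != 32:
                problems.append(f"pin is not a base64 SHA-256 digest: {m.group(1)}")
            else:
                pins.append(m.group(1))
        elif directive.lower().startswith("max-age="):
            try:
                max_age = int(directive.split("=", 1)[1])
            except ValueError:
                problems.append(f"max-age is not an integer: {directive}")
        elif directive.lower() != "includesubdomains" and not directive.lower().startswith("report-uri="):
            problems.append(f"unknown directive: {directive}")
    if max_age is None:
        problems.append("max-age directive missing")
    if len(pins) < 2:
        problems.append("fewer than two valid pins (RFC 7469 requires a backup pin)")
    if served_pin not in pins:
        problems.append("pin of the served certificate's key is not in the header")
    return {"pins": pins, "max_age": max_age, "problems": problems}
```

An empty `problems` list means the header is well-formed and covers the served key; anything else is a concrete reason for the "HPKP: No" verdict to chase down in nginx.conf.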