Public Key Pinning not working

Hello, I am trying to implement Public-Key-Pinning on my apache server running as a proxy for another web-app, but it won't work (if I enter a wrong hash the page is still displayed instead of an error, which should be shown in Firefox or Chrome). I am sure the header is correct – the hash is correct, I have tested it with Chrome.

My config data is:

<VirtualHost *:443>
    ServerName subdomain.*******.***:443
    SSLCertificateFile /etc/apache2/ssl/___.crt
    SSLCertificateKeyFile /etc/apache2/ssl/___.key
    SSLCertificateChainFile /etc/apache2/ssl/___.ca
    Header always set Public-Key-Pins "pin-sha256=\"****\"; pin-sha256=\"****\"; max-age=120; includeSubDomains"

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass / ****:****/
    ProxyPassReverse / ****:****/
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>

At first I only had one hash, but I added a second one just in case this would be required. What am I doing wrong?

Note: Of course I have mod_header enabled and loaded.

Two hashes are required and they must be two independent hashes. I.e. you cannot pin the cert and the intermediate cert that issued it, as they are not independent. This is a safety feature to ensure you have a backup in case you need it.

Additionally, a policy will only be accepted if it passes, so you cannot put in a fake policy and watch it fail, because it will never be accepted.

A good tool to check your policy is this one: https://report-uri.io/home/pkp_analyse . There are also other tools on the same site to actually generate your policy: https://report-uri.io/home/pkp_hash

However, you need to be VERY careful with HPKP. It's very easy to block your website and, hope you don't take this the wrong way, it doesn't sound like you fully understand HPKP, so I would suggest you read about it some more first.

There is a Public-Key-Pins-Report-Only header (which is only available in Chrome at present), which allows you to test a policy for a bit (well, in Chrome at least), but for that you also need to use the report-uri option (you can also use the above site to collect your reports if you don't want to write your own service for this).

I've an active interest in this and, if people don't mind me linking here, I've blogged about it in much more detail here: https://www.tunetheweb.com/security/http-security-headers/hpkp/ . I think it's potentially a very dangerous option that needs careful consideration before implementing.

It in fact worked... my mistake was the way I tested it.

So here's the most important thing I missed:

  1. You need at least one backup pin.
  2. If you test it, don't change the hash in the header, but either the SSL certificate or (better) try changing the hash saved locally. Or, thanks to BazzaDP for pointing it out, try using https://report-uri.io/home/pkp_analyse .

Please read BazzaDP's answer if you are new to HPKP and want to get started with it. Mozilla also has some good documentation.
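The acceptance rules both answers describe (two pins, at least one matching the served chain and at least one independent backup, a max-age directive, and a wrong hash being silently ignored rather than producing an error) can be checked offline. The following Python is an added example, not code from the question, the answers or any browser; the chain SPKI digests are constructed stand-ins, and `validate_pkp` is a hypothetical helper that mirrors the RFC 7469 checks a browser runs before noting a pinned host.

```python
import base64
import hashlib

# Constructed stand-ins for the SPKI SHA-256 digests a browser computes from
# the served chain; real pins are base64(SHA-256(DER SubjectPublicKeyInfo)).
def spki_pin(spki_der: bytes) -> str:
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

LEAF = spki_pin(b"constructed leaf SPKI")
INTERMEDIATE = spki_pin(b"constructed intermediate SPKI")
BACKUP = spki_pin(b"constructed offline backup SPKI")  # key NOT in the chain
SERVED_CHAIN = {LEAF, INTERMEDIATE}

def parse_pkp(header: str) -> dict:
    """Split a Public-Key-Pins value into its pin list and other directives."""
    policy = {"pins": []}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(value)
        elif name:
            policy[name] = value  # e.g. max-age, includesubdomains, report-uri
    return policy

def validate_pkp(header: str, chain_spki_pins: set) -> tuple:
    """Return (accepted, reason) the way a browser would decide whether to
    note the host as pinned. A rejected header is ignored, so the page
    still loads; that is why a deliberately wrong hash shows no error."""
    policy = parse_pkp(header)
    pins = policy["pins"]
    for pin in pins:
        try:
            digest = base64.b64decode(pin, validate=True)
        except ValueError:
            return False, "pin is not valid base64: %r" % pin
        if len(digest) != 32:
            return False, "pin is not a SHA-256 digest: %r" % pin
    if not policy.get("max-age", "").isdigit():
        return False, "max-age directive missing or not a number"
    if len(pins) < 2:
        return False, "fewer than two pins"
    if not any(p in chain_spki_pins for p in pins):
        return False, "no pin matches the served chain; header ignored"
    if all(p in chain_spki_pins for p in pins):
        return False, "every pin is on the chain; no independent backup pin"
    return True, "pinning noted for %s seconds" % policy["max-age"]
```

Pinning the leaf and the intermediate that issued it is rejected by the last check, which is the independence point made in the first answer.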
