如何正确设置 HPKP 标头(Public-Key-Pinning Header)?
[英]How to properly set HPKP header (Public-Key-Pinning Header)?
问题描述
I am absolutely confused about the header Public-Key-Pinning.
我对标题 Public-Key-Pinning 感到非常困惑。 How do you add it in Apache?你如何在Apache中添加它?
What I did:我做了什么:
Took the public key hash from my domain cert, intermediate cert and the root certs separately and added this to apache, mod_headers is enabled.分别从我的域证书、中间证书和根证书中获取公钥哈希并将其添加到 apache,启用 mod_headers。 But ssllabs says "No Chain. Check Backup Pins"但是 ssllabs 说“没有链。检查备份引脚”
Header always set Public-Key-Pins "pin-sha256=\"Root-SSL-Public-Key\"; pin-sha256=\"Intermediate-SSL-Public-Key\"; pin-sha256=\"Domain-SSL-Public-Key\"; max-age=2592000; includeSubDomains"
1 个解决方案
解决方案1
2 已采纳 2020-02-18 14:28:12
HPKP is a bad idea. HPKP 是个坏主意。 It's way too easy to brick your site using it and the protection it provides is fairly small given that.使用它来破坏您的网站太容易了,而且鉴于此,它提供的保护相当小。
Almost all browsers have dropped support for HPKP because of this.几乎所有浏览器都因此放弃了对 HPKP 的支持。
One of the things the spec includes to mitigate breaking your site is you must have at least one pin that is NOT in your current cert and chain .的事情之一,该规范包括减轻破坏你的网站,你必须至少有一个引脚,是不是在你当前的证书和链。 That is you must have two completely independent pins - one from a backup key/cert/CA so if you lose control of your primary one you can still connect.也就是说,您必须有两个完全独立的引脚 - 一个来自备份密钥/证书/CA,因此如果您失去对主要引脚的控制,您仍然可以连接。 If you have only pinned your cert, intermediate and root then they are all from the same chain and so do not meet this requirement.如果您只固定了您的证书、中间证书和根证书,那么它们都来自同一链,因此不符合此要求。
Fix that and it should be accepted by SSLLabs.解决这个问题,它应该被 SSLLabs 接受。 But honestly why bother given browser support and the risk versus reward profile?但老实说,为什么要考虑浏览器支持和风险与回报的关系呢?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.