SSL Pinning (HPKP)

Warning - this is DEPRECATED by Google… Apparently they got the power to decide what’s good or bad. Just like against DANE.

Backup CSRs for rollover

Of course with curves and PFS! What did you expect?

openssl ecparam -genkey -name prime256v1 > prime256v1.bkp.key
openssl ecparam -genkey -name prime256v1 > prime256v1.bkp2.key
chmod 400 prime256v1.*

openssl req -new -sha256 -key prime256v1.bkp.key -out xc.nethence.com.bkp.csr -config /usr/local/ssl/openssl.cnf
openssl req -new -sha256 -key prime256v1.bkp2.key -out xc.nethence.com.bkp2.csr -config /usr/local/ssl/openssl.cnf

cat xc.nethence.com.bkp.csr
cat xc.nethence.com.bkp2.csr

Get the Pins / Fingerprints

cd ~/certs/
openssl req -pubkey < xc.nethence.com.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
openssl req -pubkey < xc.nethence.com.bkp.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
openssl req -pubkey < xc.nethence.com.bkp2.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64

Alternative ways to do the same. First, using the private key:

#openssl ec -in prime256v1.key -pubout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl base64

Second, using the certificate (but we only have one, for the live key; the backup keys have no certificate yet):

#openssl x509 -pubkey < prime256v1.crt | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64

Finally, add the pins to the HTTPS response headers, e.g. with NGINX (the order of the pins doesn't matter here; max-age is in seconds, so 2592000 is 30 days):

add_header Public-Key-Pins 'pin-sha256="9f2ya5rnfw7muDylUWHrUUHIuZtKx3c8vSYlzwzs41Y="; pin-sha256="BaTCK1hT3Rn1FRSzKVXUb3Np8SGitNE+TC6Xvyvt8do="; pin-sha256="+PwVSmsGzejnEY5D2LlxWrNQMjVNs7im9fv8fu3x7/A="; max-age=2592000; includeSubDomains';
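As an added example (not part of the original page, and not the nethence tooling), here is a small Python self-check that does what the openssl pipelines above do and then validates the header before it goes live: pin-sha256 is base64(SHA-256(DER SubjectPublicKeyInfo)), and RFC 7469 only lets a browser note the pins when at least one pin matches the served chain, at least one backup pin does not, and max-age is present. Getting this wrong on a real host locks clients out for max-age seconds, so checking the value offline first is cheap insurance. The P-256 SPKI structures are constructed by hand with made-up points (only the hash matters for a pin); the header value is the one from this page.

```python
import base64
import hashlib
import re

# Constructed: the two OIDs found in a P-256 SubjectPublicKeyInfo, pre-encoded
# as DER OBJECT IDENTIFIER TLVs.
EC_PUBLIC_KEY_OID = bytes.fromhex("06072a8648ce3d0201")   # 1.2.840.10045.2.1 (id-ecPublicKey)
PRIME256V1_OID = bytes.fromhex("06082a8648ce3d030107")    # 1.2.840.10045.3.1.7 (prime256v1)

# The Public-Key-Pins value from this page, used for the self-check below.
PAGE_HEADER_VALUE = (
    'pin-sha256="9f2ya5rnfw7muDylUWHrUUHIuZtKx3c8vSYlzwzs41Y="; '
    'pin-sha256="BaTCK1hT3Rn1FRSzKVXUb3Np8SGitNE+TC6Xvyvt8do="; '
    'pin-sha256="+PwVSmsGzejnEY5D2LlxWrNQMjVNs7im9fv8fu3x7/A="; '
    'max-age=2592000; includeSubDomains'
)

PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def constructed_p256_spki(point: bytes) -> bytes:
    """Build a P-256 SubjectPublicKeyInfo around an (uncompressed, made-up) point.
    This is what 'openssl pkey -pubin -outform der' emits for a real key."""
    alg = der_tlv(0x30, EC_PUBLIC_KEY_OID + PRIME256V1_OID)   # AlgorithmIdentifier
    bit_string = der_tlv(0x03, b"\x00" + point)               # BIT STRING, 0 unused bits
    return der_tlv(0x30, alg + bit_string)


def pin_sha256(spki_der: bytes) -> str:
    """HPKP pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def hpkp_value(pins, max_age=2592000, include_subdomains=True) -> str:
    """Build the header value; for NGINX wrap it as add_header Public-Key-Pins '...';"""
    parts = [f'pin-sha256="{p}"' for p in pins] + [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_hpkp(header_value: str) -> dict:
    """Split a Public-Key-Pins value into its pins and its other directives."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part or part.startswith("pin-sha256"):
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip()
    return {"pins": PIN_RE.findall(header_value), "directives": directives}


def check_hpkp(header_value: str, served_spki_ders) -> list:
    """Return the problems a browser would trip over (empty list = safe to deploy):
    every pin must be a 32-byte digest, max-age must be present, at least one pin
    must match a SPKI in the served chain and at least one backup pin must not."""
    parsed = parse_hpkp(header_value)
    problems = []
    for p in parsed["pins"]:
        try:
            raw = base64.b64decode(p, validate=True)
        except ValueError:
            raw = b""
        if len(raw) != 32:
            problems.append(f"pin {p!r} is not a base64 SHA-256 digest")
    if "max-age" not in parsed["directives"]:
        problems.append("max-age directive missing")
    served = {pin_sha256(d) for d in served_spki_ders}
    if not any(p in served for p in parsed["pins"]):
        problems.append("no pin matches the served certificate chain (header would be ignored)")
    if not any(p not in served for p in parsed["pins"]):
        problems.append("no backup pin (a key rollover would lock clients out for max-age)")
    return problems


if __name__ == "__main__":
    # Constructed keys: one 'live' SPKI that the server presents, one backup.
    live = constructed_p256_spki(b"\x04" + bytes(range(64)))
    backup = constructed_p256_spki(b"\x04" + bytes(range(64, 128)))
    print(hpkp_value([pin_sha256(live), pin_sha256(backup)]))
    print("problems:", check_hpkp(hpkp_value([pin_sha256(live)]), [live]))
```

Feed check_hpkp the SPKI DER of the certificate actually served (the 'openssl x509 -pubkey ... -outform der' output, minus the final hash step) together with the header value you are about to configure; an empty list means the pin set will be accepted and survives a rollover to the backup key.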

Resources

HTTP Public Key Pinning https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

HPKP is deprecated. What now? https://ordina-jworks.github.io/security/2018/02/12/HPKP-deprecated-what-now.html

HPKP: HTTP Public Key Pinning https://scotthelme.co.uk/hpkp-http-public-key-pinning/

HTTP Public Key Pinning Extension HPKP for Apache, NGINX and Lighttpd https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html

What is “Static Public Key Pinning”? https://discussions.qualys.com/thread/17152-what-is-static-public-key-pinning

Is HTTP Public Key Pinning Dead? https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead

