[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2016-12-22 Thread Masaori Koshiba (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15770524#comment-15770524
 ] 

Masaori Koshiba commented on TS-3216:
-

If anybody needs HPKP, I recommend using the header_rewrite plugin temporarily. The 
bug around backslash escape is solved by TS-4797 and TS-4993.

> Add HPKP (Public Key Pinning Extension for HTTP) support
> 
>
> Key: TS-3216
> URL: https://issues.apache.org/jira/browse/TS-3216
> Project: Traffic Server
>  Issue Type: New Feature
>  Components: SSL
>Reporter: Masaori Koshiba
>  Labels: review
> Fix For: sometime
>
> Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
>
>  Time Spent: 5h 20m
>  Remaining Estimate: 0h
>
> Add "Public Key Pinning Extension for HTTP" Support in Traffic Server.
> RFC 7469 Public Key Pinning Extension for HTTP
> - https://tools.ietf.org/html/rfc7469



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2016-08-17 Thread Masaori Koshiba (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15424290#comment-15424290
 ] 

Masaori Koshiba commented on TS-3216:
-

[~bcall] I'll fix my patch for current master and open a PR.

> Add HPKP (Public Key Pinning Extension for HTTP) support
> 
>
> Key: TS-3216
> URL: https://issues.apache.org/jira/browse/TS-3216
> Project: Traffic Server
>  Issue Type: New Feature
>  Components: SSL
>Reporter: Masaori Koshiba
>Assignee: Masaori Koshiba
>  Labels: review
> Fix For: 7.0.0
>
> Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
>
>
> Add "Public Key Pinning Extension for HTTP" Support in Traffic Server.
> RFC 7469 Public Key Pinning Extension for HTTP
> - https://tools.ietf.org/html/rfc7469





[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2016-08-16 Thread Bryan Call (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15423361#comment-15423361
 ] 

Bryan Call commented on TS-3216:


[~masaori]
Want to make a pull request for it?



[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2016-04-08 Thread Alan M. Carroll (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15232579#comment-15232579
 ] 

Alan M. Carroll commented on TS-3216:
-

Yes. You need to make sure the netVC is an SSL one and checking dynamic_cast is 
a reasonable way to do that.



[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2016-02-25 Thread Masaori Koshiba (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15168247#comment-15168247
 ] 

Masaori Koshiba commented on TS-3216:
-

[~rudra] Nice catch. Dual cert scenarios make sense. We should support it.

> Add HPKP (Public Key Pinning Extension for HTTP) support
> 
>
> Key: TS-3216
> URL: https://issues.apache.org/jira/browse/TS-3216
> Project: Traffic Server
>  Issue Type: New Feature
>  Components: SSL
>Reporter: Masaori Koshiba
>Assignee: Masaori Koshiba
>  Labels: review
> Fix For: 6.2.0
>
> Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
>
>
> Add "Public Key Pinning Extension for HTTP" Support in Traffic Server.
> RFC 7469 Public Key Pinning Extension for HTTP
> - https://tools.ietf.org/html/rfc7469





[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2016-02-25 Thread Prakhar Rudra (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15168147#comment-15168147
 ] 

Prakhar Rudra commented on TS-3216:
---

Please include features just to add multiple pins (precalculated) per domain 
served. In dual cert (RSA and EC) scenarios one may need to include like 2 
main, 2 backup and even one or two more. Like say if one wants to use pinning over 
Cloudflare, they will have to pin on CF root certs and in case they decide to 
leave CF in future, they will need to pin on their own leafs and backups.



[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2016-01-06 Thread Leif Hedstrom (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15085643#comment-15085643
 ] 

Leif Hedstrom commented on TS-3216:
---

[~masaori] Should this be landed for 6.1.0 ? If not, please move out to 6.2.0.

> Add HPKP (Public Key Pinning Extension for HTTP) support
> 
>
> Key: TS-3216
> URL: https://issues.apache.org/jira/browse/TS-3216
> Project: Traffic Server
>  Issue Type: New Feature
>  Components: SSL
>Reporter: Masaori Koshiba
>Assignee: Masaori Koshiba
>  Labels: review
> Fix For: 6.1.0
>
> Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
>
>
> Add "Public Key Pinning Extension for HTTP" Support in Traffic Server.
> RFC 7469 Public Key Pinning Extension for HTTP
> - https://tools.ietf.org/html/rfc7469





[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2015-12-16 Thread Leif Hedstrom (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15060425#comment-15060425
 ] 

Leif Hedstrom commented on TS-3216:
---

[~masaori] If this is still needed, can you create a PR and land this asap?



[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2015-07-08 Thread bettydramit (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14618213#comment-14618213
 ] 

bettydramit commented on TS-3216:
-

Sorry, for my mistake
When chmod o+x test.csr and enabled proxy.config.ssl.hpkp.enabled 1 in 
records.config
and ssl_multicert.config
dest_ip=* ssl_cert_name=test.crt ssl_key_name=test.key hpkp_enabled=1 
hpkp_max_age=300 hpkp_include_subdomains=1 hpkp_backup_csr_filename=test.csr

It works!
But only worked for Wget
{code}
 Public-Key-Pins: pin-sha256=BRotFk9Bt4Ldy9ab04f6T+84fYi3vPTBOlXvAWwptMU=; 
pin-sha256=BRotFk9Bt4Ldy9ab04f6T+84fYi3vPTBOlXvAWwptMU=; max-age=3000; 
includeSubDomains
{code}

It breaks when Chrome gets it.
Core bt info:
{code}
Core was generated by `/usr/bin/traffic_server -M --httpport 
80:fd=7,443:fd=8:ssl'.
Program terminated with signal 11, Segmentation fault.
#0  HttpTransactHeaders::insert_hpkp_header_in_response (s=<value optimized 
out>, header=0x2b4e7c17c840) at HttpTransactHeaders.cc:823
823   const SSLCertContext *cc = ssl_vc->sslCertContext;
Missing separate debuginfos, use: debuginfo-install 
glibc-2.12-1.132.el6_5.2.x86_64 hwloc-1.5-1.el6.x86_64 
libattr-2.4.44-7.el6.x86_64 libcap-2.16-5.5.el6.x86_64 
libgcc-4.4.7-4.el6.x86_64 libstdc++-4.4.7-4.el6.x86_64 
libxml2-2.7.6-14.el6_5.2.x86_64 nss-softokn-freebl-3.14.3-10.el6_5.x86_64 
numactl-2.0.7-8.el6.x86_64 pciutils-libs-3.1.10-2.el6.x86_64 
pcre-7.8-6.el6.x86_64 spdylay-1.2.5-1.el6.x86_64 tcl-8.5.7-6.el6.x86_64 
xz-libs-4.999.9-0.3.beta.20091007git.el6.x86_64 zlib-1.2.3-29.el6.x86_64
(gdb) bt
#0  HttpTransactHeaders::insert_hpkp_header_in_response (s=<value optimized 
out>, header=0x2b4e7c17c840) at HttpTransactHeaders.cc:823
#1  0x005cde57 in HttpTransact::build_response (s=0x2b4e7c17c0f8, 
base_response=0x2b4e7c17c8c0, outgoing_response=0x2b4e7c17c840, 
outgoing_version=<value optimized out>, status_code=HTTP_STATUS_OK, 
reason_phrase=<value optimized out>) at HttpTransact.cc:7943
#2  0x005d768b in 
HttpTransact::handle_cache_operation_on_forward_server_response 
(s=0x2b4e7c17c0f8) at HttpTransact.cc:4542
#3  0x005e181c in HttpTransact::HandleResponse (s=0x2b4e7c17c0f8) at 
HttpTransact.cc:3328
#4  0x0059a0e6 in HttpSM::call_transact_and_set_next_state 
(this=0x2b4e7c17c090, f=<value optimized out>) at HttpSM.cc:6832
#5  0x005ad4cf in HttpSM::handle_api_return (this=0x2b4e7c17c090) at 
HttpSM.cc:1508
#6  0x005b08ff in do_api_callout (this=0x2b4e7c17c090, event=100, 
data=0x2b4e8001b318) at HttpSM.cc:390
#7  HttpSM::state_read_server_response_header (this=0x2b4e7c17c090, event=100, 
data=0x2b4e8001b318) at HttpSM.cc:1846
#8  0x005afe78 in HttpSM::main_handler (this=0x2b4e7c17c090, event=100, 
data=0x2b4e8001b318) at HttpSM.cc:2534
#9  0x0073b840 in handleEvent (this=0x2b4e8001b200, event=<value 
optimized out>) at ../../iocore/eventsystem/I_Continuation.h:145
#10 read_signal_and_update (this=0x2b4e8001b200, event=<value optimized out>) 
at UnixNetVConnection.cc:142
#11 UnixNetVConnection::readSignalAndUpdate (this=0x2b4e8001b200, event=<value 
optimized out>) at UnixNetVConnection.cc:972
#12 0x007237e5 in SSLNetVConnection::net_read_io (this=0x2b4e8001b200, 
nh=0x2b4e09f0eb40, lthread=0x2b4e09f0b010)
at SSLNetVConnection.cc:579
#13 0x00730822 in NetHandler::mainNetEvent (this=0x2b4e09f0eb40, 
event=<value optimized out>, e=<value optimized out>)
at UnixNet.cc:516
#14 0x0075df15 in handleEvent (this=0x2b4e09f0b010, e=0x1fad2d0, 
calling_code=5) at I_Continuation.h:145
#15 EThread::process_event (this=0x2b4e09f0b010, e=0x1fad2d0, calling_code=5) 
at UnixEThread.cc:128
#16 0x0075e859 in EThread::execute (this=0x2b4e09f0b010) at 
UnixEThread.cc:252
#17 0x0075d35a in spawn_thread_internal (a=0x2204c30) at Thread.cc:85
#18 0x2b4dff25a9d1 in start_thread () from /lib64/libpthread.so.0
#19 0x2b4e00ef9b5d in clone () from /lib64/libc.so.6
(gdb) 

{code}

 Add HPKP (Public Key Pinning Extension for HTTP) support
 

 Key: TS-3216
 URL: https://issues.apache.org/jira/browse/TS-3216
 Project: Traffic Server
  Issue Type: New Feature
  Components: SSL
Reporter: Masaori Koshiba
  Labels: review
 Fix For: 6.1.0

 Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch


 Add Public Key Pinning Extension for HTTP Support in Traffic Server.
 RFC 7469 Public Key Pinning Extension for HTTP
 - https://tools.ietf.org/html/rfc7469



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
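
An added example, not taken from the thread or from the patch: a small linter for a `Public-Key-Pins` value, run on the header value posted in the comment above. RFC 7469 has user agents note pins only when at least one pin is absent from the served certificate chain (a backup pin), so a value whose pins are all the same is flagged. `lint_pkp` and `PkpReport` are hypothetical names.

```cpp
// Added example (not Traffic Server code): lint a Public-Key-Pins header value.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <string>
#include <vector>

struct PkpReport {
  std::set<std::string> pins;        // distinct, well-formed pin-sha256 values
  long long max_age = -1;            // -1: missing or malformed
  std::vector<std::string> problems; // findings, empty when the value passes
};

static std::string trim(const std::string &s) {
  auto b = s.find_first_not_of(" \t");
  return b == std::string::npos ? "" : s.substr(b, s.find_last_not_of(" \t") - b + 1);
}

// Split on ';' outside quoted-strings (a quoted report-uri may contain ';').
static std::vector<std::string> split_directives(const std::string &v) {
  std::vector<std::string> out;
  std::string cur;
  bool quoted = false;
  for (char c : v) {
    if (c == '"') quoted = !quoted;
    if (c == ';' && !quoted) { out.push_back(trim(cur)); cur.clear(); }
    else cur += c;
  }
  out.push_back(trim(cur));
  return out;
}

// A SHA-256 digest is 32 bytes: 43 base64 characters followed by one '='.
static bool is_sha256_b64(const std::string &p) {
  return p.size() == 44 && p.back() == '=' &&
         std::all_of(p.begin(), p.end() - 1, [](unsigned char c) {
           return std::isalnum(c) || c == '+' || c == '/';
         });
}

PkpReport lint_pkp(const std::string &value, bool report_only = false) {
  PkpReport r;
  bool max_age_seen = false;
  for (const std::string &d : split_directives(value)) {
    if (d.empty()) continue;
    auto eq = d.find('=');
    std::string name = trim(d.substr(0, eq)); // directive names are case-insensitive
    std::transform(name.begin(), name.end(), name.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    std::string val = eq == std::string::npos ? "" : trim(d.substr(eq + 1));
    if (val.size() >= 2 && val.front() == '"' && val.back() == '"') val = val.substr(1, val.size() - 2);
    if (name == "pin-sha256") {
      if (!is_sha256_b64(val)) r.problems.push_back("malformed pin: " + val);
      else if (!r.pins.insert(val).second) r.problems.push_back("duplicate pin: " + val);
    } else if (name == "max-age") {
      max_age_seen = true;
      bool digits = !val.empty() && val.size() <= 10 &&
                    std::all_of(val.begin(), val.end(), [](unsigned char c) { return std::isdigit(c) != 0; });
      if (digits) r.max_age = std::stoll(val);
      else r.problems.push_back("malformed max-age: " + val);
    }
  }
  // max-age is required in Public-Key-Pins and ignored in Public-Key-Pins-Report-Only.
  if (!max_age_seen && !report_only) r.problems.push_back("max-age missing");
  // One pin has to match the served chain and one must not: two distinct pins at least.
  if (r.pins.size() < 2) r.problems.push_back("no backup pin: fewer than two distinct pins");
  return r;
}

// The header value posted in the comment above.
const std::string kPostedValue =
  "pin-sha256=BRotFk9Bt4Ldy9ab04f6T+84fYi3vPTBOlXvAWwptMU=; "
  "pin-sha256=BRotFk9Bt4Ldy9ab04f6T+84fYi3vPTBOlXvAWwptMU=; max-age=3000; includeSubDomains";

int main() {
  const PkpReport report = lint_pkp(kPostedValue);
  for (const std::string &p : report.problems) std::cout << p << "\n";
}
```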


[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2015-07-08 Thread Masaori Koshiba (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14618348#comment-14618348
 ] 

Masaori Koshiba commented on TS-3216:
-

I could not reproduce the SEGV. But I'm thinking of adding a null check around 
dynamic_cast in {{HttpTransactHeaders::insert_hpkp_header_in_response}}

{noformat}
819 void
820 HttpTransactHeaders::insert_hpkp_header_in_response(HttpTransact::State *s, HTTPHdr *header)
821 {
822   SSLNetVConnection *ssl_vc = dynamic_cast<SSLNetVConnection *>(s->state_machine->ua_session->get_netvc());
823   const SSLCertContext *cc = ssl_vc->sslCertContext;
{noformat}


--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
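
The null check discussed in the comment above, as an added example that is not part of the original thread or of Traffic Server. The classes are minimal stand-ins for the real ones, and `hpkp_header_for`, `hpkp_enabled` and `hpkp_header` are hypothetical names.

```cpp
// Added illustration: minimal stand-ins, not Traffic Server's real classes.
#include <iostream>
#include <string>

struct SSLCertContext {
  bool hpkp_enabled = false; // hypothetical field
  std::string hpkp_header;   // hypothetical: precomputed Public-Key-Pins value
};

// Polymorphic base: dynamic_cast needs a virtual member to check the runtime type.
struct NetVConnection {
  virtual ~NetVConnection() = default;
};

struct UnixNetVConnection : NetVConnection {}; // plain-text connection

struct SSLNetVConnection : UnixNetVConnection { // TLS connection
  const SSLCertContext *sslCertContext = nullptr;
};

// Returns the header value to insert, or nullptr when the response is left untouched.
const std::string *
hpkp_header_for(NetVConnection *netvc)
{
  // The cast yields nullptr when netvc is null or is not an SSLNetVConnection,
  // so a plain-text client never reaches the dereference below.
  auto *ssl_vc = dynamic_cast<SSLNetVConnection *>(netvc);
  if (ssl_vc == nullptr) {
    return nullptr;
  }
  // Assumption of this sketch: the context pointer may also be unset.
  const SSLCertContext *cc = ssl_vc->sslCertContext;
  if (cc == nullptr || !cc->hpkp_enabled || cc->hpkp_header.empty()) {
    return nullptr;
  }
  return &cc->hpkp_header;
}

int main()
{
  UnixNetVConnection plain;
  SSLNetVConnection tls;
  SSLCertContext ctx;
  ctx.hpkp_enabled = true;
  ctx.hpkp_header  = "pin-sha256=\"...\"; max-age=300"; // placeholder value
  tls.sslCertContext = &ctx;
  std::cout << "plain: " << (hpkp_header_for(&plain) ? "header" : "none") << "\n";
  std::cout << "tls:   " << (hpkp_header_for(&tls) ? "header" : "none") << "\n";
}
```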


[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2015-07-08 Thread bettydramit (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14618126#comment-14618126
 ] 

bettydramit commented on TS-3216:
-

[~masaori] With hpkp-003.patch 

ssl_multicert.config
{code}
dest_ip=* ssl_cert_name=test.crt ssl_key_name=test.key hpkp_enabled=1 
hpkp_max_age=300 hpkp_include_subdomains=1 hpkp_backup_csr_filename=test.csr
{code}

start ats
{code}
[Jul  8 15:14:12.385] Server {0x2ae6de051180} NOTE: loading SSL certificate 
configuration from /etc/trafficserver/ssl_multicert.config
[Jul  8 15:14:12.387] Server {0x2ae6de051180} ERROR: fail to read csr from 
'/etc/trafficserver/www.test.csr'
[Jul  8 15:14:12.387] Server {0x2ae6de051180} ERROR: fail to generate backup 
pin for HPKP
[Jul  8 15:14:12.434] Server {0x2ae6de051180} NOTE: traffic server running
[Jul  8 15:14:12.563] Server {0x2ae6df688700} NOTE: cache enabled

{code}



[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2015-07-08 Thread Masaori Koshiba (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14618032#comment-14618032
 ] 

Masaori Koshiba commented on TS-3216:
-

{quote}
It assumes that there is only 1 backup pin, the backup pin is contained in a 
CSR, and that the CSR is available to ATS. All of these assumptions seem shaky 
to me.

Do you mean even if there are 2 cert settings in ssl_multicert.config, only one 
backup pin is enough?
{quote}
Sorry, I misunderstood. {{hpkp-003.patch}} still assumes there is only 1 backup 
pin.
Is it better to allow lists of CSR files in {{backup_csr.filename}} and 
generate pins for each?



[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2015-07-08 Thread Masaori Koshiba (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14618033#comment-14618033
 ] 

Masaori Koshiba commented on TS-3216:
-

[~bettydreamit] You can override every config of HPKP from 
{{ssl_multicert.config}} if you want.



[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2015-07-08 Thread bettydramit (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14618070#comment-14618070
 ] 

bettydramit commented on TS-3216:
-

I will try, Thanks



[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2015-07-07 Thread Masaori Koshiba (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14618029#comment-14618029
 ] 

Masaori Koshiba commented on TS-3216:
-

Hi [~jpe...@apache.org],

I attached a new patch. Add below configs in {{records.config}} and those 
configs are overridable from {{ssl_multicert.config}}. 

{noformat}
proxy.config.ssl.hpkp.enabled
proxy.config.ssl.hpkp.backup_csr.filename
proxy.config.ssl.hpkp.report_only
proxy.config.ssl.hpkp.report_uri
proxy.config.ssl.hpkp.max_age
proxy.config.ssl.hpkp.include_subdomains
{noformat}

This patch also has {{Public-Key-Pins-Report-Only}} and {{report-uri}} support.



[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2015-04-16 Thread Masaori Koshiba (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14499114#comment-14499114
 ] 

Masaori Koshiba commented on TS-3216:
-

I noticed TS-2773 and it looks good.
I'm going to move HPKP configurations to {{records.config}} and support only 
one cert as the first step.
When TS-2773 is fixed, I'll add HPKP configurations in {{ssl_multicert.config}} 
for each cert.

 Add HPKP (Public Key Pinning Extension for HTTP) support
 

 Key: TS-3216
 URL: https://issues.apache.org/jira/browse/TS-3216
 Project: Traffic Server
  Issue Type: New Feature
  Components: SSL
Reporter: Masaori Koshiba
Assignee: James Peach
  Labels: review
 Fix For: 6.0.0

 Attachments: hpkp-001.patch, hpkp-002.patch


 Add Public Key Pinning Extension for HTTP Support in Traffic Server.
 Public Key Pinning Extension for HTTP (draft-ietf-websec-key-pinning-21)
 - https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21





[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2015-03-16 Thread bettydramit (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14363134#comment-14363134
 ] 

bettydramit commented on TS-3216:
-

It is a very nice feature

 Add HPKP (Public Key Pinning Extension for HTTP) support
 

 Key: TS-3216
 URL: https://issues.apache.org/jira/browse/TS-3216
 Project: Traffic Server
  Issue Type: New Feature
  Components: SSL
Reporter: Masaori Koshiba
Assignee: James Peach
  Labels: review
 Fix For: 5.3.0

 Attachments: hpkp-001.patch, hpkp-002.patch


 Add Public Key Pinning Extension for HTTP Support in Traffic Server.
 Public Key Pinning Extension for HTTP (draft-ietf-websec-key-pinning-21)
 - https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21





[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2015-03-16 Thread James Peach (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14364147#comment-14364147
 ] 

James Peach commented on TS-3216:
-

I don't like this approach, for a number of reasons

- It's based on {{ssl_multicert.config}} configuration, so it is not consistent 
with HSTS which is based on {{records.config}}.

- It assumes that there is only 1 backup pin, the backup pin is contained in a 
CSR, and that the CSR is available to ATS. All of these assumptions seem shaky 
to me.

- There are many HPKP options missing (e.g., {{Public-Key-Pins-Report-Only}}, 
{{report-url}}) and it's not clear to me that configuring this in 
{{ssl_multicert.config}} would be a good approach.

- I really would like to avoid adding more knobs to {{ssl_multicert.config}}, 
since it is way too complex already.



[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2014-12-01 Thread James Peach (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14229969#comment-14229969
 ] 

James Peach commented on TS-3216:
-

I will review this patch and also read the relevant RFC. From the description 
above, my first reaction is that this should work like HSTS.

 Add HPKP (Public Key Pinning Extension for HTTP) support
 

 Key: TS-3216
 URL: https://issues.apache.org/jira/browse/TS-3216
 Project: Traffic Server
  Issue Type: New Feature
Reporter: Masaori Koshiba
  Labels: review
 Fix For: 5.3.0

 Attachments: hpkp-001.patch


 Add Public Key Pinning Extension for HTTP Support in Traffic Server.
 Public Key Pinning Extension for HTTP (draft-ietf-websec-key-pinning-21)
 - https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21





[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

2014-11-28 Thread Masaori Koshiba (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14228205#comment-14228205
 ] 

Masaori Koshiba commented on TS-3216:
-

The attached patch, hpkp-001.patch, does the following things.

1. Read public key from cert files, hash with SHA256 and encode to Base64.
2. Read public key from csr file, hash with SHA256 and encode to Base64.
3. Add Public-Key-Pins header when the incoming request is https.

I have a few concerns about my patch.

1. I added SSLCertContext field in SSLVConnection to get SSLCertContext in 
HttpTransactHeaders.
2. I directly used hash functions of OpenSSL, because I couldn't find some 
functions like ATSHashSHA256.
   Should I add some wrapper functions under lib/ts/ directory and use them?

Below is an example of ssl_multicert.config with HPKP.

{noformat}
dest_ip=* ssl_cert_name=ssl/s_yimg_jp.pem ssl_key_name=ssl/s_yimg_jp.key 
ssl_ca_name=ssl/s_yimg_jp_ca.pem hpkp_enabled=1 hpkp_max_age=300 
hpkp_include_subdomains=1 hpkp_csr_name=ssl/s_yimg_jp.csr
{noformat}

 Add HPKP (Public Key Pinning Extension for HTTP) support
 

 Key: TS-3216
 URL: https://issues.apache.org/jira/browse/TS-3216
 Project: Traffic Server
  Issue Type: New Feature
Reporter: Masaori Koshiba
 Attachments: hpkp-001.patch


 Add Public Key Pinning Extension for HTTP Support in Traffic Server.
 Public Key Pinning Extension for HTTP (draft-ietf-websec-key-pinning-21)
 - https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21


