[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15770524#comment-15770524 ]

Masaori Koshiba commented on TS-3216:

If anybody needs HPKP, I recommend using the header_rewrite plugin temporarily. The bug around backslash escaping is solved by TS-4797 and TS-4993.

> Add HPKP (Public Key Pinning Extension for HTTP) support
> Key: TS-3216
> URL: https://issues.apache.org/jira/browse/TS-3216
> Project: Traffic Server
> Issue Type: New Feature
> Components: SSL
> Reporter: Masaori Koshiba
> Labels: review
> Fix For: sometime
> Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
> Time Spent: 5h 20m
> Remaining Estimate: 0h
>
> Add "Public Key Pinning Extension for HTTP" Support in Traffic Server.
> RFC 7469 Public Key Pinning Extension for HTTP
> - https://tools.ietf.org/html/rfc7469

-- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15424290#comment-15424290 ]

Masaori Koshiba commented on TS-3216:

[~bcall] I'll fix my patch for current master and open a PR.

Fix For: 7.0.0
Assignee: Masaori Koshiba
Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15423361#comment-15423361 ]

Bryan Call commented on TS-3216:

[~masaori] Want to make a pull request for it?

Fix For: 7.0.0
Assignee: Masaori Koshiba
Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15232579#comment-15232579 ]

Alan M. Carroll commented on TS-3216:

Yes. You need to make sure the netVC is an SSL one, and checking dynamic_cast is a reasonable way to do that.

Fix For: 7.0.0
Assignee: Masaori Koshiba
Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15168247#comment-15168247 ]

Masaori Koshiba commented on TS-3216:

[~rudra] Nice catch. Dual cert scenarios make sense. We should support it.

Fix For: 6.2.0
Assignee: Masaori Koshiba
Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15168147#comment-15168147 ]

Prakhar Rudra commented on TS-3216:

Please include a feature to add multiple (precalculated) pins per domain served. In dual cert (RSA and EC) scenarios one may need to include something like 2 main, 2 backup and even one or two more. Say, if one wants to use pinning over Cloudflare, they will have to pin on CF root certs, and in case they decide to leave CF in future, they will need to pin on their own leaves and backups.

Fix For: 6.2.0
Assignee: Masaori Koshiba
Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15085643#comment-15085643 ]

Leif Hedstrom commented on TS-3216:

[~masaori] Should this be landed for 6.1.0? If not, please move out to 6.2.0.

Fix For: 6.1.0
Assignee: Masaori Koshiba
Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15060425#comment-15060425 ]

Leif Hedstrom commented on TS-3216:

[~masaori] If this is still needed, can you create a PR and land this ASAP?

Fix For: 6.1.0
Assignee: Masaori Koshiba
Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14618213#comment-14618213 ]

bettydramit commented on TS-3216:

Sorry for my mistake. When I chmod o+x test.csr and enabled proxy.config.ssl.hpkp.enabled 1 in records.config, with this ssl_multicert.config:

{code}
dest_ip=* ssl_cert_name=test.crt ssl_key_name=test.key hpkp_enabled=1 hpkp_max_age=300 hpkp_include_subdomains=1 hpkp_backup_csr_filename=test.csr
{code}

It works! But it only worked for wget:

{code}
Public-Key-Pins: pin-sha256=BRotFk9Bt4Ldy9ab04f6T+84fYi3vPTBOlXvAWwptMU=; pin-sha256=BRotFk9Bt4Ldy9ab04f6T+84fYi3vPTBOlXvAWwptMU=; max-age=3000; includeSubDomains
{code}

It breaks when Chrome gets it. Core bt info:

{code}
Core was generated by `/usr/bin/traffic_server -M --httpport 80:fd=7,443:fd=8:ssl'.
Program terminated with signal 11, Segmentation fault.
#0  HttpTransactHeaders::insert_hpkp_header_in_response (s=<value optimized out>, header=0x2b4e7c17c840) at HttpTransactHeaders.cc:823
823         const SSLCertContext *cc = ssl_vc->sslCertContext;
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.132.el6_5.2.x86_64 hwloc-1.5-1.el6.x86_64 libattr-2.4.44-7.el6.x86_64 libcap-2.16-5.5.el6.x86_64 libgcc-4.4.7-4.el6.x86_64 libstdc++-4.4.7-4.el6.x86_64 libxml2-2.7.6-14.el6_5.2.x86_64 nss-softokn-freebl-3.14.3-10.el6_5.x86_64 numactl-2.0.7-8.el6.x86_64 pciutils-libs-3.1.10-2.el6.x86_64 pcre-7.8-6.el6.x86_64 spdylay-1.2.5-1.el6.x86_64 tcl-8.5.7-6.el6.x86_64 xz-libs-4.999.9-0.3.beta.20091007git.el6.x86_64 zlib-1.2.3-29.el6.x86_64
(gdb) bt
#0  HttpTransactHeaders::insert_hpkp_header_in_response (s=<value optimized out>, header=0x2b4e7c17c840) at HttpTransactHeaders.cc:823
#1  0x005cde57 in HttpTransact::build_response (s=0x2b4e7c17c0f8, base_response=0x2b4e7c17c8c0, outgoing_response=0x2b4e7c17c840, outgoing_version=<value optimized out>, status_code=HTTP_STATUS_OK, reason_phrase=<value optimized out>) at HttpTransact.cc:7943
#2  0x005d768b in HttpTransact::handle_cache_operation_on_forward_server_response (s=0x2b4e7c17c0f8) at HttpTransact.cc:4542
#3  0x005e181c in HttpTransact::HandleResponse (s=0x2b4e7c17c0f8) at HttpTransact.cc:3328
#4  0x0059a0e6 in HttpSM::call_transact_and_set_next_state (this=0x2b4e7c17c090, f=<value optimized out>) at HttpSM.cc:6832
#5  0x005ad4cf in HttpSM::handle_api_return (this=0x2b4e7c17c090) at HttpSM.cc:1508
#6  0x005b08ff in do_api_callout (this=0x2b4e7c17c090, event=100, data=0x2b4e8001b318) at HttpSM.cc:390
#7  HttpSM::state_read_server_response_header (this=0x2b4e7c17c090, event=100, data=0x2b4e8001b318) at HttpSM.cc:1846
#8  0x005afe78 in HttpSM::main_handler (this=0x2b4e7c17c090, event=100, data=0x2b4e8001b318) at HttpSM.cc:2534
#9  0x0073b840 in handleEvent (this=0x2b4e8001b200, event=<value optimized out>) at ../../iocore/eventsystem/I_Continuation.h:145
#10 read_signal_and_update (this=0x2b4e8001b200, event=<value optimized out>) at UnixNetVConnection.cc:142
#11 UnixNetVConnection::readSignalAndUpdate (this=0x2b4e8001b200, event=<value optimized out>) at UnixNetVConnection.cc:972
#12 0x007237e5 in SSLNetVConnection::net_read_io (this=0x2b4e8001b200, nh=0x2b4e09f0eb40, lthread=0x2b4e09f0b010) at SSLNetVConnection.cc:579
#13 0x00730822 in NetHandler::mainNetEvent (this=0x2b4e09f0eb40, event=<value optimized out>, e=<value optimized out>) at UnixNet.cc:516
#14 0x0075df15 in handleEvent (this=0x2b4e09f0b010, e=0x1fad2d0, calling_code=5) at I_Continuation.h:145
#15 EThread::process_event (this=0x2b4e09f0b010, e=0x1fad2d0, calling_code=5) at UnixEThread.cc:128
#16 0x0075e859 in EThread::execute (this=0x2b4e09f0b010) at UnixEThread.cc:252
#17 0x0075d35a in spawn_thread_internal (a=0x2204c30) at Thread.cc:85
#18 0x2b4dff25a9d1 in start_thread () from /lib64/libpthread.so.0
#19 0x2b4e00ef9b5d in clone () from /lib64/libc.so.6
(gdb)
{code}

Fix For: 6.1.0
Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14618348#comment-14618348 ]

Masaori Koshiba commented on TS-3216:

I could not reproduce the SEGV. But I'm thinking of adding a null check around dynamic_cast in {{HttpTransactHeaders::insert_hpkp_header_in_response}}:

{noformat}
819 void
820 HttpTransactHeaders::insert_hpkp_header_in_response(HttpTransact::State *s, HTTPHdr *header)
821 {
822   SSLNetVConnection *ssl_vc = dynamic_cast<SSLNetVConnection *>(s->state_machine->ua_session->get_netvc());
823   const SSLCertContext *cc = ssl_vc->sslCertContext;
{noformat}

Fix For: 6.1.0
Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14618126#comment-14618126 ]

bettydramit commented on TS-3216:

[~masaori] With hpkp-003.patch, ssl_multicert.config:

{code}
dest_ip=* ssl_cert_name=test.crt ssl_key_name=test.key hpkp_enabled=1 hpkp_max_age=300 hpkp_include_subdomains=1 hpkp_backup_csr_filename=test.csr
{code}

Start ATS:

{code}
[Jul 8 15:14:12.385] Server {0x2ae6de051180} NOTE: loading SSL certificate configuration from /etc/trafficserver/ssl_multicert.config
[Jul 8 15:14:12.387] Server {0x2ae6de051180} ERROR: fail to read csr from '/etc/trafficserver/www.test.csr'
[Jul 8 15:14:12.387] Server {0x2ae6de051180} ERROR: fail to generate backup pin for HPKP
[Jul 8 15:14:12.434] Server {0x2ae6de051180} NOTE: traffic server running
[Jul 8 15:14:12.563] Server {0x2ae6df688700} NOTE: cache enabled
{code}

Fix For: 6.1.0
Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14618032#comment-14618032 ]

Masaori Koshiba commented on TS-3216:

{quote}
It assumes that there is only 1 backup pin, the backup pin is contained in a CSR, and that the CSR is available to ATS. All of these assumptions seem shaky to me.

Do you mean even if there are 2 cert settings in ssl_multicert.config, only one backup pin is enough?
{quote}

Sorry, I misunderstood. {{hpkp-003.patch}} still assumes there is only 1 backup pin. Is it better to allow lists of CSR files in {{backup_csr.filename}} and generate pins for each?

Fix For: 6.1.0
Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14618033#comment-14618033 ]

Masaori Koshiba commented on TS-3216:

[~bettydreamit] You can override every HPKP config from {{ssl_multicert.config}} if you want.

Fix For: 6.1.0
Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14618070#comment-14618070 ]

bettydramit commented on TS-3216:

I will try, thanks.

Fix For: 6.1.0
Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14618029#comment-14618029 ]

Masaori Koshiba commented on TS-3216:

Hi [~jpe...@apache.org], I attached a new patch. It adds the configs below to {{records.config}}, and those configs are overridable from {{ssl_multicert.config}}.

{noformat}
proxy.config.ssl.hpkp.enabled
proxy.config.ssl.hpkp.backup_csr.filename
proxy.config.ssl.hpkp.report_only
proxy.config.ssl.hpkp.report_uri
proxy.config.ssl.hpkp.max_age
proxy.config.ssl.hpkp.include_subdomains
{noformat}

This patch also has {{Public-Key-Pins-Report-Only}} and {{report-uri}} support.

Fix For: 6.1.0
Attachments: hpkp-001.patch, hpkp-002.patch, hpkp-003.patch
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14499114#comment-14499114 ]

Masaori Koshiba commented on TS-3216:

I noticed TS-2773 and it looks good. I'm going to move HPKP configurations to {{records.config}} and support only one cert as the first step. When TS-2773 is fixed, I'll add HPKP configurations in {{ssl_multicert.config}} for each cert.

Fix For: 6.0.0
Assignee: James Peach
Attachments: hpkp-001.patch, hpkp-002.patch
Issue description at the time referenced: Public Key Pinning Extension for HTTP (draft-ietf-websec-key-pinning-21) - https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14363134#comment-14363134 ]

bettydramit commented on TS-3216:

It is a very nice feature.

Fix For: 5.3.0
Assignee: James Peach
Attachments: hpkp-001.patch, hpkp-002.patch
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14364147#comment-14364147 ]

James Peach commented on TS-3216:

I don't like this approach, for a number of reasons:

- It's based on {{ssl_multicert.config}} configuration, so it is not consistent with HSTS, which is based on {{records.config}}.
- It assumes that there is only 1 backup pin, the backup pin is contained in a CSR, and that the CSR is available to ATS. All of these assumptions seem shaky to me.
- There are many HPKP options missing (e.g., {{Public-Key-Pins-Report-Only}}, {{report-url}}) and it's not clear to me that configuring this in {{ssl_multicert.config}} would be a good approach.
- I really would like to avoid adding more knobs to {{ssl_multicert.config}}, since it is way too complex already.

Fix For: 5.3.0
Assignee: James Peach
Attachments: hpkp-001.patch, hpkp-002.patch
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14229969#comment-14229969 ]

James Peach commented on TS-3216:

I will review this patch and also read the relevant RFC. From the description above, my first reaction is that this should work like HSTS.

Fix For: 5.3.0
Attachments: hpkp-001.patch
[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support
[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14228205#comment-14228205 ]

Masaori Koshiba commented on TS-3216:

The attached patch, hpkp-001.patch, does the following things:

1. Read the public key from cert files, hash it with SHA256 and encode it to Base64.
2. Read the public key from the CSR file, hash it with SHA256 and encode it to Base64.
3. Add the Public-Key-Pins header when the incoming request is HTTPS.

I have a few concerns about my patch:

1. I added an SSLCertContext field in SSLVConnection to get the SSLCertContext in HttpTransactHeaders.
2. I directly used the hash functions of OpenSSL, because I couldn't find functions like ATSHashSHA256. Should I add some wrapper functions under the lib/ts/ directory and use them?

Below is an example of ssl_multicert.config with HPKP.

{noformat}
dest_ip=* ssl_cert_name=ssl/s_yimg_jp.pem ssl_key_name=ssl/s_yimg_jp.key ssl_ca_name=ssl/s_yimg_jp_ca.pem hpkp_enabled=1 hpkp_max_age=300 hpkp_include_subdomains=1 hpkp_csr_name=ssl/s_yimg_jp.csr
{noformat}

Attachments: hpkp-001.patch
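Added example, not Traffic Server code and not taken from any of the hpkp-00x patches: the three steps above (pin from a certificate, pin from a CSR, header assembly) in standard-library Python, with a minimal DER walker standing in for the OpenSSL calls the patch uses. The header builder also covers the dual-cert (RSA + EC) and multiple-backup-pin case raised elsewhere in this thread and the Public-Key-Pins-Report-Only / report-uri variants of the later patch. Two RFC 7469 details worth checking against any implementation: pin values are quoted-strings in the header ABNF, and a valid pin set must contain at least one pin that is not in the served chain (the backup pin), so the builder quotes the values and refuses an enforcing header whose only backup pin duplicates a chain pin (the same value twice, as in the header pasted further up this thread, would not satisfy that). The certificates and CSRs below are constructed skeletons with the real field layout but dummy names and an unverifiable signature, and `https://example.com/hpkp-report` is a placeholder; real input is the DER of a cert or CSR.

```python
"""RFC 7469 pin-sha256 from X.509 / PKCS#10 SubjectPublicKeyInfo, plus header builder.
Added example; pure stdlib; sample certs/CSRs are constructed skeletons."""
import base64
import hashlib

SEQUENCE, INTEGER, BIT_STRING, NULL, OID, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0xA0


def der_encode(tag, content):
    """Definite-length DER TLV (short and long form lengths)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf, pos=0):
    """Decode one TLV at pos -> (tag, content, raw_tlv, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        nbytes = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), 2 + nbytes
    start, end = pos + hdr, pos + hdr + n
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], buf[pos:end], end


def der_children(tlv):
    """Elements inside a constructed TLV as [(tag, content, raw_tlv), ...]."""
    _, content, _, _ = der_read(tlv)
    out, pos = [], 0
    while pos < len(content):
        tag, body, raw, pos = der_read(content, pos)
        out.append((tag, body, raw))
    return out


def spki_from_certificate(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 field order)."""
    fields = der_children(der_children(cert_der)[0][2])   # tbsCertificate
    if fields[0][0] == CTX0:                               # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, _, raw = fields[5]
    if tag != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo not found")
    return raw


def spki_from_csr(csr_der):
    """DER SubjectPublicKeyInfo of a PKCS#10 request (RFC 2986 field order)."""
    info = der_children(csr_der)[0][2]                     # certificationRequestInfo
    tag, _, raw = der_children(info)[2]                    # version, subject, subjectPKInfo, ...
    if tag != SEQUENCE:
        raise ValueError("subjectPKInfo not found")
    return raw


def pin_sha256(spki_der):
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(chain_spkis, backup_spkis, max_age, include_subdomains=False,
                     report_uri=None, report_only=False):
    """(header name, header value). Enforcing headers need a backup pin outside the chain."""
    chain_pins = [pin_sha256(s) for s in chain_spkis]
    backup_pins = [pin_sha256(s) for s in backup_spkis]
    if not chain_pins:
        raise ValueError("no chain pin")
    if not report_only and not set(backup_pins) - set(chain_pins):
        raise ValueError("need a backup pin that is not in the served chain")
    pins = []
    for p in chain_pins + backup_pins:                     # de-duplicate, keep order
        if p not in pins:
            pins.append(p)
    directives = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        directives.append("includeSubDomains")
    if report_uri:
        directives.append('report-uri="%s"' % report_uri)
    return ("Public-Key-Pins-Report-Only" if report_only else "Public-Key-Pins"), "; ".join(directives)


# Constructed sample inputs: real DER layout, dummy names, unverifiable signature.
RSA_OID = bytes.fromhex("2A864886F70D010101")             # 1.2.840.113549.1.1.1 rsaEncryption
EC_OID = bytes.fromhex("2A8648CE3D0201")                  # 1.2.840.10045.2.1 id-ecPublicKey
SIG_ALG = der_encode(SEQUENCE, der_encode(OID, bytes.fromhex("2A864886F70D01010B")) + der_encode(NULL, b""))


def make_spki(alg_oid, key_bytes):
    alg = der_encode(SEQUENCE, der_encode(OID, alg_oid) + der_encode(NULL, b""))
    return der_encode(SEQUENCE, alg + der_encode(BIT_STRING, b"\x00" + key_bytes))


def make_certificate(spki):
    name = der_encode(SEQUENCE, b"")                       # empty Name (dummy)
    validity = der_encode(SEQUENCE, der_encode(UTCTIME, b"150101000000Z") * 2)
    tbs = der_encode(SEQUENCE, der_encode(CTX0, der_encode(INTEGER, b"\x02")) + der_encode(INTEGER, b"\x01")
                     + SIG_ALG + name + validity + name + spki)
    return der_encode(SEQUENCE, tbs + SIG_ALG + der_encode(BIT_STRING, b"\x00" * 9))


def make_csr(spki):
    info = der_encode(SEQUENCE, der_encode(INTEGER, b"\x00") + der_encode(SEQUENCE, b"") + spki + der_encode(CTX0, b""))
    return der_encode(SEQUENCE, info + SIG_ALG + der_encode(BIT_STRING, b"\x00" * 9))


RSA_SPKI = make_spki(RSA_OID, bytes(range(1, 65)))         # dummy key bodies
EC_SPKI = make_spki(EC_OID, bytes(range(64, 0, -1)))
BACKUP_SPKI = make_spki(RSA_OID, bytes(range(2, 66)))      # key held offline, only its CSR is on the proxy


def demo():
    """Dual-cert site (RSA + EC leaf) with one backup CSR, 300 s max-age, includeSubDomains."""
    chain = [spki_from_certificate(make_certificate(RSA_SPKI)), spki_from_certificate(make_certificate(EC_SPKI))]
    backups = [spki_from_csr(make_csr(BACKUP_SPKI))]
    return build_pkp_header(chain, backups, 300, include_subdomains=True, report_uri="https://example.com/hpkp-report")
```

The same pin values can be cross-checked with `openssl x509 -pubkey -noout -in cert.pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64` (and `openssl req -pubkey` for a CSR), since both hash the identical DER SubjectPublicKeyInfo; that is what to diff against the header ATS actually emits.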