HPKP directives for SSL module

Andrew Benton andrew at benton.io
Fri Dec 16 23:20:27 UTC 2016


Been working for a couple hours on an addition to the SSL module that would
help users implement HPKP (
https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning).

The idea is to add a directive that would be easily configurable to have
nginx present the appropriate PKP header on HTTP responses. Rather than
continuing to work on this in a vacuum though, I thought maybe I should
chime in on here to discuss the desirability of such a feature and get some
consensus about the directive's API.

Having implemented HPKP in a few environments, one of the more frustrating
problems is the need to extract public key data from a certificate or key
and hardcode it into an add_header directive. Given that nginx already has
access to the public key data for at least one possible pin (given TLS
enabled and configured properly) in memory, it would seem to make sense to
just have nginx handle this.

So that's the motivation. The things that are configurable in the HTTP PKP
header are:

1 or more pins, extracted from public key information
max-age, a number of seconds that the pins are valid
includeSubdomains, an optional flag
reportUri, an optional URL for the browser to report pin validation failures

So the proposal would be to have some new directives:

ssl_hpkp (on/off flag directive, default off)
ssl_hpkp_pins (variable args, possibly string filenames for more cert/keys
to use, need help here)
ssl_hpkp_max_age (number of seconds, default of 1)
ssl_hpkp_include_subdomains (on/off flag directive, default off)
ssl_hpkp_report_uri (string directive for optional reporting URL, default
empty)

Of these, the only one I think is difficult is the one concerning pins. So
I'd love to see suggestions for that.

In general, let me know what you all think.
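As an added illustration (not code from the original post or from nginx), here is the pin computation and header assembly the post describes, in Python: an RFC 7469 pin is base64(SHA-256(DER-encoded SubjectPublicKeyInfo)), the same bytes `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER` yields for a real certificate, which is why nginx's in-memory certificate is enough to derive the live pin. The tiny DER encoder and the sample modulus values are constructed for this example; note that RFC 7469 requires at least two pins (the live key plus a backup key not in the served chain), which is the reason a directive that accepts extra certificate or key files matters.

```python
import base64
import hashlib

# --- minimal DER helpers, just enough to build an RSA SubjectPublicKeyInfo ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:            # DER INTEGER is signed: pad so it stays positive
        b = b"\x00" + b
    return der_tlv(0x02, b)

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def rsa_spki_der(modulus, exponent):
    """DER SubjectPublicKeyInfo for an RSA key (RFC 5280 / RFC 3279 layout)."""
    rsa_public_key = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    algorithm_id = der_tlv(0x30, RSA_OID + b"\x05\x00")      # rsaEncryption, NULL params
    subject_pk = der_tlv(0x03, b"\x00" + rsa_public_key)      # BIT STRING, 0 unused bits
    return der_tlv(0x30, algorithm_id + subject_pk)

def spki_pin(spki_der):
    """pin-sha256 value per RFC 7469: base64(SHA-256(DER-encoded SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def pkp_header(pins, max_age, include_subdomains=False, report_uri=None):
    """Public-Key-Pins header value; RFC 7469 needs >= 2 distinct pins (live + backup)."""
    pins = list(dict.fromkeys(pins))                        # drop duplicates, keep order
    if len(pins) < 2:
        raise ValueError("HPKP needs the live pin and at least one backup pin")
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % int(max_age)]
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return "; ".join(parts)

def demo_header():
    # Constructed sample keys: tiny made-up modulus values, for illustration only.
    live_pin = spki_pin(rsa_spki_der(0xC0FFEE1234567890ABCDEF, 65537))
    backup_pin = spki_pin(rsa_spki_der(0xDEADBEEF0123456789ABCDEF, 65537))
    return pkp_header([live_pin, backup_pin], max_age=5184000, include_subdomains=True, report_uri="https://example.com/hpkp-report")
```

The value returned by demo_header() is what an add_header directive would otherwise have to carry by hand; a bad or expired pin set locks clients out for max-age, so the header should be emitted only once both pins are verified against real keys.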