Key pinning / Nginx reverse proxy
francis at daoine.org
Sun Feb 21 09:49:50 UTC 2016
On Sun, Feb 21, 2016 at 11:23:02AM +0200, Thierry wrote:
> After I have executed the curl command, it seems that I have an answer
> from my Apache2 back end server (apache2.conf)
> Yes I do see the "Public-Key-Pins:" line... And yes I do have the
> content that I expect.
How do you know what content to expect?
> Public-Key-Pins: pin-sha256="DZNsRcNIolhfdouihfazormhrfozef=";pin-sha256="633ltusrlsqhoagfdgfo79xMD9r9Q="; max-age=2592000; includeSubDomains
What is the actual sha256 of the certificate that the browser receives? Is
it one of the two above?
The details are in RFC7469.
https://tools.ietf.org/html/rfc7469#appendix-A gives an example of how
you mind find it.
> But, is it really the output of Apache2 ? There is a syntax difference
> between Nginx and Apache2:
Should it be the output of Apache2?
Your browser is speaking https to nginx. It should only see the pinning
information from nginx. The browser never sees the Apache certificate,
and so should not see anything related to it.
> Nginx: pin-sha256="DZNsRcNIoiVdK8Img794j8/XGf4+6sDLFjADPWWOddw=";
> Apache2: pin-sha256=\"DZNsRcNIoirupeqrhfjpzehfrhfaefhpazf=\";
I suspect that only one of those is valid in the response header.
https://tools.ietf.org/html/rfc7469#section-2.1.5 suggests that the
backslashes are unnecessary.
(Note that neither of those sha256 values match the ones in the response
header. What is actually written in your nginx.conf, and what is the
actual response you get from curl? If they are different, you have more
investigating to do.)
> When the curl command return me the result, I can see that there is
> no "\" ... Is it normal ?
I think "yes".
> If yes, why is "ssllabs.com/ssltest" doesn't see anything concerning
> the HPKP ?
Is there any documentation on the ssllabs.com site about what they
Can you see, does "HPKP: No" distinguish between:
* no Public-Key-Pins header returned
* Public-Key-Pins header found, but with invalid formatting
* valid Public-Key-Pins header found, but without the sha256 of the
Good luck with it,
Francis Daly francis at daoine.org
More information about the nginx