SSL and TLS: Difference between revisions

From Lolly's Wiki
Jump to navigationJump to search
(Die Seite wurde neu angelegt: „Kategorie: Security ==HPKP - HTTP Public Key Pinning== A helpful script to create the hashes was made by Hanno Böck and is accessible at [https://github…“)
 
No edit summary
Line 1: Line 1:
[[Kategorie: Security]]
[[Kategorie: Security]]
 
==HTTPS==
==HPKP - HTTP Public Key Pinning==
===HSTS - HTTP Strict Transport Security===
* [https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol_Secure#HSTS HSTS at Wikipedia (English)]
* [https://de.wikipedia.org/wiki/Hypertext_Transfer_Protocol_Secure#HSTS HSTS at Wikipedia (German)]
===HPKP - HTTP Public Key Pinning===


A helpful script to create the hashes was made by Hanno Böck and is accessible at [https://github.com/hannob/hpkp Github].
A helpful script to create the hashes was made by Hanno Böck and is accessible at [https://github.com/hannob/hpkp Github].

Revision as of 12:24, 18 August 2015

Kategorie: Security

HTTPS

HSTS - HTTP Strict Transport Security

HPKP - HTTP Public Key Pinning

A helpful script to create the hashes was made by Hanno Böck and is accessible at Github.

I added a create option which makes the script more comfortable for me at Github, too.

The public key pins for this site are created like this: 

# /etc/apache2/ssl/hpkp-gen.sh create DE Hamburg Hamburg lars.timmann.de   
Generating RSA private key, 4096 bit long modulus
..............................++
..........................................++
e is 65537 (0x10001)
Generating RSA private key, 4096 bit long modulus
...................................................................................................................++
.......................................................++
e is 65537 (0x10001)
Header always set Strict-Transport-Security "max-age=31556926;"
Header always set Public-Key-Pins "max-age=5184000; pin-sha256=\"i38qmLX9VLKCmH4XNvctxbv+ogiJXHtdPA/6RvvuJHE=\";pin-sha256=\"Oh+mTGIdu9+uughG5M1W6pCBRO5Ukja5MOzcl4qxKKw=\";pin-sha256=\"i38qmLX9VLKCmH4XNvctxbv+ogiJXHtdPA/6RvvuJHE=\";"

At the end you get on line for optional adding Strict-Transport-Security and one for Public-Key-Pins. Both in Apache format. 

<VirtualHost lars.timmann.de:443>
    ...
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3
    SSLCompression off
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCertificateFile    /etc/apache2/ssl/timmann.de-wildcard.pem
    SSLCertificateKeyFile /etc/apache2/ssl/timmann.de.ec-key
    Header always set Strict-Transport-Security "max-age=31556926;"
    Header always set Public-Key-Pins "max-age=5184000; pin-sha256=\"sEQMIUbXSCbQQAMcCH7712u+cYCjFITlUSH/C1DEGHY=\";pin-sha256=\"9f3SRITO2UNdpnurhfJGLZqcaXJBUm3WRKRIKYiPARc=\";pin-sha256=\"sEQMIUbXSCbQQAMcCH7712u+cYCjFITlUSH/C1DEGHY=\";"
    ...
</VirtualHost>

You need to enable the headers module in Apache. On Ubuntu just do: 

# sudo a2enmod headers
Retrieved from "https://lars.timmann.de/wiki/index.php?title=SSL_and_TLS&oldid=875"