Posted to issues@trafficserver.apache.org by "Masaori Koshiba (JIRA)" <ji...@apache.org> on 2014/11/28 11:06:12 UTC

[jira] [Commented] (TS-3216) Add HPKP (Public Key Pinning Extension for HTTP) support

    [ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14228205#comment-14228205 ] 

Masaori Koshiba commented on TS-3216:
-------------------------------------

The attached patch, "hpkp-001.patch", does the following things.

1. Read public key from cert files, hash with SHA256 and encode to Base64.
2. Read public key from csr file, hash with SHA256 and encode to Base64.
3. Add the "Public-Key-Pins" header when the incoming request is HTTPS.

I have a few concerns about my patch.

1. I added an SSLCertContext field in SSLVConnection to get the SSLCertContext in HttpTransactHeaders.
2. I directly used the hash functions of OpenSSL, because I couldn't find any functions like "ATSHashSHA256".
   Should I add some wrapper functions under "lib/ts/" directory and use them?

Below is an example of ssl_multicert.config with HPKP.

{noformat}
dest_ip=* ssl_cert_name=ssl/s_yimg_jp.pem ssl_key_name=ssl/s_yimg_jp.key ssl_ca_name=ssl/s_yimg_jp_ca.pem hpkp_enabled=1 hpkp_max_age=300 hpkp_include_subdomains=1 hpkp_csr_name=ssl/s_yimg_jp.csr
{noformat}

> Add HPKP (Public Key Pinning Extension for HTTP) support
> --------------------------------------------------------
>
>                 Key: TS-3216
>                 URL: https://issues.apache.org/jira/browse/TS-3216
>             Project: Traffic Server
>          Issue Type: New Feature
>            Reporter: Masaori Koshiba
>         Attachments: hpkp-001.patch
>
>
> Add "Public Key Pinning Extension for HTTP" Support in Traffic Server.
> Public Key Pinning Extension for HTTP (draft-ietf-websec-key-pinning-21)
> - https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21



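The three steps listed in the comment above, as an added Python example that is not taken from hpkp-001.patch or from Traffic Server: it extracts the SubjectPublicKeyInfo from a DER certificate and a DER CSR, hashes each with SHA-256, Base64-encodes the result, and assembles the Public-Key-Pins value. All function names are hypothetical, the inputs are assumed to be already PEM-decoded, and rejecting a CSR that reuses the certificate's key is an assumption about why the CSR is configured.

```python
import base64
import hashlib

def children(der):
    """Split DER content into (tag, content, whole TLV) triples."""
    out, i = [], 0
    while i < len(der):
        n, j = der[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            n, j = int.from_bytes(der[j:j + (n & 0x7F)], "big"), j + (n & 0x7F)
        if j + n > len(der):
            raise ValueError("truncated DER")
        out.append((der[i], der[j:j + n], der[i:j + n]))
        i = j + n
    return out

def spki_of(der, is_csr):
    """Return the whole SubjectPublicKeyInfo TLV of a certificate or CSR."""
    fields = children(children(children(der)[0][1])[0][1])
    if is_csr:
        return fields[2][2]  # CertificationRequestInfo: version, subject, subjectPKInfo
    return fields[6 if fields[0][0] == 0xA0 else 5][2]  # v1 certs omit the [0] version

def pin(spki):
    """Base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def hpkp_header(cert_der, csr_der, max_age, include_subdomains):
    primary, backup = pin(spki_of(cert_der, False)), pin(spki_of(csr_der, True))
    if primary == backup:
        raise ValueError("CSR reuses the certificate key; it adds no second pin")
    value = f'pin-sha256="{primary}"; pin-sha256="{backup}"; max-age={max_age}'
    return value + ("; includeSubDomains" if include_subdomains else "")

# Constructed samples: DER skeletons with dummy key bytes, not real signed objects.
def tlv(tag, *parts):
    body = b"".join(parts)
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample(key, is_csr):
    spki = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")), tlv(0x05)), tlv(0x03, b"\x00" + key))
    if is_csr:
        info = tlv(0x30, tlv(0x02, b"\x00"), tlv(0x30), spki, tlv(0xA0))
    else:
        info = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), *[tlv(0x30)] * 4, spki)
    return tlv(0x30, info, tlv(0x30), tlv(0x03, b"\x00"))

EXAMPLE = hpkp_header(sample(b"\x11" * 270, False), sample(b"\x22" * 270, True), 300, True)  # hpkp_max_age=300, hpkp_include_subdomains=1
```

The pin covers the whole SubjectPublicKeyInfo structure, including its algorithm identifier, so hashing only the raw key bits or the full certificate produces a value that will not match.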