OCSP Public-Key-Pins Stapling

Hi everybody :slight_smile:
I run debian stable and apache 2.2 . After certificates renew something went wrong and i'm actually stucked to get key pinning back to work and acess my site .

that's what i have in my vhost configuration:

            # SSL Stapling
            SSLUseStapling on
            SSLStaplingReturnResponderErrors off
            SSLStaplingResponderTimeout 5

this is in ssl.conf

    SSLUseStapling On
    SSLStaplingReturnResponderErrors off
    SSLStaplingResponderTimeout 5
    SSLStaplingFakeTryLater on
    SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling_cache(256000)"
    SSLSessionCache "shmcb:${APACHE_RUN_DIR}/ssl_session_cache(1024000)

    SSLOCSPEnable on
    SSLOCSPResponseMaxAge 900
    SSLOCSPResponseTimeSkew 300

This the actual Public-Key-Pins header in etc/apache2/conf-enabled/security.conf is:

Header always set Public-Key-Pins: pin-sha256="z/Xe4Trd7UXr4XchpALhN6NF8TVhWF2aYpcG/L1XgLg="; pin-sha256="foCPjKncmc49lKun2CkK+GOrlq8GTyVIb7T6mHRkQ+4="; max-age=604800"

The first pin was taken from Let's Encrypt Authority X3 chain.pem using this command:

openssl x509 -noout -in /etc/letsencrypt/live/www.tcpreset.net/chain.pem -pubkey | openssl asn1parse -noout -inform pem -out /tmp/fingerprint.key; openssl dgst -sha256 -binary /tmp/fingerprint.key | openssl enc -base64

Than i used this for pinning the privkey.pem:

openssl rsa -pubout -outform der -in /etc/letsencrypt/live/www.tcpreset.net/privkey.pem | openssl dgst -sha256 -binary | base64

Tests on sslabs globalsign.ssllabs gave A+ for my server.
i don't see errors or warnings and i cannot access my site by firefox or chrome (midori does)
Hope i can get help on this.
Good night

tcpreset.net loads fine for me in both Chrome and Firefox.

What is the precise SSL error you are getting? This is the NET::ERR string shown by Google Chrome in small gray text, or the Technical Details section shown by Firefox.

EDIT: if you visit tcpreset.net you get a certificate that is only valid for www.tcpreset.net:

https://www.ssllabs.com/ssltest/analyze.html?d=tcpreset.net

Usually Chrome and Firefox automatically work around this misconfiguration, which is why I didn’t notice it at first, but it is probably the cause of your issue.

You can add a name to your existing certificate with the --expand option, e.g.:

sudo certbot --apache --expand -d www.tcpreset.net,tcpreset.net

(If you used a different method than --apache to authenticate your original certificate then you should also use that here.)

Hi,
At the time of writing my laptop which runs Linux Mint 18.3 Sylvia has chromium giving this error NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN
Firefox right now started working again. :slight_smile:

I checked your pins with ssllabs.com, hardenize.com, securityheaders.io, and report-uri.com and they all say it is valid.

Maybe the pinning was done incorrectly before and your browser has the old pin cached?

Can you reproduce the issue with a fresh profile? (You can use Chromium’s multiple users feature, a new Linux user account, or just mv ~/.config/chromium ~/.config/chromium.backup)

You show two pins.

Please speak about which files they were pinned from.

ALSO...
SSLLABS shows these two:
pin-sha256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
pin-sha256: foCPjKncmc49lKun2CkK+GOrlq8GTyVIb7T6mHRkQ+4=

Which don't match/include the new cert pin:
pin-sha256: z/Xe4Trd7UXr4XchpALhN6NF8TVhWF2aYpcG/L1XgLg=

On a positive note...
I like that the site has:
HSTS
CAA
4096 RSA cert
TLSv1.2 only
HPKP (temp misconfigured)

Where you could make some quick and effective improvements:

  1. Add ECDSA 384 cert support and prefer that over the RSA cert
  2. Include CHACHA20-POLY1305 cipher (for both certs)
  3. order the default "Supported Named Groups" (curves) from best to worst (for Apache try: SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409r1:sect409k1:secp384r1:brainpoolP512r1:brainpoolP384r1:brainpoolP256r1:sect283r1:sect283k1:secp256k1:prime256v1)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.