OCSP Public-Key-Pins Stapling


#1

Hi everybody :)
I run Debian stable and Apache 2.2. After the certificates renewed something went wrong, and I’m actually stuck trying to get key pinning working again and to access my site.

This is what I have in my vhost configuration:

            # SSL Stapling
            SSLUseStapling on
            SSLStaplingReturnResponderErrors off
            SSLStaplingResponderTimeout 5

This is in ssl.conf:

    SSLUseStapling On
    SSLStaplingReturnResponderErrors off
    SSLStaplingResponderTimeout 5
    SSLStaplingFakeTryLater on
    SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling_cache(256000)"
    SSLSessionCache "shmcb:${APACHE_RUN_DIR}/ssl_session_cache(1024000)"

    SSLOCSPEnable on
    SSLOCSPResponseMaxAge 900
    SSLOCSPResponseTimeSkew 300

This is the actual Public-Key-Pins header in etc/apache2/conf-enabled/security.conf:

    Header always set Public-Key-Pins: "pin-sha256=\"z/Xe4Trd7UXr4XchpALhN6NF8TVhWF2aYpcG/L1XgLg=\"; pin-sha256=\"foCPjKncmc49lKun2CkK+GOrlq8GTyVIb7T6mHRkQ+4=\"; max-age=604800"

The first pin was taken from Let’s Encrypt Authority X3 chain.pem using this command:

    openssl x509 -noout -in /etc/letsencrypt/live/www.tcpreset.net/chain.pem -pubkey | openssl asn1parse -noout -inform pem -out /tmp/fingerprint.key; openssl dgst -sha256 -binary /tmp/fingerprint.key | openssl enc -base64

Then I used this for pinning the privkey.pem:

    openssl rsa -pubout -outform der -in /etc/letsencrypt/live/www.tcpreset.net/privkey.pem | openssl dgst -sha256 -binary | base64

Tests on ssllabs (globalsign.ssllabs) gave A+ for my server.
I don’t see errors or warnings, and I cannot access my site with Firefox or Chrome (Midori can).
Hope I can get help on this.
Good night


#2

tcpreset.net loads fine for me in both Chrome and Firefox.

What is the precise SSL error you are getting? This is the NET::ERR string shown by Google Chrome in small gray text, or the Technical Details section shown by Firefox.

EDIT: if you visit tcpreset.net you get a certificate that is only valid for www.tcpreset.net:

https://www.ssllabs.com/ssltest/analyze.html?d=tcpreset.net

Usually Chrome and Firefox automatically work around this misconfiguration, which is why I didn’t notice it at first, but it is probably the cause of your issue.

You can add a name to your existing certificate with the --expand option, e.g.:

    sudo certbot --apache --expand -d www.tcpreset.net,tcpreset.net

(If you used a different method than --apache to authenticate your original certificate then you should also use that here.)


#3

Hi,
At the time of writing, on my laptop, which runs Linux Mint 18.3 Sylvia, Chromium is giving this error: NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN
Firefox just now started working again. :)


#4

I checked your pins with ssllabs.com, hardenize.com, securityheaders.io, and report-uri.com and they all say it is valid.

Maybe the pinning was done incorrectly before and your browser has the old pin cached?

Can you reproduce the issue with a fresh profile? (You can use Chromium’s multiple users feature, a new Linux user account, or just mv ~/.config/chromium ~/.config/chromium.backup)


#5

You show two pins.

Please say which files they were pinned from.

ALSO…
SSLLABS shows these two:
pin-sha256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
pin-sha256: foCPjKncmc49lKun2CkK+GOrlq8GTyVIb7T6mHRkQ+4=

Which don’t match/include the new cert pin:
pin-sha256: z/Xe4Trd7UXr4XchpALhN6NF8TVhWF2aYpcG/L1XgLg=

On a positive note…
I like that the site has:
HSTS
CAA
4096 RSA cert
TLSv1.2 only
HPKP (temp misconfigured)

Where you could make some quick and effective improvements:

  1. Add ECDSA 384 cert support and prefer that over the RSA cert
  2. Include CHACHA20-POLY1305 cipher (for both certs)
  3. Order the default “Supported Named Groups” (curves) from best to worst (for Apache try: SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409r1:sect409k1:secp384r1:brainpoolP512r1:brainpoolP384r1:brainpoolP256r1:sect283r1:sect283k1:secp256k1:prime256v1)
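
As an added example (not part of the thread and not any poster's code), these POSIX shell functions recompute SPKI pins with openssl and check a Public-Key-Pins value against the certificates the server presents, which is the mismatch NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN reports. The function names and the one-PEM-file-per-certificate calling convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): compare Public-Key-Pins values with
# the SPKI hashes of the certificates a server actually presents.

# Base64 SHA-256 of the SubjectPublicKeyInfo of the FIRST certificate in a PEM file.
spki_pin_from_cert() {
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform der |
    openssl dgst -sha256 -binary | openssl enc -base64
}

# The same hash derived from a private key (RSA or EC), e.g. privkey.pem.
spki_pin_from_key() {
  openssl pkey -in "$1" -pubout -outform der |
    openssl dgst -sha256 -binary | openssl enc -base64
}

# Print every pin-sha256 value of a header value, one per line.
header_pins() {
  printf '%s\n' "$1" | tr ';' '\n' |
    sed -n 's|^[[:space:]]*pin-sha256="\{0,1\}\([A-Za-z0-9+/=]*\)"\{0,1\}[[:space:]]*$|\1|p'
}

# check_hpkp HEADER_VALUE CERT.pem...
# Pass one PEM file per served certificate (leaf, intermediate, ...).
# Succeeds only if at least one pin matches a served certificate and at
# least one pin matches none of them (the backup pin RFC 7469 requires).
check_hpkp() {
  header=$1; shift
  served=$(for f in "$@"; do spki_pin_from_cert "$f"; done)
  matched=0; backup=0
  while IFS= read -r pin; do
    [ -n "$pin" ] || continue
    if printf '%s\n' "$served" | grep -qxF -e "$pin"; then
      matched=$((matched + 1)); echo "match:  $pin"
    else
      backup=$((backup + 1)); echo "backup: $pin (not in served chain)"
    fi
  done <<EOF
$(header_pins "$header")
EOF
  [ "$matched" -ge 1 ] && [ "$backup" -ge 1 ]
}
```

Run the check after every renewal and before reloading the web server: a non-zero exit status means the header would lock out browsers that honour it, or that it lacks a backup pin.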
