Hello, I am trying to implement Public Key Pinning on my Apache server running as a proxy for another web app, but it won't work (if I enter a wrong hash the page is still displayed instead of the error which should be shown in Firefox or Chrome). I am sure the header is correct – the hash is correct, I have tested it with Chrome.
My config data is:
<VirtualHost *:443>
    ServerName subdomain.*******.***:443
    SSLCertificateFile /etc/apache2/ssl/___.crt
    SSLCertificateKeyFile /etc/apache2/ssl/___.key
    SSLCertificateChainFile /etc/apache2/ssl/___.ca
    Header always set Public-Key-Pins "pin-sha256=\"****\"; pin-sha256=\"****\"; max-age=120; includeSubDomains"
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / ****:****/
    ProxyPassReverse / ****:****/
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
At first I only had one hash but I added a second one just in case this would be required. What am I doing wrong?
Note: Of course I have mod_headers enabled and loaded.
Two hashes are required and they must be two independent hashes, i.e. you cannot pin the cert and the intermediate cert that issued it, as they are not independent. This is a safety feature to ensure you have a backup in case you need it.
Additionally, a policy will only be accepted if it passes, so you cannot put in a fake policy and watch it fail, because it will never be accepted.
A good tool to check your policy is this one: https://report-uri.io/home/pkp_analyse and there are other tools on the same site to actually generate your policy: https://report-uri.io/home/pkp_hash
However you need to be VERY careful with HPKP. It's very easy to block your website and, hope you don't take this the wrong way, it doesn't sound like you fully understand HPKP so I would suggest you read about it some more first.
There is a Public-Key-Pins-Report-Only header (which is only available in Chrome at present), which allows you to test a policy for a bit (well, in Chrome at least), but for that you also need to use the report-uri option (you can also use the above site to collect your reports if you don't want to write your own service for this).
I've an active interest in this and, if people don't mind me linking here, I've blogged about it in much more detail here: https://www.tunetheweb.com/security/http-security-headers/hpkp/. I think it's potentially a very dangerous option that needs careful consideration before implementing.
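To make the acceptance rules from the answer concrete, here is an added example (not the answer's or the asker's code) that computes a pin-sha256 value from a DER-encoded SubjectPublicKeyInfo and reports why a browser would silently ignore a Public-Key-Pins header; the SPKI byte strings and pins at the bottom are constructed stand-ins, not real keys.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for a DER-encoded SubjectPublicKeyInfo (RFC 7469, 2.4).
    Same result as: openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin
      -outform der | openssl dgst -sha256 -binary | openssl enc -base64
    """
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp(header: str):
    """Split a Public-Key-Pins value into (pins, other directives)."""
    pins, directives = [], {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name:
            directives[name] = value
    return pins, directives


def check_policy(header: str, chain_pins: list) -> list:
    """Reasons a browser would ignore this header; chain_pins = spki_pin() of every served cert."""
    pins, directives = parse_pkp(header)
    problems = []
    for pin in pins:
        try:
            raw = base64.b64decode(pin, validate=True)
        except (ValueError, TypeError):
            raw = b""
        if len(raw) != 32:
            problems.append(f"not a base64 SHA-256 digest: {pin!r}")
    if not directives.get("max-age", "").isdigit():
        problems.append("max-age missing or not a number")
    if len(set(pins)) < 2:
        problems.append("fewer than two distinct pins")
    if not any(p in chain_pins for p in pins):
        problems.append("no pin matches the served chain")
    if not any(p not in chain_pins for p in pins):  # RFC 7469 2.5: a backup pin is mandatory
        problems.append("no backup pin (every pin is already in the chain)")
    return problems


# Constructed sample inputs: byte strings standing in for real DER SPKI blobs.
LEAF_PIN = spki_pin(b"constructed leaf SPKI")
INTERMEDIATE_PIN = spki_pin(b"constructed intermediate SPKI")
BACKUP_PIN = spki_pin(b"constructed backup-key SPKI")
SERVED_CHAIN = [LEAF_PIN, INTERMEDIATE_PIN]
```

An empty list from check_policy means the header would be noted by the browser; pinning the leaf plus its issuing intermediate, or a pair of made-up hashes, both return a reason instead.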