
How to configure (and test) the Public Key Pinning in Apache Http?

Question asked by j-mailor on Sep 9, 2014
Latest reply on Sep 10, 2014 by Ivan Ristić

Hi,

When SSL/TLS was constructed, the intention was to have only a few very trustworthy SSL/TLS root authorities. But nowadays a lot of root authority certificates are automatically built into web browsers. Several MITM attacks have been reported that involved questionable trusted root authorities. To get over this problem, Public Key Pinning was designed: it is set on the web server for a specific domain so that only a specific root authority that it trusts is accepted, and if the browser recognizes that the certificate for this particular domain is signed by some other root authority, the browser refuses the connection. Firefox 32, released a few days back, now supports this pinning feature. For details read: http://www.ghacks.net/2014/08/28/public-key-pinning-in-firefox-32-to-protect-against-mitm-attacks/

I have searched the web and couldn't find anything useful on how to configure pinning in a web server like Apache.

 

Questions:

1. How to configure Public Key Pinning in Apache HTTP 2.4 (is this feature even supported)?

2. Is there any real test to find out whether this pinning is really working? Maybe the ssllabs.com test?

Thanks
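Since the reply itself is not reproduced on this page, here is an added example (my own, not from the original thread, from Apache, or from Qualys) showing the three things the question asks about: what an HPKP pin actually is (a base64 SHA-256 of the DER SubjectPublicKeyInfo, per RFC 7469, not a hash of the root certificate), how that becomes a `Header always set Public-Key-Pins ...` line for `mod_headers` in the TLS virtual host, and a static check of the header value plus the match a pinning browser performs against the served chain. The RSA moduli are constructed toy numbers, not real keys; the header name, directive names and pin format are those of RFC 7469. Note that major browsers have since dropped HPKP support, so today this is mostly of historical and diagnostic interest.

```python
import base64
import hashlib
import re

# ---- minimal DER encoder: just enough to build an RSA SubjectPublicKeyInfo ----

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def _der_int(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                      # DER INTEGER is signed: keep it positive
        body = b"\x00" + body
    return _der(0x02, body)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1

def rsa_spki_der(modulus, exponent):
    """DER SubjectPublicKeyInfo wrapping an RSAPublicKey (RFC 5280 / RFC 8017 layout)."""
    rsa_public_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    algorithm_id = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    # BIT STRING: leading 0x00 byte = no unused bits
    return _der(0x30, algorithm_id + _der(0x03, b"\x00" + rsa_public_key))

def spki_pin(spki_der):
    """HPKP pin as RFC 7469 defines it: base64(SHA-256(DER SubjectPublicKeyInfo)).
    The hash covers the public key, not the certificate, so the pin survives a
    re-issue with the same key and breaks if the key is rotated without new pins."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def apache_hpkp_directive(pins, max_age=5184000, include_subdomains=False, report_uri=None):
    """Render the mod_headers line for the <VirtualHost *:443> block.
    Inner double quotes are backslash-escaped as Apache's quoted-string syntax requires."""
    directives = ['pin-sha256=\\"%s\\"' % pin for pin in pins]
    directives.append("max-age=%d" % max_age)
    if include_subdomains:
        directives.append("includeSubDomains")
    if report_uri:
        directives.append('report-uri=\\"%s\\"' % report_uri)
    return 'Header always set Public-Key-Pins "%s"' % "; ".join(directives)

_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')

def check_hpkp_header(value):
    """Static checks on a Public-Key-Pins header value; returns a list of problems ([] = OK)."""
    problems = []
    pins = _PIN_RE.findall(value)
    if len(pins) < 2:
        problems.append("fewer than two pins: RFC 7469 requires a backup pin for a key "
                        "that is NOT in the served chain, or a key rotation locks clients out")
    for pin in pins:
        try:
            raw = base64.b64decode(pin, validate=True)
        except ValueError:
            raw = b""
        if len(raw) != 32:
            problems.append("pin %s is not a base64-encoded SHA-256 digest" % pin)
    max_age = re.search(r"max-age=(\d+)", value)
    if max_age is None:
        problems.append("max-age is required")
    elif int(max_age.group(1)) == 0:
        problems.append("max-age=0 tells browsers to forget the pins, not to set them")
    return problems

def chain_matches_pins(chain_spki_ders, pins):
    """What a pinning browser does on each connection: the chain is accepted only if
    at least one SubjectPublicKeyInfo in it hashes to one of the remembered pins."""
    return any(spki_pin(spki) in pins for spki in chain_spki_ders)

# Constructed toy key material (NOT real keys; real RSA moduli are 2048+ bits).
LIVE_KEY   = (0xC4F1A2E9B7D35C0B6A3F18D2E94C7B5A61F3D8C2A9E07B4D5C6F1A2B3C4D5E6F, 65537)
BACKUP_KEY = (0xB1E2D3C4F5A6978889A7B6C5D4E3F2011223344556677889900AABBCCDDEEFF1, 65537)
ROGUE_KEY  = (0xA0B1C2D3E4F5061728394A5B6C7D8E9F0011223344556677889900AABBCCDDEE, 65537)

LIVE_PIN   = spki_pin(rsa_spki_der(*LIVE_KEY))
BACKUP_PIN = spki_pin(rsa_spki_der(*BACKUP_KEY))   # backup key stays offline; only its pin is published
GOOD_HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains' % (LIVE_PIN, BACKUP_PIN)

if __name__ == "__main__":
    print(apache_hpkp_directive([LIVE_PIN, BACKUP_PIN], include_subdomains=True))
    print("header checks:", check_hpkp_header(GOOD_HEADER) or "OK")
    print("served chain matches:", chain_matches_pins([rsa_spki_der(*LIVE_KEY)], [LIVE_PIN, BACKUP_PIN]))
    print("MITM cert with another key matches:", chain_matches_pins([rsa_spki_der(*ROGUE_KEY)], [LIVE_PIN, BACKUP_PIN]))
```

On a real server you would not build the SPKI by hand: the pin for an existing certificate is `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`, and the same pipeline on the offline backup key (starting from `openssl pkey -in backup.key -pubout -outform der`) gives the second pin. Put the directive only in the HTTPS virtual host (RFC 7469 says browsers ignore the header over plain HTTP), start with a short `max-age` so a mistake cannot lock clients out for months, and confirm the header is actually served with `curl -sI https://example.com/` before trusting any scanner's verdict.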
