mirror of
https://github.com/moparisthebest/curl
synced 2024-12-22 16:18:48 -05:00
TODO: Add PINNEDPUBLICKEY - HPKP compatibility, HSTS & HPKP
Closes #1025 Closes #1026 Closes #1027
This commit is contained in:
parent
a2b360f890
commit
31dd3bf674
39
docs/TODO
39
docs/TODO
@ -109,6 +109,9 @@
|
|||||||
13.8 Support DANE
|
13.8 Support DANE
|
||||||
13.9 Support TLS v1.3
|
13.9 Support TLS v1.3
|
||||||
13.10 Support SSLKEYLOGFILE
|
13.10 Support SSLKEYLOGFILE
|
||||||
|
13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
|
||||||
|
13.12 Support HSTS
|
||||||
|
13.13 Support HPKP
|
||||||
|
|
||||||
14. GnuTLS
|
14. GnuTLS
|
||||||
14.1 SSL engine stuff
|
14.1 SSL engine stuff
|
||||||
@ -718,6 +721,42 @@ that doesn't exist on the server, just like --ftp-create-dirs.
|
|||||||
used as inspiration and guidance
|
used as inspiration and guidance
|
||||||
https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c
|
https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c
|
||||||
|
|
||||||
|
13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
|
||||||
|
|
||||||
|
CURLOPT_PINNEDPUBLICKEY does not consider the hashes of intermediate & root
|
||||||
|
certificates when comparing the pinned keys. Therefore it is not compatible
|
||||||
|
with "HTTP Public Key Pinning" as there also intermediate and root certificates
|
||||||
|
can be pinned. This is very useful as it prevents webadmins from "locking
|
||||||
|
themself out of their servers".
|
||||||
|
|
||||||
|
Adding this feature would make curls pinning 100% compatible to HPKP and allow
|
||||||
|
more flexible pinning.
|
||||||
|
|
||||||
|
13.12 Support HSTS
|
||||||
|
|
||||||
|
"HTTP Strict Transport Security" is TOFU (trust on first use), time-based
|
||||||
|
features indicated by a HTTP header send by the webserver. It is widely used
|
||||||
|
in browsers and it's purpose is to prevent insecure HTTP connections after
|
||||||
|
a previous HTTPS connection. It protects against SSLStripping attacks.
|
||||||
|
|
||||||
|
Doc: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
|
||||||
|
RFC 6797: https://tools.ietf.org/html/rfc6797
|
||||||
|
|
||||||
|
13.13 Support HPKP
|
||||||
|
|
||||||
|
"HTTP Public Key Pinning" is TOFU (trust on first use), time-based
|
||||||
|
features indicated by a HTTP header send by the webserver. It's purpose is
|
||||||
|
to prevent Man-in-the-middle attacks by trusted CAs by allowing webadmins
|
||||||
|
to specify which CAs/certificates/public keys to trust when connection to
|
||||||
|
their websites.
|
||||||
|
|
||||||
|
It can be build based on PINNEDPUBLICKEY.
|
||||||
|
|
||||||
|
Wikipedia: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
|
||||||
|
OWASP: https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
|
||||||
|
Doc: https://developer.mozilla.org/de/docs/Web/Security/Public_Key_Pinning
|
||||||
|
RFC: https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21
|
||||||
|
|
||||||
14. GnuTLS
|
14. GnuTLS
|
||||||
|
|
||||||
14.1 SSL engine stuff
|
14.1 SSL engine stuff
|
||||||
|
Loading…
Reference in New Issue
Block a user