mirror of https://github.com/moparisthebest/curl synced 2024-12-22 08:08:50 -05:00

TODO: Add PINNEDPUBLICKEY - HPKP compatibility, HSTS & HPKP

Closes #1025
Closes #1026
Closes #1027
rugk 2016-09-19 16:23:38 +02:00 committed by Daniel Stenberg
parent a2b360f890
commit 31dd3bf674


@ -109,6 +109,9 @@
13.8 Support DANE
13.9 Support TLS v1.3
13.10 Support SSLKEYLOGFILE
13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
13.12 Support HSTS
13.13 Support HPKP
14. GnuTLS
14.1 SSL engine stuff
@ -718,6 +721,42 @@ that doesn't exist on the server, just like --ftp-create-dirs.
used as inspiration and guidance
https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c
13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
CURLOPT_PINNEDPUBLICKEY does not consider the hashes of intermediate & root
certificates when comparing the pinned keys. Therefore it is not compatible
with "HTTP Public Key Pinning" as there also intermediate and root certificates
can be pinned. This is very useful as it prevents webadmins from "locking
themself out of their servers".
Adding this feature would make curls pinning 100% compatible to HPKP and allow
more flexible pinning.
13.12 Support HSTS
"HTTP Strict Transport Security" is TOFU (trust on first use), time-based
features indicated by a HTTP header send by the webserver. It is widely used
in browsers and it's purpose is to prevent insecure HTTP connections after
a previous HTTPS connection. It protects against SSLStripping attacks.
Doc: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
RFC 6797: https://tools.ietf.org/html/rfc6797
13.13 Support HPKP
"HTTP Public Key Pinning" is TOFU (trust on first use), time-based
features indicated by a HTTP header send by the webserver. It's purpose is
to prevent Man-in-the-middle attacks by trusted CAs by allowing webadmins
to specify which CAs/certificates/public keys to trust when connection to
their websites.
It can be build based on PINNEDPUBLICKEY.
Wikipedia: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
OWASP: https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
Doc: https://developer.mozilla.org/de/docs/Web/Security/Public_Key_Pinning
RFC: https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21
14. GnuTLS
14.1 SSL engine stuff
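Review bot: in 13.13, "It can be build based on PINNEDPUBLICKEY" should read "built", and because 13.11 directly above states that CURLOPT_PINNEDPUBLICKEY only compares the leaf key while HPKP pins may name an intermediate or root key, 13.13 should cross-reference 13.11 as a prerequisite rather than imply HPKP can be layered on the option as it stands. The 13.12 and 13.13 openings also read "is TOFU (trust on first use), time-based features"; make it singular, "is a TOFU ..., time-based feature". Typos in the new text: "locking themself out" -> "themselves", "curls pinning" -> "curl's pinning", "a HTTP header send by" -> "an HTTP header sent by" (twice), "it's purpose" -> "its purpose" (twice), "when connection to" -> "when connecting to", "100% compatible to HPKP" -> "compatible with HPKP". The "RFC:" reference in 13.13 links the expired working draft (draft-ietf-websec-key-pinning-21); the published document is RFC 7469 (https://tools.ietf.org/html/rfc7469), so link that instead. The MDN link in 13.13 uses the /de/ locale whereas 13.12 uses /en-US/; use en-US for both for consistency.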