
How to turn off HPKP and HSTS

Most people are already fairly familiar with HSTS, but HPKP may be less well known. In short, because of the way CAs work, someone else could have a certificate for your site issued by another CA, so you need a header that declares what the fingerprint of your site's certificate is.
For an introduction to HSTS and HPKP, see these two articles by Jerry Qu:

Both HSTS and HPKP are delivered to the browser in response headers, and the browser caches them according to max-age. So once HSTS or HPKP has been added, rolling it back is not as convenient as rolling back a program on the server side.

You may run into the need to turn them off or remove them in the following situations:

HSTS: when the ops team first moved to HTTPS, they enabled HSTS, even with includeSubDomains; some old clients calling HTTP endpoints were redirected to HTTPS and failed because of SNI, cipher-suite compatibility and similar problems;

HPKP: whether the pins were generated from the root certificate, an intermediate certificate or the site certificate, and although HPKP has a backup mechanism (sending several pin-sha256 values), you still have to be prepared to turn HPKP off when something goes wrong with the certificates. Also remember to add report-uri, so that when something does go wrong the server side can proactively discover the reports.

Personally I think HPKP and HSTS are really too alike in design, as the following example shows:

HSTS:

Strict-Transport-Security: max-age=31536000; includeSubDomains

HPKP:

Public-Key-Pins:
      pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=";
      pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=";
      pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=";
      max-age=10000; includeSubDomains

So the way to turn off, or rather remove, HSTS or HPKP is the same as well:

namely, set the max-age field to 0.

Let's look at the RFCs:

HSTS (RFC 6797):

The max-age value is essentially a "time to live" value relative
to the reception time of the STS header field.

If the max-age header field value token has a value of zero, the
UA MUST remove its cached HSTS Policy information (including the
includeSubDomains directive, if asserted) if the HSTS Host is
known, or the UA MUST NOT note this HSTS Host if it is not yet
known.

HPKP (RFC 7469):

The max-age value is essentially a "time to live" value relative to
the time of the most recent observation of the PKP header field.  If
the max-age header field value token has a value of 0, the UA MUST
remove its cached Pinning Policy information (including the
includeSubDomains directive, if asserted) if the Pinned Host is
Known, or, MUST NOT note this Pinned Host if it is not yet Known.

They really are alike... practically copied word for word.
The definition of includeSubDomains is also the same in both.
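To make the cached-policy rules quoted from the two RFCs concrete, here is an added example (not code from the original post) that models a user agent's HSTS/HPKP policy cache in Python: a header with a positive max-age stores or refreshes the entry, and a header with max-age=0 removes a known host (together with its includeSubDomains flag) and is ignored for an unknown host. The cache layout and function names are this example's own assumptions.

```python
import time

# Toy model of a browser's HSTS/HPKP policy cache, following the max-age
# semantics of RFC 6797 / RFC 7469 quoted above. Added example, not from
# the original post; the dict layout is an assumption of this example.

def parse_directives(header_value):
    """Split 'max-age=0; includeSubDomains' into a dict of directives.
    Names are case-insensitive; every pin-sha256 value is collected."""
    directives = {"pin-sha256": []}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            directives["pin-sha256"].append(value)
        else:
            directives[name] = value
    return directives

def apply_policy_header(cache, host, header_value, now=None):
    """Update cache (host -> policy) as a UA does on receiving an STS or
    PKP header over TLS. max-age=0 removes a known host and is ignored
    for an unknown one; any other max-age (re)sets the expiry."""
    now = time.time() if now is None else now
    d = parse_directives(header_value)
    try:
        max_age = int(d["max-age"])
    except (KeyError, ValueError):
        return cache  # a header without a valid max-age is ignored
    if max_age == 0:
        cache.pop(host, None)  # "turn off": forget the policy if known
        return cache
    cache[host] = {
        "expires": now + max_age,
        "include_subdomains": "includesubdomains" in d,
        "pins": d["pin-sha256"],
    }
    return cache

def is_policy_active(cache, host, now=None):
    """True if host, or a parent with includeSubDomains, has a live policy."""
    now = time.time() if now is None else now
    labels = host.split(".")
    for i in range(len(labels)):
        policy = cache.get(".".join(labels[i:]))
        if policy is None or policy["expires"] <= now:
            continue
        if i == 0 or policy["include_subdomains"]:
            return True
    return False
```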

This article is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
If you reprint it, please indicate the source: http://fangpeishi.com/turn_off_hkpk_hsts.html