Commit f25602cc authored by Bob Mottram's avatar Bob Mottram

Set maximum pinning age

parent 6f0f3775
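--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -35,6 +35,9 @@ export TEXTDOMAINDIR="/usr/share/locale"
 WEBSITES_DIRECTORY=/etc/nginx/sites-available
+# 90 days
+PIN_MAX_AGE=7776000
 function pin_all_certs {
 if [ ! -d $WEBSITES_DIRECTORY ]; then
 return
@@ -52,7 +55,7 @@ function pin_all_certs {
 BACKUP_KEY_HASH=$(openssl rsa -in $BACKUP_KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
 if [ ${#BACKUP_KEY_HASH} -gt 5 ]; then
-PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=5184000; includeSubDomains';"
+PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=${PIN_MAX_AGE}; includeSubDomains';"
 sed -i "s|Public-Key-Pins.*|${PIN_HEADER}|g" $file
 echo $"Pinned $DOMAIN_NAME with keys $KEY_HASH $BACKUP_KEY_HASH"
 fi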
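Review bot: Raising max-age to 90 days widens the blast radius of a wrong pin, yet the only guard before the header is rewritten (`if [ ${#BACKUP_KEY_HASH} -gt 5 ]`) does not catch a failed `openssl rsa`: with no pipefail in effect, an unreadable or missing backup key gives empty input to `openssl dgst`, which still emits a valid-looking 44-character digest of the empty string, and that value would then be pinned for `PIN_MAX_AGE` seconds across all subdomains. I would tighten the check to the exact base64-SHA-256 length, `if [ ${#BACKUP_KEY_HASH} -eq 44 ]; then`, and run the pipeline under `set -o pipefail` (or test `openssl rsa` on its own first) so a bad key aborts instead of pinning garbage. The new constant would also benefit from a why-comment and protection against accidental reassignment, e.g. `readonly PIN_MAX_AGE=7776000  # 90 days; clients stay locked to these pins for this long if a key is lost`. Public-Key-Pins support has since been withdrawn from the major browsers, so the header now carries mostly lockout risk for little benefit. pin_all_certs continues outside the hunk.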