reference:
http://socpuppet.blogspot.com/2016/04/dns-caa-records-for-certifications.html
Another way to improve your SSL Labs result is to enable HPKP (HTTP Public Key Pinning). It is simple to set up: if you can inject the HTTP header "Public-Key-Pins:" carrying the pin, a browser that has seen it will refuse later connections whose certificate chain does not contain one of the pinned keys.
Here's a typical A+ score as seen on SSL Labs for a website I recently built:
I'm going to focus on HPKP pinning.
First, finding your HTTPS site's public key is simple,
e.g.
echo | openssl s_client -connect www.example.com:443 -servername www.example.com 2>/dev/null | openssl x509 -noout -pubkey > yoursitepub.key
The above writes the server certificate's public key, PEM-encoded, to yoursitepub.key. The pin value itself is the base64-encoded SHA-256 digest of that key's DER-encoded SubjectPublicKeyInfo, so the PEM file is only the starting point.
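The steps above carried through end to end, as an added example that is not code from the original post: it computes pin-sha256 values with nothing but the openssl CLI, checks their shape, and assembles the Public-Key-Pins header together with the backup pin that RFC 7469 requires (a pin for a key that is not in the served chain, so you can rotate without locking visitors out). The leaf certificate, its key and the backup key are all constructed on the fly; the host name www.example.com and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: compute HPKP pin-sha256 values
# and assemble a Public-Key-Pins header that carries a backup pin.
# Assumes only the openssl command-line tool. Every key and certificate used
# here is generated on the fly as constructed test material.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# pin-sha256 = base64( SHA-256( DER-encoded SubjectPublicKeyInfo ) )
# Reads a PEM public key on stdin, writes the 44-character pin on stdout.
spki_pin_from_pubkey() {
    openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64
}

# Pin of the key actually inside a certificate (what the live site serves).
hpkp_pin_from_cert() {
    openssl x509 -in "$1" -noout -pubkey | spki_pin_from_pubkey
}

# Pin of a private key that is NOT yet in any certificate (the backup pin).
hpkp_pin_from_key() {
    openssl pkey -in "$1" -pubout | spki_pin_from_pubkey
}

# A pin is 32 digest bytes in base64: exactly 44 characters ending in one '='.
pin_is_well_formed() {
    [ "${#1}" -eq 44 ] && [ "${1%=}" != "$1" ] && [ "${1%==}" = "$1" ]
}

# Header with the served pin plus a backup pin, as RFC 7469 requires.
# $1 = live pin, $2 = backup pin, $3 = max-age in seconds.
build_pkp_header() {
    printf 'Public-Key-Pins: pin-sha256="%s"; pin-sha256="%s"; max-age=%s; includeSubDomains\n' \
        "$1" "$2" "$3"
}

# --- constructed test material ------------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Leaf key and a self-signed certificate standing in for the live site cert.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/leaf.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/leaf.key" -subj "/CN=www.example.com" \
    -days 30 -out "$WORK/leaf.crt" 2>/dev/null
# Backup key: generated offline, kept off the web server, not yet in any cert.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/backup.key" 2>/dev/null

PIN_LIVE=$(hpkp_pin_from_cert "$WORK/leaf.crt")
PIN_BACKUP=$(hpkp_pin_from_key "$WORK/backup.key")

pin_is_well_formed "$PIN_LIVE"   || { echo "bad live pin" >&2; exit 1; }
pin_is_well_formed "$PIN_BACKUP" || { echo "bad backup pin" >&2; exit 1; }

# 5184000 s = 60 days. Start with a far smaller max-age while testing, so a
# wrong pin ages out of visitors' browsers quickly instead of bricking the site.
build_pkp_header "$PIN_LIVE" "$PIN_BACKUP" 5184000
```

The pin of the served certificate and the pin of its private key are the same value, which is why you can pre-compute a backup pin from a key that has never been submitted to a CA; keep that key offline and only put its pin in the header.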
Alternatively, you can use the quick HPKP calculator ;)
https://hpkpcalc.github.io/calculator.html
Helpful tools:
https://report-uri.io/home/pkp_analyse
https://securityheaders.io/
https://crt.sh
On an F5, you can insert the public key pin header from within an LTM policy:
http://socpuppet.blogspot.com/2017/10/building-http-pkp-header-for-insert.html
Now keep in mind that Google has since deprecated HPKP in Chrome and points to the Expect-CT header instead, so check current browser support before relying on pinning.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
YMMV
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \