Set maximum pinning age

2016-08-10 10:02:04 +01:00 · 2016-08-10 10:02:04 +01:00 · f25602ccd1
parent 6f0f37757e
commit f25602ccd1
1 changed files with 4 additions and 1 deletions
--- a/src/freedombone-pin-cert
+++ b/src/freedombone-pin-cert
@ -35,6 +35,9 @@ export TEXTDOMAINDIR="/usr/share/locale"

 WEBSITES_DIRECTORY=/etc/nginx/sites-available

+# 90 days
+PIN_MAX_AGE=7776000
+
 function pin_all_certs {
    if [ ! -d $WEBSITES_DIRECTORY ]; then
        return
@ -52,7 +55,7 @@ function pin_all_certs {
                    BACKUP_KEY_HASH=$(openssl rsa -in $BACKUP_KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
                    if [ ${#BACKUP_KEY_HASH} -gt 5 ]; then

-                        PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=5184000; includeSubDomains';"
+                        PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=${PIN_MAX_AGE}; includeSubDomains';"
                        sed -i "s|Public-Key-Pins.*|${PIN_HEADER}|g" $file
                        echo $"Pinned $DOMAIN_NAME with keys $KEY_HASH $BACKUP_KEY_HASH"
                    fi