Set maximum pinning age
parent
6f0f37757e
commit
f25602ccd1
|
@ -35,6 +35,9 @@ export TEXTDOMAINDIR="/usr/share/locale"
|
||||||
|
|
||||||
WEBSITES_DIRECTORY=/etc/nginx/sites-available
|
WEBSITES_DIRECTORY=/etc/nginx/sites-available
|
||||||
|
|
||||||
|
# 90 days
|
||||||
|
PIN_MAX_AGE=7776000
|
||||||
|
|
||||||
function pin_all_certs {
|
function pin_all_certs {
|
||||||
if [ ! -d $WEBSITES_DIRECTORY ]; then
|
if [ ! -d $WEBSITES_DIRECTORY ]; then
|
||||||
return
|
return
|
||||||
|
@ -52,7 +55,7 @@ function pin_all_certs {
|
||||||
BACKUP_KEY_HASH=$(openssl rsa -in $BACKUP_KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
|
BACKUP_KEY_HASH=$(openssl rsa -in $BACKUP_KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
|
||||||
if [ ${#BACKUP_KEY_HASH} -gt 5 ]; then
|
if [ ${#BACKUP_KEY_HASH} -gt 5 ]; then
|
||||||
|
|
||||||
PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=5184000; includeSubDomains';"
|
PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=${PIN_MAX_AGE}; includeSubDomains';"
|
||||||
sed -i "s|Public-Key-Pins.*|${PIN_HEADER}|g" $file
|
sed -i "s|Public-Key-Pins.*|${PIN_HEADER}|g" $file
|
||||||
echo $"Pinned $DOMAIN_NAME with keys $KEY_HASH $BACKUP_KEY_HASH"
|
echo $"Pinned $DOMAIN_NAME with keys $KEY_HASH $BACKUP_KEY_HASH"
|
||||||
fi
|
fi
|
||||||
|
|
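Review bot: The new `max-age=${PIN_MAX_AGE}` (90 days, up from 5184000) with `includeSubDomains` lengthens the time a returning client refuses the site when a pin is wrong, yet the only validation of the backup pin in this hunk is `[ ${#BACKUP_KEY_HASH} -gt 5 ]`. If `openssl rsa` cannot read `$BACKUP_KEY_FILENAME`, the remaining pipeline stages still hash empty input and produce a 44-character base64 string, so the length test passes and an unusable backup pin is written (unless `pipefail` is set outside the visible lines). Consider verifying the key before hashing, for example by running `openssl rsa -in "$BACKUP_KEY_FILENAME" -noout` and skipping the site when it fails, and tightening the test to `-eq 44`. The same probably applies to `KEY_HASH`, which is computed outside the hunk. `pin_all_certs` begins in the first hunk and its body continues beyond both hunks.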