httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Scott (" <>
Subject Re: [users@httpd] How is this possible? Apache sends HSTS on a non valid cert but user can proceed, on compatible browser
Date Thu, 09 Oct 2014 22:09:38 GMT
I am not sure whether I agree that that violates the RFC. The connection
does fail it just allows the user to override it.

In my opinion, I think that this is the only secure way to "fail" an
authenticated HSTS header otherwise anybody could in theory activate HSTS
on a host.

The same paragraph then goes to on to say that if you want to use a HSTS
policy with the host then distribute the CA certificate and then of course
it works as expected with No User Recourse.

Kind Regards,


First Class Watches
9 Warwick Road
United Kingdom

On 9 October 2014 22:27, Eddie B <> wrote:

> The cert is self signed. Whats is the conclusion, chrome is violating the
> RFC? It DOES let me proceed.
> On 10/6/14 5:52 PM, Scott ( wrote:
> > Hello,
> >
> > Not strictly a httpd specific issue but nevertheless, Chrome/Firefox
> > should ignore the header because it is not delivered with a valid
> > certificate and thus there is no way of knowing if it was actually
> > issued by the website.
> Spec says in this exact case, the TLS connection should be refused:
> > You should get the expected result if you first respond with an HSTS
> > header in a valid TLS request and then /future/ requests should be
> > prevented from proceeding if there is a certificate error.
> >
> > This is why HSTS are being preloaded for major websites as that would
> > to cover the first request. For your average website there isn't
> > currently a solution to this.
> - -chris
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

View raw message