Closed
Bug 1178251
Opened 9 years ago
Closed 9 years ago
Strict Transport Security (HSTS) site with correct header but self-signed cert console logs that the header is "invalid"
Categories: Core :: Security: PSM, defect
Tracking: RESOLVED DUPLICATE of bug 1124649
People: Reporter: afattahi, Unassigned, Mentored
Details: Keywords: in-triage, Whiteboard: [good next bug]
Attachments (1 file): image/jpeg (deleted)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150525141253
Steps to reproduce:
Spring Security (4.0.1.Release) sets the HSTS host by default for the https protocol, and you can see Strict-Transport-Security: max-age=31536000 ; in the response header (I used Firefox > Web Development > Network).
But when I look at the Firefox console I see an error which says: The site specified an invalid Strict-Transport-Security header.
Screenshot is attached.
Actual results:
See HSTS error log
Expected results:
No error log displayed
Comment 1•9 years ago
Does it work if you remove the space after the max-age value and before the ";"? Do you have a test site that we can access in order to reproduce?
Group: core-security
Flags: needinfo?(afattahi)
Updated•9 years ago
Group: core-security
Updated•9 years ago
Group: core-security
Reporter
Comment 2•9 years ago
Yes, I have removed the space and also changed the https port to the default port (443), but it did not solve it. The site is not live yet!
Flags: needinfo?(afattahi)
Comment 3•9 years ago
Can you provide a reduced testcase that is public (maybe publicize just an example empty web app under a test URL that serves "hello world" through spring security configured with the headers as in your example)?
As it is, there isn't really enough information here for me to figure out what's going wrong.
Flags: needinfo?(afattahi)
Comment 4•9 years ago
An alternative thing to do would be to run Firefox from the commandline with logging. First set the environment variables:
set NSPR_LOG_FILE=/path/to/file.log
set NSPR_LOG_MODULES="nsSSService:5"
(use "export" if on Linux/OSX)
and then open Firefox and open the site, and see if there is log output that clarifies what's going wrong.
Does the security indicator indicate that SSL/TLS is working as expected? Your screenshot does not include that part of the browser window.
Reporter
Comment 5•9 years ago
I set the log and it did not generate any logs. Do other browsers generate any log when HSTS goes wrong?! I can test the site with them and send you more info.
Flags: needinfo?(afattahi)
Comment 6•9 years ago
(In reply to afattahi@yahoo.com from comment #5)
> I set the log and did not generate any logs.
This works for me, and I've never seen NSPR logging not work. Are you sure you set the environment variables correctly before starting Firefox (and while starting Firefox from the terminal where you set them)?
> Are other browsers generate any log when HSTS goes wrong?!
I don't know, but if this also doesn't work in Chrome (or others), it sounds like it's an issue with your site rather than Firefox, and you want somewhere like stackoverflow instead of here.
Flags: needinfo?(afattahi)
Keywords: in-triage
Reporter
Comment 7•9 years ago
I see a post at http://stackoverflow.com/questions/28367305/the-site-specified-an-invalid-strict-transport-security-header-firebug
This seems to be the problem when the SSL cert is self-signed. (Well, I cannot test it now.)
Flags: needinfo?(afattahi)
Comment 8•9 years ago
In this case, could we improve the message to not say the header is invalid, but say something about the security state of the site instead?
Component: Untriaged → Security: PSM
Flags: needinfo?(dkeeler)
Product: Firefox → Core
Summary: Security with HTTP Strict Transport Security (HSTS) with correct header still generates error log in console → Strict Transport Security (HSTS) site with correct header but self-signed cert console logs that the header is "invalid"
Yes, this is certainly something that could be improved.
Mentor: dkeeler
Flags: needinfo?(dkeeler)
Whiteboard: [good next bug]
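The two failure modes discussed in this bug are easy to conflate in a single "invalid header" message: a header that does not parse, and a header that parses fine but must be ignored because the TLS connection had certificate errors (RFC 6797 section 8.1 says a UA must not note a host as a Known HSTS Host over a connection with underlying secure transport errors, which is the self-signed case from comment 7). The Python below is an added example, not Firefox's parser or anything from this bug; it parses a Strict-Transport-Security value per the RFC 6797 section 6.1 grammar and then models the transport check separately so that the two reasons can be reported distinctly. The `transport_trusted` flag is an assumed stand-in for the browser's certificate-verification result, and whitespace tolerance around `;` and `=` is a design choice of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 6797 section 6.1: directive-name is a token, directive-value is a token or
# quoted-string; names are case-insensitive and must not appear more than once.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_DIRECTIVE_RE = re.compile(rf'^({_TOKEN})(?:\s*=\s*("[^"]*"|{_TOKEN}))?$')


@dataclass
class HstsPolicy:
    max_age: int                  # seconds the host stays a Known HSTS Host
    include_subdomains: bool = False


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security field value; raise ValueError if malformed.

    Whitespace around ';' and '=' is tolerated (a choice of this example), and
    empty directives such as a trailing ';' are permitted by the RFC grammar,
    so "max-age=31536000 ;" from the bug report parses cleanly.
    """
    seen = set()
    max_age: Optional[int] = None
    include_subdomains = False
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # empty directive, allowed by "[ directive ]" in the ABNF
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            raise ValueError(f"malformed directive: {raw!r}")
        name = m.group(1).lower()
        if name in seen:
            raise ValueError(f"directive repeated: {name}")
        seen.add(name)
        val = m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]  # unwrap quoted-string
        if name == "max-age":
            if val is None or not val.isdigit():
                raise ValueError(f"max-age must be 1*DIGIT, got {val!r}")
            max_age = int(val)
        elif name == "includesubdomains":
            if val is not None:
                raise ValueError("includeSubDomains takes no value")
            include_subdomains = True
        # unknown directives are ignored, per section 6.1
    if max_age is None:
        raise ValueError("required max-age directive missing")
    return HstsPolicy(max_age, include_subdomains)


def process_sts_header(value: str, transport_trusted: bool) -> Tuple[Optional[HstsPolicy], str]:
    """Model a UA deciding whether to note the host as a Known HSTS Host.

    transport_trusted is an assumed stand-in for the certificate-verification
    result: False for a self-signed, expired or mis-named certificate. Per
    RFC 6797 section 8.1 the policy is not applied in that case even when the
    header itself is valid, and the reason string says so explicitly instead
    of calling the header invalid (the improvement asked for in comment 8).
    """
    try:
        policy = parse_hsts(value)
    except ValueError as e:
        return None, f"invalid Strict-Transport-Security header: {e}"
    if not transport_trusted:
        return None, "header is valid but ignored: TLS certificate not trusted"
    return policy, "ok"


if __name__ == "__main__":
    # Constructed inputs mirroring the bug report: the header is valid either way,
    # only the transport state differs.
    for trusted in (False, True):
        print(trusted, process_sts_header("max-age=31536000 ;", trusted))
```

Run as-is it prints the two outcomes for the bug's own header value: rejected with the certificate reason when the transport is untrusted, and applied with `max_age=31536000` when it is trusted. Comment 1's suspicion about the space before `;` can be checked by feeding both spellings to `parse_hsts`; under this parser both are accepted, which matches the reporter's observation that removing the space changed nothing.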
Updated•9 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE