How is this possible? Apache sends HSTS on a non valid cert but user can proceed, on compatible browser

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: <users@xxxxxxxxxxxxxxxx>
Subject: How is this possible? Apache sends HSTS on a non valid cert but user can proceed, on compatible browser
From: "Eddie B" <eddie@xxxxxxxxxxxxxxx>
Date: Mon, 6 Oct 2014 14:36:32 -0700
Organization: MATTERmedia
Reply-to: users@xxxxxxxxxxxxxxxx
Thread-index: Ac/hrWZUjlAnqM/kTPa6MnoW9Szx4g==

I have an https server that sets the HSTS header, but up to date Chrome (and other HSTS compatible browsers, such as Firefox 32) still let the user proceed to HTTPS. Isn’t the specific reason HSTS exists to prevent users from proceeding?

Here’s the server: http://pastebin.com/JFJw1m40

How is this possible?

Follow-Ups:
- Re: How is this possible? Apache sends HSTS on a non valid cert but user can proceed, on compatible browser
  - From: Scott (firstclasswatches.co.uk)

Prev by Date: Re: Cannot get certificate chain to work.
Next by Date: Re: How is this possible? Apache sends HSTS on a non valid cert but user can proceed, on compatible browser
Previous by thread: Cannot get certificate chain to work.
Next by thread: Re: How is this possible? Apache sends HSTS on a non valid cert but user can proceed, on compatible browser
Index(es):
- Date
- Thread

[Index of Archives] [Open SSH Users] [Linux ACPI] [Linux Kernel] [Linux Laptop] [Kernel Newbies] [Security] [Netfilter] [Bugtraq] [Squid] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Video 4 Linux] [Device Mapper]