-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 10/6/14 5:52 PM, Scott (firstclasswatches.co.uk) wrote:
> Hello,
>
> Not strictly an httpd-specific issue but nevertheless,
> Chrome/Firefox should ignore the header because it is not
> delivered with a valid certificate and thus there is no way of
> knowing if it was actually issued by the website.

Spec says in this exact case, the TLS connection should be refused:

http://tools.ietf.org/html/rfc6797#section-11.3

> You should get the expected result if you first respond with an
> HSTS header in a valid TLS request and then /future/ requests
> should be prevented from proceeding if there is a certificate
> error.
>
> This is why HSTS is being preloaded for major websites, as that
> would cover the first request. For your average website there
> isn't currently a solution to this.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUNtEzAAoJEBzwKT+lPKRYqfAQAIauntEj79ba/p69JD6qBjKZ
mt9XCUj7EEI3sWaQsGcOWVHuFh4y/udvYqdPPDb5I3T5y7uUAkrZw+6e++EvJqU1
1oD6ELwaAoiwkz/J7RgS7ecIqBAFJHm2GkQ8wrfo5MmQDrrpU33SIa8N2kqtxqfK
P+Hoou6vfvCQZHteXKDrwx9iRoZxQnlY532zt6yPWxx1Xza3unkXZHkB04g9b+Fp
iCd1Tk8whQ5S712GDA2WZr1Dgvx4SoHgWhEPd6lG9ez/2As1OabG7aGqfSnSo6lT
o/gz3+I27tpU0837ZuvPWsYJ85uTnonFz+qkol1hT49WOM3wd0PnAWAmHRhEqo9p
q76EMhqyAwoSd7L9fgh9FwnvJr+wmhvoYDxzcGzI3jCvv6BaN72dbsBZEpRy1qSj
1RNHlY2MxBNPdxf9SJqQIgkVXzMGLw/4sTxZWA73R3MtYqvmHe1YlDHTvPFfvUVU
Wv+kpXPgFC+7VDa7tzeSnI6SNCU+CB1hrZdBmsoRhWYb5p8oE6msSgTwPB6G19gD
hDfTTGhl8WrVkgCyYgrPLV51CsNX8yueL1LYpJRjsG9OCii5pjzGBcjJ5ri3PsRx
zbFB2SPA0hD68Iyp2R0qEfKpRpK/kXwVv/V2xVB7F9zrVcBTQHXzWzLEc99OxDHG
3GIKbzBqmNUECA+qZOyq
=MX2I
-----END PGP SIGNATURE-----
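The two behaviours discussed in this thread are both rules from RFC 6797: a user agent must ignore a Strict-Transport-Security header that arrives over a connection with certificate errors (section 8.1), and once a host is a "Known HSTS Host" (by an earlier valid response or by preloading) any later certificate error terminates the connection with no click-through (sections 8.4 and 12.1). The model below is an added example of that user-agent logic; it is not code from httpd, from a browser, or from anyone in the thread, and the host names, header values and the clock values in the scenario are constructed.

```python
"""Model of the HSTS-relevant part of a browser, after RFC 6797.

Added example for illustration only; not code from the httpd project or
from the mailing-list thread. Host names and responses are constructed.
"""
import time


def parse_sts(value):
    """Parse a Strict-Transport-Security field value (RFC 6797 section 6.1).

    Returns (max_age_seconds, include_subdomains), or None when the header is
    invalid: max-age missing or non-numeric, or a directive repeated.
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')          # max-age value may be a quoted-string
        if name in seen:                      # a directive MUST NOT appear twice
            return None
        seen.add(name)
        if name == "max-age":
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        # unrecognised directives (e.g. "preload") are ignored, as the RFC requires
    if max_age is None:                       # max-age is REQUIRED
        return None
    return max_age, include_subdomains


class HSTSUserAgent:
    """Policy cache plus the decisions it drives. `preload` seeds the cache
    the way a browser preload list does, so it covers the very first request."""

    def __init__(self, preload=(), clock=time.time):
        self.clock = clock
        # host -> (expiry timestamp, or None for a preloaded entry; include_subdomains)
        self.policies = {}
        for host, include_subdomains in preload:
            self.policies[host.lower()] = (None, include_subdomains)

    def is_known_hsts_host(self, host):
        """Section 8.2: exact match, or a superdomain whose policy has
        includeSubDomains. Expired dynamic entries do not count."""
        labels = host.lower().split(".")
        now = self.clock()
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_subdomains = policy
            if expiry is not None and expiry <= now:
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def observe_response(self, host, headers, secure, cert_valid):
        """Section 8.1: honour the STS header only when the response came over
        TLS with no certificate errors or warnings, and only the first STS
        header field. Returns True when the cache changed, False otherwise."""
        if not (secure and cert_valid):
            return False
        values = [v for k, v in headers if k.lower() == "strict-transport-security"]
        if not values:
            return False
        parsed = parse_sts(values[0])
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:                          # section 8.1.1: max-age=0 clears the dynamic policy
            existing = self.policies.get(host)
            if existing is None or existing[0] is None:   # nothing dynamic to clear; preloaded entries stay
                return False
            del self.policies[host]
            return True
        self.policies[host] = (self.clock() + max_age, include_subdomains)
        return True

    def decide(self, scheme, host, cert_valid=True):
        """'upgrade': http:// rewritten to https:// for a known host (section 8.3);
        'terminate': certificate error on a known host, no user recourse (8.4, 12.1);
        'interstitial': certificate error on a host with no policy, UA may offer click-through;
        'proceed': nothing HSTS-related applies."""
        known = self.is_known_hsts_host(host)
        if scheme == "http":
            return "upgrade" if known else "proceed"
        if not cert_valid:
            return "terminate" if known else "interstitial"
        return "proceed"


def thread_scenario():
    """Replays the thread's situation with a fake clock: a site whose certificate
    is broken sends an HSTS header, first without and then with a prior valid visit."""
    clock = [1_000_000.0]
    ua = HSTSUserAgent(clock=lambda: clock[0])
    sts = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
    out = {}
    out["first_visit"] = ua.decide("https", "shop.example", cert_valid=False)
    out["header_on_bad_cert"] = ua.observe_response("shop.example", sts, secure=True, cert_valid=False)
    out["header_on_good_cert"] = ua.observe_response("shop.example", sts, secure=True, cert_valid=True)
    out["plain_http"] = ua.decide("http", "shop.example")
    out["bad_cert_now"] = ua.decide("https", "shop.example", cert_valid=False)
    out["bad_cert_subdomain"] = ua.decide("https", "www.shop.example", cert_valid=False)
    clock[0] += 31536000 + 1                  # policy expires after max-age
    out["after_expiry"] = ua.decide("https", "shop.example", cert_valid=False)
    pre = HSTSUserAgent(preload=[("bank.example", True)], clock=lambda: clock[0])
    out["preloaded_first_visit"] = pre.decide("https", "login.bank.example", cert_valid=False)
    return out
```

Running `thread_scenario()` shows the sequence Scott describes: the header sent alongside a certificate error is dropped and the user can still click through, but after one response over a valid certificate the same certificate error becomes a hard failure for the host and its subdomains until max-age elapses, and a preloaded host gets that hard failure from the very first request.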