The cert is self-signed. What is the conclusion, Chrome is violating the RFC? It DOES let me proceed.

On 10/6/14 5:52 PM, Scott (firstclasswatches.co.uk) wrote:
> Hello,
>
> Not strictly an httpd-specific issue but nevertheless, Chrome/Firefox
> should ignore the header because it is not delivered with a valid
> certificate and thus there is no way of knowing if it was actually
> issued by the website.

Spec says in this exact case, the TLS connection should be refused:
http://tools.ietf.org/html/rfc6797#section-11.3

> You should get the expected result if you first respond with an HSTS
> header in a valid TLS request and then /future/ requests should be
> prevented from proceeding if there is a certificate error.
>
> This is why HSTS is being preloaded for major websites as that would
> cover the first request. For your average website there isn't
> currently a solution to this.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
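The behaviour the two of you are describing is the RFC 6797 user-agent logic: an STS header is only noted when it arrives over an error-free TLS connection (section 8.1), and once a host is a Known HSTS Host, any later certificate error terminates the connection with no click-through (section 12.1). The following is an added model of those rules written for this thread; it is not code from the thread, from httpd, or from any browser. The host name example.test and all timestamps are constructed sample values.

```python
"""Model of the RFC 6797 UA rules discussed above (added example, not browser code)."""
import re
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# max-age value may be quoted or unquoted; directive names are case-insensitive (s6.1)
MAX_AGE_RE = re.compile(r'^max-age\s*=\s*"?(\d+)"?$', re.IGNORECASE)


def parse_sts(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security field value (RFC 6797 s6.1).

    Returns (max_age_seconds, include_subdomains), or None when the header
    is invalid (no max-age, or a directive repeated) and must be ignored.
    """
    max_age = None
    include_sub = False
    seen = set()
    for raw in value.split(';'):
        directive = raw.strip()
        if not directive:
            continue
        name = directive.split('=', 1)[0].strip().lower()
        if name in seen:                 # a directive MUST NOT appear twice
            return None
        seen.add(name)
        if name == 'max-age':
            m = MAX_AGE_RE.match(directive)
            if not m:
                return None
            max_age = int(m.group(1))
        elif name == 'includesubdomains':
            include_sub = True
        # any other directive (e.g. preload) is ignored by the UA
    if max_age is None:
        return None
    return max_age, include_sub


@dataclass
class HstsStore:
    """Minimal Known HSTS Host list: host -> (expiry epoch seconds, includeSubDomains)."""
    known: Dict[str, Tuple[float, bool]] = field(default_factory=dict)

    def process_response(self, host: str, tls_clean: bool,
                         headers: List[Tuple[str, str]], now: float = None) -> bool:
        """RFC 6797 s8.1: the host becomes a Known HSTS Host only when the STS
        header was received over a secure transport with no errors or warnings.
        A self-signed or otherwise untrusted certificate is such a warning, so
        the header is dropped on the floor. Returns True if the store changed."""
        now = time.time() if now is None else now
        if not tls_clean:
            return False
        sts = [v for k, v in headers if k.lower() == 'strict-transport-security']
        if not sts:
            return False
        parsed = parse_sts(sts[0])      # only the first STS header field is processed
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.known.pop(host, None)   # max-age=0 tells the UA to forget the host
            return True
        self.known[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host: str, now: float = None) -> bool:
        """Match the host itself, or a superdomain whose entry has includeSubDomains."""
        now = time.time() if now is None else now
        labels = host.lower().split('.')
        for i in range(len(labels)):
            entry = self.known.get('.'.join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:            # expired entries no longer apply
                continue
            if i == 0 or include_sub:
                return True
        return False

    def connection_decision(self, host: str, tls_clean: bool, now: float = None) -> str:
        """s12.1: a Known HSTS Host with a TLS error is refused outright; any other
        host with a TLS error may get the usual interstitial the user can click through."""
        if tls_clean:
            return 'proceed'
        return 'refuse' if self.is_known(host, now) else 'warn'
```

Running the self-signed case through this model gives exactly what Chris observed: process_response returns False because the transport had a warning, the host never enters the list, and the next connection_decision is 'warn' rather than 'refuse'. Only after one response over a clean TLS session does the hard-fail behaviour kick in for the max-age window, which is the ordering Scott describes and the reason preloading exists for the first visit.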