Closed Bug 1178251 Opened 5 years ago Closed 5 years ago
Strict Transport Security (HSTS) site with correct header but self-signed cert console logs that the header is "invalid"
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150525141253

Steps to reproduce:
Spring Security (4.0.1.Release) sets the HSTS host by default for the https protocol, and you can see "Strict-Transport-Security: max-age=31536000 ;" in the response header (I used Firefox > Web Development > Network). But when I look at the Firefox console I see an error which says: "The site specified an invalid Strict-Transport-Security header." Screenshot is attached.

Actual results:
See HSTS error log

Expected results:
No error log displayed
Does it work if you remove the space after the max-age value and before the ";" ? Do you have a test site that we can access in order to reproduce ?
Yes, I have removed the space and also changed the https port to the default port (443), but it did not solve it. The site is not live yet!
Can you provide a reduced testcase that is public (maybe publicize just an example empty web app under a test URL that serves "hello world" through spring security configured with the headers as in your example)? As it is, there isn't really enough information here for me to figure out what's going wrong.
An alternative thing to do would be to run Firefox from the command line with logging. First set the environment variables:

set NSPR_LOG_FILE=/path/to/file.log
set NSPR_LOG_MODULES="nsSSService:5"

(use "export" if on Linux/OSX) and then open Firefox and open the site, and see if there is log output that clarifies what's going wrong. Does the security indicator indicate that SSL/TLS is working as expected? Your screenshot does not include that part of the browser window.
I set the log and it did not generate any logs. Do other browsers generate any log when HSTS goes wrong?! I can test the site with them and send you more info.
(In reply to firstname.lastname@example.org from comment #5)
> I set the log and did not generate any logs.

This works for me, and I've never seen NSPR logging not work. Are you sure you set the environment variables correctly before starting Firefox (and while starting Firefox from the terminal where you set them)?

> Are other browsers generate any
> log when HSTS goes wrong?!

I don't know, but if this also doesn't work in Chrome (or others), it sounds like it's an issue with your site rather than Firefox, and you want somewhere like stackoverflow instead of here.
I see a post at http://stackoverflow.com/questions/28367305/the-site-specified-an-invalid-strict-transport-security-header-firebug This seems to be the problem when the SSL certificate is self-signed. (Well, I cannot test it now.)
In this case, could we improve the message to not say the header is invalid, but say something about the security state of the site instead?
Component: Untriaged → Security: PSM
Product: Firefox → Core
Summary: Security with HTTP Strict Transport Security (HSTS) with correct header still generates error log in console → Strict Transport Security (HSTS) site with correct header but self-signed cert console logs that the header is "invalid"
Yes, this is certainly something that could be improved.
Whiteboard: [good next bug]
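The thread's conclusion is that the console message reflects the untrusted (self-signed) connection rather than a syntax problem. The following is an added model of the two checks a user agent performs, written for this page and not taken from Firefox's PSM code: it parses the header per RFC 6797 section 6.1 (tolerating the stray space before ";" from the report) and then, per section 8.1, ignores even a well-formed header when the TLS connection had certificate errors. The function names and the connection_secure flag are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 6797 section 6.1: directives are ';'-separated, names are case-insensitive,
# values may be a token or a quoted-string, max-age is required, and a
# directive name may not appear twice. Whitespace around ';' is tolerated.
_DIRECTIVE = re.compile(
    r'^\s*([A-Za-z0-9!#$%&\'*+.^_`|~-]+)\s*(?:=\s*(?:"([^"]*)"|([^\s";]+)))?\s*$'
)

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False

def parse_sts_header(value: str) -> Optional[HstsPolicy]:
    """Return the policy, or None if the header text itself is malformed."""
    seen = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # empty directive, e.g. the trailing ';' in the bug report
        m = _DIRECTIVE.match(part)
        if not m:
            return None  # not a directive-name [= value] shape
        name = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if name in seen:
            return None  # duplicate directive makes the header invalid
        seen[name] = val
    max_age = seen.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None  # max-age is mandatory and must be delta-seconds
    return HstsPolicy(int(max_age), "includesubdomains" in seen, "preload" in seen)

def hsts_decision(header: str, connection_secure: bool) -> Tuple[Optional[HstsPolicy], str]:
    """Model the UA: a well-formed header is still ignored on a connection
    with certificate errors (RFC 6797 section 8.1), e.g. a self-signed cert."""
    policy = parse_sts_header(header)
    if policy is None:
        return None, "header syntax invalid"
    if not connection_secure:
        return None, "header well-formed but ignored: TLS connection has certificate errors"
    return policy, "policy accepted"
```

With the reporter's header, the first call returns a policy and the second returns None, which is the situation the console message in this bug describes.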
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1124649