1178251 - Strict Transport Security (HSTS) site with correct header but self-signed cert console logs that the header is "invalid"

Status: RESOLVED DUPLICATE of bug 1124649

(Core :: Security: PSM, defect)

Description

[afattahi@yahoo.com]

Attachment: sample.jpg

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150525141253

Steps to reproduce:

The spring security (4.0.1.Release) set the HSTS host by default for https protocol and you can see Strict-Transport-Security: max-age=31536000 ; in the response header (I used Firefox>Web Development>Network ).

But when I look at firefox console I see an error which says: The site specified an invalid Strict-Transport-Security header.

Screen shoot is attached


Actual results:

See HSTS error log


Expected results:

No error log displayed

Comment 1

[:Gijs (he/him)]

Does it work if you remove the space after the max-age value and before the ";"  ? Do you have a test site that we can access in order to reproduce ?

Comment 2

[afattahi@yahoo.com]

Yes, I have removed the space and also change the https port to default port (443) but it did not solved it. The site is not live yet!

Comment 3

[:Gijs (he/him)]

Can you provide a reduced testcase that is public (maybe publicize just an example empty web app under a test URL that serves "hello world" through spring security configured with the headers as in your example)? 

As it is, there isn't really enough information here for me to figure out what's going wrong.

Comment 4

[:Gijs (he/him)]

An alternative thing to do would be to run Firefox from the commandline with logging. First set the environment variables:

set NSPR_LOG_FILE=/path/to/file.log
set NSPR_LOG_MODULES="nsSSService:5"

(use "export" if on Linux/OSX)

and then open Firefox and open the site, and see if there is log output that clarifies what's going wrong.

Does the security indicator indicate that SSL/TLS is working as expected? Your screenshot does not include that part of the browser window.

Comment 5

[afattahi@yahoo.com]

I set the log and did not generate any logs. Are other browsers generate any log when HSTS goes wrong?! I can test the site with them and send you more info.

Comment 6

[:Gijs (he/him)]

(In reply to afattahi@yahoo.com from comment #5)
> I set the log and did not generate any logs.

This works for me, and I've never seen NSPR logging not work. Are you sure you set the environment variables correctly before starting Firefox (and while starting Firefox from the terminal where you set them) ?

> Are other browsers generate any
> log when HSTS goes wrong?! 

I don't know, but if this also doesn't work in Chrome (or others), it sounds like it's an issue with your site rather than Firefox, and you want somewhere like stackoverflow instead of here.

Comment 7

[afattahi@yahoo.com]

I see a post at http://stackoverflow.com/questions/28367305/the-site-specified-an-invalid-strict-transport-security-header-firebug 
This seems to be the problem when the SSL is self signed. (Well I can not test it now)

Comment 8

[:Gijs (he/him)]

In this case, could we improve the message to not say the header is invalid, but say something about the security state of the site instead?

Comment 9

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

Yes, this is certainly something that could be improved.