Closed Bug 1460818 Opened 7 years ago Closed 7 years ago

site professionisti.bticino.it doesn't work in nightly

Categories

(Core :: Networking: HTTP, defect)

Version: 61 Branch
Type: defect
Priority: Not set
Severity: normal

Tracking


RESOLVED INVALID

People

(Reporter: sxpert, Unassigned)

Details

(Whiteboard: [INVALID?])

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180406121424

Steps to reproduce:

running on Ubuntu 18.04 LTS
go to bticino.it
click on the center panel (professionisti)

Actual results:

Unable to connect

Expected results:

in 59.0.2, the site loads successfully
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 20180323154952

(In reply to Raphaël Jacquot from comment #0)
> go to bticino.it

Loads https://www.bticino.it with HSTS.

> click on the center panel (professionisti)

Link points to http://professionisti.bticino.it which results in an attempt to load https://professionisti.bticino.it. That fails with "Unable to connect". That's with Firefox 59.0.2, Vivaldi, Edge, and SSL Labs.
https://www.ssllabs.com/ssltest/analyze.html?d=professionisti.bticino.it

If I open a Private Window so that HSTS doesn't apply, I can load http://professionisti.bticino.it by pasting directly into the address bar, as it doesn't get upgraded to HTTPS.
Has STR: --- → yes
Component: Untriaged → Networking: HTTP
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
Whiteboard: [INVALID?]
This does indeed look like a server error. There's an HSTS response header saying Firefox should use HTTPS, but when doing so, there's nothing serving HTTPS there (right now).
Indeed, the server sets HSTS with includeSubDomains on the request to https://www.bticino.it/, but doing |openssl s_client -connect professionisti.bticino.it:443| results in connection refused. The server needs fixing to either (1) not send HSTS at all, (2) not send includeSubDomains until all subdomains answer on HTTPS, or (3) answer HTTPS on all subdomains. Note that (3) is most likely to work going forward, as there are probably already clients out there who would like to use the site who now have the HSTS info and won't get rid of it for... a while.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
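The failure mode discussed in comments 1 through 3 (a parent domain's HSTS policy with includeSubDomains forcing an http:// link to a subdomain onto https://, where nothing listens on 443) can be reproduced without touching the network. The following is an added example, not code from this bug or from Firefox: a minimal model of a browser HSTS store per RFC 6797, which parses the Strict-Transport-Security header, records policies per host, applies superdomain matching, and rewrites URLs the way a browser would before connecting. The header values and host names below are constructed to mirror the report; the example assumes the apex bticino.it itself sends the header (the comments record it on www.bticino.it, and the example also shows that an entry on www.bticino.it alone would not cover the sibling host professionisti.bticino.it). The optional probe function is the scripted equivalent of the openssl s_client check in comment 3 and is the only part that uses the network.

```python
import socket
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Directive names are case-insensitive (RFC 6797 section 6.1). Returns None when
    max-age is missing or malformed, in which case a browser ignores the header.
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Minimal model of a browser's HSTS store: host -> includeSubDomains flag.

    Expiry bookkeeping and the public-suffix check real browsers perform are
    omitted; the superdomain walk is what matters for this bug.
    """

    def __init__(self):
        self.known = {}

    def record(self, host, header):
        """Store the policy a host sent over HTTPS; max-age=0 removes it."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.known.pop(host.lower(), None)
        else:
            self.known[host.lower()] = include_sub

    def is_known(self, host):
        """True for an exact entry, or a superdomain entry carrying includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.known and (i == 0 or self.known[candidate]):
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// for known hosts (RFC 6797 section 8.3).

        Port 80 becomes the default 443; any other explicit port is kept.
        """
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known(host):
            return url
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def https_listener_open(host, port=443, timeout=3.0):
    """Scripted equivalent of `openssl s_client -connect host:443`: does anything accept TCP on 443?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed header value, assumed to be sent by the apex host; not captured from the real server.
    cache = HstsCache()
    cache.record("bticino.it", "max-age=31536000; includeSubDomains")
    link = "http://professionisti.bticino.it/"
    target = cache.upgrade(link)
    print(f"{link} -> {target}")  # the upgraded URL is what the browser actually connects to
    if target != link:
        host = urlsplit(target).hostname
        print(f"{host}:443 reachable: {https_listener_open(host)}")
```

Running the script prints the rewritten URL and then probes port 443 on the rewritten host; a False there is the "Unable to connect" in the report. Dropping includeSubDomains from the constructed header, or recording it on www.bticino.it instead of the apex, leaves the link untouched, which is the behaviour option (2) in comment 3 would restore.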