Difference between revisions of "Strict Transport Security"

From IVS Wiki

Latest revision as of 11:24, 8 March 2024

Symptoms

On a VALT server with HTTPS enabled, when you attempt to download, the page spins for a few seconds and then goes to a "This site cannot be reached" message.

[Screenshot: Hsts1.png]

When examining the address bar you will note that the address is similar to:

https://valtserverfqdn.yourdomain.com:8000/935/1_935_115.mp4?filename=Smart+Button+Recording++P5415-E+03-02-2021+3-42-PM.mp4&token=bd3f7defaff04cca90542919c015f474

Cause

This issue is caused by the Strict-Transport-Security header being set.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

This header might be set in the /etc/apache2/sites-enabled/default-ssl.conf or /etc/apache2/sites-enabled/v3.conf config files. It could also be set on another website with the same domain as the VALT server. If the includeSubDomains flag is set on the header, it will affect all sites that share the root domain, including the VALT server.

In previous versions of Chromium (on which most browsers are based) the Strict-Transport-Security header only affected traffic on standard ports. The download for VALT uses port 8000 and was previously excluded from this setting.
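The following is an added example, not part of the original wiki article: it parses a Strict-Transport-Security header value and models how a browser's cached HSTS entry for one host (for example the root domain sent with includeSubDomains) ends up covering the VALT server on port 8000. The host names and the cache contents are constructed for illustration.

```python
"""Added example (not from the IVS wiki): parse an STS header and model HSTS coverage."""
from typing import Optional


def parse_sts(header: str) -> dict:
    """Parse an STS header value into {'max_age': int | None, 'include_subdomains': bool}.

    Directive names are case-insensitive and unknown directives are ignored,
    as RFC 6797 requires; a quoted max-age value is accepted as well.
    """
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def covered_by(host: str, known_hosts: dict) -> Optional[str]:
    """Return the cached entry (the sts_domain) that forces `host` to HTTPS, or None.

    `known_hosts` maps a host name, as the browser learned it, to its parsed policy.
    Any port in `host` is dropped: the HSTS cache is keyed on the host name only,
    so valt.ipivs.com:8000 is covered by the same entry as valt.ipivs.com:443.
    A max-age of 0 tells the browser to forget the entry, so it covers nothing.
    """
    hostname = host.split(":")[0].lower()
    labels = hostname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        policy = known_hosts.get(candidate)
        if policy is None or not policy["max_age"]:
            continue
        # An exact match always applies; a parent domain applies only with includeSubDomains.
        if i == 0 or policy["include_subdomains"]:
            return candidate
    return None


# Constructed HSTS cache: the root domain was visited and sent the header from the
# Cause section, while an unrelated host sent max-age only.
KNOWN_HOSTS = {
    "ipivs.com": parse_sts("max-age=31536000; includeSubDomains"),
    "www.example.net": parse_sts("max-age=31536000"),
}

if __name__ == "__main__":
    for h in ("valt.ipivs.com:8000", "valt.example.net:8000", "www.example.net"):
        print(f"{h}: forced to HTTPS by {covered_by(h, KNOWN_HOSTS)!r}")
```

Querying the root domain, as the Verification note suggests, corresponds to the parent-domain lookup in `covered_by`: the VALT host itself may have no entry while `ipivs.com` does.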


Verification

Google Chrome

  1. Enter the following in the address bar:
     chrome://net-internals/#hsts
     [Screenshot: Hsts2.png]
  2. In the Query HSTS/PKP domain section, enter the FQDN of the VALT server and click Query.
  3. If something similar to what is shown in the picture above is displayed, then HSTS is enabled.
     Note: If the header was sent by another website in the same domain, it may not show up when querying only the address of the VALT server. You may need to try other queries, such as just the root domain.

Resolution

The issue can be temporarily resolved by entering the site into the Delete domain security policies section and clicking Delete.

[Screenshot: Hsts3.png]

The site entered should be the sts_domain shown when querying during verification. In the example above it is ipivs.com.

This will only work until the next time the header is received. If this header is set in the Apache config files it MUST be removed and Apache must be restarted. If this header is being sent from another website in the same domain, the header must be removed from that site or care must be taken not to visit that site. There does not appear to be any workaround for this issue at this time.