Strict Transport Security
Latest revision as of 11:24, 8 March 2024
Symptoms
On a VALT server with HTTPS enabled, when you attempt to download a recording, the page spins for a few seconds and then shows a "This site cannot be reached" message.
When examining the address bar you will note that the address is similar to:
https://valtserverfqdn.yourdomain.com:8000/935/1_935_115.mp4?filename=Smart+Button+Recording++P5415-E+03-02-2021+3-42-PM.mp4&token=bd3f7defaff04cca90542919c015f474
Note the https scheme on port 8000: the browser has rewritten the plain-HTTP download link to HTTPS before sending the request.
Cause
This issue is caused by the Strict-Transport-Security (HSTS) header being set, for example by the following Apache directive:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
This header might be set in /etc/apache2/sites-enabled/default-ssl.conf or /etc/apache2/sites-enabled/v3.conf. It could also be set by another website with the same domain as the VALT server. If the includeSubDomains flag is present, the policy covers every host under that root domain, including the VALT server.
An HSTS policy applies to a host name, not to a single port (RFC 6797). Once a browser has recorded the policy, it rewrites any http:// request to that host to https:// before sending it; port 80 becomes 443, and any other explicit port, such as 8000, is preserved. In previous versions of Chromium (the engine behind Chrome, Edge and many other browsers) the header in practice only affected traffic on the standard ports, so the VALT download on port 8000 was excluded from this behaviour. Current versions upgrade the port 8000 request as well, and because nothing is serving TLS on that port, the upgraded connection fails and the browser reports that the site cannot be reached.
Verification
Google Chrome
- Enter the following in the address bar:
  chrome://net-internals/#hsts
- In the Query HSTS/PKP domain section, enter the FQDN of the VALT server and click Query.
- If the query returns a populated result (as in the screenshot hsts2.png) rather than "Not found", HSTS is enabled for that host. The sts_domain field names the host that sent the header, which may be a parent domain rather than the VALT server itself.
- Note: If the header was sent by another website in the same domain, it may not show when querying only the address of the VALT server. You may need to try other queries, such as just the root domain.
Resolution
The issue can be temporarily resolved by entering the site into the Delete domain security policies section and clicking Delete.
The site entered should be the sts_domain shown when querying during verification. In the example above it is ipivs.com.
This will only work until the next time the header is received. If this header is set in the Apache config files it MUST be removed and Apache must be restarted. If the header is being sent from another website in the same domain, the header must be removed from that site (or at least its includeSubDomains flag dropped, so that the policy no longer covers the VALT host), or care must be taken not to visit that site. There does not appear to be any work around to this issue at this time.
Two caveats apply. Removing the directive does not clear policies that browsers have already cached; with the value above they persist for a year unless the site sends the header with max-age=0 over HTTPS, which tells the browser to delete its entry. If the root domain is on the browsers' built-in HSTS preload list, the policy is static and cannot be deleted from chrome://net-internals at all. HSTS is itself a control against protocol-downgrade attacks, so weakening it should be treated as a stop-gap; serving the port 8000 download over HTTPS would remove the conflict entirely.
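To make the mechanism described in the Cause and Resolution sections concrete, the following is an added example that models the browser side of RFC 6797: parsing the Strict-Transport-Security header, keeping the browser's list of known HSTS hosts, and rewriting URLs. It is not VALT, IPIVS or Chromium code; the host names, the root-domain header and the download URL are constructed for illustration. It shows why a header sent by the root domain with includeSubDomains covers the VALT host, why an explicit port such as 8000 survives the rewrite, why a header seen over plain HTTP is ignored, and how max-age=0 clears a cached policy.

```python
"""Model of RFC 6797 (HSTS) browser behaviour. Added example for this article;
not VALT, IPIVS or Chromium code. All host names below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Directive names are case-insensitive and max-age is mandatory. Returns
    None for a malformed header, which a browser ignores entirely."""
    max_age = None
    include_subdomains = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None  # duplicate or non-numeric max-age: invalid header
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains)


class HstsStore:
    """The browser's list of Known HSTS Hosts, keyed by lower-cased host name."""

    def __init__(self) -> None:
        self.hosts: Dict[str, HstsPolicy] = {}

    def observe(self, host: str, header_value: str, over_tls: bool) -> None:
        """Record the policy carried by a response. A header received over
        plain HTTP is ignored (section 8.1); max-age=0 deletes the entry."""
        if not over_tls:
            return
        policy = parse_hsts(header_value)
        if policy is None:
            return
        host = host.lower()
        if policy.max_age == 0:
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = policy

    def matching_host(self, host: str) -> Optional[str]:
        """Return the known host whose policy covers `host`: an exact match, or
        the nearest parent domain whose policy has includeSubDomains."""
        host = host.lower()
        if host in self.hosts:
            return host
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            policy = self.hosts.get(parent)
            if policy is not None and policy.include_subdomains:
                return parent
        return None

    def rewrite(self, url: str) -> str:
        """URI rewriting of section 8.3: http -> https, port 80 -> 443, and
        any other explicit port kept. The kept port is what turns
        http://host:8000/... into https://host:8000/... on a covered host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or self.matching_host(parts.hostname or "") is None:
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo() -> dict:
    """Constructed scenario: the root domain sends the article's header over TLS,
    then later expires it with max-age=0."""
    store = HstsStore()
    store.observe("ipivs.com", "max-age=31536000; includeSubDomains", over_tls=True)
    store.observe("other.ipivs.net", "max-age=31536000", over_tls=False)  # plain HTTP: ignored
    download = "http://valtserver.ipivs.com:8000/935/1_935_115.mp4?token=abc"
    result = {
        "covering_host": store.matching_host("valtserver.ipivs.com"),
        "upgraded": store.rewrite(download),  # https on port 8000: fails if 8000 has no TLS
        "ignored_over_http": store.matching_host("other.ipivs.net"),
    }
    store.observe("ipivs.com", "max-age=0", over_tls=True)
    result["cleared"] = store.rewrite(download)  # policy deleted, URL left as http
    return result


if __name__ == "__main__":
    print(demo())
```

Real header values can be fed to `observe` after collecting them from the root domain and from the VALT server (for instance with curl -sI), which shows at a glance which of the hosts in your domain would cover the VALT download URL. The model deliberately does not attempt a connection: the "This site cannot be reached" error arises only at that later step, when the rewritten https://...:8000 request meets a port that does not speak TLS.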