Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Cherokee: dev

Issue 1302 in cherokee: HSTS in wrongly implemented

 

 

Cherokee dev RSS feed   Index | Next | Previous | View Threaded


cherokee at googlecode

Nov 13, 2011, 5:20 PM

Post #1 of 4 (425 views)
Permalink
Issue 1302 in cherokee: HSTS in wrongly implemented

Status: Accepted
Owner: ----
Labels: Type-Defect Priority-Medium Component-Logic Security

New issue 1302 by ste...@konink.de: HSTS in wrongly implemented
http://code.google.com/p/cherokee/issues/detail?id=1302

What steps will reproduce the problem?
1.
http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#Implementation

2. look at handler_error.c
3. Notice that we are actually sending it when we find the URL not being
TLS.
4. http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-03
5. I think when a user enables HSTS what should happen:

a) There is a virtual rule inserted that checks TLS, if it is not TLS the
user gets an external redirect to the TLS resource.
b) HSTS is send as a second virtual rule non-final with add-headers, strict
transport security


Based on:
6.2. HTTP Request Type

If a HSTS Host receives a HTTP request message over a non-secure
transport, it SHOULD send a HTTP response message containing a
Status-Code of 301 and a Location header field value containing
either the HTTP request's original Effective Request URI (see
Section 12 "Constructing an Effective Request URI", below) altered as
necessary to have a URI scheme of "https", or a URI generated
according to local policy (which SHOULD employ a URI scheme of
"https").

6.1. HTTP-over-Secure-Transport Request Type

When replying to an HTTP request that was conveyed over a secure
transport, a HSTS Host SHOULD include in its response message a
Strict-Transport-Security HTTP Response Header that MUST satisfy the
grammar specified above in Section 5.1 "Strict-Transport-Security
HTTP Response Header Field". If a Strict-Transport-Security HTTP
Response Header is included, the HSTS Host MUST include only one such
header.


_______________________________________________
Cherokee-dev mailing list
Cherokee-dev [at] lists
http://lists.octality.com/listinfo/cherokee-dev


cherokee at googlecode

Nov 13, 2011, 6:04 PM

Post #2 of 4 (404 views)
Permalink
Re: Issue 1302 in cherokee: HSTS in wrongly implemented [In reply to]

Updates:
Status: Started
Owner: alobbs

Comment #1 on issue 1302 by ste...@konink.de: HSTS in wrongly implemented
http://code.google.com/p/cherokee/issues/detail?id=1302

https://github.com/skinkie/webserver/commit/209e47633474e253b442355149deb79fc19b3fe2
https://github.com/skinkie/webserver/commit/a7c57b8325168380502afdd10a91fb37aae965ce

_______________________________________________
Cherokee-dev mailing list
Cherokee-dev [at] lists
http://lists.octality.com/listinfo/cherokee-dev


cherokee at googlecode

Nov 19, 2011, 5:59 AM

Post #3 of 4 (391 views)
Permalink
Re: Issue 1302 in cherokee: HSTS in wrongly implemented [In reply to]

Comment #2 on issue 1302 by alobbs: HSTS in wrongly implemented
http://code.google.com/p/cherokee/issues/detail?id=1302

ACK. The patch looks good.

_______________________________________________
Cherokee-dev mailing list
Cherokee-dev [at] lists
http://lists.octality.com/listinfo/cherokee-dev


cherokee at googlecode

Nov 22, 2011, 10:47 AM

Post #4 of 4 (377 views)
Permalink
Re: Issue 1302 in cherokee: HSTS in wrongly implemented [In reply to]

Updates:
Status: Fixed
Owner: ste...@konink.de

Comment #3 on issue 1302 by alobbs: HSTS in wrongly implemented
http://code.google.com/p/cherokee/issues/detail?id=1302

Fixed, along with the QA tests. (Do remember the QA tests!!!!)

Stefan, thanks for the fix.
Good work! :-)

_______________________________________________
Cherokee-dev mailing list
Cherokee-dev [at] lists
http://lists.octality.com/listinfo/cherokee-dev

Cherokee dev RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.