[jira] [Commented] (TS-4502) HSTS should clip to the certificate expiry

Leif Hedstrom (JIRA) Fri, 03 Jun 2016 15:18:06 -0700

    [ 
https://issues.apache.org/jira/browse/TS-4502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15314960#comment-15314960
 ]


Leif Hedstrom commented on TS-4502:
-----------------------------------

I'm not convinced about this. There are legitimate reasons why you'd want very 
short lived certificates (hours), while still have very long HSTS headers.

> HSTS should clip to the certificate expiry
> ------------------------------------------
>
>                 Key: TS-4502
>                 URL: https://issues.apache.org/jira/browse/TS-4502
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL
>            Reporter: James Peach
>             Fix For: sometime
>
>
> When using {{proxy.config.ssl.hsts_max_age}} to send a strict transport 
> security header, we should examine the expiry of the certificate we are 
> servige the request with, and clip the max HSTS age to the expiry of the 
> certificate. This would prevent browsers puking on HSTS when certificates 
> expire legitimately.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (TS-4502) HSTS should clip to the certificate expiry

Reply via email to