[ https://issues.apache.org/jira/browse/TS-4502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15314960#comment-15314960 ]

Leif Hedstrom edited comment on TS-4502 at 6/3/16 10:17 PM:
------------------------------------------------------------

I'm not convinced about this. There are legitimate reasons why you'd want very 
short-lived certificates (hours), while still having very long HSTS headers.

At a minimum, a feature like this should have a configuration knob, and it 
should be turned off.


was (Author: zwoop):
I'm not convinced about this. There are legitimate reasons why you'd want very 
short-lived certificates (hours), while still having very long HSTS headers.

> HSTS should clip to the certificate expiry
> ------------------------------------------
>
>                 Key: TS-4502
>                 URL: https://issues.apache.org/jira/browse/TS-4502
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL
>            Reporter: James Peach
>             Fix For: sometime
>
>
> When using {{proxy.config.ssl.hsts_max_age}} to send a strict transport 
> security header, we should examine the expiry of the certificate we are 
> serving the request with, and clip the max HSTS age to the expiry of the 
> certificate. This would prevent browsers puking on HSTS when certificates 
> expire legitimately.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
