[
https://issues.apache.org/jira/browse/TS-4502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15314988#comment-15314988
]
Phil Sorber commented on TS-4502:
---------------------------------
It seems to me like you would necessarily want the browser to puke if your cert
expired and you were unable to renegotiate. Isn't that the whole point of such
a header? Anything that compromises your secure connection should be a failure,
imo.
> HSTS should clip to the certificate expiry
> ------------------------------------------
>
> Key: TS-4502
> URL: https://issues.apache.org/jira/browse/TS-4502
> Project: Traffic Server
> Issue Type: Improvement
> Components: SSL
> Reporter: James Peach
> Fix For: sometime
>
>
> When using {{proxy.config.ssl.hsts_max_age}} to send a strict transport
> security header, we should examine the expiry of the certificate we are
> servige the request with, and clip the max HSTS age to the expiry of the
> certificate. This would prevent browsers puking on HSTS when certificates
> expire legitimately.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
