Hi Stephane,

Here's how I look at it:

Section 8.1 is about a user agent noting a new HSTS host. If the
connection had an underlying error (e.g. self-signed cert), the user
agent will not note that host as using HSTS.

Section 11.3 is about when the user agent connects to a host that it
previously noted as using HSTS. If there are underlying transport
errors, the user agent will not allow the connection to continue under
any circumstances (e.g. certificate exception overrides are disabled).

Hope this helps,
David

On 12/17/2014 05:56 AM, Stephane Bortzmeyer wrote:
> 
> [I'm not subscribed to the websec working group so please copy me when
> replying.]
> 
> I don't know how to read section 11.3 of RFC 6797. It says "If all
> four of the following conditions are true... [self-signed
> certificates...]  ...then secure connections to that site will fail,
> per the HSTS design." It seems to imply that adding a
> Strict-Transport-Security: header to a site which has a self-signed
> certificate is an error.
> 
> But section 8.1 says that the Strict-Transport-Security: header will be
> ignored if the HTTPS session is not secured (for instance because the
> client uses a self-signed cert, section 8.1 says the header will be
> accepted only "if there are no underlying secure transport errors or
> warnings"). So, it seems that adding Strict-Transport-Security: is
> useless (it will be ignored, per section 8.1) but not an error.
> 
> I checked with the Chromium browser "Version 20.0.1132.47 Ubuntu 12.04
> (144678)" and an HTTPS site signed by CAcert.org (unknown CA for most
> browsers) and, indeed, Chromium ignores the HSTS header and accepts to
> use HTTP. Once the CAcert.org cert is added, Chromium accepts the HSTS
> header and uses only HTTPS. So, it seems the Chromium programmers
> decided to ignore section 11.3?
> 
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
> 
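The two rules discussed above (section 8.1: only note an HSTS host when the response arrived over a clean secure transport; section 11.3: once a host is known, a transport error is fatal with no override) as an added toy model of a user agent's HSTS store. This is example code written for this thread, not code from the thread, from RFC 6797, or from Chromium. It assumes the UA keys its table by exact hostname with the includeSubDomains superdomain match of section 8.2, that observe_response is only called for HTTPS responses, and that an unknown host with a certificate error gets a warning the user may override, which the RFC leaves to the UA.

```python
import time
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the entry is stale
    include_subdomains: bool  # includeSubDomains directive was present


def parse_sts_header(value):
    """Parse a Strict-Transport-Security field value (RFC 6797 section 6.1).

    Returns (max_age_seconds, include_subdomains) or None when the header
    carries no valid max-age directive. Directive names are case-insensitive
    and max-age may be quoted.
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None  # invalid directive value: ignore the header
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Known HSTS Hosts table plus the two connection-time decisions."""

    def __init__(self, now=time.time):
        self.hosts = {}   # hostname -> HstsEntry
        self.now = now    # injectable clock so expiry can be exercised

    def observe_response(self, host, sts_header, transport_ok, scheme="https"):
        """Section 8.1: note the host only when the response came over HTTPS
        with no underlying transport errors or warnings (e.g. an untrusted
        or self-signed certificate). Returns True when the header was acted on."""
        if scheme != "https" or not transport_ok or sts_header is None:
            return False
        parsed = parse_sts_header(sts_header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            # max-age=0 tells the UA to stop treating the host as known (8.1.1)
            self.hosts.pop(host, None)
            return True
        self.hosts[host] = HstsEntry(self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """Section 8.2/8.3 matching: exact match, or a superdomain entry whose
        includeSubDomains flag is set. Expired entries do not match."""
        now = self.now()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def connect(self, host, scheme, transport_ok):
        """Decide what the UA does for a request to host.

        Returns 'rewrite-to-https', 'proceed', 'proceed-with-warning' or 'fail'.
        """
        known = self.is_known(host)
        if scheme == "http":
            # Section 8.3: plain HTTP to a known host is rewritten to HTTPS
            return "rewrite-to-https" if known else "proceed"
        if transport_ok:
            return "proceed"
        # Section 11.3 / 12.1: on a known host a transport error is fatal and
        # no certificate-exception override is offered. For an unknown host
        # the RFC says nothing; the warning-with-override here is an assumption.
        return "fail" if known else "proceed-with-warning"
```

Running the CAcert.org scenario from the thread through this model: while the CA is untrusted, observe_response returns False, the host never becomes known, and plain HTTP is still allowed; after the CA is trusted, one clean response notes the host, HTTP is rewritten to HTTPS, and a later certificate error on that host fails hard.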
