[TS-4502] HSTS should clip to the certificate expiry - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: sometime
Component/s: SSL
Labels:
None

Description

When using proxy.config.ssl.hsts_max_age to send a strict transport security header, we should examine the expiry of the certificate we are servige the request with, and clip the max HSTS age to the expiry of the certificate. This would prevent browsers puking on HSTS when certificates expire legitimately.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: James Peach

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 02/Jun/16 17:09

Updated:: 03/Jun/16 22:28