chromium / hstspreload

🔒🔍 A Go package to scan sites against requirements for Chromium-maintained HSTS preload list.
https://hstspreload.org
BSD 3-Clause "New" or "Revised" License

HSTS PREVIOUS CERTIFICATE CACHE PROBLEMS ?? #108

Closed 4k2k closed 6 years ago

4k2k commented 6 years ago

Hi there

I am writing about a problem with a website listed on hstspreload.org. The issue is that the website, with its security policies, was preloaded with an old certificate, and it seems that this is still cached by hstspreload.org, so the new certificate, HPKP, etc. are not detected. In addition to Chrome and Firefox, other new firewalls such as ESET and Avast with SSL filtering enabled detect the previous SSL headers with the old HSTS, as if they were cached from hstspreload.org.

It seems this problem appears mainly with users who had previously visited the website with the previous certificate, and Chrome/Firefox or ESET/Avast added the old certificate to their whitelist; now the browsers and firewalls detect the new certificate with the old keys of the previous certificate and don't allow visiting the website. The errors are:

err_ssl_pinned_key_not_in_cert_chain err_bad_ssl_client_auth_cert ssl_error_bad_cert_alert

I tried removing redirects, disabling HSTS, HPKP and the security policies, and checked many certificates from different vendors, but I think the solution is not on the server. After 2 weeks this issue is still unsolved. All SSL testing tools show A+++.

Really, are the only options to solve this problem to delist the website from hstspreload.org or to wait weeks or months for its cache to expire?

Note: I also contacted ESET, and in their tests (with new computers that had never visited the website) they had no problem; the problems (at least as far as I know) came from 5 old customers and my PC, where we had previously visited the website with the old certificate.

nharper commented 6 years ago

This bug tracker is for issues with the hstspreload library, not for getting help with issues that might be related to server deployments of HSTS and/or HPKP. Questions about removal from the HSTS preload list should go to hstspreload@chromium.org.

Based on the first error you list, it sounds like at one point you had HPKP configured (and possibly preloaded), and now you're using a certificate that was not in the pin-set. The only options in this case are to change the server's certificate chain to one that matches one of the pins in the previously pinned pin-set, or wait for the max-age previously sent to expire.
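The mechanism behind nharper's answer, as an added example that is not part of this thread or of the hstspreload library: an HPKP pin is the SHA-256 of a certificate's SubjectPublicKeyInfo, a returning client accepts a connection only if some certificate in the served chain hashes to one of the pins it remembers, and it keeps enforcing those pins for the header's max-age counted from its last visit. The Go below (stand-alone, not the project's API) parses a Public-Key-Pins header, runs that chain check, and computes when a client's remembered pins lapse. The host name example.test, the self-signed certificates standing in for CA-issued ones, and the header values are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// SPKIPin is the HPKP pin of a certificate: base64(SHA-256(DER SubjectPublicKeyInfo)), RFC 7469 2.4.
// It covers the key, not the certificate: a renewal that keeps the key keeps the pin, a new key does not.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ParsePKPHeader extracts the pin-sha256 values and max-age from a Public-Key-Pins header value,
// e.g. pin-sha256="..."; pin-sha256="..."; max-age=5184000; includeSubDomains
func ParsePKPHeader(value string) (pins []string, maxAge int64, err error) {
	for _, directive := range strings.Split(value, ";") {
		kv := strings.SplitN(strings.TrimSpace(directive), "=", 2)
		if len(kv) != 2 {
			continue // valueless directives such as includeSubDomains
		}
		arg := strings.Trim(kv[1], `"`)
		switch strings.ToLower(kv[0]) {
		case "pin-sha256":
			pins = append(pins, arg)
		case "max-age":
			if maxAge, err = strconv.ParseInt(arg, 10, 64); err != nil {
				return nil, 0, fmt.Errorf("bad max-age %q: %w", arg, err)
			}
		}
	}
	if len(pins) == 0 {
		return nil, 0, fmt.Errorf("no pin-sha256 directive in header")
	}
	return pins, maxAge, nil
}

// ChainMatchesPins is the check a pinning client runs on each connection: at least one certificate in
// the served chain must hash to a remembered pin. false is what Chrome shows as ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN.
func ChainMatchesPins(pins []string, chain ...*x509.Certificate) bool {
	for _, cert := range chain {
		pin := SPKIPin(cert)
		for _, p := range pins {
			if p == pin {
				return true
			}
		}
	}
	return false
}

// PinExpiry is when a client that last saw the header at observed stops enforcing it;
// every successful pinned visit restarts the max-age clock.
func PinExpiry(observed time.Time, maxAge int64) time.Time {
	return observed.Add(time.Duration(maxAge) * time.Second)
}

// NewSelfSignedCert makes a fresh P-256 key and a self-signed certificate for host
// (a constructed stand-in for a CA-issued certificate; only the key matters for pinning).
func NewSelfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	oldCert, _ := NewSelfSignedCert("example.test") // key the site pinned (constructed)
	newCert, _ := NewSelfSignedCert("example.test") // replacement certificate with an unrelated key
	pins, maxAge, err := ParsePKPHeader(fmt.Sprintf(`pin-sha256="%s"; max-age=5184000`, SPKIPin(oldCert)))
	if err != nil {
		panic(err)
	}
	fmt.Println("new-key chain accepted by returning clients:", ChainMatchesPins(pins, newCert)) // false
	fmt.Println("a client that last visited today enforces the old pin until",
		PinExpiry(time.Now(), maxAge).Format(time.RFC3339))
}
```

The two remedies in the reply map directly onto the check: serving any chain that contains a pinned key (for example one issued for the old or backup key) makes ChainMatchesPins true again, and otherwise each affected client clears on its own only at PinExpiry for its last visit. Clean machines never saw the header, which is why tests from them pass.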