ssllabs / ssllabs-scan

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.
https://www.ssllabs.com/projects/ssllabs-apis/
Apache License 2.0

Invalid: Server provided more than one HSTS header #544

Open angelperezleon opened 6 years ago

angelperezleon commented 6 years ago

Hi all,

There is a similar issue highlighted at https://github.com/ssllabs/ssllabs-scan/issues/294. I am using Apache 2.4 on a Debian webserver, and ssllabs-scan always comes back with this problem whatever I do with the enabled sites configs.

I also use Let's Encrypt certbot to renew my certs, so I am wondering if this is where the HSTS header is being picked up from, as I am normally setting this from the vhost entry of each site.

This is what I have; I'd like to keep the site anonymous for obvious reasons.

curl --head http://files.mysite.url
HTTP/1.1 301 Moved Permanently
Date: Tue, 14 Nov 2017 14:35:09 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Location: https://files.mysite.url
Content-Type: text/html; charset=iso-8859-1

anand-bhat commented 6 years ago

You can check the response headers section of the UI scanner to determine what exactly is being sent.

Also, the HSTS header is applicable only on HTTPS responses. Ideally, you wouldn't send it in the http -> https 301 redirect.

angelperezleon commented 6 years ago

@anand-bhat

Thanks for the feedback.

.htaccess file = https://pastebin.com/cPM1HwpP

my apache site config file in debian 9 = https://pastebin.com/mQY4z0Hu

I have disabled the rewrite rules as well in a previous test but still see: https://pastebin.com/VzvXkZPJ

angelperezleon commented 6 years ago

OK, after switching on logging I now see

root@localhost:~# cat /var/log/apache2/options-ssl-apache-error.log
[Thu Nov 16 10:57:37.345570 2017] [ssl:error] [pid 4526] [client 64.41.200.103:58810] AH02042: rejecting client initiated renegotiation
[Fri Nov 17 08:06:57.916619 2017] [ssl:error] [pid 16518] [client 64.41.200.101:53210] AH02042: rejecting client initiated renegotiation
[Fri Nov 17 12:50:54.216184 2017] [ssl:error] [pid 20957] [client 64.41.200.102:46442] AH02042: rejecting client initiated renegotiation

These are SSL Labs IPs... any relevance here?

angelperezleon commented 6 years ago

Posting headers info for my site (note: I have changed the site URL) and wondering if anyone else can offer advice on this. Why am I getting "Strict Transport Security (HSTS) Invalid: Server provided more than one HSTS header" when doing https://www.ssllabs.com/ssltest/?

root@localhost:/var/log/letsencrypt# curl -i my-website-too.com
HTTP/1.1 301 Moved Permanently
Date: Fri, 01 Dec 2017 09:57:17 GMT
Server: Apache
Strict-Transport-Security: max-age=300; includeSubDomains
Location: https://my-website-too.com/
Content-Length: 231
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://my-website-too.com/">here</a>.</p>
</body></html>
root@localhost:/var/log/letsencrypt#
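An added example (not code from this issue or from the ssllabs-scan project) that turns the two points raised in this thread into an offline check: anand-bhat's rule that HSTS only counts on HTTPS responses and should not ride along on the http -> https redirect, and the scanner's "more than one HSTS header" complaint. It parses raw HTTP/1.x response text such as the curl output posted above. The first sample response is the one the reporter posted; the duplicate-header HTTPS response is constructed here to illustrate the scanner finding (for example, when two configuration layers each emit the header), and is not taken from the reporter's server.

```python
"""Offline checks for Strict-Transport-Security problems in raw HTTP responses.

Findings reported (defender-side, mirroring what the SSL Labs test complains about):
  * more than one Strict-Transport-Security header in a single response
  * an HSTS header on a plaintext http:// response (browsers ignore it there)
  * a max-age directive that is missing or not a non-negative integer
"""
import re

HSTS = "strict-transport-security"


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, [(name_lower, value), ...]).

    Accepts either CRLF or LF line endings; anything after the first blank line (the body)
    is ignored.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.splitlines()
    status = lines[0]
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_hsts(value):
    """Parse an HSTS header value into a directive dict.

    'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': None}
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def check_hsts(raw, scheme):
    """Return a list of finding strings for one response fetched over `scheme` ('http'/'https')."""
    _, headers = parse_response(raw)
    hsts_values = [v for n, v in headers if n == HSTS]
    findings = []
    if not hsts_values:
        if scheme == "https":
            findings.append("no HSTS header on https response")
        return findings
    if len(hsts_values) > 1:
        findings.append("server provided more than one HSTS header (%d)" % len(hsts_values))
    if scheme != "https":
        findings.append("HSTS header sent on plaintext http response; browsers ignore it there")
    for v in hsts_values:
        d = parse_hsts(v)
        if "max-age" not in d or not re.fullmatch(r"\d+", d["max-age"] or ""):
            findings.append("malformed or missing max-age in %r" % v)
    return findings


# Sample 1: the plaintext redirect the reporter posted in this thread.
HTTP_REDIRECT = """HTTP/1.1 301 Moved Permanently
Date: Fri, 01 Dec 2017 09:57:17 GMT
Server: Apache
Strict-Transport-Security: max-age=300; includeSubDomains
Location: https://my-website-too.com/
Content-Length: 231
Connection: close
Content-Type: text/html; charset=iso-8859-1

<html><body>Moved Permanently</body></html>"""

# Sample 2: constructed HTTPS response carrying the header twice, the condition
# behind the "more than one HSTS header" scanner result (hypothetical values).
HTTPS_DUPLICATE = """HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=300; includeSubDomains
Content-Type: text/html

<html></html>"""

# Sample 3: constructed HTTPS response with a single well-formed header.
HTTPS_OK = """HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html

<html></html>"""

if __name__ == "__main__":
    for label, raw, scheme in (("http redirect", HTTP_REDIRECT, "http"),
                               ("https duplicate", HTTPS_DUPLICATE, "https"),
                               ("https ok", HTTPS_OK, "https")):
        print(label, "->", check_hsts(raw, scheme) or ["ok"])
```

To use it against a live server, paste the output of `curl -i` for the http:// and https:// URLs into `check_hsts` with the matching scheme; a clean result is an empty list for the HTTPS response and, per the advice above, no HSTS header at all on the plaintext redirect.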