
I am trying to do some testing with HSTS, so I set up a new Apache instance, configured it with a server cert (not self-signed), configured it to send the HSTS header, and am now trying to test it using Firefox, Chrome, and IE.

However, so far it seems like I am only able to see the HSTS functionality (changing the end URL to an HTTPS URL when I point the browser to a non-HTTPS URL) with Firefox.

When I do the same tests, using either Chrome or IE, when I point the browser to the non-HTTPS URL, the browser just displays the response page...

FYI, based on some searches, I have tried going to an HTTPS URL first and then pointing the browser to a non-HTTPS URL... in this case, the browser just shows the non-HTTPS page.

Is there something additional that I need to do to IE and Chrome to get them to exhibit the HSTS functionality?

Thanks, Jim

  • With Chrome you should be able to see the status of the HSTS cache by typing `chrome://net-internals/#hsts` into the address bar and searching for your domain. Are you using a real domain? Do you get a green padlock or an HTTPS error? Chrome doesn't cache details if you skip past cert errors. – Barry Pollard Aug 28 '18 at 21:11

1 Answer

I figured out my problem. It appears that in order for the HSTS to work when using Chrome and IE, the server certificate MUST have a Subject Alternative Name (SAN) with the server name/FQDN, in addition to the FQDN in the certificate Subject.

I was able to modify and use one of the scripts in this thread:

https://serverfault.com/questions/845766/generating-a-self-signed-cert-with-openssl-that-works-in-chrome-58

to make a new CA-signed server certificate with a SAN, and now the HSTS works with Firefox, Chrome and IE (most of the solutions on that page were for self-signed server certs, but I was able to adapt one of them to use with my own (test) CA cert).

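As an added example (not code from the original post or from the linked thread), the script below does what the answer describes: a test CA signs a server certificate that carries the FQDN in both the Subject CN and a Subject Alternative Name, and a check confirms the SAN is actually present before the cert is handed to Apache. The hostname, CA name and output paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway test CA and a
# CA-signed server certificate with the FQDN in the Subject CN *and* in a SAN,
# which is what the answer found Chrome and IE need before they honour HSTS.
# FQDN and file locations are constructed placeholders.
set -eu

FQDN="hsts-test.example.internal"   # constructed placeholder FQDN

# make_san_cert DIR [FQDN]: writes ca.crt, server.key and server.crt into DIR.
# The SAN is added at signing time via -extfile, which works on both old and
# current OpenSSL releases (no -addext or -copy_extensions required).
make_san_cert() {
  dir="$1"; host="${2:-$FQDN}"
  mkdir -p "$dir"
  # 1. Test CA: a self-signed root used only to sign the server certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Test HSTS CA" 2>/dev/null
  # 2. Server key and CSR with the FQDN in the Subject (what a CN-only cert has)
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" -subj "/CN=$host" 2>/dev/null
  # 3. Sign with the CA and add the SAN extension that the CN-only cert lacked
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# san_has_dns CERT FQDN: succeeds only if CERT's SAN lists FQDN as a DNS name.
# Run this on a cert before concluding that a browser is "ignoring" HSTS.
san_has_dns() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# chain_ok CA CERT: succeeds if CERT validates against CA. A clean chain matters
# because Chrome does not record HSTS for a site whose cert error was clicked past.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: build into a temp dir and print the SAN line the browser will see
out="$(mktemp -d)"
make_san_cert "$out"
openssl x509 -in "$out/server.crt" -noout -text | grep 'DNS:'
```

Point Apache's `SSLCertificateFile` / `SSLCertificateKeyFile` at `server.crt` and `server.key`, and import `ca.crt` into the test browsers' trust stores so the chain validates without a warning.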