sks-devel
Re: [Sks-devel] Something broken?


From: Michael Jones
Date: Sat, 19 Nov 2016 17:47:27 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0

On 19/11/16 15:20, Valentin Sundermann wrote:
> Hey,
> 
>>>> There seems to be some HSTS setup blocking access to 
>>>> http://keys.vsund.de:11371/pks/lookup?op=stats ?
>>> Not HSTS but;
> HSTS only prevents a "real" browser from viewing it. As far as I
> understand, all other client implementations shouldn't have
> problems with HSTS on the domain but HTTP traffic at port 11371. So
> I'm sure it isn't a problem.
> 
>>> 139752133074456:error:140770FC:SSL 
>>> routines:SSL23_GET_SERVER_HELLO:unknown
>>> protocol:s23_clnt.c:794:
>> 
>>> (proxy is sending https traffic to http)
>> 
>>> ie no ssl offload.
> I'm pretty sure that this is because of my SSL settings (I only
> accept TLS 1.2 atm). But the clients shouldn't have a problem with
> this either, because they use the plain protocol at port 11371.
> 
>> + a rewrite rule to https, (I hadn't visited the url before so
>> HSTS wouldn't apply)
> There is one at port 80 but not at 11371. If I understood it
> correctly, the client implementations expect to have plain traffic
> at port 11371. So having a rewrite there would confuse them, I
> guess.
> 
> Best regards, Valentin Sundermann

I had another look as this was confusing me; turns out HSTS can be
enabled without a header...

https://hstspreload.appspot.com/?domain=vsund.de

At some point, or presently, the TLD had been parsed with preload;
as such, the domain has entered an HSTS database used by common web
browsers.

Kind Regards,
Mike

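Added example, not part of the original message: a sketch of the URL upgrade a browser applies to a known HSTS host (RFC 6797, section 8.3), showing that an explicit non-80 port such as 11371 is kept while the scheme becomes https, so the TLS handshake lands on a plain-HTTP listener. The preload table and the function names are constructed for illustration, and the entry is assumed to cover subdomains.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a browser's preloaded HSTS list:
# host -> include_subdomains (assumption: the entry covers subdomains).
PRELOADED = {"vsund.de": True}


def is_known_hsts_host(host, preloaded=PRELOADED):
    """True on an exact match, or when a parent domain is listed
    with include_subdomains set."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in preloaded and (i == 0 or preloaded[candidate]):
            return True
    return False


def effective_url(url, preloaded=PRELOADED):
    """Return the URL an HSTS-enforcing browser actually connects to."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "http" or not is_known_hsts_host(host, preloaded):
        return url  # no upgrade: not http, or host not covered
    port = parts.port
    if port == 80:
        port = 443  # an explicit :80 is rewritten to :443
    # Any other explicit port is preserved; no port is added if none was given.
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for u in (
        "http://keys.vsund.de:11371/pks/lookup?op=stats",
        "http://vsund.de:80/",
        "http://keys.example.org:11371/pks/lookup?op=stats",
    ):
        print(u, "->", effective_url(u))
```

Clients that do not implement HSTS request the URL unchanged, which matches the observation in the thread that only browsers are affected.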


