httpd(8): don't send HSTS headers over unencrypted connections


httpd(8): don't send HSTS headers over unencrypted connections

Anthony J. Bentley-4
Hi,

RFC 6797 says:

   An HSTS Host MUST NOT include the STS header field in HTTP responses
   conveyed over non-secure transport.

Is this the correct check? With this I get what I expect: HSTS headers
over TLS, and no HSTS headers over unencrypted HTTP.

Index: server_fcgi.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
retrieving revision 1.76
diff -u -p -r1.76 server_fcgi.c
--- server_fcgi.c 19 May 2018 13:56:56 -0000 1.76
+++ server_fcgi.c 15 Oct 2018 01:30:28 -0000
@@ -655,7 +655,7 @@ server_fcgi_header(struct client *clt, u
  return (-1);
 
  /* HSTS header */
- if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
+ if (srv_conf->flags & SRVFLAG_SERVER_HSTS && clt->clt_tls_ctx != NULL) {
  if ((cl =
     kv_add(&resp->http_headers, "Strict-Transport-Security",
     NULL)) == NULL ||
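Review bot: the per-connection test `clt->clt_tls_ctx != NULL` decides HSTS from whether this particular client negotiated TLS, which is the finest-grained check available, but it copies the same compound condition into three functions (this one, server_abort_http and server_response_http below); a one-line helper or macro evaluated in a single place would keep the three sites from drifting apart if the rule changes again, and would also let the bitwise test be parenthesised once, as `(srv_conf->flags & SRVFLAG_SERVER_HSTS) && clt->clt_tls_ctx != NULL`, so readers need not recall that `&` binds tighter than `&&`.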
Index: server_http.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
retrieving revision 1.125
diff -u -p -r1.125 server_http.c
--- server_http.c 11 Oct 2018 09:52:22 -0000 1.125
+++ server_http.c 15 Oct 2018 01:30:28 -0000
@@ -950,7 +950,7 @@ server_abort_http(struct client *clt, un
  goto done;
  }
 
- if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
+ if (srv_conf->flags & SRVFLAG_SERVER_HSTS && clt->clt_tls_ctx != NULL) {
  if (asprintf(&hstsheader, "Strict-Transport-Security: "
     "max-age=%d%s%s\r\n", srv_conf->hsts_max_age,
     srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ?
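Review bot: this is the error-page path, so with the change a plaintext client receiving an error response no longer gets the STS field either, which is what the RFC 6797 MUST NOT quoted in the mail asks for; the header value itself (`max-age=%d` from `srv_conf->hsts_max_age` plus the optional suffix chosen by `srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS`) is untouched, so TLS clients keep seeing exactly the header they saw before.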
@@ -1452,7 +1452,7 @@ server_response_http(struct client *clt,
  return (-1);
 
  /* HSTS header */
- if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
+ if (srv_conf->flags & SRVFLAG_SERVER_HSTS && clt->clt_tls_ctx != NULL) {
  if ((cl =
     kv_add(&resp->http_headers, "Strict-Transport-Security",
     NULL)) == NULL ||
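Review bot: this normal-response check (and its server_fcgi.c twin) is exactly what the relayd(8) TLS-termination deployment raised later in the thread runs into: httpd on localhost sees a plaintext client, `clt_tls_ctx` is NULL, and no STS field is emitted even though the browser is talking TLS to relayd; that is the correct behaviour for httpd itself, but it means the header must then be added at relayd (its `header set` feature), and the `hsts` entry in httpd.conf(5) should say so rather than leaving the admin to discover the header silently went away.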


Re: httpd(8): don't send HSTS headers over unencrypted connections

Bruno Flueckiger
On 14.10.18 19:36, Anthony J. Bentley wrote:

> Hi,
>
> RFC 6797 says:
>
>    An HSTS Host MUST NOT include the STS header field in HTTP responses
>    conveyed over non-secure transport.
>
> Is this the correct check? With this I get what I expect: HSTS headers
> over TLS, and no HSTS headers over unencrypted HTTP.
>

If you don't want to send HSTS headers then don't set the option hsts in
httpd.conf(5). Why would you provide an option for the admin to choose
but restrict it to only encrypted connections?

Your change would break the scenario of running httpd behind relayd(8)
for TLS acceleration, e. g. relayd on the public interface and httpd on
localhost.

Cheers,
Bruno

> Index: server_fcgi.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
> retrieving revision 1.76
> diff -u -p -r1.76 server_fcgi.c
> --- server_fcgi.c 19 May 2018 13:56:56 -0000 1.76
> +++ server_fcgi.c 15 Oct 2018 01:30:28 -0000
> @@ -655,7 +655,7 @@ server_fcgi_header(struct client *clt, u
>   return (-1);
>  
>   /* HSTS header */
> - if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
> + if (srv_conf->flags & SRVFLAG_SERVER_HSTS && clt->clt_tls_ctx != NULL) {
>   if ((cl =
>      kv_add(&resp->http_headers, "Strict-Transport-Security",
>      NULL)) == NULL ||
> Index: server_http.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
> retrieving revision 1.125
> diff -u -p -r1.125 server_http.c
> --- server_http.c 11 Oct 2018 09:52:22 -0000 1.125
> +++ server_http.c 15 Oct 2018 01:30:28 -0000
> @@ -950,7 +950,7 @@ server_abort_http(struct client *clt, un
>   goto done;
>   }
>  
> - if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
> + if (srv_conf->flags & SRVFLAG_SERVER_HSTS && clt->clt_tls_ctx != NULL) {
>   if (asprintf(&hstsheader, "Strict-Transport-Security: "
>      "max-age=%d%s%s\r\n", srv_conf->hsts_max_age,
>      srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ?
> @@ -1452,7 +1452,7 @@ server_response_http(struct client *clt,
>   return (-1);
>  
>   /* HSTS header */
> - if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
> + if (srv_conf->flags & SRVFLAG_SERVER_HSTS && clt->clt_tls_ctx != NULL) {
>   if ((cl =
>      kv_add(&resp->http_headers, "Strict-Transport-Security",
>      NULL)) == NULL ||
>


Re: httpd(8): don't send HSTS headers over unencrypted connections

Anthony J. Bentley-4
Bruno Flueckiger writes:
> If you don't want to send HSTS headers then don't set the option hsts in
> httpd.conf(5). Why would you provide an option for the admin to choose
> but restrict it to only encrypted connections?

Because it's possible to specify both "listen on * tls port 443" and
"listen on * port 80" in the same server block.

The other TLS-related options only apply to encrypted connections in
such a scenario. Then again, none of them work by injecting headers.

--
Anthony J. Bentley
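A checker for the behaviour this thread settles on (STS field over TLS, never over plaintext, per RFC 6797 section 7.2), added here as an example rather than anything from the thread or from httpd; the sample header dicts are constructed, and `parse_sts`, `hsts_check` and `check_url` are names chosen for this example:

```python
import http.client
from urllib.parse import urlsplit

# Constructed sample header sets (not captured from a real host): what an
# httpd(8) server block with "hsts" configured sends on its two listeners.
SAMPLE_TLS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SAMPLE_PLAIN_BUGGY = {"Strict-Transport-Security": "max-age=31536000"}  # pre-patch port 80
SAMPLE_PLAIN_FIXED = {}                                                 # patched port 80


def parse_sts(value):
    """Split an STS field value into its directives (RFC 6797 section 6.1).
    Returns {lower-cased directive name: value, or None for valueless flags}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def hsts_check(scheme, headers):
    """Findings for one response. scheme is the transport the client used ('http'
    or 'https'); behind a TLS-terminating relayd that is the client side of relayd."""
    findings = []
    sts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if scheme == "http":
        if sts is not None:  # the RFC 6797 7.2 MUST NOT that this thread fixes
            findings.append("VIOLATION: STS field sent over non-secure transport")
        return findings
    if sts is None:
        findings.append("WARN: no STS field on a TLS response, HSTS is not in effect")
        return findings
    d = parse_sts(sts)
    if not (d.get("max-age") or "").isdigit():
        findings.append("INVALID: max-age directive missing or not a number")
    elif int(d["max-age"]) == 0:
        findings.append("NOTE: max-age=0 tells user agents to forget this host's policy")
    return findings


def check_url(url):
    """HEAD url and run hsts_check on the result; probe both http:// and https://."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=10)
    conn.request("HEAD", u.path or "/")
    return hsts_check(u.scheme, dict(conn.getresponse().getheaders()))
```

Run `check_url` against both listeners from outside any TLS-terminating proxy, since httpd on localhost behind relayd legitimately sees only plaintext.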


Re: httpd(8): don't send HSTS headers over unencrypted connections

Florian Obser
In reply to this post by Anthony J. Bentley-4
On Sun, Oct 14, 2018 at 07:36:18PM -0600, Anthony J. Bentley wrote:
> Hi,
>
> RFC 6797 says:
>
>    An HSTS Host MUST NOT include the STS header field in HTTP responses
>    conveyed over non-secure transport.
>
> Is this the correct check? With this I get what I expect: HSTS headers

please use srv_conf->flags & SRVFLAG_TLS

> over TLS, and no HSTS headers over unencrypted HTTP.
>
> Index: server_fcgi.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
> retrieving revision 1.76
> diff -u -p -r1.76 server_fcgi.c
> --- server_fcgi.c 19 May 2018 13:56:56 -0000 1.76
> +++ server_fcgi.c 15 Oct 2018 01:30:28 -0000
> @@ -655,7 +655,7 @@ server_fcgi_header(struct client *clt, u
>   return (-1);
>  
>   /* HSTS header */
> - if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
> + if (srv_conf->flags & SRVFLAG_SERVER_HSTS && clt->clt_tls_ctx != NULL) {
>   if ((cl =
>      kv_add(&resp->http_headers, "Strict-Transport-Security",
>      NULL)) == NULL ||
> Index: server_http.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
> retrieving revision 1.125
> diff -u -p -r1.125 server_http.c
> --- server_http.c 11 Oct 2018 09:52:22 -0000 1.125
> +++ server_http.c 15 Oct 2018 01:30:28 -0000
> @@ -950,7 +950,7 @@ server_abort_http(struct client *clt, un
>   goto done;
>   }
>  
> - if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
> + if (srv_conf->flags & SRVFLAG_SERVER_HSTS && clt->clt_tls_ctx != NULL) {
>   if (asprintf(&hstsheader, "Strict-Transport-Security: "
>      "max-age=%d%s%s\r\n", srv_conf->hsts_max_age,
>      srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ?
> @@ -1452,7 +1452,7 @@ server_response_http(struct client *clt,
>   return (-1);
>  
>   /* HSTS header */
> - if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
> + if (srv_conf->flags & SRVFLAG_SERVER_HSTS && clt->clt_tls_ctx != NULL) {
>   if ((cl =
>      kv_add(&resp->http_headers, "Strict-Transport-Security",
>      NULL)) == NULL ||
>

--
I'm not entirely sure you are real.


Re: httpd(8): don't send HSTS headers over unencrypted connections

Florian Obser-2
In reply to this post by Bruno Flueckiger
On Mon, Oct 15, 2018 at 07:33:52AM +0200, Bruno Flueckiger wrote:

> On 14.10.18 19:36, Anthony J. Bentley wrote:
> > Hi,
> >
> > RFC 6797 says:
> >
> >    An HSTS Host MUST NOT include the STS header field in HTTP responses
> >    conveyed over non-secure transport.
> >
> > Is this the correct check? With this I get what I expect: HSTS headers
> > over TLS, and no HSTS headers over unencrypted HTTP.
> >
>
> If you don't want to send HSTS headers then don't set the option hsts in
> httpd.conf(5). Why would you provide an option for the admin to choose
> but restrict it to only encrypted connections?
>
> Your change would break the scenario of running httpd behind relayd(8)
> for TLS acceleration, e. g. relayd on the public interface and httpd on
> localhost.

relayd should add the hsts header in that case with the "header set"
feature.

I wonder how I managed to not see the "MUST NOT" when I implemented
HSTS because I remember that I specifically looked for guidance on
when to set the header.

"MUST NOT" is the strongest language the IETF has - we should follow
it.

>
> Cheers,
> Bruno
>
> > Index: server_fcgi.c
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
> > retrieving revision 1.76
> > diff -u -p -r1.76 server_fcgi.c
> > --- server_fcgi.c 19 May 2018 13:56:56 -0000 1.76
> > +++ server_fcgi.c 15 Oct 2018 01:30:28 -0000
> > @@ -655,7 +655,7 @@ server_fcgi_header(struct client *clt, u
> >   return (-1);
> >  
> >   /* HSTS header */
> > - if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
> > + if (srv_conf->flags & SRVFLAG_SERVER_HSTS && clt->clt_tls_ctx != NULL) {
> >   if ((cl =
> >      kv_add(&resp->http_headers, "Strict-Transport-Security",
> >      NULL)) == NULL ||
> > Index: server_http.c
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
> > retrieving revision 1.125
> > diff -u -p -r1.125 server_http.c
> > --- server_http.c 11 Oct 2018 09:52:22 -0000 1.125
> > +++ server_http.c 15 Oct 2018 01:30:28 -0000
> > @@ -950,7 +950,7 @@ server_abort_http(struct client *clt, un
> >   goto done;
> >   }
> >  
> > - if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
> > + if (srv_conf->flags & SRVFLAG_SERVER_HSTS && clt->clt_tls_ctx != NULL) {
> >   if (asprintf(&hstsheader, "Strict-Transport-Security: "
> >      "max-age=%d%s%s\r\n", srv_conf->hsts_max_age,
> >      srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ?
> > @@ -1452,7 +1452,7 @@ server_response_http(struct client *clt,
> >   return (-1);
> >  
> >   /* HSTS header */
> > - if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
> > + if (srv_conf->flags & SRVFLAG_SERVER_HSTS && clt->clt_tls_ctx != NULL) {
> >   if ((cl =
> >      kv_add(&resp->http_headers, "Strict-Transport-Security",
> >      NULL)) == NULL ||
> >
>

--
I'm not entirely sure you are real.


Re: httpd(8): don't send HSTS headers over unencrypted connections

Anthony J. Bentley-4
In reply to this post by Florian Obser
Florian Obser writes:

> On Sun, Oct 14, 2018 at 07:36:18PM -0600, Anthony J. Bentley wrote:
> > Hi,
> >
> > RFC 6797 says:
> >
> >    An HSTS Host MUST NOT include the STS header field in HTTP responses
> >    conveyed over non-secure transport.
> >
> > Is this the correct check? With this I get what I expect: HSTS headers
>
> please use srv_conf->flags & SRVFLAG_TLS

With SRVFLAG_TLS:

Index: server_fcgi.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
retrieving revision 1.76
diff -u -p -r1.76 server_fcgi.c
--- server_fcgi.c 19 May 2018 13:56:56 -0000 1.76
+++ server_fcgi.c 15 Oct 2018 06:32:08 -0000
@@ -655,7 +655,8 @@ server_fcgi_header(struct client *clt, u
  return (-1);
 
  /* HSTS header */
- if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
+ if (srv_conf->flags & SRVFLAG_SERVER_HSTS &&
+    srv_conf->flags & SRVFLAG_TLS) {
  if ((cl =
     kv_add(&resp->http_headers, "Strict-Transport-Security",
     NULL)) == NULL ||
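Review bot: switching from `clt->clt_tls_ctx` to `srv_conf->flags & SRVFLAG_TLS` moves the decision from the connection to the listener's configuration, so it only yields the intended split if the `listen on * tls port 443` and `listen on * port 80` lines of one server block end up as separate srv_conf entries with the flag set on the TLS one alone; that assumption is worth a comment at this site. Since both operands now test the same flags word, a single mask test, `(srv_conf->flags & (SRVFLAG_SERVER_HSTS | SRVFLAG_TLS)) == (SRVFLAG_SERVER_HSTS | SRVFLAG_TLS)`, is an equivalent alternative, though the two-clause form as written reads more plainly.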
Index: server_http.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
retrieving revision 1.125
diff -u -p -r1.125 server_http.c
--- server_http.c 11 Oct 2018 09:52:22 -0000 1.125
+++ server_http.c 15 Oct 2018 06:32:08 -0000
@@ -950,7 +950,8 @@ server_abort_http(struct client *clt, un
  goto done;
  }
 
- if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
+ if (srv_conf->flags & SRVFLAG_SERVER_HSTS &&
+    srv_conf->flags & SRVFLAG_TLS) {
  if (asprintf(&hstsheader, "Strict-Transport-Security: "
     "max-age=%d%s%s\r\n", srv_conf->hsts_max_age,
     srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ?
@@ -1452,7 +1453,8 @@ server_response_http(struct client *clt,
  return (-1);
 
  /* HSTS header */
- if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
+ if (srv_conf->flags & SRVFLAG_SERVER_HSTS &&
+    srv_conf->flags & SRVFLAG_TLS) {
  if ((cl =
     kv_add(&resp->http_headers, "Strict-Transport-Security",
     NULL)) == NULL ||
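Review bot: all three emission sites now carry the same two-line condition, so any future fourth place that emits the STS field has to be updated by hand as well; a one-line helper would be cheaper than a fourth copy. The hunk headers (`-655,7 +655,8`, `-950,7 +950,8`, `-1452,7 +1453,8`) confirm each change is a pure one-line insertion into the existing `if`, with no other behaviour touched.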


Re: httpd(8): don't send HSTS headers over unencrypted connections

Florian Obser-2
OK florian@

On Mon, Oct 15, 2018 at 12:38:56AM -0600, Anthony J. Bentley wrote:

> Florian Obser writes:
> > On Sun, Oct 14, 2018 at 07:36:18PM -0600, Anthony J. Bentley wrote:
> > > Hi,
> > >
> > > RFC 6797 says:
> > >
> > >    An HSTS Host MUST NOT include the STS header field in HTTP responses
> > >    conveyed over non-secure transport.
> > >
> > > Is this the correct check? With this I get what I expect: HSTS headers
> >
> > please use srv_conf->flags & SRVFLAG_TLS
>
> With SRVFLAG_TLS:
>
> Index: server_fcgi.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
> retrieving revision 1.76
> diff -u -p -r1.76 server_fcgi.c
> --- server_fcgi.c 19 May 2018 13:56:56 -0000 1.76
> +++ server_fcgi.c 15 Oct 2018 06:32:08 -0000
> @@ -655,7 +655,8 @@ server_fcgi_header(struct client *clt, u
>   return (-1);
>  
>   /* HSTS header */
> - if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
> + if (srv_conf->flags & SRVFLAG_SERVER_HSTS &&
> +    srv_conf->flags & SRVFLAG_TLS) {
>   if ((cl =
>      kv_add(&resp->http_headers, "Strict-Transport-Security",
>      NULL)) == NULL ||
> Index: server_http.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
> retrieving revision 1.125
> diff -u -p -r1.125 server_http.c
> --- server_http.c 11 Oct 2018 09:52:22 -0000 1.125
> +++ server_http.c 15 Oct 2018 06:32:08 -0000
> @@ -950,7 +950,8 @@ server_abort_http(struct client *clt, un
>   goto done;
>   }
>  
> - if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
> + if (srv_conf->flags & SRVFLAG_SERVER_HSTS &&
> +    srv_conf->flags & SRVFLAG_TLS) {
>   if (asprintf(&hstsheader, "Strict-Transport-Security: "
>      "max-age=%d%s%s\r\n", srv_conf->hsts_max_age,
>      srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ?
> @@ -1452,7 +1453,8 @@ server_response_http(struct client *clt,
>   return (-1);
>  
>   /* HSTS header */
> - if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
> + if (srv_conf->flags & SRVFLAG_SERVER_HSTS &&
> +    srv_conf->flags & SRVFLAG_TLS) {
>   if ((cl =
>      kv_add(&resp->http_headers, "Strict-Transport-Security",
>      NULL)) == NULL ||
>

--
I'm not entirely sure you are real.