
Strict Transport Security detection

Question asked by Scott Miller on Jun 17, 2013
Latest reply on Jun 18, 2013 by Scott Miller

(Edit: I think I see my answer: https://community.qualys.com/thread/11041?tstart=0 )

I'm sending a header for Strict Transport Security but the ssllabs scan shows:

Strict Transport Security: No

https://www.ssllabs.com/ssltest/analyze.html?d=scottlinux.com

It's Ubuntu 12.04, stock apache and openssl provided. mod_header is enabled and the only config I have to specify this header is in the virtual host:

<Virtualhost *:443>
Header always set Strict-Transport-Security "max-age=43200;"
ServerName scottlinux.com
...

According to browser tools, curl, etc., the header is coming across and looks like it is working.

Does anyone have any ideas? Thanks,

stmiller@brahms:~$ curl -I -v https://scottlinux.com
* About to connect() to scottlinux.com port 443 (#0)
*   Trying 2600:3c01::f03c:91ff:fe96:edba...
* connected
* Connected to scottlinux.com (2600:3c01::f03c:91ff:fe96:edba) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
*            subject: serialNumber=1XZdnS3S/eEXEFBKquhTKEWRuzCLADYy; OU=GT05040709; OU=See www.rapidssl.com/resources/cps (c)13; OU=Domain Control Validated - RapidSSL(R); CN=scottlinux.com
*            start date: 2013-01-24 18:16:35 GMT
*            expire date: 2017-01-26 20:17:52 GMT
*            subjectAltName: scottlinux.com matched
*            issuer: C=US; O=GeoTrust, Inc.; CN=RapidSSL CA
*            SSL certificate verify ok.
> HEAD / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: scottlinux.com
> Accept: */*
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Tue, 18 Jun 2013 01:09:14 GMT
Date: Tue, 18 Jun 2013 01:09:14 GMT
< Server: Apache
Server: Apache
< X-Frame-Options: DENY
X-Frame-Options: DENY
< Strict-Transport-Security: max-age=43200;
Strict-Transport-Security: max-age=43200;
< Cache-Control: max-age=0, no-cache
Cache-Control: max-age=0, no-cache
< X-Powered-By: Beer
X-Powered-By: Beer
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
< X-UA-Compatible: IE=edge,chrome=1
X-UA-Compatible: IE=edge,chrome=1
< Vary: User-Agent,Accept-Encoding
Vary: User-Agent,Accept-Encoding
< Pragma: no-cache
Pragma: no-cache
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
* no chunk, no close, no size. Assume close to signal end
<
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
stmiller@brahms:~$
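The header in the curl output above is syntactically valid (RFC 6797 permits the trailing ';' as an empty directive), but its max-age of 43200 seconds is only 12 hours. The checker below is an added example, not code from the thread or from SSL Labs: it parses a Strict-Transport-Security value the way a user agent would (required max-age, case-insensitive directive names, duplicate directives invalidate the header, only the first STS field counts) and flags a max-age below an assumed 180-day threshold as weak.

```python
from dataclasses import dataclass, field

# Assumed threshold, not taken from the thread: 180 days; the 43200 s (12 h) in the question is far below it.
MIN_MAX_AGE = 180 * 24 * 3600


@dataclass
class HstsPolicy:
    max_age: int = None
    include_subdomains: bool = False
    preload: bool = False
    errors: list = field(default_factory=list)    # any entry -> a UA ignores the header
    warnings: list = field(default_factory=list)  # header valid but weak


def parse_hsts(value: str) -> HstsPolicy:
    """Parse one Strict-Transport-Security value per RFC 6797 section 6.1."""
    p, seen = HstsPolicy(), set()
    for raw in value.split(";"):            # directives are ';'-separated
        d = raw.strip()
        if not d:                           # empty directive: the trailing ';' in "max-age=43200;" is legal
            continue
        name, _, val = d.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')  # names case-insensitive, value may be quoted
        if name in seen:
            p.errors.append(f"directive {name} appears more than once")
        seen.add(name)
        if name == "max-age":
            if val.isdigit():
                p.max_age = int(val)
            else:
                p.errors.append(f"max-age value {val!r} is not delta-seconds")
        elif name == "includesubdomains":
            p.include_subdomains = True
        elif name == "preload":
            p.preload = True
        else:
            p.warnings.append(f"unknown directive {name!r} is ignored by UAs")
    if "max-age" not in seen:
        p.errors.append("required max-age directive is missing")
    elif p.max_age == 0:
        p.warnings.append("max-age=0 tells UAs to forget the policy")
    elif p.max_age is not None and p.max_age < MIN_MAX_AGE:
        p.warnings.append(f"max-age {p.max_age}s is below {MIN_MAX_AGE}s")
    return p


def hsts_from_headers(headers):
    """headers: list of (name, value) pairs; UAs process only the first STS field."""
    found = [v for n, v in headers if n.lower() == "strict-transport-security"]
    return parse_hsts(found[0]) if found else None
```

Feed it the (name, value) pairs from a `curl -I` run to see whether a scanner reporting "No" is reacting to a missing header or merely to a short max-age.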
