On 19/11/16 15:20, Valentin Sundermann wrote:
> Hey,
>
>>>> There seems to be some HSTS setup blocking access to
>>>> http://keys.vsund.de:11371/pks/lookup?op=stats ?
>>> Not HSTS but;
> HSTS only prevents a "real" browser from viewing it. As of my
> understanding, all other client implementations shouldn't have
> problems with HSTS on the domain but HTTP traffic at port 11371. So
> I'm sure it isn't a problem.
>
>>> 139752133074456:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
>>
>>> (proxy is sending https traffic to http)
>>
>>> ie no ssl offload.
> I'm pretty sure that this is because of my ssl settings (I only
> accept TLS 1.2 atm). But the clients shouldn't have a problem with
> this either, because they use the plain protocol at port 11371.
>
>> + a rewrite rule to https, (I hadn't visited the url before so
>> HSTS wouldn't apply)
> There is one at port 80 but not at 11371. If I understood it
> correctly, the client implementations expect to have plain traffic
> at port 11371. So having a rewrite there would confuse them, I
> guess.
>
> Best regards, Valentin Sundermann

I had another look as this was confusing me; turns out HSTS can be enabled without a header...

https://hstspreload.appspot.com/?domain=vsund.de

At some point or presently the TLD had been parsed with preload; as such the domain has entered an HSTS database used by common web browsers.

Kind Regards,
Mike

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
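
The behaviour discussed in this thread, as an added example that is not part of the original messages: a sketch of the RFC 6797 section 8.3 upgrade a browser applies to a preloaded host, showing that an explicit port such as 11371 is preserved while the scheme becomes https. The `PRELOAD` table is a constructed stand-in for a browser's built-in list, and `include_subdomains` for `vsund.de` is an assumption.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a browser's built-in HSTS preload list.
# Assumption: the entry covers subdomains.
PRELOAD = {"vsund.de": {"include_subdomains": True}}


def is_known_hsts_host(host, preload=PRELOAD):
    """True if host, or a parent domain that includes subdomains, is listed."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = preload.get(".".join(labels[i:]))
        if entry and (i == 0 or entry["include_subdomains"]):
            return True
    return False


def effective_url(url, preload=PRELOAD):
    """URL an HSTS-aware browser actually requests (RFC 6797 section 8.3).

    Userinfo in the URL is not carried over; this sketch ignores it.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    if not is_known_hsts_host(parts.hostname, preload):
        return url
    port = parts.port
    if port == 80:
        port = 443  # an explicit port 80 is converted to 443
    # Any other explicit port is preserved; no port is added when absent.
    netloc = parts.hostname if port is None else f"{parts.hostname}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def looks_like_tls(first_bytes):
    """True if a peer's first bytes form a TLS record header (alert/handshake)."""
    return (len(first_bytes) >= 3
            and first_bytes[0] in (0x15, 0x16)
            and first_bytes[1] == 0x03)


if __name__ == "__main__":
    for u in ("http://keys.vsund.de:11371/pks/lookup?op=stats",
              "http://vsund.de:80/", "http://example.org:11371/"):
        print(u, "->", effective_url(u))
    # Constructed reply from a plain-HTTP listener: not a TLS record.
    print(looks_like_tls(b"HTTP/1.1 400 Bad Request\r\n"))
```

Clients that do not implement HSTS skip the upgrade and keep speaking plain HTTP to port 11371.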