Forum Discussion
I have applied an HSTS iRule to a virtual server but user is getting Invalid Strict-Transport-Security header
I have applied the below iRule to a virtual server:
when HTTP_RESPONSE {
    HTTP::header insert Strict-Transport-Security "max-age=31536000; includeSubDomains"
}
While accessing the URL from a browser, the user gets an error when he tracks it in the Firebug tool:
Invalid Strict-Transport-Security header
Also user gets a note not to use Sha1 certificate. Right now I see the cipher on the profile is ADH-AES256-SHA:AES256-SHA:ADH-AES128-SHA:AES128-SHA:ADH-DES-CBC3-SHA:DES-CBC3-SHA:@STRENGTH. Can you provide me a stronger one?
4 Replies
- Kevin_Stewart
Employee
Any chance you're using an untrusted certificate? You'll typically get that error in FireBug if Firefox doesn't trust the server cert.
- dipta_03_149731
Nimbostratus
No Kevin, I am using a trusted certificate signed by CA.
Is this iRule somewhat not compatible with the AES_256_CBC SHA-1 cipher? And shall we apply some stronger cipher?
- Kevin_Stewart
Employee
That cipher suite is not incompatible with HSTS (and Firefox), so most likely not a cipher issue. You could, for giggles, set the cipher string to 'DEFAULT' and test, but you're most certainly going to get the same response.
"Also user gets a note not to use Sha1 certificate."
That is different than using a specific cipher; you can only fix that by using a certificate signed with a SHA-2 hash. See also: https://www.symantec.com/page.jsp?id=sha2-transition
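As an added example (not code from this thread or from F5), the following Python check parses a Strict-Transport-Security value against the grammar in RFC 6797 section 6.1, so the header string from the iRule can be ruled in or out as the cause before looking at the certificate. The function name `parse_hsts` and all sample values other than the iRule's own string are constructed for illustration.

```python
import re

# RFC 7230 "token" characters: directive names and unquoted directive values.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
DIRECTIVE = re.compile(rf"\s*({TOKEN})\s*(?:=\s*({TOKEN}|{QUOTED}))?\s*")
PARTS = re.compile(rf'(?:[^;"]|{QUOTED})+')  # split on ';' outside quoted-strings


def parse_hsts(value):
    """Return (policy, errors); policy is None when a client must ignore the header."""
    seen, errors = {}, []
    for part in PARTS.findall(value):
        if not part.strip():
            continue  # empty directives such as a trailing ';' are permitted
        m = DIRECTIVE.fullmatch(part)
        if not m:
            errors.append(f"malformed directive: {part.strip()!r}")
            continue
        name, raw = m.group(1).lower(), m.group(2)  # names are case-insensitive
        if name in seen:
            errors.append(f"duplicate directive: {name}")
            continue
        if raw is not None and raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # unwrap a quoted-string
        seen[name] = raw  # unknown directives are kept here but never reported
    max_age = seen.get("max-age")
    if "max-age" not in seen:
        errors.append("missing required max-age directive")
    elif max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        errors.append(f"max-age is not delta-seconds: {max_age!r}")
    if seen.get("includesubdomains") is not None:
        errors.append("includeSubDomains takes no value")
    if errors:
        return None, errors
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in seen}, []


# First value is the one set by the iRule above; the rest are constructed.
SAMPLES = [
    "max-age=31536000; includeSubDomains",
    'max-age="31536000"',
    "includeSubDomains",
    "max-age=31536000; max-age=0",
    "max-age=1 year",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", parse_hsts(sample))
```

The iRule's value parses cleanly, so the header text itself is well formed. RFC 6797 section 8.1 has a client act on the header only when the TLS connection carried no errors or warnings.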