Peer Knowledge Base

HSTS blocks access to the PMC's web interface

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.

Problem

Google Chrome and Microsoft Edge browsers block access to the PMC's web interface with an HSTS error similar to this:

[Screenshot: example HSTS error]

Diagnosis

This error message is a bit misleading. The PMC's web service itself does not require HSTS, but it uses a self-signed certificate (which can be replaced).

Chrome and Edge are applying HSTS rules to the PMC's server through the browser's own configuration. The combination of the browser's settings and the PMC's self-signed certificate causes the block.
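One way to confirm this diagnosis from a workstation, as an added example (not Peer Software's code): the script checks whether the web service sets an HSTS policy in its response headers and whether its certificate passes default verification. The host and port are supplied on the command line, and the function names are this example's own.

```python
import http.client
import socket
import ssl
import sys

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if absent or lacking a valid max-age."""
    max_age, subdomains = None, False
    for directive in (value or "").split(";"):
        name, _, arg = (part.strip() for part in directive.partition("="))
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            max_age = int(arg.strip('"'))
        elif name.lower() == "includesubdomains":
            subdomains = True
    return None if max_age is None else {"max_age": max_age, "include_subdomains": subdomains}

def cert_error(host, port, timeout=5):
    """Return the verification failure text under default trust settings, or None if trusted."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, ctx.wrap_socket(raw, server_hostname=host):
            return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message

def fetch_hsts(host, port, timeout=5):
    """Read the HSTS response header; verification is off only so the header can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()

def diagnose(hsts_value, cert_problem):
    """Classify the case from the server's HSTS header and its certificate status."""
    policy = parse_hsts(hsts_value)
    if not cert_problem:
        return "certificate trusted"
    if policy and policy["max_age"] > 0:
        return "server sets an HSTS policy; certificate untrusted"
    return "server sets no HSTS policy; certificate untrusted"

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])  # host and port of the PMC web interface
    print(diagnose(fetch_hsts(host, port), cert_error(host, port)))
```

A result of "server sets no HSTS policy; certificate untrusted" matches the situation described here: the HSTS rule comes from the browser, and the certificate is what fails.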

Solution

To clear up this error:

  1. Navigate to the appropriate page:

     Browser           Page
     Google Chrome     chrome://net-internals/#hsts
     Microsoft Edge    edge://net-internals/#hsts

  2. Scroll to the bottom of the page to the Delete domain security policies section.

  3. Enter the domain name of the PMC in the Domain field, and then click Delete.
    Note: You do not need to enter https:// before the domain name, nor do you need to enter the port number or any text that follows the port number.

  4. Refresh the PMC's page in the browser. You will still get an alert, but the browser should now let you bypass it.
