0
votes

As per the RFC6797- [..] "An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport." [..] https://tools.ietf.org/html/rfc6797#page-18

My question is - if the client is trying to access the host over non-secured HTTP (e.g. TCP port 80) and the server implements HSTS policy the server MUST respond with HSTS policy header over secured transport. Now considering the secured transport as SSL - when does the SSL key exchange and handshake happen, for client to decrypt the server response over secured transport/SSL?

The https://www.ssl2buy.com/wiki/http-strict-transport-security-hsts-better-security-for-applications link nicely explains the HSTS policy implementation but I am unable to put it together how the SSL handshake happens.

1

1 Answers

1
votes

HSTS has nothing to do with the SSL handshake.

It simply means if the browser is instructed to go to http://www.example.com, then instead act as if they were instructed to go to https://www.example.com.

The SSL negotiation happens afterwards - exactly as if they went to the https version directly.