SOLVED Can't connect to web GUI due to Strict Transport Security

Status
Not open for further replies.
Joined
Jul 13, 2013
Messages
286
Looks like the combination of strong security settings on the GUI port, and FreeNAS using a self-signed certificate, has made it impossible to connect from Firefox to FreeNAS. I recently did a forced upgrade (I physically damaged the old USB key it booted from, and downloaded and made a new one, and then uploaded the old configuration backup when the new USB key booted).

FreeNAS version is
Code:
[ddb@fsfs ~]$ uname -a
FreeBSD fsfs.bpoly.local 10.3-STABLE FreeBSD 10.3-STABLE #0 r295946+21897e6695f(HEAD): Tue Jul 25 00:03:12 UTC 2017  root@gauntlet:/freenas-9.10-releng/_BE/objs/freenas-9.10-releng/_BE/os/sys/FreeNAS.amd64  amd64

Firefox (on Windows 10) is version 55.0.3

Firefox says
Code:
Your connection is not secure

The owner of fsfs.bpoly.local has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.


So...reconfigure the security from the command line? I don't know how, but there could be a way. The long-term solution could be to tell Firefox to accept the self-signed certificate, but the ways I know to get a copy of the certificate are through the GUI, which I can't reach.

This smells wrong in one way -- it seems like anybody doing a new install from scratch would run into this if they asked for HTTPS enforced, and that seems an unlikely error to leak out. So maybe something else really triggered this?
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
Is there a way to reset HSTS in Firefox? Seems like your browser thinks it's talking to a different server.
 
Joined
Jul 13, 2013
Messages
286
Is there a way to reset HSTS in Firefox? Seems like your browser thinks it's talking to a different server.
I think that's a per-connection thing? Restarting Firefox didn't help, anyway.

It does seem to somehow be local to this system (maybe this copy of Firefox), though. I was able to get in from my laptop, and download the CA certificate. Importing that into Firefox doesn't help, which makes sense I guess. I also turned off https-only, and that didn't help either; I may try http-only next, though that's a little dangerous.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
I think that's a per-connection thing? Restarting Firefox didn't help, anyway.

It does seem to somehow be local to this system (maybe this copy of Firefox), though. I was able to get in from my laptop, and download the CA certificate. Importing that into Firefox doesn't help, which makes sense I guess. I also turned off https-only, and that didn't help either; I may try http-only next, though that's a little dangerous.
I didn't think HSTS was per connection. It's basically a way to stop you from connecting to a server that is pretending to be someone else.

What in your env makes http connecting dangerous? I would think just about 99% of people would be just fine using http. A large corporate network should probably use https or a management network to prevent snooping.
Are you a home user?
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Was your certificate stored on the boot device? Did you save a copy of it and import it to your fresh install?

HSTS works by not allowing an unencrypted connection once the initial connection has been established. If the connection was made with an old certificate with the same name as a new certificate, it will generate the error you are seeing, regardless of whether it is self-signed or signed by a recognized CA, until the time defined by the max-age directive has expired.

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
 
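To make the HSTS behaviour Jailer describes concrete, here is a small model of the browser side (an added example, not FreeNAS or Firefox code): it parses the max-age directive, keeps a cache of known hosts, and replays the situation in this thread. The host name is the one from the OP's uname output; the max-age value and the certificate trust states are constructed assumptions.

```python
# Constructed model of browser HSTS handling (RFC 6797); not FreeNAS or Firefox code.

def parse_max_age(header):
    """max-age seconds from a Strict-Transport-Security value; None if malformed (browsers ignore those)."""
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else None
    return None

class HstsCache:
    """Minimal browser HSTS store: host -> expiry time (seconds since epoch)."""
    def __init__(self):
        self.entries = {}

    def observe(self, host, header, now, cert_trusted):
        # Only a response over a trusted HTTPS connection may set, extend or clear
        # (max-age=0) an entry, so a server with an untrusted cert cannot undo its own HSTS.
        max_age = parse_max_age(header)
        if max_age is None or not cert_trusted:
            return
        if max_age == 0:
            self.entries.pop(host, None)
        else:
            self.entries[host] = now + max_age

    def is_known(self, host, now):
        if self.entries.get(host, 0) > now:
            return True
        self.entries.pop(host, None)  # absent or expired: forget it
        return False

    def decide(self, host, scheme, cert_trusted, now):
        """Known HSTS host: http is rewritten to https and a cert error is fatal, no exception (RFC 6797 s.12.1)."""
        if not self.is_known(host, now):
            if scheme == "https" and not cert_trusted:
                return "warn-override-allowed"  # the usual "Add Exception" page
            return "connect-" + scheme
        return "connect-https" if cert_trusted else "blocked-no-override"

def thread_scenario():
    """This thread's symptom: an entry cached while the old cert was trusted blocks the new self-signed cert."""
    box, host, day = HstsCache(), "fsfs.bpoly.local", 86400
    box.observe(host, "max-age=31536000", now=0, cert_trusted=True)  # constructed max-age value
    return [
        box.decide(host, "http", cert_trusted=False, now=day),           # blocked-no-override
        HstsCache().decide(host, "https", cert_trusted=False, now=day),  # laptop, no entry
        box.decide(host, "http", cert_trusted=False, now=366 * day),     # connect-http, expired
    ]
```

Because observe() only honours headers from trusted HTTPS responses, switching the NAS back to plain HTTP cannot clear the entry; the browser forgets it only when max-age runs out or when the user removes the site's stored data.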

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
I think that's a per-connection thing? Restarting Firefox didn't help, anyway.

It does seem to somehow be local to this system (maybe this copy of Firefox), though.
Like yesterday you installed Firefox and it was the only browser you had that would work. Now, it isn't working either.

You should not have set FreeNAS to such strict security. You locked yourself out.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Always wait to add HSTS until you know everything is working as intended. Even then make absolutely certain that you need it before enabling it.
 
Joined
Jul 13, 2013
Messages
286
Was your certificate stored on the boot device? Did you save a copy of it and import it to your fresh install?

No idea, it was handled entirely by the FreeNAS GUI. I think however that the certificates there now are the same as the ones before I booted from a clean flash drive and then uploaded the backed-up configuration (they have names I recognize; it seems unlikely the name would be preserved but the cert regenerated!).

I also have this problem only on the Windows 10 box; the Windows 7 laptop, also with Firefox, accessed the GUI fine, through HTTPS.

I have no idea where HSTS comes from; is it the result of selecting "HTTPS" as the protocol on the System / General GUI page? And now that it's set to HTTP, I still get redirected to https, which then fails, in Firefox. Works in Chrome.

(I have no particular threat requiring https only; it's just the recommended setting, and I tend towards the highest security settings generally. Been running that way for a year or more without trouble until suddenly just now. The alternative is logging into the FreeNAS box via an unencrypted web connection using the root password, which thirty-some years of holding root passwords on Internet servers has left me feeling is not good practice.)
 