SSL cannot be disabled while HSTS connection enabled

dash-crypto
#1

Hello,

I’m enabling HSTS mode to bypass the ISP blocking port 80 and forwarding all connections from port 80 to 443…

Hence after success I have installed Zimbra mail and created a new SSL certificate from Let’s Encrypt to make SSL work… I have some problems with the SSL certificate, so when I use Let’s Encrypt it works fine for me…

But the problem now is that there is a problem in Zimbra mail with the SSL handshake; it keeps showing, even if I disable Cloudflare, that the old SSL certificate from Cloudflare is enabled… and I cannot make any valid SSL with Zimbra and Let’s Encrypt through Cloudflare, even if I make a valid SSL and/or disable Cloudflare…

What I want now is to make sure HSTS is enabled on my domain www.mysite.com and at the same time disable the SSL certificate on *.mysite.com, e.g. mail.mysite.com and/or webmail.mysite.com.

So then I can fix the Zimbra SSL handshake issue;
status=deferred (Cannot start TLS: handshake failure)

// and

SSL_connect error to in.mailjet.com:465: Connection reset by peer < my relay SMTP server on port 465 or 587.

Much regards.

#2

HSTS does not forward anything from port 80 to 443, but instructs browsers to connect exclusively in a secure fashion via HTTPS.

If you have enabled HSTS, you certainly cannot disable HTTPS, as your site would not be reachable otherwise. If you want HSTS only for certain hosts, you would need to disable it globally and enable it per-host via page rules. Keep in mind though, if some browsers already got HSTS you will need to wait until it expires.

Also, not using SSL generally is a bad idea. You better ensure you can get SSL working with them or switch to a different service otherwise.

Also also, if that is mail-related you need to unproxy the entire mail host, as you can’t proxy that via Cloudflare anyhow.

#3

Thanks Sandro,

I know the HSTS now is connected on the domain www.mysite.com and I changed the setting on HSTS to turn it off on subdomains;

Apply HSTS policy to subdomains (includeSubDomains) <-- OFF now;

Is that possible, or should I disable HSTS and only make rules on certain hosts for that?

And should I delete all the previous SSL certificates and enable HSTS?

Thanks.
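As an added illustration (not part of this thread or of Cloudflare’s code), the matching rule browsers apply to a stored HSTS policy, following RFC 6797: a policy learned from www.mysite.com never reaches the sibling mail.mysite.com whether or not includeSubDomains is set, only a policy learned from mysite.com does, and no SMTP client consults it at all. The host and header values are constructed for the example.

```python
"""Added example: which hosts does a stored HSTS policy cover?
Implements the RFC 6797 matching rule; hostnames below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    host: str                # host whose HTTPS response carried the header
    max_age: int             # seconds; 0 tells the browser to forget the host
    include_subdomains: bool


def parse_hsts(host: str, header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value sent by `host`.
    Returns None for a header without max-age, which a browser ignores."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return HstsPolicy(host.lower().rstrip("."), max_age, include_sub)


def hsts_applies(policy: HstsPolicy, target_host: str) -> bool:
    """True if a browser holding `policy` must upgrade HTTP requests to
    `target_host` to HTTPS. Only HTTP(S) user agents make this check; an
    SMTP client never does, so HSTS cannot cause an SMTP TLS failure."""
    if policy.max_age == 0:
        return False
    target = target_host.lower().rstrip(".")
    if target == policy.host:
        return True  # exact match: the Known HSTS Host itself
    # includeSubDomains covers hosts *below* the policy host, not siblings
    return policy.include_subdomains and target.endswith("." + policy.host)
```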

#4

Also I’ve unproxied the mail server host from Cloudflare, and it’s showing the real IP of my web server; but the problem is the cache is still not deleted or changed… even if I force a cache clear it doesn’t go away, for 4 days now…

#6

Sure.

Which cache? The browser HSTS cache? That is something you have no control over at this point.

#7

Well, I’m going to put a rule to disable HSTS on certain domains and make sure the cache is not enabled on them; this is all I’m looking to do… make sure Cloudflare SSL is not enabled on my mail.mysite.com.

#8

One thing that confuses me is that you seem to refer to SMTP connections which should not be affected by HSTS in the first place.

#9

The SMTP is on a relay server, not my server, and it shows me (connection reset by peer and delivery temporarily suspended: Cannot start TLS: handshake failure) because of the SSL cache…

Which rule should I enable or disable to make sure HSTS is off on my mail.mysite.com?

#10

Again, SMTP connections should not be affected by HSTS, and a page rule most likely won’t help.

#11

I understand, but the problem is that the Cloudflare SSL cache header is still showing the old Cloudflare SSL, and this makes a handshake failure with the relay SMTP server.

#12

I am not sure what that means but whatever header Cloudflare returns should not affect SMTP connections. Check your SMTP connection settings if you maybe configured it to connect via TLS to a server which does not support TLS.

#13

The problem is the connection to in.mailjet.com, right?

Who is connecting to that machine?

#14

These are my new rules for mail.mysite.com while I’m enabling HSTS on *.mysite.com.

#15

That will disable SSL for web requests, but won’t affect SMTP connections.

#16

Yes, see the attachment for an example domain dossier.

#17

That is a webmail host, not in.mailjet.com.

You need to address my earlier question.

#18

I enabled these rules on Cloudflare for this sub-domain: webmail

Even if I disable Cloudflare and mysite.com and enable development mode, it still never changes, for 1 week now…

#19

Probably because you are tackling the wrong issue.

#20

Should I enable Cloudflare rules on in.mailjet.com? It’s a relay SMTP… is that necessary?

#21

Assuming that is not your domain, it won’t be of any use.

You need to explain what the actual issue is, otherwise there is no way to help I am afraid.