
HSTS Manager IIS Crash #8

Closed
andrewcbancroft opened this issue Jun 16, 2016 · 13 comments

Comments

@andrewcbancroft
Contributor

andrewcbancroft commented Jun 16, 2016

Hi Floris,

1: Thank you for taking over this project - we've found it extremely useful

2: I'm running into an issue using the msi installer to get things installed and working. The msi runs perfectly. But when I go to IIS and attempt to configure things, the IIS Manager crashes.

My machine has IIS 8.5.9600.16384 on it.

Windows event log has the following (let me know if I can be more helpful):

IISMANAGER_CRASH

IIS Manager terminated unexpectedly.

Exception:System.InvalidCastException: Specified cast is not valid.
at HSTS_IIS_Module.Manager.ConfigSection.get_MaxAge()
at HSTS_IIS_Module.Manager.ConfigScreen.Initialise(String siteName)
at HSTS_IIS_Module.Manager.ConfigModulePage.OnActivated(Boolean initialActivation)
at Microsoft.Web.Management.Client.Win32.ModulePage.Microsoft.Web.Management.Client.IModulePage.OnActivated(Boolean initialActivation)
at Microsoft.Web.Management.Host.UserInterface.ManagementFrame.SetActivePage(ModulePage modulePage, Boolean showInHierarchyMode)
at Microsoft.Web.Management.Client.NavigationEventHandler.Invoke(Object sender, NavigationEventArgs e)
at Microsoft.Web.Management.Host.NavigationService.OnNavigationPerformed(NavigationEventArgs e)
at Microsoft.Web.Management.Host.NavigationService.NavigateToIndex(Int32 index, Boolean isNew)
at Microsoft.Web.Management.Host.NavigationService.NavigateToItem(NavigationItem newItem, Boolean isNew)
at Microsoft.Web.Management.Host.NavigationService.Microsoft.Web.Management.Client.INavigationService.Navigate(Connection connection, ManagementConfigurationPath configurationPath, Type pageType, Object navigationData)
at Microsoft.Web.Management.Client.Win32.ModulePage.Navigate(Type pageType, Object navigationData)
at Microsoft.Web.Management.Client.Win32.ModulePage.Navigate(Type pageType)
at Microsoft.Web.Management.Host.UserInterface.Homepage.OnListViewItemActivate(Object sender, EventArgs e)
at System.Windows.Forms.ListView.OnItemActivate(EventArgs e)
at System.Windows.Forms.ListView.WmReflectNotify(Message& m)
at System.Windows.Forms.ListView.WndProc(Message& m)
at Microsoft.Web.Management.Client.Win32.ListPageListView.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

Process:InetMgr

@FWest98
Owner

FWest98 commented Jun 16, 2016

Hmm.. I did notice this myself when accessing a server with remote access, is this the case for you?
Currently I do not have much time to look into it (exams and things) but in two weeks I will have a look, maybe I can get the build to work then as well since some VS update with W10 tools messed up C++ compilation. The MSI installer provided is a bit outdated.

So if you're accessing the server remotely, can you try configuring it on the server itself, using RDP or something?

@andrewcbancroft
Contributor Author

It's quite alright, Floris - I understand if you're trying to wrap up exams, so no worries or rush.

This is actually happening directly on my local machine. I was just trying it out so as not to mess up an actual server if something went awry.

I've been able to grab older versions of the DLLs from servers I already had this module installed on, and they work fine on this new server I'm configuring for HSTS. Just wanted to report the issue.

Thanks!

@Lumute

Lumute commented Aug 18, 2016

Hi Floris,

I'm having the exact same problem installing on Windows 2012 R2 (IIS 8.5.9600.16834), did you have a chance to look into this?

I'm installing directly on the server using RDP, but the thing is, I'm not sure I'm installing the latest version. It is supposed to be 2.1.2, yet the file on the download page for the latest release says HSTS-IIS-Module-2.1.0.0.msi, and after installation Windows reports it as version 2.1.0.0. Could it be I'm using an old installer? Where can I find the msi installer for 2.1.2?

I got the msi from here:

https://github.com/FWest98/hsts-iis-module/releases/tag/version_2.1.2

I'm not a developer so I do not have the environment to compile the source code...

Thanks a lot in advance for your help and work on this project.

G

@navossoc

Hey @Lumute , I'm not sure if you still want to install this extension.
Do you know if the issue with the memory leak has been fixed?

Anyway, you can achieve the same result using URL Rewrite plugin with a custom rewrite rule.

Let me know if you want more details.

@FWest98
Owner

FWest98 commented Aug 18, 2016

@Lumute I think the 2.1.2 installer got lost when removing my old fork and I accidentally re-uploaded 2.1.0. Did not have time to take a look at it unfortunately, but in two weeks I will look at it. Memory leaks are fixed locally but I was not able to build at the time.

@navossoc Simple URL rewrite does not suffice since that doesn't prevent the browser from connecting over HTTP the first time in a session (when the user enters the web address), and then a MITM might get all cookies or intercept the connection as a whole. Also adding the HSTS header to the response is not a good solution since that is not in accordance with the specification, as explained in more detail in the README.

@navossoc

navossoc commented Aug 18, 2016

From: RFC 6797 - HTTP Strict Transport Security (HSTS)

7.2. HTTP Request Type

If an HSTS Host receives an HTTP request message over a non-secure
transport, it SHOULD send an HTTP response message containing a
status code indicating a permanent redirect, such as status code 301
(Section 10.3.2 of [RFC2616]), and a Location header field value
containing either the HTTP request's original Effective Request URI
(see Section 9 ("Constructing an Effective Request URI")) altered as
necessary to have a URI scheme of "https", or a URI generated
according to local policy with a URI scheme of "https".

NOTE: The above behavior is a "SHOULD" rather than a "MUST" due to:

  *  Risks in server-side non-secure-to-secure redirects
     [OWASP-TLSGuide].

  *  Site deployment characteristics.  For example, a site that
     incorporates third-party components may not behave correctly
     when doing server-side non-secure-to-secure redirects in the
     case of being accessed over non-secure transport but does
     behave correctly when accessed uniformly over secure transport.
     The latter is the case given an HSTS-capable UA that has
     already noted the site as a Known HSTS Host (by whatever means,
     e.g., prior interaction or UA configuration).

An HSTS Host MUST NOT include the STS header field in HTTP responses
conveyed over non-secure transport.


I'm not sure if the rewrite is the true culprit here...

If the HTTP to HTTPS redirection is an issue, just don't listen over HTTP.

Also, about adding the header only for HTTPS responses it is possible, you just need to create a precondition to check if the connection is over a secure channel or not.

Or maybe am I missing something here? Let me know...

@FWest98
Owner

FWest98 commented Aug 18, 2016

@navossoc yes I know the specification. A redirect is always necessary (and this plugin provides one as well). But the HSTS header makes sure that future requests will always be over HTTPS. With just a redirect, not the whole domain will be HTTPS-only, only the previously visited page will be. Also the HSTS Preloading is not possible without the correct header.
And last time I checked you could not add headers with certain conditions, which is the entire point of this plugin. Maybe that changed in IIS 10?

@navossoc

navossoc commented Aug 18, 2016

Since URL Rewrite 2 we can use preconditions. I'm just not sure whether the condition (secure connection) is available since IIS 7. I'm sure IIS 8 (2012) or higher has it.
I'm not at the computer right now, I will check it in more detail when I get back.

@FWest98
Owner

FWest98 commented Aug 18, 2016

Yes I know you can use them in URL Rewrite. But you cannot use that for adding headers afaik, and the headers section thing does not have support for conditions in any form. And the header is only allowed on HTTPS connections.

@navossoc

Here, try this, it's a piece of my web.config
web.zip

It complies with the https://hstspreload.appspot.com if you add the keywords for the sub-domain and preload directive.

Seems the {SERVER_PORT_SECURE} server variable is available since IIS 6, so I think this config works for IIS 7 as well, besides the IIS 8.

@FWest98
Owner

FWest98 commented Aug 18, 2016

Oh that way. Didn't know that modifying the server variables would work this way. Thanks!
I still think this plugin is easier since you don't have to bother with HSTS in the code, every rewrite I add, I have to add it in the web.config in my project files ;)

@Lumute

Lumute commented Aug 18, 2016

Hi Floris, Rafael,

Very interesting conversation! Learning a lot from this...

I think I prefer the plugin too for its simplicity, I'm not in a hurry as my implementation is still in the testing phase and will not go on production for a while so I think I'll wait for a new build.

Floris, just in case I decide to adventure myself into installing VS and compiling the code, are the memory leak fixes checked in the code or you only have them in your PC?

Thanks a lot both for the help / support...

@FWest98
Owner

FWest98 commented Aug 29, 2016

I finally got time to look at it and I took the time to convert the whole (already outdated) Gradle thing to a Visual Studio project. Got everything up and running and managed to fix this issue. Apparently defining a config variable as uint in the schema requires me to handle it as a long in C#, and not as a uint. That's where the invalid cast came from. Why it did work and still works on my server is still a mystery. You can get the fixed release from the releases page.

@FWest98 FWest98 closed this as completed Aug 29, 2016