Hello, Not sure exactly where the problem lies with this one. We have a local UrBackup server running, exposing its http-only web interface on http://hostname.local.domain:55414.
I can no longer browse to this address, Firefox responds with
Secure connection failed and the error code SSL_ERROR_RX_RECORD_TOO_LONG
Looking at the GET request, the scheme is set to https and there is only one request, no redirect.
I can however access the site fine by IP, http://192.168.x.x:55414, AND, by using hostname only, http://hostname:55414, letting Windows fill in our DNS suffix as the network is in an Active Directory domain.
I also have a local Apache server running on my machine, only listening on http on standard port 80. Accessing http://localhost is fine, accessing http://myhostname is fine, but accessing http://myhostname.local.domain again causes FF to switch to an https-request.
What makes me confused is that this behaviour is consistent across browsers, Edge, Chrome, Android on my mobile...
Using Bitdefender for AV/FW, disabling it makes no change.
Tried downloading an older version of Firefox (89) and it does NOT show the same behaviour, URLs load as plain http.
Finally, I tried to add test.subdomain.com as a zone in our DNS and add an A record for the IP of the UrBackup-server, and voila, Firefox requests that site as http without complaining!?
Has the global browser market collectively decided that non TLD:s can no longer be accessed using http, or am I overlooking something obvious?
Best regards Alexander
EDIT: I originally included "false HSTS-requests" in the subject, before realizing that this came from FF redirecting to 443 on my local machine, which has a docker instance listening on that port but using a cert for our public domain, not our local one.
Modified by alexander76
It is possible (likely) that this domain is on the HSTS preload list and thus a secure connection is forced as this happens with other browsers as well.Read this answer in context 👍 1
All Replies (2)
It is possible (likely) that this domain is on the HSTS preload list and thus a secure connection is forced as this happens with other browsers as well.
You are right. The TLD we are using is a fairly common one to use internally, and previously used as a recommended default by a certain big software company. It's now listed on the HSTS preload, along with ALL SUBDOMAINS. Bastards :)
I've googled around and the "best" I could find for Firefox is the setting network.stricttransportsecurity.preloadlist to false. It would be handy to be able to add local exceptions for the preload list instead of disabling it entirely.
Time to change our domain, *sigh*.
Anyway, thanks! Alexander