Filter HSTS response headers to allow cert override

Also remove HTTP Strict Transport Security (HSTS, RFC 6797) headers from
HTTP responses.  With HSTS active, the user is not allowed to accept
untrusted certificates.
pull/13/head
Daniel Roethlisberger 10 years ago
parent cc6cb59485
commit 769fbd042d

@ -1,6 +1,7 @@
### SSLsplit master
- Filter out HSTS response header to allow users to accept untrusted certs.
- Build without SSLv2 support by default (issue #26).
- Add primary group override (-m) when dropping privileges to an
unprivileged user (pull req #35 by @landonf).
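Review bot: the new HSTS changelog entry carries no reference, while the neighbouring entries cite issue #26 and pull req #35; since this commit comes from pull/13/head, the entry should cite that pull request in the same style, e.g. `- Filter out HSTS response header to allow users to accept untrusted certs (pull req #13).`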

@ -19,8 +19,10 @@ subject DN and subjectAltName extension. SSLsplit fully supports Server Name
Indication (SNI) and is able to work with RSA, DSA and ECDSA keys and DHE and
ECDHE cipher suites. SSLsplit can also use existing certificates of which the
private key is available, instead of generating forged ones. SSLsplit supports
NULL-prefix CN certificates and can deny OCSP requests in a generic way.
SSLsplit removes HPKP response headers in order to prevent public key pinning.
NULL-prefix CN certificates and can deny OCSP requests in a generic way. For
HTTP and HTTPS connections, SSLsplit removes response headers for HPKP in order
to prevent public key pinning, for HSTS to allow the user to accept untrusted
certificates, and Alternate Protocols to prevent switching to QUIC/SPDY.
See the manual page sslsplit(1) for details on using SSLsplit and setting up
the various NAT engines.
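Review bot: the added README sentence is not parallel: it reads "response headers for HPKP ..., for HSTS ..., and Alternate Protocols ...", so the third item lacks "for" and names the mechanism rather than the header; suggest "and for Alternate-Protocol to prevent switching to QUIC/SPDY". The claim "to allow the user to accept untrusted certificates" also deserves a qualifier: removing the header only prevents a policy from being set or refreshed by responses that pass through SSLsplit, and a client that has already cached an HSTS policy for that host (or has it preloaded) keeps enforcing it, so the documented effect holds only for hosts the client has no policy for.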

@ -1083,8 +1083,17 @@ pxy_http_resphdr_filter_line(const char *line, pxy_conn_ctx_t *ctx)
ctx->enomem = 1;
return NULL;
}
} else if (!strncasecmp(line, "Public-Key-Pins:", 16) ||
} else if (
/* HPKP: Public Key Pinning Extension for HTTP
* (draft-ietf-websec-key-pinning)
* remove to prevent public key pinning */
!strncasecmp(line, "Public-Key-Pins:", 16) ||
!strncasecmp(line, "Public-Key-Pins-Report-Only:", 28) ||
/* HSTS: HTTP Strict Transport Security (RFC 6797)
* remove to allow users to accept bad certs */
!strncasecmp(line, "Strict-Transport-Security:", 26) ||
/* Alternate Protocol
* remove to prevent switching to QUIC, SPDY et al */
!strncasecmp(line, "Alternate-Protocol:", 19)) {
return NULL;
} else if (line[0] == '\0') {
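Review bot: the prefix lengths 16, 28, 26 and 19 passed to strncasecmp are hand-counted and have to be kept in sync with the string literals manually; they are all correct as written (e.g. "Strict-Transport-Security:" is 26 characters), but a helper such as `#define HDR_IS(l, h) (!strncasecmp((l), (h), sizeof(h) - 1))` would drop the magic numbers and remove the risk of a silent off-by-one the next time a header name is added or edited in this chain.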

@ -64,7 +64,10 @@ Indication (SNI) and is able to work with RSA, DSA and ECDSA keys and DHE and
ECDHE cipher suites. SSLsplit can also use existing certificates of which the
private key is available, instead of generating forged ones. SSLsplit supports
NULL-prefix CN certificates and can deny OCSP requests in a generic way.
SSLsplit removes HPKP response headers in order to prevent public key pinning.
For HTTP and HTTPS connections, SSLsplit removes response headers
for HPKP in order to prevent public key pinning,
for HSTS to allow the user to accept untrusted certificates,
and Alternate Protocols to prevent switching to QUIC/SPDY.
.LP
SSLsplit supports a number of NAT engines, static forwarding and SNI DNS
lookups to determine the original destination of redirected connections
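Review bot: as reference documentation, the man page should name the header fields that are stripped rather than only the mechanisms, so a user can check the behaviour against a captured response; suggest listing Public-Key-Pins, Public-Key-Pins-Report-Only, Strict-Transport-Security and Alternate-Protocol, the names matched in pxy_http_resphdr_filter_line in this commit. The paragraph also duplicates the README wording from this commit verbatim, including the uneven "and Alternate Protocols" item, so both should be corrected together.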
