HSTS on 401 / error pages

2023-09-13 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello everyone, I would like to get your opinion about the HttpHeaderSecurityFilter in Tomcat. I configured HSTS in Tomcat and it works well. When I do a pen-test with burpsuite it complains that HSTS header is missing on 401 responses. I couldn’t find much information about whether HSTS makes se

Re: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

2023-09-13 Thread Brian Wolfe
The PKCS12 is the industry standard keystore format. Your mac should be creating it in that version. You should get familiar using the pkcs12. Its not difficult to set it up. keytool and openssl support pkcs12 and have for some time now. Its possible your older keystores are of the storetype JKS or

Re: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

2023-09-13 Thread James H. H. Lampert
Java Keystores work. And I don't find them especially difficult to work with (other than new formats not being backward-compatible with older JVMs, and as one who has made a comfortable living banging out code for IBM Midrange boxes for over a quarter century, I am quite familiar with a much wo

Re: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

2023-09-13 Thread Christopher Schultz
Shawn and Mark, On 9/13/23 09:30, Mark Thomas wrote: On 13/09/2023 14:00, Shawn Heisey wrote: On 9/12/23 01:06, Thomas Hoffmann (Speed4Trade GmbH) wrote: I moved away from using the proprietary java keystore format. I switched to using Base64 PEM format. This is usually also the format you ge

AW: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

2023-09-13 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello, > -Ursprüngliche Nachricht- > Von: Shawn Heisey > Gesendet: Mittwoch, 13. September 2023 15:00 > An: users@tomcat.apache.org > Betreff: Re: AW: Solution to "Invalid keystore format" (cross-posted to > Tomcat Users List at Apache, and Java 400 List at Midrange) > > On 9/12/23 01:06

Re: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

2023-09-13 Thread Mark Thomas
On 13/09/2023 14:00, Shawn Heisey wrote: On 9/12/23 01:06, Thomas Hoffmann (Speed4Trade GmbH) wrote: I moved away from using the proprietary java keystore format. I switched to using Base64 PEM format. This is usually also the format you get from the certificate issuer. No need to convert it in

Re: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

2023-09-13 Thread Shawn Heisey
On 9/12/23 01:06, Thomas Hoffmann (Speed4Trade GmbH) wrote: I moved away from using the proprietary java keystore format. I switched to using Base64 PEM format. This is usually also the format you get from the certificate issuer. No need to convert it into Java format any more and you can also o

Re: page extends not working???

2023-09-13 Thread Christopher Schultz
Aryeh, On 9/12/23 17:50, Aryeh Friedman wrote: On Tue, Sep 12, 2023 at 1:51 PM Christopher Schultz wrote: Aryeh, On 9/12/23 12:42, Aryeh Friedman wrote: On Tue, Sep 12, 2023 at 11:42 AM Christopher Schultz wrote: Aryeh, On 9/11/23 10:05, Aryeh Friedman wrote: On Mon, Sep 11, 2023 at 9:

[SECURITY] CVE-2023-41081 Apache Tomcat Connectors (mod_jk) Information Disclosure

2023-09-13 Thread Mark Thomas
CVE-2023-41081 Apache Tomcat Connectors (mod_jk) Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat Connectors mod_jk Connector 1.2.0 to 1.2.48 Description: In some circumstances, such as when a configuration included "JkOptions