Hi,

On Wed, Aug 26, 2020 at 7:53 AM Pratik Shrestha <pratik...@gmail.com> wrote:

> Thanks for the reply,
>
> Hi Peter - it complains on port 8443, which belongs to Tomcat.
>
> Hi Mark - Yes, making an HTTP request on HTTPS is wrong. But this security
> vulnerability is given to us by a Qualys scan. It tries to post a plain HTTP
> request on the HTTPS port and then gets the error message "Bad Request. This
> combination of host and port requires TLS.", which is a security loophole for
> Qualys. This is the behaviour of Apache HTTP Server also. But in Apache we can
> get rid of this by using the "ErrorDocument 400" directive. Do we have
> something similar in Tomcat? I have already tried using
>
> <error-page>
>   <error-code>400</error-code>
>   <location>/error.jsp</location>
> </error-page>
>

This won't work because Tomcat stops the request earlier and doesn't pass
it to your application. I haven't tried it but it may work with a custom
Valve, extending ErrorReportValve.

> Not sure, but my idea was to add redirect code on the error.jsp page. But
> the above never works. It never reaches the error.jsp page. It just sticks
> in the default error message page mentioned above.
>
> Btw, you can see the result from Qualys attached.
>

What is the desired behavior expected by Qualys? Because at the moment
Tomcat returns a text/html error page and you try to "fix" it by returning
a custom text/html error page. I don't see how this will change the Qualys
report.

> Thanks again guys for getting back.
>
> Regards,
> Pratik
>
> On Tue, Aug 25, 2020 at 5:36 PM Mark Thomas <ma...@apache.org> wrote:
>
>> On 25/08/2020 11:14, Pratik Shrestha wrote:
>> > Hi all,
>> >
>> > Tomcat version: 9.0.37
>> >
>> > Our website is running on Tomcat. We did a Qualys vulnerability scan on
>> > our site. The scan shows the below vulnerability.
>> >
>> > Insecure transport
>> > Group: Information Disclosure
>> > CWE CWE-319
>> > OWASP A3 Sensitive Data Exposure
>> > WASC WASC-4 INSUFFICIENT TRANSPORT LAYER PROTECTION
>> >
>> > Please note
>> > 1. HTTP port is not enabled.
>> > 2. We have only opened HTTPS port 8443. But when we connect to this HTTPS
>> > port with HTTP (http://www.oursite.com:8443/), we get an error "Bad
>> > Request. This combination of host and port requires TLS."
>> > 3. Due to the above error message, we get this vulnerability error from
>> > Qualys.
>> > 4. We have already enabled HSTS.
>> > 5. We have enabled the Rewrite Valve also to direct all HTTP to HTTPS. But
>> > it never works. It is like Tomcat doesn't care about Rewrite or HSTS. It
>> > just finds someone is accessing the HTTPS port with the HTTP protocol and
>> > then just throws error 400 'Bad Request'.
>> > 6. Note that Tomcat version 7 used to send the error 'ERR_EMPTY_RESP',
>> > which should still be okay.
>> >
>> > We already tried to find a fix for this issue on the web but in vain.
>> >
>> > Kindly help if anyone has found a way to fix it.
>>
>> Fix what?
>>
>> If you make an HTTP request to an HTTPS port, Tomcat provides a helpful
>> error message.
>>
>> I don't see any security issues here.
>>
>> (And before anyone claims the request sent in the clear is insecure I'll
>> point out that the request is sent in the clear irrespective of whether
>> Tomcat responds with an HTTP/1.1 clear text error message or a cryptic
>> TLS failure).
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
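Added example, not part of the thread and not Tomcat's own code: the point made above is that Tomcat can tell a plaintext HTTP request from a TLS handshake on the very first bytes of the connection and answers with its fixed 400 before the request ever reaches a servlet, an <error-page> mapping or a JSP. The snippet below shows that distinction (a TLS ClientHello starts with a handshake record header, a plaintext request with an HTTP request line), parses the kind of reply the scanner observed, and lets an administrator reproduce the scanner's observation against a server they run. All sample bytes are constructed, and `probe_plaintext` is a hypothetical helper named here for illustration.

```python
"""Distinguish a TLS ClientHello from a plaintext HTTP request, and check what a
TLS port answers when it is spoken to in plain HTTP.  Added example; the sample
bytes below are constructed and do not come from any real host."""

import re
import socket

# TLS record layer: content type 0x16 is "handshake", major version byte is 0x03,
# and the first handshake message on a new connection is ClientHello (type 0x01).
TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01

# Request-line shape from RFC 7230: METHOD SP request-target SP HTTP/x.y CRLF
_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/\d\.\d\r?\n")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the opening bytes of a connection.

    A server only needs these bytes to decide; nothing application-level runs
    before that decision, which is why an <error-page> mapping is never consulted.
    """
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03
            and data[5] == TLS_CLIENT_HELLO):
        return "tls"
    if _REQUEST_LINE.match(data):
        return "http"
    return "unknown"


def parse_status_line(response: bytes) -> tuple:
    """Extract (protocol, status code) from the first line of an HTTP response."""
    first_line = response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % first_line)
    return parts[0], int(parts[1])


def is_requires_tls_banner(response: bytes) -> bool:
    """True when a plaintext reply on a TLS port is a 400 carrying the
    'requires TLS' message quoted in the thread, i.e. no application content."""
    try:
        _, status = parse_status_line(response)
    except ValueError:
        return False
    body = response.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in response else b""
    return status == 400 and b"requires TLS" in body


def probe_plaintext(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Send one plain HTTP request to a TLS port of a server you administer and
    return the raw reply, so the scanner's observation can be reproduced and
    checked with is_requires_tls_banner().  Hypothetical helper, added here."""
    request = ("GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host).encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed samples (not captured from any real server).
SAMPLE_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])
SAMPLE_PLAIN_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com:8443\r\n\r\n"
SAMPLE_TLS_PORT_REPLY = (
    b"HTTP/1.1 400 \r\nConnection: close\r\n\r\n"
    b"Bad Request. This combination of host and port requires TLS.\n"
)

if __name__ == "__main__":
    print("client hello  ->", classify_first_bytes(SAMPLE_CLIENT_HELLO))
    print("plain request ->", classify_first_bytes(SAMPLE_PLAIN_REQUEST))
    print("banner only   ->", is_requires_tls_banner(SAMPLE_TLS_PORT_REPLY))
```

The useful check for a finding like the one in the thread is the last function: if `is_requires_tls_banner()` is true for the reply, the port disclosed nothing beyond a fixed error string, and what the scanner flagged is the existence of a cleartext reply, not leaked content.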