Re: OT: hsts in Tomcat 9.0.73

Mon, 24 Apr 2023 08:15:46 -0700 

Jon,



Peter Kreuser
Liebknechtstr. 83
63303 Dreieich-Sprendlingen
phone: +49 6103 9880863
fax: +49 6103 9886215
mobile: +49 172 6649346
email: pe...@kreuser.name
web: www.kreuser.name
key: http://www.kreuser.name/PGP_Public_Key.txt
smime: http://www.kreuser.name/SMIME.cer
> Am 24.04.2023 um 15:39 schrieb jonmcalexan...@wellsfargo.com.invalid:
> 
> Thank you for all the good insights Olaf. I am like you, I prefer to put a 
> reverse proxy in front of my Tomcat instances as well. Unfortunately it is 
> Qualsys that is calling this particular system out, so have to figure out how 
> best to fix it.

should it always be behind the reverse proxy and not available to the public?

Peter

> 
> Thanks again.
> 
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
> 
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> 
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
> 
> jonmcalexan...@wellsfargo.com
> This message may contain confidential and/or privileged information. If you 
> are not the addressee or authorized to receive this for the addressee, you 
> must not use, copy, disclose, or take any action based on this message or any 
> information herein. If you have received this message in error, please advise 
> the sender immediately by reply e-mail and delete this message. Thank you for 
> your cooperation.
> 
>> -----Original Message-----
>> From: Olaf Kock <tom...@olafkock.de>
>> Sent: Saturday, April 22, 2023 2:14 AM
>> To: users@tomcat.apache.org
>> Subject: Re: OT: hsts in Tomcat 9.0.73
>> 
>> 
>>> Am 22.04.23 um 00:48 schrieb jonmcalexan...@wellsfargo.com.INVALID:
>>> Thanks Peter,
>>> 
>>> I still do not see the hsts header. I'm wondering if this is causing it.
>>> 
>>> SSL certificate verify result: self signed certificate in certificate chain 
>>> (19),
>> continuing anyway.
>>> 
>>> I don't know why it's complaining as the certificate for Tomcat is not a 
>>> self-
>> signed certificate.
>> 
>> That's a good guess: Anything self-signed is a problem for HSTS (though only
>> curl might see it as that, depending on the root certificate store it uses
>> compared to your browser). However, somehow I'd expect the server to be
>> ignorant to the level of trust that the client has and send the header 
>> anyway.
>> 
>> Another aspect to dig into is the explicit nonstandard port number. I didn't
>> fully parse the RFC for it, but there are several statements on explicit, 
>> implicit
>> ports and how they're mapped.
>> 
>> In the end, it might be worth hitting the Tomcat filter in a debugger, or
>> inspecting the source - to see if any conditional branches in an unexpected
>> fashion, if a different filter than the expected one is hitting, or if the 
>> URL
>> doesn't match.
>> 
>> Yet one more option: Set some nonstandard header, where no assumption
>> can be made in any server- or client-side code, and see if it gets through. 
>> This
>> way you know that you're hitting the expected filter
>> 
>> I'm typically lazy in all of this setup, as I defer HTTPS/HSTS to a reverse 
>> proxy
>> (and I'm only setting up demo systems), so I can only make wild guesses.
>> 
>> Olaf
>> 
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> ТÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÐÐ¥FòVç7V'67&–&RÂRÖÖ–âW6W'2×Vç7V'67&–&TFöÖ6Bæ6†Ræ÷&pФf÷"FF—F–öæÂ6öÖÖæG2ÂRÖÖ–âW6W'2Ö†VÇFöÖ6Bæ6†Ræ÷&pÐ
>  

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to