Re: OT: hsts in Tomcat 9.0.73

2023-04-27 Thread Christopher Schultz

Jon,

On 4/27/23 12:24, jonmcalexan...@wellsfargo.com.INVALID wrote:

Ok, thank you.


Sure. Now you just need to figure out why it's not actually having the 
intended effect.


*SOME* of the headers are being produced, but not all.

The filter itself has no logging whatsoever, so I think you'll have to
follow Olaf's suggestion of running it under a debugger if you want 
immediate clarity on what's happening.


-chris


-Original Message-
From: Christopher Schultz 
Sent: Thursday, April 27, 2023 10:16 AM
To: Tomcat Users List 
Subject: Re: OT: hsts in Tomcat 9.0.73

Jon,

On 4/26/23 13:04, jonmcalexan...@wellsfargo.com.INVALID wrote:

Qualys only checks ROOT (/), as it's the only context it could
possibly know about. The team does have a ROOT webapp which is
different from the one supplied with Tomcat.

Understood. I thought your main application was ROOT. It's not super
important. Just use the "dummy ROOT" for this purpose. I think it's easier than
modifying the base Tomcat install every time you upgrade.


Can you show me where in the application web.xml to specify the
headers? I'm not that familiar with things at that level, just at the
server level.

It should be the same as what you put into conf/web.xml: just define the
 and add /*.

-chris


-Original Message-
From: Christopher Schultz 
Sent: Tuesday, April 25, 2023 4:40 PM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73

Jon,

On 4/25/23 13:26, jonmcalexan...@wellsfargo.com.INVALID wrote:


keystoreFile="REMOVED"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
sslEnabledProtocols=" TLSv1.2" sslProtocol="TLS" clientAuth="false"
secure="true" scheme="https" SSLEnabled="true" maxThreads="150"
protocol="org.apache.coyote.http11.Http11NioProtocol"/>

Here is the code for the HSTS part of the Filter:

    // HSTS
    if (hstsEnabled && request.isSecure()) {
        httpResponse.setHeader(HSTS_HEADER_NAME, hstsHeaderValue);
    }

I was wondering if maybe secure="true" wasn't there, but you have it.

:hmm:

What's the name of the application artifact? Like the WAR file or
WAR-directory in webapps/? Are you deploying it multiple times --
say, from both auto-deployment *and also* with a  in conf/server.xml?


Your copy/paste of web.xml has a bunch of leading - symbols before
each of the  e.g.:

-
httpHeaderSecurity

Is that just an artifact from the XML editor/viewer you are using?

I can see these headers which should also be coming from the
HttpHeaderSecurityFilter:


X-Content-Type-Options  nosniff
X-Frame-Options         SAMEORIGIN
X-XSS-Protection        1


(Although the documentation suggests that the value for
X-XSS-Protection should be "1; mode=block" and it isn't in the above
header value.)

Are you able to change the configuration and/or add some code/config?

-chris


-----Original Message-
From: Christopher Schultz 
Sent: Tuesday, April 25, 2023 10:04 AM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73

Jon,

On 4/25/23 10:31, jonmcalexan...@wellsfargo.com.INVALID wrote:

It's the Server level web.xml in conf


So it applies to all web applications.

I would recommend that you change that configuration to:

1. Be present in your own web application's WEB-INF/web.xml file and
2. Deploy a ROOT application which has only a few things in it and
3. Be present in webapps/ROOT/WEB-INF/web.xml

Having a missing ROOT application can cause a few weird things to happen.

Having the ROOT means that you can always return e.g. a 404
response even if there is no application deployed on /foo just in case.
(This may have changed in the past few years, it used to be that a
request for /foo would return 400 or something similar instead of 404).

It also means that your Tomcat installation doesn't have to be
re-customized any time you upgrade it: just deploy your dummy-ROOT
and your own application and you are all good.

What does your  look like for port 8443?

-chris


-Original Message-
From: Christopher Schultz 
Sent: Tuesday, April 25, 2023 9:15 AM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9

RE: OT: hsts in Tomcat 9.0.73

2023-04-27 Thread jonmcalexander
Ok, thank you.

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Christopher Schultz 
> Sent: Thursday, April 27, 2023 10:16 AM
> To: Tomcat Users List 
> Subject: Re: OT: hsts in Tomcat 9.0.73
> 
> Jon,
> 
> On 4/26/23 13:04, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Qualys only checks ROOT (/), as it's the only context it could
> > possibly know about. The team does have a ROOT webapp which is
> > different from the one supplied with Tomcat.
> Understood. I thought your main application was ROOT. It's not super
> important. Just use the "dummy ROOT" for this purpose. I think it's easier than
> modifying the base Tomcat install every time you upgrade.
> 
> > Can you show me where in the application web.xml to specify the
> > headers? I'm not that familiar with things at that level, just at the
> > server level.
> It should be the same as what you put into conf/web.xml: just define the
>  and add /*.
> 
> -chris
> 
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Tuesday, April 25, 2023 4:40 PM
> >> To: users@tomcat.apache.org
> >> Subject: Re: OT: hsts in Tomcat 9.0.73
> >>
> >> Jon,
> >>
> >> On 4/25/23 13:26, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>> keystoreFile="REMOVED"
> >>> ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
> >>> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> >>> sslEnabledProtocols=" TLSv1.2" sslProtocol="TLS" clientAuth="false"
> >>> secure="true" scheme="https" SSLEnabled="true" maxThreads="150"
> >>> protocol="org.apache.coyote.http11.Http11NioProtocol"/>
> >> Here is the code for the HSTS part of the Filter:
> >>
> >>     // HSTS
> >>     if (hstsEnabled && request.isSecure()) {
> >>         httpResponse.setHeader(HSTS_HEADER_NAME, hstsHeaderValue);
> >>     }
> >>
> >> I was wondering if maybe secure="true" wasn't there, but you have it.
> >>
> >> :hmm:
> >>
> >> What's the name of the application artifact? Like the WAR file or
> >> WAR-directory in webapps/? Are you deploying it multiple times --
> >> say, from both auto-deployment *and also* with a  in conf/server.xml?
> >>
> >> Your copy/paste of web.xml has a bunch of leading - symbols before
> >> each of the  e.g.:
> >>
> >> -
> >> httpHeaderSecurity
> >>
> >> Is that just an artifact from the XML editor/viewer you are using?
> >>
> >> I can see these headers which should also be coming from the
> >> HttpHeaderSecurityFilter:
> >>
> >>> X-Content-Type-Options  nosniff
> >>> X-Frame-Options         SAMEORIGIN
> >>> X-XSS-Protection        1
> >>
> >> (Although the documentation suggests that the value for
> >> X-XSS-Protection should be "1; mode=block" and it isn't in the above
> 

Re: OT: hsts in Tomcat 9.0.73

2023-04-27 Thread Christopher Schultz

Jon,

On 4/26/23 13:04, jonmcalexan...@wellsfargo.com.INVALID wrote:

Qualys only checks ROOT (/), as it's the only context it could
possibly know about. The team does have a ROOT webapp which is
different from the one supplied with Tomcat.

Understood. I thought your main application was ROOT. It's not super 
important. Just use the "dummy ROOT" for this purpose. I think it's 
easier than modifying the base Tomcat install every time you upgrade.



Can you show me where in the application web.xml to specify the
headers? I'm not that familiar with things at that level, just at the
server level.
It should be the same as what you put into conf/web.xml: just define the 
 and add /*.


-chris


-Original Message-
From: Christopher Schultz 
Sent: Tuesday, April 25, 2023 4:40 PM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73

Jon,

On 4/25/23 13:26, jonmcalexan...@wellsfargo.com.INVALID wrote:


keystoreFile="REMOVED"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
sslEnabledProtocols=" TLSv1.2" sslProtocol="TLS" clientAuth="false"
secure="true" scheme="https" SSLEnabled="true" maxThreads="150"
protocol="org.apache.coyote.http11.Http11NioProtocol"/>

Here is the code for the HSTS part of the Filter:

    // HSTS
    if (hstsEnabled && request.isSecure()) {
        httpResponse.setHeader(HSTS_HEADER_NAME, hstsHeaderValue);
    }

I was wondering if maybe secure="true" wasn't there, but you have it.

:hmm:

What's the name of the application artifact? Like the WAR file or WAR-directory
in webapps/? Are you deploying it multiple times -- say, from both
auto-deployment *and also* with a  in conf/server.xml?

Your copy/paste of web.xml has a bunch of leading - symbols before each of
the  e.g.:

-
httpHeaderSecurity

Is that just an artifact from the XML editor/viewer you are using?

I can see these headers which should also be coming from the
HttpHeaderSecurityFilter:


X-Content-Type-Options  nosniff
X-Frame-Options         SAMEORIGIN
X-XSS-Protection        1


(Although the documentation suggests that the value for X-XSS-Protection
should be "1; mode=block" and it isn't in the above header value.)

Are you able to change the configuration and/or add some code/config?

-chris


-----Original Message-
From: Christopher Schultz 
Sent: Tuesday, April 25, 2023 10:04 AM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73

Jon,

On 4/25/23 10:31, jonmcalexan...@wellsfargo.com.INVALID wrote:

It's the Server level web.xml in conf


So it applies to all web applications.

I would recommend that you change that configuration to:

1. Be present in your own web application's WEB-INF/web.xml file and
2. Deploy a ROOT application which has only a few things in it and
3. Be present in webapps/ROOT/WEB-INF/web.xml

Having a missing ROOT application can cause a few weird things to happen.

Having the ROOT means that you can always return e.g. a 404 response
even if there is no application deployed on /foo just in case.
(This may have changed in the past few years, it used to be that a
request for /foo would return 400 or something similar instead of 404).

It also means that your Tomcat installation doesn't have to be
re-customized any time you upgrade it: just deploy your dummy-ROOT
and your own application and you are all good.

What does your  look like for port 8443?

-chris


-Original Message-
From: Christopher Schultz 
Sent: Tuesday, April 25, 2023 9:15 AM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73

Jon,

On 4/20/23 16:39, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hello again.

I have another app team that is getting hit with a QID 11827 stating that the
hsts Security header is missing. We have reviewed the web.xml and the
appropriate section and filter are present. hstsEnabled is set to true.
Performing a curl against the site does NOT show the hsts STRICT header.


WEB.XML


Which web.xml? And is the filename really capitalized?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
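As an added example (not code from the thread, and not Tomcat's own), the following POSIX shell script does two things the thread talks around: it prints the filter definition and /* mapping that go into a webapp's WEB-INF/web.xml (or the dummy ROOT's), and it reads `curl -sSI` response headers on stdin and reports which HttpHeaderSecurityFilter headers are missing or differ from the filter's defaults. The filter class and init-param names are Tomcat's; the max-age value, the function names and the two header dumps are constructed for this example. Because the filter only sets Strict-Transport-Security when request.isSecure() is true, the check has to be run against the HTTPS connector (8443 in this thread), and a missing HSTS header is reported with exactly that caveat.

```shell
#!/bin/sh
# Added example, not from the thread or from Tomcat.
#  - emit_hsts_filter_config prints the <filter>/<filter-mapping> pair for
#    WEB-INF/web.xml (filter class and init-param names are Tomcat's; the
#    max-age value is a choice made here).
#  - security_header_findings reads response headers on stdin and prints one
#    line per HttpHeaderSecurityFilter header that is missing or differs from
#    the filter's defaults; it prints nothing when everything looks right.

emit_hsts_filter_config() {
    cat <<'EOF'
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <!-- one year; the filter's default is 0, which tells browsers to drop the policy -->
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
EOF
}

security_header_findings() {
    # Normalise: drop CRs and lower-case everything so matching is case-insensitive.
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')

    hsts=$(printf '%s\n' "$hdrs" | sed -n 's/^strict-transport-security: *//p' | head -n 1)
    if [ -z "$hsts" ]; then
        echo "MISSING Strict-Transport-Security (filter not mapped in this context, or request.isSecure() was false)"
    else
        case "$hsts" in
            max-age=0|"max-age=0;"*|"max-age=0 "*)
                echo "WEAK Strict-Transport-Security has max-age=0 (set hstsMaxAgeSeconds)" ;;
        esac
    fi

    printf '%s\n' "$hdrs" | grep -q '^x-content-type-options: *nosniff' \
        || echo "MISSING X-Content-Type-Options: nosniff"
    printf '%s\n' "$hdrs" | grep -Eq '^x-frame-options: *(deny|sameorigin)' \
        || echo "MISSING X-Frame-Options"

    xss=$(printf '%s\n' "$hdrs" | sed -n 's/^x-xss-protection: *//p' | head -n 1)
    case "$xss" in
        "") echo "MISSING X-XSS-Protection" ;;
        "1; mode=block"|"1;mode=block") ;;
        *) echo "NOTE X-XSS-Protection is '$xss'; the filter's default is '1; mode=block', so this header may come from elsewhere" ;;
    esac
}

# Exit-status wrapper for scripting: 0 only when there are no findings.
check_security_headers() {
    findings=$(security_header_findings)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK all HttpHeaderSecurityFilter headers present"
}

# Constructed samples (not captured from the system in the thread).
# What the thread reports seeing: three filter-style headers, no HSTS, X-XSS-Protection "1".
SAMPLE_OBSERVED='HTTP/1.1 200
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
Content-Type: text/html;charset=UTF-8'

# What the filter emits once mapped in the right web.xml and requested over HTTPS.
SAMPLE_FIXED='HTTP/1.1 200
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=UTF-8'

# Stand-alone demo. Against a live server:  curl -sSI https://host:8443/ | check_security_headers
for sample in "$SAMPLE_OBSERVED" "$SAMPLE_FIXED"; do
    printf '%s\n' "$sample" | check_security_headers || true
    echo "--"
done
```

Paste the output of emit_hsts_filter_config into the application's WEB-INF/web.xml (and the dummy ROOT's, since a scanner that only checks / sees the ROOT context), restart, then pipe the HTTPS response headers through check_security_headers; if the other three headers appear but the X-XSS-Protection value is not the filter's default, that is a hint they are being added by something other than this filter.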

RE: OT: hsts in Tomcat 9.0.73

2023-04-26 Thread jonmcalexander
Qualys only checks ROOT (/), as it's the only context it could possibly know 
about. The team does have a ROOT webapp which is different from the one 
supplied with Tomcat. 

Can you show me where in the application web.xml to specify the headers? I'm 
not that familiar with things at that level, just at the server level.

Thanks,



> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, April 25, 2023 4:40 PM
> To: users@tomcat.apache.org
> Subject: Re: OT: hsts in Tomcat 9.0.73
> 
> Jon,
> 
> On 4/25/23 13:26, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > keystoreFile="REMOVED"
> > ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
> > sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> > sslEnabledProtocols=" TLSv1.2" sslProtocol="TLS" clientAuth="false"
> > secure="true" scheme="https" SSLEnabled="true" maxThreads="150"
> > protocol="org.apache.coyote.http11.Http11NioProtocol"/>
> Here is the code for the HSTS part of the Filter:
> 
>     // HSTS
>     if (hstsEnabled && request.isSecure()) {
>         httpResponse.setHeader(HSTS_HEADER_NAME, hstsHeaderValue);
>     }
> 
> I was wondering if maybe secure="true" wasn't there, but you have it.
> 
> :hmm:
> 
> What's the name of the application artifact? Like the WAR file or WAR-directory
> in webapps/? Are you deploying it multiple times -- say, from both
> auto-deployment *and also* with a  in conf/server.xml?
> 
> Your copy/paste of web.xml has a bunch of leading - symbols before each of
> the  e.g.:
> 
> -
> httpHeaderSecurity
> 
> Is that just an artifact from the XML editor/viewer you are using?
> 
> I can see these headers which should also be coming from the
> HttpHeaderSecurityFilter:
> 
> > X-Content-Type-Options  nosniff
> > X-Frame-Options         SAMEORIGIN
> > X-XSS-Protection        1
> 
> (Although the documentation suggests that the value for X-XSS-Protection
> should be "1; mode=block" and it isn't in the above header value.)
> 
> Are you able to change the configuration and/or add some code/config?
> 
> -chris
> 
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Tuesday, April 25, 2023 10:04 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: OT: hsts in Tomcat 9.0.73
> >>
> >> Jon,
> >>
> >> On 4/25/23 10:31, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>> It's the Server level web.xml in conf
> >>
> >> So it applies to all web applications.
> >>
> >> I would recommend that you change that configuration to:
> >>
> >> 1. Be present in your own web application's WEB-INF/web.xml file and
> >> 2. Deploy a ROOT application which has only a few things in it and
> >> 3. Be present in webapps/ROOT/WEB-INF/web.xml
> >>
> >> Having a missing ROOT application can cause a few weird things to happen.
> >> Having the ROOT means that you can always return e.g. a 404 response
> >> even if there is no application deployed on /foo just in case.
> >> (This may have changed in the past few years, it used to be that a
> >> request for /

Re: OT: hsts in Tomcat 9.0.73

2023-04-25 Thread Christopher Schultz

Jon,

On 4/25/23 13:26, jonmcalexan...@wellsfargo.com.INVALID wrote:



Here is the code for the HSTS part of the Filter:

    // HSTS
    if (hstsEnabled && request.isSecure()) {
        httpResponse.setHeader(HSTS_HEADER_NAME, hstsHeaderValue);
    }

I was wondering if maybe secure="true" wasn't there, but you have it.

:hmm:

What's the name of the application artifact? Like the WAR file or 
WAR-directory in webapps/? Are you deploying it multiple times -- say, 
from both auto-deployment *and also* with a  in conf/server.xml?


Your copy/paste of web.xml has a bunch of leading - symbols before each 
of the  e.g.:


-
httpHeaderSecurity

Is that just an artifact from the XML editor/viewer you are using?

I can see these headers which should also be coming from the 
HttpHeaderSecurityFilter:



X-Content-Type-Options  nosniff
X-Frame-Options         SAMEORIGIN
X-XSS-Protection        1


(Although the documentation suggests that the value for X-XSS-Protection 
should be "1; mode=block" and it isn't in the above header value.)


Are you able to change the configuration and/or add some code/config?

-chris


-Original Message-
From: Christopher Schultz 
Sent: Tuesday, April 25, 2023 10:04 AM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73

Jon,

On 4/25/23 10:31, jonmcalexan...@wellsfargo.com.INVALID wrote:

It's the Server level web.xml in conf


So it applies to all web applications.

I would recommend that you change that configuration to:

1. Be present in your own web application's WEB-INF/web.xml file and
2. Deploy a ROOT application which has only a few things in it and
3. Be present in webapps/ROOT/WEB-INF/web.xml

Having a missing ROOT application can cause a few weird things to happen.
Having the ROOT means that you can always return e.g. a 404 response even
if there is no application deployed on /foo just in case.
(This may have changed in the past few years, it used to be that a request for
/foo would return 400 or something similar instead of 404).

It also means that your Tomcat installation doesn't have to be re-customized
any time you upgrade it: just deploy your dummy-ROOT and your own
application and you are all good.

What does your  look like for port 8443?

-chris


-Original Message-
From: Christopher Schultz 
Sent: Tuesday, April 25, 2023 9:15 AM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73

Jon,

On 4/20/23 16:39, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hello again.

I have another app team that is getting hit with a QID 11827 stating that the
hsts Security header is missing. We have reviewed the web.xml and the
appropriate section and filter are present. hstsEnabled is set to true.
Performing a curl against the site does NOT show the hsts STRICT header.


WEB.XML


Which web.xml? And is the filename really capitalized?

-chris




Re: OT: hsts in Tomcat 9.0.73

2023-04-25 Thread Christopher Schultz

Olaf,

On 4/22/23 03:13, Olaf Kock wrote:


Am 22.04.23 um 00:48 schrieb jonmcalexan...@wellsfargo.com.INVALID:

Thanks Peter,

I still do not see the hsts header. I'm wondering if this is causing it.

SSL certificate verify result: self signed certificate in certificate 
chain (19), continuing anyway.


I don't know why it's complaining as the certificate for Tomcat is not 
a self-signed certificate.


That's a good guess: Anything self-signed is a problem for HSTS


No it's not.


(though only curl might see it as that, depending on the root
certificate store it uses compared to your browser). However, somehow
I'd expect the server to be ignorant to the level of trust that the
client has and send the header anyway.
The server should send the header. The client should report that the 
header was sent. There is no "self-signed silently removes HTTP response 
headers" or anything like that.


Another aspect to dig into is the explicit nonstandard port number. I 
didn't fully parse the RFC for it, but there are several statements on 
explicit, implicit ports and how they're mapped.


The Filter has no idea what port is being used, nor does it care.

-chris




Re: OT: hsts in Tomcat 9.0.73

2023-04-25 Thread Christopher Schultz

Jon,

On 4/25/23 11:33, jonmcalexan...@wellsfargo.com.INVALID wrote:

There is a ROOT application which is part of the overall app and not
the default Tomcat one. How should this be added to those web.xml files?


If you deploy your own webapp as ROOT then you should place that HSTS 
configuration in ROOT/WEB-INF/web.xml and nowhere else.


-chris


-Original Message-
From: Christopher Schultz 
Sent: Tuesday, April 25, 2023 10:04 AM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73

Jon,

On 4/25/23 10:31, jonmcalexan...@wellsfargo.com.INVALID wrote:

It's the Server level web.xml in conf


So it applies to all web applications.

I would recommend that you change that configuration to:

1. Be present in your own web application's WEB-INF/web.xml file and
2. Deploy a ROOT application which has only a few things in it and
3. Be present in webapps/ROOT/WEB-INF/web.xml

Having a missing ROOT application can cause a few weird things to happen.
Having the ROOT means that you can always return e.g. a 404 response even
if there is no application deployed on /foo just in case.
(This may have changed in the past few years, it used to be that a request for
/foo would return 400 or something similar instead of 404).

It also means that your Tomcat installation doesn't have to be re-customized
any time you upgrade it: just deploy your dummy-ROOT and your own
application and you are all good.

What does your  look like for port 8443?

-chris


-Original Message-
From: Christopher Schultz 
Sent: Tuesday, April 25, 2023 9:15 AM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73

Jon,

On 4/20/23 16:39, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hello again.

I have another app team that is getting hit with a QID 11827 stating that the
hsts Security header is missing. We have reviewed the web.xml and the
appropriate section and filter are present. hstsEnabled is set to true.
Performing a curl against the site does NOT show the hsts STRICT header.


WEB.XML


Which web.xml? And is the filename really capitalized?

-chris




RE: OT: hsts in Tomcat 9.0.73

2023-04-25 Thread jonmcalexander
Christopher,

Here is the SSL connector:



Thanks!



> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, April 25, 2023 10:04 AM
> To: users@tomcat.apache.org
> Subject: Re: OT: hsts in Tomcat 9.0.73
> 
> Jon,
> 
> On 4/25/23 10:31, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > It's the Server level web.xml in conf
> 
> So it applies to all web applications.
> 
> I would recommend that you change that configuration to:
> 
> 1. Be present in your own web application's WEB-INF/web.xml file and
> 2. Deploy a ROOT application which has only a few things in it and
> 3. Be present in webapps/ROOT/WEB-INF/web.xml
> 
> Having a missing ROOT application can cause a few weird things to happen.
> Having the ROOT means that you can always return e.g. a 404 response even
> if there is no application deployed on /foo just in case.
> (This may have changed in the past few years, it used to be that a request for
> /foo would return 400 or something similar instead of 404).
> 
> It also means that your Tomcat installation doesn't have to be re-customized
> any time you upgrade it: just deploy your dummy-ROOT and your own
> application and you are all good.
> 
> What does your  look like for port 8443?
> 
> -chris
> 
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Tuesday, April 25, 2023 9:15 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: OT: hsts in Tomcat 9.0.73
> >>
> >> Jon,
> >>
> >> On 4/20/23 16:39, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>> Hello again.
> >>>
> >>> I have another app team that is getting hit with a QID 11827 stating that the
> >>> hsts Security header is missing. We have reviewed the web.xml and the
> >>> appropriate section and filter are present. hstsEnabled is set to true.
> >>> Performing a curl against the site does NOT show the hsts STRICT header.
> >>>
> >>> WEB.XML
> >>
> >> Which web.xml? And is the filename really capitalized?
> >>
> >> -chris
> >>



RE: OT: hsts in Tomcat 9.0.73

2023-04-25 Thread jonmcalexander
Christopher,

There is a ROOT application which is part of the overall app and not the 
default Tomcat one. How should this be added to those web.xml files?

I'm working on getting the connector.

Thanks,




> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, April 25, 2023 10:04 AM
> To: users@tomcat.apache.org
> Subject: Re: OT: hsts in Tomcat 9.0.73
> 
> Jon,
> 
> On 4/25/23 10:31, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > It's the Server level web.xml in conf
> 
> So it applies to all web applications.
> 
> I would recommend that you change that configuration to:
> 
> 1. Be present in your own web application's WEB-INF/web.xml file and
> 2. Deploy a ROOT application which has only a few things in it and
> 3. Be present in webapps/ROOT/WEB-INF/web.xml
> 
> Having a missing ROOT application can cause a few weird things to happen.
> Having the ROOT means that you can always return e.g. a 404 response even
> if there is no application deployed on /foo just in case.
> (This may have changed in the past few years, it used to be that a request for
> /foo would return 400 or something similar instead of 404).
> 
> It also means that your Tomcat installation doesn't have to be re-customized
> any time you upgrade it: just deploy your dummy-ROOT and your own
> application and you are all good.
> 
> What does your  look like for port 8443?
> 
> -chris
> 
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Tuesday, April 25, 2023 9:15 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: OT: hsts in Tomcat 9.0.73
> >>
> >> Jon,
> >>
> >> On 4/20/23 16:39, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>> Hello again.
> >>>
> >>> I have another app team that is getting hit with a QID 11827 stating that the
> >>> hsts Security header is missing. We have reviewed the web.xml and the
> >>> appropriate section and filter are present. hstsEnabled is set to true.
> >>> Performing a curl against the site does NOT show the hsts STRICT header.
> >>>
> >>> WEB.XML
> >>
> >> Which web.xml? And is the filename really capitalized?
> >>
> >> -chris
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
> >
> 



Re: OT: hsts in Tomcat 9.0.73

2023-04-25 Thread Christopher Schultz

Jon,

On 4/25/23 10:31, jonmcalexan...@wellsfargo.com.INVALID wrote:

It's the Server level web.xml in conf


So it applies to all web applications.

I would recommend that you change that configuration to:

1. Be present in your own web application's WEB-INF/web.xml file
and
2. Deploy a ROOT application which has only a few things in it
and
3. Be present in webapps/ROOT/WEB-INF/web.xml

Having a missing ROOT application can cause a few weird things to 
happen. Having the ROOT means that you can always return e.g. a 404 
response even if there is no application deployed on /foo just in case. 
(This may have changed in the past few years, it used to be that a 
request for /foo would return 400 or something similar instead of 404).


It also means that your Tomcat installation doesn't have to be 
re-customized any time you upgrade it: just deploy your dummy-ROOT and 
your own application and you are all good.


What does your <Connector> look like for port 8443?

-chris


-Original Message-
From: Christopher Schultz 
Sent: Tuesday, April 25, 2023 9:15 AM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73

Jon,

On 4/20/23 16:39, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hello again.

I have another app team that is getting hit with a QID 11827 stating that the
hsts Security header is missing. We have reviewed the web.xml and the
appropriate section and filter are present. hstsEnabled is set to true.
Performing a curl against the site does NOT show the hsts STRICT header.


WEB.XML


Which web.xml? And is the filename really capitalized?

-chris










RE: OT: hsts in Tomcat 9.0.73

2023-04-25 Thread jonmcalexander
Hi Christopher,

It's the Server level web.xml in conf, and no, the file is all lowercase. 
Welcome to the wonderful world of Qualys. :-)

Thank you,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, April 25, 2023 9:15 AM
> To: users@tomcat.apache.org
> Subject: Re: OT: hsts in Tomcat 9.0.73
> 
> Jon,
> 
> On 4/20/23 16:39, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Hello again.
> >
> > I have another app team that is getting hit with a QID 11827 stating that the
> hsts Security header is missing. We have reviewed the web.xml and the
> appropriate section and filter are present. hstsEnabled is set to true.
> Performing a curl against the site does NOT show the hsts STRICT header.
> >
> > WEB.XML
> 
> Which web.xml? And is the filename really capitalized?
> 
> -chris
> 





Re: OT: hsts in Tomcat 9.0.73

2023-04-25 Thread Christopher Schultz

Jon,

On 4/25/23 10:15, Christopher Schultz wrote:

Jon,

On 4/20/23 16:39, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hello again.

I have another app team that is getting hit with a QID 11827 stating 
that the hsts Security header is missing. We have reviewed the web.xml 
and the appropriate section and filter are present. hstsEnabled is set 
to true. Performing a curl against the site does NOT show the hsts 
STRICT header.


WEB.XML


Which web.xml? And is the filename really capitalized?


Oh, and also, what does your <Connector> look like for port 8443?

-chris




Re: OT: hsts in Tomcat 9.0.73

2023-04-25 Thread Christopher Schultz

Jon,

On 4/20/23 16:39, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hello again.

I have another app team that is getting hit with a QID 11827 stating that the 
hsts Security header is missing. We have reviewed the web.xml and the 
appropriate section and filter are present. hstsEnabled is set to true. 
Performing a curl against the site does NOT show the hsts STRICT header.

WEB.XML


Which web.xml? And is the filename really capitalized?

-chris




RE: OT: hsts in Tomcat 9.0.73

2023-04-24 Thread jonmcalexander
In this case it's only internally accessible, not public.

Thanks,



> -Original Message-
> From: Peter Kreuser 
> Sent: Monday, April 24, 2023 10:15 AM
> To: Tomcat Users List 
> Subject: Re: OT: hsts in Tomcat 9.0.73
> 
> Jon,
> 
> 
> 
> Peter Kreuser
> Liebknechtstr. 83
> 63303 Dreieich-Sprendlingen
> phone: +49 6103 9880863
> fax: +49 6103 9886215
> mobile: +49 172 6649346
> email: pe...@kreuser.name
> web: http://www.kreuser.name
> key: http://www.kreuser.name/PGP_Public_Key.txt
> smime: http://www.kreuser.name/SMIME.cer
> > Am 24.04.2023 um 15:39 schrieb jonmcalexan...@wellsfargo.com.invalid:
> >
> > Thank you for all the good insights Olaf. I am like you, I prefer to put a
> reverse proxy in front of my Tomcat instances as well. Unfortunately it is
> Qualys that is calling this particular system out, so have to figure out how
> best to fix it.
> 
> Should it always be behind the reverse proxy and not available to the public?
> 
> Peter
> 
> >
> > Thanks again.
> >
> >
> >> -Original Message-
> >> From: Olaf Kock 
> >> Sent: Saturday, April 22, 2023 2:14 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: OT: hsts in Tomcat 9.0.73
> >>
> >>
> >>> Am 22.04.23 um 00:48 schrieb
> jonmcalexan...@wellsfargo.com.INVALID:
> >>> Thanks Peter,
> >>>
> >>> I still do not see the hsts header. I'm wondering if this is causing it.
> >>>
> >>> SSL certificate verify result: self signed certificate in
> >>> certificate chain (19),
> >> continuing anyway.
> >>>
> >>> I don't know why it's complaining as the certificate for Tomcat is
> >>> not a self-
> >> signed certificate.
> >>
> >> That's a good guess: Anything self-signed is a problem for HSTS
> >> (though only curl might see it as that, depending on the root
> >> certificate store it uses compared to your browser). However, somehow
> >> I'd expect the server to be ignorant to the level of trust that the client 
> >> has
> and send the header anyway.
> >>
> >> Another aspect to dig into is the explicit nonstandard port number. I
> >> didn't fully parse the RFC for it, but there are several statements
> >> on explicit, implicit ports and how they're mapped.
> >>
> >> In the end, it might be worth hitting the Tomcat filter in a
> >> debugger, or inspecting the source - to see if any conditional
> >> branches in an unexpected fashion, if a different filter than the
> >> expected one is hitting, or if the URL doesn't match.

Re: OT: hsts in Tomcat 9.0.73

2023-04-24 Thread Peter Kreuser
Jon,



Peter Kreuser
Liebknechtstr. 83
63303 Dreieich-Sprendlingen
phone: +49 6103 9880863
fax: +49 6103 9886215
mobile: +49 172 6649346
email: pe...@kreuser.name
web: www.kreuser.name
key: http://www.kreuser.name/PGP_Public_Key.txt
smime: http://www.kreuser.name/SMIME.cer
> Am 24.04.2023 um 15:39 schrieb jonmcalexan...@wellsfargo.com.invalid:
> 
> Thank you for all the good insights Olaf. I am like you, I prefer to put a 
> reverse proxy in front of my Tomcat instances as well. Unfortunately it is 
> Qualys that is calling this particular system out, so have to figure out how 
> best to fix it.

Should it always be behind the reverse proxy and not available to the public?

Peter

> 
> Thanks again.
> 
> 
>> -Original Message-
>> From: Olaf Kock 
>> Sent: Saturday, April 22, 2023 2:14 AM
>> To: users@tomcat.apache.org
>> Subject: Re: OT: hsts in Tomcat 9.0.73
>> 
>> 
>>> Am 22.04.23 um 00:48 schrieb jonmcalexan...@wellsfargo.com.INVALID:
>>> Thanks Peter,
>>> 
>>> I still do not see the hsts header. I'm wondering if this is causing it.
>>> 
>>> SSL certificate verify result: self signed certificate in certificate chain 
>>> (19),
>> continuing anyway.
>>> 
>>> I don't know why it's complaining as the certificate for Tomcat is not a 
>>> self-
>> signed certificate.
>> 
>> That's a good guess: Anything self-signed is a problem for HSTS (though only
>> curl might see it as that, depending on the root certificate store it uses
>> compared to your browser). However, somehow I'd expect the server to be
>> ignorant to the level of trust that the client has and send the header 
>> anyway.
>> 
>> Another aspect to dig into is the explicit nonstandard port number. I didn't
>> fully parse the RFC for it, but there are several statements on explicit, 
>> implicit
>> ports and how they're mapped.
>> 
>> In the end, it might be worth hitting the Tomcat filter in a debugger, or
>> inspecting the source - to see if any conditional branches in an unexpected
>> fashion, if a different filter than the expected one is hitting, or if the 
>> URL
>> doesn't match.
>> 
>> Yet one more option: Set some nonstandard header, where no assumption
>> can be made in any server- or client-side code, and see if it gets through. 
>> This
>> way you know that you're hitting the expected filter.
>> 
>> I'm typically lazy in all of this setup, as I defer HTTPS/HSTS to a reverse 
>> proxy
>> (and I'm only setting up demo systems), so I can only make wild guesses.
>> 
>> Olaf
>> 
>> 
>> 
> 




RE: OT: hsts in Tomcat 9.0.73

2023-04-24 Thread jonmcalexander
Thank you for all the good insights Olaf. I am like you, I prefer to put a 
reverse proxy in front of my Tomcat instances as well. Unfortunately it is 
Qualys that is calling this particular system out, so have to figure out how 
best to fix it.

Thanks again.


> -Original Message-
> From: Olaf Kock 
> Sent: Saturday, April 22, 2023 2:14 AM
> To: users@tomcat.apache.org
> Subject: Re: OT: hsts in Tomcat 9.0.73
> 
> 
> Am 22.04.23 um 00:48 schrieb jonmcalexan...@wellsfargo.com.INVALID:
> > Thanks Peter,
> >
> > I still do not see the hsts header. I'm wondering if this is causing it.
> >
> > SSL certificate verify result: self signed certificate in certificate chain 
> > (19),
> continuing anyway.
> >
> > I don't know why it's complaining as the certificate for Tomcat is not a 
> > self-
> signed certificate.
> 
> That's a good guess: Anything self-signed is a problem for HSTS (though only
> curl might see it as that, depending on the root certificate store it uses
> compared to your browser). However, somehow I'd expect the server to be
> ignorant to the level of trust that the client has and send the header anyway.
> 
> Another aspect to dig into is the explicit nonstandard port number. I didn't
> fully parse the RFC for it, but there are several statements on explicit, 
> implicit
> ports and how they're mapped.
> 
> In the end, it might be worth hitting the Tomcat filter in a debugger, or
> inspecting the source - to see if any conditional branches in an unexpected
> fashion, if a different filter than the expected one is hitting, or if the URL
> doesn't match.
> 
> Yet one more option: Set some nonstandard header, where no assumption
> can be made in any server- or client-side code, and see if it gets through. 
> This
> way you know that you're hitting the expected filter.
> 
> I'm typically lazy in all of this setup, as I defer HTTPS/HSTS to a reverse 
> proxy
> (and I'm only setting up demo systems), so I can only make wild guesses.
> 
> Olaf
> 
> 
> 



Re: OT: hsts in Tomcat 9.0.73

2023-04-22 Thread Olaf Kock



Am 22.04.23 um 00:48 schrieb jonmcalexan...@wellsfargo.com.INVALID:

Thanks Peter,

I still do not see the hsts header. I'm wondering if this is causing it.

SSL certificate verify result: self signed certificate in certificate chain 
(19), continuing anyway.

I don't know why it's complaining as the certificate for Tomcat is not a 
self-signed certificate.


That's a good guess: Anything self-signed is a problem for HSTS (though 
only curl might see it as that, depending on the root certificate store 
it uses compared to your browser). However, somehow I'd expect the 
server to be ignorant to the level of trust that the client has and send 
the header anyway.


Another aspect to dig into is the explicit nonstandard port number. I 
didn't fully parse the RFC for it, but there are several statements on 
explicit, implicit ports and how they're mapped.


In the end, it might be worth hitting the Tomcat filter in a debugger, 
or inspecting the source - to see if any conditional branches in an 
unexpected fashion, if a different filter than the expected one is 
hitting, or if the URL doesn't match.


Yet one more option: Set some nonstandard header, where no assumption 
can be made in any server- or client-side code, and see if it gets 
through. This way you know that you're hitting the expected filter.


I'm typically lazy in all of this setup, as I defer HTTPS/HSTS to a 
reverse proxy (and I'm only setting up demo systems), so I can only make 
wild guesses.


Olaf






RE: OT: hsts in Tomcat 9.0.73

2023-04-21 Thread jonmcalexander
Thanks Peter,

I still do not see the hsts header. I'm wondering if this is causing it.

SSL certificate verify result: self signed certificate in certificate chain 
(19), continuing anyway.

I don't know why it's complaining as the certificate for Tomcat is not a 
self-signed certificate.

Thanks,



> -Original Message-
> From: l...@kreuser.name 
> Sent: Friday, April 21, 2023 5:32 PM
> To: Tomcat Users List 
> Subject: Re: OT: hsts in Tomcat 9.0.73
> 
> Jon,
> 
> 
> Oh, I see there is a redirect. I do see a similar behavior on redirects (302)
> or auth (401, e.g. on the manager app). But HSTS on 200, 404 or 403.
> 
> What happens if you call "/c/portal/license" ?
> 
> Peter
> 
> > Am 21.04.2023 um 23:05 schrieb jonmcalexan...@wellsfargo.com.invalid
> :
> >
> > Here is the output from a powershell command:
> >
> > Invoke-WebRequest -Uri https://ldvwa00a0010.wellsfargo.com:8443
> > -MaximumRedirection 0 | Select-Object -ExpandProperty Headers
> >
> > Key                    Value
> > ---                    -----
> > X-Content-Type-Options nosniff
> > X-Frame-Options        SAMEORIGIN
> > X-XSS-Protection       1
> > Set-Cookie             JSESSIONID=E60F2DA9B666966565C8076FE5C47226.wfig1; Path=/; Secure; HttpOnly,COOKIE_SUPPORT=true; Expires=Tue, 03 Dec 2069 23:39:55 GMT; Path=/; Secure; HttpOnly,GU...
> > Location               https://ldvwa00a0010.wellsfargo.com:8443/c/portal/license
> > Content-Length         0
> > Date                   Fri, 21 Apr 2023 20:57:47 GMT
> > Keep-Alive             timeout=60
> > Connection             keep-alive
> >
> >
> > Here is curl
> >
> > curl -ikl --verbose https://HOST:8443 > op.txt
> >
> >  % Total% Received % Xferd  Average Speed   TimeTime Time  
> > Current
> > Dload  Upload   Total   SpentLeft  Speed
> >  0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 
> > 0*   Trying IP:8443...
> > * TCP_NODELAY set
> > * Connected to HOST (IP) port 8443 (#0)
> > * ALPN, offering h2
> > * ALPN, offering http/1.1
> > } [5 bytes data]
> > * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> > } [512 bytes data]
> >  0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 
> > 0* TLSv1.3 (IN), TLS
> handshake, Server hello (2):
> > { [85 bytes data]
> > * TLSv1.2 (IN), TLS handshake, Certificate (11):
> > { [3806 bytes data]
> > * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> > { [300 bytes data]
> > * TLSv1.2 (IN), TLS handshake, Server finished (14):
> > { [4 bytes data]
> > * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> > } [37 bytes data]
> > * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> > } [1 bytes data]
> > * TLSv1.2 (OUT), TLS handshake, Finished (20):
> > } [16 bytes data]
> > * TLSv1.2 (IN), TLS handshake, Finished (20):
> > { [16 bytes data]
> > * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> > * ALPN, server did not agree to a protocol
> > * Server certificate:
> > *  subject: C=US; O=; OU=; CN=
> > *  start date: Aug 10 16:35:12 2022 GMT
> > *  expire date: Aug  9 16:35:12 2024 GMT
> > *  issuer: C=US; O=; OU=; CN=
> > *  SSL certificate verify result: self signed certificate in certificate 
> > chain (19),
> continuing anyway.
> >  0 00 00 0  0  0 --:--:--  0:00:02 --:--:-- 
> > 0} [5 bytes data]
> >> GET / HTTP/1.1
> >> Host: HOST:8443
> >> User-Agent: curl/7.65.3
> >> Accept: */*
> >>
> > { [5 bytes data]
> > * Mark bundle as not supporting multiu

Re: OT: hsts in Tomcat 9.0.73

2023-04-21 Thread logo
Jon,


Oh, I see there is a redirect. I do see a similar behavior on redirects (302) 
or auth (401, e.g. on the manager app). But HSTS on 200, 404 or 403.

What happens if you call "/c/portal/license" ?

Peter

> Am 21.04.2023 um 23:05 schrieb jonmcalexan...@wellsfargo.com.invalid 
> :
> 
> Here is the output from a powershell command:
> 
> Invoke-WebRequest -Uri https://ldvwa00a0010.wellsfargo.com:8443 
> -MaximumRedirection 0 | Select-Object -ExpandProperty Headers
> 
> Key                    Value
> ---                    -----
> X-Content-Type-Options nosniff
> X-Frame-Options        SAMEORIGIN
> X-XSS-Protection       1
> Set-Cookie             JSESSIONID=E60F2DA9B666966565C8076FE5C47226.wfig1; Path=/; Secure; HttpOnly,COOKIE_SUPPORT=true; Expires=Tue, 03 Dec 2069 23:39:55 GMT; Path=/; Secure; HttpOnly,GU...
> Location               https://ldvwa00a0010.wellsfargo.com:8443/c/portal/license
> Content-Length         0
> Date                   Fri, 21 Apr 2023 20:57:47 GMT
> Keep-Alive             timeout=60
> Connection             keep-alive
> 
> 
> Here is curl
> 
> curl -ikl --verbose https://HOST:8443 > op.txt
> 
>  % Total% Received % Xferd  Average Speed   TimeTime Time  Current
> Dload  Upload   Total   SpentLeft  Speed
>  0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 
> 0*   Trying IP:8443...
> * TCP_NODELAY set
> * Connected to HOST (IP) port 8443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> } [5 bytes data]
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> } [512 bytes data]
>  0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 
> 0* TLSv1.3 (IN), TLS handshake, Server hello (2):
> { [85 bytes data]
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> { [3806 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> { [300 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> { [4 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> } [37 bytes data]
> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> } [1 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> } [16 bytes data]
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> { [16 bytes data]
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> * ALPN, server did not agree to a protocol
> * Server certificate:
> *  subject: C=US; O=; OU=; CN=
> *  start date: Aug 10 16:35:12 2022 GMT
> *  expire date: Aug  9 16:35:12 2024 GMT
> *  issuer: C=US; O=; OU=; CN=
> *  SSL certificate verify result: self signed certificate in certificate 
> chain (19), continuing anyway.
>  0 00 00 0  0  0 --:--:--  0:00:02 --:--:-- 
> 0} [5 bytes data]
>> GET / HTTP/1.1
>> Host: HOST:8443
>> User-Agent: curl/7.65.3
>> Accept: */*
>> 
> { [5 bytes data]
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 302
> < X-Content-Type-Options: nosniff
> < X-Frame-Options: SAMEORIGIN
> < X-XSS-Protection: 1
> < Set-Cookie: JSESSIONID=CB5FFB977D92D0CB953AE651014CD048.wfig1; Path=/; 
> Secure; HttpOnly
> < Set-Cookie: COOKIE_SUPPORT=true; Expires=Tue, 03 Dec 2069 23:42:52 GMT; 
> Path=/; Secure; HttpOnly
> < Set-Cookie: GUEST_LANGUAGE_ID=en_US; Expires=Tue, 03 Dec 2069 23:42:52 GMT; 
> Path=/; Secure; HttpOnly
> < Location: https://HOST:8443/c/portal/license
> < Content-Length: 0
> < Date: Fri, 21 Apr 2023 21:00:44 GMT
> <
>  0 00 00 0  0  0 --:--:--  0:00:03 --:--:-- 0
> * Connection #0 to host left intact
> 
> Thanks,
> 
> 
> 
>> -Original Message-
>> From: Christopher Schultz 
>> Sent: Friday, April 21, 2023 1:17 PM
>> To: users@tomcat.apache.org
>> Subject: Re: OT: hsts in Tomcat 9.0.73
>> 
&g
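Peter's observation above (HSTS present on 200/404/403 but absent on the 302) and Olaf's earlier point that the filter may simply not be hit on the request being scanned both come down to checking the header hop by hop. The following audit script is an added example, not code from this thread or from Tomcat: it parses curl-style response header dumps like the one quoted above and reports, per hop, whether Strict-Transport-Security is present and well-formed, which is what a scanner that stops at the redirect sees. The sample dumps are constructed, and the one-year max-age minimum is an assumed policy threshold.

```python
"""Audit Strict-Transport-Security (HSTS) hop by hop from curl header dumps.
Added example for this thread, not code from the list or from Tomcat."""
from __future__ import annotations

import re
from dataclasses import dataclass

MIN_MAX_AGE = 31536000  # assumed policy threshold (one year), not from the thread
_STATUS_RE = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})")


@dataclass
class Response:
    status: int
    headers: dict[str, list[str]]  # lower-cased header name -> values in order


def parse_header_dump(dump: str) -> Response:
    """Extract status and headers of the first response in a curl -i/-v dump;
    tolerates the "< " prefix of --verbose and stops at the blank end-of-headers line."""
    status = None
    headers: dict[str, list[str]] = {}
    for raw in dump.splitlines():
        line = (raw[1:] if raw.startswith("<") else raw).strip()
        if not line:
            if status is not None:
                break
            continue
        m = _STATUS_RE.match(line)
        if m:
            status = int(m.group(1))
            continue
        name, sep, value = line.partition(":")
        if sep and status is not None:  # request lines and TLS chatter are skipped
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    if status is None:
        raise ValueError("no HTTP status line found")
    return Response(status, headers)


def parse_hsts(value: str) -> dict[str, int | bool | str]:
    """Split an HSTS value into directives (RFC 6797): max-age is mandatory,
    includeSubDomains and preload are flags, names are case-insensitive."""
    directives: dict[str, int | bool | str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"bad max-age in {part.strip()!r}")
            directives[name] = int(val)
        elif name:
            directives[name] = val or True
    return directives


def audit_hop(resp: Response) -> list[str]:
    """Return the problems found in one response; an empty list means it is fine."""
    values = resp.headers.get("strict-transport-security", [])
    if not values:
        # A scanner that does not follow redirects judges the host by this hop,
        # so a 302 without the header is reported just like a final page.
        kind = "redirect" if resp.status in (301, 302, 303, 307, 308) else "response"
        return [f"{resp.status} {kind} without Strict-Transport-Security"]
    problems: list[str] = []
    if len(values) > 1:
        problems.append("multiple HSTS headers; clients process only the first")
    try:
        d = parse_hsts(values[0])
    except ValueError as exc:
        return problems + [f"unparseable HSTS value: {exc}"]
    max_age = d.get("max-age")
    if max_age is None:
        problems.append("HSTS without the required max-age directive")
    elif max_age == 0:
        problems.append("max-age=0 tells clients to drop the HSTS policy")
    elif max_age < MIN_MAX_AGE:
        problems.append(f"max-age={max_age} below assumed minimum of {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains not set; subdomains stay unprotected")
    return problems


def audit_chain(dumps: list[str]) -> list[tuple[int, list[str]]]:
    """Audit every hop of a redirect chain, returning (status, problems) pairs."""
    return [(r.status, audit_hop(r)) for r in map(parse_header_dump, dumps)]


# Constructed samples modelled on the thread: a 302 to /c/portal/license that
# sends no HSTS, followed by the 200 behind it that does.
HOP1 = """\
> Host: HOST:8443
< HTTP/1.1 302
< X-Content-Type-Options: nosniff
< Set-Cookie: JSESSIONID=constructed; Path=/; Secure; HttpOnly
< Location: https://HOST:8443/c/portal/license
<
"""
HOP2 = """\
HTTP/1.1 200
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff

"""
```

Feed it one dump per hop (for example the output of separate `curl -sv` calls against `/` and against the `Location` target) and every hop that would fail a scanner is listed with the reason.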

RE: OT: hsts in Tomcat 9.0.73

2023-04-21 Thread jonmcalexander
Here is the output from a powershell command:

Invoke-WebRequest -Uri https://ldvwa00a0010.wellsfargo.com:8443 
-MaximumRedirection 0 | Select-Object -ExpandProperty Headers

Key                    Value
---                    -----
X-Content-Type-Options nosniff
X-Frame-Options        SAMEORIGIN
X-XSS-Protection       1
Set-Cookie             JSESSIONID=E60F2DA9B666966565C8076FE5C47226.wfig1; Path=/; Secure; HttpOnly,COOKIE_SUPPORT=true; Expires=Tue, 03 Dec 2069 23:39:55 GMT; Path=/; Secure; HttpOnly,GU...
Location               https://ldvwa00a0010.wellsfargo.com:8443/c/portal/license
Content-Length         0
Date                   Fri, 21 Apr 2023 20:57:47 GMT
Keep-Alive             timeout=60
Connection             keep-alive


Here is curl

curl -ikl --verbose https://HOST:8443 > op.txt

  % Total% Received % Xferd  Average Speed   TimeTime Time  Current
 Dload  Upload   Total   SpentLeft  Speed
  0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 0* 
  Trying IP:8443...
* TCP_NODELAY set
* Connected to HOST (IP) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
  0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 0* 
TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [85 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3806 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; O=; OU=; CN=
*  start date: Aug 10 16:35:12 2022 GMT
*  expire date: Aug  9 16:35:12 2024 GMT
*  issuer: C=US; O=; OU=; CN=
*  SSL certificate verify result: self signed certificate in certificate chain 
(19), continuing anyway.
  0 00 00 0  0  0 --:--:--  0:00:02 --:--:-- 0} 
[5 bytes data]
> GET / HTTP/1.1
> Host: HOST:8443
> User-Agent: curl/7.65.3
> Accept: */*
>
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 302
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1
< Set-Cookie: JSESSIONID=CB5FFB977D92D0CB953AE651014CD048.wfig1; Path=/; 
Secure; HttpOnly
< Set-Cookie: COOKIE_SUPPORT=true; Expires=Tue, 03 Dec 2069 23:42:52 GMT; 
Path=/; Secure; HttpOnly
< Set-Cookie: GUEST_LANGUAGE_ID=en_US; Expires=Tue, 03 Dec 2069 23:42:52 GMT; 
Path=/; Secure; HttpOnly
< Location: https://HOST:8443/c/portal/license
< Content-Length: 0
< Date: Fri, 21 Apr 2023 21:00:44 GMT
<
  0 00 00 0  0  0 --:--:--  0:00:03 --:--:-- 0
* Connection #0 to host left intact

Thanks,



> -Original Message-
> From: Christopher Schultz 
> Sent: Friday, April 21, 2023 1:17 PM
> To: users@tomcat.apache.org
> Subject: Re: OT: hsts in Tomcat 9.0.73
> 
> Jon,
> 
> On 4/21/23 11:47, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Thank you Olaf, however, the connection was made over https directly
> > to Tomcat on port 8443.
> Sample curl with secrets removed?
> 
> -chris
> 
> >> -Original Message-
> >> From: Olaf Kock 
> >> Sent: Friday, April 21, 2023 1:48 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: OT: hsts in Tomcat 9.0.73
> >>
> >>
> >> Am 21.04.23 um 07:03 schrieb jonmcalexan...@wellsfargo.com.INVALID:
> >>> No, there is no error and no stack trace. Everything works, just the
> >>> hsts
> >> header isn't in the list of headers.
> >>>
> >> The lowest hanging fruit: HSTS is only defined on https - on http it
> >> doesn't have any meanin

RE: OT: hsts in Tomcat 9.0.73

2023-04-21 Thread jonmcalexander
Hey Peter,

Yes, the context is ROOT as this app does have a ROOT component.



> -Original Message-
> From: l...@kreuser.name 
> Sent: Friday, April 21, 2023 1:58 PM
> To: Tomcat Users List 
> Subject: Re: OT: hsts in Tomcat 9.0.73
> 
> Jon,
> 
> again, the Qualys Scanner usually does not know any other webcontexts
> than root, manager and examples. So if you don't have a root context, it may
> well end up in the woods and the result will not have a HSTS-Header. Can you
> verify the requested resource?
> 
> Best regards
> 
> Peter
> 
> > Am 21.04.2023 um 17:47 schrieb jonmcalexan...@wellsfargo.com.invalid
> :
> >
> > Thank you Olaf, however, the connection was made over https directly to
> Tomcat on port 8443.
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexan...@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >
> >> -Original Message-
> >> From: Olaf Kock 
> >> Sent: Friday, April 21, 2023 1:48 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: OT: hsts in Tomcat 9.0.73
> >>
> >>
> >> Am 21.04.23 um 07:03 schrieb jonmcalexan...@wellsfargo.com.INVALID:
> >>> No, there is no error and no stack trace. Everything works, just the
> >>> hsts
> >> header isn't in the list of headers.
> >>>
> >> The lowest hanging fruit: HSTS is only defined on https - on http it
> >> doesn't have any meaning and Tomcat would be correct in not sending
> >> it (I haven't looked at the source if it does, but it should be easy
> >> to test)
> >>
> >> If you have a reverse proxy handling https & proxying through http,
> >> Tomcat might not know that it'd be fine to send the header. (If that
> >> is your case, there is the brute force "secure" attribute on the
> >> connector
> >> - use it only when there's no way to connect through http from
> >> anywhere but your reverse proxy)
> >>
> >> This has bitten me a few times
> >>
> >> Olaf
> >>
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: OT: hsts in Tomcat 9.0.73

2023-04-21 Thread logo
Jon,

Again, the Qualys scanner usually does not know any other web contexts than 
root, manager and examples. So if you don't have a root context, it may well 
end up in the woods and the result will not have an HSTS header. Can you verify 
the requested resource?

Best regards

Peter


Re: OT: hsts in Tomcat 9.0.73

2023-04-21 Thread Christopher Schultz

Jon,

On 4/21/23 11:47, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Thank you Olaf, however, the connection was made over https directly
> to Tomcat on port 8443.

Sample curl with secrets removed?

-chris




RE: OT: hsts in Tomcat 9.0.73

2023-04-21 Thread jonmcalexander
Thank you Olaf, however, the connection was made over https directly to Tomcat 
on port 8443.

Thanks,



Re: OT: hsts in Tomcat 9.0.73

2023-04-21 Thread Olaf Kock



On 21.04.23 at 07:03, jonmcalexan...@wellsfargo.com.INVALID wrote:
> No, there is no error and no stack trace. Everything works, just the hsts 
> header isn't in the list of headers.

The lowest hanging fruit: HSTS is only defined on https - on http it 
doesn't have any meaning and Tomcat would be correct in not sending it 
(I haven't looked at the source if it does, but it should be easy to test)


If you have a reverse proxy handling https & proxying through http, 
Tomcat might not know that it'd be fine to send the header. (If that is 
your case, there is the brute force "secure" attribute on the connector 
- use it only when there's no way to connect through http from anywhere 
but your reverse proxy)


This has bitten me a few times.

Olaf




RE: OT: hsts in Tomcat 9.0.73

2023-04-20 Thread jonmcalexander
No, there is no error and no stack trace. Everything works, just the hsts 
header isn't in the list of headers.



Re: OT: hsts in Tomcat 9.0.73

2023-04-20 Thread Peter Kreuser
Any more details on the request?

Are you hitting an error 400? Like with an IP address on a name-based host?

That is handled prior to the filter and so you don't see the header!

Peter



OT: hsts in Tomcat 9.0.73

2023-04-20 Thread jonmcalexander
Hello again.

I have another app team that is getting hit with a QID 11827 stating that the 
hsts Security header is missing. We have reviewed the web.xml and the 
appropriate section and filter are present. hstsEnabled is set to true. 
Performing a curl against the site does NOT show the hsts STRICT header.

WEB.XML

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>hstsIncludeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>


Thank you,

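Olaf's point that the filter only adds the HSTS header on a secure request, together with the web.xml filter definition in the original post, as an added example that is neither Tomcat's code nor from any poster in this thread: it reads the HttpHeaderSecurityFilter init-params from a constructed web.xml mirroring the one above, derives the Strict-Transport-Security value the filter would emit, and checks captured curl -I output over https and over plain http against it. The web.xml, the two captures and all function names are constructed for the example; parameter defaults follow the Tomcat 9 filter documentation.

```python
# Added example for this thread (not Tomcat code, not from any poster): read the
# HttpHeaderSecurityFilter init-params from web.xml, derive the HSTS value the
# filter would send, and compare it with captured curl -I output.
import xml.etree.ElementTree as ET

# Constructed web.xml mirroring the filter definition quoted in the thread.
WEB_XML = """<web-app><filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>
  <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
  <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
</filter></web-app>"""

# Constructed 'curl -sI' captures of the same app over https and over plain http.
HTTPS_CAPTURE = "HTTP/1.1 200\nStrict-Transport-Security: max-age=31536000;includeSubDomains\nX-Frame-Options: SAMEORIGIN\n"
HTTP_CAPTURE = "HTTP/1.1 200\nX-Frame-Options: SAMEORIGIN\n"

def _local(tag):  # drop any XML namespace so a namespaced web.xml parses too
    return tag.rsplit("}", 1)[-1]

def filter_params(web_xml, filter_class="org.apache.catalina.filters.HttpHeaderSecurityFilter"):
    """init-params of the filter declared with filter_class, as a dict; None if absent."""
    for flt in (e for e in ET.fromstring(web_xml).iter() if _local(e.tag) == "filter"):
        if any(_local(c.tag) == "filter-class" and (c.text or "").strip() == filter_class for c in flt):
            params = {}
            for ip in (c for c in flt if _local(c.tag) == "init-param"):
                kv = {_local(c.tag): (c.text or "").strip() for c in ip}
                params[kv["param-name"]] = kv["param-value"]
            return params
    return None

def expected_hsts(params):
    """Value the filter sends on a secure request (';' with no space, as Tomcat builds it); defaults per Tomcat 9 docs."""
    if params.get("hstsEnabled", "true").lower() != "true":
        return None  # filter present but HSTS switched off
    value = "max-age=" + params.get("hstsMaxAgeSeconds", "0")
    if params.get("hstsIncludeSubDomains", "false").lower() == "true":
        value += ";includeSubDomains"
    return value

def parse_headers(capture):
    """Lower-cased header dict from curl -I style output (status line skipped)."""
    pairs = (line.split(":", 1) for line in capture.splitlines()[1:] if ":" in line)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check(capture, secure, params):
    """'ok' or a diagnosis; HSTS is only added when request.isSecure(), so none over plain http is correct."""
    got, want = parse_headers(capture).get("strict-transport-security"), expected_hsts(params)
    if not secure or want is None:
        return "ok" if got is None else "unexpected: HSTS sent where neither scheme nor web.xml calls for it"
    if got is None:
        return 'missing: request not seen as secure (proxy without secure="true"?) or answered before the filter ran (e.g. 400)'
    return "ok" if got == want else f"mismatch: got {got!r}, web.xml implies {want!r}"
```

Run it against your own `curl -sI https://host:8443/` and `curl -sI http://host:8080/` captures; a "missing" result over https points at the request not being seen as secure or at a response produced before the filter, which is the split the thread is chasing.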