Pratik,

> Am 26.08.2020 um 06:52 schrieb Pratik Shrestha <pratik...@gmail.com>:
> 
> Thanks for the reply,
> 
> Hi Peter - it complains on port 8443 which belongs to Tomcat.
> 
> Hi Mark - Yes, making an HTTP request on HTTPS is wrong. But this security 
> vulnerability is given to us by a Qualys scan. It tries to post a plain HTTP 
> request on the HTTPS port and then gets the error message "Bad Request. This 
> combination of host and port requires TLS.", which is a security loophole for 
> Qualys. This is the behaviour of the Apache HTTP server also. But in Apache, 
> we can get rid of this by using the "ErrorDocument 400" directive. Do we have 
> something similar in Tomcat? I have already tried using 
> 
> <error-page>
>    <error-code>400</error-code>
>    <location>/error.jsp</location>
>  </error-page>
> 

I see an error 400 on 8443 (8.5.57), as it is on Nginx or Apache. So I don't 
see why this would be a problem. A false positive one could address with Qualys?

Regards

Peter

> Not sure, but my idea was to add redirect code to the error.jsp page. But the 
> above never works. It never reaches the error.jsp page. It just sticks on the 
> default error message page mentioned above.
> 
> Btw, you can see the result from Qualys attached.  
> 
> Thanks again guys for getting back.
> 
> Regards,
> Pratik 
> 
> On Tue, Aug 25, 2020 at 5:36 PM Mark Thomas <ma...@apache.org> wrote:
> On 25/08/2020 11:14, Pratik Shrestha wrote:
> > Hi all,
> > 
> > Tomcat version: 9.0.37
> > 
> > Our website is running on Tomcat. We did a Qualys vulnerability scan on our
> > site. The scan shows the vulnerability below.
> > 
> > Insecure transport
> > Group: Information Disclosure
> > CWE CWE-319
> > OWASP A3 Sensitive Data Exposure
> > WASC WASC-4 INSUFFICIENT TRANSPORT LAYER PROTECTION
> > 
> > Please note
> > 1. The HTTP port is not enabled.
> > 2. We have only opened HTTPS port 8443. But when we connect to this HTTPS port
> > with HTTP (http://www.oursite.com:8443/), we get an error "Bad Request. This
> > combination of host and port requires TLS."
> > 3. Due to the above error message, we get this vulnerability error from
> > Qualys.
> > 4. We have already enabled HSTS.
> > 5. We have enabled the Rewrite Valve also to direct all HTTP to HTTPS. But it
> > never works. It is as if Tomcat doesn't care about Rewrite or HSTS. It just
> > finds that someone is accessing the HTTPS port with the HTTP protocol and then
> > throws error 400 'Bad Request'.
> > 6. Note that Tomcat version 7 used to send the error 'ERR_EMPTY_RESP', which
> > should still be okay.
> > 
> > We have already tried to find a fix for this issue on the web, but in vain.
> > 
> > Kindly help if anyone has found a way to fix it.
> 
> Fix what?
> 
> If you make an HTTP request to an HTTPS port, Tomcat provides a helpful
> error message.
> 
> I don't see any security issues here.
> 
> (And before anyone claims the request sent in the clear is insecure I'll
> point out that the request is sent in the clear irrespective of whether
> Tomcat responds with an HTTP/1.1 clear text error message or a cryptic
> TLS failure).
> 
> Mark
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
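The check that Mark's reply implies (the only question worth asking is whether anything is actually served in the clear on the TLS port) can be scripted so a scanner finding like this one can be confirmed or dismissed with evidence. The script below is an added example and is not code from the thread, from Tomcat or from Qualys. It sends a plaintext HTTP/1.1 request to a host and port given on the command line (an assumption; the thread's site is a placeholder), classifies whatever comes back, and separately confirms that a real TLS handshake succeeds on the same port. The sample replies embedded for offline use are constructed; the Tomcat 400 body is only an approximation of the page quoted in the thread, not a capture.

```python
"""Triage a scanner's "plaintext HTTP accepted on HTTPS port" finding.

Added example, not from the thread, Tomcat or Qualys. A 4xx error, a TLS
alert or an empty reply to a plaintext probe all mean the port refused to
talk HTTP in the clear; only a 2xx with application content is a real
transport-security finding.
"""
import socket
import ssl

# Constructed sample replies (not captured from any real server).
SAMPLE_TOMCAT_400 = (
    b"HTTP/1.1 400 \r\n"                      # Tomcat 8.5+ sends no reason phrase
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"Connection: close\r\n\r\n"
    b"<html><body><h1>HTTP Status 400 - Bad Request</h1>"
    b"<p>This combination of host and port requires TLS.</p></body></html>"
)
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x0a"   # TLS alert record: fatal, unexpected_message
SAMPLE_CONTENT = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
SAMPLE_REDIRECT = b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.oursite.com:8443/\r\n\r\n"

SAFE_PLAINTEXT_REPLIES = {"empty", "tls_alert", "http_error", "http_redirect"}


def classify_plaintext_reply(raw: bytes) -> str:
    """Classify the bytes a server returned to a plaintext HTTP probe."""
    if not raw:
        return "empty"                       # closed without data (the Tomcat 7 ERR_EMPTY_RESPONSE case)
    if raw[0] == 0x15 and raw[1:2] == b"\x03":
        return "tls_alert"                   # server treated our request as a broken TLS handshake
    if not raw.startswith(b"HTTP/1."):
        return "unknown"
    status_line = raw.split(b"\r\n", 1)[0]
    fields = status_line.split(b" ")
    if len(fields) < 2 or not fields[1].isdigit():
        return "unknown"
    status = int(fields[1])
    if status < 200:
        return "unknown"
    if status < 300:
        return "http_content"                # real content over plaintext: the only bad outcome
    if status < 400:
        return "http_redirect"               # e.g. a rewrite to https://, harmless
    return "http_error"                      # Tomcat's 400 lands here


def triage(plaintext_class: str, tls_ok: bool) -> str:
    """Turn the two observations into a verdict a ticket can quote."""
    if not tls_ok:
        return "broken: TLS handshake failed on the HTTPS port; fix that first"
    if plaintext_class == "http_content":
        return "confirmed: application content is served without TLS on this port"
    if plaintext_class in SAFE_PLAINTEXT_REPLIES:
        return "false positive: port refuses plaintext (%s); nothing served in the clear" % plaintext_class
    return "inconclusive: unrecognised reply, inspect the raw bytes"


def plaintext_probe(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Send a plaintext GET / to host:port and return whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host.encode())
        chunks = []
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)


def tls_handshake_ok(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if a proper TLS handshake (with certificate validation) succeeds."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            with ctx.wrap_socket(s, server_hostname=host):
                return True
    except OSError:                          # ssl.SSLError is an OSError subclass
        return False


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])   # assumed invocation: probe.py www.oursite.com 8443
    verdict = triage(classify_plaintext_reply(plaintext_probe(host, port)),
                     tls_handshake_ok(host, port))
    print(verdict)
```

Run against the scanned host and port; a verdict starting with "false positive" together with the raw reply bytes is the evidence to attach when disputing the finding with the scanner vendor, and a "confirmed" verdict means a connector really is serving content without TLS, regardless of what error page is configured.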
