On 22.04.23 at 00:48, jonmcalexan...@wellsfargo.com.INVALID wrote:
Thanks Peter,

I still do not see the hsts header. I'm wondering if this is causing it.

SSL certificate verify result: self signed certificate in certificate chain 
(19), continuing anyway.

I don't know why it's complaining as the certificate for Tomcat is not a 
self-signed certificate.

That's a good guess: Anything self-signed is a problem for HSTS (though only curl might see it as that, depending on the root certificate store it uses compared to your browser). However, somehow I'd expect the server to be ignorant of the level of trust that the client has and send the header anyway.

Another aspect to dig into is the explicit nonstandard port number. I didn't fully parse the RFC for it, but there are several statements on explicit, implicit ports and how they're mapped.

In the end, it might be worth hitting the Tomcat filter in a debugger, or inspecting the source - to see if any conditional branches in an unexpected fashion, if a different filter than the expected one is hitting, or if the URL doesn't match.

Yet one more option: Set some nonstandard header, where no assumption can be made in any server- or client-side code, and see if it gets through. This way you know that you're hitting the expected filter.

I'm typically lazy in all of this setup, as I defer HTTPS/HSTS to a reverse proxy (and I'm only setting up demo systems), so I can only make wild guesses.

Olaf
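As an added example (not code from this thread), a small Python check that fetches the response headers over TLS while verifying the chain against the CA file you actually trust for the Tomcat certificate, then reports whether Strict-Transport-Security and a canary header came back. The canary name X-Filter-Canary and the port/host values are assumptions; a browser ignores an HSTS header received over a connection with certificate errors (RFC 6797), so the chain warning matters beyond curl.

```python
import http.client
import ssl
from typing import Dict, Optional

# Hypothetical canary header, assumed to be set by a filter in the same
# chain as the HSTS filter, so its presence proves the chain was hit.
CANARY_HEADER = "X-Filter-Canary"


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split a Strict-Transport-Security value into its directives."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def check_headers(headers: Dict[str, str]) -> Dict[str, object]:
    """Report HSTS and canary status from a (case-insensitive) header map."""
    lower = {k.lower(): v for k, v in headers.items()}
    report: Dict[str, object] = {
        "hsts_present": False,
        "max_age": None,
        "include_subdomains": False,
        "canary_present": CANARY_HEADER.lower() in lower,
    }
    sts = lower.get("strict-transport-security")
    if sts:
        d = parse_hsts(sts)
        max_age = d.get("max-age")
        report["hsts_present"] = True
        report["max_age"] = int(max_age) if max_age and max_age.isdigit() else None
        report["include_subdomains"] = "includesubdomains" in d
    return report


def fetch_headers(host: str, port: int, cafile: str, path: str = "/") -> Dict[str, str]:
    """GET over HTTPS with verification left ON, trusting only cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return headers


if __name__ == "__main__":
    # Assumed host/port/CA path; replace with your own deployment values.
    print(check_headers(fetch_headers("tomcat.example.invalid", 8443, "ca.pem")))
```

Point cafile at the PEM file containing the certificate that issued the Tomcat cert (or the self-signed cert itself); if verification fails here, a browser would not honour the HSTS header either.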


