Christopher, Here is the SSL connector:
<Connector port="8443" keystorePass="REMOVED" keystoreFile="REMOVED" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA" sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" sslEnabledProtocols=" TLSv1.2" sslProtocol="TLS" clientAuth="false" secure="true" scheme="https" SSLEnabled="true" maxThreads="150" protocol="org.apache.coyote.http11.Http11NioProtocol"/> Thanks! Dream * Excel * Explore * Inspire Jon McAlexander Senior Infrastructure Engineer Asst. Vice President He/His Middleware Product Engineering Enterprise CIO | EAS | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. > -----Original Message----- > From: Christopher Schultz <ch...@christopherschultz.net> > Sent: Tuesday, April 25, 2023 10:04 AM > To: users@tomcat.apache.org > Subject: Re: OT: hsts in Tomcat 9.0.73 > > Jon, > > On 4/25/23 10:31, jonmcalexan...@wellsfargo.com.INVALID wrote: > > It's the Server level web.xml in conf > > So it applies to all web applications. > > I would recommend that you change that configuration to: > > 1. Be present in your own web application's WEB-INF/web.xml file and 2. > Deploy a ROOT application which has only a few things in it and 3. Be present > in webapps/ROOT/WEB-INF/web.xml > > Having a missing ROOT application can cause a few weird things to happen. > Having the ROOT means that you can always return e.g. a 404 response even > if there is no application deployed on /foo just in case. > (This may have changed in the past few years, it used to be that a request for > /foo would return 400 or something similar instead of 404). > > It also means that your Tomcat installation doesn't have to be re-customized > any time you upgrade it: just deploy your dummy-ROOT and your own > application and you are all good. > > What does your <Connector> look like for port 8443? > > -chris > > >> -----Original Message----- > >> From: Christopher Schultz <ch...@christopherschultz.net> > >> Sent: Tuesday, April 25, 2023 9:15 AM > >> To: users@tomcat.apache.org > >> Subject: Re: OT: hsts in Tomcat 9.0.73 > >> > >> Jon, > >> > >> On 4/20/23 16:39, jonmcalexan...@wellsfargo.com.INVALID wrote: > >>> Hellow again. > >>> > >>> I hae another app team that is getting hit with a QID 11827 stating > >>> that the > >> hsts Security header is missing. We have reviewed the web.xml and the > >> appropriate section and filter are present. hstsEnabled is set to true. > >> Performing a curl aganst the site does NOT show the hsts STRICT header. > >>> > >>> WEB.XML > >> > >> Which web.xml? And is the filename really capitalized? > >> > >> -chris > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org
