We've just received word from a customer that they had two
vulnerabilities flagged on a security scan of the box their Tomcat
server is running on.
38628 - TLS 1.0 still supported.
OK, assuming that the box and the JVM can go up to a more current TLS
level, and a more current cipher, what do I need to set? On other boxes,
I've added a "ciphers" clause to the Connector for port 443 in the
server.xml, but what about the TLS?
17369 - HTTP Security Header Not Detected.
This, I don't get: what I've been able to find on this one talks about a
security header missing on port 80; the Tomcat server (at least the one
we're responsible for) doesn't even have 80 (or 8080) open at all. If I
remember right, though, there are other HTTP(S) servers running on that
box; is it perhaps one of the others?
--
James H. H. Lampert
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
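The two settings the post asks about, as an added example that is not part of the original message and not copied from the Tomcat documentation: a Connector restricted to TLS 1.2/1.3 with a modern cipher list, and Tomcat's bundled HttpHeaderSecurityFilter to emit the security headers scanners look for. Assumptions: Tomcat 8.5 or 9 with the JSSE (Java) TLS implementation, the NIO connector on port 443, and placeholder keystore path and password (`conf/keystore.jks` / `changeit`). The commented-out "before" Connector and the Tomcat 7/8.0-style attributes are shown only for contrast.

```xml
<!-- ===== conf/server.xml =====
     BEFORE (typical of what gets flagged as "TLS 1.0 still supported"):
     no protocol list, so the connector offers every protocol the JVM enables,
     which on older JVMs includes TLSv1 and TLSv1.1.  A "ciphers" clause alone
     does not fix this; the protocol list is a separate setting.
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/keystore.jks" keystorePass="changeit"
           sslProtocol="TLS" ciphers="..."/>
-->

<!-- AFTER: only TLS 1.2 and 1.3, server-preferred AEAD cipher suites.
     Assumed: JSSE, placeholder keystore.  TLSv1.3 needs a JVM that supports
     it (Java 11+, or a recent Java 8 update); drop it from the list otherwise. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" maxThreads="150">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                   honorCipherOrder="true"
                   ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>

<!-- Tomcat 7 / 8.0 equivalent (attributes directly on the Connector):
       sslEnabledProtocols="TLSv1.2"
       ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
       useServerCipherSuitesOrder="true"
-->

<!-- ===== conf/web.xml (every webapp) or one app's WEB-INF/web.xml =====
     HttpHeaderSecurityFilter ships with Tomcat; it adds Strict-Transport-Security
     (only on requests Tomcat sees as secure, i.e. over the HTTPS connector),
     X-Frame-Options and X-Content-Type-Options to every response it wraps. -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <!-- keep false unless every subdomain is already HTTPS-only -->
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <init-param>
        <param-name>blockContentTypeSniffingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

After a restart, confirm the first finding is gone with `openssl s_client -connect host:443 -tls1` (the handshake should fail) and `openssl s_client -connect host:443 -tls1_2` (should succeed), and the second with `curl -sI https://host/` (look for Strict-Transport-Security and X-Frame-Options). Because the HSTS header is only sent over HTTPS, a scanner that reports the missing header on port 80 is talking to whatever process owns that port; `ss -tlnp` (or `netstat -tlnp`) on the box shows which daemon that is, and its configuration, not Tomcat's, is where that finding gets fixed. Two caveats on the protocol change: Java 7's JSSE supports TLS 1.2 on the server side but not TLS 1.3, so the list must match what the JVM actually offers, and recent Java updates already disable TLSv1 and TLSv1.1 in `java.security` (`jdk.tls.disabledAlgorithms`), so on a current JVM the scanner may be seeing another service on the same host rather than Tomcat.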