On 05/02/2019 23:49, James H. H. Lampert wrote:
> We've just received word from a customer that they had two
> vulnerabilities flagged on a security scan of the box their Tomcat
> server is running on.
>
> 38628 - TLS 1.0 still supported.
> Ok, assuming that the box and the JVM can go up to a more current TLS
> level, and a more current cipher, what do I need to set? On other boxes,
> I've added a "ciphers" clause to the Connector for port 443 in the
> server.xml, but what about the TLS?

On the TLS Connector:

sslEnabledProtocols="TLSv1.1,TLSv1.2"

> 17369 - HTTP Security Header Not Detected.
> This, I don't get: what I've been able to find on this one talks about a
> security header missing on port 80; the Tomcat server (at least the one
> we're responsible for) doesn't even have 80 (or 8080) open at all. If I
> remember right, though, there are other HTTP(S) servers running on that
> box; is it perhaps one of the others?

It looks like this one:
https://community.qualys.com/thread/17369-http-security-header-not-detected

While that page talks about port 80, it would apply equally to any HTTP[S] connection.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
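The two settings discussed in the thread, shown as one added configuration example (it is not from either poster and is not Tomcat's shipped defaults): the port 443 Connector in server.xml with the weak protocol list beside the tightened one, and the HttpHeaderSecurityFilter in web.xml that emits the headers the Qualys 17369 check looks for. The keystore path, password, cipher list and the choice of SAMEORIGIN are placeholders and assumptions for illustration; the attribute and filter names are the real Tomcat ones (the Connector form is the pre-8.5 attribute style that matches the sslEnabledProtocols answer above; on 8.5+ the same values go on a nested SSLHostConfig as protocols and ciphers).

```xml
<!-- conf/server.xml : the HTTPS Connector (pre-8.5 attribute style) -->

<!-- BEFORE: flagged as "38628 - TLS 1.0 still supported".
     Listing TLSv1 (or omitting sslEnabledProtocols and leaving it to the
     JVM default) lets the scanner negotiate TLS 1.0. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/example-keystore.jks" keystorePass="changeit"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />

<!-- AFTER: only the protocol versions you actually want to offer.
     TLSv1.1 is kept here to match the reply above; drop it and leave
     "TLSv1.2" alone if no client still needs 1.1, because scanners
     now flag 1.1 as well. The ciphers list is an example set of
     forward-secret AEAD suites in JSSE naming; useServerCipherSuitesOrder
     makes Tomcat, not the client, pick the suite. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/example-keystore.jks" keystorePass="changeit"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
           useServerCipherSuitesOrder="true" />

<!-- conf/web.xml (or the webapp's WEB-INF/web.xml) : response security headers.
     This is what clears "17369 - HTTP Security Header Not Detected" on the
     Tomcat listener itself; it does nothing for other HTTP servers on the box. -->
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <!-- Strict-Transport-Security: only added to requests Tomcat sees as secure -->
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
  <!-- X-Frame-Options: SAMEORIGIN is an assumption; use DENY if nothing frames the app -->
  <init-param>
    <param-name>antiClickJackingEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
  <!-- X-Content-Type-Options: nosniff -->
  <init-param>
    <param-name>blockContentTypeSniffingEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <async-supported>true</async-supported>
</filter>
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

Two checks worth doing after the restart: confirm the protocol change took with an external client rather than the scanner alone (for example, an `openssl s_client -tls1` connection to port 443 should now fail to handshake), and remember that the filter only sends Strict-Transport-Security when `request.isSecure()` is true, so if Tomcat sits behind a TLS-terminating proxy you need RemoteIpValve or the connector's `secure="true"` for the header to appear. If the flagged port is served by one of the other HTTP servers on the machine, as the question suggests it might be, this web.xml change will not affect that finding at all.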