Mark and James,

On 2/6/19 04:04, Mark Thomas wrote:
> On 05/02/2019 23:49, James H. H. Lampert wrote:
>> We've just received word from a customer that they had two
>> vulnerabilities flagged on a security scan of the box their
>> Tomcat server is running on.
>>
>> 38628 - TLS 1.0 still supported. Ok, assuming that the box and
>> the JVM can go up to a more current TLS level, and a more current
>> cipher, what do I need to set? On other boxes, I've added a
>> "ciphers" clause to the Connector for port 443 in the server.xml,
>> but what about the TLS?
>
> On the TLS Connector:
>
> sslEnabledProtocols="TLSv1.1,TLSv1.2"

Unless you will *fail* your security evaluation, you might want to keep
TLSv1.0 enabled.

>> 17369 - HTTP Security Header Not Detected. This, I don't get:
>> what I've been able to find on this one talks about a security
>> header missing on port 80; the Tomcat server (at least the one
>> we're responsible for) doesn't even have 80 (or 8080) open at
>> all. If I remember right, though, there are other HTTP(S) servers
>> running on that box; is it perhaps one of the others?
>
> It looks like this one:
>
> https://community.qualys.com/thread/17369-http-security-header-not-detected
>
> While that page talks about port 80, it would apply equally to
> any HTTP[S] connection.

Yes, X-Frame-Options should be set regardless of the protocol.

Try running nikto[1] against your site. It points out all kinds of
little things and (!!) gives you better information than "header not
found".
-chris

[1] https://cirt.net/Nikto2 (also comes pre-installed in a Kali Linux
livecd, which you can use easily from within a VM guest)