Thanks Peter for the link and it worked like a charm. I am running Tomcat version 9.0.56 on CentOS Linux release 7.9.2009 (Core). I have enabled the TLSv1.3 protocol as per the below block, but when I ran the scan at https://www.ssllabs.com/ssltest/analyze.html, it says *TLS 1.3 -> No*, as per the below scan results.
<Connector port="443" protocol="HTTP/1.1" connectionTimeout="20000"
           SSLEnabled="true" scheme="https"
           ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
           keystoreFile="ssl/hsbcconsent.jks" keystorePass="tomcat"
           clientAuth="false" disableSessionTickets="true" honorCipherOrder="true"
           *SSLProtocol="TLSv1.2+TLSv1.3"* redirectPort="8443" />

https://github.com/drwetter/testssl.sh

./testssl.sh --htmlfile testapp-consent-testpreprod.testapicraft.com.29042022.html testapp-consent-testpreprod.testapicraft.com

###########################################################
    testssl.sh       3.1dev from https://testssl.sh/dev/

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "LibreSSL 2.8.3" [~69 ciphers]
 on DACADMINs-MacBook-Pro:/usr/bin/openssl
 (built: "date not available", platform: "information not available")

 Start 2022-04-29 19:02:41        -->> 35.210.220.115:443 (testapp-consent-testpreprod.testapicraft.com) <<--

 Service detected:       HTTP

 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 *TLS 1.3    not offered and downgraded to a weaker protocol*
 NPN/SPDY   Local problem: /usr/bin/openssl doesn't support NPN/SPDY
 ALPN/HTTP2 not offered

Am I missing anything in the /opt/tomcat9/conf/server.xml file? Please comment and guide me.
Thanks in advance

Best Regards,

Kaushal

On Fri, Apr 29, 2022 at 12:15 PM Thomas Hoffmann (Speed4Trade GmbH) <thomas.hoffm...@speed4trade.com.invalid> wrote:

>
> > -----Original Message-----
> > From: Christopher Schultz <ch...@christopherschultz.net>
> > Sent: Friday, 29 April 2022 01:10
> > To: users@tomcat.apache.org
> > Subject: Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x
> >
> > Kaushal,
> >
> > On 4/28/22 15:37, Kaushal Shriyan wrote:
> > > On Fri, Apr 29, 2022 at 12:44 AM Peter Chiu <pc8...@gmail.com> wrote:
> > >
> > >> This is what I am using. Hope this helps.
> > >>
> > >> https://orclcs.blogspot.com/2017/04/enable-hsts-in-tomcat.html
> > >
> > > Thanks Peter. Do I need to run Tomcat on port 443 or 8443 to enable
> > > HTTP Strict Transport Security (HSTS)? I will be unable to run the Tomcat
> > > service on port 443 as it is a privileged port for the root user only.
> > > Currently I am running the Tomcat service as the tomcat user on port 8080.
> >
> > You must use HTTPS to connect to a server in order for the HSTS header
> > to be respected.
> >
> > https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
> >
> > "
> > Note: The Strict-Transport-Security header is ignored by the browser when
> > your site is accessed using HTTP; this is because an attacker may intercept
> > HTTP connections and inject the header or remove it. When your site is
> > accessed over HTTPS with no certificate errors, the browser knows your site
> > is HTTPS capable and will honor the Strict-Transport-Security header.
> > "
> >
> > Is your server available via https:// ? If you are running on port 80,
> > that doesn't tell us if it's encrypted.
> >
> > If you are enabling HSTS, how do you expect users to connect to your
> > service if you are running non-secure HTTP on port 8080?
> >
> > -chris
> >
>
> Hello,
>
> according to
> https://github.com/Oreste-Luci/apache-tomcat-8.0.26-src/blob/master/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
> the headers are set if request.isSecure is set to true.
>
> So it depends on <Connector secure="true" .../> within the server.xml.
> If behind a proxy with SSL offloading, this flag can also be set on a
> plain HTTP connection.
>
> Greetings,
> Thomas
>
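As an added offline check, not part of this thread or of Tomcat itself: the Python script below parses a Connector element and reports the two prerequisites a JSSE connector needs before it can negotiate TLS 1.3, a protocol list that includes TLSv1.3 and a cipher list that contains at least one TLS 1.3 suite (with JSSE, a protocol with no enabled cipher suite is never offered). The sample connector is constructed from the one above with placeholder keystore values, and the expansion of Tomcat's "all" protocol keyword is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# TLS 1.3 suite names as accepted in Tomcat's `ciphers` attribute.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}
# Assumed expansion of Tomcat's "all" protocol keyword (its documented default).
ALL_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Constructed sample: the post's connector, shortened, with placeholder keystore
# values; it keeps the TLS 1.2-only cipher list and the protocol spec.
SAMPLE_CONNECTOR = """<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
  scheme="https" ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
  keystoreFile="ssl/PLACEHOLDER.jks" keystorePass="PLACEHOLDER" clientAuth="false"
  honorCipherOrder="true" SSLProtocol="TLSv1.2+TLSv1.3" redirectPort="8443" />"""


def enabled_protocols(spec):
    """Expand a Tomcat protocol spec: '+' (or ',') adds a protocol, '-' removes
    one, and 'all' stands for the default set, evaluated left to right."""
    enabled = set()
    for sign, name in re.findall(r"([+,-]?)\s*([A-Za-z0-9.]+)", spec):
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def check_tls13(connector_xml):
    """Return the findings that would keep this connector from negotiating
    TLS 1.3; an empty list means both prerequisites are present."""
    conn = ET.fromstring(connector_xml)
    # Tomcat 9 accepts the legacy Connector attributes or a nested SSLHostConfig.
    host = conn.find("SSLHostConfig")
    proto_spec = (host.get("protocols") if host is not None else None) \
        or conn.get("SSLProtocol") or "all"
    ciphers = (host.get("ciphers") if host is not None else None) \
        or conn.get("ciphers")
    findings = []
    if "TLSv1.3" not in enabled_protocols(proto_spec):
        findings.append(f"TLSv1.3 not in protocols ({proto_spec})")
    # With JSSE a protocol is only active if some enabled suite supports it,
    # so an explicit TLS 1.2-only list silently disables TLS 1.3.
    suites = set(re.split(r"[:, ]+", ciphers.strip())) if ciphers else None
    if suites is not None and not suites & TLS13_SUITES:
        findings.append("ciphers lists no TLS 1.3 suite (e.g. TLS_AES_256_GCM_SHA384)")
    return findings


if __name__ == "__main__":
    for line in check_tls13(SAMPLE_CONNECTOR) or ["TLS 1.3 prerequisites present"]:
        print(line)
```

An absent `ciphers` attribute means Tomcat's default list applies, which this check does not evaluate.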