Thanks Peter for the link and it worked like a charm. I am running the
tomcat version 9.0.56 on CentOS Linux release 7.9.2009 (Core). I have
enabled the TLSv1.3 protocol as per the below block, but when I ran the scan
https://www.ssllabs.com/ssltest/analyze.html, it says *TLS 1.3 -> No* as
per the below scan results.

<!-- HTTPS connector from /opt/tomcat9/conf/server.xml; SSLProtocol is the attribute in question -->
<Connector port="443" protocol="HTTP/1.1"
           connectionTimeout="20000"
           SSLEnabled="true" scheme="https"
           ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
           keystoreFile="ssl/hsbcconsent.jks" keystorePass="tomcat" clientAuth="false"
           disableSessionTickets="true" honorCipherOrder="true"
           SSLProtocol="TLSv1.2+TLSv1.3"
           redirectPort="8443" />

https://github.com/drwetter/testssl.sh

./testssl.sh --htmlfile testapp-consent-testpreprod.testapicraft.com.29042022.html testapp-consent-testpreprod.testapicraft.com


###########################################################
    testssl.sh       3.1dev from https://testssl.sh/dev/

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "LibreSSL 2.8.3" [~69 ciphers]
 on DACADMINs-MacBook-Pro:/usr/bin/openssl
 (built: "date not available", platform: "information not available")


 Start 2022-04-29 19:02:41        -->> 35.210.220.115:443 (testapp-consent-testpreprod.testapicraft.com) <<--

 Service detected:       HTTP


 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 *TLS 1.3    not offered and downgraded to a weaker protocol*
 NPN/SPDY   Local problem: /usr/bin/openssl doesn't support NPN/SPDY
 ALPN/HTTP2 not offered


Am I missing anything in the /opt/tomcat9/conf/server.xml file? Please
comment and guide me. Thanks in advance.

Best Regards,

Kaushal

On Fri, Apr 29, 2022 at 12:15 PM Thomas Hoffmann (Speed4Trade GmbH)
<thomas.hoffm...@speed4trade.com.invalid> wrote:

>
>
> > -----Original Message-----
> > From: Christopher Schultz <ch...@christopherschultz.net>
> > Sent: Friday, 29 April 2022 01:10
> > To: users@tomcat.apache.org
> > Subject: Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x
> >
> > Kaushal,
> >
> > On 4/28/22 15:37, Kaushal Shriyan wrote:
> > > On Fri, Apr 29, 2022 at 12:44 AM Peter Chiu <pc8...@gmail.com> wrote:
> > >
> > >> This is what I am using. Hope this helps.
> > >>
> > >> https://orclcs.blogspot.com/2017/04/enable-hsts-in-tomcat.html
> > >
> > > Thanks Peter. Do I need to run tomcat on port 443 or 8443 to enable
> > > HTTP Strict Transport Security (HSTS). I will be unable to run tomcat
> > > service on port 443 as it is a privileged port for root user only.
> > > Currently I am running tomcat service as tomcat user on port 8080.
> >
> > You must use HTTPS to connect to a server in order for the HSTS header
> > to be respected.
> >
> > https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-
> > Transport-Security
> >
> > "
> > Note: The Strict-Transport-Security header is ignored by the browser when
> > your site is accessed using HTTP; this is because an attacker may
> > intercept HTTP connections and inject the header or remove it. When your
> > site is accessed over HTTPS with no certificate errors, the browser knows
> > your site is HTTPS capable and will honor the Strict-Transport-Security
> > header.
> > "
> >
> > Is your server available via https:// ? If you are running on port 80,
> > that doesn't tell us if it's encrypted.
> >
> > If you are enabling HSTS, how do you expect users to connect to your
> > service if you are running non-secure HTTP on port 8080?
> >
> > -chris
> >
>
> Hello,
> according to
> https://github.com/Oreste-Luci/apache-tomcat-8.0.26-src/blob/master/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
> the headers are set if request.isSecure is set to true.
>
> So it depends on <Connector secure="true" .../> within the server.xml.
> If behind a proxy with SSL Offloading, this flag can also be set on a
> plain http connection.
>
> Greetings,
> Thomas
>
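An added, offline-runnable check (not code from this thread or from Tomcat) that reproduces what the scan above reports and the rule Thomas quotes from HttpHeaderSecurityFilter. It starts two loopback HTTPS servers, one capped at TLS 1.2 like the scanned host and one allowing TLS 1.3, probes each with a client pinned to a single protocol version the way testssl.sh does, and records whether a Strict-Transport-Security header came back. Everything in it is constructed for the example: the self-signed key, the 127.0.0.1 listener, the hstsHandler that stands in for the Tomcat filter, and the max-age value; the hostname and keystore from the server.xml above are not used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"time"
)

// ProbeResult is one row of the report: whether a connection pinned to that
// version was accepted and, if so, the HSTS header the server sent.
type ProbeResult struct {
	Version string
	Offered bool
	HSTS    string
}

// versionNames labels the probes the way testssl.sh prints them.
var versionNames = map[uint16]string{tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}

// selfSignedCert builds a throwaway in-memory certificate so the example
// runs offline. Constructed test key only, never a deployment certificate.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// hstsHandler applies the rule Thomas describes for HttpHeaderSecurityFilter:
// the header is only emitted when the request itself arrived over TLS.
func hstsHandler(w http.ResponseWriter, r *http.Request) {
	if r.TLS != nil {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
	}
	w.WriteHeader(http.StatusOK)
}

// StartServer listens on a random loopback port and returns its address.
// maxVersion = tls.VersionTLS12 reproduces a server that, like the scanned
// host, stops at TLS 1.2 regardless of what the configuration names.
func StartServer(maxVersion uint16) (string, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12, MaxVersion: maxVersion}
	go (&http.Server{Handler: http.HandlerFunc(hstsHandler)}).Serve(tls.NewListener(ln, cfg))
	return ln.Addr().String(), nil
}

// Scan pins the client to exactly one protocol version per attempt, which is
// how a scanner decides "offered" versus "not offered". Chain verification
// is skipped on purpose: this checks protocol support, not certificate trust.
func Scan(addr string) []ProbeResult {
	var out []ProbeResult
	for _, v := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		res := ProbeResult{Version: versionNames[v]}
		tr := &http.Transport{TLSClientConfig: &tls.Config{MinVersion: v, MaxVersion: v, InsecureSkipVerify: true}}
		client := &http.Client{Transport: tr, Timeout: 3 * time.Second}
		if resp, err := client.Get("https://" + addr + "/"); err == nil {
			resp.Body.Close()
			res.Offered = true
			res.HSTS = resp.Header.Get("Strict-Transport-Security")
		}
		tr.CloseIdleConnections()
		out = append(out, res)
	}
	return out
}

func main() {
	for _, limit := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		addr, err := StartServer(limit)
		if err != nil {
			panic(err)
		}
		fmt.Printf("server capped at %s: %+v\n", versionNames[limit], Scan(addr))
	}
}
```

Against the TLS 1.2-capped server the TLS 1.3 row comes back Offered:false, exactly the line the scan printed; when it does that against a real host whose connector lists TLSv1.3, something between the connector setting and the wire is capping the negotiation (the JVM or native TLS library Tomcat is using, or a TLS-terminating proxy in front of it), and that is the next place to look. The HSTS column shows the other half of the thread: the header appears only on rows where the request itself was TLS, so a plain-HTTP port 8080 can never yield it even with the filter enabled.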
