Jon,

Oh, I see there is a redirect. I do see a similar behavior on redirects (302) 
or auth (401, e.g. on the manager app). But HSTS on 200, 404 or 403.

What happens if you call "/c/portal/license" ?

Peter

> On 21.04.2023 at 23:05, jonmcalexan...@wellsfargo.com.invalid 
> <jonmcalexan...@wellsfargo.com.INVALID> wrote:
> 
> Here is the output from a powershell command:
> 
> Invoke-WebRequest -Uri https://ldvwa00a0010.wellsfargo.com:8443 
> -MaximumRedirection 0 | Select-Object -ExpandProperty Headers
> 
> Key                    Value
> ---                    -----
> X-Content-Type-Options nosniff
> X-Frame-Options        SAMEORIGIN
> X-XSS-Protection       1
> Set-Cookie             JSESSIONID=E60F2DA9B666966565C8076FE5C47226.wfig1; 
> Path=/; Secure; HttpOnly,COOKIE_SUPPORT=true; Expires=Tue, 03 Dec 2069 
> 23:39:55 GMT; Path=/; Secure; HttpOnly,GU...
> Location               
> https://ldvwa00a0010.wellsfargo.com:8443/c/portal/license
> Content-Length         0
> Date                   Fri, 21 Apr 2023 20:57:47 GMT
> Keep-Alive             timeout=60
> Connection             keep-alive
> 
> 
> Here is curl
> 
> curl -ikl --verbose https://HOST:8443 > op.txt
> 
> *   Trying IP:8443...
> * TCP_NODELAY set
> * Connected to HOST (IP) port 8443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> } [5 bytes data]
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> } [512 bytes data]
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> { [85 bytes data]
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> { [3806 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> { [300 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> { [4 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> } [37 bytes data]
> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> } [1 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> } [16 bytes data]
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> { [16 bytes data]
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> * ALPN, server did not agree to a protocol
> * Server certificate:
> *  subject: C=US; O=; OU=; CN=
> *  start date: Aug 10 16:35:12 2022 GMT
> *  expire date: Aug  9 16:35:12 2024 GMT
> *  issuer: C=US; O=; OU=; CN=
> *  SSL certificate verify result: self signed certificate in certificate 
> chain (19), continuing anyway.
> } [5 bytes data]
>> GET / HTTP/1.1
>> Host: HOST:8443
>> User-Agent: curl/7.65.3
>> Accept: */*
>> 
> { [5 bytes data]
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 302
> < X-Content-Type-Options: nosniff
> < X-Frame-Options: SAMEORIGIN
> < X-XSS-Protection: 1
> < Set-Cookie: JSESSIONID=CB5FFB977D92D0CB953AE651014CD048.wfig1; Path=/; 
> Secure; HttpOnly
> < Set-Cookie: COOKIE_SUPPORT=true; Expires=Tue, 03 Dec 2069 23:42:52 GMT; 
> Path=/; Secure; HttpOnly
> < Set-Cookie: GUEST_LANGUAGE_ID=en_US; Expires=Tue, 03 Dec 2069 23:42:52 GMT; 
> Path=/; Secure; HttpOnly
> < Location: https://HOST:8443/c/portal/license
> < Content-Length: 0
> < Date: Fri, 21 Apr 2023 21:00:44 GMT
> <
> * Connection #0 to host left intact
> 
> Thanks,
> 
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
> 
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> 
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
> 
> jonmcalexan...@wellsfargo.com
> This message may contain confidential and/or privileged information. If you 
> are not the addressee or authorized to receive this for the addressee, you 
> must not use, copy, disclose, or take any action based on this message or any 
> information herein. If you have received this message in error, please advise 
> the sender immediately by reply e-mail and delete this message. Thank you for 
> your cooperation.
> 
> 
>> -----Original Message-----
>> From: Christopher Schultz <ch...@christopherschultz.net>
>> Sent: Friday, April 21, 2023 1:17 PM
>> To: users@tomcat.apache.org
>> Subject: Re: OT: hsts in Tomcat 9.0.73
>> 
>> Jon,
>> 
>> On 4/21/23 11:47, jonmcalexan...@wellsfargo.com.INVALID wrote:
>>> Thank you Olaf, however, the connection was made over https directly
>>> to Tomcat on port 8443.
>> Sample curl with secrets removed?
>> 
>> -chris
>> 
>>>> -----Original Message-----
>>>> From: Olaf Kock <tom...@olafkock.de>
>>>> Sent: Friday, April 21, 2023 1:48 AM
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: OT: hsts in Tomcat 9.0.73
>>>> 
>>>> 
>>>> On 21.04.23 at 07:03, jonmcalexan...@wellsfargo.com.INVALID wrote:
>>>>> No, there is no error and no stack trace. Everything works, just the
>>>>> HSTS header isn't in the list of headers.
>>>>> 
>>>> The lowest hanging fruit: HSTS is only defined on https - on http it
>>>> doesn't have any meaning and Tomcat would be correct in not sending
>>>> it (I haven't looked at the source if it does, but it should be easy
>>>> to test)
>>>> 
>>>> If you have a reverse proxy handling https & proxying through http,
>>>> Tomcat might not know that it'd be fine to send the header. (If that
>>>> is your case, there is the brute force "secure" attribute on the
>>>> connector
>>>> - use it only when there's no way to connect through http from
>>>> anywhere but your reverse proxy)
>>>> 
>>>> This has bitten me a few times
>>>> 
>>>> Olaf
>>>> 
>>>> 
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>> 
>>> 
>>> 
>> 
> 
> 
> 


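The comparison Peter asks for above (does the header show up on a 302 from "/" but on a 200, 404 or 403 from another path such as /c/portal/license?) as an added shell example; this is not code from the thread or from Tomcat. It parses a curl header dump and reports, per response, the status code and whether Strict-Transport-Security was present, then a small wrapper runs that over several paths on one host without following redirects. The host name HOST:8443, the paths and the two sample dumps are constructed for illustration (the dumps are modelled on the output posted above, not captured from the real server).

```shell
#!/bin/sh
# Added example, not part of the thread: report, per response, the status
# code and whether Strict-Transport-Security (HSTS) was sent, so a 302 from
# "/" can be compared with a 200/404/403 from other paths on the same host.
# Input is a raw header dump as produced by `curl -D -` or `curl -i`.

# hsts_verdict: read a header dump on stdin and print one line
#   "<status> present|absent [<Location>]"
# for the last response in the dump (a dump produced with -L therefore
# reports the final hop). Exits 1 if no HTTP status line is found.
hsts_verdict() {
    tr -d '\r' | awk '
        /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { status = $2; hsts = "absent"; loc = "" }
        tolower($0) ~ /^strict-transport-security:/ { hsts = "present" }
        tolower($0) ~ /^location:/ { loc = $0; sub(/^[^:]*: */, "", loc) }
        END {
            if (status == "") { print "no-status absent"; exit 1 }
            printf "%s %s%s\n", status, hsts, (loc != "" ? " " loc : "")
        }'
}

# probe_paths HOST:PORT PATH...: fetch each path over https WITHOUT following
# redirects and print "<path> <status> present|absent [<Location>]".
# -k is only here because the server in the thread presents a self-signed
# chain; drop it wherever the chain is trusted, otherwise the check says
# nothing about which host you are really talking to.
probe_paths() {
    base=$1; shift
    for p in "$@"; do
        printf '%s ' "$p"
        curl -sk -o /dev/null -D - "https://$base$p" | hsts_verdict
    done
}

# Constructed sample dumps (modelled on the output posted in the thread, not
# captured from the real host) so the parser can be exercised offline.
SAMPLE_302='HTTP/1.1 302
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Set-Cookie: JSESSIONID=0123456789ABCDEF.node1; Path=/; Secure; HttpOnly
Location: https://HOST:8443/c/portal/license
Content-Length: 0
'
SAMPLE_404='HTTP/1.1 404
Strict-Transport-Security: max-age=31536000;includeSubDomains
Content-Type: text/html;charset=utf-8
'

# Offline demo. Against a live server run, for example:
#   probe_paths HOST:8443 / /c/portal/license /does-not-exist
printf '%s' "$SAMPLE_302" | hsts_verdict   # 302 absent https://HOST:8443/c/portal/license
printf '%s' "$SAMPLE_404" | hsts_verdict   # 404 present
```

Run the same probe against the plain-HTTP connector as well, if one is open: HSTS is expected to be absent there, and a browser would ignore it anyway, so only the HTTPS results tell you whether the filter is doing its job.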

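Olaf's point about a TLS-terminating reverse proxy, as an added configuration example that is not from the thread or from the Tomcat documentation. Tomcat's HttpHeaderSecurityFilter adds the Strict-Transport-Security header only when the request is secure, so a connector that receives plain HTTP from the proxy never emits it. The fragment shows the weak connector, the "brute force" `secure="true"` variant Olaf mentions (only safe when nothing but the proxy can reach that port), the RemoteIpValve alternative that trusts X-Forwarded-Proto from the proxy only, and the filter itself. Port numbers, the 10.0.0.0/8 proxy range and the header names the proxy sends are assumptions.

```xml
<!-- server.xml, inside <Service>: connector that receives plain HTTP from a
     TLS-terminating reverse proxy. Before: Tomcat sees http, so
     request.isSecure() is false and no HSTS header is ever added. -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />

<!-- After, option 1 (the "brute force" attribute): declare the connector
     secure and tell Tomcat what the client-facing scheme and port are.
     Only acceptable when port 8080 is reachable from the proxy alone. -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           scheme="https" secure="true" proxyPort="443" />

<!-- After, option 2, inside <Engine> or <Host>: let the proxy say whether
     the client used https, but believe it only from the proxy's own
     address range (assumed here to be 10.0.0.0/8). -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="10\.\d+\.\d+\.\d+"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https" />

<!-- conf/web.xml or the application's WEB-INF/web.xml: the filter that
     emits HSTS (and the other headers seen in the thread). -->
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

With option 2 the proxy must strip any client-supplied X-Forwarded-Proto before adding its own, otherwise a client on the proxy's network could mark a plain-HTTP request as secure.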