Re: Getting garbled data when making http request on https port

2016-03-29 Thread Mark Thomas
On 29/03/2016 04:35, Amey Rokde wrote:
> Christoph
> 
> Fair enough that it is not a security leak. Can you throw some light on
> what's happening internally so as to understand why we get this garbled
> data to be downloaded?

What you are seeing are the opening bytes of the TLS handshake. The
client fails to respond correctly (it sends the HTTP request line) and
the connection fails.

Mark


> 
> sorry for pushing
> Amey
> 
> On Mon, Mar 28, 2016 at 10:00 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
>> Amey,
>>
>> On 3/28/16 11:25 AM, Amey Rokde wrote:
>>> Maybe I didn't explain my question properly. What we have is a single
>>> web application running on https port 7070. This port is configured for
>>> https connection only and that is the reason there is a single connector. What
>>> we are seeing is if by mistake
>>> or intentionally the user types instead of https://localhost:7070/myapp he
>>> types http://localhost:7070/myapp
>>> the content with some garbled data gets downloaded.  The question is
>>> whether I can prevent the garbled data and if so how I can do that.
>>
>> There is currently no Tomcat-only solution that meets all of your
>> criteria (single connector).
>>
>> Apache httpd can respond with a plaintext response (it's a 400, not a
>> 404), but Apache Tomcat is not yet able to do that.
>>
>> I would like to reiterate that there is no security leak, here.
>>
>> -chris
>>
>>> On Mon, Mar 28, 2016 at 7:15 PM, Christopher Schultz <
>>> ch...@christopherschultz.net> wrote:
>>>
>>>> Amey,
>>>>
>>>> On 3/28/16 3:54 AM, Amey Rokde wrote:
>>>>> Dear Community
>>>>>
>>>>> We are using the apache-tomcat-7.0.55 and have configured only one
>>>>> SSL connector (7070).
>>>>>
>>>>> The SSL connection (https) works properly and I am able to fetch
>>>>> the request. But if we make an http request we get the garbled data to
>>>>> be downloaded in the browser.
>>>>
>>>> This is expected behavior.
>>>>
>>>>> I tried searching over the net but the information available is
>>>>> more about redirect and things around it. What I want is to prevent
>>>>> this garbled data and get more of http 404 not found.
>>>>
>>>> Then you need to make an HTTP connection, not an HTTPS one. It's easy
>>>> to configure an HTTP connector that redirects to HTTPS.
>>>>
>>>>> Getting this garbled data is considered more or less a security
>>>>> leak.
>>>>
>>>> Considered a security leak by whom? There is no information leakage.
>>>> There are no secrets being transmitted. This is an inconvenience to
>>>> the user that you can easily remedy.
>>>>
>>>>> I am attaching the sample server xml of the tomcat.
>>>>
>>>> Thanks, but it wasn't relevant (other than to confirm that you weren't
>>>> configuring an HTTPS connector on a standard HTTP port such as 80).
>>>>
>>>>> Please advise what needs to be done.
>>>>
>>>> If you want your users to get a 404, then you should listen on port 80
>>>> (for HTTP) and return 404 for all requests. If you want to do better
>>>> than that, you should listen on port 80 (for HTTP) and redirect all
>>>> requests to the secure port.
>>>>
>>>>> PS: the higher tomcat versions, namely apache-tomcat-8.0.32, do not
>>>>> show above behaviour.
>>>>
>>>> It should behave exactly the same way.
>>>>
>>>> -chris



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
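
Added example (not part of Mark's or Christopher's messages, and not Tomcat or httpd code): a first-bytes check showing what a TLS-only port sees when it reads an HTTP request line as a TLS record header, and how a listener could answer with the kind of plaintext 400 that Christopher attributes to Apache httpd. The function names and the sample bytes are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def parse_record_header(data: bytes):
    """Read the 5-byte TLS record header: type, version (major, minor), length."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "name": TLS_CONTENT_TYPES.get(ctype),
            "version": (major, minor), "length": length}


def classify_first_bytes(data: bytes) -> str:
    """Decide what a client sent as its first bytes on a TLS-only port."""
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    hdr = parse_record_header(data)
    if hdr and hdr["name"] == "handshake" and hdr["version"][0] == 3:
        return "tls-handshake"
    return "unknown"


def answer_for(data: bytes):
    """Plaintext 400 for HTTP sent to the TLS port; None means hand off to TLS."""
    if classify_first_bytes(data) == "plaintext-http":
        body = b"Bad Request: plain HTTP was sent to an HTTPS port\n"
        return (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\n"
                b"Content-Length: " + str(len(body)).encode() + b"\r\n"
                b"Connection: close\r\n\r\n" + body)
    return None


# Constructed sample inputs (not captured traffic).
HTTP_REQUEST = b"GET /myapp HTTP/1.1\r\nHost: localhost:7070\r\n\r\n"
CLIENT_HELLO_START = bytes.fromhex("16030100050100000100")

if __name__ == "__main__":
    for sample in (HTTP_REQUEST, CLIENT_HELLO_START):
        print(classify_first_bytes(sample), parse_record_header(sample))
```

Read as a record header, `GET /` yields content type 71 and version 69.84, neither of which is valid TLS, which is why the two sides cannot continue the handshake.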



Re: Getting garbled data when making http request on https port

2016-03-28 Thread Amey Rokde
Christoph

Fair enough that it is not a security leak. Can you throw some light on
what's happening internally so as to understand why we get this garbled
data to be downloaded?

sorry for pushing
Amey

On Mon, Mar 28, 2016 at 10:00 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Amey,
>
> On 3/28/16 11:25 AM, Amey Rokde wrote:
> > Maybe I didn't explain my question properly. What we have is a single
> > web application running on https port 7070. This port is configured for
> > https connection only and that is the reason there is a single connector. What
> > we are seeing is if by mistake
> > or intentionally the user types instead of https://localhost:7070/myapp he
> > types http://localhost:7070/myapp
> > the content with some garbled data gets downloaded.  The question is
> > whether I can prevent the garbled data and if so how I can do that.
>
> There is currently no Tomcat-only solution that meets all of your
> criteria (single connector).
>
> Apache httpd can respond with a plaintext response (it's a 400, not a
> 404), but Apache Tomcat is not yet able to do that.
>
> I would like to reiterate that there is no security leak, here.
>
> -chris
>
> > On Mon, Mar 28, 2016 at 7:15 PM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > > Amey,
> > >
> > > On 3/28/16 3:54 AM, Amey Rokde wrote:
> > > > Dear Community
> > > >
> > > > We are using the apache-tomcat-7.0.55 and have configured only one
> > > > SSL connector (7070).
> > > >
> > > > The SSL connection (https) works properly and I am able to fetch
> > > > the request. But if we make an http request we get the garbled data to
> > > > be downloaded in the browser.
> > >
> > > This is expected behavior.
> > >
> > > > I tried searching over the net but the information available is
> > > > more about redirect and things around it. What I want is to prevent
> > > > this garbled data and get more of http 404 not found.
> > >
> > > Then you need to make an HTTP connection, not an HTTPS one. It's easy
> > > to configure an HTTP connector that redirects to HTTPS.
> > >
> > > > Getting this garbled data is considered more or less a security
> > > > leak.
> > >
> > > Considered a security leak by whom? There is no information leakage.
> > > There are no secrets being transmitted. This is an inconvenience to
> > > the user that you can easily remedy.
> > >
> > > > I am attaching the sample server xml of the tomcat.
> > >
> > > Thanks, but it wasn't relevant (other than to confirm that you weren't
> > > configuring an HTTPS connector on a standard HTTP port such as 80).
> > >
> > > > Please advise what needs to be done.
> > >
> > > If you want your users to get a 404, then you should listen on port 80
> > > (for HTTP) and return 404 for all requests. If you want to do better
> > > than that, you should listen on port 80 (for HTTP) and redirect all
> > > requests to the secure port.
> > >
> > > > PS: the higher tomcat versions, namely apache-tomcat-8.0.32, do not
> > > > show above behaviour.
> > >
> > > It should behave exactly the same way.
> > >
> > > -chris


Re: Getting garbled data when making http request on https port

2016-03-28 Thread Christopher Schultz
Amey,

On 3/28/16 11:25 AM, Amey Rokde wrote:
> Maybe I didn't explain my question properly. What we have is a single
> web application running on https port 7070. This port is configured for
> https connection only and that is the reason there is a single connector. What
> we are seeing is if by mistake
> or intentionally the user types instead of https://localhost:7070/myapp he
> types http://localhost:7070/myapp
> the content with some garbled data gets downloaded.  The question is
> whether I can prevent the garbled data and if so how I can do that.

There is currently no Tomcat-only solution that meets all of your
criteria (single connector).

Apache httpd can respond with a plaintext response (it's a 400, not a
404), but Apache Tomcat is not yet able to do that.

I would like to reiterate that there is no security leak, here.

-chris

> On Mon, Mar 28, 2016 at 7:15 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> > Amey,
> >
> > On 3/28/16 3:54 AM, Amey Rokde wrote:
> > > Dear Community
> > >
> > > We are using the apache-tomcat-7.0.55 and have configured only one
> > > SSL connector (7070).
> > >
> > > The SSL connection (https) works properly and I am able to fetch
> > > the request. But if we make an http request we get the garbled data to
> > > be downloaded in the browser.
> >
> > This is expected behavior.
> >
> > > I tried searching over the net but the information available is
> > > more about redirect and things around it. What I want is to prevent
> > > this garbled data and get more of http 404 not found.
> >
> > Then you need to make an HTTP connection, not an HTTPS one. It's easy
> > to configure an HTTP connector that redirects to HTTPS.
> >
> > > Getting this garbled data is considered more or less a security
> > > leak.
> >
> > Considered a security leak by whom? There is no information leakage.
> > There are no secrets being transmitted. This is an inconvenience to
> > the user that you can easily remedy.
> >
> > > I am attaching the sample server xml of the tomcat.
> >
> > Thanks, but it wasn't relevant (other than to confirm that you weren't
> > configuring an HTTPS connector on a standard HTTP port such as 80).
> >
> > > Please advise what needs to be done.
> >
> > If you want your users to get a 404, then you should listen on port 80
> > (for HTTP) and return 404 for all requests. If you want to do better
> > than that, you should listen on port 80 (for HTTP) and redirect all
> > requests to the secure port.
> >
> > > PS: the higher tomcat versions, namely apache-tomcat-8.0.32, do not
> > > show above behaviour.
> >
> > It should behave exactly the same way.
> >
> > -chris



Re: Getting garbled data when making http request on https port

2016-03-28 Thread Amey Rokde
Hi Christoph

Maybe I didn't explain my question properly. What we have is a single
web application running on https port 7070. This port is configured for
https connection only and that is the reason there is a single connector. What
we are seeing is if by mistake
or intentionally the user types instead of https://localhost:7070/myapp he
types http://localhost:7070/myapp
the content with some garbled data gets downloaded.  The question is
whether I can prevent the garbled data and if so how I can do that.

Thanks for all the help




On Mon, Mar 28, 2016 at 7:15 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Amey,
>
> On 3/28/16 3:54 AM, Amey Rokde wrote:
> > Dear Community
> >
> > We are using the apache-tomcat-7.0.55 and have configured only one
> > SSL connector (7070).
> >
> > The SSL connection (https) works properly and I am able to fetch
> > the request. But if we make an http request we get the garbled data to
> > be downloaded in the browser.
>
> This is expected behavior.
>
> > I tried searching over the net but the information available is
> > more about redirect and things around it. What I want is to prevent
> > this garbled data and get more of http 404 not found.
>
> Then you need to make an HTTP connection, not an HTTPS one. It's easy
> to configure an HTTP connector that redirects to HTTPS.
>
> > Getting this garbled data is considered more or less a security
> > leak.
>
> Considered a security leak by whom? There is no information leakage.
> There are no secrets being transmitted. This is an inconvenience to
> the user that you can easily remedy.
>
> > I am attaching the sample server xml of the tomcat.
>
> Thanks, but it wasn't relevant (other than to confirm that you weren't
> configuring an HTTPS connector on a standard HTTP port such as 80).
>
> > Please advise what needs to be done.
>
> If you want your users to get a 404, then you should listen on port 80
> (for HTTP) and return 404 for all requests. If you want to do better
> than that, you should listen on port 80 (for HTTP) and redirect all
> requests to the secure port.
>
> > PS: the higher tomcat versions, namely apache-tomcat-8.0.32, do not
> > show above behaviour.
>
> It should behave exactly the same way.
>
> -chris


Re: Getting garbled data when making http request on https port

2016-03-28 Thread Christopher Schultz

Amey,

On 3/28/16 3:54 AM, Amey Rokde wrote:
> Dear Community
> 
> We are using the apache-tomcat-7.0.55 and have configured only one
> SSL connector (7070).
> 
> The SSL connection (https) works properly and I am able to fetch
> the request. But if we make an http request we get the garbled data to
> be downloaded in the browser.

This is expected behavior.

> I tried searching over the net but the information available is
> more about redirect and things around it. What I want is to prevent
> this garbled data and get more of http 404 not found.

Then you need to make an HTTP connection, not an HTTPS one. It's easy
to configure an HTTP connector that redirects to HTTPS.

> Getting this garbled data is considered more or less a security
> leak.

Considered a security leak by whom? There is no information leakage.
There are no secrets being transmitted. This is an inconvenience to
the user that you can easily remedy.

> I am attaching the sample server xml of the tomcat.

Thanks, but it wasn't relevant (other than to confirm that you weren't
configuring an HTTPS connector on a standard HTTP port such as 80).

> Please advise what needs to be done.

If you want your users to get a 404, then you should listen on port 80
(for HTTP) and return 404 for all requests. If you want to do better
than that, you should listen on port 80 (for HTTP) and redirect all
requests to the secure port.

> PS: the higher tomcat versions, namely apache-tomcat-8.0.32, do not
> show above behaviour.

It should behave exactly the same way.

-chris



Getting garbled data when making http request on https port

2016-03-28 Thread Amey Rokde
Dear Community

We are using the apache-tomcat-7.0.55 and have configured only one SSL
connector (7070).

The SSL connection (https) works properly and I am able to fetch the
request. But if we make an http request we get the garbled data to be
downloaded in the browser.

I tried searching over the net but the information available is more about
redirect and things around it. What I want is to prevent this garbled data
and get more of http 404 not found.

Getting this garbled data is considered more or less a security leak. I am
attaching the sample server xml of the tomcat.

Please advise what needs to be done.

Thanks

Amey

PS: the higher tomcat versions, namely apache-tomcat-8.0.32, do not show
above behaviour.