Re: Browsers suddenly start timing out when accessing port 80 of secure site

Thu, 26 Jun 2014 12:20:20 -0700 

On 6/24/2014 12:25 PM, Bruce Lombardi wrote:

Thanks for the response Konstantinos. I'll look into the HSTS header. The 
behavior you describe may be what is happening.

Bruce

Sent from my iPad


On Jun 24, 2014, at 8:51 AM, Konstantin Preißer <kpreis...@apache.org> wrote:

Hi,


-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, June 24, 2014 2:42 PM
To: Tomcat Users List
Subject: Re: Browsers suddenly start timing out when accessing port 80 of
secure site

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Bruce,


On 6/23/14, 2:30 PM, Bruce Lombardi wrote:
Moving the SSL port from 8443 to 443 has solved the problem. It
appears that when the url www.something.net is entered, Firefox
remembers that this is an SSL site and automatically add the "s"
to get https. In fact after the timeout the url line in the
browser shows https:www.something.net. Obviously, this is
defaulting to the standard SSL port (443), which does not work if
8443 is used. Moving the port to 443 solved the problem.

If you read about setting up Tomcat, the default SSL port is 8443.
Maybe this is done for testing, but it never seems to be explained
that there might be problems with 8443.

I have never experienced the behavior you describe. Certain clients do
cache responses from servers, so it's possible that you had a bad setup
at some point that redirected :80 -> :443 and then Firefox wouldn't
forget that response and change to :8443.

It might also be possible that the website used HSTS which forces compliant browsers (hopefully IE 
too in near future) to only view a site in HTTPS. I haven't tested how Firefox handles this, but I 
can imagine that when the website on :8443 sets an HSTS header and the user enters 
"www.example.com", that Firefox automatically switches this to 
"https://www.example.com/"; which is Port 443.


Regards,
Konstantin Preißer



There is a nice description on Mozilla:

https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security

Thanks for pointing this out.

-Terence Bandoian

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to