On 25/08/2020 11:14, Pratik Shrestha wrote: > Hi all, > > Tomcat version: 9.0.37 > > Our website is running on Tomcat. We did Qualys vulnerability scan on our > site. Scan shows below vulnerability. > > Insecure transport > Group: Information Disclosure > CWE CWE-319 > OWASP A3 Sensitive Data Exposure > WASC WASC-4 INSUFFICIENT TRANSPORT LAYER PROTECTION > > Please note > 1. HTTP port is not enabled. > 2. We have only opened HTTPS port 8443. But when we connect this HTTPS port > with HTTP (http://www.oursite.com:8443/), we get an error "Bad Request. This > combination of host and port requires TLS." > 3. Due to the above error message, we get this vulnerability error from > Qualys. > 4. We have already enabled HSTS. > 5. We have enabled Rewrite Valve also to direct all HTTP to HTTPS. But it > never works. It is like, Tomcat doesn't care about Rewrite or HSTS. It just > finds someone is accessing HTTPS port with HTTP protocol and then just > throws error 400 'Bad Request' > 6. Note that Tomcat version 7 used to send the error 'ERR_EMPTY_RESP' which > should still be okay. > > We already tried to find the fix for this issue on the web but in vain. > > Kindly help if anyone has found a way to fix it.
Fix what? If you make an HTTP request to an HTTPS port, Tomcat provides a helpful error message. I don't see any security issues here. (And before anyone claims the request sent in the clear is insecure I'll point out that the request is sent in the clear irrespective of whether Tomcat responds with an HTTP/1.1 clear text error message or a cryptic TLS failure). Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
