Thanks for the reply,

Hi Peter - it complains on port 8443 which belongs to Tomcat.

Hi Mark - Yes, making an HTTP request on HTTPS is wrong. But this security
vulnerability is given to us by the Qualys scan. It tries to post a plain HTTP
request on the HTTPS port and then gets the error message "Bad Request. This
combination of host and port requires TLS." which is a security loophole for Qualys.
This is the behaviour of the Apache HTTP server also. But in Apache, we can
get rid of this by using the "ErrorDocument 400" directive. Do we have something
similar in Tomcat? I have already tried using

<error-page>
    <error-code>400</error-code>
    <location>/error.jsp</location>
</error-page>

Not sure, but my idea was to add redirect code on the error.jsp page. But the above
never works. It never reaches the error.jsp page. It just sticks in the default error
message page mentioned above.

Btw, you can see the result from Qualys attached.

Thanks again guys for getting back.

Regards,
Pratik

On Tue, Aug 25, 2020 at 5:36 PM Mark Thomas <ma...@apache.org> wrote:

> On 25/08/2020 11:14, Pratik Shrestha wrote:
> > Hi all,
> >
> > Tomcat version: 9.0.37
> >
> > Our website is running on Tomcat. We did Qualys vulnerability scan on our
> > site. Scan shows below vulnerability.
> >
> > Insecure transport
> > Group: Information Disclosure
> > CWE CWE-319
> > OWASP A3 Sensitive Data Exposure
> > WASC WASC-4 INSUFFICIENT TRANSPORT LAYER PROTECTION
> >
> > Please note
> > 1. HTTP port is not enabled.
> > 2. We have only opened HTTPS port 8443. But when we connect this HTTPS port
> > with HTTP (http://www.oursite.com:8443/), we get an error "Bad Request. This
> > combination of host and port requires TLS."
> > 3. Due to the above error message, we get this vulnerability error from
> > Qualys.
> > 4. We have already enabled HSTS.
> > 5. We have enabled Rewrite Valve also to direct all HTTP to HTTPS. But it
> > never works. It is like, Tomcat doesn't care about Rewrite or HSTS. It just
> > finds someone is accessing HTTPS port with HTTP protocol and then just
> > throws error 400 'Bad Request'
> > 6. Note that Tomcat version 7 used to send the error 'ERR_EMPTY_RESP' which
> > should still be okay.
> >
> > We already tried to find the fix for this issue on the web but in vain.
> >
> > Kindly help if anyone has found a way to fix it.
>
> Fix what?
>
> If you make an HTTP request to an HTTPS port, Tomcat provides a helpful
> error message.
>
> I don't see any security issues here.
>
> (And before anyone claims the request sent in the clear is insecure I'll
> point out that the request is sent in the clear irrespective of whether
> Tomcat responds with an HTTP/1.1 clear text error message or a cryptic
> TLS failure).
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
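The three behaviours discussed in this thread (Tomcat 9's clear-text 400, a TLS alert, Tomcat 7's empty close) can be told apart with a small probe. This is an added example, not code from the thread or from Tomcat; the host/port argument and the sample responses are constructed, and as Mark notes the probe's own request leaves in the clear no matter which answer comes back.

```python
import socket

# Constructed sample replies (not captured from any real server) so the
# classifier can be exercised offline.
CLEARTEXT_400 = (
    b"HTTP/1.1 400 \r\nContent-Type: text/html;charset=utf-8\r\n"
    b"Connection: close\r\n\r\n"
    b"<p>This combination of host and port requires TLS.</p>"
)
TLS_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x0A])  # fatal alert record
EMPTY_CLOSE = b""  # server closed without writing anything (ERR_EMPTY_RESPONSE)


def classify_response(data: bytes) -> str:
    """Classify what a TLS port returned after receiving a plaintext HTTP request."""
    if not data:
        return "connection-closed"
    # TLS record type 0x15 = alert, followed by a 0x03 major version byte.
    if len(data) >= 5 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"
    if data.startswith(b"HTTP/"):
        status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return "cleartext-http " + status_line.strip()
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send one plaintext GET to host:port (assumed to be a TLS port) and classify the reply."""
    request = (f"GET / HTTP/1.1\r\nHost: {host}:{port}\r\n"
               f"Connection: close\r\n\r\n").encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # treat whatever arrived before the timeout as the reply
    return classify_response(b"".join(chunks))


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host> <port>   (host and port are your own test server)
    print(probe(sys.argv[1], int(sys.argv[2])))
```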