Mark,

On 8/26/20 05:27, Mark Thomas wrote:
> On 26/08/2020 08:14, Martin Grigorov wrote:
>> Hi,
>>
>> On Wed, Aug 26, 2020 at 7:53 AM Pratik Shrestha
>> <pratik...@gmail.com> wrote:
>>
>>> Thanks for reply,
>>>
>>> Hi Peter - it complains on port 8443 which belongs to Tomcat.
>>>
>>> Hi Mark - Yes. making HTTP request on HTTPS is wrong. But this
>>> security vulnerability is given to us by Qualys scan. It tries
>>> to post plain HTTP request on HTTPS port and then gets error
>>> message "Bad Request. This combination of host and port
>>> requires TLS." which is a security loophole for Qualys.
>
> On what basis?
>
> I fail to see any security issue here other than "Qualys says so"
> which is not a valid description of a security vulnerability.

My guess is that this is some form of "server fingerprinting" that
they are claiming, like "Zomg! It says Server: Apache-Coyote/1.1! You
are $uper vulnerable to 0days, now!".

Pratik, can you please be very clear about what the actual complaint
is? Are they objecting to one or more of the following:

0. Any legible response at all (meaning they just want a
connection-drop response)
1. Server: Apache-Coyote/1.1 response header
2. Predictable / stock text (e.g. "Bad Request. This
combination of host and port requires TLS." identifies the server as
Tomcat v.x.y or later)
3. Actual Tomcat version number in response

> Absent a description of how this can be exploited (and I'll be
> very surprised if this can be exploited), there is no security
> issue here and Tomcat will not be making any changes.

It seems reasonable to (configurably) strip out version information if
there is anything in there... which there probably is not.

I'm interested in having Tomcat be able to pass these (admittedly
stupid) security requirements, so maybe we could have a setting on the
<Connector> that can allow ERR_EMPTY_RESP to be sent if the handshake
fails due to probably-not-encrypted just like older versions of Tomcat
did.

IMO, being able to reply in plaintext like this is a *feature* (one
that I personally and specifically lobbied to have added to Tomcat)
and shouldn't be removed. If it's not the end of the world to add an
option to disable it, though, I think we ought to do it.

- -chris
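One way to see exactly what a scanner observes when it sends plaintext HTTP to a TLS connector, and to map the reply onto the four items Chris lists above. This is an added example, not code from the thread or from Tomcat: it sends the plain `GET` the thread describes and classifies the raw reply (an empty reply means the server dropped the connection). The Tomcat-style 400 response used as sample input is constructed for the example; the `Server: Apache-Coyote/1.1` header and the "requires TLS" sentence are the strings quoted in the thread, and the `Apache Tomcat/9.0.99` footer is a made-up version string to exercise the version check.

```python
import re
import socket
import sys

# The probe the thread describes: a plain HTTP request on a port that expects TLS.
PROBE = b"GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n"

# Stock Tomcat error text quoted in the thread (item 2 in Chris's list).
TOMCAT_TLS_REQUIRED = b"This combination of host and port requires TLS"

# Constructed sample reply in the shape of a Tomcat 400 page. The version string
# "9.0.99" is invented for the example; the header value is the one quoted above.
SAMPLE_TOMCAT_400 = (
    b"HTTP/1.1 400 \r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body><h1>HTTP Status 400 - Bad Request</h1>"
    b"<p>Bad Request. This combination of host and port requires TLS.</p>"
    b"<hr/><h3>Apache Tomcat/9.0.99</h3></body></html>"
)


def classify_plaintext_response(raw: bytes) -> dict:
    """Map a raw reply (b'' for a dropped connection) onto Chris's four items."""
    findings = {
        "legible_response": False,  # item 0: any parseable HTTP reply at all
        "server_header": None,      # item 1: value of the Server header, if any
        "stock_tomcat_text": False, # item 2: the stock "requires TLS" sentence
        "version_in_body": None,    # item 3: an explicit Tomcat version string
    }
    if not raw:
        return findings
    findings["legible_response"] = raw.startswith(b"HTTP/")
    head, _, body = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            findings["server_header"] = value.strip().decode("latin-1")
    findings["stock_tomcat_text"] = TOMCAT_TLS_REQUIRED in body
    m = re.search(rb"Tomcat/(\d+(?:\.\d+)+)", raw)
    if m:
        findings["version_in_body"] = m.group(1).decode("ascii")
    return findings


def exposed_items(raw: bytes) -> list:
    """Return the numbers (0-3) of the list items a reply would trip."""
    f = classify_plaintext_response(raw)
    items = []
    if f["legible_response"]:
        items.append(0)
    if f["server_header"]:
        items.append(1)
    if f["stock_tomcat_text"]:
        items.append(2)
    if f["version_in_body"]:
        items.append(3)
    return items


def probe(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Send PROBE over plain TCP and return whatever comes back (b'' on a drop)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(PROBE)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)


if __name__ == "__main__":
    # Usage: python check_tls_port.py <host> <port>; with no arguments the
    # constructed sample is classified instead of a live connector.
    raw = probe(sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else SAMPLE_TOMCAT_400
    print(classify_plaintext_response(raw))
    print("items exposed:", exposed_items(raw))
```

Run against a connector that still replies in plaintext, the output tells you which of the four items a scanner could actually be objecting to; an empty reply (all items absent) is the connection-drop behaviour of the older Tomcat versions mentioned above.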
