Thanks Peter,

I still do not see the hsts header. I'm wondering if this is causing it.

SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.

I don't know why it's complaining as the certificate for Tomcat is not a 
self-signed certificate.

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.
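As an added example (not code from this thread, from Tomcat, or from any of the people posting), here is a small Python checker that does what the thread is doing by eye: it parses a response head as curl prints it, reports whether Strict-Transport-Security is present, validates the directives, and notes the two conditions raised in the replies: a 302/401 versus a 200 (the header was seen missing on redirects and auth challenges but present on 200/404/403), and HTTPS versus plain HTTP behind a reverse proxy (Tomcat sees a non-secure request and correctly omits the header). It also models the client-side rule from RFC 6797 that a browser ignores HSTS on a response whose certificate did not validate, which bears on the curl warning above, although that warning is about the client's trust store and does not by itself change what Tomcat sends. The sample responses, the host name and the one-year minimum max-age policy are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed local policy (an assumption, not from the thread): flag max-age under one year.
MIN_MAX_AGE = 31536000

# Constructed sample modelled on the curl output quoted in the thread: a 302 over HTTPS
# with other security headers present but no Strict-Transport-Security.
SAMPLE_302 = """\
< HTTP/1.1 302
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Location: https://host.example:8443/c/portal/license
< Content-Length: 0
<
"""

# Constructed sample of a 200 from a host that does send HSTS.
SAMPLE_200 = """\
HTTP/1.1 200
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""


@dataclass
class HstsReport:
    status: int
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)


def parse_head(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a response head (curl's '< ' prefixes accepted) into status and (name, value) pairs."""
    lines = [re.sub(r"^<\s?", "", ln).rstrip("\r") for ln in raw.splitlines()]
    lines = [ln for ln in lines if ln.strip()]
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    if not m:
        raise ValueError(f"not a status line: {lines[0]!r}")
    headers = []
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return int(m.group(1)), headers


def parse_sts(value: str) -> dict:
    """Split 'max-age=N; includeSubDomains; preload' into a dict of lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(raw: str, scheme: str = "https", cert_valid: bool = True) -> HstsReport:
    """Report on one response's HSTS header; scheme and cert_valid describe the client's view."""
    status, headers = parse_head(raw)
    values = [v for n, v in headers if n == "strict-transport-security"]
    report = HstsReport(status=status, present=bool(values))

    if scheme != "https":
        # RFC 6797 s7.2: HSTS has no meaning over plain HTTP and must not be sent there
        # (the reverse-proxy case: a proxy speaking HTTP to Tomcat hands it a non-secure request).
        report.findings.append("response was not over HTTPS; HSTS cannot apply here")
        if values:
            report.findings.append("server sent HSTS over plain HTTP (it should not)")
        return report

    if not values:
        note = "no Strict-Transport-Security header"
        if 300 <= status < 400 or status == 401:
            # The thread saw the header missing on 302/401 but present on 200/404/403.
            note += f" on a {status}; check a 200 or 404 before concluding HSTS is off"
        report.findings.append(note)
        return report

    if not cert_valid:
        # RFC 6797 s8.1: a client ignores HSTS when the certificate did not validate,
        # so an untrusted chain makes the header ineffective even when the server sends it.
        report.findings.append("certificate did not validate; clients will ignore this HSTS header")

    d = parse_sts(values[0])  # RFC 6797 s8.1: clients process only the first STS field
    report.include_subdomains = "includesubdomains" in d
    report.preload = "preload" in d
    if not d.get("max-age", "").isdigit():
        report.findings.append("max-age directive missing or not numeric; header is invalid")
        return report
    report.max_age = int(d["max-age"])
    if report.max_age == 0:
        report.findings.append("max-age=0 tells clients to drop any stored HSTS policy for this host")
    elif report.max_age < MIN_MAX_AGE:
        report.findings.append(f"max-age={report.max_age} is below the local minimum of {MIN_MAX_AGE}")
    return report
```

Paste the `<` lines from a `curl -v` run into `check_hsts()`; for the 302 in the thread it reports the header missing but tells you to look at a 200 or 404 first, and passing `scheme="http"` reproduces the reverse-proxy case where the absence is correct behaviour rather than a misconfiguration.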


> -----Original Message-----
> From: l...@kreuser.name <l...@kreuser.name>
> Sent: Friday, April 21, 2023 5:32 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: OT: hsts in Tomcat 9.0.73
> 
> Jon,
> 
> 
> Oh, I see there is a redirect. I do see a similar behavior on redirects (302) or auth (401, e.g. on the manager app). But HSTS on 200, 404 or 403.
> 
> What happens if you call "/c/portal/license" ?
> 
> Peter
> 
> > On 21.04.2023 at 23:05, jonmcalexan...@wellsfargo.com.invalid <jonmcalexan...@wellsfargo.com.INVALID> wrote:
> >
> > Here is the output from a powershell command:
> >
> > Invoke-WebRequest -Uri https://ldvwa00a0010.wellsfargo.com:8443 -MaximumRedirection 0 | Select-Object -ExpandProperty Headers
> >
> > Key                    Value
> > ---                    -----
> > X-Content-Type-Options nosniff
> > X-Frame-Options        SAMEORIGIN
> > X-XSS-Protection       1
> > Set-Cookie             JSESSIONID=E60F2DA9B666966565C8076FE5C47226.wfig1; Path=/; Secure; HttpOnly,COOKIE_SUPPORT=true; Expires=Tue, 03 Dec 2069 23:39:55 GMT; Path=/; Secure; HttpOnly,GU...
> > Location               https://ldvwa00a0010.wellsfargo.com:8443/c/portal/license
> > Content-Length         0
> > Date                   Fri, 21 Apr 2023 20:57:47 GMT
> > Keep-Alive             timeout=60
> > Connection             keep-alive
> >
> >
> > Here is curl
> >
> > curl -ikl --verbose https://HOST:8443 > op.txt
> >
> >   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
> >                                  Dload  Upload   Total   Spent    Left  Speed
> >   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
> > *   Trying IP:8443...
> > * TCP_NODELAY set
> > * Connected to HOST (IP) port 8443 (#0)
> > * ALPN, offering h2
> > * ALPN, offering http/1.1
> > } [5 bytes data]
> > * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> > } [512 bytes data]
> >   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
> > * TLSv1.3 (IN), TLS handshake, Server hello (2):
> > { [85 bytes data]
> > * TLSv1.2 (IN), TLS handshake, Certificate (11):
> > { [3806 bytes data]
> > * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> > { [300 bytes data]
> > * TLSv1.2 (IN), TLS handshake, Server finished (14):
> > { [4 bytes data]
> > * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> > } [37 bytes data]
> > * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> > } [1 bytes data]
> > * TLSv1.2 (OUT), TLS handshake, Finished (20):
> > } [16 bytes data]
> > * TLSv1.2 (IN), TLS handshake, Finished (20):
> > { [16 bytes data]
> > * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> > * ALPN, server did not agree to a protocol
> > * Server certificate:
> > *  subject: C=US; O=; OU=; CN=
> > *  start date: Aug 10 16:35:12 2022 GMT
> > *  expire date: Aug  9 16:35:12 2024 GMT
> > *  issuer: C=US; O=; OU=; CN=
> > *  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> >   0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
> > } [5 bytes data]
> >> GET / HTTP/1.1
> >> Host: HOST:8443
> >> User-Agent: curl/7.65.3
> >> Accept: */*
> >>
> > { [5 bytes data]
> > * Mark bundle as not supporting multiuse
> > < HTTP/1.1 302
> > < X-Content-Type-Options: nosniff
> > < X-Frame-Options: SAMEORIGIN
> > < X-XSS-Protection: 1
> > < Set-Cookie: JSESSIONID=CB5FFB977D92D0CB953AE651014CD048.wfig1; Path=/; Secure; HttpOnly
> > < Set-Cookie: COOKIE_SUPPORT=true; Expires=Tue, 03 Dec 2069 23:42:52 GMT; Path=/; Secure; HttpOnly
> > < Set-Cookie: GUEST_LANGUAGE_ID=en_US; Expires=Tue, 03 Dec 2069 23:42:52 GMT; Path=/; Secure; HttpOnly
> > < Location: https://HOST:8443/c/portal/license
> > < Content-Length: 0
> > < Date: Fri, 21 Apr 2023 21:00:44 GMT
> > <
> >   0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0
> > * Connection #0 to host left intact
> >
> > Thanks,
> >
> >
> >
> >> -----Original Message-----
> >> From: Christopher Schultz <ch...@christopherschultz.net>
> >> Sent: Friday, April 21, 2023 1:17 PM
> >> To: users@tomcat.apache.org
> >> Subject: Re: OT: hsts in Tomcat 9.0.73
> >>
> >> Jon,
> >>
> >> On 4/21/23 11:47, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>> Thank you Olaf, however, the connection was made over https directly
> >>> to Tomcat on port 8443.
> >> Sample curl with secrets removed?
> >>
> >> -chris
> >>
> >>>> -----Original Message-----
> >>>> From: Olaf Kock <tom...@olafkock.de>
> >>>> Sent: Friday, April 21, 2023 1:48 AM
> >>>> To: users@tomcat.apache.org
> >>>> Subject: Re: OT: hsts in Tomcat 9.0.73
> >>>>
> >>>>
> >>>> On 21.04.23 at 07:03, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>>>> No, there is no error and no stack trace. Everything works, just the HSTS header isn't in the list of headers.
> >>>>>
> >>>> The lowest hanging fruit: HSTS is only defined on https - on http
> >>>> it doesn't have any meaning and Tomcat would be correct in not
> >>>> sending it (I haven't looked at the source if it does, but it
> >>>> should be easy to test)
> >>>>
> >>>> If you have a reverse proxy handling https & proxying through http,
> >>>> Tomcat might not know that it'd be fine to send the header. (If
> >>>> that is your case, there is the brute force "secure" attribute on
> >>>> the connector
> >>>> - use it only when there's no way to connect through http from
> >>>> anywhere but your reverse proxy)
> >>>>
> >>>> This has bitten me a few times
> >>>>
> >>>> Olaf
> >>>>
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>> For additional commands, e-mail: users-h...@tomcat.apache.org