Olaf,

On 4/22/23 03:13, Olaf Kock wrote:

Am 22.04.23 um 00:48 schrieb jonmcalexan...@wellsfargo.com.INVALID:
Thanks Peter,

I still do not see the hsts header. I'm wondering if this is causing it.

SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.

I don't know why it's complaining as the certificate for Tomcat is not a self-signed certificate.

That's a good guess: Anything self-signed is a problem for HSTS

No, it's not.

(though only curl might see it as that, depending on the root
certificate store it uses compared to your browser). However, somehow
I'd expect the server to be ignorant of the level of trust that the
client has and send the header anyway.
The server should send the header. The client should report that the header was sent. There is no "self-signed silently removes HTTP response headers" or anything like that.

Another aspect to dig into is the explicit nonstandard port number. I didn't fully parse the RFC for it, but there are several statements on explicit, implicit ports and how they're mapped.

The Filter has no idea what port is being used, nor does it care.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
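Chris's point is that certificate trust on the client side and the presence of the Strict-Transport-Security header are independent questions, so the useful check is to look at the raw response the server actually sends. The following is an added example, not code from the thread or from Tomcat: it parses a raw HTTP response head, validates the HSTS directive list per RFC 6797 (a numeric max-age is required; includeSubDomains and preload are optional flags), and optionally performs a live HEAD request over TLS. The sample responses are constructed, the 30-day max-age floor is an assumed sanity threshold, and the `--insecure` switch only mirrors what curl did in the thread ("continuing anyway"), for diagnosis of a server whose chain is not trusted by the local store. One Tomcat-specific caveat worth remembering when the header never appears: HttpHeaderSecurityFilter only adds the HSTS header when `request.isSecure()` is true, so a Tomcat behind a proxy that terminates TLS will not send it unless the connector or a RemoteIpValve/RemoteIpFilter marks the request as secure.

```python
"""Check whether an HTTP response carries a valid HSTS header (RFC 6797)."""
import re
import socket
import ssl
import sys

# Constructed sample responses; not captured from the server in the thread.
RESPONSE_WITH_HSTS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Length: 0\r\n\r\n"
)
RESPONSE_WITHOUT_HSTS = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

MIN_MAX_AGE = 86400 * 30  # assumption: treat anything under a month as suspicious


def parse_headers(raw: bytes) -> dict:
    """Split a raw HTTP response head into a lower-cased name -> value dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value: str) -> dict:
    """Parse an HSTS directive list; return {} if max-age is missing or invalid."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return {}
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def check_hsts(raw: bytes) -> str:
    """Classify a raw response as 'missing', 'invalid', 'too-short' or 'ok'."""
    value = parse_headers(raw).get("strict-transport-security")
    if value is None:
        return "missing"
    parsed = parse_hsts(value)
    if not parsed:
        return "invalid"
    if parsed["max_age"] < MIN_MAX_AGE:
        return "too-short"
    return "ok"


def fetch_head(host: str, port: int, verify: bool = True) -> bytes:
    """Send HEAD / over TLS and return the raw response head (network required)."""
    ctx = ssl.create_default_context()
    if not verify:
        # Same effect as curl's "continuing anyway": diagnosis only, never in production.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    # The Host header carries the explicit port when it is not 443.
    host_hdr = host if port == 443 else f"{host}:{port}"
    request = f"HEAD / HTTP/1.1\r\nHost: {host_hdr}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request.encode("ascii"))
            buf = b""
            while b"\r\n\r\n" not in buf:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                buf += chunk
            return buf


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        raw = fetch_head(sys.argv[1], int(sys.argv[2]),
                         verify="--insecure" not in sys.argv)
    else:
        raw = RESPONSE_WITH_HSTS  # offline demonstration on the constructed sample
    print(check_hsts(raw), parse_headers(raw).get("strict-transport-security"))
```

Run it as `python hsts_check.py host 8443` to see exactly what the server emits on the nonstandard port; if the result is "missing" with verification disabled as well, the problem is on the server side (the filter not being mapped, or the request not being seen as secure), not in the client's trust store.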
