From: "Dave Girardin"
To: "Tomcat Users List"
Date: Fri, 20 Jun 2008 10:37:54 -0700
Subject: How to turn off Etag headers?

Group,

I'm a Unix admin working on a Solaris 8 server running Tomcat 6.0.16. No other apps run on the server; for example, there is no Apache httpd running. I have been tasked with turning off Etag headers. Our security folks have supposedly identified this security vulnerability (note that it says Apache but it's really Tomcat):

Vulnerability Identified: Apache ETag Header Information Disclosure Weakness

Severity: Low

Description: A cache management feature is available for Apache that makes use of an entity tag (ETag) header. When this option is enabled and a request is made for a document relating to a file, for caching purposes, an ETag response header is returned containing various file attributes. A weakness has been found in the generation of ETag headers under certain configurations implementing the FileETag directive.

Impact: Among the file attributes included in the header is the file inode number that is returned to a client. This poses a security risk, as this information may aid in launching attacks against other network-based services. For instance, NFS uses inode numbers to generate file handles.

Recommendation: Disable ETag headers. Apache 1.3.22 and earlier are not configurable to disable the use of inodes in ETag headers. Default behavior in later versions will still release this sensitive information. OpenBSD has released a patch that addresses this issue. Inode numbers returned from the server are now encoded using a private hash to avoid the release of sensitive information.

Can anyone tell me how to disable the ETag headers? I have searched the documentation and sorry if it's there I missed it.

Thanks!!

David
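One way to meet the request in the post above, as an added example that is not the poster's or Tomcat's own code: a servlet filter written against the Servlet 2.5 API (the level Tomcat 6 implements) that wraps the response and discards any ETag header before it reaches the client. The class and filter names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (not Tomcat's own code): every servlet behind it,
 * including the DefaultServlet that serves static files, receives a wrapped
 * response whose ETag header is dropped instead of being written.
 * Register it in web.xml with a <filter-mapping> whose url-pattern is /*.
 */
public class StripETagFilter implements Filter {

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            chain.doFilter(req, new NoETagResponse((HttpServletResponse) res));
        } else {
            chain.doFilter(req, res);
        }
    }

    public void destroy() { }

    /** Response wrapper that silently discards ETag headers (name compared case-insensitively). */
    static class NoETagResponse extends HttpServletResponseWrapper {
        NoETagResponse(HttpServletResponse response) {
            super(response);
        }

        public void setHeader(String name, String value) {
            if (!"ETag".equalsIgnoreCase(name)) {
                super.setHeader(name, value);
            }
        }

        public void addHeader(String name, String value) {
            if (!"ETag".equalsIgnoreCase(name)) {
                super.addHeader(name, value);
            }
        }
    }
}
```

Without an ETag, clients have nothing to send in If-None-Match, so conditional requests fall back to Last-Modified / If-Modified-Since, which the filter leaves untouched.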