Subject: Re: Getting garbled data when making http request on https port
From: Amey Rokde
To: Tomcat Users List
Date: Tue, 29 Mar 2016 09:05:17 +0530
In-Reply-To: <56F95C08.1070707@christopherschultz.net>
References: <56F93571.1080505@christopherschultz.net> <56F95C08.1070707@christopherschultz.net>

Christoph

Fair enough that it is not a security leak. Can you throw some light on
what's happening internally so as to understand why we get this garbled
data to be downloaded?

Sorry for pushing

Amey

On Mon, Mar 28, 2016 at 10:00 PM, Christopher Schultz <chris@christopherschultz.net> wrote:

> Amey,
>
> On 3/28/16 11:25 AM, Amey Rokde wrote:
> > Maybe I didn't explain my question properly. What we have is a single
> > web application running on https port 7070. This port is configured for
> > https connection only and that's the reason there is a single connector.
> > What we are seeing is if by mistake or intentionally the user types
> > instead of https://localhost:7070/myapp he types
> > http://localhost:7070/myapp the content with some garbled data gets
> > downloaded. The question is whether I can prevent the garbled data and
> > if so how I can do that.
>
> There is currently no Tomcat-only solution that meets all of your
> criteria (single connector).
>
> Apache httpd can respond with a plaintext response (it's a 400, not a
> 404), but Apache Tomcat is not yet able to do that.
>
> I would like to reiterate that there is no security leak, here.
>
> -chris
>
> > On Mon, Mar 28, 2016 at 7:15 PM, Christopher Schultz <chris@christopherschultz.net> wrote:
> >
> > Amey,
> >
> > On 3/28/16 3:54 AM, Amey Rokde wrote:
> >>>> Dear Community
> >>>>
> >>>> We are using the apache-tomcat-7.0.55 and have configured only one
> >>>> SSL connector (7070).
> >>>>
> >>>> The SSL connection (https) works properly and I am able to fetch
> >>>> the request. But if we make http request we get the garbled data to
> >>>> be downloaded in the browser.
> >
> > This is expected behavior.
> >
> >>>> I tried searching over the net but the information available is
> >>>> more about redirect and things around it. What I want is to prevent
> >>>> this garbled data and get more of http 404 not found.
> >
> > Then you need to make an HTTP connection, not an HTTPS one. It's easy
> > to configure an HTTP connector that redirects to HTTPS.
> >
> >>>> Getting this garbled data is considered more or less security
> >>>> leak.
> >
> > Considered a security leak by whom? There is no information leakage.
> > There are no secrets being transmitted. This is an inconvenience to
> > the user that you can easily remedy.
> >
> >>>> I am attaching the sample server xml of the tomcat.
> >
> > Thanks, but it wasn't relevant (other than to confirm that you weren't
> > configuring an HTTPS connector on a standard HTTP port such as 80).
> >
> >>>> Please advise what needs to be done.
> >
> > If you want your users to get a 404, then you should listen on port 80
> > (for HTTP) and return 404 for all requests. If you want to do better
> > than that, you should listen on port 80 (for HTTP) and redirect all
> > requests to the secure port.
> >
> >>>> PS: the higher tomcat versions namely apache-tomcat-8.0.32 does not
> >>>> show above behaviour.
> >
> > It should behave exactly the same way.
> >
> > -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
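
Added example (not from the thread and not Tomcat code): a Python sketch of what happens when a browser sends plain HTTP to the TLS-only port discussed above. It shows how a TLS record layer misreads the start of "GET /myapp" as a record header, and decodes the kind of short TLS alert record a browser then saves as a garbled download. The request and reply bytes are constructed samples, and it is an assumption that the poster's server answers with such an alert; the thread does not show the bytes.

```python
import struct

# Record content types and a subset of alert descriptions from RFC 5246.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 70: "protocol_version"}

# Constructed samples (assumptions, not captured from the poster's server).
HTTP_REQUEST = b"GET /myapp HTTP/1.1\r\nHost: localhost:7070\r\n\r\n"
GARBLED_REPLY = bytes.fromhex("1503010002020a")


def read_header(data):
    """Split the first five bytes the way a TLS record layer does."""
    if len(data) < 5:
        raise ValueError("shorter than a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def looks_like_tls(data):
    """True if the bytes start with a plausible TLS record header."""
    try:
        ctype, version, _ = read_header(data)
    except ValueError:
        return False
    return ctype in CONTENT_TYPES and version[0] == 3


def describe_reply(data):
    """Explain what a client received from the TLS-only port."""
    if not looks_like_tls(data):
        return "not a TLS record"
    ctype, _, length = read_header(data)
    body = data[5:5 + length]
    if CONTENT_TYPES[ctype] == "alert" and len(body) == 2:
        level = ALERT_LEVELS.get(body[0], "level %d" % body[0])
        desc = ALERT_DESCRIPTIONS.get(body[1], "alert %d" % body[1])
        return "TLS alert: %s %s" % (level, desc)
    return "TLS %s record, %d bytes" % (CONTENT_TYPES[ctype], length)


if __name__ == "__main__":
    # "GET /" is read as type 0x47, version 0x45.0x54, length 0x202f.
    print(read_header(HTTP_REQUEST))
    print(looks_like_tls(HTTP_REQUEST))
    print(describe_reply(GARBLED_REPLY))
```

The reply is a protocol error message in TLS framing with no HTTP status line, so a browser that asked for http:// treats the bytes as an unnamed file to download.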