WebSphere Application Server & Liberty

  • 1.  HSTS Missing From HTTPS Server (RFC 6797)

    Posted Thu July 07, 2022 07:20 AM
    Hi All,
    We have a device vuln called "HSTS Missing From HTTPS Server (RFC 6797)". Our application is currently running in HTTP. To resolve this issue, I referred to the site below and implemented it. I can start the IHS (IBM HTTP Server) web server and the site redirects to https automatically, even if we put http. But the application shows an invalid URL.
    My question is, do we want to enable SSL or TLS? Or how do we resolve this issue? Please advise.

    ------------------------------
    Dhinakaran Lakshmanadoss
    ------------------------------


  • 2.  RE: HSTS Missing From HTTPS Server (RFC 6797)

    IBM Champion
    Posted Fri July 08, 2022 02:17 AM
    Good morning Dhinakaran,
    Which page are you referring to? It looks like the link got lost.

    If your question is whether you have to enable SSL on the HTTP server, the answer is YES, i.e. you need to enable SSL on the IHS so that it can serve requests via https.

    If that does not answer your question please provide a bit more information.

    Thanks, Hermann


    ------------------------------
    Hermann Huebler
    2innovate IT Consulting GmbH
    Vienna
    Austria

    #IBMChampion
    ------------------------------



  • 3.  RE: HSTS Missing From HTTPS Server (RFC 6797)

    Posted Fri July 08, 2022 02:32 AM
    Hi Hermann,
    Thanks for your response.

    I need to fix this "HSTS Missing From HTTPS Server (RFC 6797)" vulnerability. I referred to the site below and implemented that. After that, I can start the IHS (IBM HTTP Server) web server and the site redirects to https automatically, even if I put http. But the application shows an invalid URL. The application only runs in HTTP.

    How do I resolve the issue? If I want to enable SSL/TLS, we can't, because to enable it we need to upgrade the Java JDK to 8. Since our application is going to retire, users don't want to do any software upgrade/code changes. So, without SSL/TLS, can't we resolve this?

    https://www.ibm.com/docs/en/was-zos/8.5.5?topic=SS7K4U_8.5.5/com.ibm.websphere.ihs.doc/ihs/tihs_hsts.html


    ------------------------------
    Dhinakaran Lakshmanadoss
    ------------------------------



  • 4.  RE: HSTS Missing From HTTPS Server (RFC 6797)

    Posted Fri July 08, 2022 03:49 AM
    Hi, this is a header that is added to tell the browser to communicate only with SSL/TLS. The plugin to WAS does not need to communicate over SSL/TLS, but it means that part of the communication is using clear text.

    You may need to add *:443 to the virtual hosts and then regenerate and propagate the plugin. This will allow the plugin to accept the request. It would be helpful to get the actual message that is being shown, and what is in the plugin log and app server logs.

    Brian

    ------------------------------
    Brian S Paskin
    Sr. Cloud Engineer
    IBM Cloud Engineering
    ------------------------------



  • 5.  RE: HSTS Missing From HTTPS Server (RFC 6797)

    IBM Champion
    Posted Fri July 08, 2022 06:35 AM
    Hello Dhinakaran,
    If you say "I want to enable SSL/TLS, we can't.": where aren't you able to enable SSL/TLS? On the HTTP server? Enabling SSL on the HTTP server should not depend on the Java version, hence I'm not sure why you say this is related to the Java version.

    As Brian mentioned as well, you might need to add a VirtualHost entry on WAS to accept port 443 as well. Another thing which might be needed is to set the UseInsecure (https://www.ibm.com/docs/en/was-nd/8.5.5?topic=ins-web-server-plug-in-custom-properties#rwsv_plugin_customprop__UseInsecure) custom property on the plugin to allow the plugin to forward requests it received on HTTPS via HTTP to WAS.


    ------------------------------
    Hermann Huebler
    2innovate IT Consulting GmbH
    Vienna
    Austria

    #IBMChampion
    ------------------------------



  • 6.  RE: HSTS Missing From HTTPS Server (RFC 6797)

    Posted Fri July 08, 2022 09:37 AM
    The following lines are present in our httpd.conf file. What changes should I make to enable SSL in httpd.conf?
    Listen {server_name}:8080

    <VirtualHost {server_name}:8080>
    ServerName {server_name}
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    </VirtualHost>

    ------------------------------
    Dhinakaran Lakshmanadoss
    ------------------------------



  • 7.  RE: HSTS Missing From HTTPS Server (RFC 6797)

    Posted Fri July 08, 2022 10:59 AM
    There is a guide here: https://www.ibm.com/support/pages/guide-properly-setting-ssl-within-ibm-http-server

    Brian

    ------------------------------
    Brian S Paskin
    Sr. Cloud Engineer
    IBM Cloud Engineering
    ------------------------------
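Putting together what posts 4, 5, 6 and 7 describe, the fragment below is an added example of what the httpd.conf from post 6 could look like once SSL is enabled on IHS; it is not code from the thread, from IBM's documentation or from the linked guide. It assumes {server_name} is the host name already used in post 6, that a key database at /opt/IBM/HTTPServer/ssl/key.kdb (with its .sth stash file) has already been created and holds a server certificate as described in the guide from post 7, and that mod_rewrite is already loaded since the existing configuration uses RewriteEngine.

```apache
# Added example: IHS httpd.conf fragment that keeps the existing port-8080
# virtual host, adds an HTTPS virtual host on 443 carrying the HSTS header,
# and redirects all plain-HTTP requests to HTTPS.
# Assumed values: {server_name} (from post 6), key database and stash file
# paths under /opt/IBM/HTTPServer/ssl/ (placeholders, adjust to your install).

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
LoadModule headers_module modules/mod_headers.so

Listen {server_name}:8080
Listen {server_name}:443

# Plain-HTTP entry point: serve nothing here, only redirect to HTTPS.
# RFC 6797 section 8.1 requires browsers to ignore a Strict-Transport-Security
# header received over plain HTTP, so setting it on this host does nothing;
# this is why the finding cannot be closed without TLS on the web server.
<VirtualHost {server_name}:8080>
    ServerName {server_name}
    SSLDisable
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    RewriteRule ^(.*)$ https://{server_name}$1 [R=301,L]
</VirtualHost>

# HTTPS entry point: the only place where the HSTS header has any effect.
<VirtualHost {server_name}:443>
    ServerName {server_name}
    SSLEnable
    KeyFile "/opt/IBM/HTTPServer/ssl/key.kdb"
    SSLStashfile "/opt/IBM/HTTPServer/ssl/key.sth"
    # Refuse legacy protocol versions; the scanner that reports missing HSTS
    # will usually report SSLv3 / TLS 1.0 on the same port otherwise.
    SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
    # Tell browsers to use only HTTPS for this host for one year.
    # Use a short max-age (e.g. 300) while testing, raise it once stable.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
</VirtualHost>
```

The web server change alone produces the "invalid URL" symptom from posts 1 and 3 if WAS does not know about the new port: as post 4 says, add *:443 as a host alias to the WAS virtual host the application uses, then regenerate and propagate plugin-cfg.xml. Because the plugin-to-WAS hop may stay on plain HTTP (the application itself is not changed and still listens on HTTP), the UseInsecure plugin custom property from post 5 is what allows a request received on 443 to be forwarded to WAS over HTTP. After restarting IHS, a request such as `curl -I https://{server_name}/` should show the Strict-Transport-Security header in the response, and `curl -I http://{server_name}:8080/` should return a 301 to the https URL; that is the state the scanner is checking for.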