SSL/Tomcat Security Alert

Question

We have a website that is hosted on Tomcat (v5.5) web servers and uses an SSL certificate configured on our (v9.1.2) F5's.&nbsp;
&nbsp;There is an iRule in place for the http vs that redirects all requests to https:&nbsp;
&nbsp;   Redirects all to HTTPS keeps URI intact
&nbsp;   
&nbsp;   when HTTP_REQUEST {
&nbsp;      HTTP::redirect https://[HTTP::host][HTTP::uri]
&nbsp;   }&nbsp;
&nbsp;After a user enters login information for the site and attempts to login, this pop-up message appears:&nbsp;
&nbsp;   Security Alert
&nbsp;   You are about to be redirected to a connection that is not secure.
&nbsp;   The information you are sending to the current site might be retransmitted to a nonsecure site. Do you wish to continue?&nbsp;
&nbsp;If you select Yes to continue you're redirected to the correct page using https.&nbsp;
&nbsp;We don't see this message with our IIS sites. How can I get rid of this message?

jeff_c_42204 · Answer

Have you verified that the certificate is completely valid including chaining as defined in your ssl profile? &nbsp;
&nbsp;If you have something similar setup against IIS sites I would verify your setup of the virtual servers and ssl profiles to ensure they are identical and valid.&nbsp;&nbsp;

kim_busho · Answer

I have checked these items and everything looks good (including the chained intermediate certificate). The pop-up only occurs during the login process and the cert seems to otherwise be fine. Thanks!

kykong_107132 · Answer

Hi Kim,&nbsp;
&nbsp;the error message indicate that certain link is not using https. can you try to use fiddler http debugger to capture the HTTP header while you are accessing the login page. you can get fiddler package from http://www.fiddlertool.com/fiddler/.&nbsp;
&nbsp;Fiddler will tell you which link not using HTTPS.&nbsp;
&nbsp;regards,
&nbsp;KY&nbsp;

dennypayne · Answer

To further elaborate on what KY is saying, most likely what is happening is that your Tomcat server is sending back http redirects to the client rather than https.  Because you are decrypting SSL at the BIG-IP, the Tomcat server is running on port 80 and doesn't realize that it needs to send redirects as https instead of http.  &nbsp;
&nbsp;The best way to fix this is to make sure your Tomcat server doesn't improperly send back http redirects, but if that is not possible, then you can use the Rewrite Redirects feature in the http profile on the BIG-IP to "catch" those http redirects on the way back out to the client and change them to https as they should be.  &nbsp;&nbsp;Click here for the manual on Rewrite Redirects for 9.1.2.&nbsp;
&nbsp;Denny

Forum Discussion

SSL/Tomcat Security Alert

4 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

Using ChatGPT for security and introduction of AI security

Certificate Expiry Email alert configuration

ChatGPT and security - This Week in Security Feb 18th to Feb 25th, 2023

Avoiding Common iRules Security Pitfalls

My Security+ Certification Journey