Forum Discussion
Kim_Busho
Nimbostratus
Feb 12, 2008
SSL/Tomcat Security Alert
We have a website that is hosted on Tomcat (v5.5) web servers and uses an SSL certificate configured on our (v9.1.2) F5's.
There is an iRule in place for the http vs that redirects all requests to https:
# Redirects all to HTTPS, keeps URI intact
when HTTP_REQUEST {
    HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}
After a user enters login information for the site and attempts to login, this pop-up message appears:
Security Alert
You are about to be redirected to a connection that is not secure.
The information you are sending to the current site might be retransmitted to a nonsecure site. Do you wish to continue?
If you select Yes to continue you're redirected to the correct page using https.
We don't see this message with our IIS sites. How can I get rid of this message?
4 Replies
- Jeff_C_42204
Nimbostratus
Have you verified that the certificate is completely valid, including chaining as defined in your SSL profile?
If you have something similar set up against IIS sites, I would verify your setup of the virtual servers and SSL profiles to ensure they are identical and valid.
- Kim_Busho
Nimbostratus
I have checked these items and everything looks good (including the chained intermediate certificate). The pop-up only occurs during the login process and the cert seems to otherwise be fine. Thanks!
- kykong_107132
Nimbostratus
Hi Kim,
The error message indicates that a certain link is not using HTTPS. Can you try to use the Fiddler HTTP debugger to capture the HTTP headers while you are accessing the login page? You can get the Fiddler package from http://www.fiddlertool.com/fiddler/.
Fiddler will tell you which link is not using HTTPS.
Regards,
KY
- dennypayne
Employee
To further elaborate on what KY is saying, most likely what is happening is that your Tomcat server is sending back http redirects to the client rather than https. Because you are decrypting SSL at the BIG-IP, the Tomcat server is running on port 80 and doesn't realize that it needs to send redirects as https instead of http.
The best way to fix this is to make sure your Tomcat server doesn't improperly send back http redirects, but if that is not possible, then you can use the Rewrite Redirects feature in the http profile on the BIG-IP to "catch" those http redirects on the way back out to the client and change them to https as they should be.
Click here for the manual on Rewrite Redirects for 9.1.2.
Denny
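As an added illustration, not code from the thread and not F5's or Tomcat's own software, here is a small Python script that does in miniature what KY and Denny describe: it parses a captured HTTP response the way you would read it in Fiddler, flags a 3xx response whose Location header points at plain http://, and rewrites that Location to https:// on the way out, but only when the redirect points back at the host the client connected to. The captured response, the hostname www.example.com and the function names are all constructed for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample (not from the thread): roughly what Fiddler would show for
# Tomcat's answer to the login POST. BIG-IP terminated SSL and forwarded the
# request over port 80, so Tomcat built the redirect with the http scheme.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Location: http://www.example.com/app/home.jsp;jsessionid=ABC123\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, status_line, headers, body).
    headers is a list of (name, value) tuples in wire order."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    m = re.match(r"HTTP/\d\.\d (\d{3})\b", status_line)
    if not m:
        raise ValueError("not an HTTP response: %r" % status_line)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return int(m.group(1)), status_line, headers, body


def find_insecure_redirect(raw):
    """Return the Location value if this response is a 3xx redirect to a plain
    http:// URL, otherwise None. This is the check you would do by eye in Fiddler."""
    status, _, headers, _ = parse_response(raw)
    if not 300 <= status < 400:
        return None
    for name, value in headers:
        if name.lower() == "location" and value.lower().startswith("http://"):
            return value
    return None


def rewrite_redirect(location, vs_host):
    """Rewrite an http:// redirect to https:// when it points back at the host the
    client connected to (vs_host). Other hosts are left alone: they may not offer
    HTTPS at all, and an explicit non-80 port cannot be mapped to an HTTPS port."""
    parts = urlsplit(location)
    if parts.scheme != "http" or parts.hostname != vs_host.lower():
        return location
    if parts.port not in (None, 80):
        return location
    # Drop any explicit :80; the HTTPS URL must use the HTTPS default port.
    return urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))


def fix_response(raw, vs_host):
    """Return the raw response with a matching http:// Location rewritten to
    https://, i.e. what a redirect-rewriting step in front of Tomcat would emit."""
    status, status_line, headers, body = parse_response(raw)
    out = [status_line]
    for name, value in headers:
        if 300 <= status < 400 and name.lower() == "location":
            value = rewrite_redirect(value, vs_host)
        out.append("%s: %s" % (name, value))
    return "\r\n".join(out) + "\r\n\r\n" + body


if __name__ == "__main__":
    print("insecure redirect found:", find_insecure_redirect(SAMPLE_RESPONSE))
    print(fix_response(SAMPLE_RESPONSE, "www.example.com"))
```

Rewriting only same-host redirects is the conservative choice: a redirect to some third-party site that does not serve HTTPS would break if every Location header were blindly rewritten. The other half of Denny's advice, fixing it at the source, means telling Tomcat that it sits behind an SSL terminator so that it generates https redirects itself; Tomcat's HTTP connector has `scheme`, `secure` and `proxyPort` attributes for exactly that purpose, which is generally preferable to patching the headers on the way out.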
