Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Custom bad message error page 
Hi Simone,
Sorry for the obfuscation. I meant the error message that is returned when a request comes in that does not contain an SNI (we call sslContextFactory.setSniRequired(true)). That message contains the "Caused by:" fragment I posted. 

But I was able to solve the issue with the info from Joakim.

Kind regards,

Silvio


On 07-08-2023 20:01, Simone Bordet wrote:

Hi,

On Mon, Aug 7, 2023 at 4:49 PM Silvio Bierman
<sbierman@xxxxxxxxxxxxxxxxxx> wrote:

Hello Simone,

Thank you for the reply. We do not want to change the compliance, the
error flagging is correct and desired. It is just that some potential
user doing a pen-test on our system is objecting to the messages being
generated. The SNI message contains "Caused by:
org.eclipse.jetty.http.BadMessageException" which is information (Jetty)
we are not allowed to disclose for security reasons. In general the want
the ability to tweak all error messages generated by our application. We
tried to offer that through the custom handler.

I'm not sure what you mean exactly by "The SNI message".
We typically don't send the exception type to the client, which should
just receive a 400.
Is it in the body of the 400?

Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.

Back to the top