
We're trying to harden firewall settings for a computer. We allowed only port HTTPS (443), NTP (123) and DNS (53).

Now we fail to send POST requests to a web api application unless we open port 80.

After we open port 80 and perform one successful request, we are able to work with the web api application for a while even if port 80 is blocked again.

Is it possible to leave only 443 allowed and perform HTTPS requests without ever allowing port 80?

Thanks for the answers!

Yaron Adler

  • If your application has port 80 (http-requests) hardcoded you should fix your application. – Gerald Schneider Jul 26 '18 at 11:43
  • `Is it possible to leave only 443 allowed and perform HTTPS requests without ever allowing port 80?` Yes. This is the standard. If this doesn't work, something is broken with the API (or your app). – Sven Jul 26 '18 at 11:43
  • I have a very simple POST request (to https://xyzw...) that fails with "TrustFailure" upon executing, and works perfectly well when port 80 is allowed. Nothing else in the program around that could possibly break. – Yaron Adler Jul 26 '18 at 11:50
  • Changing firewall settings will not fix a broken web server. Contact whoever runs that server to report the problem. – Michael Hampton Jul 26 '18 at 13:09

2 Answers


Well, that was very educational.

Apparently port 80 IS also used to communicate with the CA.

This happens when the CA is not yet in the trusted CA list and for CRL.

Yaron Adler

  • There are various URLs embedded in a certificate that an application can use: URLs for CRLs, URLs for OCSP, URLs for Certificate Transparency Logs, and I am certain many others. Some of these could be over HTTP. Some of them may be mandatory to consult before allowing the TLS handshake to go through, so by blocking port 80 you may get into problems, and filtering on the URLs/domains is not a good idea. I am not sure why you want to forbid outgoing port 80 traffic and how this enhances security of the host. – Patrick Mevzek Jul 29 '18 at 18:07
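To make the accepted answer and the comment above concrete, here is an added example (not code from the question, the answers, or any project mentioned) in Go using only its standard library. It generates a constructed self-signed certificate whose OCSP, AIA caIssuers and CRL distribution point URLs imitate the plain-HTTP (and LDAP) URLs CAs commonly publish, extracts those URLs the way a validator would, resolves each to a host and effective port, and reports which ports the question's allow-list (443, 123, 53) does not cover. The host names under the reserved `.invalid` TLD and the helper names `ValidationEgress`, `MissingPorts` and `sampleCert` are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Egress is one destination a validator may contact; Why names the source extension.
type Egress struct {
	Host, Port, Why string
}

// Ports implied by a URL scheme when the URL carries none.
var defaultPort = map[string]string{"http": "80", "https": "443", "ldap": "389"}

// ValidationEgress resolves the OCSP, AIA caIssuers and CRL distribution point URLs
// embedded in cert to the host:port pairs a client may need to reach to validate it.
func ValidationEgress(cert *x509.Certificate) ([]Egress, error) {
	sources := []struct {
		urls []string
		why  string
	}{{cert.OCSPServer, "OCSP"}, {cert.IssuingCertificateURL, "AIA caIssuers"}, {cert.CRLDistributionPoints, "CRL"}}
	var out []Egress
	for _, src := range sources {
		for _, raw := range src.urls {
			u, err := url.Parse(raw)
			if err != nil {
				return nil, err
			}
			port := u.Port()
			if port == "" {
				if port = defaultPort[u.Scheme]; port == "" {
					return nil, fmt.Errorf("unknown scheme %q in %s", u.Scheme, raw)
				}
			}
			out = append(out, Egress{u.Hostname(), port, src.why})
		}
	}
	return out, nil
}

// MissingPorts lists, in first-seen order and without duplicates, the ports in eg
// that the firewall's egress allow-list does not cover.
func MissingPorts(eg []Egress, allowed []string) []string {
	ok := map[string]bool{}
	for _, p := range allowed {
		ok[p] = true
	}
	var missing []string
	for _, e := range eg {
		if !ok[e.Port] {
			ok[e.Port] = true // report each port once
			missing = append(missing, e.Port)
		}
	}
	return missing
}

// sampleCert builds a self-signed certificate carrying the plain-HTTP (and one LDAP)
// revocation and AIA URLs that CA-issued leaf certificates commonly have.
// Constructed sample: the .invalid hosts are not real and no real CA is involved.
func sampleCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "api.example.invalid"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		OCSPServer:            []string{"http://ocsp.ca.example.invalid"},
		IssuingCertificateURL: []string{"http://ca.example.invalid/issuer.crt"},
		CRLDistributionPoints: []string{"http://crl.ca.example.invalid/ca.crl", "ldap://dir.ca.example.invalid/cn=CA?certificateRevocationList"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := sampleCert()
	if err != nil {
		panic(err)
	}
	eg, err := ValidationEgress(cert)
	if err != nil {
		panic(err)
	}
	for _, e := range eg {
		fmt.Printf("%-14s %s:%s\n", e.Why, e.Host, e.Port)
	}
	fmt.Println("ports the 443/123/53 allow-list lacks:", MissingPorts(eg, []string{"443", "123", "53"}))
}
```

Run it with `go run`. To audit a real server, replace `sampleCert` with `x509.ParseCertificate` over the DER of the server's leaf and each intermediate certificate, since the intermediates carry their own AIA and CRL URLs and the chain-building step in the accepted answer (fetching an issuer that is not yet trusted) uses the caIssuers URL. The output is the list of hosts and ports the firewall must permit if the client's validator treats those fetches as mandatory.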

You need to check in your web API code whether it's using http (port 80) or https (port 443).

Ardian