https://bz.apache.org/bugzilla/show_bug.cgi?id=64609

            Bug ID: 64609
           Summary: Tomcat Error parsing encrypted HTTP request header
           Product: Tomcat 9
           Version: 9.0.37
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: jeff_z...@yahoo.com
  Target Milestone: -----

There are two types of errors that start with "Error parsing HTTP request
header":
1) Invalid character found in the HTTP protocol
2) Invalid character found in method name.
Apart from writing a record of the HTTP request error, Tomcat does not send any
response back to the client.
The socket is not closed and one more open file is added to LFOS (log for open
files).
Eventually the number of open files increases to the limit and Tomcat stops
responding at all.
This situation is covered for regular HTTP requests but not for encrypted HTTPS
requests. I am using HTTPS via AWS CloudFront and worked with the AWS support
team, but we could not find a solution. AWS support sincerely tried to help me
but unfortunately failed.
I tried the recommended configurations in server.xml and catalina.properties
(see below).
I also tried almost all Tomcat 8.5 versions and the latest Tomcat 9.0.37.

I implemented a ServletFilter class, but it does not help because the error
happens before the filter, in the Tomcat layer. Tomcat has some provisions
for accepting different character encodings in HTTP, but not in HTTPS/encrypted
requests.
I highly appreciate anyone who can help here.

Thank you,
Jeff

This is an extract from the standard server.xml:

<Connector port="80" maxHttpHeaderSize="16000" protocol="HTTP/1.1"
URIEncoding="UTF-8" connectionTimeout="20000" redirectPort="443"/>

These are the two additional lines added to the standard catalina.properties:

# Allow for changes to HTTP request validation
# WARNING: Using this option may expose the server to CVE-2016-6816
tomcat.util.http.parser.HttpParser.requestTargetAllow=|{}
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
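
As an added example, not part of this bug report and not Tomcat's own code, the following Python script applies the request-line rules Tomcat's HttpParser enforces (RFC 7230 token characters for the method, RFC 3986 characters for the request target, relaxed by the requestTargetAllow property shown above, and a strict HTTP/x.y version) and reproduces the error classes quoted above, together with a socket probe that sends a deliberately malformed request line over plain TCP or TLS and reports whether a 400 came back and whether the server closed the connection. The character sets and the message wording are my reconstruction of Tomcat's behaviour, not its source; the `probe` helper, its `G{T` request line and any host/port passed to it are assumptions.

```python
"""Request-line checker mirroring Tomcat's HttpParser rejections, plus a
connection probe.  Added example; the character classes and messages are a
reconstruction of Tomcat's behaviour, not copied from its source."""
import re
import socket
import ssl
import string

# RFC 7230 tchar: the only characters allowed in a method name.
TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.ascii_letters + string.digits)

# Characters accepted in a request target by default: RFC 3986 unreserved,
# sub-delims, ":" "@" "/" "?" and "%" for percent-encoding.
TARGET_CHARS = frozenset(string.ascii_letters + string.digits
                         + "-._~!$&'()*+,;=:@/?%")

# Extra target characters; the report's catalina.properties sets this to "|{}"
# via tomcat.util.http.parser.HttpParser.requestTargetAllow.
DEFAULT_REQUEST_TARGET_ALLOW = ""


def check_request_line(line, request_target_allow=DEFAULT_REQUEST_TARGET_ALLOW):
    """Return None if the request line passes, otherwise the error text
    (wording mirrors the messages quoted in the report)."""
    parts = line.split(" ")
    if len(parts) != 3 or not all(parts):
        return "Invalid request line"
    method, target, version = parts
    if any(c not in TCHAR for c in method):
        return "Invalid character found in method name"
    allowed = TARGET_CHARS | frozenset(request_target_allow)
    if any(c not in allowed for c in target):
        return "Invalid character found in the request target"
    if not re.fullmatch(r"HTTP/[0-9]\.[0-9]", version):
        return "Invalid character found in the HTTP protocol"
    return None


def probe(host, port, use_tls=False, line=b"G{T / HTTP/1.1", timeout=5.0):
    """Hypothetical operational helper (needs a reachable server): send `line`
    as the request line, TLS-wrapped when use_tls is True, and return
    (status_line, peer_closed).  A healthy Tomcat answers with a 400 status
    line and closes; the symptom in the report is ("", False)."""
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = raw
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(raw, server_hostname=host)
    try:
        sock.sendall(line + b"\r\nHost: " + host.encode("ascii") + b"\r\n\r\n")
        data = b""
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:            # EOF: the server closed its side
                    peer_closed = True
                    break
                data += chunk
        except socket.timeout:           # still open after `timeout` seconds
            peer_closed = False
        status_line = data.split(b"\r\n", 1)[0].decode("latin-1") if data else ""
        return status_line, peer_closed
    finally:
        sock.close()


if __name__ == "__main__":
    # Constructed request lines covering each rejection class.
    for req in ("GET / HTTP/1.1", "G{T / HTTP/1.1",
                "GET /a|b HTTP/1.1", "GET / HTTQ/1.1"):
        print(f"{req!r:24} -> {check_request_line(req)}")
    print("with requestTargetAllow=|{}:",
          check_request_line("GET /a|b HTTP/1.1", request_target_allow="|{}"))
```

Note that the `|{}` property only widens the request target; a `{` in the method name or a damaged version token is still rejected, which matches the two error texts the report lists. To test the symptom itself, call `probe` against the origin (plain on 80, `use_tls=True` on 443) and compare: a healthy Tomcat returns a status line starting `HTTP/1.1 400` with `peer_closed` True, whereas no status line and `peer_closed` False means the connection stayed open until the client timeout.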
