DO NOT REPLY [Bug 45630] New: Increasing Database Connections after Redeployment

2008-08-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45630

   Summary: Increasing Database Connections after Redeployment
   Product: Tomcat 6
   Version: 6.0.18
  Platform: PC
OS/Version: Windows XP
Status: NEW
  Severity: normal
  Priority: P2
 Component: Manager application
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


After undeploy/deploy via the manager application the number of Oracle DB
connections increases and the old connections remain on the DB server.
When the Tomcat server shuts down, the DB connections are closed.

Oracle Version: 10.2.0.2
JDBC Driver: Oracle-9.2.0.5

Context setup:









-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: AJP and PHP

2008-08-14 Thread John G
Quintin,
 
Yes, what you suggested is similar to what I proposed in my initial post and
I agree that implementing AJP in PHP would be a path best not traveled.. :-)

Was planning on using the memcached PHP client as a road map to map
the mod_jk or mod_proxy_ajp code into..
 
John Gentilin

--- On Wed, 8/13/08, Quintin Beukes <[EMAIL PROTECTED]> wrote:

From: Quintin Beukes <[EMAIL PROTECTED]>
Subject: Re: AJP and PHP
To: "Tomcat Developers List" , [EMAIL PROTECTED]
Date: Wednesday, August 13, 2008, 11:46 PM

Hey,

I once looked for an AJP implementation for Java, and what I found was
that there is only one implementation, and that is for Apache.

From here, it's not a very complex protocol. It's basically a
"compressed" http implementation. The concepts are very similar, with
GET/POST requests, Headers, body, etc.

It won't be a quick one though, as it's very binary, and this would
end up messy and buggy in PHP if not done properly (from personal
experience I found that PHP tends to get very messy very quickly with
these type of things).

If I were you, I would rather make a PHP module that makes use of
mod_proxy_ajp to do the requests. PHP modules are not difficult to
write. The idea I'm talking of goes something like this.

1. Make a PHP module that exposes a function ajp_request($target_url,
$method, $encoding, mixed $data) (or more than one for different call
types, ex. form encoded post, raw post, get, etc.)
2. Then inside this function (on the module or "c" language level) you
would hook into mod_proxy_ajp and do a request, returning a stream
that can be read from.

For raw posts you can even expose an output stream. This function
would also return a resource handle, which can be used to set headers.

Just figured I'd share this with you. This is definitely the route I
would go. Especially since you'll benefit from the 3rd party
implementation, which would result in your application effectively
growing as their's grow (Their bug fixes become your bug fixes). And
on top of this you already have a high-performance, mature AJP
implementation to work from.

If you do decide to implement this, you should definitely make it open
source. I'm sure if you did PECL you would have. And I'm sure it would
even become a standard PHP module, as it can be very useful,
especially for web services (like you mentioned).

Q

On Thu, Aug 14, 2008 at 7:53 AM, John G <[EMAIL PROTECTED]> wrote:
> Why scary, all I am trying to achieve is persistent connections to a
> servlet from PHP..
>
> The same interface is used from Apache to a servlet, both in mod_jk and
> mod_proxy_ajp.
> It seems less clumsy and more efficient than implementing a curl call and
> this same persistent interface could also be used as a Web Service
> transport instead of JSON..
>
> John Gentilin
>
> --- On Wed, 8/13/08, Jim Manico <[EMAIL PROTECTED]> wrote:
>
> From: Jim Manico <[EMAIL PROTECTED]>
> Subject: Re: AJP and PHP
> To: [EMAIL PROTECTED]
> Date: Wednesday, August 13, 2008, 10:35 PM
>
> scary man - this cries for a web service interface.
>
> - Jim
>> I have a project where our presentation layer is in PHP and the business
>> logic is Servlet based.. The interface is JSON via a CURL call..
>>
>> I was thinking that I could gain some efficiencies if I created a native
>> AJP implementation as a PHP PECL module using memcache and mod_jk as
>> templates and create a persistent connection pool. That way I can dump
>> the curl call..
>>
>> Looked all over to see if this has been done before, but came up empty...
>>
>> Any thoughts on this ??
>>
>> Thanks
>> John Gentilin
>>
>
>
> --
> Jim Manico, Senior Application Security Engineer
> [EMAIL PROTECTED] | [EMAIL PROTECTED]
> (301) 604-4882 (work)
> (808) 652-3805 (cell)
>
> Aspect Security™
> Securing your applications at the source
> http://www.aspectsecurity.com
>
> ---
> Management, Developers, Security Professionals ...
> ... can only result in one thing. BETTER SECURITY.
> http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
> Sept 22nd-25th 2008
>



-- 
Quintin Beukes
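
Quintin's summary of AJP as a "compressed" HTTP holds up when you look at the bytes. What follows is an added example, not code from this thread, from Tomcat or from mod_jk: a Python encoder and a strict decoder for the AJP13 Forward Request packet, the message mod_jk and mod_proxy_ajp send to the container for every request. The magic bytes, prefix code, method/header/attribute code tables and string framing are taken from Tomcat's AJP13 protocol documentation; the function names, the bounds-checked `_Reader`, the 8192-byte `packet_size` default (mirroring the connector's documented packetSize) and the sample request in the test are this example's own choices, and only the string-valued attributes are handled.

```python
"""AJP13 Forward Request codec: an added illustration for this thread, not code
from Tomcat, mod_jk or any poster.  Layout follows Tomcat's AJP13 docs."""
import struct

MAGIC_TO_CONTAINER = b"\x12\x34"   # web server -> container direction
JK_AJP13_FORWARD_REQUEST = 0x02
ATTR_TERMINATOR = 0xFF
METHODS = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6, "TRACE": 7}
METHOD_NAMES = {v: k for k, v in METHODS.items()}
# Frequent request headers travel as a 2-byte 0xA0xx code; others as strings.
HEADER_CODES = {
    "accept": 0xA001, "accept-charset": 0xA002, "accept-encoding": 0xA003,
    "accept-language": 0xA004, "authorization": 0xA005, "connection": 0xA006,
    "content-type": 0xA007, "content-length": 0xA008, "cookie": 0xA009,
    "cookie2": 0xA00A, "host": 0xA00B, "pragma": 0xA00C, "referer": 0xA00D,
    "user-agent": 0xA00E}
HEADER_NAMES = {v: k for k, v in HEADER_CODES.items()}
# String-valued attributes only; the protocol defines more (req_attribute etc.).
ATTR_CODES = {"remote_user": 0x03, "auth_type": 0x04, "query_string": 0x05, "secret": 0x0C}
ATTR_NAMES = {v: k for k, v in ATTR_CODES.items()}

def _check(cond, msg):
    if not cond:
        raise ValueError(msg)

def _string(s):
    """AJP string: 2-byte big-endian length, bytes, NUL.  None -> 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    raw = s.encode("iso-8859-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def encode_forward_request(method, uri, remote_addr, server_name, server_port=80,
                           is_ssl=False, headers=None, attributes=None,
                           protocol="HTTP/1.1", remote_host=None, packet_size=8192):
    """Build one packet: magic, payload length, payload.  packet_size mirrors the
    connector's packetSize attribute (default 8192) and includes the 4-byte header."""
    body = bytes([JK_AJP13_FORWARD_REQUEST, METHODS[method]])
    body += (_string(protocol) + _string(uri) + _string(remote_addr)
             + _string(remote_host) + _string(server_name))
    body += struct.pack(">H", server_port) + bytes([1 if is_ssl else 0])
    headers, attributes = headers or {}, attributes or {}
    body += struct.pack(">H", len(headers))
    for name, value in headers.items():
        code = HEADER_CODES.get(name.lower())
        body += (struct.pack(">H", code) if code else _string(name)) + _string(value)
    for name, value in attributes.items():
        body += bytes([ATTR_CODES[name]]) + _string(value)
    body += bytes([ATTR_TERMINATOR])
    _check(len(body) + 4 <= packet_size, "forward request exceeds packetSize")
    return MAGIC_TO_CONTAINER + struct.pack(">H", len(body)) + body

class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):                         # every read is bounds-checked
        _check(self.pos + n <= len(self.data), "truncated packet")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def byte(self):
        return self.take(1)[0]
    def u16(self):
        return struct.unpack(">H", self.take(2))[0]
    def string(self):
        n = self.u16()
        if n == 0xFFFF:
            return None
        raw = self.take(n + 1)                 # content plus NUL terminator
        _check(raw[-1] == 0, "malformed AJP string")
        return raw[:-1].decode("iso-8859-1")

def decode_forward_request(packet):
    """Parse a Forward Request the way a container must: strictly, ValueError on junk."""
    _check(len(packet) >= 4 and packet[:2] == MAGIC_TO_CONTAINER, "bad magic")
    length = struct.unpack(">H", packet[2:4])[0]
    r = _Reader(packet[4:4 + length])
    _check(len(r.data) == length, "truncated packet")
    _check(r.byte() == JK_AJP13_FORWARD_REQUEST, "not a forward request")
    method = METHOD_NAMES.get(r.byte())
    _check(method is not None, "unknown method code")
    req = {"method": method, "protocol": r.string(), "uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(),
           "server_name": r.string(), "server_port": r.u16(),
           "is_ssl": r.byte() == 1, "headers": {}, "attributes": {}}
    for _ in range(r.u16()):
        code = r.u16()
        if code & 0xFF00 == 0xA000:            # coded header name
            _check(code in HEADER_NAMES, "unknown header code %#x" % code)
            name = HEADER_NAMES[code]
        else:                                  # length-prefixed name: re-read it
            r.pos -= 2
            name = (r.string() or "").lower()
        req["headers"][name] = r.string()
    while True:                                # attributes run until 0xFF
        code = r.byte()
        if code == ATTR_TERMINATOR:
            break
        _check(code in ATTR_NAMES, "unsupported attribute code %#x" % code)
        req["attributes"][ATTR_NAMES[code]] = r.string()
    return req
```

The decoder is deliberately strict because the fields in this packet are what the container will believe: remote_addr, server_name and the remote_user/auth_type attributes are asserted by the front end and taken on trust by Tomcat, which is why an AJP port must only be reachable from the proxy that fronts it (the protocol's secret attribute, code 0x0C, is what lets the connector demand a shared secret from its workers). A PHP module built on mod_proxy_ajp, as suggested above, inherits that property: whatever it writes into these fields, the servlet sees as fact.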



  

DO NOT REPLY [Bug 45630] Increasing Database Connections after Redeployment

2008-08-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45630


Mark Thomas <[EMAIL PROTECTED]> changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||INVALID




--- Comment #1 from Mark Thomas <[EMAIL PROTECTED]>  2008-08-14 01:11:02 PST ---
Looks like you have a connection leak in your application. Please use the users
list to debug.





DO NOT REPLY [Bug 45618] Selector is not closed.

2008-08-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45618


Mark Thomas <[EMAIL PROTECTED]> changed:

   What|Removed |Added

 Status|NEEDINFO|RESOLVED
 Resolution||INVALID




--- Comment #3 from Mark Thomas <[EMAIL PROTECTED]>  2008-08-14 01:29:21 PST ---
Given how the selector is used, I can't see this causing a problem.

It is my experience that automated tools tend to produce a lot of false
positives. Any automated analysis of the Tomcat code base is welcome but there
is a risk that a large amount of effort is expended investigating potential
issues that turn out not to be bugs.

The best way to avoid this is to filter issues before reporting them. Ideally,
a bug report should contain a test case that demonstrates the issue, eg memory
leak. If that isn't possible, then an explanation of how the issue may occur.

As I stated above, I can't see how this could cause an issue so I am closing it
as invalid. If you believe this to be incorrect, please re-open this report
with an explanation of how not closing the selector leads to problems.





DO NOT REPLY [Bug 44494] Requests greater than 8k being truncated.

2008-08-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=44494


Mark Thomas <[EMAIL PROTECTED]> changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution||FIXED




--- Comment #57 from Mark Thomas <[EMAIL PROTECTED]>  2008-08-14 01:31:33 PST ---
This has now been fixed in 5.5.x and will be included in 5.5.27 onwards.





DO NOT REPLY [Bug 44021] Deployer cannot deploy wars with #s

2008-08-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=44021


Mark Thomas <[EMAIL PROTECTED]> changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||FIXED




--- Comment #14 from Mark Thomas <[EMAIL PROTECTED]>  2008-08-14 01:32:32 PST ---
This has been fixed in 5.5.x and will be included in 5.5.27 onwards.





svn commit: r685818 - in /tomcat: container/tc5.5.x/modules/storeconfig/src/share/org/apache/catalina/storeconfig/StandardContextSF.java container/tc5.5.x/webapps/docs/changelog.xml current/tc5.5.x/ST

2008-08-14 Thread markt
Author: markt
Date: Thu Aug 14 01:49:40 2008
New Revision: 685818

URL: http://svn.apache.org/viewvc?rev=685818&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=42899
When saving config from admin app, correctly handle case where old config file 
does not exist.

Modified:

tomcat/container/tc5.5.x/modules/storeconfig/src/share/org/apache/catalina/storeconfig/StandardContextSF.java
tomcat/container/tc5.5.x/webapps/docs/changelog.xml
tomcat/current/tc5.5.x/STATUS.txt

Modified: 
tomcat/container/tc5.5.x/modules/storeconfig/src/share/org/apache/catalina/storeconfig/StandardContextSF.java
URL: 
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/modules/storeconfig/src/share/org/apache/catalina/storeconfig/StandardContextSF.java?rev=685818&r1=685817&r2=685818&view=diff
==
--- 
tomcat/container/tc5.5.x/modules/storeconfig/src/share/org/apache/catalina/storeconfig/StandardContextSF.java
 (original)
+++ 
tomcat/container/tc5.5.x/modules/storeconfig/src/share/org/apache/catalina/storeconfig/StandardContextSF.java
 Thu Aug 14 01:49:40 2008
@@ -156,8 +156,9 @@
 if (mover != null) {
 // Bugzilla 37781 Check to make sure we can write this output file
 if ((mover.getConfigOld() == null)
-|| (!mover.getConfigOld().isFile())
-|| (!mover.getConfigOld().canWrite())) {
+|| (mover.getConfigOld().isDirectory())
+|| (mover.getConfigOld().exists() &&
+!mover.getConfigOld().canWrite())) {
 log.error("Cannot move orignal context output file at "
 + mover.getConfigOld());
 throw new IOException("Context orginal file at "
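Review bot: when the old config file does not exist, nothing now checks that it can be created, so an absent or read-only parent directory fails later in the move/write path with a less specific error than the one logged here. Consider a third clause such as `|| (!mover.getConfigOld().exists() && parent != null && !parent.canWrite())` with `parent = mover.getConfigOld().getParentFile()`. The unchanged log and exception messages in this hunk also spell "original" as "orignal" and "orginal"; worth fixing while touching the block.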

Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?rev=685818&r1=685817&r2=685818&view=diff
==
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Thu Aug 14 01:49:40 2008
@@ -126,6 +126,10 @@
   
 
   
+42899: When saving config from admin app, correctly handle
+case where the old config file does not exist. (markt)
+  
+  
 44541: Document packetSize attribute for AJP connector.
 (markt)
   

Modified: tomcat/current/tc5.5.x/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS.txt?rev=685818&r1=685817&r2=685818&view=diff
==
--- tomcat/current/tc5.5.x/STATUS.txt (original)
+++ tomcat/current/tc5.5.x/STATUS.txt Thu Aug 14 01:49:40 2008
@@ -49,13 +49,6 @@
   +1: markt, yoavs, fhanik
   -1: 
 
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=42899
-  When saving config from admin app, correctly handle case where old config 
file
-  does not exist.
-  http://people.apache.org/~markt/patches/2008-05-10-bug42899.patch
-  +1: markt, yoavs, fhanik
-  -1: 
-
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45015
   You can't use an unescaped quote if you quote the value with that character
   http://svn.apache.org/viewvc?rev=657231&view=rev






DO NOT REPLY [Bug 42899] Creating a new context via Admin Tool fails when clicking button "commit changes"

2008-08-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=42899


Mark Thomas <[EMAIL PROTECTED]> changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||FIXED




--- Comment #2 from Mark Thomas <[EMAIL PROTECTED]>  2008-08-14 01:51:44 PST ---
This has been fixed in 5.5.x and will be included in 5.5.27 onwards.





svn commit: r685823 - in /tomcat: container/tc5.5.x/webapps/docs/config/systemprops.xml current/tc5.5.x/STATUS.txt jasper/tc5.5.x/src/share/org/apache/jasper/compiler/Parser.java jasper/tc5.5.x/src/sh

2008-08-14 Thread markt
Author: markt
Date: Thu Aug 14 02:04:26 2008
New Revision: 685823

URL: http://svn.apache.org/viewvc?rev=685823&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45015
You can't use an unescaped quote if you quote the value with that character

Modified:
tomcat/container/tc5.5.x/webapps/docs/config/systemprops.xml
tomcat/current/tc5.5.x/STATUS.txt
tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/compiler/Parser.java

tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/resources/LocalStrings.properties

Modified: tomcat/container/tc5.5.x/webapps/docs/config/systemprops.xml
URL: 
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/config/systemprops.xml?rev=685823&r1=685822&r2=685823&view=diff
==
--- tomcat/container/tc5.5.x/webapps/docs/config/systemprops.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/config/systemprops.xml Thu Aug 14 
02:04:26 2008
@@ -38,6 +38,13 @@
 
   
 
+   
+ If false the requirements for escpaing quotes in JSP
+  attributes will be relaxed so that a missing required quote will not
+  cause an error. If not specified, the specification compliant default of
+  true will be used.
+
+
 
   If true, any tag buffer that expands beyond
   org.apache.jasper.Constants.DEFAULT_TAG_BUFFER_SIZE will be
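Review bot: "escpaing" on the first added line should read "escaping", and "a missing required quote will not cause an error" describes the wrong thing: the check this commit adds to Parser.java fires on an unescaped quote character inside a quoted attribute value, that is, a missing backslash, not a missing quote. Suggested wording: "If false, the requirements for escaping quotes in JSP attributes are relaxed so that an unescaped quote character inside an attribute value does not cause an error. If not specified, the specification-compliant default of true is used." The entry should also say that the property is JVM-wide and read once at startup, since that is how Parser.java consumes it.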

Modified: tomcat/current/tc5.5.x/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS.txt?rev=685823&r1=685822&r2=685823&view=diff
==
--- tomcat/current/tc5.5.x/STATUS.txt (original)
+++ tomcat/current/tc5.5.x/STATUS.txt Thu Aug 14 02:04:26 2008
@@ -49,13 +49,6 @@
   +1: markt, yoavs, fhanik
   -1: 
 
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45015
-  You can't use an unescaped quote if you quote the value with that character
-  http://svn.apache.org/viewvc?rev=657231&view=rev
-  http://svn.apache.org/viewvc?rev=670074&view=rev
-  +1: markt, yoavs, fhanik
-  -1: 
-
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45195
   NPE when calling getAttribute(null). The spec is unclear but this
   is a regression from 5.0.x Also avoid NPE on remove

Modified: tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/compiler/Parser.java
URL: 
http://svn.apache.org/viewvc/tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/compiler/Parser.java?rev=685823&r1=685822&r2=685823&view=diff
==
--- tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/compiler/Parser.java 
(original)
+++ tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/compiler/Parser.java Thu 
Aug 14 02:04:26 2008
@@ -67,6 +67,11 @@
 private static final String JAVAX_BODY_CONTENT_TEMPLATE_TEXT = 
 "JAVAX_BODY_CONTENT_TEMPLATE_TEXT";
 
+private static final boolean STRICT_QUOTE_ESCAPING = Boolean.valueOf(
+System.getProperty(
+"org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING",
+"true")).booleanValue();
+
 /**
  * The constructor
  */
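Review bot: a static final initialised from System.getProperty makes this switch JVM-wide and read-once: it cannot be relaxed for a single web application, and a change made after Jasper's Parser class has loaded has no effect. That is acceptable for a compatibility switch, but the systemprops.xml entry in this commit should state it, and "true" should remain the only value used in new deployments, since the lenient mode accepts JSP source that the specification rejects and such pages will fail to compile on a compliant container.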
@@ -242,7 +247,8 @@
 err.jspError(start, "jsp.error.attribute.unterminated", watch);
 }
 
-String ret = parseQuoted(reader.getText(start, stop));
+String ret = parseQuoted(start, reader.getText(start, stop),
+watch.charAt(watch.length() - 1));
 if (watch.length() == 1)// quote
 return ret;
 
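Review bot: `watch.charAt(watch.length() - 1)` silently assumes the closing delimiter string always ends in the quote character; that holds for the one-character and `%>`-prefixed delimiters this method is called with, but a one-line comment stating the assumption would spare the next reader a trip through the callers. parseQuoted now also throws JasperException, so every caller must sit in a method that already declares it.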
@@ -261,7 +267,8 @@
  *| '\$'
  *| Char
  */
-private String parseQuoted(String tx) {
+private String parseQuoted(Mark start, String tx, char quote)
+throws JasperException {
 StringBuffer buf = new StringBuffer();
 int size = tx.length();
 int i = 0;
@@ -295,6 +302,10 @@
 buf.append('\\');
 ++i;
 }
+} else if (ch == quote && STRICT_QUOTE_ESCAPING) {
+// Unescaped quote character
+err.jspError(start, "jsp.error.attribute.noescape", tx,
+"" + quote);
 } else {
 buf.append(ch);
 ++i;
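Review bot: the new branch relies on err.jspError never returning; it does not advance `i`, so if jspError ever returned normally the loop would spin on the same character. Either add a comment saying the call always throws or put an explicit `++i;` after it. When STRICT_QUOTE_ESCAPING is false the unescaped quote falls through to the final else and is kept verbatim, which is the lenient behaviour the new system property documents; a comment on the else branch saying so would tie the two together.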

Modified: 
tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/resources/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/resources/LocalStrings.properties?rev=685823&r1=685822&r2=685823&view=diff
==
--- 
tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/resources/LocalStrings.properties
 (original)
+++ 
tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/resources/LocalStrings.properties
 Thu Aug 14 02:04:26 2008
@@ -333,6 +333,7 @@
 jsp.error.attribute.noequal=equal symbol expected
 jsp.error.attribute.noquote=quote symbol expected
 jsp.error.attri

DO NOT REPLY [Bug 45015] Quoting in attributes

2008-08-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45015


Mark Thomas <[EMAIL PROTECTED]> changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||FIXED




--- Comment #4 from Mark Thomas <[EMAIL PROTECTED]>  2008-08-14 02:04:39 PST ---
This has been fixed in 5.5.x and will be included in 5.5.27 onwards.





DO NOT REPLY [Bug 45195] Possible regression issue with HttpSession.getAtttribute()

2008-08-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45195


Mark Thomas <[EMAIL PROTECTED]> changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||FIXED




--- Comment #4 from Mark Thomas <[EMAIL PROTECTED]>  2008-08-14 02:11:54 PST ---
This has been fixed in 5.5.x and will be included in 5.5.27 onwards.





svn commit: r685826 - in /tomcat: container/tc5.5.x/catalina/src/share/org/apache/catalina/session/StandardSession.java container/tc5.5.x/webapps/docs/changelog.xml current/tc5.5.x/STATUS.txt

2008-08-14 Thread markt
Author: markt
Date: Thu Aug 14 02:11:55 2008
New Revision: 685826

URL: http://svn.apache.org/viewvc?rev=685826&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45195
NPE when calling getAttribute(null). The spec is unclear but this is a 
regression from 5.0.x

Modified:

tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/session/StandardSession.java
tomcat/container/tc5.5.x/webapps/docs/changelog.xml
tomcat/current/tc5.5.x/STATUS.txt

Modified: 
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/session/StandardSession.java
URL: 
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/session/StandardSession.java?rev=685826&r1=685825&r2=685826&view=diff
==
--- 
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/session/StandardSession.java
 (original)
+++ 
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/session/StandardSession.java
 Thu Aug 14 02:11:55 2008
@@ -1021,6 +1021,8 @@
 throw new IllegalStateException
 (sm.getString("standardSession.getAttribute.ise"));
 
+if (name == null) return null;
+
 return (attributes.get(name));
 
 }
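Review bot: the ordering here (validity test first, then the null guard) differs from the removeAttribute hunk below, where the guard runs before the delegated validity check, so getAttribute(null) on an invalidated session still throws IllegalStateException while removeAttribute(null) on the same session now returns silently. Pick one ordering, preferably this one, and apply it to both methods.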
@@ -1165,6 +1167,9 @@
  */
 public void removeAttribute(String name) {
 
+// Avoid NPE
+if (name == null) return;
+
 removeAttribute(name, true);
 
 }
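Review bot: the guard is on the wrong overload to cover all callers: removeAttribute(String, boolean), which this method delegates to and which other container code can call directly, still dereferences a null name. Moving `if (name == null) return;` into the two-argument overload, after its own validity check, protects both entry points and keeps the invalid-session behaviour consistent with getAttribute above.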

Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?rev=685826&r1=685825&r2=685826&view=diff
==
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Thu Aug 14 02:11:55 2008
@@ -92,6 +92,12 @@
 names in server.xml. (markt)
   
   
+45195: Prevent NPE when calling
+Session.getAttribute(null) and 
+Session.removeAttribute(null). The spec is unclear but 
this
+   is a regression from 5.0.x. (markt)
+ 
+  
 45293: Update name of commons-logging jar in security 
policy.
 (markt)
   

Modified: tomcat/current/tc5.5.x/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS.txt?rev=685826&r1=685825&r2=685826&view=diff
==
--- tomcat/current/tc5.5.x/STATUS.txt (original)
+++ tomcat/current/tc5.5.x/STATUS.txt Thu Aug 14 02:11:55 2008
@@ -49,14 +49,6 @@
   +1: markt, yoavs, fhanik
   -1: 
 
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45195
-  NPE when calling getAttribute(null). The spec is unclear but this
-  is a regression from 5.0.x Also avoid NPE on remove
-  http://svn.apache.org/viewvc?rev=667604&view=rev
-  http://svn.apache.org/viewvc?rev=668854&view=rev
-  +1: markt, yoavs, fhanik
-  -1: 
-
 * Remove the JDK 1.3 references from SSL How To
   http://people.apache.org/~markt/patches/2008-06-21-SSL-docs.patch
   +1: markt, yoavs






svn commit: r685831 - in /tomcat: container/tc5.5.x/webapps/docs/ssl-howto.xml current/tc5.5.x/STATUS.txt

2008-08-14 Thread markt
Author: markt
Date: Thu Aug 14 02:28:52 2008
New Revision: 685831

URL: http://svn.apache.org/viewvc?rev=685831&view=rev
Log:
Remove JDK 1.3 references.
Docs patch so just apply it.

Modified:
tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml
tomcat/current/tc5.5.x/STATUS.txt

Modified: tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml
URL: 
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml?rev=685831&r1=685830&r2=685831&view=diff
==
--- tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml Thu Aug 14 02:28:52 2008
@@ -49,11 +49,6 @@
 To install and configure SSL support on Tomcat 5, you need to follow
 these simple steps.  For more information, read the rest of this HOW-TO.
 
-If you are running a 1.3 JVM, download JSSE 1.0.3 (or later) from
-   http://java.sun.com/products/jsse/";>http://java.sun.com/products/jsse/
-   and either make it an installed extension on the system, or else
-   set an environment variable JSSE_HOME that points at the
-   directory into which you installed JSSE.  
 Create a certificate keystore by executing the following command:
 Windows:
 
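Review bot: the quick-start list now opens at the keystore step without saying which JVM it assumes; the deleted subsection further down stated that JSSE is bundled with JDK 1.4 and later, so a single sentence in the intro ("requires a 1.4 or later JVM, which bundles JSSE") would keep that fact and explain to a reader on an older JVM why the steps fail. Also check that the enclosing list still renders correctly with its first item removed.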
@@ -193,30 +188,6 @@
 
 
 
-
-Note that JSSE is bundled with Sun's JDK 1.4 and later, so if you're using
-JDK 1.4 and later, you can skip this step.
-
-
-Download the Java Secure Socket Extensions (JSSE) package,
-version 1.0.3 or later, from
-http://java.sun.com/products/jsse/";>http://java.sun.com/products/jsse/.
-If you built Tomcat from source, you have probably already downloaded this
-package.
-
-After expanding the package, there are two ways to make it available to
-Tomcat (choose one or the other):
-
-Make JSSE an installed extension by copying all three JAR files
-(jcert.jar, jnet.jar, and jsse.jar)
-into your $JAVA_HOME/jre/lib/ext directory.
-Create a new environment variable JSSE_HOME that contains
-the absolute path to the directory into which you unpacked the
-JSSE binary distribution.
-
-
-
-
 
 
 Tomcat currently operates with JKS, PKCS11 or
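Review bot: check for dangling references: this removes an entire subsection, and the extraction here hides its element names, so confirm nothing else in ssl-howto.xml or the docs index still links to it before 5.5.27 is built.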

Modified: tomcat/current/tc5.5.x/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS.txt?rev=685831&r1=685830&r2=685831&view=diff
==
--- tomcat/current/tc5.5.x/STATUS.txt (original)
+++ tomcat/current/tc5.5.x/STATUS.txt Thu Aug 14 02:28:52 2008
@@ -49,11 +49,6 @@
   +1: markt, yoavs, fhanik
   -1: 
 
-* Remove the JDK 1.3 references from SSL How To
-  http://people.apache.org/~markt/patches/2008-06-21-SSL-docs.patch
-  +1: markt, yoavs
-  -1: 
-
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=42727
   Correctly handle request lines that are exact multiples of 4096 in length.
   Patch provided by Will Pugh.






svn commit: r685833 - in /tomcat: container/tc5.5.x/catalina/src/share/org/apache/catalina/connector/CoyoteReader.java container/tc5.5.x/webapps/docs/changelog.xml current/tc5.5.x/STATUS.txt

2008-08-14 Thread markt
Author: markt
Date: Thu Aug 14 02:32:26 2008
New Revision: 685833

URL: http://svn.apache.org/viewvc?rev=685833&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=42727
Correctly handle request lines that are exact multiples of 4096 in length.
Patch provided by Will Pugh.

Modified:

tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/connector/CoyoteReader.java
tomcat/container/tc5.5.x/webapps/docs/changelog.xml
tomcat/current/tc5.5.x/STATUS.txt

Modified: 
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/connector/CoyoteReader.java
URL: 
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/connector/CoyoteReader.java?rev=685833&r1=685832&r2=685833&view=diff
==
--- 
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/connector/CoyoteReader.java
 (original)
+++ 
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/connector/CoyoteReader.java
 Thu Aug 14 02:32:26 2008
@@ -153,7 +153,7 @@
 while ((pos < MAX_LINE_LENGTH) && (end < 0)) {
 int nRead = read(lineBuffer, pos, MAX_LINE_LENGTH - pos);
 if (nRead < 0) {
-if (pos == 0) {
+if (pos == 0 && aggregator == null) {
 return null;
 }
 end = pos;
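Review bot: this needs a regression test and a more precise changelog entry. The guard now returns null only when nothing at all has been read, i.e. pos == 0 and no earlier MAX_LINE_LENGTH-sized segments are parked in aggregator; before, a body whose length was an exact multiple of MAX_LINE_LENGTH and ended without a newline hit EOF with pos == 0 on the next pass and discarded everything in aggregator, which is the truncation reported in 42727. A test that POSTs bodies of exactly 4096 and 8192 bytes with no trailing newline would pin this down, and the log message and changelog say "request lines" where the affected path is getReader().readLine() over the request body, as the bug title states; 44060 tracks the same fix for 6.0.x and should get the same test.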

Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?rev=685833&r1=685832&r2=685833&view=diff
==
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Thu Aug 14 02:32:26 2008
@@ -110,6 +110,10 @@
 mod_jk has hung up the phone. (billbarker)
   
   
+42727: Handle request lines that are exact multiples of 4096
+in length. Patch provided by Will Pugh. (markt)
+  
+  
 43191: Compression could not be disabled for some file 
types.
 Based on a patch by Len Popp. (markt)
   

Modified: tomcat/current/tc5.5.x/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS.txt?rev=685833&r1=685832&r2=685833&view=diff
==
--- tomcat/current/tc5.5.x/STATUS.txt (original)
+++ tomcat/current/tc5.5.x/STATUS.txt Thu Aug 14 02:32:26 2008
@@ -49,13 +49,6 @@
   +1: markt, yoavs, fhanik
   -1: 
 
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=42727
-  Correctly handle request lines that are exact multiples of 4096 in length.
-  Patch provided by Will Pugh.
-  http://svn.apache.org/viewvc?rev=677759&view=rev
-  +1: markt, yoavs, fhanik
-  -1:
-
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45453
   Add required sync to race condition
   Based on a patch by Santtu Hyrkk






DO NOT REPLY [Bug 44060] This bug is a copy of bug 42727(CoyoteReader readLine returns null for some post request bodies that are a multiple of MAX_LINE_LENGTH in size). but for Tomcat Version 6

2008-08-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=44060


Bug 44060 depends on bug 42727, which changed state.

Bug 42727 Summary: CoyoteReader readLine returns null for some post request 
bodies that are a multiple of MAX_LINE_LENGTH in size
https://issues.apache.org/bugzilla/show_bug.cgi?id=42727

   What|Old Value   |New Value

 Status|NEW |RESOLVED
 Resolution||FIXED






DO NOT REPLY [Bug 42727] CoyoteReader readLine returns null for some post request bodies that are a multiple of MAX_LINE_LENGTH in size

2008-08-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=42727


Mark Thomas <[EMAIL PROTECTED]> changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||FIXED




--- Comment #6 from Mark Thomas <[EMAIL PROTECTED]>  2008-08-14 02:32:38 PST ---
This has been fixed in 5.5.x and will be included in 5.5.27 onwards.





DO NOT REPLY [Bug 45453] JDBCRealm.getRoles bad synchronization causes hangs w/ DIGEST authentication

2008-08-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45453


Mark Thomas <[EMAIL PROTECTED]> changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||FIXED




--- Comment #6 from Mark Thomas <[EMAIL PROTECTED]>  2008-08-14 02:37:32 PST ---
This has been fixed in 5.5.x and will be included in 5.5.27 onwards.





svn commit: r685835 - in /tomcat: container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java container/tc5.5.x/webapps/docs/changelog.xml current/tc5.5.x/STATUS.txt

2008-08-14 Thread markt
Author: markt
Date: Thu Aug 14 02:37:23 2008
New Revision: 685835

URL: http://svn.apache.org/viewvc?rev=685835&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45453
Add required sync to race condition
Based on a patch by Santtu Hyrkk

Modified:

tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
tomcat/container/tc5.5.x/webapps/docs/changelog.xml
tomcat/current/tc5.5.x/STATUS.txt

Modified: 
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
URL: 
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java?rev=685835&r1=685834&r2=685835&view=diff
==
--- 
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
 (original)
+++ 
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
 Thu Aug 14 02:37:23 2008
@@ -38,10 +38,11 @@
 * See the JDBCRealm.howto for more details on how to set up the database and
 * for configuration options.
 *
-* TODO - Support connection pooling (including message
-* format objects) so that authenticate(),
-* getPassword() and roles()  do not have to be
-* synchronized and would fix the ugly connection logic. 
+* For a Realm implementation that supports connection pooling and
+* doesn't require synchronisation of authenticate(),
+* getPassword(), roles() and
+* getPrincipal() or the ugly connection logic use the
+* DataSourceRealm.
 *
 * @author Craig R. McClanahan
 * @author Carson McDonald
@@ -591,7 +592,7 @@
 /**
  * Return the Principal associated with the given user name.
  */
-protected Principal getPrincipal(String username) {
+protected synchronized Principal getPrincipal(String username) {
 
 return (new GenericPrincipal(this,
  username,
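Review bot: this serialises every DIGEST authentication on the realm monitor. It does close the window in which the lookups made while constructing the GenericPrincipal ran outside the lock that the other synchronized methods hold over the realm's single connection, but a slow database now queues authentications behind one another. The Javadoc change above already points at DataSourceRealm as the way to get pooling without the lock; the changelog entry should carry the same pointer so operators who hit this under load know the alternative.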

Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?rev=685835&r1=685834&r2=685835&view=diff
==
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Thu Aug 14 02:37:23 2008
@@ -101,6 +101,10 @@
 45293: Update name of commons-logging jar in security 
policy.
 (markt)
   
+  
+45453: Fix race condition in JDBC Realm. Based on a patch
+provided by Santtu Hyrkk. (markt)
+  
 
   
   

Modified: tomcat/current/tc5.5.x/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS.txt?rev=685835&r1=685834&r2=685835&view=diff
==
--- tomcat/current/tc5.5.x/STATUS.txt (original)
+++ tomcat/current/tc5.5.x/STATUS.txt Thu Aug 14 02:37:23 2008
@@ -49,13 +49,6 @@
   +1: markt, yoavs, fhanik
   -1: 
 
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45453
-  Add required sync to race condition
-  Based on a patch by Santtu Hyrkk
-  http://svn.apache.org/viewvc?rev=680725&view=rev
-  +1: markt, yoavs, fhanik
-  -1: 
-
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45591
   NPE on start-up failure in some cases. Based on a patch by Matt Passell
   http://svn.apache.org/viewvc?rev=683982&view=rev



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



svn commit: r685828 - /tomcat/container/tc5.5.x/webapps/docs/changelog.xml

2008-08-14 Thread markt
Author: markt
Date: Thu Aug 14 02:15:19 2008
New Revision: 685828

URL: http://svn.apache.org/viewvc?rev=685828&view=rev
Log:
Add missing entry to changelog

Modified:
tomcat/container/tc5.5.x/webapps/docs/changelog.xml

Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?rev=685828&r1=685827&r2=685828&view=diff
==
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Thu Aug 14 02:15:19 2008
@@ -127,6 +127,12 @@
   
 44877: Prevent collisions in tag pool names. (markt)
   
+  
+45015: Enfore JSP spec rules on quoting in attrbutes. This 
is
+configurable using the system property
+org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING.
+(markt)
+  
 
   
   
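Review bot: two typos in the new changelog entry: "Enfore" should be "Enforce" and "attrbutes" should be "attributes". Worth fixing before release notes are generated from this file.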






svn commit: r685838 - in /tomcat/site/trunk: docs/security.html xdocs/security.xml

2008-08-14 Thread markt
Author: markt
Date: Thu Aug 14 03:07:25 2008
New Revision: 685838

URL: http://svn.apache.org/viewvc?rev=685838&view=rev
Log:
Make purpose of security mailing list even clearer. Could now just provide a 
link to this page in response to non-issue mails to the security address.

Modified:
tomcat/site/trunk/docs/security.html
tomcat/site/trunk/xdocs/security.xml

Modified: tomcat/site/trunk/docs/security.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security.html?rev=685838&r1=685837&r2=685838&view=diff
==
--- tomcat/site/trunk/docs/security.html (original)
+++ tomcat/site/trunk/docs/security.html Thu Aug 14 03:07:25 2008
@@ -262,17 +262,36 @@
 The Apache Software Foundation takes a very active stance in eliminating
security problems and denial of service attacks against Apache Tomcat.

+
 We strongly encourage folks to report such problems to our private
security mailing list first, before disclosing them in a public 
forum.
 
 
-We cannot accept regular bug reports or other queries at this
-   address, we ask that you use our bug reporting
-   page for those. All mail sent to this address that does not relate 
to
-   security problems in the Apache Tomcat source code will be ignored.
-   
+Please note that the security mailing list should only be used
+   for reporting undisclosed security vulnerabilities in Apache Tomcat and
+   managing the process of fixing such vulnerabilities. We cannot accept
+   regular bug reports or other queries at this address. All mail sent to
+   this address that does not relate to an undisclosed security problem in
+   the Apache Tomcat source code will be ignored.
 
-The mailing address is: mailto:[EMAIL PROTECTED]">
+
+If you need to report a bug that isn't an undisclosed security
+   vulnerability, please use the bug reporting
+   page.
+   
+Questions about:
+
+  how to configure Tomcat securely
+  if a vulnerability applies to your particular application
+  obtaining further information on a published vulnerability
+  availability of patches and/or new releases
+
+should be address to the users mailing list. Please see the
+   mailing lists page for details of how to
+   subscribe.
+
+The private security mailing address is:
+   mailto:[EMAIL PROTECTED]">
[EMAIL PROTECTED]
 
 
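Review bot: "should be address to the users mailing list" should read "should be addressed to". The same sentence is in the xdocs/security.xml hunk that follows; since the html is generated from the xdocs source, fix it there and regenerate rather than editing both files by hand.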

Modified: tomcat/site/trunk/xdocs/security.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security.xml?rev=685838&r1=685837&r2=685838&view=diff
==
--- tomcat/site/trunk/xdocs/security.xml (original)
+++ tomcat/site/trunk/xdocs/security.xml Thu Aug 14 03:07:25 2008
@@ -48,15 +48,34 @@
 The Apache Software Foundation takes a very active stance in eliminating
security problems and denial of service attacks against Apache Tomcat.

+
 We strongly encourage folks to report such problems to our private
security mailing list first, before disclosing them in a public 
forum.
 
-We cannot accept regular bug reports or other queries at this
-   address, we ask that you use our bug reporting
-   page for those. All mail sent to this address that does not relate 
to
-   security problems in the Apache Tomcat source code will be ignored.
-   
-The mailing address is: mailto:[EMAIL PROTECTED]">
+Please note that the security mailing list should only be used
+   for reporting undisclosed security vulnerabilities in Apache Tomcat and
+   managing the process of fixing such vulnerabilities. We cannot accept
+   regular bug reports or other queries at this address. All mail sent to
+   this address that does not relate to an undisclosed security problem in
+   the Apache Tomcat source code will be ignored.
+
+If you need to report a bug that isn't an undisclosed security
+   vulnerability, please use the bug reporting
+   page.
+   
+Questions about:
+
+  how to configure Tomcat securely
+  if a vulnerability applies to your particular application
+  obtaining further information on a published vulnerability
+  availability of patches and/or new releases
+
+should be address to the users mailing list. Please see the
+   mailing lists page for details of how to
+   subscribe.
+
+The private security mailing address is:
+   mailto:[EMAIL PROTECTED]">
[EMAIL PROTECTED]
 
 Note that all networked servers are subject to denial of service 
attacks,
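Review bot: same "should be address to" typo as in the generated html above; this is the source file, so the fix belongs here, followed by regenerating docs/security.html so the two stay in sync.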






Re: svn commit: r684559 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

2008-08-14 Thread Mark Thomas
Filip Hanik - Dev Lists wrote:
> -1: this is a misconfigured keystore. Solution is to fix the keystore.
>  The SSL-HOW-TO in tomcat is talking about this.
>  There are a few cases, in this users case, the 'tomcat' alias is
> not present
>  The keystore in this case doesn't even contain a private key
> 
> The bug report is invalid, the tomcat documentation talks how to get
> around this
> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
> 
> Infinite loop is bad, but if we need to validate the keystore, lets
> validate the keystore, doing it in the accept() call is not the correct
> solution.
> not even if it is the main accept loop

The alias isn't the problem. When I tested this with an invalid password,
as per the OP's report, I couldn't reproduce it. The only way I could
reproduce it was to take a valid, working SSL configuration and set a value
for the ciphers attribute that was not compatible with the certificate
Tomcat was using.

The test is done in the init() for the connector.

The reason I used an accept() was it was the only way I could find to
detect the problem. You could catch the exception in the main accept() loop
once the connector has started but you'll see the same exception if the
handshake fails between the client and the server. The only way of
differentiating would be by looking for keywords in the exception message
but that opens up all sorts of i18n issues.

There must be a way to test cert/cipher compatibility without opening a
socket but I couldn't find it when I looked. I'll take another look at the
javax.net.ssl API but if anyone has any bright ideas please, let me know.

Mark

> 
> Filip
> 
> 
> [EMAIL PROTECTED] wrote:
>> Author: markt
>> Date: Sun Aug 10 10:24:51 2008
>> New Revision: 684559
>>
>> URL: http://svn.apache.org/viewvc?rev=684559&view=rev
>> Log:
>> Fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=45528. Test
>> the SSL socket before returning it to make sure the specified
>> certificate will work with the specified ciphers.
>>
>> Modified:
>>
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>
>> Modified:
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=684559&r1=684558&r2=684559&view=diff
>>
>> ==
>>
>> ---
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>> (original)
>> +++
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>> Sun Aug 10 10:24:51 2008
>> @@ -26,6 +26,7 @@
>>  import java.net.ServerSocket;
>>  import java.net.Socket;
>>  import java.net.SocketException;
>> +import java.net.SocketTimeoutException;
>>  import java.security.KeyStore;
>>  import java.security.SecureRandom;
>>  import java.security.cert.CRL;
>> @@ -692,7 +693,7 @@
>>   * Configures the given SSL server socket with the requested
>> cipher suites,
>>   * protocol versions, and need for client authentication
>>   */
>> -private void initServerSocket(ServerSocket ssocket) {
>> +private void initServerSocket(ServerSocket ssocket) throws
>> IOException {
>>  
>>  SSLServerSocket socket = (SSLServerSocket) ssocket;
>>  
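Review bot: initServerSocket() now declares IOException, so every caller has to propagate or handle it; the intent is that an SSLException from the new check aborts connector start-up instead of being swallowed, so make sure no caller catches IOException and carries on, or the logging loop this targets would return.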
>> @@ -704,9 +705,48 @@
>>  setEnabledProtocols(socket, getEnabledProtocols(socket,
>>  
>> requestedProtocols));
>>  
>> +// Check the SSL config is OK
>> +checkSocket(ssocket);
>> +
>>  // we don't know if client auth is needed -
>>  // after parsing the request we may re-handshake
>>  configureClientAuth(socket);
>>  }
>>  
>> +/**
>> + * Checks that the cetificate is compatible with the enabled
>> cipher suites.
>> + * If we don't check now, the JIoEndpoint can enter a nasty
>> logging loop.
>> + * See bug 45528.
>> + */
>> +private void checkSocket(ServerSocket socket) throws IOException {
>> +int timeout = socket.getSoTimeout();
>> ++socket.setSoTimeout(1);
>> +Socket s = null;
>> +try {
>> +s = socket.accept();
>> +// No expecting to get here but if we do, at least we
>> know things
>> +// are working.
>> +} catch (SSLException ssle) {
>> +// Cert doesn't match ciphers
>> +IOException ioe =
>> +new IOException("Certificate / cipher mismatch");
>> +ioe.initCause(ssle);
>> +throw ioe;
>> +} catch (SocketTimeoutException ste) {
>> +// Expected - do nothing
>> +} finally {
>> +// In case we actually got a connection - close it.
>> +if (s != null) {
>> +try {
>> +s.close();
>> +} catch (IOException ioe) {
>> +// Ignore
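Review bot: every SSLException from accept() is reported as "Certificate / cipher mismatch", which over-states what the test knows; a more general message that includes ssle.getMessage() would help an administrator diagnose other SSL configuration problems caught here. Also "cetificate" in the Javadoc should be "certificate", and "No expecting" should be "Not expecting".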
>> 

Re: svn commit: r684559 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

2008-08-14 Thread Mark Thomas
Filip Hanik - Dev Lists wrote:
> the check would be as simple as
> 
> 
> boolean b = keystore.isKeyEntry(alias);

It would be if the alias was the problem. Unfortunately it isn't. See my
longer mail on the subject.

Mark

> 
> Filip
> 
> 
> Filip Hanik - Dev Lists wrote:
>> -1: this is a misconfigured keystore. Solution is to fix the keystore.
>>  The SSL-HOW-TO in tomcat is talking about this.
>>  There are a few cases, in this users case, the 'tomcat' alias is
>> not present
>>  The keystore in this case doesn't even contain a private key
>>
>> The bug report is invalid, the tomcat documentation talks how to get
>> around this
>> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
>>
>> Infinite loop is bad, but if we need to validate the keystore, lets
>> validate the keystore, doing it in the accept() call is not the
>> correct solution.
>> not even if it is the main accept loop
>>
>> Filip
>>
>>
>> [EMAIL PROTECTED] wrote:
>>> Author: markt
>>> Date: Sun Aug 10 10:24:51 2008
>>> New Revision: 684559
>>>
>>> URL: http://svn.apache.org/viewvc?rev=684559&view=rev
>>> Log:
>>> Fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=45528.
>>> Test the SSL socket before returning it to make sure the specified
>>> certificate will work with the specified ciphers.
>>>
>>> Modified:
>>>
>>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>>
>>> Modified:
>>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>> URL:
>>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=684559&r1=684558&r2=684559&view=diff
>>>
>>> ==
>>>
>>> ---
>>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>> (original)
>>> +++
>>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>> Sun Aug 10 10:24:51 2008
>>> @@ -26,6 +26,7 @@
>>>  import java.net.ServerSocket;
>>>  import java.net.Socket;
>>>  import java.net.SocketException;
>>> +import java.net.SocketTimeoutException;
>>>  import java.security.KeyStore;
>>>  import java.security.SecureRandom;
>>>  import java.security.cert.CRL;
>>> @@ -692,7 +693,7 @@
>>>   * Configures the given SSL server socket with the requested
>>> cipher suites,
>>>   * protocol versions, and need for client authentication
>>>   */
>>> -private void initServerSocket(ServerSocket ssocket) {
>>> +private void initServerSocket(ServerSocket ssocket) throws
>>> IOException {
>>>  
>>>  SSLServerSocket socket = (SSLServerSocket) ssocket;
>>>  
>>> @@ -704,9 +705,48 @@
>>>  setEnabledProtocols(socket, getEnabledProtocols(socket,
>>>  
>>> requestedProtocols));
>>>  
>>> +// Check the SSL config is OK
>>> +checkSocket(ssocket);
>>> +
>>>  // we don't know if client auth is needed -
>>>  // after parsing the request we may re-handshake
>>>  configureClientAuth(socket);
>>>  }
>>>  
>>> +/**
>>> + * Checks that the cetificate is compatible with the enabled
>>> cipher suites.
>>> + * If we don't check now, the JIoEndpoint can enter a nasty
>>> logging loop.
>>> + * See bug 45528.
>>> + */
>>> +private void checkSocket(ServerSocket socket) throws IOException {
>>> +int timeout = socket.getSoTimeout();
>>> ++socket.setSoTimeout(1);
>>> +Socket s = null;
>>> +try {
>>> +s = socket.accept();
>>> +// No expecting to get here but if we do, at least we
>>> know things
>>> +// are working.
>>> +} catch (SSLException ssle) {
>>> +// Cert doesn't match ciphers
>>> +IOException ioe =
>>> +new IOException("Certificate / cipher mismatch");
>>> +ioe.initCause(ssle);
>>> +throw ioe;
>>> +} catch (SocketTimeoutException ste) {
>>> +// Expected - do nothing
>>> +} finally {
>>> +// In case we actually got a connection - close it.
>>> +if (s != null) {
>>> +try {
>>> +s.close();
>>> +} catch (IOException ioe) {
>>> +// Ignore
>>> +}
>>> +}
>>> +// Reset the timeout
>>> +socket.setSoTimeout(timeout);
>>> +}
>>> ++}
>>>  }
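Review bot: the check relies on the JSSE provider validating the enabled suites against the available keys inside accept() itself, before any client connects; a provider that only discovers the mismatch during a handshake would pass this 1 ms accept() silently, so the Javadoc should state that assumption. Two smaller points: a client that happens to connect within the window is accepted and closed without a handshake, which is acceptable once at start-up but worth a comment; and as quoted here "++socket.setSoTimeout(1);" and "++}" would not compile, presumably a blank "+" line merged with the next during quoting, so confirm the committed revision reads as intended.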
>>>
>>>
>>>
>>> -
>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>>
>>>
>>>   
>>
>>
> 
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 




DO NOT REPLY [Bug 45528] Tomcat 6 fails to detect a matching certificate and stuck in an infinite loop

2008-08-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45528





--- Comment #4 from Mark Thomas <[EMAIL PROTECTED]>  2008-08-14 03:41:12 PST ---
For the record, neither the alias nor the password appears to be the problem.
The only way I could reproduce the loop of log messages was to take a valid,
working SSL configuration and set a value for the ciphers attribute that was
not compatible with the certificate Tomcat was using.


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.




svn commit: r685843 - /tomcat/tc6.0.x/trunk/STATUS.txt

2008-08-14 Thread markt
Author: markt
Date: Thu Aug 14 03:45:13 2008
New Revision: 685843

URL: http://svn.apache.org/viewvc?rev=685843&view=rev
Log:
Respond to Filip's -1.

Modified:
tomcat/tc6.0.x/trunk/STATUS.txt

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=685843&r1=685842&r2=685843&view=diff
==
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Aug 14 03:45:13 2008
@@ -91,6 +91,12 @@
that can be checked very easily
http://www.exampledepot.com/egs/java.security/ListAliases.html
Furthermore SSL-HOWTO in Tomcat, mentions this problem
+ - Whilst this might cause the logging loop (and I agree it is
+   easily checked), the only time I saw the logging loop was when
+   the certificate and the ciphers were not compatible. I could not
+   see anywhere in the javax.net.ssl API that would let me check
+   this. Opening a socket (which throws an excpetion in this case)
+   appears to be the only way to detect it.
 
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45608
   Prevent race condition for allocate/deallocate in StandardWrapper
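Review bot: "excpetion" should be "exception"; while editing, naming the exception type the response relies on (the SSLException thrown by accept()) would let the other voters check the argument, since the whole justification for testing in accept() rests on it.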






svn commit: r685845 - /tomcat/current/tc5.5.x/STATUS.txt

2008-08-14 Thread markt
Author: markt
Date: Thu Aug 14 03:47:38 2008
New Revision: 685845

URL: http://svn.apache.org/viewvc?rev=685845&view=rev
Log:
Respond to Filip's -1

Modified:
tomcat/current/tc5.5.x/STATUS.txt

Modified: tomcat/current/tc5.5.x/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS.txt?rev=685845&r1=685844&r2=685845&view=diff
==
--- tomcat/current/tc5.5.x/STATUS.txt (original)
+++ tomcat/current/tc5.5.x/STATUS.txt Thu Aug 14 03:47:38 2008
@@ -88,3 +88,7 @@
   The SSL-HOW-TO in tomcat is talking about this.
   There are a few cases, in this users case, the 'tomcat' alias is not 
present
   The keystore in this case doesn't even contain a private key
+  markt - This isn't an missing alias / private key issue. It is a cipher /
+  private key compatibility issue. I have updated the bug entry to
+  make this clearer.
+
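Review bot: "This isn't an missing alias / private key issue" should read "a missing". The entry would also help later readers if it recorded the reproduction (a valid, working SSL configuration plus a ciphers attribute incompatible with the certificate), which is what bug 45528 comment 4 states.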






Re: svn commit: r684559 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

2008-08-14 Thread Mark Thomas
Mark Thomas wrote:
> There must be a way to test cert/cipher compatibility without opening a
> socket but I couldn't find it when I looked. I'll take another look at the
> javax.net.ssl API but if anyone has any bright ideas please, let me know.

SSLEngine looks promising. I'll see if I can modify the patch to use this
instead.

Mark





Re: 5.5.27

2008-08-14 Thread Yoav Shapira
On Thu, Aug 14, 2008 at 12:33 AM, Filip Hanik - Dev Lists
<[EMAIL PROTECTED]> wrote:
> How about cutting a release candidate on Monday, Aug 18th and if all is
> well, have a release towards end of next week?

+1.

Yoav




DO NOT REPLY [Bug 45632] New: HttpOnly Cookie support in 6.0.18

2008-08-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45632

   Summary: HttpOnly Cookie support in 6.0.18
   Product: Tomcat 6
   Version: unspecified
  Platform: PC
OS/Version: Windows XP
Status: NEW
  Severity: normal
  Priority: P2
 Component: Servlet & JSP API
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


We are seeing a different behavior in the cookie support between Tomcat version
6.0.14 and 6.0.18. The following code worked in 6.0.14 but not in 6.0.18.

Is there an explanation or is there a work around?

import javax.servlet.http.Cookie;

// inside a servlet, with the HttpServletResponse 'response' in scope
String sessionId = "Our Session ID";
String cookieValue = sessionId + "; Path=/; HttpOnly ";   // attribute text placed in the cookie value
Cookie cookie = new Cookie("sessionId", cookieValue);
cookie.setVersion(1);
response.addCookie(cookie);


Thanks,
Kal


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.




Re: svn commit: r684559 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

2008-08-14 Thread Konstantin Kolinko
Hi,

I, personally, somehow like the idea of testing accept() before entering
the main loop. Although it looks more like an enhancement than a fix
for some specific bug.

((Am I right, that this code of  JSSESocketFactory.createSocket() /
initServerSocket() is executed only once, i.e. there is only one
ServerSocket per connector? Have no experience there.))

But an obvious issue: the exception message is too specific. It
does not match the test. There might be some other errors that
will be caught by the test.

Maybe some more general message would be better. E.g.:

new IOException("SSL configuration is invalid: accept() test failed.
See SSL-HOWTO for details.");

Also, s/cetificate/certificate/ in the JavaDoc.

Regarding the original issue:
I see that SSLServerSocket has a family of getSupported**() methods
(getSupportedProtocols(), getSupportedCipherSuites()). Are they of
any help here?

Best regards,
Konstantin Kolinko

2008/8/14 Mark Thomas <[EMAIL PROTECTED]>:
> Mark Thomas wrote:
>> There must be a way to test cert/cipher compatibility without opening a
>> socket but I couldn't find it when I looked. I'll take another look at the
>> javax.net.ssl API but if anyone has any bright ideas please, let me know.
>
> SSLEngine looks promising. I'll see if I can modify the patch to use this
> instead.
>
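Mark is looking for a way to test certificate/cipher compatibility without opening a socket, and Konstantin asks whether the getSupported*() methods help. As an added example (not Tomcat code, and not the fix that was later committed for bug 45528), the following class checks each enabled cipher suite against the X509KeyManager built from the keystore, which is the component JSSE consults when it picks a server key for a suite; if chooseServerAlias() returns null for the key type a suite needs, that suite can never be negotiated. The class name, its methods, and the suite-name to key-type mapping are assumptions of this example; the mapping follows the JSSE naming convention (RSA, DSS, ECDSA, ECDH, anon) rather than any documented API.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Added example, not Tomcat code: reports enabled cipher suites that the
 * server could never negotiate because the keystore holds no private key of
 * the type they need. It asks the X509KeyManager the same question JSSE asks
 * when it picks a server certificate, so no socket is bound or accepted.
 * The suite-name to key-type mapping is a heuristic assumed by this example.
 */
public class CipherSuiteKeyCheck {

    /** Key type a server needs for the suite, or null if nothing can be checked. */
    static String requiredKeyType(String suite) {
        if (suite.contains("_anon_")) {
            return null;            // anonymous DH/ECDH: no server certificate at all
        }
        if (suite.contains("_ECDH_")) {
            return "EC";            // static ECDH: the server key itself is an EC key
        }
        if (suite.contains("_ECDSA_")) {
            return "EC";            // ECDHE_ECDSA: EC signing key
        }
        if (suite.contains("_DSS_")) {
            return "DSA";           // DHE_DSS: DSA signing key
        }
        if (suite.contains("_RSA_")) {
            return "RSA";           // RSA, DHE_RSA, ECDHE_RSA: RSA key
        }
        return null;                // unrecognised naming: leave it to the provider
    }

    /** Enabled suites for which the key manager cannot supply a server key. */
    static List<String> findUnservableSuites(X509KeyManager km, String[] enabledSuites) {
        List<String> unservable = new ArrayList<String>();
        for (String suite : enabledSuites) {
            String keyType = requiredKeyType(suite);
            if (keyType == null) {
                continue;
            }
            // chooseServerAlias returns null when no key entry of that type exists;
            // null issuers and socket mean "any issuer, not tied to a connection".
            if (km.chooseServerAlias(keyType, null, null) == null) {
                unservable.add(suite);
            }
        }
        return unservable;
    }

    /** Loads the keystore and returns the X509KeyManager JSSE would use for it. */
    static X509KeyManager loadKeyManager(String path, char[] storePass, char[] keyPass)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, storePass);
        } finally {
            in.close();
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return (X509KeyManager) km;
            }
        }
        throw new GeneralSecurityException("provider returned no X509KeyManager");
    }

    /** Usage: java CipherSuiteKeyCheck keystore.jks password [suite ...] */
    public static void main(String[] args) throws Exception {
        char[] password = args[1].toCharArray();    // keystore and key password assumed equal
        X509KeyManager km = loadKeyManager(args[0], password, password);
        String[] suites;
        if (args.length > 2) {
            suites = new String[args.length - 2];
            System.arraycopy(args, 2, suites, 0, suites.length);
        } else {
            // same default set a JSSE SSLServerSocket would start with
            suites = ((SSLServerSocketFactory) SSLServerSocketFactory.getDefault())
                    .getDefaultCipherSuites();
        }
        List<String> bad = findUnservableSuites(km, suites);
        if (bad.isEmpty()) {
            System.out.println("OK: a server key exists for all " + suites.length + " suites");
        } else {
            System.out.println("no matching private key for: " + bad);
            System.exit(1);     // fail start-up here instead of looping in the accept loop
        }
    }
}
```

Run against a keystore with the suites from the connector's ciphers attribute (for example a keystore holding only an RSA key together with TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA) to see the suite reported. The check covers the case Mark describes, a key type that none of the enabled suites can use, but it does not replace the provider's own validation: suites it cannot classify are skipped, and it says nothing about protocol versions or about a client's offered suites.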




Re: svn commit: r685823 - in /tomcat: container/tc5.5.x/webapps/docs/config/systemprops.xml current/tc5.5.x/STATUS.txt jasper/tc5.5.x/src/share/org/apache/jasper/compiler/Parser.java jasper/tc5.5.x/sr

2008-08-14 Thread Konstantin Kolinko
s/escpaing/escaping/ in systemprops.xml


2008/8/14  <[EMAIL PROTECTED]>:
> Author: markt
> Date: Thu Aug 14 02:04:26 2008
> New Revision: 685823
>
> URL: http://svn.apache.org/viewvc?rev=685823&view=rev
> Log:
> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45015
> You can't use an unescaped quote if you quote the value with that character
>
> Modified:
>tomcat/container/tc5.5.x/webapps/docs/config/systemprops.xml
>tomcat/current/tc5.5.x/STATUS.txt
>tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/compiler/Parser.java
>
> tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/resources/LocalStrings.properties
>
> Modified: tomcat/container/tc5.5.x/webapps/docs/config/systemprops.xml
> URL: 
> http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/config/systemprops.xml?rev=685823&r1=685822&r2=685823&view=diff
> ==
> --- tomcat/container/tc5.5.x/webapps/docs/config/systemprops.xml (original)
> +++ tomcat/container/tc5.5.x/webapps/docs/config/systemprops.xml Thu Aug 14 
> 02:04:26 2008
> @@ -38,6 +38,13 @@
>  
>   
>
> +   
> + If false the requirements for escpaing quotes in JSP
> +  attributes will be relaxed so that a missing required quote will not
> +  cause an error. If not specified, the specification compliant default 
> of
> +  true will be used.
> +
> +
> 
>   If true, any tag buffer that expands beyond
>   org.apache.jasper.Constants.DEFAULT_TAG_BUFFER_SIZE will be
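Review bot: besides "escpaing" (already flagged in the reply above), the description says a "missing required quote" will not cause an error, but the Parser.java hunk rejects an unescaped quote character inside a value delimited by that same character; "an unescaped quote will not cause an error" describes the relaxed behaviour accurately and should replace "a missing required quote".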
>
> Modified: tomcat/current/tc5.5.x/STATUS.txt
> URL: 
> http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS.txt?rev=685823&r1=685822&r2=685823&view=diff
> ==
> --- tomcat/current/tc5.5.x/STATUS.txt (original)
> +++ tomcat/current/tc5.5.x/STATUS.txt Thu Aug 14 02:04:26 2008
> @@ -49,13 +49,6 @@
>   +1: markt, yoavs, fhanik
>   -1:
>
> -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45015
> -  You can't use an unescaped quote if you quote the value with that character
> -  http://svn.apache.org/viewvc?rev=657231&view=rev
> -  http://svn.apache.org/viewvc?rev=670074&view=rev
> -  +1: markt, yoavs, fhanik
> -  -1:
> -
>  * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45195
>   NPE when calling getAttribute(null). The spec is unclear but this
>   is a regression from 5.0.x Also avoid NPE on remove
>
> Modified: 
> tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/compiler/Parser.java
> URL: 
> http://svn.apache.org/viewvc/tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/compiler/Parser.java?rev=685823&r1=685822&r2=685823&view=diff
> ==
> --- tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/compiler/Parser.java 
> (original)
> +++ tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/compiler/Parser.java 
> Thu Aug 14 02:04:26 2008
> @@ -67,6 +67,11 @@
> private static final String JAVAX_BODY_CONTENT_TEMPLATE_TEXT =
> "JAVAX_BODY_CONTENT_TEMPLATE_TEXT";
>
> +private static final boolean STRICT_QUOTE_ESCAPING = Boolean.valueOf(
> +System.getProperty(
> +
> "org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING",
> +"true")).booleanValue();
> +
> /**
>  * The constructor
>  */
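Review bot: STRICT_QUOTE_ESCAPING is read once in a static initializer, so it is JVM-wide and fixed at class-load time; the property must be set on the command line (or before Jasper is first used), and a later System.setProperty() has no effect. That is worth stating in systemprops.xml, together with the point that the default of true is the spec-compliant behaviour, so only installations with legacy JSPs should relax it.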
> @@ -242,7 +247,8 @@
> err.jspError(start, "jsp.error.attribute.unterminated", watch);
> }
>
> -String ret = parseQuoted(reader.getText(start, stop));
> +String ret = parseQuoted(start, reader.getText(start, stop),
> +watch.charAt(watch.length() - 1));
> if (watch.length() == 1)// quote
> return ret;
>
> @@ -261,7 +267,8 @@
>  *| '\$'
>  *| Char
>  */
> -private String parseQuoted(String tx) {
> +private String parseQuoted(Mark start, String tx, char quote)
> +throws JasperException {
> StringBuffer buf = new StringBuffer();
> int size = tx.length();
> int i = 0;
> @@ -295,6 +302,10 @@
> buf.append('\\');
> ++i;
> }
> +} else if (ch == quote && STRICT_QUOTE_ESCAPING) {
> +// Unescaped quote character
> +err.jspError(start, "jsp.error.attribute.noescape", tx,
> +"" + quote);
> } else {
> buf.append(ch);
> ++i;
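Review bot: the new branch does not advance i, so it is correct only because err.jspError() always throws (the added "throws JasperException" on parseQuoted suggests it does); if jspError ever merely logged, the loop would re-examine the same character forever. A comment stating that jspError never returns would make that dependency explicit. With STRICT_QUOTE_ESCAPING false the unescaped quote falls through to the else branch and is appended, which preserves the old relaxed behaviour.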
>
> Modified: 
> tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/resources/LocalStrings.properties
> URL: 
> http://svn.apache.org/viewvc/tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/resources/LocalStrings.properties?rev=685823&r1=685822&r2=685823&view=diff
> ==
> --- 
> tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/resources/LocalStrings.propertie

DO NOT REPLY [Bug 45632] HttpOnly Cookie support in 6.0.18

2008-08-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45632


Mark Thomas <[EMAIL PROTECTED]> changed:

        What    |Removed |Added
      Status    |NEW     |RESOLVED
  Resolution    |        |INVALID




--- Comment #1 from Mark Thomas <[EMAIL PROTECTED]>  2008-08-14 06:11:19 PST ---
You can't do that. Tomcat will escape the ; in your cookie value.

You'll need to set the whole cookie header directly.

HttpOnly support is on the todo list for 6.0.x.


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.
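Mark's answer is to set the whole cookie header directly. As an added example (not Tomcat code, and not something the bug thread contains), the helper below does that on a Servlet 2.5 API, where javax.servlet.http.Cookie has no way to express HttpOnly, while rejecting the characters that would let a caller inject further attributes or a second header through the value, which is the reason Tomcat escapes the ";" in the first place. HttpOnlyCookies, buildSetCookie, addHttpOnlyCookie and requireSafe are names invented here.

```java
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not Tomcat code: emits a Set-Cookie header carrying HttpOnly
 * on a Servlet 2.5 container, where javax.servlet.http.Cookie cannot express
 * the attribute. The class and method names are invented for this example.
 */
public final class HttpOnlyCookies {

    private HttpOnlyCookies() {
    }

    /**
     * Builds the raw header value. Name, value and path are validated first:
     * a ';' or a control character in any of them would let a caller inject
     * further attributes or another header, which is exactly what Tomcat's
     * escaping of ';' in Cookie values prevents.
     */
    static String buildSetCookie(String name, String value, String path,
            boolean secure) {
        requireSafe(name, "name", "()<>@,;:\\\"/[]?={}");
        requireSafe(value, "value", ";,\\\"");
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (path != null && path.length() > 0) {
            requireSafe(path, "path", ";");
            sb.append("; Path=").append(path);
        }
        if (secure) {
            sb.append("; Secure");      // only ever sent over TLS
        }
        sb.append("; HttpOnly");        // not readable from document.cookie
        return sb.toString();
    }

    /** Adds the cookie without disturbing other Set-Cookie headers on the response. */
    static void addHttpOnlyCookie(HttpServletResponse response, String name,
            String value, String path, boolean secure) {
        response.addHeader("Set-Cookie", buildSetCookie(name, value, path, secure));
    }

    /** Rejects control characters, whitespace, non-ASCII and the given separators. */
    private static void requireSafe(String s, String what, String forbidden) {
        if (s == null || s.length() == 0) {
            throw new IllegalArgumentException("cookie " + what + " is empty");
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x21 || c > 0x7e || forbidden.indexOf(c) >= 0) {
                throw new IllegalArgumentException(
                        "cookie " + what + " contains an illegal character at index " + i);
            }
        }
    }
}
```

From a servlet this is called as addHttpOnlyCookie(response, "sessionId", sessionId, "/", request.isSecure()). The value must be in token form (the reporter's "Our Session ID" contains spaces and is rejected), which is what a session identifier should look like anyway; addHeader rather than setHeader is used so that a Set-Cookie header already added by the container is not overwritten.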




Re: svn commit: r685838 - in /tomcat/site/trunk: docs/security.html xdocs/security.xml

2008-08-14 Thread William A. Rowe, Jr.

I love the way you phrased this, httpd should steal this for our site :)

Bill

[EMAIL PROTECTED] wrote:

Author: markt
Date: Thu Aug 14 03:07:25 2008
New Revision: 685838

URL: http://svn.apache.org/viewvc?rev=685838&view=rev
Log:
Make purpose of security mailing list even clearer. Could now just provide a 
link to this page in response to non-issue mails to the security address.

Modified:
tomcat/site/trunk/docs/security.html
tomcat/site/trunk/xdocs/security.xml

Modified: tomcat/site/trunk/docs/security.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security.html?rev=685838&r1=685837&r2=685838&view=diff
==
--- tomcat/site/trunk/docs/security.html (original)
+++ tomcat/site/trunk/docs/security.html Thu Aug 14 03:07:25 2008
@@ -262,17 +262,36 @@
 The Apache Software Foundation takes a very active stance in eliminating
security problems and denial of service attacks against Apache Tomcat.

+
 We strongly encourage folks to report such problems to our private
security mailing list first, before disclosing them in a public 
forum.
 
 

-We cannot accept regular bug reports or other queries at this
-   address, we ask that you use our bug reporting
-   page for those. All mail sent to this address that does not relate 
to
-   security problems in the Apache Tomcat source code will be ignored.
-   
+Please note that the security mailing list should only be used
+   for reporting undisclosed security vulnerabilities in Apache Tomcat and
+   managing the process of fixing such vulnerabilities. We cannot accept
+   regular bug reports or other queries at this address. All mail sent to
+   this address that does not relate to an undisclosed security problem in
+   the Apache Tomcat source code will be ignored.
 
-The mailing address is: mailto:[EMAIL PROTECTED]">
+
+If you need to report a bug that isn't an undisclosed security
+   vulnerability, please use the bug reporting
+   page.
+   
+Questions about:

+
+  how to configure Tomcat securely
+  if a vulnerability applies to your particular application
+  obtaining further information on a published vulnerability
+  availability of patches and/or new releases
+
+should be address to the users mailing list. Please see the
+   mailing lists page for details of how to
+   subscribe.
+
+The private security mailing address is:

+   mailto:[EMAIL PROTECTED]">
[EMAIL PROTECTED]
 
 


Modified: tomcat/site/trunk/xdocs/security.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security.xml?rev=685838&r1=685837&r2=685838&view=diff
==
--- tomcat/site/trunk/xdocs/security.xml (original)
+++ tomcat/site/trunk/xdocs/security.xml Thu Aug 14 03:07:25 2008
@@ -48,15 +48,34 @@
 The Apache Software Foundation takes a very active stance in eliminating
security problems and denial of service attacks against Apache Tomcat.

+
 We strongly encourage folks to report such problems to our private
security mailing list first, before disclosing them in a public 
forum.
 
-We cannot accept regular bug reports or other queries at this

-   address, we ask that you use our bug reporting
-   page for those. All mail sent to this address that does not relate 
to
-   security problems in the Apache Tomcat source code will be ignored.
-   
-The mailing address is: mailto:[EMAIL PROTECTED]">
+Please note that the security mailing list should only be used
+   for reporting undisclosed security vulnerabilities in Apache Tomcat and
+   managing the process of fixing such vulnerabilities. We cannot accept
+   regular bug reports or other queries at this address. All mail sent to
+   this address that does not relate to an undisclosed security problem in
+   the Apache Tomcat source code will be ignored.
+
+If you need to report a bug that isn't an undisclosed security
+   vulnerability, please use the bug reporting
+   page.
+   
+Questions about:

+
+  how to configure Tomcat securely
+  if a vulnerability applies to your particular application
+  obtaining further information on a published vulnerability
+  availability of patches and/or new releases
+
+should be address to the users mailing list. Please see the
+   mailing lists page for details of how to
+   subscribe.
+
+The private security mailing address is:

+   mailto:[EMAIL PROTECTED]">
[EMAIL PROTECTED]
 
 Note that all networked servers are subject to denial of service attacks,







svn commit: r685981 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

2008-08-14 Thread markt
Author: markt
Date: Thu Aug 14 11:11:28 2008
New Revision: 685981

URL: http://svn.apache.org/viewvc?rev=685981&view=rev
Log:
Revert the previous fix. Filip has suggested an alternative approach that 
should address the various objections. New patch will follow in the next few 
days.

Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=685981&r1=685980&r2=685981&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
Thu Aug 14 11:11:28 2008
@@ -26,7 +26,6 @@
 import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.SocketException;
-import java.net.SocketTimeoutException;
 import java.security.KeyStore;
 import java.security.SecureRandom;
 import java.security.cert.CRL;
@@ -693,7 +692,7 @@
  * Configures the given SSL server socket with the requested cipher suites,
  * protocol versions, and need for client authentication
  */
-private void initServerSocket(ServerSocket ssocket) throws IOException {
+private void initServerSocket(ServerSocket ssocket) {
 
 SSLServerSocket socket = (SSLServerSocket) ssocket;
 
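Review bot: dropping `throws IOException` from `initServerSocket(ServerSocket ssocket)` changes the method's checked-exception contract; any caller that wrapped the call in `try { ... } catch (IOException e)` solely for this method will no longer compile (Java rejects catching a checked exception the try block cannot throw), and a subclass override that still declares `throws IOException` will also break. The callers and overrides in this class hierarchy need the matching update in the same revision.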
@@ -705,48 +704,9 @@
 setEnabledProtocols(socket, getEnabledProtocols(socket, 
  requestedProtocols));
 
-// Check the SSL config is OK
-checkSocket(ssocket);
-
 // we don't know if client auth is needed -
 // after parsing the request we may re-handshake
 configureClientAuth(socket);
 }
 
-/**
- * Checks that the cetificate is compatible with the enabled cipher suites.
- * If we don't check now, the JIoEndpoint can enter a nasty logging loop.
- * See bug 45528.
- */
-private void checkSocket(ServerSocket socket) throws IOException {
-int timeout = socket.getSoTimeout();
-
-socket.setSoTimeout(1);
-Socket s = null;
-try {
-s = socket.accept();
-// No expecting to get here but if we do, at least we know things
-// are working.
-} catch (SSLException ssle) {
-// Cert doesn't match ciphers
-IOException ioe =
-new IOException("Certificate / cipher mismatch");
-ioe.initCause(ssle);
-throw ioe;
-} catch (SocketTimeoutException ste) {
-// Expected - do nothing
-} finally {
-// In case we actually got a connection - close it.
-if (s != null) {
-try {
-s.close();
-} catch (IOException ioe) {
-// Ignore
-}
-}
-// Reset the timeout
-socket.setSoTimeout(timeout);
-}
-
-}
 }
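Review bot: with `checkSocket` removed, a keystore whose certificate is incompatible with the enabled cipher suites again reaches `configureClientAuth(socket)` unchecked, and the JIoEndpoint logging loop from bug 45528 returns until the follow-up patch lands. A one-line comment referencing bug 45528 next to the `setEnabledProtocols(...)` call would keep that known gap visible to anyone reading this revision in the meantime.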






svn commit: r685982 - in /tomcat: current/tc5.5.x/STATUS.txt tc6.0.x/trunk/STATUS.txt

2008-08-14 Thread markt
Author: markt
Date: Thu Aug 14 11:14:19 2008
New Revision: 685982

URL: http://svn.apache.org/viewvc?rev=685982&view=rev
Log:
Withdraw proposal since a better fix is on the way.

Modified:
tomcat/current/tc5.5.x/STATUS.txt
tomcat/tc6.0.x/trunk/STATUS.txt

Modified: tomcat/current/tc5.5.x/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS.txt?rev=685982&r1=685981&r2=685982&view=diff
==
--- tomcat/current/tc5.5.x/STATUS.txt (original)
+++ tomcat/current/tc5.5.x/STATUS.txt Thu Aug 14 11:14:19 2008
@@ -79,16 +79,3 @@
   https://issues.apache.org/bugzilla/show_bug.cgi?id=41407
   +1: markt, fhanik
   -1: 
-
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45528
-  Test the SSL socket for cert/cipher compatibility before returning it
-  http://svn.apache.org/viewvc?rev=684559&view=rev
-  +1: markt
-  -1: fhanik - this is a misconfigured keystore. Solution is to fix the 
keystore.
-  The SSL-HOW-TO in tomcat is talking about this.
-  There are a few cases, in this users case, the 'tomcat' alias is not 
present
-  The keystore in this case doesn't even contain a private key
-  markt - This isn't an missing alias / private key issue. It is a cipher /
-  private key compatibility issue. I have updated the bug entry to
-  make this clearer.
-
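Review bot: withdrawing the entry also removes markt's clarification that bug 45528 is a cipher / private-key compatibility issue rather than a missing alias or private key, which was the basis for the -1. Since the next proposal will need that distinction, a one-line pointer to the bug entry (where the same clarification was recorded) would avoid reopening the argument from scratch.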

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=685982&r1=685981&r2=685982&view=diff
==
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Aug 14 11:14:19 2008
@@ -78,27 +78,7 @@
   -1: 
0: funkman -  I see the bug URL twice with no patch
 
- 
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45528
-  Test the SSL socket for cert/cipher compatibility before returning it
-  http://svn.apache.org/viewvc?rev=684559&view=rev
-  +1: markt
-   0: remm: It does look like a hack indeed, but it detects the problem
-  -1: billbarker The patch is horrible, since it drops connections for no good 
reason, simply to 
- protect against a totally brain-dead miss-configurations.  If 
the check is moved into
- the main except loop, then I can go for -0.
-  -1: fhanik - the problem in the bug is obvious, the keystore doesn't contain 
any private keys
-   that can be checked very easily
-   http://www.exampledepot.com/egs/java.security/ListAliases.html
-   Furthermore SSL-HOWTO in Tomcat, mentions this problem
- - Whilst this might cause the logging loop (and I agree it is
-   easily checked), the only time I saw the logging loop was when
-   the certificate and the ciphers were not compatible. I could not
-   see anywhere in the javax.net.ssl API that would let me check
-   this. Opening a socket (which throws an excpetion in this case)
-   appears to be the only way to detect it.
-
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45608
+ * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45608
   Prevent race condition for allocate/deallocate in StandardWrapper
   http://svn.apache.org/viewvc?rev=685177&view=rev
   +1: markt
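Review bot: the replacement line `+ * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45608` gains a leading space that the line it replaces (`-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45608`) and the other entries in the file do not have; drop the space so the entry keeps the file's existing indentation.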






Re: svn commit: r685981 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

2008-08-14 Thread William A. Rowe, Jr.

[EMAIL PROTECTED] wrote:

Author: markt
Date: Thu Aug 14 11:11:28 2008
New Revision: 685981


FYI, I've updated asf-mailer so it no longer directs commit traffic
to the long-dead [EMAIL PROTECTED]  Which means starting at
this commit, you may have to adjust your filters.  But reply-to-all
should now behave sanely.

Apologies to anyone who is inconvenienced.





DO NOT REPLY [Bug 45618] Selector is not closed.

2008-08-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45618


Hao Zhong <[EMAIL PROTECTED]> changed:

           What        |Removed     |Added
         Status        |RESOLVED    |REOPENED
         Resolution    |INVALID     |




--- Comment #4 from Hao Zhong <[EMAIL PROTECTED]>  2008-08-14 18:48:32 PST ---
Please take a look at a confirmed bug in JDK 1.5 [1]. This bug is caused by not
explicitly closing a selector. I copy some descriptions from the bug report as
follows.

"However, when SocketAdaptor is done with the temporarily created selector, it
never explicitly calls selector.close(), which causes the Pipe-related sockets
to be orphaned and left in an ESTABLISHED state until process death.  Over
time, this exhausts the number of available sockets and degrades both
application and operating system performance. Pipe-related sockets are only
cleaned up when the owning process is killed."

I agree that automatic tools can produce some false positives. As you
suggested, I do not report all the violations but report those violations that
make sense in my opinion.

I am sorry that my tool cannot say in what situation a bug will cause a
problem, as my tool relies on static analysis. Still, I believe that you should
take the report into careful consideration because, as you can see, not closing
a selector has already caused some problems in JDK 1.5, and it did take effort
to fix those problems.


[1] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=5083450


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.

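As an added illustration of the leak described in the quoted JDK report (this is example code, not from Tomcat or the bug report; the class and method names are my own), the following Java helper performs a timed read on a non-blocking SocketChannel through a temporary Selector, first in the leaking form and then with the selector closed in a finally block.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SelectionKey;
import java.nio.channels.Selector;
import java.nio.channels.SocketChannel;

/** Timed read on a non-blocking SocketChannel via a temporary Selector. */
public final class TimedRead {

    /**
     * The pattern the JDK report criticises: Selector.open() creates a wakeup
     * pipe (on Windows a loopback socket pair, hence the ESTABLISHED entries
     * in the report), and nothing here ever closes it. Every call leaks the
     * pair until the process dies.
     */
    static int readWithTimeoutLeaky(SocketChannel ch, ByteBuffer dst, long timeoutMs)
            throws IOException {
        Selector sel = Selector.open();
        ch.register(sel, SelectionKey.OP_READ);     // ch must be non-blocking
        if (sel.select(timeoutMs) == 0) {           // timeoutMs must be > 0
            return 0;                               // timed out; sel leaked
        }
        return ch.read(dst);                        // sel leaked here as well
    }

    /**
     * Hardened form: the selector is closed on every exit path, which also
     * deregisters the channel. (try-with-resources would do the same on
     * Java 7+; the try/finally form matches the JDK 1.5/1.6 era of this bug.)
     */
    static int readWithTimeout(SocketChannel ch, ByteBuffer dst, long timeoutMs)
            throws IOException {
        Selector sel = Selector.open();
        try {
            ch.register(sel, SelectionKey.OP_READ); // ch must be non-blocking
            if (sel.select(timeoutMs) == 0) {       // timeoutMs must be > 0
                return 0;                           // timed out, nothing read
            }
            return ch.read(dst);
        } finally {
            sel.close();                            // releases the pipe/socket pair
        }
    }
}
```

Running the leaking variant in a loop and watching the process's open file descriptors (or `netstat` on Windows) shows the count climb by a pair per call, while the hardened variant stays flat.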