DO NOT REPLY [Bug 48160] Coyote HTTP11 Protocol pause

2009-11-09 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=48160

Mark Thomas  changed:

   What       | Removed | Added
   Status     | NEW     | RESOLVED
   Resolution |         | INVALID

--- Comment #1 from Mark Thomas  2009-11-09 02:03:51 GMT ---
Bugzilla isn't a support forum. Please use the users list.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: SSL & Tomcat

2009-11-09 Thread Konstantin Kolinko
2009/11/7 Mark Thomas :
>
> We also need to think about what to do with tc native. Maybe something like:

I think that we can
- recommend recompiling 1.1.16 with OpenSSL 0.9.8l for those who used
our sources
- for those architectures where binaries are available for 1.1.16
(windows 32/64-bit), rebuild them using OpenSSL 0.9.8l

My understanding is that 1.1.17 and later require TC 6.0.21 and 5.5.29
and later and vice versa, because of some API changes, and thus won't
be useful until those versions are released.

> - release 1.1.17 with binaries built with 0.9.8l (so renegotiation is
> disabled)

+1

> - keep an eye on httpd and if they find a work-around, copy it and
> release 1.1.18 with renegotiation enabled
>

+1

> For now, I'm not proposing any changes to the docs although we may want
> to put a summary of the advice - once agreed - on the security pages.
>
> Thoughts?
>
> Mark
>

Best regards,
Konstantin Kolinko




Re: SSL & Tomcat

2009-11-09 Thread Mladen Turk

On 09/11/09 11:34, Konstantin Kolinko wrote:
> 2009/11/7 Mark Thomas:
>> We also need to think about what to do with tc native. Maybe something like:
>
> I think that we can
> - recommend recompiling 1.1.16 with OpenSSL 0.9.8l for those who used
> our sources
> - for those architectures where binaries are available for 1.1.16
> (windows 32/64-bit), rebuild them using OpenSSL 0.9.8l

Nope.
Use 1.1.17 and 0.9.8l

Just made binaries for 1.1.17 with APR 1.3.9 and OpenSSL 0.9.8l
(Well, 64-bit versions are on the way)

Regards
--
^TM





Re: SSL & Tomcat

2009-11-09 Thread Mark Thomas
Konstantin Kolinko wrote:
> 2009/11/7 Mark Thomas :
>> We also need to think about what to do with tc native. Maybe something like:
> 
> I think that we can
> - recommend recompiling 1.1.16 with OpenSSL 0.9.8l for those who used
> our sources
> - for those architectures where binaries are available for 1.1.16
> (windows 32/64-bit), rebuild them using OpenSSL 0.9.8l
> 
> My understanding is that 1.1.17 and later require TC 6.0.21 and 5.5.29
> and later and vice versa, because of some API changes, and thus won't
> be useful until those versions are released.

That isn't my understanding. 6.0.21/5.5.29 requires 1.1.17 but not the
other way around (a method or two was added to the APR/native libraries
but nothing was removed). 1.1.17 should work happily with 6.0.x and 5.5.x.

Mark







Re: SSL & Tomcat

2009-11-09 Thread Mark Thomas
Summarising the information gathered so far from various channels
(thanks to Bill B., Bill W. & Rainer who have done most of the actual
work to find the info below).

BIO/NIO connectors using JSSE.
Vulnerable when renegotiation is triggered by the client or server.
We could prevent server initiated renegotiation (and probably break the
majority of configurations using CLIENT-CERT).
We can't do anything to prevent client initiated renegotiation.

APR/native connector using OpenSSL
It is vulnerable when renegotiation is triggered by the client or by the
server.
Client triggered negotiation is supported.
Server triggered negotiation will be supported from 1.1.17 onwards.

OpenSSL 0.9.8l disables negotiation by default


In terms of what this means for users:

BIO/NIO
- There isn't anything we can do in Tomcat to stop client
  initiated renegotiation so it is a case of waiting for the JVM
  vendors to respond.

APR/native
- Re-building their current version with 0.9.8l will protect
  users at the risk of breaking any configurations that
  require renegotiation.
- We can release 1.1.17 with the binaries built with 0.9.8l. This
  will also protect users at the risk of breaking any
  configurations that require renegotiation. Mladen is doing this
  now.
- Supporting renegotiation whilst avoiding the vulnerability will
  require a protocol fix. In the meantime, we could port
  r833582 from httpd, which would disable client triggered
  renegotiation for OpenSSL < 0.9.8l (which may help some users
  who can't easily change their OpenSSL version), and release 1.1.18
  with this fix.
- Once the protocol is fixed, release 1.1.next bundled with the
  appropriate version of OpenSSL


Have I got my facts right above? If so, any objections to posting the
above to the users@ and announce@ lists along with adding something to
the security pages?

Mark







Re: SSL & Tomcat

2009-11-09 Thread Mladen Turk

On 09/11/09 11:56, Mark Thomas wrote:
> - We can release 1.1.17 with the binaries built with 0.9.8l. This
>   will also protect users at the risk of breaking any
>   configurations that require renegotiation. Mladen is doing this
>   now.

I've uploaded binaries with APR-1.3.9/OpenSSL 9.8.8l.
Should be visible within an hour.

Regards
--
^TM




svn commit: r834021 - in /tomcat/trunk/java/javax/servlet/resources: javaee_6.xsd web-app_3_0.xsd web-common_3_0.xsd web-fragment_3_0.xsd

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 11:27:57 2009
New Revision: 834021

URL: http://svn.apache.org/viewvc?rev=834021&view=rev
Log:
Update schemas to latest draft as of 2009-11-05

Modified:
tomcat/trunk/java/javax/servlet/resources/javaee_6.xsd
tomcat/trunk/java/javax/servlet/resources/web-app_3_0.xsd
tomcat/trunk/java/javax/servlet/resources/web-common_3_0.xsd
tomcat/trunk/java/javax/servlet/resources/web-fragment_3_0.xsd

Modified: tomcat/trunk/java/javax/servlet/resources/javaee_6.xsd
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/javax/servlet/resources/javaee_6.xsd?rev=834021&r1=834020&r2=834021&view=diff
==
--- tomcat/trunk/java/javax/servlet/resources/javaee_6.xsd (original)
+++ tomcat/trunk/java/javax/servlet/resources/javaee_6.xsd Mon Nov  9 11:27:57 
2009
@@ -182,12 +182,38 @@
 
   
 
-This group collects elements that are common to all the
+This group collects elements that are common to most
 JNDI resource elements.
 
   
 
 
+  
+  
+
+  
+
+The JNDI name to be looked up to resolve a resource reference.
+
+  
+
+  
+
+  
+
+  
+
+  
+
+This group collects elements that are common to all the
+JNDI resource elements. It does not include the lookup-name
+element, that is only applicable to some resource elements.
+
+  
+
+
   
@@ -217,17 +243,6 @@
type="javaee:injection-targetType"
minOccurs="0"
maxOccurs="unbounded"/>
-  
-
-  
-
-The JNDI name to be looked up to resolve a resource reference.
-
-  
-
-  
 
   
 
@@ -315,14 +330,14 @@
minOccurs="0">
 
   
-
+]]>
   
 
   
@@ -355,7 +370,7 @@
 
   
 
-JDBC DataSource Propertry.  This may be a vendor-specific
+JDBC DataSource property.  This may be a vendor-specific
 property or a less commonly used DataSource property.
 
   
@@ -511,7 +526,7 @@
   
 
   
-
+]]>
   
 
 
@@ -541,7 +556,7 @@
   
 
   
-
+]]>
   
 
 
@@ -633,7 +648,7 @@
   
 
   
-
+]]>
   
 
 
@@ -789,7 +804,7 @@
type="javaee:jndi-nameType">
 
   
-
+]]>
   
 
   
@@ -811,7 +826,7 @@
minOccurs="0">
 
   
-
+]]>
   
 
   
@@ -832,7 +847,7 @@
minOccurs="0">
 
   
-
+]]>
   
 
   
@@ -860,7 +875,7 @@
   
 
   
-
+]]>
   
 
 
@@ -961,7 +976,7 @@
minOccurs="0">
 
   
-
+]]>
   
 
   
@@ -983,7 +998,7 @@
minOccurs="0">
 
   
-
+]]>
   
 
   
@@ -1046,14 +1061,16 @@
 
   
 
-public enum isolation-level-type { TRANSACTION_NONE,
-TRANSACTION_READ_UNCOMMITTED, TRANSACTION_READ_COMMITTED,
-TRANSACTION_REPEATABLE_READ, TRANSACTION_SERIALIZABLE };
+   The following transaction isolation levels are allowed
+   (see documentation for the java.sql.Connection interface):
+TRANSACTION_READ_UNCOMMITTED
+TRANSACTION_READ_COMMITTED
+TRANSACTION_REPEATABLE_READ
+TRANSACTION_SERIALIZABLE
 
   
 
 
-  
   
   
   
@@ -1107,7 +1124,7 @@
   
 
   
-
+]]>
   
 
 
@@ -1153,7 +1170,7 @@
   
 
   
-
+]]>
   
 
 
@@ -1340,7 +1357,7 @@
   
 
   
-
+]]>
   
 
 
@@ -1436,7 +1453,7 @@
   
 
   
-  
+  
 
 
@@ -1496,7 +1513,7 @@
   
 
   
-
+]]>
   
 
 
@@ -1566,7 +1583,7 @@
   
 
   
-  
+  
 
 
@@ -1578,7 +1595,7 @@
   
 
   
-
+]]>
   
 
 
@@ -1600,7 +1617,7 @@
   
 
   
-
+]]>
   
 
 
@@ -1677,7 +1694,7 @@
   
 
   
-
+]]>
   
 
 
@@ -1859,7 +1876,7 @@
   
 
   
-
+]]>
   
 
 
@@ -2168,7 +2185,7 @@
   
 
   
-
+]]>
   
 
 
@@ -2257,7 +2274,7 @@
   
 
   
-
+]]>
   
 
 
@@ -2365,7 +2382,7 @@
   
 
   
-
+]]>
   
 
 
@@ -2418,3 +2435,5 @@
   
 
 
+
+

Modified: tomcat/trunk/java/javax/servlet/resources/web-app_3_0.xsd
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/javax/servlet/resources/web-app_3_0.xsd?rev=834021&r1=834020&r2=834021&view=diff

svn commit: r834022 - /tomcat/trunk/java/javax/servlet/jsp/resources/jsp_2_2.xsd

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 11:29:18 2009
New Revision: 834022

URL: http://svn.apache.org/viewvc?rev=834022&view=rev
Log:
Add the JSP 2.2 schema. Note election to use CDDL.

Added:
tomcat/trunk/java/javax/servlet/jsp/resources/jsp_2_2.xsd   (with props)

Added: tomcat/trunk/java/javax/servlet/jsp/resources/jsp_2_2.xsd
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/javax/servlet/jsp/resources/jsp_2_2.xsd?rev=834022&view=auto
==
--- tomcat/trunk/java/javax/servlet/jsp/resources/jsp_2_2.xsd (added)
+++ tomcat/trunk/java/javax/servlet/jsp/resources/jsp_2_2.xsd Mon Nov  9 
11:29:18 2009
@@ -0,0 +1,406 @@
+
+http://www.w3.org/2001/XMLSchema";
+targetNamespace="http://java.sun.com/xml/ns/javaee";
+xmlns:javaee="http://java.sun.com/xml/ns/javaee";
+xmlns:xsd="http://www.w3.org/2001/XMLSchema";
+elementFormDefault="qualified"
+attributeFormDefault="unqualified"
+version="2.2">
+  
+
+
+  $Id$
+  
+
+  
+
+  
+
+
+  DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+  
+  Copyright 2003-2009 Sun Microsystems, Inc. All rights reserved.
+  
+  The contents of this file are subject to the terms of either the
+  GNU General Public License Version 2 only ("GPL") or the Common
+  Development and Distribution License("CDDL") (collectively, the
+  "License").  You may not use this file except in compliance with
+  the License. You can obtain a copy of the License at
+  https://glassfish.dev.java.net/public/CDDL+GPL.html or
+  glassfish/bootstrap/legal/LICENSE.txt.  See the License for the
+  specific language governing permissions and limitations under the
+  License.
+  
+  When distributing the software, include this License Header
+  Notice in each file and include the License file at
+  glassfish/bootstrap/legal/LICENSE.txt.  Sun designates this
+  particular file as subject to the "Classpath" exception as
+  provided by Sun in the GPL Version 2 section of the License file
+  that accompanied this code.  If applicable, add the following
+  below the License Header, with the fields enclosed by brackets []
+  replaced by your own identifying information:
+  "Portions Copyrighted [year] [name of copyright owner]"
+  
+  Contributor(s):
+  
+  If you wish your version of this file to be governed by only the
+  CDDL or only the GPL Version 2, indicate your decision by adding
+  "[Contributor] elects to include this software in this
+  distribution under the [CDDL or GPL Version 2] license."  If you
+  don't indicate a single choice of license, a recipient has the
+  option to distribute your version of this file under either the
+  CDDL, the GPL Version 2 or to extend the choice of license to its
+  licensees as provided above.  However, if you add GPL Version 2
+  code and therefore, elected the GPL Version 2 license, then the
+  option applies only if the new code is made subject to such
+  option by the copyright holder.
+  
+
+  
+
+  
+
+  The Apache Software Foundation elects to include this software under the
+  CDDL license.
+
+  
+
+  
+
+
+  This is the XML Schema for the JSP 2.2 deployment descriptor
+  types.  The JSP 2.2 schema contains all the special
+  structures and datatypes that are necessary to use JSP files
+  from a web application. 
+  
+  The contents of this schema is used by the web-common_3_0.xsd 
+  file to define JSP specific content. 
+  
+
+  
+
+  
+
+
+  The following conventions apply to all Java EE
+  deployment descriptor elements unless indicated otherwise.
+  
+  - In elements that specify a pathname to a file within the
+  same JAR file, relative filenames (i.e., those not
+  starting with "/") are considered relative to the root of
+  the JAR file's namespace.  Absolute filenames (i.e., those
+  starting with "/") also specify names in the root of the
+  JAR file's namespace.  In general, relative names are
+  preferred.  The exception is .war files where absolute
+  names are preferred for consistency with the Servlet API.
+  
+
+  
+
+  
+
+
+
+
+  
+
+  
+
+The jsp-configType is used to provide global configuration
+information for the JSP files in a web application. It has
+two subelements, taglib and jsp-property-group.
+
+  
+
+
+  
+  
+
+
+  
+
+
+
+
+  
+
+  
+
+The jsp-file element contains the full path to a JSP file
+within the web application beginning with a `/'.
+
+  
+
+
+  
+
+  
+
+
+
+
+  
+
+  
+
+The jsp-property-groupType is used to group a number of
+files so they can be gi

svn commit: r834023 - /tomcat/trunk/NOTICE

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 11:31:08 2009
New Revision: 834023

URL: http://svn.apache.org/viewvc?rev=834023&view=rev
Log:
Add JSP 2.2 XSD

Modified:
tomcat/trunk/NOTICE

Modified: tomcat/trunk/NOTICE
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/NOTICE?rev=834023&r1=834022&r2=834023&view=diff
==
--- tomcat/trunk/NOTICE (original)
+++ tomcat/trunk/NOTICE Mon Nov  9 11:31:08 2009
@@ -32,4 +32,5 @@
  - web-app_3_0.xsd
  - web-common_3_0.xsd
  - web-fragment_3_0.xsd
+ - jsp_2_2.xsd
 may be obtained from http://java.sun.com/xml/ns/javaee/






svn commit: r834024 - in /tomcat/trunk: build.xml res/META-INF/jsp-api.jar.license res/META-INF/jsp-api.jar.notice

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 11:37:53 2009
New Revision: 834024

URL: http://svn.apache.org/viewvc?rev=834024&view=rev
Log:
Use correct default manifest
Use specific notice and license file for jsp jar

Added:
tomcat/trunk/res/META-INF/jsp-api.jar.license   (with props)
tomcat/trunk/res/META-INF/jsp-api.jar.notice   (with props)
Modified:
tomcat/trunk/build.xml

Modified: tomcat/trunk/build.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/build.xml?rev=834024&r1=834023&r2=834024&view=diff
==
--- tomcat/trunk/build.xml (original)
+++ tomcat/trunk/build.xml Mon Nov  9 11:37:53 2009
@@ -301,7 +301,7 @@
 
 
 
+   default="${tomcat.tmp}/default.manifest" />
 
 
+  notice="res/META-INF/jsp-api.jar.notice"
+  license="res/META-INF/jsp-api.jar.license" />
 
 
 http://svn.apache.org/viewvc/tomcat/trunk/res/META-INF/jsp-api.jar.license?rev=834024&view=auto
==
--- tomcat/trunk/res/META-INF/jsp-api.jar.license (added)
+++ tomcat/trunk/res/META-INF/jsp-api.jar.license Mon Nov  9 11:37:53 2009
@@ -0,0 +1,544 @@
+
+ Apache License
+   Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+  "License" shall mean the terms and conditions for use, reproduction,
+  and distribution as defined by Sections 1 through 9 of this document.
+
+  "Licensor" shall mean the copyright owner or entity authorized by
+  the copyright owner that is granting the License.
+
+  "Legal Entity" shall mean the union of the acting entity and all
+  other entities that control, are controlled by, or are under common
+  control with that entity. For the purposes of this definition,
+  "control" means (i) the power, direct or indirect, to cause the
+  direction or management of such entity, whether by contract or
+  otherwise, or (ii) ownership of fifty percent (50%) or more of the
+  outstanding shares, or (iii) beneficial ownership of such entity.
+
+  "You" (or "Your") shall mean an individual or Legal Entity
+  exercising permissions granted by this License.
+
+  "Source" form shall mean the preferred form for making modifications,
+  including but not limited to software source code, documentation
+  source, and configuration files.
+
+  "Object" form shall mean any form resulting from mechanical
+  transformation or translation of a Source form, including but
+  not limited to compiled object code, generated documentation,
+  and conversions to other media types.
+
+  "Work" shall mean the work of authorship, whether in Source or
+  Object form, made available under the License, as indicated by a
+  copyright notice that is included in or attached to the work
+  (an example is provided in the Appendix below).
+
+  "Derivative Works" shall mean any work, whether in Source or Object
+  form, that is based on (or derived from) the Work and for which the
+  editorial revisions, annotations, elaborations, or other modifications
+  represent, as a whole, an original work of authorship. For the purposes
+  of this License, Derivative Works shall not include works that remain
+  separable from, or merely link (or bind by name) to the interfaces of,
+  the Work and Derivative Works thereof.
+
+  "Contribution" shall mean any work of authorship, including
+  the original version of the Work and any modifications or additions
+  to that Work or Derivative Works thereof, that is intentionally
+  submitted to Licensor for inclusion in the Work by the copyright owner
+  or by an individual or Legal Entity authorized to submit on behalf of
+  the copyright owner. For the purposes of this definition, "submitted"
+  means any form of electronic, verbal, or written communication sent
+  to the Licensor or its representatives, including but not limited to
+  communication on electronic mailing lists, source code control systems,
+  and issue tracking systems that are managed by, or on behalf of, the
+  Licensor for the purpose of discussing and improving the Work, but
+  excluding communication that is conspicuously marked or otherwise
+  designated in writing by the copyright owner as "Not a Contribution."
+
+  "Contributor" shall mean Licensor and any individual or Legal Entity
+  on behalf of whom a Contribution has been received by Licensor and
+  subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+  this License, each Contributor hereby grants to You a perpetual,
+  worldwide, non-exclusive, no-charge, royalty-fr

DO NOT REPLY [Bug 48157] describe how to disable X-Header trick to attack client cert auth

2009-11-09 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=48157

--- Comment #3 from Ralf Hauser  2009-11-09 04:06:08 UTC ---
Since we do not really have the option to use "APR/Native", we would be happy
to have X-Header fixing heuristics as another optional server.xml attribute.
You fear in comment 2 that there are other, more complex attack vectors, but if
we can, shouldn't we fix the immediate and obvious ones all the same, even if
we can't guarantee that there aren't worse, but also more complex, attack
vectors?

We happily offer to test and report at least for our setup.




DO NOT REPLY [Bug 48158] warn that "per directory client certificate authentication" is harmful

2009-11-09 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=48158

--- Comment #2 from Ralf Hauser  2009-11-09 04:07:54 UTC ---
tomcat-dev-list:
> BIO/NIO connectors using JSSE.
> Vulnerable when renegotiation is triggered by the client or server.
> We could prevent server initiated renegotiation (and probably break
> the majority of configurations using CLIENT-CERT).

Couldn't you make this an optional server.xml attribute where each site can
decide whether to use it or not (i.e. test themselves whether it affects them
or not). We are quite advanced on migrating our site away from
sub-directory/url-pattern based renegotiation. So, having Coyote not allowing
for re-negotiation would be a great benefit for us and we obviously would
report on difficulties we and our users encounter to optimize this approach!

> We can't do anything to prevent client initiated renegotiation.

Sure, but closing 2 out of 3 attack vectors is at least something, isn't it?




Re: SSL & Tomcat

2009-11-09 Thread Konstantin Kolinko
2009/11/9 Mark Thomas :
> Konstantin Kolinko wrote:
>>
>> My understanding is that 1.1.17 and later require TC 6.0.21 and 5.5.29
>> and later and vice versa, because of some API changes, and thus won't
>> be useful until those versions are released.
>
> That isn't my understanding. 6.0.21/5.5.29 requires 1.1.17 but not the
> other way around (a method or two was added to the APR/native libraries
> but nothing was removed). 1.1.17 should work happily with 6.0.x and 5.5.x.
>

I am glad to be wrong.
I thought about the changes done by the following commit:
http://svn.apache.org/viewvc?view=revision&revision=832187
but those are already in 1.1.16 ..1.1.13. I have not looked earlier.

So let's go with 1.1.17

Best regards,
Konstantin Kolinko




svn commit: r834034 - /tomcat/trunk/java/javax/servlet/http/Cookie.java

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 12:34:45 2009
New Revision: 834034

URL: http://svn.apache.org/viewvc?rev=834034&view=rev
Log:
Cookie is now serializable in Servlet 3.0
Fix some Eclipse warnings

Modified:
tomcat/trunk/java/javax/servlet/http/Cookie.java

Modified: tomcat/trunk/java/javax/servlet/http/Cookie.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/javax/servlet/http/Cookie.java?rev=834034&r1=834033&r2=834034&view=diff
==
--- tomcat/trunk/java/javax/servlet/http/Cookie.java (original)
+++ tomcat/trunk/java/javax/servlet/http/Cookie.java Mon Nov  9 12:34:45 2009
@@ -16,6 +16,7 @@
 */
 package javax.servlet.http;
 
+import java.io.Serializable;
 import java.text.MessageFormat;
 import java.util.ResourceBundle;
 
@@ -58,12 +59,9 @@
  * @version$Version$
  *
  */
+public class Cookie implements Cloneable, Serializable {
 
-// XXX would implement java.io.Serializable too, but can't do that
-// so long as sun.servlet.* must run on older JDK 1.02 JVMs which
-// don't include that support.
-
-public class Cookie implements Cloneable {
+private static final long serialVersionUID = 1L;
 
 private static final String LSTRING_FILE =
"javax.servlet.http.LocalStrings";
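Review bot: the new `serialVersionUID = 1L` on `javax.servlet.http.Cookie` should be checked against the value the Servlet 3.0 API defines for this class before it ships: Cookie objects that end up inside serialized sessions will fail to deserialize on a container whose Cookie class declares a different UID. If 1L is the agreed value, a one-line comment next to the field saying so would save the next reader the same question. Dropping the old "XXX would implement java.io.Serializable ... JDK 1.02" comment is the right call now that the class does implement it.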
@@ -560,11 +558,11 @@
  * a reserved token; false
  * if it is not
  */
-private boolean isToken(String value) {
-int len = value.length();
+private boolean isToken(String possibleToken) {
+int len = possibleToken.length();
 
 for (int i = 0; i < len; i++) {
-char c = value.charAt(i);
+char c = possibleToken.charAt(i);
 
 if (c < 0x20 || c >= 0x7f || tspecials.indexOf(c) != -1 ||
 (STRICT_NAMING && tspecials2.indexOf(c) != -1)) {
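Review bot: the parameter rename from `value` to `possibleToken` in `isToken` needs to be carried into the method's Javadoc; the visible `@return` text is unchanged and the `@param` tag above it (outside this hunk) presumably still names `value`, which will produce a javadoc warning. The rejection condition (`c < 0x20 || c >= 0x7f || tspecials.indexOf(c) != -1`, plus `tspecials2` under `STRICT_NAMING`) is untouched, so the rename does not change which cookie names and values are accepted.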






svn commit: r834036 - /tomcat/trunk/java/javax/servlet/annotation/WebServlet.java

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 12:40:56 2009
New Revision: 834036

URL: http://svn.apache.org/viewvc?rev=834036&view=rev
Log:
Add support for displayName

Modified:
tomcat/trunk/java/javax/servlet/annotation/WebServlet.java

Modified: tomcat/trunk/java/javax/servlet/annotation/WebServlet.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/javax/servlet/annotation/WebServlet.java?rev=834036&r1=834035&r2=834036&view=diff
==
--- tomcat/trunk/java/javax/servlet/annotation/WebServlet.java (original)
+++ tomcat/trunk/java/javax/servlet/annotation/WebServlet.java Mon Nov  9 
12:40:56 2009
@@ -39,4 +39,5 @@
 String smallIcon() default "";
 String largeIcon() default "";
 String description() default "";
+String displayName() default "";
 }






svn commit: r834047 - /tomcat/trunk/res/tomcat.nsi

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 13:04:52 2009
New Revision: 834047

URL: http://svn.apache.org/viewvc?rev=834047&view=rev
Log:
Fix CVE-2009-3548.
When installing using defaults, don't create an administrative user with a blank password
Note: This is already public - it was discussed on the users list. The formal announcement will go out shortly.
The patch also includes making the Manager and Host-Manager applications separately selectable with the addition of an administrative user only enabled if one of the manager apps is selected

Modified:
tomcat/trunk/res/tomcat.nsi

Modified: tomcat/trunk/res/tomcat.nsi
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/res/tomcat.nsi?rev=834047&r1=834046&r2=834047&view=diff
==
--- tomcat/trunk/res/tomcat.nsi (original)
+++ tomcat/trunk/res/tomcat.nsi Mon Nov  9 13:04:52 2009
@@ -98,7 +98,9 @@
 LangString DESC_SecTomcatNative ${LANG_ENGLISH} "Install APR based Tomcat 
native .dll for better performance and scalability in production environments."
 LangString DESC_SecMenu ${LANG_ENGLISH} "Create a Start Menu program group 
for Tomcat."
 LangString DESC_SecDocs ${LANG_ENGLISH} "Install the Tomcat documentation 
bundle. This include documentation on the servlet container and its 
configuration options, on the Jasper JSP page compiler, as well as on the 
native webserver connectors."
-LangString DESC_SecExamples ${LANG_ENGLISH} "Installs some examples web 
applications."
+LangString DESC_SecManager ${LANG_ENGLISH} "Install the Tomcat Manager 
administrative web application."
+LangString DESC_SecHostManager ${LANG_ENGLISH} "Install the Tomcat Host 
Manager administrative web application."
+LangString DESC_SecExamples ${LANG_ENGLISH} "Install the Servlet and JSP 
example web applications."
 
   ;Language
   !insertmacro MUI_LANGUAGE English
@@ -149,10 +151,6 @@
   File conf\*.*
   SetOutPath $INSTDIR\webapps\ROOT
   File /r webapps\ROOT\*.*
-  SetOutPath $INSTDIR\webapps\host-manager
-  File /r webapps\host-manager\*.*
-  SetOutPath $INSTDIR\webapps\manager
-  File /r webapps\manager\*.*
 
   Call configure
   Call findJavaPath
@@ -292,6 +290,26 @@
 
 SectionEnd
 
+Section "Manager" SecManager
+
+  SectionIn 1 3
+
+  SetOverwrite on
+  SetOutPath $INSTDIR\webapps\manager
+  File /r webapps\manager\*.*
+
+SectionEnd
+
+Section "Host Manager" SecHostManager
+
+  SectionIn 3
+
+  SetOverwrite on
+  SetOutPath $INSTDIR\webapps\host-manager
+  File /r webapps\host-manager\*.*
+
+SectionEnd
+
 Section "Examples" SecExamples
 
   SectionIn 3
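Review bot: `SectionIn 1 3` for the new Manager section versus `SectionIn 3` for Host Manager means the Manager application is still part of install type 1 while Host Manager only belongs to type 3. If type 1 is the default selection, a default install still ships the Manager app (with the user/password controls enabled for it by the SetConfiguration change below, and no admin user written when the password is left blank). A comment naming what install types 1 and 3 are would make that deliberate choice visible to whoever edits these sections next.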
@@ -339,7 +357,38 @@
 
 Function SetConfiguration
   !insertmacro MUI_HEADER_TEXT "$(TEXT_CONF_TITLE)" "$(TEXT_CONF_SUBTITLE)"
+
+  SectionGetFlags ${SecManager} $0
+  IntOp $0 $0 & ${SF_SELECTED}
+  IntCmp $0 0 0 Enable Enable
+  SectionGetFlags ${SecHostManager} $0
+  IntOp $0 $0 & ${SF_SELECTED}
+  IntCmp $0 0 Disable 0 0
+
+Enable:
+  ; Enable the user and password controls if the manager or host-manager app is
+  ; being installed
+  !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 5" "HWND"
+  !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 5" "Flags" ""
+  EnableWindow $0 1
+  !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 7" "HWND"
+  !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 7" "Flags" ""
+  EnableWindow $0 1
+  Goto Display
+
+Disable:
+  ; Disable the user and password controls if neither the manager nor
+  ; host-manager app is being installed
+  !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 5" "HWND"
+  !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 5" "Flags" 
"DISABLED"
+  EnableWindow $0 0
+  !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 7" "HWND"
+  !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 7" "Flags" 
"DISABLED"
+  EnableWindow $0 0
+
+Display:
   !insertmacro MUI_INSTALLOPTIONS_DISPLAY "config.ini"
+
 FunctionEnd
 
 Function Void
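Review bot: the `Field 5` / `Field 7` references in both the Enable and Disable branches are magic numbers tied to config.ini; the comments say these are the user and password controls, so a `!define` (or at least a comment on the first use) stating which field is which would make the pairing checkable without opening config.ini. The branch logic itself reads correctly: after `IntOp $0 $0 & ${SF_SELECTED}` the value is either 0 or SF_SELECTED, so `IntCmp $0 0 0 Enable Enable` falls through only when Manager is unselected, and the second `IntCmp $0 0 Disable 0 0` then disables the controls only when Host Manager is unselected as well.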
@@ -355,6 +404,8 @@
   !insertmacro MUI_DESCRIPTION_TEXT ${SecTomcatNative} $(DESC_SecTomcatNative)
   !insertmacro MUI_DESCRIPTION_TEXT ${SecMenu} $(DESC_SecMenu)
   !insertmacro MUI_DESCRIPTION_TEXT ${SecDocs} $(DESC_SecDocs)
+  !insertmacro MUI_DESCRIPTION_TEXT ${SecManager} $(DESC_SecManager)
+  !insertmacro MUI_DESCRIPTION_TEXT ${SecHostManager} $(DESC_SecHostManager)
   !insertmacro MUI_DESCRIPTION_TEXT ${SecExamples} $(DESC_SecExamples)
 !insertmacro MUI_FUNCTION_DESCRIPTION_END
 
@@ -556,11 +607,13 @@
   Call xmlEscape
   Pop $R2
   
+  StrCmp $R1 "" +4 0  ; Blank user - do not add anything to tomcat-users.xml
+  StrCmp $R2 "" +3 0  ; Blank password - do not add anything to 
tomcat-users.xml
   StrCpy $R5 ''
-
+  DetailPrint 'Admin user added: "$R1"'
+  
 Silent:
   DetailPrint 'HTTP/1.1 Connector configured on port "$R0"'
-  DetailPrint 'Admin user added: "$R1"'
 
   SetOutPath $TEMP
   File /r confinstall
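Review bot: the relative jumps `StrCmp $R1 "" +4 0` and `StrCmp $R2 "" +3 0` are fragile: inserting any instruction between them and `Silent:` silently changes where a blank user or blank password lands. The function already uses a named label (`Silent:`), so a second label on the `DetailPrint 'HTTP/1.1 Connector configured on port "$R0"'` line, used as the jump target, would make the intent explicit. Also, the lines visible here only skip `StrCpy $R5 ''` and the `DetailPrint 'Admin user added: "$R1"'`; the code that actually writes the user entry into tomcat-users.xml is outside this hunk, so please confirm it keys off `$R5` being left unset, otherwise the inline comments promise more than the hunk shows.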



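The installer fix above stops a default install from writing an administrative user with a blank password; existing installations keep whatever tomcat-users.xml they already have. The following audit script is an added example, not Tomcat project code: it parses a tomcat-users.xml and flags blank-password accounts, raising the severity when the account also holds a role that grants Manager or Host Manager access. The role names in ADMIN_ROLES and the sample file are assumptions, constructed to resemble what a pre-fix installer produced.

```python
"""Audit a tomcat-users.xml for blank passwords on administrative accounts.

Added example for the CVE-2009-3548 discussion; not part of Tomcat.
"""
import sys
import xml.etree.ElementTree as ET

# Assumption: the role names that grant access to the Manager and Host Manager
# administrative web applications on the Tomcat versions discussed above.
ADMIN_ROLES = {"manager", "admin"}

# Constructed sample, shaped like the tomcat-users.xml a pre-fix installer
# wrote when run with defaults: an "admin" account with an empty password.
SAMPLE_TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="admin" password="" roles="manager,admin"/>
  <user username="deploy" password="s3cret" roles="manager"/>
  <user username="guest" password="" roles=""/>
</tomcat-users>
"""


def _local(tag):
    """Strip any XML namespace so <user> matches with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_users(xml_text):
    """Return one dict per <user> element: username, password, set of roles."""
    root = ET.fromstring(xml_text)
    users = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        users.append({
            # Tomcat's memory user database also accepts the older "name" attribute.
            "username": el.get("username") or el.get("name") or "",
            "password": el.get("password"),   # None when the attribute is absent
            "roles": roles,
        })
    return users


def audit(xml_text, admin_roles=ADMIN_ROLES):
    """Flag blank passwords; severity rises when the account is administrative.

    Returns a list of findings, one per account worth reporting, in file order.
    """
    findings = []
    for u in parse_users(xml_text):
        is_admin = bool(u["roles"] & admin_roles)
        blank = not u["password"]            # covers "" and a missing attribute
        if blank and is_admin:
            sev, why = "CRITICAL", "administrative role with blank password"
        elif blank:
            sev, why = "HIGH", "blank password"
        elif is_admin:
            sev, why = "INFO", "administrative role (inventory only)"
        else:
            continue
        findings.append({"username": u["username"], "severity": sev,
                         "roles": sorted(u["roles"]), "reason": why})
    return findings


if __name__ == "__main__":
    # Usage: python audit_tomcat_users.py [path/to/tomcat-users.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TOMCAT_USERS
    for f in audit(text):
        print(f"{f['severity']:8} {f['username']:12} "
              f"roles={','.join(f['roles']) or '-'}  {f['reason']}")
```

Run it against `$CATALINA_HOME/conf/tomcat-users.xml` on each installation; any CRITICAL line is exactly the condition the installer patch prevents for new installs.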

DO NOT REPLY [Bug 48157] describe how to disable X-Header trick to attack client cert auth

2009-11-09 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=48157

--- Comment #4 from Konstantin Kolinko  2009-11-09 05:12:13 UTC ---
If you really want something like that, you can write a Filter or a Valve. See
org.apache.catalina.valves.RequestDumperValve for an example.

http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html




svn commit: r834050 - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 13:18:42 2009
New Revision: 834050

URL: http://svn.apache.org/viewvc?rev=834050&view=rev
Log:
Correct latest Tomcat 4 version
Since it has been almost 6 months since the final 4.1.x release, remove the download and doc links and mark it as archived.

Removed:
tomcat/site/trunk/docs/download-41.cgi
tomcat/site/trunk/docs/download-41.html
tomcat/site/trunk/xdocs/download-41.cgi
tomcat/site/trunk/xdocs/download-41.xml
Modified:
tomcat/site/trunk/docs/bugreport.html
tomcat/site/trunk/docs/contact.html
tomcat/site/trunk/docs/download-55.html
tomcat/site/trunk/docs/download-60.html
tomcat/site/trunk/docs/download-connectors.html
tomcat/site/trunk/docs/download-native.html
tomcat/site/trunk/docs/findhelp.html
tomcat/site/trunk/docs/getinvolved.html
tomcat/site/trunk/docs/heritage.html
tomcat/site/trunk/docs/index.html
tomcat/site/trunk/docs/irc.html
tomcat/site/trunk/docs/legal.html
tomcat/site/trunk/docs/lists.html
tomcat/site/trunk/docs/migration.html
tomcat/site/trunk/docs/oldnews.html
tomcat/site/trunk/docs/resources.html
tomcat/site/trunk/docs/security-3.html
tomcat/site/trunk/docs/security-4.html
tomcat/site/trunk/docs/security-5.html
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-impact.html
tomcat/site/trunk/docs/security-jk.html
tomcat/site/trunk/docs/security.html
tomcat/site/trunk/docs/svn.html
tomcat/site/trunk/docs/whichversion.html
tomcat/site/trunk/docs/whoweare.html
tomcat/site/trunk/xdocs/stylesheets/project.xml
tomcat/site/trunk/xdocs/whichversion.xml

Modified: tomcat/site/trunk/docs/bugreport.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/bugreport.html?rev=834050&r1=834049&r2=834050&view=diff
==
--- tomcat/site/trunk/docs/bugreport.html (original)
+++ tomcat/site/trunk/docs/bugreport.html Mon Nov  9 13:18:42 2009
@@ -72,9 +72,6 @@
 Tomcat 5.5
 
 
-Tomcat 4.1
-
-
 Tomcat Connectors
 
 
@@ -95,9 +92,6 @@
 Tomcat 5.5
 
 
-Tomcat 4.1
-
-
 Tomcat Connectors
 
 

Modified: tomcat/site/trunk/docs/contact.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/contact.html?rev=834050&r1=834049&r2=834050&view=diff
==
--- tomcat/site/trunk/docs/contact.html (original)
+++ tomcat/site/trunk/docs/contact.html Mon Nov  9 13:18:42 2009
@@ -71,9 +71,6 @@
 Tomcat 5.5
 
 
-Tomcat 4.1
-
-
 Tomcat Connectors
 
 
@@ -94,9 +91,6 @@
 Tomcat 5.5
 
 
-Tomcat 4.1
-
-
 Tomcat Connectors
 
 

Modified: tomcat/site/trunk/docs/download-55.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/download-55.html?rev=834050&r1=834049&r2=834050&view=diff
==
--- tomcat/site/trunk/docs/download-55.html (original)
+++ tomcat/site/trunk/docs/download-55.html Mon Nov  9 13:18:42 2009
@@ -71,9 +71,6 @@
 Tomcat 5.5
 
 
-Tomcat 4.1
-
-
 Tomcat Connectors
 
 
@@ -94,9 +91,6 @@
 Tomcat 5.5
 
 
-Tomcat 4.1
-
-
 Tomcat Connectors
 
 

Modified: tomcat/site/trunk/docs/download-60.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/download-60.html?rev=834050&r1=834049&r2=834050&view=diff
==
--- tomcat/site/trunk/docs/download-60.html (original)
+++ tomcat/site/trunk/docs/download-60.html Mon Nov  9 13:18:42 2009
@@ -71,9 +71,6 @@
 Tomcat 5.5
 
 
-Tomcat 4.1
-
-
 Tomcat Connectors
 
 
@@ -94,9 +91,6 @@
 Tomcat 5.5
 
 
-Tomcat 4.1
-
-
 Tomcat Connectors
 
 

Modified: tomcat/site/trunk/docs/download-connectors.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/download-connectors.html?rev=834050&r1=834049&r2=834050&view=diff
==
--- tomcat/site/trunk/docs/download-connectors.html (original)
+++ tomcat/site/trunk/docs/download-connectors.html Mon Nov  9 13:18:42 2009
@@ -71,9 +71,6 @@
 Tomcat 5.5
 
 
-Tomcat 4.1
-
-
 Tomcat Connectors
 
 
@@ -94,9 +91,6 @@
 Tomcat 5.5
 
 
-Tomcat 4.1
-
-
 Tomcat Connectors
 
 

Modified: tomcat/site/trunk/docs/download-native.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/download-native.html?rev=834050&r1=834049&r2=834050&view=diff
==
--- tomcat/site/trunk/docs/download-native.html (original)
+++ tomcat/site/trunk/docs/download-native.html Mon Nov  9 13:18:42 2009
@@ -71,9 +71,6 @@
 Tomcat 5.5
 
 
-Tomcat 4.1
-
-
 Tomcat Connectors
 
 
@@ -94,9 +91,6 @@
 Tomcat 5.5
 
 
-Tomcat 4.1
-
-
 Tomcat Connectors
 
 

Modified: tomcat/site/trunk/docs/findhelp.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/findhelp.html?rev=834050&r1=834049&r2=834050&view=diff
==

svn commit: r834052 [1/2] - in /tomcat/trunk/res/META-INF: jasper-jdt.jar.license jasper-jdt.jar.notice servlet-api.jar.license servlet-api.jar.notice

2009-11-09 Thread kkolinko
Author: kkolinko
Date: Mon Nov  9 13:19:42 2009
New Revision: 834052

URL: http://svn.apache.org/viewvc?rev=834052&view=rev
Log:
svn:eol-style

Modified:
tomcat/trunk/res/META-INF/jasper-jdt.jar.license   (contents, props changed)
tomcat/trunk/res/META-INF/jasper-jdt.jar.notice   (contents, props changed)
tomcat/trunk/res/META-INF/servlet-api.jar.license   (contents, props 
changed)
tomcat/trunk/res/META-INF/servlet-api.jar.notice   (contents, props changed)

Modified: tomcat/trunk/res/META-INF/jasper-jdt.jar.license
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/res/META-INF/jasper-jdt.jar.license?rev=834052&r1=834051&r2=834052&view=diff
==
--- tomcat/trunk/res/META-INF/jasper-jdt.jar.license (original)
+++ tomcat/trunk/res/META-INF/jasper-jdt.jar.license Mon Nov  9 13:19:42 2009
@@ -1,424 +1,424 @@
-
- Apache License
-   Version 2.0, January 2004
-http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-  "License" shall mean the terms and conditions for use, reproduction,
-  and distribution as defined by Sections 1 through 9 of this document.
-
-  "Licensor" shall mean the copyright owner or entity authorized by
-  the copyright owner that is granting the License.
-
-  "Legal Entity" shall mean the union of the acting entity and all
-  other entities that control, are controlled by, or are under common
-  control with that entity. For the purposes of this definition,
-  "control" means (i) the power, direct or indirect, to cause the
-  direction or management of such entity, whether by contract or
-  otherwise, or (ii) ownership of fifty percent (50%) or more of the
-  outstanding shares, or (iii) beneficial ownership of such entity.
-
-  "You" (or "Your") shall mean an individual or Legal Entity
-  exercising permissions granted by this License.
-
-  "Source" form shall mean the preferred form for making modifications,
-  including but not limited to software source code, documentation
-  source, and configuration files.
-
-  "Object" form shall mean any form resulting from mechanical
-  transformation or translation of a Source form, including but
-  not limited to compiled object code, generated documentation,
-  and conversions to other media types.
-
-  "Work" shall mean the work of authorship, whether in Source or
-  Object form, made available under the License, as indicated by a
-  copyright notice that is included in or attached to the work
-  (an example is provided in the Appendix below).
-
-  "Derivative Works" shall mean any work, whether in Source or Object
-  form, that is based on (or derived from) the Work and for which the
-  editorial revisions, annotations, elaborations, or other modifications
-  represent, as a whole, an original work of authorship. For the purposes
-  of this License, Derivative Works shall not include works that remain
-  separable from, or merely link (or bind by name) to the interfaces of,
-  the Work and Derivative Works thereof.
-
-  "Contribution" shall mean any work of authorship, including
-  the original version of the Work and any modifications or additions
-  to that Work or Derivative Works thereof, that is intentionally
-  submitted to Licensor for inclusion in the Work by the copyright owner
-  or by an individual or Legal Entity authorized to submit on behalf of
-  the copyright owner. For the purposes of this definition, "submitted"
-  means any form of electronic, verbal, or written communication sent
-  to the Licensor or its representatives, including but not limited to
-  communication on electronic mailing lists, source code control systems,
-  and issue tracking systems that are managed by, or on behalf of, the
-  Licensor for the purpose of discussing and improving the Work, but
-  excluding communication that is conspicuously marked or otherwise
-  designated in writing by the copyright owner as "Not a Contribution."
-
-  "Contributor" shall mean Licensor and any individual or Legal Entity
-  on behalf of whom a Contribution has been received by Licensor and
-  subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-  this License, each Contributor hereby grants to You a perpetual,
-  worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-  copyright license to reproduce, prepare Derivative Works of,
-  publicly display, publicly perform, sublicense, and distribute the
-  Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-  this License, each Cont

svn commit: r834059 - in /tomcat/tc6.0.x/trunk/res/META-INF: jasper-jdt.jar.license jasper-jdt.jar.notice

2009-11-09 Thread kkolinko
Author: kkolinko
Date: Mon Nov  9 13:39:59 2009
New Revision: 834059

URL: http://svn.apache.org/viewvc?rev=834059&view=rev
Log:
svn:eol-style

Modified:
tomcat/tc6.0.x/trunk/res/META-INF/jasper-jdt.jar.license   (contents, props 
changed)
tomcat/tc6.0.x/trunk/res/META-INF/jasper-jdt.jar.notice   (contents, props 
changed)

Modified: tomcat/tc6.0.x/trunk/res/META-INF/jasper-jdt.jar.license
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/res/META-INF/jasper-jdt.jar.license?rev=834059&r1=834058&r2=834059&view=diff
==
--- tomcat/tc6.0.x/trunk/res/META-INF/jasper-jdt.jar.license (original)
+++ tomcat/tc6.0.x/trunk/res/META-INF/jasper-jdt.jar.license Mon Nov  9 
13:39:59 2009
@@ -1,424 +1,424 @@
-
- Apache License
-   Version 2.0, January 2004
-http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-  "License" shall mean the terms and conditions for use, reproduction,
-  and distribution as defined by Sections 1 through 9 of this document.
-
-  "Licensor" shall mean the copyright owner or entity authorized by
-  the copyright owner that is granting the License.
-
-  "Legal Entity" shall mean the union of the acting entity and all
-  other entities that control, are controlled by, or are under common
-  control with that entity. For the purposes of this definition,
-  "control" means (i) the power, direct or indirect, to cause the
-  direction or management of such entity, whether by contract or
-  otherwise, or (ii) ownership of fifty percent (50%) or more of the
-  outstanding shares, or (iii) beneficial ownership of such entity.
-
-  "You" (or "Your") shall mean an individual or Legal Entity
-  exercising permissions granted by this License.
-
-  "Source" form shall mean the preferred form for making modifications,
-  including but not limited to software source code, documentation
-  source, and configuration files.
-
-  "Object" form shall mean any form resulting from mechanical
-  transformation or translation of a Source form, including but
-  not limited to compiled object code, generated documentation,
-  and conversions to other media types.
-
-  "Work" shall mean the work of authorship, whether in Source or
-  Object form, made available under the License, as indicated by a
-  copyright notice that is included in or attached to the work
-  (an example is provided in the Appendix below).
-
-  "Derivative Works" shall mean any work, whether in Source or Object
-  form, that is based on (or derived from) the Work and for which the
-  editorial revisions, annotations, elaborations, or other modifications
-  represent, as a whole, an original work of authorship. For the purposes
-  of this License, Derivative Works shall not include works that remain
-  separable from, or merely link (or bind by name) to the interfaces of,
-  the Work and Derivative Works thereof.
-
-  "Contribution" shall mean any work of authorship, including
-  the original version of the Work and any modifications or additions
-  to that Work or Derivative Works thereof, that is intentionally
-  submitted to Licensor for inclusion in the Work by the copyright owner
-  or by an individual or Legal Entity authorized to submit on behalf of
-  the copyright owner. For the purposes of this definition, "submitted"
-  means any form of electronic, verbal, or written communication sent
-  to the Licensor or its representatives, including but not limited to
-  communication on electronic mailing lists, source code control systems,
-  and issue tracking systems that are managed by, or on behalf of, the
-  Licensor for the purpose of discussing and improving the Work, but
-  excluding communication that is conspicuously marked or otherwise
-  designated in writing by the copyright owner as "Not a Contribution."
-
-  "Contributor" shall mean Licensor and any individual or Legal Entity
-  on behalf of whom a Contribution has been received by Licensor and
-  subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-  this License, each Contributor hereby grants to You a perpetual,
-  worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-  copyright license to reproduce, prepare Derivative Works of,
-  publicly display, publicly perform, sublicense, and distribute the
-  Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-  this License, each Contributor hereby grants to You a perpetual,
-  worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-

svn commit: r834061 - in /tomcat/site/trunk: docs/security-5.html docs/security-6.html xdocs/security-5.xml xdocs/security-6.xml

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 13:48:26 2009
New Revision: 834061

URL: http://svn.apache.org/viewvc?rev=834061&view=rev
Log:
Add CVE-2009-3548 info

Modified:
tomcat/site/trunk/docs/security-5.html
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/xdocs/security-5.xml
tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-5.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=834061&r1=834060&r2=834061&view=diff
==
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Mon Nov  9 13:48:26 2009
@@ -218,6 +218,50 @@
 
 
 
+
+Not fixed in Apache Tomcat 5.5.x
+
+
+
+
+
+
+
+
+  
+
+Note: It is expected that this issue will be fixed in 5.5.29 but the
+   patch has not yet received the necessary votes to be applied to the 
5.5.x
+   code base.
+
+   
+
+Low: Insecure default password
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548";>
+   CVE-2009-3548
+
+
+The Windows installer defaults to a blank password for the 
administrative
+   user. If this is not changed during the install process, then by default
+   a user is created with the name admin, roles admin and manager and a
+   blank password.
+
+Affects: 5.5.0-5.5.28
+
+  
+
+
+
+
+
+
+
+
+
+
+
+
+
 
 Fixed in Apache Tomcat 5.5.28
 
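Review bot: the new entry gives severity, description and affected versions but no mitigation, although the CVE-2009-3548 advisory sent the same day lists four (use the .zip or .tar.gz distribution, give the admin user a strong password in the installer, remove the admin user from tomcat-users.xml afterwards, or set a strong password in tomcat-users.xml afterwards). Because this section is titled "Not fixed in Apache Tomcat 5.5.x" and points users at a 5.5.29 that has not yet passed a vote, the mitigation text is the part a 5.5.0-5.5.28 user actually needs from this page; please add a "Mitigation:" line with those four options under the "Affects:" line.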

Modified: tomcat/site/trunk/docs/security-6.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=834061&r1=834060&r2=834061&view=diff
==
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Nov  9 13:48:26 2009
@@ -212,6 +212,50 @@
 
 
 
+
+Not fixed in Apache Tomcat 6.0.x
+
+
+
+
+
+
+
+
+  
+
+Note: It is expected that this issue will be fixed in 6.0.21 but the
+   patch has not yet received the necessary votes to be applied to the 
6.0.x
+   code base.
+
+   
+
+Low: Insecure default password
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548";>
+   CVE-2009-3548
+
+
+The Windows installer defaults to a blank password for the 
administrative
+   user. If this is not changed during the install process, then by default
+   a user is created with the name admin, roles admin and manager and a
+   blank password.
+
+Affects: 6.0.0-6.0.20
+
+  
+
+
+
+
+
+
+
+
+
+
+
+
+
 
 Fixed in Apache Tomcat 6.0.20
 

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=834061&r1=834060&r2=834061&view=diff
==
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Mon Nov  9 13:48:26 2009
@@ -28,6 +28,25 @@
 
   
 
+  
+  
+Note: It is expected that this issue will be fixed in 5.5.29 but the
+   patch has not yet received the necessary votes to be applied to the 
5.5.x
+   code base.
+   
+Low: Insecure default password
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548";>
+   CVE-2009-3548
+
+The Windows installer defaults to a blank password for the 
administrative
+   user. If this is not changed during the install process, then by default
+   a user is created with the name admin, roles admin and manager and a
+   blank password.
+
+Affects: 5.5.0-5.5.28
+
+  
+
   
 Important: Information Disclosure
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515";>

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=834061&r1=834060&r2=834061&view=diff
==
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon Nov  9 13:48:26 2009
@@ -22,6 +22,25 @@
 
   
 
+  
+  
+Note: It is expected that this issue will be fixed in 6.0.21 but the
+   patch has not yet received the necessary votes to be applied to the 
6.0.x
+   code base.
+   
+Low: Insecure default password
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548";>
+   CVE-2009-3548
+
+The Windows installer defaults to a blank password for the 
administrative
+   user. If this is not changed during the install process, then by default
+   a user is created with the name admin, roles admin and manager and a
+   blank password.
+
+Affects: 6.0.0-6.0.20
+
+  
+
   
 Note: These issues were fixed in Apache Tomcat 6.0.19 but the release
vote for that release candidate did not pass. Therefore, although users
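Review bot: the same paragraph now appears verbatim in four files (docs/security-5.html, docs/security-6.html, xdocs/security-5.xml, xdocs/security-6.xml), differing only in the version numbers, and the "has not yet received the necessary votes" sentence is a status note that will have to be changed again once 6.0.21 and 5.5.29 ship. If, as the parallel docs/ and xdocs/ changes suggest, the html is generated from the xdocs, make future wording changes (including any added mitigation line) in the two xdocs files only and regenerate, rather than hand-editing the html as well, otherwise the two copies will drift.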




[SECURITY] CVE-2009-3548 Apache Tomcat Windows Installer insecure default administrative password

2009-11-09 Thread Mark Thomas
CVE-2009-3548: Apache Tomcat Windows Installer insecure default
administrative password

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20

The unsupported Tomcat 3.x, 4.0.x, 4.1.x and 5.0.x versions may also be
affected.

Description:
The Windows installer defaults to a blank password for the
administrative user. If this is not changed during the install process,
then by default a user is created with the name admin, roles admin and
manager and a blank password.

Mitigation:
Users of all Tomcat versions may mitigate this issue by one of the
following methods:
- Using the .zip or .tar.gz distributions
- Specifying a strong password for the admin user when using the
  Windows installer
- Removing the admin user from the tomcat-users.xml file after the
  Windows installer has completed
- Editing the tomcat-users.xml file to provide the admin user with
  a strong password after the Windows installer has completed

A patch for this issue [1] has been applied to trunk and will be
included in the next releases of 6.0.x and 5.5.x

Credit:
This issue was reported directly [2] to the tomcat users public mailing
list by David Horheim.
Security researchers are reminded that undisclosed vulnerabilities in
Apache Tomcat should, in the first instance, be reported to the private
security mailing list. [3]

References:
[1] http://svn.apache.org/viewvc?view=revision&revision=834047
[2] http://markmail.org/thread/wfu4nff5chvkb6xp
[3] http://tomcat.apache.org/security.html

Mark Thomas



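The mitigation list above says to remove the installer-created admin user from tomcat-users.xml, or give it a strong password. The following is an added example, not part of the advisory or of Tomcat, that audits a Tomcat 5.5/6.0 tomcat-users.xml for exactly the CVE-2009-3548 condition (a user with an empty password, in particular one holding the admin and manager roles) and produces a copy with such users removed. The XML fragment inside it is constructed to resemble what the affected Windows installer writes when the password prompt is left blank; the `<user username= password= roles=/>` format is Tomcat's own, while the account names other than admin and the idea of pointing this at conf/tomcat-users.xml are assumptions.

```python
"""Audit of a Tomcat 5.5/6.0 tomcat-users.xml for the CVE-2009-3548 condition.

Added example, not part of the advisory or of the Tomcat code base.
The sample XML is constructed to resemble what the affected Windows installer
writes when the password prompt is left blank; user names other than
'admin' and the conf/tomcat-users.xml location are assumptions.
"""
import xml.etree.ElementTree as ET

# Roles the installer grants to the default user (from the advisory text).
PRIVILEGED_ROLES = {"admin", "manager"}

# Constructed sample input: the installer-created admin user with a blank
# password, plus two ordinary accounts.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <role rolename="app"/>
  <user username="admin" password="" roles="admin,manager"/>
  <user username="deploy" password="Xk7!pq2-rotated" roles="manager"/>
  <user username="alice" password="alice-pw" roles="app"/>
</tomcat-users>
"""


def parse_users(xml_text):
    """Return [(username, password, set_of_roles)] for every <user> element.
    Tomcat's MemoryUserDatabase accepts 'username' and the legacy 'name'."""
    root = ET.fromstring(xml_text)
    users = []
    for u in root.iter("user"):
        name = u.get("username") or u.get("name") or ""
        password = u.get("password") or ""
        roles = {r.strip() for r in (u.get("roles") or "").split(",") if r.strip()}
        users.append((name, password, roles))
    return users


def find_blank_password_users(xml_text):
    """Names of users whose password attribute is missing or empty."""
    return [name for name, pw, _ in parse_users(xml_text) if pw == ""]


def find_exposed_privileged_users(xml_text):
    """Blank-password users that also hold admin or manager roles: the exact
    account the installer creates when the password is left blank."""
    return [name for name, pw, roles in parse_users(xml_text)
            if pw == "" and roles & PRIVILEGED_ROLES]


def strip_blank_password_users(xml_text):
    """Serialise the file with every blank-password user removed, which is
    the advisory's 'remove the admin user from tomcat-users.xml' mitigation."""
    root = ET.fromstring(xml_text)
    for u in list(root.findall("user")):
        if (u.get("password") or "") == "":
            root.remove(u)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name in find_exposed_privileged_users(SAMPLE_TOMCAT_USERS):
        print(f"CVE-2009-3548 condition: user {name!r} has admin/manager roles "
              f"and a blank password")
    print(strip_blank_password_users(SAMPLE_TOMCAT_USERS))
```

Run it against a real conf/tomcat-users.xml by reading the file into a string and passing it to `find_exposed_privileged_users`; an empty result means no installer-style blank-password privileged account is present. The stripped output only removes blank-password users, so a user that has a weak but non-empty password still has to be dealt with by hand.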



svn commit: r834068 - /tomcat/tc5.5.x/trunk/STATUS.txt

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 14:01:25 2009
New Revision: 834068

URL: http://svn.apache.org/viewvc?rev=834068&view=rev
Log:
Proposal

Modified:
tomcat/tc5.5.x/trunk/STATUS.txt

Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=834068&r1=834067&r2=834068&view=diff
==
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Mon Nov  9 14:01:25 2009
@@ -181,3 +181,8 @@
   http://svn.apache.org/viewvc?rev=832351&view=rev
   +1: kkolinko
   -1:
+
+* Fix CVE-2009-3548 - Windows installer uses insecure default password
+  http://svn.apache.org/viewvc?rev=834047&view=rev
+  +1: markt
+  -1: 






svn commit: r834070 - /tomcat/tc6.0.x/trunk/STATUS.txt

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 14:01:46 2009
New Revision: 834070

URL: http://svn.apache.org/viewvc?rev=834070&view=rev
Log:
Proposal

Modified:
tomcat/tc6.0.x/trunk/STATUS.txt

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=834070&r1=834069&r2=834070&view=diff
==
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Mon Nov  9 14:01:46 2009
@@ -378,3 +378,8 @@
   https://issues.apache.org/bugzilla/show_bug.cgi?id=47495  
   +1: funkman, markt, jfclere
   -1:
+
+* Fix CVE-2009-3548 - Windows installer uses insecure default password
+  http://svn.apache.org/viewvc?rev=834047&view=rev
+  +1: markt
+  -1: 






DO NOT REPLY [Bug 48157] describe how to disable X-Header trick to attack client cert auth

2009-11-09 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=48157

--- Comment #5 from Mark Thomas  2009-11-09 06:08:15 GMT ---
My current understanding is that a filter/valve as proposed will do very little
to mitigate this attack as the SSL handshaking occurs at the JSSE level and is
simply not visible to the BIO & NIO connector code.




DO NOT REPLY [Bug 48158] warn that "per directory client certificate authentication" is harmful

2009-11-09 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=48158

--- Comment #3 from Mark Thomas  2009-11-09 06:15:15 GMT ---
(In reply to comment #2)
> Couldn't you make this an optional server.xml attribute
See the clientAuth connector attribute for options already available for
limiting server side re-negotiation.

> > We can't do anything to prevent client initiated renegotiation.
> Sure, but closing 2 out of 3 attack vectors is at least something, isn't it?
In this case, I don't think it is. However, the options are already in place if
you wish to use them.

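The clientAuth connector attribute that comment #3 points to is the setting that decides whether the server has to renegotiate to obtain a client certificate at all. Below is an added example, not from the bug report or from Tomcat, that checks a server.xml and a web.xml together for the combination the bug title warns about: web.xml declares CLIENT-CERT for a path while the TLS connector is left at clientAuth="false" (Tomcat's default) or "want", so the certificate has to be fetched by a server-initiated renegotiation when a protected resource is hit; a connector with clientAuth="true" requests it in the initial handshake instead. The sample server.xml carries the weak and the corrected connector side by side. Element and attribute names are Tomcat 6 / Servlet 2.5 ones; the ports, keystore paths and the sample webapp are constructed. As comment #3 also says, this only limits server-initiated renegotiation and does nothing about client-initiated renegotiation.

```python
"""Check for per-webapp CLIENT-CERT authentication on a connector that does
not require a client certificate up front (Bug 48158).

Added example, not from the bug report or from the Tomcat code base. The
server.xml and web.xml fragments are constructed; element and attribute
names are Tomcat 6 / Servlet 2.5, ports and keystore paths are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed server.xml: one TLS connector left at the default clientAuth,
# one with the corrected setting, and a plain HTTP connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Weak: the client certificate is only requested when a CLIENT-CERT
         protected resource is hit, i.e. by a server-initiated renegotiation. -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"/>
    <!-- Corrected: the certificate is required in the initial handshake. -->
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="true"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"
               truststoreFile="conf/truststore.jks" truststorePass="changeit"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed web.xml of a webapp that protects /admin/* with CLIENT-CERT.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>operator</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
</web-app>
"""


def _local(tag):
    """Drop the namespace from an ElementTree tag: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def ssl_connectors(server_xml):
    """Return [(port, clientAuth)] for every TLS connector. Tomcat treats a
    missing clientAuth attribute as "false"."""
    root = ET.fromstring(server_xml)
    found = []
    for c in root.iter("Connector"):
        tls = c.get("SSLEnabled", "false").lower() == "true" or c.get("scheme") == "https"
        if tls:
            found.append((c.get("port"), c.get("clientAuth", "false").lower()))
    return found


def uses_client_cert_auth(web_xml):
    """True if the web.xml declares <auth-method>CLIENT-CERT</auth-method>."""
    root = ET.fromstring(web_xml)
    return any(_local(el.tag) == "auth-method"
               and (el.text or "").strip().upper() == "CLIENT-CERT"
               for el in root.iter())


def audit(server_xml, web_xml):
    """Ports of TLS connectors that would have to renegotiate to get the
    client certificate for this webapp. Anything other than clientAuth="true"
    is reported: with "want" a client that sent no certificate in the first
    handshake still has to be asked again."""
    if not uses_client_cert_auth(web_xml):
        return []
    return [port for port, client_auth in ssl_connectors(server_xml)
            if client_auth != "true"]


if __name__ == "__main__":
    for port in audit(SAMPLE_SERVER_XML, SAMPLE_WEB_XML):
        print(f'connector on port {port}: CLIENT-CERT webapp but clientAuth is not '
              f'"true"; the certificate will be obtained by renegotiation')
```

Moving the CLIENT-CERT webapp onto a connector with clientAuth="true" (a separate port or virtual host for certificate-authenticated traffic) makes the finding go away; it is the per-directory style, where a single connector serves both anonymous and certificate-protected paths, that forces the mid-connection renegotiation.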



svn commit: r834078 - /tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java

2009-11-09 Thread kkolinko
Author: kkolinko
Date: Mon Nov  9 14:26:00 2009
New Revision: 834078

URL: http://svn.apache.org/viewvc?rev=834078&view=rev
Log:
Revert r.831830. A better patch for issue 48097 was proposed.

Modified:
tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java

Modified: tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java?rev=834078&r1=834077&r2=834078&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java Mon 
Nov  9 14:26:00 2009
@@ -89,8 +89,6 @@
 loader.loadClass
 (basePackage +
  "loader.WebappClassLoader$PrivilegedFindResource");
-loader.loadClass
-(basePackage + "loader.ResourceEntry");
 }
 
 






svn commit: r834080 - /tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java

2009-11-09 Thread kkolinko
Author: kkolinko
Date: Mon Nov  9 14:29:55 2009
New Revision: 834080

URL: http://svn.apache.org/viewvc?rev=834080&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48097
Patch by Mark Thomas.

Modified:
tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java

Modified: tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java?rev=834080&r1=834079&r2=834080&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java Mon Nov 
 9 14:29:55 2009
@@ -131,6 +131,23 @@
 
 }
 
+protected class PrivilegedFindResourceByName
+implements PrivilegedAction {
+
+protected String name;
+protected String path;
+
+PrivilegedFindResourceByName(String name, String path) {
+this.name = name;
+this.path = path;
+}
+
+public ResourceEntry run() {
+return findResourceInternal(name, path);
+}
+
+}
+
 
 protected final class PrivilegedGetClassLoader
 implements PrivilegedAction {
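Review bot: `PrivilegedFindResourceByName.run()` executes `findResourceInternal(name, path)` with the class loader's own (container) permissions rather than the calling webapp's, and at both call sites in this patch `name` and `path` are taken straight from the webapp's `getResource`/class-loading call. Please confirm that `findResourceInternal` already rejects names that would resolve outside the webapp's repositories, since wrapping it in `doPrivileged` means the SecurityManager no longer acts as a second check on that lookup. Minor: `name` and `path` are only assigned in the constructor and can be `final`.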
@@ -973,7 +990,13 @@
 
 ResourceEntry entry = resourceEntries.get(name);
 if (entry == null) {
-entry = findResourceInternal(name, name);
+if (securityManager != null) {
+PrivilegedAction dp =
+new PrivilegedFindResourceByName(name, name);
+entry = AccessController.doPrivileged(dp);
+} else {
+entry = findResourceInternal(name, name);
+}
 }
 if (entry != null) {
 url = entry.source;
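Review bot: the `if (securityManager != null) { ... AccessController.doPrivileged(dp); } else { entry = findResourceInternal(...); }` block is repeated verbatim here and in the next hunk (the `name, classPath` lookup that throws `ClassNotFoundException`), differing only in the second argument. A small private helper such as `findResourceEntry(String name, String path)` that hides the SecurityManager check would keep the two call sites identical and make it harder for a future third caller to call `findResourceInternal` directly and bypass the privileged path.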
@@ -1874,7 +1897,13 @@
 
 ResourceEntry entry = null;
 
-entry = findResourceInternal(name, classPath);
+if (securityManager != null) {
+PrivilegedAction dp =
+new PrivilegedFindResourceByName(name, classPath);
+entry = AccessController.doPrivileged(dp);
+} else {
+entry = findResourceInternal(name, classPath);
+}
 
 if (entry == null)
 throw new ClassNotFoundException(name);






DO NOT REPLY [Bug 47330] proposal : port of mod_remoteip in Tomcat as RemoteIpValve

2009-11-09 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=47330

--- Comment #12 from Mark Thomas  2009-11-09 06:31:33 GMT ---
Patch applied. Many thanks.




svn commit: r834081 - /tomcat/trunk/java/org/apache/catalina/filters/RemoteIpFilter.java

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 14:31:40 2009
New Revision: 834081

URL: http://svn.apache.org/viewvc?rev=834081&view=rev
Log:
Patch provided by Cyrille Le Clerc
* fix NPE in log statement if protocolHeader has not been defined and the 
servlet container does not support request.getHeader(null)
* fix mismatch between javadoc  and code for filter parameter name 
"allowedInternalProxies" -> "internalProxies"
* finish javadoc refactoring "XForwardedFilter" -> "RemoteIpFilter"
Also fix some Eclipse warnings

Modified:
tomcat/trunk/java/org/apache/catalina/filters/RemoteIpFilter.java

Modified: tomcat/trunk/java/org/apache/catalina/filters/RemoteIpFilter.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/RemoteIpFilter.java?rev=834081&r1=834080&r2=834081&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/filters/RemoteIpFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/RemoteIpFilter.java Mon Nov  
9 14:31:40 2009
@@ -156,8 +156,8 @@
  * 
  * 
  * 
- *XForwardedFilter
- *
fr.xebia.servlet.filter.XForwardedFilter
+ *RemoteIpFilter
+ *
org.apache.catalina.filters.RemoteIpFilter
  *
  *   
internalProxies192\.168\.0\.10,
 192\.168\.0\.11
  *
@@ -173,7 +173,7 @@
  * 
  * 
  * 
- *XForwardedFilter
+ *RemoteIpFilter
  */*
  *REQUEST
  * 
@@ -182,8 +182,8 @@
  * 
  * 
  * property
- * Value Before XForwardedFilter
- * Value After XForwardedFilter
+ * Value Before RemoteIpFilter
+ * Value After RemoteIpFilter
  * 
  * 
  * request.remoteAddr
@@ -229,12 +229,12 @@
  * Sample with trusted proxies
  * 
  * 
- * XForwardedFilter configuration:
+ * RemoteIpFilter configuration:
  * 
  * 
  * 
- *XForwardedFilter
- *
fr.xebia.servlet.filter.XForwardedFilter
+ *RemoteIpFilter
+ *
org.apache.catalina.filters.RemoteIpFilter
  *
  *   
internalProxies192\.168\.0\.10,
 192\.168\.0\.11
  *
@@ -250,7 +250,7 @@
  * 
  * 
  * 
- *XForwardedFilter
+ *RemoteIpFilter
  */*
  *REQUEST
  * 
@@ -259,8 +259,8 @@
  * 
  * 
  * property
- * Value Before XForwardedFilter
- * Value After XForwardedFilter
+ * Value Before RemoteIpFilter
+ * Value After RemoteIpFilter
  * 
  * 
  * request.remoteAddr
@@ -286,12 +286,12 @@
  * Sample with internal and trusted proxies
  * 
  * 
- * XForwardedFilter configuration:
+ * RemoteIpFilter configuration:
  * 
  * 
  * 
- *XForwardedFilter
- *
fr.xebia.servlet.filter.XForwardedFilter
+ *RemoteIpFilter
+ *
org.apache.catalina.filters.RemoteIpFilter
  *
  *   
internalProxies192\.168\.0\.10,
 192\.168\.0\.11
  *
@@ -307,7 +307,7 @@
  * 
  * 
  * 
- *XForwardedFilter
+ *RemoteIpFilter
  */*
  *REQUEST
  * 
@@ -316,8 +316,8 @@
  * 
  * 
  * property
- * Value Before XForwardedFilter
- * Value After XForwardedFilter
+ * Value Before RemoteIpFilter
+ * Value After RemoteIpFilter
  * 
  * 
  * request.remoteAddr
@@ -344,12 +344,12 @@
  * Sample with an untrusted proxy
  * 
  * 
- * XForwardedFilter configuration:
+ * RemoteIpFilter configuration:
  * 
  * 
  * 
- *XForwardedFilter
- *
fr.xebia.servlet.filter.XForwardedFilter
+ *RemoteIpFilter
+ *
org.apache.catalina.filters.RemoteIpFilter
  *
  *   
internalProxies192\.168\.0\.10,
 192\.168\.0\.11
  *
@@ -365,7 +365,7 @@
  * 
  * 
  * 
- *XForwardedFilter
+ *RemoteIpFilter
  */*
  *REQUEST
  * 
@@ -374,8 +374,8 @@
  * 
  * 
  * property
- * Value Before XForwardedFilter
- * Value After XForwardedFilt

svn commit: r834082 - /tomcat/trunk/java/org/apache/catalina/filters/RequestFilter.java

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 14:33:03 2009
New Revision: 834082

URL: http://svn.apache.org/viewvc?rev=834082&view=rev
Log:
Remove unnecessary code

Modified:
tomcat/trunk/java/org/apache/catalina/filters/RequestFilter.java

Modified: tomcat/trunk/java/org/apache/catalina/filters/RequestFilter.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/RequestFilter.java?rev=834082&r1=834081&r2=834082&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/filters/RequestFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/RequestFilter.java Mon Nov  9 
14:33:03 2009
@@ -33,7 +33,6 @@
 import org.apache.catalina.comet.CometEvent;
 import org.apache.catalina.comet.CometFilter;
 import org.apache.catalina.comet.CometFilterChain;
-import org.apache.tomcat.util.res.StringManager;
 
 /**
  * Implementation of a Filter that performs filtering based on comparing the
@@ -73,16 +72,6 @@
 extends FilterBase implements CometFilter {
 
 
-// - Class Variables
-
-
-/**
- * The StringManager for this package.
- */
-protected static StringManager sm =
-StringManager.getManager(Constants.Package);
-
-
 // - Instance Variables
 
 /**
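Review bot: the removed `sm` field was `protected static`, so it was visible to every subclass of `RequestFilter`, not just to this class; "unnecessary" here only means unused within RequestFilter itself. Before committing, check the subclasses for references to the inherited `sm`, and whether `FilterBase` (which RequestFilter extends) already provides an equivalent `StringManager` they can use, otherwise this compiles here and breaks them.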






svn commit: r834084 - in /tomcat: tc5.5.x/trunk/STATUS.txt tc6.0.x/trunk/STATUS.txt

2009-11-09 Thread kkolinko
Author: kkolinko
Date: Mon Nov  9 14:41:35 2009
New Revision: 834084

URL: http://svn.apache.org/viewvc?rev=834084&view=rev
Log:
Revoke patch that has concerns. Vote for the alternative one.

Modified:
tomcat/tc5.5.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/STATUS.txt

Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=834084&r1=834083&r2=834084&view=diff
==
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Mon Nov  9 14:41:35 2009
@@ -159,8 +159,8 @@
   +1: kkolinko
   -1:
 
-  2) Patch for SecurityClassLoad to preload o.a.c.loader.ResourceEntry class
-  http://svn.apache.org/viewvc?rev=831830&view=rev
+  2) Add a new PrivilegedAction. Patch by markt
+  http://svn.apache.org/viewvc?rev=834080&view=rev
   +1: kkolinko
   -1:
 

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=834084&r1=834083&r2=834084&view=diff
==
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Mon Nov  9 14:41:35 2009
@@ -196,18 +196,13 @@
   -1:
 
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48097
-  Patch for SecurityClassLoad to preload o.a.c.loader.ResourceEntry class
-  http://svn.apache.org/viewvc?rev=831830&view=rev
-  +1: kkolinko
-  -0: billbarker Exposing ResourceEntry is harmless enough, but 
WebappClassLoader should 
-  really be using it's PrivilegedFindResource class in this case instead. 
-  After all, that is what it is there for.
-  -1:
   Alternative patch that adds a new PrivilegedAction. The test case provided
   passes with this patch
   http://people.apache.org/~markt/patches/2009-11-06-bug48097-alt.patch
-  +1: markt, funkman, billbarker
+  +1: markt, funkman, billbarker, kkolinko
   -1: 
+  kkolinko: Confirming that testcase passes. Applied to trunk as
+http://svn.apache.org/viewvc?rev=834080&view=rev
 
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47893
   Use StringBuilder instead of StringBuffer






svn commit: r834096 - /tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java

2009-11-09 Thread kkolinko
Author: kkolinko
Date: Mon Nov  9 15:04:07 2009
New Revision: 834096

URL: http://svn.apache.org/viewvc?rev=834096&view=rev
Log:
With rev.834080 WebappClassLoader#findResourceInternal(String,String) is always 
called with AccessController.doPrivileged(), thus there is no need to wrap 
#findResourceInternal(File,String) call that is inside it.

Modified:
tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java

Modified: tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java?rev=834096&r1=834095&r2=834096&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java Mon Nov 
 9 15:04:07 2009
@@ -1989,8 +1989,7 @@
 }
 
 /**
- * Find specified resource in local repositories. This block
- * will execute under an AccessControl.doPrivilege block.
+ * Find specified resource in local repositories.
  *
  * @return the loaded resource, or null if the resource isn't found
  */
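Review bot: the Javadoc now drops the privilege note entirely, but the method still depends on its callers wrapping it in `AccessController.doPrivileged` (per the log, rev 834080); state that contract in the Javadoc, e.g. "Callers must invoke this under doPrivileged when a SecurityManager is present", so a future direct caller does not reintroduce an unprivileged path.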
@@ -2049,13 +2048,7 @@
 
 // Note : Not getting an exception here means the resource was
 // found
- if (securityManager != null) {
-PrivilegedAction dp =
-new PrivilegedFindResource(files[i], path);
-entry = AccessController.doPrivileged(dp);
- } else {
-entry = findResourceInternal(files[i], path);
- }
+entry = findResourceInternal(files[i], path);
 
 ResourceAttributes attributes =
 (ResourceAttributes) resources.getAttributes(fullPath);
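Review bot: dropping the `doPrivileged` wrapper around `findResourceInternal(files[i], path)` is only safe while every caller of `findResourceInternal(String,String)` already runs inside a privileged block; a regression test that exercises resource lookup under a SecurityManager with the webapp's restricted policy (the bug 48097 test case referenced in STATUS.txt) would guard that invariant, since a violation surfaces only as a runtime AccessControlException, not as a compile error.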






svn commit: r834099 - in /tomcat/trunk/java/org/apache/catalina: loader/WebappClassLoader.java security/SecurityClassLoad.java

2009-11-09 Thread kkolinko
Author: kkolinko
Date: Mon Nov  9 15:08:50 2009
New Revision: 834099

URL: http://svn.apache.org/viewvc?rev=834099&view=rev
Log:
Remove unused inner class

Modified:
tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java

Modified: tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java?rev=834099&r1=834098&r2=834099&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java Mon Nov 
 9 15:08:50 2009
@@ -114,23 +114,6 @@
 public static final boolean ENABLE_CLEAR_REFERENCES = 
 
Boolean.valueOf(System.getProperty("org.apache.catalina.loader.WebappClassLoader.ENABLE_CLEAR_REFERENCES",
 "true")).booleanValue();
 
-protected class PrivilegedFindResource
-implements PrivilegedAction {
-
-protected File file;
-protected String path;
-
-PrivilegedFindResource(File file, String path) {
-this.file = file;
-this.path = path;
-}
-
-public ResourceEntry run() {
-return findResourceInternal(file, path);
-}
-
-}
-
 protected class PrivilegedFindResourceByName
 implements PrivilegedAction {
 
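Review bot: the remaining `PrivilegedFindResourceByName implements PrivilegedAction` still uses the raw type; while this area is being cleaned up, parameterise it as `PrivilegedAction<ResourceEntry>` so `AccessController.doPrivileged` returns a typed value and no unchecked cast is needed at the call site.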

Modified: tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java?rev=834099&r1=834098&r2=834099&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java Mon 
Nov  9 15:08:50 2009
@@ -88,7 +88,7 @@
 String basePackage = "org.apache.catalina.";
 loader.loadClass
 (basePackage +
- "loader.WebappClassLoader$PrivilegedFindResource");
+ "loader.WebappClassLoader$PrivilegedFindResourceByName");
 }
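Review bot: the preload list names the inner class as a string literal, so if `PrivilegedFindResourceByName` is ever renamed or removed (as `PrivilegedFindResource` just was) the mismatch only shows up at startup as a ClassNotFoundException under a SecurityManager; a comment on the inner class in WebappClassLoader pointing back to SecurityClassLoad would keep the two in sync.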
 
 






Re: SSL & Tomcat

2009-11-09 Thread Rainer Jung
On 09.11.2009 11:56, Mark Thomas wrote:
> Summarising the information gathered so far from various channels
> (thanks to Bill B., Bill W. & Rainer who have done most of the actual
> work to find the info below).
> 
> BIO/NIO connectors using JSSE.
> Vulnerable when renegotiation is triggered by the client or server.
> We could prevent server initiated renegotiation (and probably break the
> majority of configurations using CLIENT-CERT).
> We can't do anything to prevent client initiated renegotiation.
> 
> APR/native connector using OpenSSL
> It is vulnerable when renegotiation is triggered by the client or by the
> server.
> Client triggered negotiation is supported.
> Server triggered negotiation will be supported from 1.1.17 onwards.
> 
> OpenSSL 0.9.8l disables negotiation by default
> 
> 
> In terms of what this means for users:
> 
> BIO/NIO
> - There isn't anything we can do in Tomcat to stop client
>   initiated renegotiation so it is a case of waiting for the JVM
>   vendors to respond.
> 
> APR/native
> - Re-building their current version with 0.9.8l will protect
>   users at the risk of breaking any configurations that
>   require renegotiation.
> - We can release 1.1.17 with the binaries built with 0.9.8l. This
>   will also protect users at the risk of breaking any
>   configurations that require renegotiation. Mladen is doing this
>   now.
> - Supporting renegotiation whilst avoiding the vulnerability will
>   require a protocol fix. In the meantime, we could port port
>   r833582 from httpd which would disable client triggered
>   renegotiation for OpenSSL < 0.9.8l (which may help some users
>   who can't easily change their OpenSSl version and release 1.1.18
>   with this fix
> - Once the protocol is fixed, release 1.1.next bundled with the
>   appropriate version of OpenSSL
> 
> 
> Have I got my facts right above? If so, any objections to posting the
> above to the users@ and announce@ lists along with adding something to
> the security pages?

+1, everything seems right to me and ready for notice to the users.




DO NOT REPLY [Bug 48158] warn that "per directory client certificate authentication" is harmful

2009-11-09 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=48158

Luciana Moreira  changed:

   What|Removed |Added

 CC||more...@privasphere.com

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.




DO NOT REPLY [Bug 48157] describe how to disable X-Header trick to attack client cert auth

2009-11-09 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=48157

Luciana Moreira  changed:

   What|Removed |Added

 CC||more...@privasphere.com




Re: SSL & Tomcat

2009-11-09 Thread Konstantin Kolinko
2009/11/9 Mark Thomas :
> Summarising the information gathered so far from various channels
> (thanks to Bill B., Bill W. & Rainer who have done most of the actual
> work to find the info below).
>
> BIO/NIO connectors using JSSE.
> Vulnerable when renegotiation is triggered by the client or server.
> We could prevent server initiated renegotiation (and probably break the
> majority of configurations using CLIENT-CERT).
> We can't do anything to prevent client initiated renegotiation.
>
> APR/native connector using OpenSSL
> It is vulnerable when renegotiation is triggered by the client or by the
> server.
> Client triggered negotiation is supported.
> Server triggered negotiation will be supported from 1.1.17 onwards.
>
> OpenSSL 0.9.8l disables negotiation by default
>
>
> In terms of what this means for users:
>
> BIO/NIO
> - There isn't anything we can do in Tomcat to stop client
>  initiated renegotiation so it is a case of waiting for the JVM
>  vendors to respond.
>
> APR/native
> - Re-building their current version with 0.9.8l will protect
>  users at the risk of breaking any configurations that
>  require renegotiation.
> - We can release 1.1.17 with the binaries built with 0.9.8l. This
>  will also protect users at the risk of breaking any
>  configurations that require renegotiation. Mladen is doing this
>  now.
> - Supporting renegotiation whilst avoiding the vulnerability will
>  require a protocol fix. In the meantime, we could port port
>  r833582 from httpd which would disable client triggered
>  renegotiation for OpenSSL < 0.9.8l (which may help some users
>  who can't easily change their OpenSSl version and release 1.1.18
>  with this fix
> - Once the protocol is fixed, release 1.1.next bundled with the
>  appropriate version of OpenSSL
>
>
> Have I got my facts right above? If so, any objections to posting the
> above to the users@ and announce@ lists along with adding something to
> the security pages?
>
> Mark
>

+1

s/negotiation/renegotiation/
s/port port/port/

A question:
My understanding of renegotiation is that it changes the SSL session. Is
it possible to observe changes in the value of the SSL sessionId? I doubt
so, but maybe?
We read that value once and provide it to our users as
"javax.servlet.request.ssl_session" request attribute.

Regarding valves (as mentioned in issue 48157):
I understand that that is not sufficient, but if anyone wants to
check against malformed headers, they can do so.

Best regards,
Konstantin Kolinko




Re: SSL & Tomcat

2009-11-09 Thread Mark Thomas
Konstantin Kolinko wrote:
> 2009/11/9 Mark Thomas :
>> Summarising the information gathered so far from various channels
>> (thanks to Bill B., Bill W. & Rainer who have done most of the actual
>> work to find the info below).
>>
>> BIO/NIO connectors using JSSE.
>> Vulnerable when renegotiation is triggered by the client or server.
>> We could prevent server initiated renegotiation (and probably break the
>> majority of configurations using CLIENT-CERT).
>> We can't do anything to prevent client initiated renegotiation.
>>
>> APR/native connector using OpenSSL
>> It is vulnerable when renegotiation is triggered by the client or by the
>> server.
>> Client triggered negotiation is supported.
>> Server triggered negotiation will be supported from 1.1.17 onwards.
>>
>> OpenSSL 0.9.8l disables negotiation by default
>>
>>
>> In terms of what this means for users:
>>
>> BIO/NIO
>> - There isn't anything we can do in Tomcat to stop client
>>  initiated renegotiation so it is a case of waiting for the JVM
>>  vendors to respond.
>>
>> APR/native
>> - Re-building their current version with 0.9.8l will protect
>>  users at the risk of breaking any configurations that
>>  require renegotiation.
>> - We can release 1.1.17 with the binaries built with 0.9.8l. This
>>  will also protect users at the risk of breaking any
>>  configurations that require renegotiation. Mladen is doing this
>>  now.
>> - Supporting renegotiation whilst avoiding the vulnerability will
>>  require a protocol fix. In the meantime, we could port port
>>  r833582 from httpd which would disable client triggered
>>  renegotiation for OpenSSL < 0.9.8l (which may help some users
>>  who can't easily change their OpenSSl version and release 1.1.18
>>  with this fix
>> - Once the protocol is fixed, release 1.1.next bundled with the
>>  appropriate version of OpenSSL
>>
>>
>> Have I got my facts right above? If so, any objections to posting the
>> above to the users@ and announce@ lists along with adding something to
>> the security pages?
>>
>> Mark
>>
> 
> +1
> 
> s/negotiation/renegotiation/
> s/port port/port/

Noted. I'll get the notice out.

> A question:
> My understanding of renegotiation is that it changes SSL session. Is
> it possible to observe changes in the value of SSL sessionId?  I doubt
> so, but may be?
> We read that value once and provide it to our users as
> "javax.servlet.request.ssl_session" request attribute.

Hmm. Interesting. I need to do some testing :)

I'll add something along the lines of "We are currently evaluating a
number of possible work-arounds prior to a protocol fix becoming
available. Discussion is happening on the dev list and any significant
developments will be posted to the users@ and announce@ mailing lists."

Mark






[SECURITY] CVE-2009-3555 SSL Man-In-The-Middle attack

2009-11-09 Thread Mark Thomas

A vulnerability in the TLS protocol has recently been made public [1]
that allows an attacker to inject arbitrary requests into a TLS stream.

The current understanding of the Tomcat developers is as follows:

BIO & NIO connectors using JSSE
These connectors are vulnerable when renegotiation is triggered by the
client or the server.
Server initiated re-negotiation can be limited by configuration
Server initiated re-negotiation could be prevented by a code change
Client initiated re-negotiation can not currently be prevented

APR/Native connector using OpenSSL
Vulnerable when renegotiation is triggered by the client or the server.
Server initiated re-negotiation is not supported prior to 1.1.17
Client initiated re-negotiation is supported but can not be prevented

OpenSSL 0.9.8l disables all negotiation by default


In terms of what this means for users:

BIO/NIO
- We haven't yet (we are still looking) found a way to stop client
  initiated renegotiation. It may be necessary to wait for the JVM
  vendors to respond.

APR/native
- Re-building any version of the APR/native connector with OpenSSL
  0.9.8l will protect against this vulnerability but any configurations
  that require renegotiation will break.
- Version 1.1.17 of the APR/native connector will be released shortly.
  The binary versions will be built with OpenSSL 0.9.8l which will
  protect against this vulnerability but configurations that require
  renegotiation will break.

Supporting renegotiation whilst avoiding the vulnerability requires a
protocol fix. The Tomcat development team is examining possible
work-arounds that may provide an interim solution. These options include
porting r833582 from httpd to the APR/native connector which would
disable client triggered renegotiation for OpenSSL < 0.9.8l which may
help some users who can't easily change their OpenSSL version.

If you would like to join/follow the work-around discussions, please
join the Tomcat dev mailing list. Any significant developments in this
area will be posted to the Tomcat announce@ and users@ mailing lists.

Mark

[1] http://extendedsubset.com/?p=8






Re: SSL & Tomcat

2009-11-09 Thread Rainer Jung
On 09.11.2009 17:16, Mark Thomas wrote:
> Konstantin Kolinko wrote:
>> 2009/11/9 Mark Thomas :
>>> Summarising the information gathered so far from various channels
>>> (thanks to Bill B., Bill W. & Rainer who have done most of the actual
>>> work to find the info below).
>>>
>>> BIO/NIO connectors using JSSE.
>>> Vulnerable when renegotiation is triggered by the client or server.
>>> We could prevent server initiated renegotiation (and probably break the
>>> majority of configurations using CLIENT-CERT).
>>> We can't do anything to prevent client initiated renegotiation.
>>>
>>> APR/native connector using OpenSSL
>>> It is vulnerable when renegotiation is triggered by the client or by the
>>> server.
>>> Client triggered negotiation is supported.
>>> Server triggered negotiation will be supported from 1.1.17 onwards.
>>>
>>> OpenSSL 0.9.8l disables negotiation by default
>>>
>>>
>>> In terms of what this means for users:
>>>
>>> BIO/NIO
>>> - There isn't anything we can do in Tomcat to stop client
>>>  initiated renegotiation so it is a case of waiting for the JVM
>>>  vendors to respond.
>>>
>>> APR/native
>>> - Re-building their current version with 0.9.8l will protect
>>>  users at the risk of breaking any configurations that
>>>  require renegotiation.
>>> - We can release 1.1.17 with the binaries built with 0.9.8l. This
>>>  will also protect users at the risk of breaking any
>>>  configurations that require renegotiation. Mladen is doing this
>>>  now.
>>> - Supporting renegotiation whilst avoiding the vulnerability will
>>>  require a protocol fix. In the meantime, we could port port
>>>  r833582 from httpd which would disable client triggered
>>>  renegotiation for OpenSSL < 0.9.8l (which may help some users
>>>  who can't easily change their OpenSSl version and release 1.1.18
>>>  with this fix
>>> - Once the protocol is fixed, release 1.1.next bundled with the
>>>  appropriate version of OpenSSL
>>>
>>>
>>> Have I got my facts right above? If so, any objections to posting the
>>> above to the users@ and announce@ lists along with adding something to
>>> the security pages?
>>>
>>> Mark
>>>
>>
>> +1
>>
>> s/negotiation/renegotiation/
>> s/port port/port/
> 
> Noted. I'll get the notice out.
> 
>> A question:
>> My understanding of renegotiation is that it changes SSL session. Is
>> it possible to observe changes in the value of SSL sessionId?  I doubt
>> so, but may be?
>> We read that value once and provide it to our users as
>> "javax.servlet.request.ssl_session" request attribute.
> 
> Hmm. Interesting. I need to do some testing :)

Yes, using the naive openssl test with s_client and the "R" command, the
session id changes.

In order to find out whether this is optional behaviour or will always
happen, I guess we would need to ask on the openssl dev list, which I
will do in a minute :)

> I'll add something along the lines of "We are currently evaluating a
> number of possible work-arounds prior to a protocol fix becoming
> available. Discussion is happening on the dev list and any significant
> developments will be posted to the users@ and announce@ mailing lists.

+1




Re: SSL & Tomcat

2009-11-09 Thread Costin Manolache
On Mon, Nov 9, 2009 at 8:04 AM, Konstantin Kolinko
wrote:

> 2009/11/9 Mark Thomas :
> > Summarising the information gathered so far from various channels
> > (thanks to Bill B., Bill W. & Rainer who have done most of the actual
> > work to find the info below).
> >
> > BIO/NIO connectors using JSSE.
> > Vulnerable when renegotiation is triggered by the client or server.
> > We could prevent server initiated renegotiation (and probably break the
> > majority of configurations using CLIENT-CERT).
> > We can't do anything to prevent client initiated renegotiation.
> >
> > APR/native connector using OpenSSL
> > It is vulnerable when renegotiation is triggered by the client or by the
> > server.
> > Client triggered negotiation is supported.
> > Server triggered negotiation will be supported from 1.1.17 onwards.
> >
> > OpenSSL 0.9.8l disables negotiation by default
> >
> >
> > In terms of what this means for users:
> >
> > BIO/NIO
> > - There isn't anything we can do in Tomcat to stop client
> >  initiated renegotiation so it is a case of waiting for the JVM
> >  vendors to respond.
> >
> > APR/native
> > - Re-building their current version with 0.9.8l will protect
> >  users at the risk of breaking any configurations that
> >  require renegotiation.
> > - We can release 1.1.17 with the binaries built with 0.9.8l. This
> >  will also protect users at the risk of breaking any
> >  configurations that require renegotiation. Mladen is doing this
> >  now.
> > - Supporting renegotiation whilst avoiding the vulnerability will
> >  require a protocol fix. In the meantime, we could port port
> >  r833582 from httpd which would disable client triggered
> >  renegotiation for OpenSSL < 0.9.8l (which may help some users
> >  who can't easily change their OpenSSl version and release 1.1.18
> >  with this fix
> > - Once the protocol is fixed, release 1.1.next bundled with the
> >  appropriate version of OpenSSL
> >
> >
> > Have I got my facts right above? If so, any objections to posting the
> > above to the users@ and announce@ lists along with adding something to
> > the security pages?
> >
> > Mark
> >
>
> +1
>
> s/negotiation/renegotiation/
> s/port port/port/
>
> A question:
> My understanding of renegotiation is that it changes SSL session. Is
> it possible to observe changes in the value of SSL sessionId?  I doubt
> so, but may be?
>

AFAIK you can reuse the session ID across negotiations (it's a nice
optimization BTW, too bad we're not using it, it can speed up SSL
connections a lot). I'm not sure if it changes within a renegotiation,
but AFAIK when you start any negotiation you can specify you want to
reuse the old session id. But if I understand the exploit correctly,
they would want a different cipher, and if you reuse the session you
reuse the old one.


Maybe we can modify JSSESupport.Listener to break the connection if
handshakeCompleted is called more than once in a connection? That is
besides disabling server-initiated handshakes.

Costin



> We read that value once and provide it to our users as
> "javax.servlet.request.ssl_session" request attribute.
>
> Regarding valves (as mentioned in issue 48157):
> I understand, that that is not sufficient, but if anyone wants to
> check against malformed headers, they can do so.
>
> Best regards,
> Konstantin Kolinko
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
>

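Costin's suggestion above, worked as an added example that is not Tomcat's JSSESupport code: a per-connection javax.net.ssl.HandshakeCompletedListener that remembers the first session id and closes the socket as soon as a second handshake completes on the same connection, so nothing received after a renegotiation can be appended to a request that began before it. The class name SingleHandshakeListener and the attach() helper are my own; as the thread notes, this also breaks any configuration that relies on renegotiation (for example CLIENT-CERT after the initial handshake).

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLSocket;

/**
 * Added example (not Tomcat code). One instance is attached to each accepted
 * SSLSocket before its first handshake. The first completed handshake is
 * accepted; any later completion on the same socket means a renegotiation
 * (client or server triggered) and the connection is torn down.
 */
public class SingleHandshakeListener implements HandshakeCompletedListener {

    /** Number of completed handshakes seen on this one connection. */
    private final AtomicInteger completed = new AtomicInteger();

    /** Session id observed at the first handshake, kept for diagnostics. */
    private volatile byte[] firstSessionId;

    /** Attach a fresh listener to an accepted socket before its first handshake. */
    public static SingleHandshakeListener attach(SSLSocket socket) {
        SingleHandshakeListener listener = new SingleHandshakeListener();
        socket.addHandshakeCompletedListener(listener);
        return listener;
    }

    @Override
    public void handshakeCompleted(HandshakeCompletedEvent event) {
        int count = completed.incrementAndGet();
        byte[] sessionId = event.getSession().getId();

        if (count == 1) {
            // Initial handshake: this is the session the request attributes
            // (e.g. javax.servlet.request.ssl_session) will be read from.
            firstSessionId = sessionId;
            return;
        }

        // Second or later completion: a renegotiation happened on this
        // connection. Record whether the session id changed (the question
        // raised in the thread) and drop the connection before any further
        // application data is read from it.
        SSLSocket socket = event.getSocket();
        boolean sessionChanged = !Arrays.equals(firstSessionId, sessionId);
        System.err.println("Renegotiation detected from "
                + socket.getRemoteSocketAddress()
                + " (handshake #" + count
                + ", session id changed: " + sessionChanged + "); closing");
        try {
            socket.close();
        } catch (IOException e) {
            // The socket is being discarded anyway; nothing further to do.
        }
    }

    /** Handshakes completed so far on this connection. */
    public int handshakeCount() {
        return completed.get();
    }
}
```

The listener only observes completed handshakes, so it cannot stop the renegotiation itself; its value is that the connection never gets to deliver post-renegotiation bytes to the request parser.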

svn commit: r834220 - in /tomcat/trunk/java/org/apache/catalina: core/ApplicationContext.java core/StandardContext.java ha/context/ReplicatedContext.java startup/DefaultJarScanner.java

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 20:43:47 2009
New Revision: 834220

URL: http://svn.apache.org/viewvc?rev=834220&view=rev
Log:
The assumption that contexts will always be file system based or that resources 
will always be extracted to the work does not hold true, particularly for 
custom DirContext implementations. Don't make the assumption and clean-up up 
the redundant field that is no longer required.

Modified:
tomcat/trunk/java/org/apache/catalina/core/ApplicationContext.java
tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
tomcat/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java
tomcat/trunk/java/org/apache/catalina/startup/DefaultJarScanner.java

Modified: tomcat/trunk/java/org/apache/catalina/core/ApplicationContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/ApplicationContext.java?rev=834220&r1=834219&r2=834220&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/core/ApplicationContext.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/core/ApplicationContext.java Mon Nov  
9 20:43:47 2009
@@ -19,7 +19,6 @@
 package org.apache.catalina.core;
 
 
-import java.io.File;
 import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
@@ -90,10 +89,9 @@
  *
  * @param context The associated Context instance
  */
-public ApplicationContext(String basePath, StandardContext context) {
+public ApplicationContext(StandardContext context) {
 super();
 this.context = context;
-this.basePath = basePath;
 
 // Populate session tracking modes
 populateSessionTrackingModes();
@@ -158,12 +156,6 @@
 
 
 /**
- * Base path.
- */
-private String basePath = null;
-
-
-/**
  * Thread local data used during request dispatch.
  */
 private ThreadLocal dispatchData =
@@ -492,37 +484,21 @@
 throw new 
MalformedURLException(sm.getString("applicationContext.requestDispatcher.iae", 
path));
 
 
-path = RequestUtil.normalize(path);
-if (path == null)
+String normPath = RequestUtil.normalize(path);
+if (normPath == null)
 return (null);
 
-String libPath = "/WEB-INF/lib/";
-if ((path.startsWith(libPath)) && (path.endsWith(".jar"))) {
-File jarFile = null;
-if (context.isFilesystemBased()) {
-jarFile = new File(basePath, path);
-} else {
-jarFile = new File(context.getWorkPath(), path);
-}
-if (jarFile.exists()) {
-return jarFile.toURI().toURL();
-} else {
-return null;
-}
-} else {
-
-DirContext resources = context.getResources();
-if (resources != null) {
-String fullPath = context.getName() + path;
-String hostName = context.getParent().getName();
-try {
-resources.lookup(path);
-return new URL
-("jndi", "", 0, getJNDIUri(hostName, fullPath),
- new DirContextURLStreamHandler(resources));
-} catch (Exception e) {
-// Ignore
-}
+DirContext resources = context.getResources();
+if (resources != null) {
+String fullPath = context.getName() + normPath;
+String hostName = context.getParent().getName();
+try {
+resources.lookup(path);
+return new URL
+("jndi", "", 0, getJNDIUri(hostName, fullPath),
+ new DirContextURLStreamHandler(resources));
+} catch (Exception e) {
+// Ignore
 }
 }
 

Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=834220&r1=834219&r2=834220&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Mon Nov  9 
20:43:47 2009
@@ -1758,7 +1758,7 @@
 public ServletContext getServletContext() {
 
 if (context == null) {
-context = new ApplicationContext(getBasePath(), this);
+context = new ApplicationContext(this);
 if (altDDName != null)
 context.setAttribute(Globals.ALT_DD_ATTR,altDDName);
 }

Modified: 
tomcat/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java?rev=834220&r1=834219&r2=834220&view=diff

svn commit: r834227 - /tomcat/trunk/java/org/apache/catalina/util/Base64.java

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 20:52:49 2009
New Revision: 834227

URL: http://svn.apache.org/viewvc?rev=834227&view=rev
Log:
Unused code

Modified:
tomcat/trunk/java/org/apache/catalina/util/Base64.java

Modified: tomcat/trunk/java/org/apache/catalina/util/Base64.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/util/Base64.java?rev=834227&r1=834226&r2=834227&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/util/Base64.java (original)
+++ tomcat/trunk/java/org/apache/catalina/util/Base64.java Mon Nov  9 20:52:49 
2009
@@ -42,7 +42,6 @@
 static private final byte PAD= (byte) '=';
 static private byte [] base64Alphabet   = new byte[BASELENGTH];
 static private byte [] lookUpBase64Alphabet = new byte[LOOKUPLENGTH];
-//static private final Log log = 
LogSource.getInstance("org.apache.commons.util.Base64");
 
 static
 {






svn commit: r834229 - in /tomcat/trunk: java/org/apache/catalina/authenticator/ java/org/apache/catalina/connector/ java/org/apache/catalina/core/ java/org/apache/catalina/ha/session/ java/org/apache/

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 21:00:22 2009
New Revision: 834229

URL: http://svn.apache.org/viewvc?rev=834229&view=rev
Log:
StringManagers should be final

Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/SingleSignOn.java
tomcat/trunk/java/org/apache/catalina/connector/CometEventImpl.java
tomcat/trunk/java/org/apache/catalina/connector/InputBuffer.java
tomcat/trunk/java/org/apache/catalina/connector/Request.java
tomcat/trunk/java/org/apache/catalina/connector/RequestFacade.java
tomcat/trunk/java/org/apache/catalina/connector/Response.java
tomcat/trunk/java/org/apache/catalina/connector/ResponseFacade.java
tomcat/trunk/java/org/apache/catalina/core/ApplicationFilterConfig.java
tomcat/trunk/java/org/apache/catalina/core/ApplicationHttpRequest.java
tomcat/trunk/java/org/apache/catalina/core/ApplicationHttpResponse.java
tomcat/trunk/java/org/apache/catalina/core/ApplicationRequest.java
tomcat/trunk/java/org/apache/catalina/core/ApplicationResponse.java
tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
tomcat/trunk/java/org/apache/catalina/core/ContainerBase.java
tomcat/trunk/java/org/apache/catalina/core/NamingContextListener.java
tomcat/trunk/java/org/apache/catalina/core/StandardPipeline.java
tomcat/trunk/java/org/apache/catalina/ha/session/DeltaManager.java
tomcat/trunk/java/org/apache/catalina/ha/session/DeltaRequest.java
tomcat/trunk/java/org/apache/catalina/ha/session/DeltaSession.java
tomcat/trunk/java/org/apache/catalina/ha/session/SerializablePrincipal.java
tomcat/trunk/java/org/apache/catalina/ha/tcp/ReplicationValve.java
tomcat/trunk/java/org/apache/catalina/manager/ManagerServlet.java
tomcat/trunk/java/org/apache/catalina/manager/StatusManagerServlet.java
tomcat/trunk/java/org/apache/catalina/manager/host/HostManagerServlet.java
tomcat/trunk/java/org/apache/catalina/realm/CombinedRealm.java
tomcat/trunk/java/org/apache/catalina/realm/JAASMemoryLoginModule.java
tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java
tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
tomcat/trunk/java/org/apache/catalina/realm/UserDatabaseRealm.java
tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
tomcat/trunk/java/org/apache/catalina/session/StandardSession.java
tomcat/trunk/java/org/apache/catalina/startup/Embedded.java
tomcat/trunk/java/org/apache/catalina/tribes/transport/bio/BioSender.java
tomcat/trunk/java/org/apache/catalina/tribes/util/StringManager.java
tomcat/trunk/java/org/apache/catalina/users/MemoryUserDatabase.java
tomcat/trunk/java/org/apache/catalina/util/ExtensionValidator.java
tomcat/trunk/java/org/apache/catalina/util/HexUtils.java
tomcat/trunk/java/org/apache/catalina/valves/ErrorReportValve.java
tomcat/trunk/java/org/apache/catalina/valves/RemoteIpValve.java
tomcat/trunk/java/org/apache/catalina/valves/RequestFilterValve.java
tomcat/trunk/java/org/apache/catalina/valves/ValveBase.java
tomcat/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java
tomcat/trunk/java/org/apache/coyote/ajp/AjpAprProtocol.java
tomcat/trunk/java/org/apache/coyote/ajp/AjpMessage.java
tomcat/trunk/java/org/apache/coyote/ajp/AjpProcessor.java
tomcat/trunk/java/org/apache/coyote/ajp/AjpProtocol.java
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java
tomcat/trunk/java/org/apache/coyote/http11/AbstractInputBuffer.java
tomcat/trunk/java/org/apache/coyote/http11/AbstractOutputBuffer.java
tomcat/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
tomcat/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java
tomcat/trunk/java/org/apache/coyote/http11/Http11Protocol.java
tomcat/trunk/java/org/apache/coyote/http11/InternalAprInputBuffer.java
tomcat/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
tomcat/trunk/java/org/apache/naming/ContextBindings.java
tomcat/trunk/java/org/apache/naming/StringManager.java
tomcat/trunk/java/org/apache/tomcat/util/http/HttpMessages.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/trunk/java/org/apache/tomcat/util/res/StringManager.java
tomcat/trunk/modules/tomcat-lite/test/org/apache/tomcat/lite/HexDump.java

Modified: tomcat/trunk/java/org/apache/catalina/authenticator/SingleSignOn.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/SingleSignOn.java?rev=834229&r1=834228&r2=834229&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/authenticator/SingleSignOn.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/SingleSignOn.java Mon 
Nov  9 21:00

svn commit: r834233 - in /tomcat/trunk/java/org/apache: catalina/connector/ catalina/core/ catalina/ha/ catalina/ha/session/ catalina/ha/tcp/ catalina/session/ catalina/tribes/membership/ catalina/tri

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 21:06:37 2009
New Revision: 834233

URL: http://svn.apache.org/viewvc?rev=834233&view=rev
Log:
StringManagers should be static final

Modified:
tomcat/trunk/java/org/apache/catalina/connector/Connector.java
tomcat/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
tomcat/trunk/java/org/apache/catalina/connector/MapperListener.java
tomcat/trunk/java/org/apache/catalina/core/JasperListener.java
tomcat/trunk/java/org/apache/catalina/ha/ClusterListener.java
tomcat/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
tomcat/trunk/java/org/apache/catalina/ha/tcp/SimpleTcpCluster.java
tomcat/trunk/java/org/apache/catalina/session/StoreBase.java
tomcat/trunk/java/org/apache/catalina/tribes/membership/McastService.java

tomcat/trunk/java/org/apache/catalina/tribes/transport/ReplicationTransmitter.java
tomcat/trunk/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java
tomcat/trunk/java/org/apache/catalina/valves/AccessLogValve.java

tomcat/trunk/java/org/apache/catalina/valves/CometConnectionManagerValve.java
tomcat/trunk/java/org/apache/catalina/valves/JDBCAccessLogValve.java
tomcat/trunk/java/org/apache/catalina/valves/SemaphoreValve.java
tomcat/trunk/java/org/apache/naming/NamingContext.java
tomcat/trunk/java/org/apache/naming/SelectorContext.java
tomcat/trunk/java/org/apache/naming/resources/BaseDirContext.java
tomcat/trunk/java/org/apache/naming/resources/ProxyDirContext.java
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java

Modified: tomcat/trunk/java/org/apache/catalina/connector/Connector.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Connector.java?rev=834233&r1=834232&r2=834233&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/connector/Connector.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Connector.java Mon Nov  9 
21:06:37 2009
@@ -187,7 +187,7 @@
 /**
  * The string manager for this package.
  */
-protected StringManager sm =
+protected static final StringManager sm =
 StringManager.getManager(Constants.Package);
 
 

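Review bot: turning `sm` into `protected static final` moves the bundle lookup from construction time to class-initialisation time, and `StringManager.getManager` falls back to the thread context class loader when the bundle is not on the class's own loader (see the StringManager constructor in r834238 further down this digest), so the resolved bundle now depends on which thread first loads `Connector` rather than on which thread creates each instance. That is harmless for a container class initialised by the startup thread, but it is worth keeping in mind where the same change is applied to classes that may first be touched from a webapp thread. Also, any subclass that assigned `sm` will no longer compile against a `final` field; the same applies to the identical hunks below (`CoyoteAdapter`, `MapperListener`, `JasperListener`, `ClusterListener`).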
Modified: tomcat/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java?rev=834233&r1=834232&r2=834233&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java Mon Nov  
9 21:06:37 2009
@@ -106,7 +106,7 @@
 /**
  * The string manager for this package.
  */
-protected StringManager sm =
+protected static final StringManager sm =
 StringManager.getManager(Constants.Package);
 
 

Modified: tomcat/trunk/java/org/apache/catalina/connector/MapperListener.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/MapperListener.java?rev=834233&r1=834232&r2=834233&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/connector/MapperListener.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/connector/MapperListener.java Mon Nov 
 9 21:06:37 2009
@@ -76,7 +76,7 @@
 /**
  * The string manager for this package.
  */
-private StringManager sm =
+private static final StringManager sm =
 StringManager.getManager(Constants.Package);
 
 // It should be null - and fail if not set

Modified: tomcat/trunk/java/org/apache/catalina/core/JasperListener.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/JasperListener.java?rev=834233&r1=834232&r2=834233&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/core/JasperListener.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/JasperListener.java Mon Nov  9 
21:06:37 2009
@@ -43,7 +43,7 @@
 /**
  * The string manager for this package.
  */
-protected StringManager sm =
+protected static final StringManager sm =
 StringManager.getManager(Constants.Package);
 
 

Modified: tomcat/trunk/java/org/apache/catalina/ha/ClusterListener.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/ha/ClusterListener.java?rev=834233&r1=834232&r2=834233&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/ha/ClusterListener.java (original)
+++ tomcat/trunk/java/org/apache/catalina/ha/ClusterListener.java Mon Nov  9 
21:06:37 2009
@@ -45,7 +45,7 @@
 /**
  * The string manager for this package.
  */
-protected StringManager sm = Strin

svn commit: r834238 - in /tomcat/trunk/java/org/apache: catalina/tribes/util/StringManager.java naming/StringManager.java tomcat/util/res/StringManager.java

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 21:18:01 2009
New Revision: 834238

URL: http://svn.apache.org/viewvc?rev=834238&view=rev
Log:
Align all three StringManager implementations

Modified:
tomcat/trunk/java/org/apache/catalina/tribes/util/StringManager.java
tomcat/trunk/java/org/apache/naming/StringManager.java
tomcat/trunk/java/org/apache/tomcat/util/res/StringManager.java

Modified: tomcat/trunk/java/org/apache/catalina/tribes/util/StringManager.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribes/util/StringManager.java?rev=834238&r1=834237&r2=834238&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/tribes/util/StringManager.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/tribes/util/StringManager.java Mon 
Nov  9 21:18:01 2009
@@ -1,21 +1,20 @@
 /*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- * 
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
  *  http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-
 package org.apache.catalina.tribes.util;
 
 import java.text.MessageFormat;
@@ -23,7 +22,6 @@
 import java.util.Locale;
 import java.util.MissingResourceException;
 import java.util.ResourceBundle;
-import java.net.URLClassLoader;
 
 /**
  * An internationalization / localization helper class which reduces
@@ -44,8 +42,12 @@
  * Please see the documentation for java.util.ResourceBundle for
  * more information.
  *
+ * @version $Revision$ $Date$
+ *
  * @author James Duncan Davidson [dun...@eng.sun.com]
  * @author James Todd [go...@eng.sun.com]
+ * @author Mel Martinez [mmarti...@g1440.com]
+ * @see java.util.ResourceBundle
  */
 
 public class StringManager {
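Review bot: the added `@version $Revision$ $Date$` tag only expands if the file carries the `svn:keywords` property; without it the literal `$Revision$ $Date$` ends up in the generated Javadoc. Either set the property on all three StringManager files being aligned here or leave the tag out.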
@@ -53,11 +55,8 @@
 /**
  * The ResourceBundle for this StringManager.
  */
-
 private ResourceBundle bundle;
-
-private static org.apache.juli.logging.Log log=
-org.apache.juli.logging.LogFactory.getLog( StringManager.class );
+private Locale locale;
 
 /**
  * Creates a new StringManager for a given package. This is a
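Review bot: the new `private Locale locale;` field is never assigned in the visible part of this commit, while the old static `log` it replaces was the only diagnostic the class had. If `locale` is meant to be exposed by a getter, set it where `bundle` is resolved (for example `locale = bundle.getLocale();` once a bundle has been found) so it cannot be read as `null` by accident.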
@@ -67,60 +66,62 @@
  *
  * @param packageName Name of package to create StringManager for.
  */
-
 private StringManager(String packageName) {
 String bundleName = packageName + ".LocalStrings";
 try {
-bundle = ResourceBundle.getBundle(bundleName);
-return;
+bundle = ResourceBundle.getBundle(bundleName, Locale.getDefault());
 } catch( MissingResourceException ex ) {
-// Try from the current loader ( that's the case for trusted apps )
-ClassLoader cl=Thread.currentThread().getContextClassLoader();
+// Try from the current loader (that's the case for trusted apps)
+// Should only be required if using a TC5 style classloader 
structure
+// where common != shared != server
+ClassLoader cl = Thread.currentThread().getContextClassLoader();
 if( cl != null ) {
 try {
-bundle=ResourceBundle.getBundle(bundleName, 
Locale.getDefault(), cl);
-return;
+bundle = ResourceBundle.getBundle(
+bundleName, Locale.getDefault(), cl);
 } catch(MissingResourceException ex2) {
+// Ignore
 }
 }
-if( cl==null )
-cl=this.getClass().getClassLoader();
-
-if (log.isDebugEnabled())
-log.debug("Can't find resour
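Review bot: the nested `catch(MissingResourceException ex2) { // Ignore }` leaves `bundle` as `null` when neither the default loader nor the context class loader can find `LocalStrings`, and the tail of this hunk removes the `log.debug("Can't find resour...` message that used to record that case, so a missing bundle is now completely silent. Make sure `getString` copes with a `null` bundle (returning the key rather than throwing a `NullPointerException`) and consider keeping a one-line debug message, since a silently missing bundle is exactly the kind of misconfiguration that otherwise only shows up as blank or mangled error text.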

Re: SSL & Tomcat

2009-11-09 Thread Costin Manolache
On Mon, Nov 9, 2009 at 10:47 AM, Costin Manolache  wrote:

>
>
> On Mon, Nov 9, 2009 at 8:04 AM, Konstantin Kolinko  > wrote:
>
>> 2009/11/9 Mark Thomas :
>> > Summarising the information gathered so far from various channels
>> > (thanks to Bill B., Bill W. & Rainer who have done most of the actual
>> > work to find the info below).
>> >
>> > BIO/NIO connectors using JSSE.
>> > Vulnerable when renegotiation is triggered by the client or server.
>> > We could prevent server initiated renegotiation (and probably break the
>> > majority of configurations using CLIENT-CERT).
>> > We can't do anything to prevent client initiated renegotiation.
>> >
>> > APR/native connector using OpenSSL
>> > It is vulnerable when renegotiation is triggered by the client or by the
>> > server.
>> > Client triggered negotiation is supported.
>> > Server triggered negotiation will be supported from 1.1.17 onwards.
>> >
>> > OpenSSL 0.9.8l disables negotiation by default
>> >
>> >
>> > In terms of what this means for users:
>> >
>> > BIO/NIO
>> > - There isn't anything we can do in Tomcat to stop client
>> >  initiated renegotiation so it is a case of waiting for the JVM
>> >  vendors to respond.
>> >
>> > APR/native
>> > - Re-building their current version with 0.9.8l will protect
>> >  users at the risk of breaking any configurations that
>> >  require renegotiation.
>> > - We can release 1.1.17 with the binaries built with 0.9.8l. This
>> >  will also protect users at the risk of breaking any
>> >  configurations that require renegotiation. Mladen is doing this
>> >  now.
>> > - Supporting renegotiation whilst avoiding the vulnerability will
>> >  require a protocol fix. In the meantime, we could port port
>> >  r833582 from httpd which would disable client triggered
>> >  renegotiation for OpenSSL < 0.9.8l (which may help some users
>> >  who can't easily change their OpenSSL version and release 1.1.18
>> >  with this fix
>> > - Once the protocol is fixed, release 1.1.next bundled with the
>> >  appropriate version of OpenSSL
>> >
>> >
>> > Have I got my facts right above? If so, any objections to posting the
>> > above to the users@ and announce@ lists along with adding something to
>> > the security pages?
>> >
>> > Mark
>> >
>>
>> +1
>>
>> s/negotiation/renegotiation/
>> s/port port/port/
>>
>> A question:
>> My understanding of renegotiation is that it changes SSL session. Is
>> it possible to observe changes in the value of SSL sessionId?  I doubt
>> so, but may be?
>>
>
> AFAIK you can reuse the session ID across negotiations ( it's a nice
> optimization BTW, too
> bad we're not using, it can speed up SSL connections a lot ), I'm not sure
> if it changes
> within a renegotiation, but AFAIK when you start any negotiation you can
> specify you want
> to reuse the old session id.  But if I understand the exploit correctly -
> they would want a different
> cypher, and if you reuse the session you reuse the old one.
>
>
> Maybe we can modify JSSESupport.Listener to break the connection if
> handshakeCompleted is
> called > once in a connection ? That is besides disabling server-initiated
> handshakes.
>
>

BTW - confirmed that JSSESupport.Listener is called when the client does
re-negotiate, but it is not called on the first negotiation ( it's added too
late ).

However it's pretty easy to add a listener earlier, patch attached - it
should break all client re-negotiations, so we don't need to wait for a JDK
fix.

I wrote a small unit test - but I can't seem to get the jsse client to
re-negotiate for the test, can only do it using command line openssl. The
patch seems to work - but you need some system properties or flags if we
want to let people disable this ( "allowManInTheMiddle" is a good name for a
flag ). Also the test needs a bit of work.

If anyone has more time, my 20% is getting low


Costin



> Costin
>
>
>
>> We read that value once and provide it to our users as
>> "javax.servlet.request.ssl_session" request attribute.
>>
>> Regarding valves (as mentioned in issue 48157):
>> I understand, that that is not sufficient, but if anyone wants to
>> check against malformed headers, they can do so.
>>
>> Best regards,
>> Konstantin Kolinko
>>
>> -
>> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: dev-h...@tomcat.apache.org
>>
>>
>
/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 * 
 *  http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is d
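The backstop Costin describes above (register a handshake listener before the first handshake and drop the connection if a second handshake ever completes), written out as an added illustration rather than the patch attached to this message. `RenegotiationGuard`, `install` and `prepare` are names chosen here and are not Tomcat identifiers; whether renegotiation is permitted is passed in as a plain boolean so it can be wired to either a system property or a connector attribute.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicInteger;

import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLSocket;

/**
 * Closes a server-side SSLSocket as soon as a second handshake completes on it,
 * i.e. whenever the peer renegotiates. Added illustration only; the class and
 * method names are assumptions, not Tomcat's.
 */
public final class RenegotiationGuard implements HandshakeCompletedListener {

    private final boolean allowRenegotiation;
    private final AtomicInteger completedHandshakes = new AtomicInteger();

    private RenegotiationGuard(boolean allowRenegotiation) {
        this.allowRenegotiation = allowRenegotiation;
    }

    /**
     * Registers the guard on the socket. This must happen BEFORE the first
     * startHandshake(): JSSE only notifies listeners that are registered at the
     * moment a handshake finishes, which is why a listener added later never
     * sees the initial handshake (the "added too late" problem noted above).
     */
    public static RenegotiationGuard install(SSLSocket socket,
                                            boolean allowRenegotiation) {
        RenegotiationGuard guard = new RenegotiationGuard(allowRenegotiation);
        socket.addHandshakeCompletedListener(guard);
        return guard;
    }

    /** Number of completed handshakes observed on the guarded socket. */
    public int getCompletedHandshakes() {
        return completedHandshakes.get();
    }

    @Override
    public void handshakeCompleted(HandshakeCompletedEvent event) {
        int n = completedHandshakes.incrementAndGet();
        if (n == 1 || allowRenegotiation) {
            return; // initial handshake, or the operator explicitly opted in
        }
        // Second (or later) handshake on the same connection: drop it.
        // Caveat: SunJSSE has delivered this event on a separate notification
        // thread, so the reading thread may already have consumed a few bytes
        // sent under the renegotiated session before the close takes effect.
        // This is a backstop, not a substitute for a protocol-level fix.
        try {
            event.getSocket().close();
        } catch (IOException ignored) {
            // already closed by the peer or by the connector
        }
    }

    /**
     * Typical server-side use: guard an accepted socket, then handshake. As
     * noted in the thread, the handshake is only driven to completion once
     * the caller actually read()s from the socket afterwards.
     */
    public static SSLSocket prepare(SSLSocket accepted, boolean allowRenegotiation)
            throws IOException {
        accepted.setUseClientMode(false);
        install(accepted, allowRenegotiation);
        accepted.startHandshake();
        return accepted;
    }
}
```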

svn commit: r834260 - /tomcat/tc6.0.x/trunk/STATUS.txt

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 22:34:35 2009
New Revision: 834260

URL: http://svn.apache.org/viewvc?rev=834260&view=rev
Log:
Cookie changes proposal

Modified:
tomcat/tc6.0.x/trunk/STATUS.txt

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=834260&r1=834259&r2=834260&view=diff
==
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Mon Nov  9 22:34:35 2009
@@ -378,3 +378,15 @@
   http://svn.apache.org/viewvc?rev=834047&view=rev
   +1: markt
   -1: 
+
+* Backport cookie changes
+  - Add option to control treatment of / as a separator
+  - Single quote is not a spearator
+  - Link ALWAYS_ADD_EXPIRES so STRICT_SERVLET_COMPLIANCE
+  - Add option to enforce cookie naming rules
+  - Add option to allow = in cookie values
+  - Auto switching is not a spec breach
+  - Auto switch on use of comment
+  http://people.apache.org/~markt/patches/2009-11-09-tc6-cookies.patch
+  +1: markt
+  -1: 
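Review bot: two typos in the added proposal text: "Single quote is not a spearator" should read "separator", and "Link ALWAYS_ADD_EXPIRES so STRICT_SERVLET_COMPLIANCE" presumably "to". More substantively, the three new options ("/ as a separator", "allow = in cookie values", "enforce cookie naming rules") all change how the Cookie header is tokenised, so the entry or the linked patch should state which default preserves the current 6.0.x parsing, otherwise reviewers cannot tell whether the backport is behaviour-neutral.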


svn commit: r834262 - /tomcat/tc5.5.x/trunk/STATUS.txt

2009-11-09 Thread markt
Author: markt
Date: Mon Nov  9 22:35:04 2009
New Revision: 834262

URL: http://svn.apache.org/viewvc?rev=834262&view=rev
Log:
Cookie changes proposal

Modified:
tomcat/tc5.5.x/trunk/STATUS.txt

Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=834262&r1=834261&r2=834262&view=diff
==
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Mon Nov  9 22:35:04 2009
@@ -186,3 +186,15 @@
   http://svn.apache.org/viewvc?rev=834047&view=rev
   +1: markt
   -1: 
+
+* Backport cookie changes
+  - Add option to control treatment of / as a separator
+  - Single quote is not a spearator
+  - Link ALWAYS_ADD_EXPIRES so STRICT_SERVLET_COMPLIANCE
+  - Add option to enforce cookie naming rules
+  - Add option to allow = in cookie values
+  - Auto switching is not a spec breach
+  - Auto switch on use of comment
+  http://people.apache.org/~markt/patches/2009-11-09-tc5-cookies.patch
+  +1: markt
+  -1: 
\ No newline at end of file
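Review bot: same two typos as in the tc6 entry ("spearator", "Link ... so STRICT_SERVLET_COMPLIANCE"), and this edit leaves STATUS.txt without a trailing newline (the `\ No newline at end of file` marker), so the next proposal appended to the file will show up as a change to this line as well; add the newline.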


broken link on tomcat resource page

2009-11-09 Thread Peter Lin
Last week I noticed the link to Filip's old tomcat 16,000 concurrent
connections was broken on the resources page.

http://tomcat.apache.org/resources.html

peter lin


Re: SSL & Tomcat

2009-11-09 Thread Costin Manolache
Unless someone has a better solution - I'll submit the fix ( tonight ), will
disable re-negotiation for Jsse-mode.
I added a system property to allow people who don't care about this, IMO by
default it should be on.

Also got the test case to work - please let me know if it's acceptable to
commit it, it depends on having a .keystore with a 'localhost' cert, didn't
find any other SSL tests in the suite.
Forgot that you need to read() after startHandshake() - just cut&pasted the
code from JsseSupport and it worked.


Costin

On Mon, Nov 9, 2009 at 1:32 PM, Costin Manolache  wrote:

>
>
> On Mon, Nov 9, 2009 at 10:47 AM, Costin Manolache wrote:
>
>>
>>
>> On Mon, Nov 9, 2009 at 8:04 AM, Konstantin Kolinko <
>> knst.koli...@gmail.com> wrote:
>>
>>> 2009/11/9 Mark Thomas :
>>> > Summarising the information gathered so far from various channels
>>> > (thanks to Bill B., Bill W. & Rainer who have done most of the actual
>>> > work to find the info below).
>>> >
>>> > BIO/NIO connectors using JSSE.
>>> > Vulnerable when renegotiation is triggered by the client or server.
>>> > We could prevent server initiated renegotiation (and probably break the
>>> > majority of configurations using CLIENT-CERT).
>>> > We can't do anything to prevent client initiated renegotiation.
>>> >
>>> > APR/native connector using OpenSSL
>>> > It is vulnerable when renegotiation is triggered by the client or by
>>> the
>>> > server.
>>> > Client triggered negotiation is supported.
>>> > Server triggered negotiation will be supported from 1.1.17 onwards.
>>> >
>>> > OpenSSL 0.9.8l disables negotiation by default
>>> >
>>> >
>>> > In terms of what this means for users:
>>> >
>>> > BIO/NIO
>>> > - There isn't anything we can do in Tomcat to stop client
>>> >  initiated renegotiation so it is a case of waiting for the JVM
>>> >  vendors to respond.
>>> >
>>> > APR/native
>>> > - Re-building their current version with 0.9.8l will protect
>>> >  users at the risk of breaking any configurations that
>>> >  require renegotiation.
>>> > - We can release 1.1.17 with the binaries built with 0.9.8l. This
>>> >  will also protect users at the risk of breaking any
>>> >  configurations that require renegotiation. Mladen is doing this
>>> >  now.
>>> > - Supporting renegotiation whilst avoiding the vulnerability will
>>> >  require a protocol fix. In the meantime, we could port port
>>> >  r833582 from httpd which would disable client triggered
>>> >  renegotiation for OpenSSL < 0.9.8l (which may help some users
>>> >  who can't easily change their OpenSSL version and release 1.1.18
>>> >  with this fix
>>> > - Once the protocol is fixed, release 1.1.next bundled with the
>>> >  appropriate version of OpenSSL
>>> >
>>> >
>>> > Have I got my facts right above? If so, any objections to posting the
>>> > above to the users@ and announce@ lists along with adding something to
>>> > the security pages?
>>> >
>>> > Mark
>>> >
>>>
>>> +1
>>>
>>> s/negotiation/renegotiation/
>>> s/port port/port/
>>>
>>> A question:
>>> My understanding of renegotiation is that it changes SSL session. Is
>>> it possible to observe changes in the value of SSL sessionId?  I doubt
>>> so, but may be?
>>>
>>
>> AFAIK you can reuse the session ID across negotiations ( it's a nice
>> optimization BTW, too
>> bad we're not using, it can speed up SSL connections a lot ), I'm not sure
>> if it changes
>> within a renegotiation, but AFAIK when you start any negotiation you can
>> specify you want
>> to reuse the old session id.  But if I understand the exploit correctly -
>> they would want a different
>> cypher, and if you reuse the session you reuse the old one.
>>
>>
>> Maybe we can modify JSSESupport.Listener to break the connection if
>> handshakeCompleted is
>> called > once in a connection ? That is besides disabling server-initiated
>> handshakes.
>>
>>
>
> BTW - confirmed that JSSESupport.Listener is called when client does
> re-negotiate, but it is not called on the first
> negotiation ( it's added too late ).
>
> However it's pretty easy to add a listener earlier, patch attached - it
> should break all client re-negotiations, so we don't need
> to wait for a JDK fix.
>
> I wrote a small unit test - but I can't seem to get the jsse client to
> re-negotiate for the test, can only do it using command line
> openssl. The patch seems to work - but you need some system properties or
> flags if we want to let people
>  disable this ( "allowManInTheMiddle" is a good name for a flag ).  Also
> the test needs a bit of work.
>
> If anyone has more time, my 20% is getting low 
>
>
> Costin
>
>
>
>> Costin
>>
>>
>>
>>> We read that value once and provide it to our users as
>>> "javax.servlet.request.ssl_session" request attribute.
>>>
>>> Regarding valves (as mentioned in issue 48157):
>>> I understand, that that is not sufficient, but if anyone wants to
>>> check against malformed headers, they can do so.
>>>
>>> Best regards,
>>> Konstantin Kolinko
>>>
>>> ---

Re: SSL & Tomcat

2009-11-09 Thread Mark Thomas
Costin Manolache wrote:
> Unless someone has a better solution - I'll submit the fix ( tonight ), will
> disable re-negotiation for Jsse-mode.
> I added a system property to allow people who don't care about this, IMO by
> default it should be on.

Sounds good. Any chance it could be a connector property rather than a
system property? If you don't have a chance to do this I can always make
that change (and do some testing) tomorrow.

> Also got the test case to work - please let me know if it's acceptable to
> commit it, it depends
> on having a .keystore with a 'localhost' cert, didn't find any other SSL
> tests in the suite.

Add the keystore to svn as well. That way, the test should always work.

> Forgot that you need to read() after startHandshake() - just cut&pasted the
> code from
> JsseSupport and it worked.

Mark


> Costin
> 
> On Mon, Nov 9, 2009 at 1:32 PM, Costin Manolache  wrote:
> 
>>
>> On Mon, Nov 9, 2009 at 10:47 AM, Costin Manolache wrote:
>>
>>>
>>> On Mon, Nov 9, 2009 at 8:04 AM, Konstantin Kolinko <
>>> knst.koli...@gmail.com> wrote:
>>>
 2009/11/9 Mark Thomas :
> Summarising the information gathered so far from various channels
> (thanks to Bill B., Bill W. & Rainer who have done most of the actual
> work to find the info below).
>
> BIO/NIO connectors using JSSE.
> Vulnerable when renegotiation is triggered by the client or server.
> We could prevent server initiated renegotiation (and probably break the
> majority of configurations using CLIENT-CERT).
> We can't do anything to prevent client initiated renegotiation.
>
> APR/native connector using OpenSSL
> It is vulnerable when renegotiation is triggered by the client or by
 the
> server.
> Client triggered negotiation is supported.
> Server triggered negotiation will be supported from 1.1.17 onwards.
>
> OpenSSL 0.9.8l disables negotiation by default
>
>
> In terms of what this means for users:
>
> BIO/NIO
> - There isn't anything we can do in Tomcat to stop client
>  initiated renegotiation so it is a case of waiting for the JVM
>  vendors to respond.
>
> APR/native
> - Re-building their current version with 0.9.8l will protect
>  users at the risk of breaking any configurations that
>  require renegotiation.
> - We can release 1.1.17 with the binaries built with 0.9.8l. This
>  will also protect users at the risk of breaking any
>  configurations that require renegotiation. Mladen is doing this
>  now.
> - Supporting renegotiation whilst avoiding the vulnerability will
>  require a protocol fix. In the meantime, we could port port
>  r833582 from httpd which would disable client triggered
>  renegotiation for OpenSSL < 0.9.8l (which may help some users
>  who can't easily change their OpenSSL version and release 1.1.18
>  with this fix
> - Once the protocol is fixed, release 1.1.next bundled with the
>  appropriate version of OpenSSL
>
>
> Have I got my facts right above? If so, any objections to posting the
> above to the users@ and announce@ lists along with adding something to
> the security pages?
>
> Mark
>
 +1

 s/negotiation/renegotiation/
 s/port port/port/

 A question:
 My understanding of renegotiation is that it changes SSL session. Is
 it possible to observe changes in the value of SSL sessionId?  I doubt
 so, but may be?

>>> AFAIK you can reuse the session ID across negotiations ( it's a nice
>>> optimization BTW, too
>>> bad we're not using, it can speed up SSL connections a lot ), I'm not sure
>>> if it changes
>>> within a renegotiation, but AFAIK when you start any negotiation you can
>>> specify you want
>>> to reuse the old session id.  But if I understand the exploit correctly -
>>> they would want a different
>>> cypher, and if you reuse the session you reuse the old one.
>>>
>>>
>>> Maybe we can modify JSSESupport.Listener to break the connection if
>>> handshakeCompleted is
>>> called > once in a connection ? That is besides disabling server-initiated
>>> handshakes.
>>>
>>>
>> BTW - confirmed that JSSESupport.Listener is called when client does
>> re-negotiate, but it is not called on the first
>> negotiation ( it's added too late ).
>>
>> However it's pretty easy to add a listener earlier, patch attached - it
>> should break all client re-negotiations, so we don't need
>> to wait for a JDK fix.
>>
>> I wrote a small unit test - but I can't seem to get the jsse client to
>> re-negotiate for the test, can only do it using command line
>> openssl. The patch seems to work - but you need some system properties or
>> flags if we want to let people
>>  disable this ( "allowManInTheMiddle" is a good name for a flag ).  Also
>> the test needs a bit of work.
>>
>> If anyone has more time, my 20% is getting low 
>>
>>
>> Costin
>>
>>
>>
>>> Costin
>>>
>>>
>>>
 W

svn commit: r834286 - in /tomcat/trunk/java/org/apache/catalina/startup: LocalStrings.properties WebXml.java

2009-11-09 Thread markt
Author: markt
Date: Tue Nov 10 00:31:25 2009
New Revision: 834286

URL: http://svn.apache.org/viewvc?rev=834286&view=rev
Log:
Add merge code for the remaining elements in web.xml

Modified:
tomcat/trunk/java/org/apache/catalina/startup/LocalStrings.properties
tomcat/trunk/java/org/apache/catalina/startup/WebXml.java

Modified: tomcat/trunk/java/org/apache/catalina/startup/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/LocalStrings.properties?rev=834286&r1=834285&r2=834286&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/startup/LocalStrings.properties 
(original)
+++ tomcat/trunk/java/org/apache/catalina/startup/LocalStrings.properties Tue 
Nov 10 00:31:25 2009
@@ -115,9 +115,11 @@
 webXml.duplicateResourceRef=Duplicate resource-ref name
 webXml.reservedName=A web.xml file was detected using a reserved name [{0}]. 
The name element will be ignored for this fragment.
 webXml.mergeConflictDisplayName=The display name was defined in multiple 
fragments with different values including fragment with name [{0}] located at 
[{1}]
-webXml.mergeConflictErrorPage=The Error Page for [{0}] was defined in multiple 
fragments including fragment with name [{1}] located at [{2}]
-webXml.mergeConflictListener=Listener [{0}] was defined in multiple fragments 
including fragment with name [{1}] located at [{2}]
-webXml.mergeConflictLoginConfig=A LoginConfig was defined in multiple 
fragments including fragment with name [{1}] located at [{2}]
-webXml.mergeConflictResource=The Resource [{0}] was defined in multiple 
fragments including fragment with name [{1}] located at [{2}]
-webXml.mergeConflictString=The [{0}] with name [{1}] was defined in multiple 
fragments including fragment with name [{2}] located at [{3}]
+webXml.mergeConflictErrorPage=The Error Page for [{0}] was defined 
inconsistently in multiple fragments including fragment with name [{1}] located 
at [{2}]
+webXml.mergeConflictFilter=The Filter [{0}] was defined inconsistently in 
multiple fragments including fragment with name [{1}] located at [{2}]
+webXml.mergeConflictLoginConfig=A LoginConfig was defined inconsistently in 
multiple fragments including fragment with name [{1}] located at [{2}]
+webXml.mergeConflictResource=The Resource [{0}] was defined inconsistently in 
multiple fragments including fragment with name [{1}] located at [{2}]
+webXml.mergeConflictFilter=The Servlet [{0}] was defined inconsistently in 
multiple fragments including fragment with name [{1}] located at [{2}]
+webXml.mergeConflictSessionTimeout=The session timeout was defined 
inconsistently in multiple fragments with different values including fragment 
with name [{0}] located at [{1}]
+webXml.mergeConflictString=The [{0}] with name [{1}] was defined 
inconsistently in multiple fragments including fragment with name [{2}] located 
at [{3}]
 webXml.multipleOther=Multiple others entries in ordering
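Review bot: `webXml.mergeConflictFilter` is defined twice in this hunk, once with the Filter wording and once with the Servlet wording; in a .properties file the later definition wins, so a filter conflict would be reported as "The Servlet [{0}] was defined inconsistently ...". The second key is presumably meant to be `webXml.mergeConflictServlet`. Also, `webXml.mergeConflictListener` is removed without a replacement, so any remaining lookup of that key in WebXml.java would now fall back to the raw key name; worth confirming the listener conflict path was dropped or reworded as well.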

Modified: tomcat/trunk/java/org/apache/catalina/startup/WebXml.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/WebXml.java?rev=834286&r1=834285&r2=834286&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/startup/WebXml.java (original)
+++ tomcat/trunk/java/org/apache/catalina/startup/WebXml.java Tue Nov 10 
00:31:25 2009
@@ -250,6 +250,7 @@
 }
 welcomeFiles.add(welcomeFile);
 }
+public Set getWelcomeFiles() { return welcomeFiles; }
 
 // error-page
 private Map errorPages = new HashMap();
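Review bot: `getWelcomeFiles()` hands out the internal `welcomeFiles` collection itself, so any caller can mutate the parsed web.xml state after the fact; if it is only read during fragment merging, returning `Collections.unmodifiableSet(welcomeFiles)` makes that intent explicit. A blank line before the new method would also match the layout of the surrounding accessors.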
@@ -341,11 +342,12 @@
 // TODO: Should support multiple description elements with language
 // TODO: Should support multiple display-names elements with language
 // TODO: Should support multiple icon elements ???
-private Set serviceRefs = new HashSet();
+private Map serviceRefs =
+new HashMap();
 public void addServiceRef(ContextService serviceRef) {
-serviceRefs.add(serviceRef);
+serviceRefs.put(serviceRef.getName(), serviceRef);
 }
-public Set getServiceRefs() { return serviceRefs; }
+public Map getServiceRefs() { return serviceRefs; }
 
 // resource-ref
 // TODO: Should support multiple description elements with language
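Review bot: switching `serviceRefs` to a `Map` keyed by `serviceRef.getName()` means `addServiceRef` now silently overwrites an earlier service-ref with the same name, where the `Set` kept distinct objects. Resource-refs in this same file are checked for duplicates and reported via `webXml.duplicateResourceRef`; a `containsKey` check here with an analogous message key (for example `webXml.duplicateServiceRef`, a suggested name) would keep duplicate handling consistent instead of losing one definition without notice.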
@@ -512,7 +514,7 @@
 for (String role : securityRoles) {
 context.addSecurityRole(role);
 }
-for (ContextService service : serviceRefs) {
+for (ContextService service : serviceRefs.values()) {
 context.getNamingResources().addService(service);
 }
 for (ServletDef servlet : servlets.values()) {
@@ -660,6 +662,27 @@
 }
 
 for (WebXml fragment : fragments) {
+for (Map.Entry entry :
+fragment.getFilters().entrySet()) {
+if (filters.containsKey(entry.getKey())) {
+

svn commit: r834289 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

2009-11-09 Thread costin
Author: costin
Date: Tue Nov 10 01:02:43 2009
New Revision: 834289

URL: http://svn.apache.org/viewvc?rev=834289&view=rev
Log:
Fix for the SSL midm - disable client re-negotiation, connection will be 
closed. 


Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=834289&r1=834288&r2=834289&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
Tue Nov 10 01:02:43 2009
@@ -42,6 +42,8 @@
 import java.util.Vector;
 
 import javax.net.ssl.CertPathTrustManagerParameters;
+import javax.net.ssl.HandshakeCompletedEvent;
+import javax.net.ssl.HandshakeCompletedListener;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.ManagerFactoryParameters;
@@ -93,6 +95,9 @@
 private static final int defaultSessionCacheSize = 0;
 private static final int defaultSessionTimeout = 86400;
 
+private static final boolean midmMode = 
+"true".equals(System.getProperty("enable_ssl_mitm_vulnerability"));
+
 static org.apache.juli.logging.Log log =
 org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class);
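Review bot: `midmMode` reads as a typo for `mitmMode`, and this is the only place the opt-out is named, so rename it and document the `enable_ssl_mitm_vulnerability` system property alongside the other connector settings. Because it is read once into a `static final`, it is a JVM-wide switch for every JSSE connector that cannot be changed without a restart; a per-connector attribute (in the style of `sslProtocol`) would give operators finer control and show up in server.xml where such settings are audited.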
 
@@ -154,12 +159,34 @@
 SSLSocket asock = null;
 try {
  asock = (SSLSocket)socket.accept();
+ if (!midmMode) {
+ asock.addHandshakeCompletedListener(
+ new DisableSslRenegotiation());
+ }
  configureClientAuth(asock);
 } catch (SSLException e){
   throw new SocketException("SSL handshake error" + e.toString());
 }
 return asock;
 }
+
+private static class DisableSslRenegotiation 
+implements HandshakeCompletedListener {
+private volatile boolean completed = false;
+
+public void handshakeCompleted(HandshakeCompletedEvent event) {
+if (completed) {
+try {
+log.warn("SSL renegotiation is disabled, closing 
connection");
+event.getSocket().close();
+} catch (IOException e) {
+// ignore
+}
+}
+completed = true;
+}
+}
+
 
 @Override
 public void handshake(Socket sock) throws IOException {
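Review bot: `handshakeCompleted` closes the socket on the second handshake but leaves the negotiated session valid, so the same peer can reconnect and resume it; call `event.getSession().invalidate()` before `event.getSocket().close()`. Note that the listener only fires after the renegotiation handshake has already completed, so this is a best-effort mitigation rather than a refusal of the renegotiation itself. The `log.warn` should include `event.getSocket().getRemoteSocketAddress()` so repeated attempts are visible to operators, and the empty `catch (IOException e) { // ignore }` deserves at least a debug-level log.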






svn commit: r834290 - in /tomcat/trunk/test/org/apache/catalina/startup: TestTomcatSSL.java test.keystore

2009-11-09 Thread costin
Author: costin
Date: Tue Nov 10 01:04:13 2009
New Revision: 834290

URL: http://svn.apache.org/viewvc?rev=834290&view=rev
Log:
Test case for the MITM/ssl re-negotiation, also a unit test for a simple ssl request (to check the fix didn't break anything and ssl still works)


Added:
tomcat/trunk/test/org/apache/catalina/startup/TestTomcatSSL.java   (with 
props)
tomcat/trunk/test/org/apache/catalina/startup/test.keystore   (with props)

Added: tomcat/trunk/test/org/apache/catalina/startup/TestTomcatSSL.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/startup/TestTomcatSSL.java?rev=834290&view=auto
==
--- tomcat/trunk/test/org/apache/catalina/startup/TestTomcatSSL.java (added)
+++ tomcat/trunk/test/org/apache/catalina/startup/TestTomcatSSL.java Tue Nov 10 
01:04:13 2009
@@ -0,0 +1,153 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.startup;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+import javax.net.ssl.HandshakeCompletedEvent;
+import javax.net.ssl.HandshakeCompletedListener;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
+import org.apache.tomcat.util.buf.ByteChunk;
+
+/**
+ * Requires test.keystore (checked in), generated with:
+ *  keytool -genkey -alias tomcat -keyalg RSA
+ *  pass: changeit 
+ *  CN: localhost ( for hostname validation )
+ */
+public class TestTomcatSSL extends TomcatBaseTest {
+static TrustManager[] trustAllCerts = new TrustManager[] { 
+new X509TrustManager() { 
+public java.security.cert.X509Certificate[] getAcceptedIssuers() { 
+return null;
+}
+public void 
checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) 
{
+}
+public void 
checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) 
{
+}
+}
+};
+
+private void initSsl(Tomcat tomcat) {
+tomcat.getConnector().setSecure(true);
+tomcat.getConnector().setProperty("SSLEnabled", "true");
+tomcat.getConnector().setProperty("sslProtocol",
+"tls");
+// test runs in output/tmp
+tomcat.getConnector().setAttribute("keystore", 
+"../../test/org/apache/catalina/startup/test.keystore");
+}
+
+
+public void testSimpleSsl() throws Exception {
+//  Install the all-trusting trust manager so https:// works 
+// with unsigned certs. 
+
+// TODO: cleanup ? 
+try {
+SSLContext sc = SSLContext.getInstance("SSL");
+sc.init(null, trustAllCerts, new java.security.SecureRandom());
+javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(
+sc.getSocketFactory());
+} catch (Exception e) {
+e.printStackTrace();
+} 
+
+Tomcat tomcat = getTomcatInstance();
+
+File appDir = 
+new File("output/build/webapps/examples");
+tomcat.addWebapp(null, "/examples", appDir.getAbsolutePath());
+initSsl(tomcat);
+
+tomcat.start();
+ByteChunk res = getUrl("https://localhost:"; + getPort() +
+"/examples/servlets/servlet/HelloWorldExample");
+assertTrue(res.toString().indexOf("Hello World!") > 0);
+}
+
+boolean handshakeDone = false;
+
+public void testReHandshake() throws Exception {
+Tomcat tomcat = getTomcatInstance();
+
+File appDir = 
+new File("output/build/webapps/examples");
+// app dir is relative to server home
+tomcat.addWebapp(null, "/examples", appDir.getAbsolutePath());
+
+initSsl(tomcat);
+
+tomcat.start();
+SSLContext sslCtx = SSLContext.getInstance("TLS");
+sslCtx.init(null, trustAllCerts, new java.security.SecureRandom());
+SSLSocketFactory socketFactory = sslCtx.getSocketFactory
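Review bot: `testSimpleSsl` installs the trust-everything `trustAllCerts` factory via `HttpsURLConnection.setDefaultSSLSocketFactory` for the whole test JVM and the `// TODO: cleanup ?` is never resolved, so every later test in the same run also skips certificate validation; save `HttpsURLConnection.getDefaultSSLSocketFactory()` first and restore it in a finally block or tearDown. Also, `getAcceptedIssuers()` returning `null` breaks the `X509TrustManager` contract, which expects a (possibly empty) array, so return `new java.security.cert.X509Certificate[0]` to avoid NPEs in callers that iterate it. The keystore path `../../test/org/apache/catalina/startup/test.keystore` depends on the working directory noted in the comment; resolving it from a system property would make the test less brittle.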

Re: svn commit: r834289 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

2009-11-09 Thread Bill Barker

 wrote in message 
news:20091110010244.4f8382388...@eris.apache.org...
> Author: costin
> Date: Tue Nov 10 01:02:43 2009
> New Revision: 834289
>
> URL: http://svn.apache.org/viewvc?rev=834289&view=rev
> Log:
> Fix for the SSL midm - disable client re-negotiation, connection will be 
> closed.
>
>
> Modified:
> 
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>
> Modified: 
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
> URL: 
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=834289&r1=834288&r2=834289&view=diff
> ==
> ---  
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
> (original)
> +++ 
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
> Tue Nov 10 01:02:43 2009
> @@ -42,6 +42,8 @@
> import java.util.Vector;
>
> import javax.net.ssl.CertPathTrustManagerParameters;
> +import javax.net.ssl.HandshakeCompletedEvent;
> +import javax.net.ssl.HandshakeCompletedListener;
> import javax.net.ssl.KeyManager;
> import javax.net.ssl.KeyManagerFactory;
> import javax.net.ssl.ManagerFactoryParameters;
> @@ -93,6 +95,9 @@
> private static final int defaultSessionCacheSize = 0;
> private static final int defaultSessionTimeout = 86400;
>
> +private static final boolean midmMode =
> + 
> "true".equals(System.getProperty("enable_ssl_mitm_vulnerability"));
> +
> static org.apache.juli.logging.Log log =
> 
> org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class);
>
> @@ -154,12 +159,34 @@
> SSLSocket asock = null;
> try {
>  asock = (SSLSocket)socket.accept();
> + if (!midmMode) {
> + asock.addHandshakeCompletedListener(
> + new DisableSslRenegotiation());
> + }
>  configureClientAuth(asock);
> } catch (SSLException e){
>   throw new SocketException("SSL handshake error" + e.toString());
> }
> return asock;
> }
> +
> +private static class DisableSslRenegotiation
> +implements HandshakeCompletedListener {
> +private volatile boolean completed = false;
> +
> +public void handshakeCompleted(HandshakeCompletedEvent event) {
> +if (completed) {
> +try {
> +log.warn("SSL renegotiation is disabled, closing 
> connection");
> +event.getSocket().close();

This is just a nuisance.  The black-hat can simply reconnect and request to 
resume the session.  At the very least, the session would need to be 
invalidated as well.  But from what I've read, even this isn't a very 
effective mitigation tactic.  Since we are notified after the handshake is 
done, the black-hat already has all the information she needs to continue 
the attack.

> +} catch (IOException e) {
> +// ignore
> +}
> +}
> +completed = true;
> +}
> +}
> +
>
> @Override
> public void handshake(Socket sock) throws IOException { 







Re: svn commit: r834289 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

2009-11-09 Thread Costin Manolache
Right, need to invalidate as well.

The request will not be executed - how can he continue the attack?

On Mon, Nov 9, 2009 at 7:49 PM, Bill Barker  wrote:

>
>  wrote in message
> news:20091110010244.4f8382388...@eris.apache.org...
> > Author: costin
> > Date: Tue Nov 10 01:02:43 2009
> > New Revision: 834289
> >
> > URL: http://svn.apache.org/viewvc?rev=834289&view=rev
> > Log:
> > Fix for the SSL midm - disable client re-negotiation, connection will be
> > closed.
> >
> >
> > Modified:
> >
> > tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
> >
> > Modified:
> > tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
> > URL:
> >
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=834289&r1=834288&r2=834289&view=diff
> >
> ==
> > ---
> > tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
> > (original)
> > +++
> > tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
> > Tue Nov 10 01:02:43 2009
> > @@ -42,6 +42,8 @@
> > import java.util.Vector;
> >
> > import javax.net.ssl.CertPathTrustManagerParameters;
> > +import javax.net.ssl.HandshakeCompletedEvent;
> > +import javax.net.ssl.HandshakeCompletedListener;
> > import javax.net.ssl.KeyManager;
> > import javax.net.ssl.KeyManagerFactory;
> > import javax.net.ssl.ManagerFactoryParameters;
> > @@ -93,6 +95,9 @@
> > private static final int defaultSessionCacheSize = 0;
> > private static final int defaultSessionTimeout = 86400;
> >
> > +private static final boolean midmMode =
> > +
> > "true".equals(System.getProperty("enable_ssl_mitm_vulnerability"));
> > +
> > static org.apache.juli.logging.Log log =
> >
> > org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class);
> >
> > @@ -154,12 +159,34 @@
> > SSLSocket asock = null;
> > try {
> >  asock = (SSLSocket)socket.accept();
> > + if (!midmMode) {
> > + asock.addHandshakeCompletedListener(
> > + new DisableSslRenegotiation());
> > + }
> >  configureClientAuth(asock);
> > } catch (SSLException e){
> >   throw new SocketException("SSL handshake error" +
> e.toString());
> > }
> > return asock;
> > }
> > +
> > +private static class DisableSslRenegotiation
> > +implements HandshakeCompletedListener {
> > +private volatile boolean completed = false;
> > +
> > +public void handshakeCompleted(HandshakeCompletedEvent event) {
> > +if (completed) {
> > +try {
> > +log.warn("SSL renegotiation is disabled, closing
> > connection");
> > +event.getSocket().close();
>
> This is just a nuisance.  The black-hat can simply reconnect and request to
> resume the session.  At the very least, the session would need to be
> invalidated as well.  But from what I've read, even this isn't a very
> effective mitigation tactic.  Since we are notified after the handshake is
> done, the black-hat already has all the information she needs to continue
> the attack.
>
> > +} catch (IOException e) {
> > +// ignore
> > +}
> > +}
> > +completed = true;
> > +}
> > +}
> > +
> >
> > @Override
> > public void handshake(Socket sock) throws IOException {
>
>
>
>
>
>


svn commit: r834340 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

2009-11-09 Thread costin
Author: costin
Date: Tue Nov 10 04:54:34 2009
New Revision: 834340

URL: http://svn.apache.org/viewvc?rev=834340&view=rev
Log:
Invalidate the session - so it can't be resumed. 
Not sure what else we can do using this hook - we could switch to SSLEngine, 
but that's pretty large change. 

Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=834340&r1=834339&r2=834340&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
Tue Nov 10 04:54:34 2009
@@ -178,6 +178,7 @@
 if (completed) {
 try {
 log.warn("SSL renegotiation is disabled, closing 
connection");
+event.getSession().invalidate();
 event.getSocket().close();
 } catch (IOException e) {
 // ignore
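Review bot: adding `event.getSession().invalidate()` before `close()` addresses the resumption gap raised in review, but the warning text still says only "closing connection"; mentioning that the session was invalidated and including the peer address (`event.getSocket().getRemoteSocketAddress()`) keeps the log useful for spotting repeated renegotiation attempts. As the commit log itself notes, the hook still runs after the second handshake has completed, so this remains a partial mitigation until renegotiation can be refused at the SSLEngine level.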


