[Bug 53952] Add support for TLS 1.1 and 1.2
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952 --- Comment #35 from Mark Thomas --- Agreed. I'll start looking at this today with a view to getting a release out next week. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632512 - in /tomcat/trunk: java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java webapps/docs/changelog.xml
Author: markt
Date: Fri Oct 17 08:28:32 2014
New Revision: 1632512
URL: http://svn.apache.org/r1632512
Log:
Disable SSLv3 by default for JSSE HTTPS connectors (BIO, NIO, NIO2)
Ensure SSLv2 is disabled (the JRE should do this anyway)
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/trunk/webapps/docs/changelog.xml
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1632512&r1=1632511&r2=1632512&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Fri Oct 17 08:28:32 2014
@@ -129,7 +129,16 @@ public class JSSESocketFactory implement
SSLServerSocket socket = (SSLServerSocket)
ssf.createServerSocket();
ciphers = socket.getEnabledCipherSuites();
-protocols = socket.getEnabledProtocols();
+// Filter out all the SSL protocols (SSLv2 and SSLv3) from the
+// default protocols since they are no longer considered secure
+List filteredProtocols = new ArrayList<>();
+for (String protocol : socket.getEnabledProtocols()) {
+if (protocol.contains("SSL")) {
+continue;
+}
+filteredProtocols.add(protocol);
+}
+protocols = filteredProtocols.toArray(new
String[filteredProtocols.size()]);
} catch (NoSuchAlgorithmException | KeyManagementException |
IOException |
IllegalArgumentException e) {
// Assume no RFC 5746 support if an SSLContext could not be created
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1632512&r1=1632511&r2=1632512&view=diff
==
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Oct 17 08:28:32 2014
@@ -163,6 +163,12 @@
arrays in the Connectors (e.g. when writing HTTP headers) to improve
throughput. (markt)
+
+Disable SSLv3 by default for JSSE based HTTPS connectors (BIO, NIO and
+NIO2). The change also ensures that SSLv2 is disabled for these
+connectors although SSLv2 should already be disabled by default by the
+JRE. (markt)
+
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632514 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java webapps/docs/changelog.xml
Author: markt
Date: Fri Oct 17 08:31:36 2014
New Revision: 1632514
URL: http://svn.apache.org/r1632514
Log:
Disable SSLv3 by default for JSSE HTTPS connectors (BIO, NIO, NIO2)
Ensure SSLv2 is disabled (the JRE should do this anyway)
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc7.0.x/trunk/
--
Merged /tomcat/trunk:r1632512
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1632514&r1=1632513&r2=1632514&view=diff
==
---
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Fri Oct 17 08:31:36 2014
@@ -129,7 +129,16 @@ public class JSSESocketFactory implement
SSLServerSocket socket = (SSLServerSocket)
ssf.createServerSocket();
ciphers = socket.getEnabledCipherSuites();
-protocols = socket.getEnabledProtocols();
+// Filter out all the SSL protocols (SSLv2 and SSLv3) from the
+// default protocols since they are no longer considered secure
+List filteredProtocols = new ArrayList();
+for (String protocol : socket.getEnabledProtocols()) {
+if (protocol.contains("SSL")) {
+continue;
+}
+filteredProtocols.add(protocol);
+}
+protocols = filteredProtocols.toArray(new
String[filteredProtocols.size()]);
} catch (NoSuchAlgorithmException e ) {
// Assume no RFC 5746 support if an SSLContext could not be created
// Unable to determine default ciphers/protocols so use none
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1632514&r1=1632513&r2=1632514&view=diff
==
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri Oct 17 08:31:36 2014
@@ -74,6 +74,15 @@
+
+
+
+Disable SSLv3 by default for JSSE based HTTPS connectors (BIO and NIO).
+The change also ensures that SSLv2 is disabled for these connectors
+although SSLv2 should already be disabled by default by the JRE.
(markt)
+
+
+
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Analysis of apache-tomcat-8.0.12 dependency on JDK-Internal APIs
Hi Mark, Did you get a chance to followup on the discussion on core-libs-dev@openjdk mailing list ? Rgds,Rory On 12/09/2014 11:11, dalibor topic wrote: On 11.09.2014 20:50, Mark Thomas wrote: The protection against JRE triggered memory leaks is a source of a lot of internal API usage: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/JreMemoryLeakPreventionListener.java?view=annotate It would be great of there were public APIs we could use instead or better still if the various memory leaks could be fixed. Other than that, I can't think of any off-hand. Use the internal API is something we try to avoid if at all possible. Thanks, Mark - I think this discussion would warrant its own thread on the core-libs-dev@openjdk mailing list [1] - can you start a thread there? cheers, dalibor topic [1] http://mail.openjdk.java.net/mailman/listinfo/core-libs-dev -- Rgds,Rory O'Donnell Quality Engineering Manager Oracle EMEA , Dublin, Ireland - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57105] New: under in web.xml only accept integer which doesn't follow spec
https://issues.apache.org/bugzilla/show_bug.cgi?id=57105 Bug ID: 57105 Summary: under in web.xml only accept integer which doesn't follow spec Product: Tomcat 8 Version: 8.0.14 Hardware: PC OS: Linux Status: NEW Severity: normal Priority: P2 Component: Meta Assignee: dev@tomcat.apache.org Reporter: xuyi...@gmail.com For example, I expected the following should be fine: 32kb BUT actually, it will cause start app fail. If I change it to: 32000 It is accepted. BUT, jsp compile will FAIL! -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
buildbot failure in ASF Buildbot on tomcat-7-trunk
The Buildbot has detected a new failure on builder tomcat-7-trunk while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/tomcat-7-trunk/builds/340 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: silvanus_ubuntu Build Reason: scheduler Build Source Stamp: [branch tomcat/tc7.0.x/trunk] 1632514 Blamelist: markt BUILD FAILED: failed compile_1 sincerely, -The Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57105] under in web.xml only accept integer which doesn't follow spec and cause jsp compile fail
https://issues.apache.org/bugzilla/show_bug.cgi?id=57105 Tommy Xu changed: What|Removed |Added Summary| under | under | in| in |web.xml only accept integer |web.xml only accept integer |which doesn't follow spec |which doesn't follow spec ||and cause jsp compile fail -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632523 - /tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java
Author: markt
Date: Fri Oct 17 09:25:44 2014
New Revision: 1632523
URL: http://svn.apache.org/r1632523
Log:
Remove forcing use of SSLv3 in unit tests
Modified:
tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java
Modified: tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java?rev=1632523&r1=1632522&r2=1632523&view=diff
==
--- tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java (original)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java Fri Oct 17
09:25:44 2014
@@ -20,17 +20,12 @@ import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
-import java.net.InetAddress;
-import java.net.Socket;
-import java.net.UnknownHostException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSocket;
-import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
@@ -109,12 +104,11 @@ public final class TesterSupport {
protected static void configureClientSsl() {
try {
-SSLContext sc = SSLContext.getInstance("SSL");
+SSLContext sc = SSLContext.getInstance("TLS");
sc.init(TesterSupport.getUser1KeyManagers(),
TesterSupport.getTrustManagers(),
null);
-javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(
-new TesterSSLSocketFactory(sc.getSocketFactory()));
+
javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
e.printStackTrace();
}
@@ -243,67 +237,4 @@ public final class TesterSupport {
// NOOP - Trust everything
}
}
-
-private static class TesterSSLSocketFactory
-extends SSLSocketFactory {
-
-private SSLSocketFactory factory;
-
-public TesterSSLSocketFactory(SSLSocketFactory factory) {
-this.factory = factory;
-}
-
-@Override
-public String[] getDefaultCipherSuites() {
-return factory.getDefaultCipherSuites();
-}
-
-@Override
-public String[] getSupportedCipherSuites() {
-return factory.getSupportedCipherSuites();
-}
-
-@Override
-public Socket createSocket(Socket socket, String s, int i, boolean
flag)
-throws IOException {
-SSLSocket result =
-(SSLSocket) factory.createSocket(socket, s, i, flag);
-result.setEnabledProtocols(new String[] { "SSLv3" } );
-return result;
-}
-
-@Override
-public Socket createSocket(String s, int i) throws IOException,
-UnknownHostException {
-SSLSocket result = (SSLSocket) factory.createSocket(s, i);
-result.setEnabledProtocols(new String[] { "SSLv3" } );
-return result;
-}
-
-@Override
-public Socket createSocket(String s, int i, InetAddress inetaddress,
-int j) throws IOException, UnknownHostException {
-SSLSocket result =
-(SSLSocket) factory.createSocket(s, i, inetaddress, j);
-result.setEnabledProtocols(new String[] { "SSLv3" } );
-return result;
-}
-
-@Override
-public Socket createSocket(InetAddress inetaddress, int i)
-throws IOException {
-SSLSocket result = (SSLSocket) factory.createSocket(inetaddress,
i);
-result.setEnabledProtocols(new String[] { "SSLv3" } );
-return result;
-}
-
-@Override
-public Socket createSocket(InetAddress inetaddress, int i,
-InetAddress inetaddress1, int j) throws IOException {
-SSLSocket result = (SSLSocket) factory.createSocket(
-inetaddress, i, inetaddress1, j);
-result.setEnabledProtocols(new String[] { "SSLv3" } );
-return result;
-}
-}
}
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632524 - in /tomcat/tc7.0.x/trunk: ./ test/org/apache/tomcat/util/net/TesterSupport.java
Author: markt
Date: Fri Oct 17 09:28:15 2014
New Revision: 1632524
URL: http://svn.apache.org/r1632524
Log:
Remove forcing use of SSLv3 in unit tests
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TesterSupport.java
Propchange: tomcat/tc7.0.x/trunk/
--
Merged /tomcat/trunk:r1632523
Modified:
tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TesterSupport.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TesterSupport.java?rev=1632524&r1=1632523&r2=1632524&view=diff
==
--- tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TesterSupport.java
(original)
+++ tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TesterSupport.java Fri
Oct 17 09:28:15 2014
@@ -20,10 +20,7 @@ import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
-import java.net.InetAddress;
-import java.net.Socket;
import java.net.URISyntaxException;
-import java.net.UnknownHostException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
@@ -33,8 +30,6 @@ import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;
-import javax.net.ssl.SSLSocket;
-import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
@@ -155,12 +150,11 @@ public final class TesterSupport {
protected static void configureClientSsl() {
try {
-SSLContext sc = SSLContext.getInstance("SSL");
+SSLContext sc = SSLContext.getInstance("TLS");
sc.init(TesterSupport.getUser1KeyManagers(),
TesterSupport.getTrustManagers(),
null);
-javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(
-new TesterSSLSocketFactory(sc.getSocketFactory()));
+
javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
e.printStackTrace();
}
@@ -292,67 +286,4 @@ public final class TesterSupport {
// NOOP - Trust everything
}
}
-
-private static class TesterSSLSocketFactory
-extends SSLSocketFactory {
-
-private SSLSocketFactory factory;
-
-public TesterSSLSocketFactory(SSLSocketFactory factory) {
-this.factory = factory;
-}
-
-@Override
-public String[] getDefaultCipherSuites() {
-return factory.getDefaultCipherSuites();
-}
-
-@Override
-public String[] getSupportedCipherSuites() {
-return factory.getSupportedCipherSuites();
-}
-
-@Override
-public Socket createSocket(Socket socket, String s, int i, boolean
flag)
-throws IOException {
-SSLSocket result =
-(SSLSocket) factory.createSocket(socket, s, i, flag);
-result.setEnabledProtocols(new String[] { "SSLv3" } );
-return result;
-}
-
-@Override
-public Socket createSocket(String s, int i) throws IOException,
-UnknownHostException {
-SSLSocket result = (SSLSocket) factory.createSocket(s, i);
-result.setEnabledProtocols(new String[] { "SSLv3" } );
-return result;
-}
-
-@Override
-public Socket createSocket(String s, int i, InetAddress inetaddress,
-int j) throws IOException, UnknownHostException {
-SSLSocket result =
-(SSLSocket) factory.createSocket(s, i, inetaddress, j);
-result.setEnabledProtocols(new String[] { "SSLv3" } );
-return result;
-}
-
-@Override
-public Socket createSocket(InetAddress inetaddress, int i)
-throws IOException {
-SSLSocket result = (SSLSocket) factory.createSocket(inetaddress,
i);
-result.setEnabledProtocols(new String[] { "SSLv3" } );
-return result;
-}
-
-@Override
-public Socket createSocket(InetAddress inetaddress, int i,
-InetAddress inetaddress1, int j) throws IOException {
-SSLSocket result = (SSLSocket) factory.createSocket(
-inetaddress, i, inetaddress1, j);
-result.setEnabledProtocols(new String[] { "SSLv3" } );
-return result;
-}
-}
}
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 6.0.42
On 30/09/2014 21:48, jean-frederic clere wrote: > The proposed Apache Tomcat 6.0.42 release is now available for voting. > > It can be obtained from: > https://dist.apache.org/repos/dist/dev/tomcat/tomcat-6/v6.0.42/ > > The Maven staging repo is: > https://repository.apache.org/content/repositories/orgapachetomcat-1023/ > The svn tag is: > http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_42/ > > The proposed 6.0.42 release is: > [X] Broken - do not release > [ ] Stable - go ahead and release as 6.0.42 Stable The sslEnabledProtocols setting is broken for NIO which means it is not possible to mitigate POODLE for that connector. It isn't a regression as far as I can tell but I still think it is serious enough to warrant re-rolling the release after this has been fixed. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
buildbot success in ASF Buildbot on tomcat-7-trunk
The Buildbot has detected a restored build on builder tomcat-7-trunk while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/tomcat-7-trunk/builds/341 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: silvanus_ubuntu Build Reason: scheduler Build Source Stamp: [branch tomcat/tc7.0.x/trunk] 1632524 Blamelist: markt Build succeeded! sincerely, -The Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57102] Cannot Specify sslEnabledProtocols
https://issues.apache.org/bugzilla/show_bug.cgi?id=57102 Mark Thomas changed: What|Removed |Added Status|RESOLVED|REOPENED Resolution|INVALID |--- --- Comment #2 from Mark Thomas --- This issue has been confirmed. It affects the HTTPS NIO connector. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57103] Download page should provide details on how to verify the downloads
https://issues.apache.org/bugzilla/show_bug.cgi?id=57103 --- Comment #1 from Konstantin Kolinko --- The HTTPD page does it wrong. The following command is seriously broken: % gpg --verify httpd-2.2.0.tar.gz.asc It must be % gpg --verify httpd-2.2.0.tar.gz.asc httpd-2.2.0.tar.gz per http://blog.terryburton.co.uk/2006/11/falling-into-trap-with-gpg.html https://www.gnupg.org/gph/en/manual/x135.html It makes little sense for each project to maintain a "how to verify PGP" page. There is an ASF-wide one, http://www.apache.org/info/verification.html -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632532 - /tomcat/trunk/webapps/docs/config/http.xml
Author: markt Date: Fri Oct 17 10:47:47 2014 New Revision: 1632532 URL: http://svn.apache.org/r1632532 Log: Updates docs for new sslEnabledProtocols default. Modified: tomcat/trunk/webapps/docs/config/http.xml Modified: tomcat/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1632532&r1=1632531&r2=1632532&view=diff == --- tomcat/trunk/webapps/docs/config/http.xml (original) +++ tomcat/trunk/webapps/docs/config/http.xml Fri Oct 17 10:47:47 2014 @@ -1175,8 +1175,9 @@ The comma separated list of SSL protocols to support for HTTPS connections. If specified, only the protocols that are listed and supported by the SSL implementation will be enabled. If not specified, - the JVM default is used. The permitted values may be obtained from the - JVM documentation for the allowed values for + the JVM default (excluding SSLv2 and SSLv3 if the JVM enables either or + both of them by default) is used. The permitted values may be obtained + from the JVM documentation for the allowed values for SSLSocket.setEnabledProtocols() e.g. http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames";> Oracle Java 7. Note: There is overlap between this attribute and - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632533 - /tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml
Author: markt Date: Fri Oct 17 10:48:02 2014 New Revision: 1632533 URL: http://svn.apache.org/r1632533 Log: Updates docs for new sslEnabledProtocols default. Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml?rev=1632533&r1=1632532&r2=1632533&view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml Fri Oct 17 10:48:02 2014 @@ -1044,8 +1044,9 @@ The comma separated list of SSL protocols to support for HTTPS connections. If specified, only the protocols that are listed and - supported by the SSL implementation will be enabled. If not specified, - the JVM default is used. The permitted values may be obtained from the + supported by the SSL implementation will be enabled. If not specified, + the JVM default (excluding SSLv2 and SSLv3 if the JVM enables either or + both of them by default) is used. The permitted values may be obtained from the JVM documentation for the allowed values for SSLSocket.setEnabledProtocols() e.g. http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#jssenames";> - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632537 - in /tomcat/tc6.0.x/trunk/java/org/apache: catalina/connector/Connector.java coyote/http11/Http11NioProtocol.java coyote/http11/Http11Protocol.java
Author: markt
Date: Fri Oct 17 11:07:47 2014
New Revision: 1632537
URL: http://svn.apache.org/r1632537
Log:
CTR: Whitespace clean-up prior to proposing a patch
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Connector.java
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Connector.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Connector.java?rev=1632537&r1=1632536&r2=1632537&view=diff
==
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Connector.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Connector.java Fri
Oct 17 11:07:47 2014
@@ -701,7 +701,7 @@ public class Connector
return getProtocolHandlerClassName();
}
-
+
/**
* Set the Coyote protocol which will be used by the connector.
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java?rev=1632537&r1=1632536&r2=1632537&view=diff
==
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java
Fri Oct 17 11:07:47 2014
@@ -14,7 +14,6 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-
package org.apache.coyote.http11;
import java.net.InetAddress;
@@ -58,7 +57,7 @@ import org.apache.tomcat.util.res.String
public class Http11NioProtocol extends AbstractProtocol implements
MBeanRegistration
{
protected JSSEImplementation sslImplementation = null;
-
+
public Http11NioProtocol() {
cHandler = new Http11ConnectionHandler( this );
setSoLinger(Constants.DEFAULT_CONNECTION_LINGER);
@@ -102,7 +101,7 @@ public class Http11NioProtocol extends A
} else {
return ep.setProperty(name,value); //make sure we at least try to
set all properties
}
-
+
}
/**
@@ -128,11 +127,11 @@ public class Http11NioProtocol extends A
public void init() throws Exception {
ep.setName(getName());
ep.setHandler(cHandler);
-
+
//todo, determine if we even need these
ep.getSocketProperties().setRxBufSize(Math.max(ep.getSocketProperties().getRxBufSize(),getMaxHttpHeaderSize()));
ep.getSocketProperties().setTxBufSize(Math.max(ep.getSocketProperties().getTxBufSize(),getMaxHttpHeaderSize()));
-
+
try {
ep.init();
sslImplementation = new JSSEImplementation();
@@ -225,7 +224,7 @@ public class Http11NioProtocol extends A
private int socketCloseDelay=-1;
private boolean disableUploadTimeout = true;
private int socketBuffer = 9000;
-
+
private Adapter adapter;
private Http11ConnectionHandler cHandler;
@@ -245,15 +244,15 @@ public class Http11NioProtocol extends A
public void setPollerThreadCount(int count) {
ep.setPollerThreadCount(count);
}
-
+
public int getPollerThreadCount() {
return ep.getPollerThreadCount();
}
-
+
public void setSelectorTimeout(long timeout) {
ep.setSelectorTimeout(timeout);
}
-
+
public long getSelectorTimeout() {
return ep.getSelectorTimeout();
}
@@ -266,7 +265,7 @@ public class Http11NioProtocol extends A
public void setExecutor(Executor executor) {
ep.setExecutor(executor);
}
-
+
public void setUseExecutor(boolean useexec) {
ep.setUseExecutor(useexec);
}
@@ -284,7 +283,7 @@ public class Http11NioProtocol extends A
ep.setThreadPriority(threadPriority);
setAttribute("threadPriority", "" + threadPriority);
}
-
+
public void setAcceptorThreadPriority(int threadPriority) {
ep.setAcceptorThreadPriority(threadPriority);
setAttribute("acceptorThreadPriority", "" + threadPriority);
@@ -302,12 +301,12 @@ public class Http11NioProtocol extends A
public int getAcceptorThreadPriority() {
return ep.getAcceptorThreadPriority();
}
-
+
public int getPollerThreadPriority() {
return ep.getThreadPriority();
}
-
-
+
+
public boolean getUseSendfile() {
return ep.getUseSendfile();
}
@@ -315,7 +314,7 @@ public class Http11NioProtocol extends A
public void setUseSendfile(boolean useSendfile) {
ep.setUseSendfile(useSendfile);
}
-
+
// Tcp setup
public int getBacklog() {
@@ -549,19 +548,19 @@ public class Http1
[Bug 57102] Cannot Specify sslEnabledProtocols
https://issues.apache.org/bugzilla/show_bug.cgi?id=57102 --- Comment #3 from Mark Thomas --- Fix proposed for 6.0.x -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632538 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: markt Date: Fri Oct 17 11:15:51 2014 New Revision: 1632538 URL: http://svn.apache.org/r1632538 Log: Proposal Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1632538&r1=1632537&r2=1632538&view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Fri Oct 17 11:15:51 2014 @@ -102,6 +102,12 @@ PATCHES PROPOSED TO BACKPORT: +1: kkolinko, markt -1: +* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57102 + Ensure the the sslEnabledProtocols option works with both BIO and NIO + http://people.apache.org/~markt/patches/2014-10-17-bug57102-tc6-v1.patch + +1: markt + -1: + PATCHES/ISSUES THAT ARE STALLED: - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57102] Cannot Specify sslEnabledProtocols
https://issues.apache.org/bugzilla/show_bug.cgi?id=57102 --- Comment #4 from Konstantin Kolinko --- How about protocols="TLSv1,TLSv1.1,TLSv1.2" ? See bug 54691 for original introduction of sslEnabledProtocols in Tomcat 6. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632541 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: kkolinko Date: Fri Oct 17 11:41:35 2014 New Revision: 1632541 URL: http://svn.apache.org/r1632541 Log: vote Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1632541&r1=1632540&r2=1632541&view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Fri Oct 17 11:41:35 2014 @@ -105,7 +105,7 @@ PATCHES PROPOSED TO BACKPORT: * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57102 Ensure the the sslEnabledProtocols option works with both BIO and NIO http://people.apache.org/~markt/patches/2014-10-17-bug57102-tc6-v1.patch - +1: markt + +1: markt, kkolinko -1: - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
buildbot exception in ASF Buildbot on tomcat-trunk
The Buildbot has detected a build exception on builder tomcat-trunk while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/tomcat-trunk/builds/556 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-vm_ubuntu Build Reason: scheduler Build Source Stamp: [branch tomcat/trunk] 1632512 Blamelist: markt BUILD FAILED: exception compile_1 upload_3 sincerely, -The Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57102] Cannot Specify sslEnabledProtocols
https://issues.apache.org/bugzilla/show_bug.cgi?id=57102
--- Comment #5 from Konstantin Kolinko ---
(In reply to Konstantin Kolinko from comment #4)
> How about protocols="TLSv1,TLSv1.1,TLSv1.2" ?
>
> See bug 54691 for original introduction of sslEnabledProtocols in Tomcat 6.
I see now, r1521514 was wrong as there was no "protocols" setting for Nio in
Tomcat 6. Bio uses "attributes.get("protocols")" in
JSSESocketFactory.initServerSocket(), but Nio has different code with
NioEndpoint.createSSLEngine().
Voted for the patch.
--
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1632538 - /tomcat/tc6.0.x/trunk/STATUS.txt
2014-10-17 15:15 GMT+04:00 : > Author: markt > Date: Fri Oct 17 11:15:51 2014 > New Revision: 1632538 > > URL: http://svn.apache.org/r1632538 > Log: > Proposal > > Modified: > tomcat/tc6.0.x/trunk/STATUS.txt > > +* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57102 > + Ensure the the sslEnabledProtocols option works with both BIO and NIO > + http://people.apache.org/~markt/patches/2014-10-17-bug57102-tc6-v1.patch I think it makes sense to also implement getters for those properties in Http11NioProtocol. The NioEndpoint does not have a getter yet, but it has NioEndpoint.sslEnabledProtocols field that stores original setting. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632550 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: remm Date: Fri Oct 17 12:22:15 2014 New Revision: 1632550 URL: http://svn.apache.org/r1632550 Log: Votes. Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1632550&r1=1632549&r2=1632550&view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Fri Oct 17 12:22:15 2014 @@ -76,7 +76,7 @@ PATCHES PROPOSED TO BACKPORT: - Builds successfully with Ant 1.8.0. https://people.apache.org/~kkolinko/patches/2014-09-22_tc6_Ant180.patch - +1: kkolinko, markt + +1: kkolinko, markt, remm -1: * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56988 @@ -89,7 +89,7 @@ PATCHES PROPOSED TO BACKPORT: may run in different environments, e.g. Buildbot. https://issues.apache.org/bugzilla/attachment.cgi?id=32041 - +1: kkolinko, markt + +1: kkolinko, markt, remm -1: * For https://issues.apache.org/bugzilla/show_bug.cgi?id=56079 @@ -99,13 +99,13 @@ PATCHES PROPOSED TO BACKPORT: them. I do not envision any drawbacks. http://svn.apache.org/r1627420 - +1: kkolinko, markt + +1: kkolinko, markt, remm -1: * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57102 Ensure the the sslEnabledProtocols option works with both BIO and NIO http://people.apache.org/~markt/patches/2014-10-17-bug57102-tc6-v1.patch - +1: markt, kkolinko + +1: markt, kkolinko, remm -1: - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57105] under in web.xml only accept integer which doesn't follow spec and cause jsp compile fail
https://issues.apache.org/bugzilla/show_bug.cgi?id=57105 --- Comment #1 from Konstantin Kolinko --- The allowed values are "none" and "kb". It is verified in org.apache.jasper.compiler.PageInfo.setBufferValue() 1. The buffer size can also be specified via buffer attribute on @page directive. The same code is used to verify both use cases. Thus no wonder that the check happens in JSP compiler. 2. I would say that the better place to do verification is XSD schema, jsp_2_3.xsd. Unfortunately it is currently declared there just as type="javaee:string" with no further constraints. I think that to make changes there, it has to be raised with the specification folks. Note that validation of web.xml is only enabled if you are running in "strict compliance" mode by setting a system property or setting xmlValidation="true" on Context. https://tomcat.apache.org/tomcat-8.0-doc/config/systemprops.html#Specifications 3. I does not really feels as a job for JSP engine to verify web.xml, and Servlet engine has little interest in those effectively foreign settings. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: digest.bat (RealmBase.main()) is broken in current Tomcat 8 trunk. Tomcat 8.0.14 is OK.
2014-09-30 19:22 GMT+04:00 Konstantin Kolinko :
> 2014-09-29 14:43 GMT+04:00 Mark Thomas :
>> On 27/09/2014 15:52, Konstantin Kolinko wrote:
> ()
>
>>> 4) The current javadoc for RealmBase.main() says that algorithm (-a)
>>> is not required and "If not specified a default of SHA-512 will be
>>> used."
>>>
>>> I wonder whether that is justified.
>>
>> That is what is currently implemented. Happy to discuss changes but
>> SHA-512 doesn't seem unreasonable to me.
>
>
> I think there is a contradiction between -a and -h
> keys:
> 1) If -h is used I think it shall default to whatever default
> algorithm the credential handler implements.
> 2) Custom credential handler implementations may lack setAlgorithm() method.
>
> I think that one of (-a, -h) is required, with no default for either.
> The old code had no default for algorithm.
>
>> String encoding = "UTF-8";
>
> I think it shall use system encoding, because the value is passed on
> the command line and is not read from file etc.
>
> The old code used system encoding by default. The system encoding is
> what the system uses, so it is reasonable.
>
> Note the following text (I am linking to Tomcat 7 docs),
> -> Realms and AAA -> Common Features -> Digested passwords
>
> http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#Digested_Passwords
>
> [quote]
> Non-ASCII usernames and/or passwords are supported using
>
> CATALINA_HOME/bin/digest.[bat|sh] -a {algorithm} -e {encoding} {input}
>
> but care is required to ensure that the non-ASCII input is correctly
> passed to the digester. The digester returns {input}:{digest}. If the
> input appears corrupted in the return, the digest will be invalid.
> [/quote]
>
> BTW, That chapter in realm-howto in Tomcat 8 needs an update for the
> new features of digest.sh / RealmBase.main().
>
I think that this have to be fixed before tagging next Tomcat 8 release.
1. Remove default value for algorithm. Ask the caller to provide
either "-a" or "-h" option explicitly.
Motivation:
- Revert to previous behaviour.
- I see contradiction between -a and -h, as I wrote above.
2. Use system default encoding instead of UTF-8 by default.
Motivation:
- Revert to previous behaviour. It makes sense to expect system
encoding when you are calling something from the command line, as that
is the encoding that command line uses.
3. Update realm-howto.html#Digested_Passwords
It does not document the new -h option.
Best regards,
Konstantin Kolinko
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57105] under in web.xml only accept integer which doesn't follow spec and cause jsp compile fail
https://issues.apache.org/bugzilla/show_bug.cgi?id=57105 --- Comment #2 from Tommy Xu --- What I mean is when set 32kb in in web.xml is ok, BUT when tomcat start, it will throw Exception, because in source code, it parse it by calling Integer.valueOf(...) which is want to convert "32kb" into a integer. Please consider it. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632570 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: markt Date: Fri Oct 17 13:29:00 2014 New Revision: 1632570 URL: http://svn.apache.org/r1632570 Log: Vote Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1632570&r1=1632569&r2=1632570&view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Fri Oct 17 13:29:00 2014 @@ -45,7 +45,7 @@ PATCHES PROPOSED TO BACKPORT: https://people.apache.org/~kkolinko/patches/2014-06-23_tc6_Mapper_diff-x-b.patch https://people.apache.org/~kkolinko/patches/2014-06-23_tc6_Mapper.patch - +1: kkolinko + +1: kkolinko, markt -1: * Fix generics warnings in Mapper. @@ -54,7 +54,7 @@ PATCHES PROPOSED TO BACKPORT: errors when working on this class. It is just some local variables. No change in functionality or APIs. https://people.apache.org/~kkolinko/patches/2014-06-23_tc6_Mapper_generics.patch - +1: kkolinko + +1: kkolinko, markt -1: * Update documented minimum Ant version to use at build time to be 1.8.0 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632571 - in /tomcat/tc6.0.x/trunk: STATUS.txt java/org/apache/catalina/connector/Connector.java java/org/apache/coyote/http11/Http11NioProtocol.java java/org/apache/coyote/http11/Http11P
Author: markt
Date: Fri Oct 17 13:29:51 2014
New Revision: 1632571
URL: http://svn.apache.org/r1632571
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57102
Ensure the the sslEnabledProtocols option works with both BIO and NIO
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Connector.java
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1632571&r1=1632570&r2=1632571&view=diff
==
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Fri Oct 17 13:29:51 2014
@@ -102,12 +102,6 @@ PATCHES PROPOSED TO BACKPORT:
+1: kkolinko, markt, remm
-1:
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57102
- Ensure the the sslEnabledProtocols option works with both BIO and NIO
- http://people.apache.org/~markt/patches/2014-10-17-bug57102-tc6-v1.patch
- +1: markt, kkolinko, remm
- -1:
-
PATCHES/ISSUES THAT ARE STALLED:
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Connector.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Connector.java?rev=1632571&r1=1632570&r2=1632571&view=diff
==
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Connector.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Connector.java Fri
Oct 17 13:29:51 2014
@@ -312,7 +312,6 @@ public class Connector
replacements.put("keystoreType", "keytype");
replacements.put("sslProtocol", "protocol");
replacements.put("sslProtocols", "protocols");
- replacements.put("sslEnabledProtocols", "protocols");
}
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java?rev=1632571&r1=1632570&r2=1632571&view=diff
==
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java
Fri Oct 17 13:29:51 2014
@@ -24,6 +24,7 @@ import java.util.concurrent.ConcurrentHa
import java.util.concurrent.ConcurrentLinkedQueue;
import java.util.concurrent.Executor;
import java.util.concurrent.atomic.AtomicInteger;
+
import javax.management.MBeanRegistration;
import javax.management.MBeanServer;
import javax.management.ObjectName;
@@ -587,6 +588,16 @@ public class Http11NioProtocol extends A
public boolean getSSLEnabled() { return ep.isSSLEnabled(); }
public void setSSLEnabled(boolean SSLEnabled) {
ep.setSSLEnabled(SSLEnabled); }
+// Alias for sslEnabledProtocols
+public void setProtocols(String k) {
+setSslEnabledProtocols(k);
+}
+
+public void setSslEnabledProtocols(String k) {
+ep.setSslEnabledProtocols(k);
+}
+
+
/**
* When client certificate information is presented in a form other than
* instances of {@link java.security.cert.X509Certificate} it needs to be
Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java?rev=1632571&r1=1632570&r2=1632571&view=diff
==
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java Fri
Oct 17 13:29:51 2014
@@ -498,6 +498,15 @@ public class Http11Protocol extends Abst
setAttribute("protocols", k);
}
+// Alias for protocols
+public String getSslEnabledProtocols() {
+return getProtocols();
+}
+
+public void setSslEnabledProtocols(String k) {
+setProtocols(k);
+}
+
public String getAlgorithm() {
return (String) getAttribute("algorithm");
}
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1632571&r1=1632570&r2=1632571&view=diff
==
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Fri Oct 17 13:29:51 2014
@@ -73,6 +73,10 @@
56661: Support using AJP request attribute
AJP_LOCAL_ADDR to fix getLocalAddr(). (rjung)
+
+57102: Fix bug that me
Re: svn commit: r1632538 - /tomcat/tc6.0.x/trunk/STATUS.txt
On 17/10/2014 13:18, Konstantin Kolinko wrote: > 2014-10-17 15:15 GMT+04:00 : >> Author: markt >> Date: Fri Oct 17 11:15:51 2014 >> New Revision: 1632538 >> >> URL: http://svn.apache.org/r1632538 >> Log: >> Proposal >> >> Modified: >> tomcat/tc6.0.x/trunk/STATUS.txt >> > >> +* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57102 >> + Ensure the the sslEnabledProtocols option works with both BIO and NIO >> + http://people.apache.org/~markt/patches/2014-10-17-bug57102-tc6-v1.patch > > > I think it makes sense to also implement getters for those properties > in Http11NioProtocol. > The NioEndpoint does not have a getter yet, but it has > NioEndpoint.sslEnabledProtocols field that stores original setting. My aim was the simplest / most obvious patch that fixed the issue. I'm not against further changes but clean-up of this nature is much further down my personal priority list than bug fixes. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57097] Add name attribute to standard connectors
https://issues.apache.org/bugzilla/show_bug.cgi?id=57097 --- Comment #3 from Christopher Schultz --- I think there is a legitimate use case here. The "name" shouldn't override the existing JMX name... just add another property that can be used to locate the connector, even if you have to grab the whole set of connectors and loop through them looking for it. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632573 - /tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
Author: markt
Date: Fri Oct 17 13:37:21 2014
New Revision: 1632573
URL: http://svn.apache.org/r1632573
Log:
CTR: Whitespace changes only to make subsequent patch proposal cleaner
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?rev=1632573&r1=1632572&r2=1632573&view=diff
==
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java Fri
Oct 17 13:37:21 2014
@@ -112,7 +112,7 @@ public class NioEndpoint extends Abstrac
public static final int OP_REGISTER = 0x100; //register interest op
public static final int OP_CALLBACK = 0x200; //callback interest op
-
+
// - Fields
@@ -156,51 +156,51 @@ public class NioEndpoint extends Abstrac
* Sequence number used to generate thread names.
*/
protected int sequence = 0;
-
+
protected NioSelectorPool selectorPool = new NioSelectorPool();
-
+
/**
* Server socket "pointer".
*/
protected ServerSocketChannel serverSock = null;
-
+
/**
* use send file
*/
protected boolean useSendfile = true;
-
+
/**
* The size of the OOM parachute.
*/
protected int oomParachute = 1024*1024;
/**
- * The oom parachute, when an OOM error happens,
- * will release the data, giving the JVM instantly
+ * The oom parachute, when an OOM error happens,
+ * will release the data, giving the JVM instantly
* a chunk of data to be able to recover with.
*/
protected byte[] oomParachuteData = null;
-
+
/**
* Make sure this string has already been allocated
*/
-protected static final String oomParachuteMsg =
+protected static final String oomParachuteMsg =
"SEVERE:Memory usage is low, parachute is non existent, your system
may start failing.";
-
+
/**
* Keep track of OOM warning messages.
*/
long lastParachuteCheck = System.currentTimeMillis();
-
+
/**
* Keep track of how many threads are in use
*/
protected AtomicInteger activeSocketProcessors = new AtomicInteger(0);
-
+
/**
- *
+ *
*/
protected volatile CountDownLatch stopLatch = null;
-
+
/**
* Cache for SocketProcessor objects
*/
@@ -219,7 +219,7 @@ public class NioEndpoint extends Abstrac
}
else return false;
}
-
+
public SocketProcessor poll() {
SocketProcessor result = super.poll();
if ( result != null ) {
@@ -227,7 +227,7 @@ public class NioEndpoint extends Abstrac
}
return result;
}
-
+
public void clear() {
super.clear();
size.set(0);
@@ -268,7 +268,7 @@ public class NioEndpoint extends Abstrac
}
};
-
+
/**
* Cache for poller events
*/
@@ -323,7 +323,7 @@ public class NioEndpoint extends Abstrac
}
else return false;
}
-
+
public NioChannel poll() {
NioChannel result = super.poll();
if ( result != null ) {
@@ -332,7 +332,7 @@ public class NioEndpoint extends Abstrac
}
return result;
}
-
+
public void clear() {
super.clear();
size.set(0);
@@ -340,7 +340,7 @@ public class NioEndpoint extends Abstrac
}
};
-
+
// - Properties
@@ -351,7 +351,7 @@ public class NioEndpoint extends Abstrac
protected Executor executor = null;
public void setExecutor(Executor executor) { this.executor = executor; }
public Executor getExecutor() { return executor; }
-
+
protected boolean useExecutor = true;
public void setUseExecutor(boolean useexec) { useExecutor = useexec;}
public boolean getUseExecutor() { return useExecutor || (executor!=null);}
@@ -367,7 +367,7 @@ public class NioEndpoint extends Abstrac
if (executor instanceof ThreadPoolExecutor) {
((ThreadPoolExecutor)executor).setMaximumPoolSize(maxThreads);
}
-}else if (workers!=null){
+}else if (workers!=null){
synchronized(workers) {
workers.resize(maxThreads);
}
@@ -454,7 +454,7 @@ public class NioEndpoint extends Abstrac
* Socket linger.
*/
public int getSoLinger() { return socketProperties.getSoLingerTime(); }
-public void se
[Bug 53952] Add support for TLS 1.1 and 1.2
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952 --- Comment #36 from Christopher Schultz --- I'll do another review of the tcnative patch and apply as appropriate. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57102] Cannot Specify sslEnabledProtocols
https://issues.apache.org/bugzilla/show_bug.cgi?id=57102 --- Comment #6 from Christopher Schultz --- Whoops, sorry for the oversight on the NIO connector. It looks like markt applied this patch. Is this then FIXED? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: digest.bat (RealmBase.main()) is broken in current Tomcat 8 trunk. Tomcat 8.0.14 is OK.
Konstantin,
On 10/17/14 9:13 AM, Konstantin Kolinko wrote:
> 2014-09-30 19:22 GMT+04:00 Konstantin Kolinko :
>> 2014-09-29 14:43 GMT+04:00 Mark Thomas :
>>> On 27/09/2014 15:52, Konstantin Kolinko wrote:
>> ()
>>
4) The current javadoc for RealmBase.main() says that algorithm (-a)
is not required and "If not specified a default of SHA-512 will be
used."
I wonder whether that is justified.
>>>
>>> That is what is currently implemented. Happy to discuss changes but
>>> SHA-512 doesn't seem unreasonable to me.
>>
>>
>> I think there is a contradiction between -a and -h
>> keys:
>> 1) If -h is used I think it shall default to whatever default
>> algorithm the credential handler implements.
>> 2) Custom credential handler implementations may lack setAlgorithm() method.
>>
>> I think that one of (-a, -h) is required, with no default for either.
>> The old code had no default for algorithm.
>>
>>> String encoding = "UTF-8";
>>
>> I think it shall use system encoding, because the value is passed on
>> the command line and is not read from file etc.
>>
>> The old code used system encoding by default. The system encoding is
>> what the system uses, so it is reasonable.
>>
>> Note the following text (I am linking to Tomcat 7 docs),
>> -> Realms and AAA -> Common Features -> Digested passwords
>>
>> http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#Digested_Passwords
>>
>> [quote]
>> Non-ASCII usernames and/or passwords are supported using
>>
>> CATALINA_HOME/bin/digest.[bat|sh] -a {algorithm} -e {encoding} {input}
>>
>> but care is required to ensure that the non-ASCII input is correctly
>> passed to the digester. The digester returns {input}:{digest}. If the
>> input appears corrupted in the return, the digest will be invalid.
>> [/quote]
>>
>> BTW, That chapter in realm-howto in Tomcat 8 needs an update for the
>> new features of digest.sh / RealmBase.main().
>>
>
> I think that this have to be fixed before tagging next Tomcat 8 release.
>
> 1. Remove default value for algorithm. Ask the caller to provide
> either "-a" or "-h" option explicitly.
>
> Motivation:
> - Revert to previous behaviour.
> - I see contradiction between -a and -h, as I wrote above.
+1
> 2. Use system default encoding instead of UTF-8 by default.
>
> Motivation:
> - Revert to previous behaviour. It makes sense to expect system
> encoding when you are calling something from the command line, as that
> is the encoding that command line uses.
+1
We might want to
a) Allow credentials on stdin to avoid system encoding
b) Instruct the user to use -Dfile.encoding to alter the encoding
instead of using "-e"
> 3. Update realm-howto.html#Digested_Passwords
>
> It does not document the new -h option.
I can fix that, but only after we agree on these changes.
-chris
signature.asc
Description: OpenPGP digital signature
svn commit: r1632577 - /tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
Author: schultz
Date: Fri Oct 17 13:52:24 2014
New Revision: 1632577
URL: http://svn.apache.org/r1632577
Log:
Maintain SSL_OP parity with OpenSSL: add SSL_OP_NO_TLSv1_1 and
SSL_OP_NO_TLSv1_2.
Modified:
tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1632577&r1=1632576&r2=1632577&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Fri Oct 17 13:52:24 2014
@@ -135,6 +135,9 @@ public final class SSL {
public static final int SSL_OP_NO_SSLv2 =
0x0100;
public static final int SSL_OP_NO_SSLv3 =
0x0200;
public static final int SSL_OP_NO_TLSv1 =
0x0400;
+public static final int SSL_OP_NO_TLSv1_1 =
0x0800;
+public static final int SSL_OP_NO_TLSv1_2 =
0x1000;
+
public static final int SSL_OP_NO_TICKET=
0x4000;
/* The next flag deliberately changes the ciphertest, this is a check
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632578 - /tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Author: markt
Date: Fri Oct 17 13:52:40 2014
New Revision: 1632578
URL: http://svn.apache.org/r1632578
Log:
CTR: Whitespace changes only to make subsequent patch proposal cleaner
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1632578&r1=1632577&r2=1632578&view=diff
==
---
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
(original)
+++
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Fri Oct 17 13:52:40 2014
@@ -69,7 +69,7 @@ import org.apache.tomcat.util.res.String
/**
* SSL server socket factory. It _requires_ a valid RSA key and
- * JSSE.
+ * JSSE.
*
* @author Harish Prabandham
* @author Costin Manolache
@@ -95,7 +95,7 @@ public class JSSESocketFactory
private static final String defaultKeyPass = "changeit";
private static final int defaultSessionCacheSize = 0;
private static final int defaultSessionTimeout = 86400;
-
+
static org.apache.juli.logging.Log log =
org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class);
@@ -149,7 +149,7 @@ public class JSSESocketFactory
initServerSocket(socket);
return socket;
}
-
+
public ServerSocket createSocket (int port, int backlog)
throws IOException
{
@@ -158,18 +158,18 @@ public class JSSESocketFactory
initServerSocket(socket);
return socket;
}
-
+
public ServerSocket createSocket (int port, int backlog,
InetAddress ifAddress)
throws IOException
-{
+{
if (!initialized) init();
ServerSocket socket = sslProxy.createServerSocket(port, backlog,
ifAddress);
initServerSocket(socket);
return socket;
}
-
+
public Socket acceptSocket(ServerSocket socket)
throws IOException
{
@@ -182,7 +182,7 @@ public class JSSESocketFactory
}
return asock;
}
-
+
public void handshake(Socket sock) throws IOException {
((SSLSocket)sock).startHandshake();
@@ -254,7 +254,7 @@ public class JSSESocketFactory
}
}
}
-}
+}
if (vec != null) {
enabledCiphers = new String[vec.size()];
@@ -266,7 +266,7 @@ public class JSSESocketFactory
return enabledCiphers;
}
-
+
/*
* Gets the SSL server's keystore password.
*/
@@ -477,7 +477,7 @@ public class JSSESocketFactory
}
// Create and init SSLContext
-SSLContext context = SSLContext.getInstance(protocol);
+SSLContext context = SSLContext.getInstance(protocol);
context.init(getKeyManagers(keystoreType, keystoreProvider,
algorithm,
(String) attributes.get("keyAlias")),
@@ -517,7 +517,7 @@ public class JSSESocketFactory
allowUnsafeLegacyRenegotiation =
"true".equals(attributes.get("allowUnsafeLegacyRenegotiation"));
-
+
// Check the SSL config is OK
checkConfig();
@@ -569,9 +569,9 @@ public class JSSESocketFactory
String keystoreProvider, String algorithm)
throws Exception {
String crlf = (String) attributes.get("crlFile");
-
+
TrustManager[] tms = null;
-
+
KeyStore trustStore = getTrustStore(keystoreType, keystoreProvider);
if (trustStore != null) {
if (crlf == null) {
@@ -586,7 +586,7 @@ public class JSSESocketFactory
tms = getTrustManagers(tmf);
}
}
-
+
return tms;
}
@@ -595,10 +595,10 @@ public class JSSESocketFactory
* trustManagerClassName attribute (if set) else from the
* {@link TrustManagerFactory}.
* @return The TrustManagers to use for this connector.
- * @throws NoSuchAlgorithmException
- * @throws ClassNotFoundException
- * @throws IllegalAccessException
- * @throws InstantiationException
+ * @throws NoSuchAlgorithmException
+ * @throws ClassNotFoundException
+ * @throws IllegalAccessException
+ * @throws InstantiationException
*/
protected TrustManager[] getTrustManagers(TrustManagerFactory tmf)
throws NoSuchAlgorithmException, ClassNotFoundException,
@@ -615,26 +615,26 @@ public class JSSESocketFactory
Object trustManagerObject = clazz.newInstance();
TrustManager trustManager =
Re: svn commit: r1632577 - /tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
All,
On 10/17/14 9:52 AM, schu...@apache.org wrote:
> Author: schultz
> Date: Fri Oct 17 13:52:24 2014
> New Revision: 1632577
>
> URL: http://svn.apache.org/r1632577
> Log:
> Maintain SSL_OP parity with OpenSSL: add SSL_OP_NO_TLSv1_1 and
> SSL_OP_NO_TLSv1_2.
>
> Modified:
> tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
>
> Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
> URL:
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1632577&r1=1632576&r2=1632577&view=diff
> ==
> --- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original)
> +++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Fri Oct 17 13:52:24 2014
> @@ -135,6 +135,9 @@ public final class SSL {
> public static final int SSL_OP_NO_SSLv2 =
> 0x0100;
> public static final int SSL_OP_NO_SSLv3 =
> 0x0200;
> public static final int SSL_OP_NO_TLSv1 =
> 0x0400;
> +public static final int SSL_OP_NO_TLSv1_1 =
> 0x0800;
> +public static final int SSL_OP_NO_TLSv1_2 =
> 0x1000;
> +
> public static final int SSL_OP_NO_TICKET=
> 0x4000;
I just noticed that this conflicts with the SSL_OPs defined just below
these in SSL.java:
> /* The next flag deliberately changes the ciphertest, this is a check
> * for the PKCS#1 attack */
> public static final int SSL_OP_PKCS1_CHECK_1=
> 0x0800;
> public static final int SSL_OP_PKCS1_CHECK_2=
> 0x1000;
At some point (1.0, I think), OpenSSL deprecated the PKCS1 constants,
made their values 0x0, and re-purposed the flag values for the TLSv1_1
and TLSv1_2 options shown above.
Without checking the OpenSSL version, client code will have no way of
knowing whether they are checking for the TLSv1_x or PKCS1 SSL_OP flags,
especially if the Java code has been compiled against a prior version of
SSL.java (because javac stupidly copies constant values from one class
to another instead of looking them up at runtime, at least the last time
I checked).
What should we do, here? We can make those constants dynamic, but then
we have to do the OpenSSL library load in the class's static initializer
instead of in APRLifecycleListener.
We could remove SSL_OP_PKCS1_CHECK but then that means anyone relying on
it for use with OpenSSL 0.9.8* might be out of luck.
I'm a bit nervous about picking a winner here between OpenSSL 0.9.8 and
1.0.1.
Any thoughts?
-chris
signature.asc
Description: OpenPGP digital signature
svn commit: r1632580 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: markt Date: Fri Oct 17 14:00:49 2014 New Revision: 1632580 URL: http://svn.apache.org/r1632580 Log: Proposal Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1632580&r1=1632579&r2=1632580&view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Fri Oct 17 14:00:49 2014 @@ -102,6 +102,11 @@ PATCHES PROPOSED TO BACKPORT: +1: kkolinko, markt, remm -1: +* Mitigate POODLE by disabling SSLv3 by default + http://people.apache.org/~markt/patches/2014-10-17-poodle-tc6-v1.patch + +1: markt + -1: + PATCHES/ISSUES THAT ARE STALLED: - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57102] Cannot Specify sslEnabledProtocols
https://issues.apache.org/bugzilla/show_bug.cgi?id=57102 Mark Thomas changed: What|Removed |Added Status|REOPENED|RESOLVED Resolution|--- |FIXED --- Comment #7 from Mark Thomas --- This is fixed in 6.0.x and will be included in 6.0.x onwards. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [Bug 56401] Log version information on startup
Hi, 2014-09-25 19:31 GMT+03:00 : > > https://issues.apache.org/bugzilla/show_bug.cgi?id=56401 > > --- Comment #9 from Mark Thomas --- > Imporved fix applied to 8.0.x for 8.0.15 onwards. What do you think if I back-port this feature to Tomcat 7? Thanks, Violeta > > -- > You are receiving this mail because: > You are the assignee for the bug. > > - > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org >
Re: svn commit: r1632577 - /tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
2014-10-17 17:59 GMT+04:00 Christopher Schultz :
> All,
>
> On 10/17/14 9:52 AM, schu...@apache.org wrote:
>> Author: schultz
>> Date: Fri Oct 17 13:52:24 2014
>> New Revision: 1632577
>>
>> URL: http://svn.apache.org/r1632577
>> Log:
>> Maintain SSL_OP parity with OpenSSL: add SSL_OP_NO_TLSv1_1 and
>> SSL_OP_NO_TLSv1_2.
>>
>> Modified:
>> tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
>>
>> Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1632577&r1=1632576&r2=1632577&view=diff
>> ==
>> --- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original)
>> +++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Fri Oct 17 13:52:24 2014
>> @@ -135,6 +135,9 @@ public final class SSL {
>> public static final int SSL_OP_NO_SSLv2 =
>> 0x0100;
>> public static final int SSL_OP_NO_SSLv3 =
>> 0x0200;
>> public static final int SSL_OP_NO_TLSv1 =
>> 0x0400;
>> +public static final int SSL_OP_NO_TLSv1_1 =
>> 0x0800;
>> +public static final int SSL_OP_NO_TLSv1_2 =
>> 0x1000;
>> +
>> public static final int SSL_OP_NO_TICKET=
>> 0x4000;
>
> I just noticed that this conflicts with the SSL_OPs defined just below
> these in SSL.java:
>
>> /* The next flag deliberately changes the ciphertest, this is a check
>> * for the PKCS#1 attack */
>> public static final int SSL_OP_PKCS1_CHECK_1=
>> 0x0800;
>> public static final int SSL_OP_PKCS1_CHECK_2=
>> 0x1000;
>
> At some point (1.0, I think), OpenSSL deprecated the PKCS1 constants,
> made their values 0x0, and re-purposed the flag values for the TLSv1_1
> and TLSv1_2 options shown above.
>
> Without checking the OpenSSL version, client code will have no way of
> knowing whether they are checking for the TLSv1_x or PKCS1 SSL_OP flags,
> especially if the Java code has been compiled against a prior version of
> SSL.java (because javac stupidly copies constant values from one class
> to another instead of looking them up at runtime, at least the last time
> I checked).
>
> What should we do, here? We can make those constants dynamic, but then
> we have to do the OpenSSL library load in the class's static initializer
> instead of in APRLifecycleListener.
>
> We could remove SSL_OP_PKCS1_CHECK but then that means anyone relying on
> it for use with OpenSSL 0.9.8* might be out of luck.
>
> I'm a bit nervous about picking a winner here between OpenSSL 0.9.8 and
> 1.0.1.
>
> Any thoughts?
>
I think just mark them as @Deprecated as "Not defined in OpenSSL 1.x",
"Removed since OpenSSL 1.0" or "Have different values in different
OpenSSL versions".
Tomcat code does not use them.
Best regards,
Konstantin Kolinko
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [Bug 56401] Log version information on startup
2014-10-17 18:08 GMT+04:00 Violeta Georgieva : > Hi, > > 2014-09-25 19:31 GMT+03:00 : >> >> https://issues.apache.org/bugzilla/show_bug.cgi?id=56401 >> >> --- Comment #9 from Mark Thomas --- >> Imporved fix applied to 8.0.x for 8.0.15 onwards. > > What do you think if I back-port this feature to Tomcat 7? +1 I think it is useful and implementation is pretty stabilized now. Caveats: a) Do not forget to backport r1627569 (AprLifecycleListener logging improvement) b) The output does not look good if logged with java.util.logging.SimpleFormatter that is default in Tomcat 7. It is just a matter of taste and may be addressed later. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1632580 - /tomcat/tc6.0.x/trunk/STATUS.txt
2014-10-17 18:00 GMT+04:00 :
> Author: markt
> Date: Fri Oct 17 14:00:49 2014
> New Revision: 1632580
>
> URL: http://svn.apache.org/r1632580
> Log:
> Proposal
>
> Modified:
> tomcat/tc6.0.x/trunk/STATUS.txt
>
> +* Mitigate POODLE by disabling SSLv3 by default
> + http://people.apache.org/~markt/patches/2014-10-17-poodle-tc6-v1.patch
> + +1: markt
> + -1:
I think that filtering by protocol.contains("SSL") in NioEndpoint also disables
"SSLv2Hello". I am OK with that. Just noting in case it needs to be documented.
Best regards,
Konstantin Kolinko
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632586 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/tomcat/jni/SSL.java webapps/docs/changelog.xml webapps/docs/config/http.xml
Author: markt
Date: Fri Oct 17 14:30:06 2014
New Revision: 1632586
URL: http://svn.apache.org/r1632586
Log:
Disable SSLv3 by default for APR/native
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml
Propchange: tomcat/tc7.0.x/trunk/
--
Merged /tomcat/trunk:r1632584
Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1632586&r1=1632585&r2=1632586&view=diff
==
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java Fri Oct 17
14:30:06 2014
@@ -72,7 +72,7 @@ public final class SSL {
public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
-public static final int SSL_PROTOCOL_ALL =
(SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1);
+public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1);
/*
* Define the SSL verify levels
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1632586&r1=1632585&r2=1632586&view=diff
==
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri Oct 17 14:30:06 2014
@@ -81,6 +81,9 @@
The change also ensures that SSLv2 is disabled for these connectors
although SSLv2 should already be disabled by default by the JRE.
(markt)
+
+Disable SSLv3 by default for the APT/native HTTPS connector. (markt)
+
Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml?rev=1632586&r1=1632585&r2=1632586&view=diff
==
--- tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml Fri Oct 17 14:30:06 2014
@@ -1243,11 +1243,11 @@
Protocol which may be used for communicating with clients. The default
- value is all, which is equivalent to
SSLv3+TLSv1
+ value is all, which is equivalent to TLSv1
with other acceptable values being SSLv2,
SSLv3, TLSv1 and any combination of the three
- protocols concatenated with a plus sign. Note that the protocol
- SSLv2 is inherently unsafe.
+ protocols concatenated with a plus sign. Note that the protocols
+ SSLv2 and SSLv3 are inherently unsafe.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632584 - in /tomcat/trunk: java/org/apache/tomcat/jni/SSL.java webapps/docs/changelog.xml webapps/docs/config/http.xml
Author: markt
Date: Fri Oct 17 14:27:34 2014
New Revision: 1632584
URL: http://svn.apache.org/r1632584
Log: (empty)
Modified:
tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1632584&r1=1632583&r2=1632584&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Fri Oct 17 14:27:34 2014
@@ -70,7 +70,7 @@ public final class SSL {
public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
-public static final int SSL_PROTOCOL_ALL =
(SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1);
+public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1);
/*
* Define the SSL verify levels
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1632584&r1=1632583&r2=1632584&view=diff
==
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Oct 17 14:27:34 2014
@@ -169,6 +169,9 @@
connectors although SSLv2 should already be disabled by default by the
JRE. (markt)
+
+Disable SSLv3 by default for the APT/native HTTPS connector. (markt)
+
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1632584&r1=1632583&r2=1632584&view=diff
==
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Fri Oct 17 14:27:34 2014
@@ -1368,11 +1368,11 @@
Protocol which may be used for communicating with clients. The default
- value is all, which is equivalent to
SSLv3+TLSv1
+ value is all, which is equivalent to TLSv1
with other acceptable values being SSLv2,
SSLv3, TLSv1 and any combination of the three
- protocols concatenated with a plus sign. Note that the protocol
- SSLv2 is inherently unsafe.
+ protocols concatenated with a plus sign. Note that the protocols
+ SSLv2 and SSLv3 are inherently unsafe.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1632577 - /tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
Konstantin,
On 10/17/14 10:09 AM, Konstantin Kolinko wrote:
> 2014-10-17 17:59 GMT+04:00 Christopher Schultz :
>> All,
>>
>> On 10/17/14 9:52 AM, schu...@apache.org wrote:
>>> Author: schultz
>>> Date: Fri Oct 17 13:52:24 2014
>>> New Revision: 1632577
>>>
>>> URL: http://svn.apache.org/r1632577
>>> Log:
>>> Maintain SSL_OP parity with OpenSSL: add SSL_OP_NO_TLSv1_1 and
>>> SSL_OP_NO_TLSv1_2.
>>>
>>> Modified:
>>> tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
>>>
>>> Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
>>> URL:
>>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1632577&r1=1632576&r2=1632577&view=diff
>>> ==
>>> --- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original)
>>> +++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Fri Oct 17 13:52:24
>>> 2014
>>> @@ -135,6 +135,9 @@ public final class SSL {
>>> public static final int SSL_OP_NO_SSLv2 =
>>> 0x0100;
>>> public static final int SSL_OP_NO_SSLv3 =
>>> 0x0200;
>>> public static final int SSL_OP_NO_TLSv1 =
>>> 0x0400;
>>> +public static final int SSL_OP_NO_TLSv1_1 =
>>> 0x0800;
>>> +public static final int SSL_OP_NO_TLSv1_2 =
>>> 0x1000;
>>> +
>>> public static final int SSL_OP_NO_TICKET=
>>> 0x4000;
>>
>> I just noticed that this conflicts with the SSL_OPs defined just below
>> these in SSL.java:
>>
>>> /* The next flag deliberately changes the ciphertest, this is a check
>>> * for the PKCS#1 attack */
>>> public static final int SSL_OP_PKCS1_CHECK_1=
>>> 0x0800;
>>> public static final int SSL_OP_PKCS1_CHECK_2=
>>> 0x1000;
>>
>> At some point (1.0, I think), OpenSSL deprecated the PKCS1 constants,
>> made their values 0x0, and re-purposed the flag values for the TLSv1_1
>> and TLSv1_2 options shown above.
>>
>> Without checking the OpenSSL version, client code will have no way of
>> knowing whether they are checking for the TLSv1_x or PKCS1 SSL_OP flags,
>> especially if the Java code has been compiled against a prior version of
>> SSL.java (because javac stupidly copies constant values from one class
>> to another instead of looking them up at runtime, at least the last time
>> I checked).
>>
>> What should we do, here? We can make those constants dynamic, but then
>> we have to do the OpenSSL library load in the class's static initializer
>> instead of in APRLifecycleListener.
>>
>> We could remove SSL_OP_PKCS1_CHECK but then that means anyone relying on
>> it for use with OpenSSL 0.9.8* might be out of luck.
>>
>> I'm a bit nervous about picking a winner here between OpenSSL 0.9.8 and
>> 1.0.1.
>>
>> Any thoughts?
>>
>
>
> I think just mark them as @Deprecated as "Not defined in OpenSSL 1.x",
> "Removed since OpenSSL 1.0" or "Have different values in different
> OpenSSL versions".
>
> Tomcat code does not use them.
Thanks for the review. Shall I change the values for the PKCS constants
to be 0x0 to match OpenSSL 1.0+, or leave them with their current values?
-chris
signature.asc
Description: OpenPGP digital signature
[Bug 57097] Add name attribute to standard connectors
https://issues.apache.org/bugzilla/show_bug.cgi?id=57097 --- Comment #4 from Mark Thomas --- (In reply to Christopher Schultz from comment #3) > I think there is a legitimate use case here. I disagree. The connectors already have a unique name and I have no desire to add unecessary code to provide another attribute that does exactly the same thing. > The "name" shouldn't override the existing JMX name... just add another > property that can be used to locate the connector, even if you have to grab > the whole set of connectors and loop through them looking for it. The only difference between the approaches whether Tomcat provides the option for a unique name to be added to a connector as defined by some external (to Tomcat) system or if Tomcat requires the external system to use Tomcat's unique name. I'm fine with the latter approach. The connectors need less code,not more. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632587 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: markt Date: Fri Oct 17 14:39:08 2014 New Revision: 1632587 URL: http://svn.apache.org/r1632587 Log: Proposal Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1632587&r1=1632586&r2=1632587&view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Fri Oct 17 14:39:08 2014 @@ -102,11 +102,16 @@ PATCHES PROPOSED TO BACKPORT: +1: kkolinko, markt, remm -1: -* Mitigate POODLE by disabling SSLv3 by default +* Mitigate POODLE by disabling SSLv3 by default for JSSE http://people.apache.org/~markt/patches/2014-10-17-poodle-tc6-v1.patch +1: markt -1: +* Mitigate POODLE by disabling SSLv3 by default for APR/native + http://svn.apache.org/r1632586 + +1: markt + -1: + PATCHES/ISSUES THAT ARE STALLED: - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632589 - in /tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl: TestCipher.java TesterOpenSSL.java
Author: markt
Date: Fri Oct 17 14:42:50 2014
New Revision: 1632589
URL: http://svn.apache.org/r1632589
Log:
Stop Eclipse moaning if stricter Javadoc checks are enabled
Modified:
tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java
tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
Modified:
tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java?rev=1632589&r1=1632588&r2=1632589&view=diff
==
--- tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java
(original)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java
Fri Oct 17 14:42:50 2014
@@ -34,7 +34,7 @@ public class TestCipher {
Assume.assumeTrue(TesterOpenSSL.IS_EXPECTED_VERSION);
}
-/**
+/*
* Checks that every cipher suite returned by OpenSSL is mapped to at least
* one cipher suite that is recognised by JSSE or is a cipher suite known
* not to be supported by JSSE.
@@ -70,7 +70,7 @@ public class TestCipher {
}
-/**
+/*
* Checks that the unit tests are running with a version of OpenSSL that
* includes all the expected ciphers and does not include any unexpected
* ones.
Modified:
tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java?rev=1632589&r1=1632588&r2=1632589&view=diff
==
---
tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
(original)
+++
tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
Fri Oct 17 14:42:50 2014
@@ -139,7 +139,7 @@ public class TesterOpenSSL {
}
-/**
+/*
* Use this method to filter parser results when comparing them to OpenSSL
* results to take account of unimplemented cipher suites.
*/
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 53952] Add support for TLS 1.1 and 1.2
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952 --- Comment #37 from Christopher Schultz --- I'm looking at Marcel's attachment #30150 and the protocol selection is a bit verbose though methodical. It took a bit of thinking to understand why the code does what it does. Specifically, it does not explicitly cover all possible combinations of values for "protocol". Instead, it takes a top-down approach assuming that the user will want the highest-available protocol to be supported. Checks for exact matches are performed for TLSv1.2, TLSv1.1, TLSv1(.0), SSLv3, and SSLv2 are performed and the client gets the requested version unless the library doesn't support that version, in which case the client gets an inert SSL engine. It's debatable whether or not this should throw some kind of error. After the exact checks, there are checks for "anything including TLSv1.2" and "anything including TLSv1.1", except that those checks are not even compiled if OpenSSL does not support them. (Of those, the highest protocol supported by the library is used.) Failing the above, SSL2/3 is selected. I see a consistency problem, here: if TLSv1.2 is not supported by OpenSSL but the client requests is specifically, then they will get an inert engine. If the client requests TLSv1.2 + SSLv3 and TLSv1.2 is not supported, they'll get the SSLv2/3 engine instead instead of the SSLv3 engine. It's not clear to me whether this was intentional. I will be committing attachment #30150 without modification and we can debate the correct behavior later. What's interesting (or awful: you decide) about OpenSSL is that you can't choose the exact set of protocols to support when choosing an engine method. Instead, you have to choose the engine method that makes the most sense (usually the highest version-number that is supported and requested by the client) and then you have to go back and black-list all the protocols that the selected method may support but that you don't want. A perfect case is that of requesting TLS1.2+TLS1.1 and nothing else. For that, you have to ask for the TLSv1.2 method in OpenSSL, but that method also provides TLS1, SSLv3, and SSLv2. So you have to call SSL_CTX_set_options and *enable* the *disable flags* for those other protocols. It's not straightforward at all and worth mentioning this to those who would like to review the patch. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1632577 - /tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
2014-10-17 18:32 GMT+04:00 Christopher Schultz :
> Konstantin,
>
> On 10/17/14 10:09 AM, Konstantin Kolinko wrote:
>> 2014-10-17 17:59 GMT+04:00 Christopher Schultz
>> :
>>> All,
>>>
>>> On 10/17/14 9:52 AM, schu...@apache.org wrote:
Author: schultz
Date: Fri Oct 17 13:52:24 2014
New Revision: 1632577
URL: http://svn.apache.org/r1632577
Log:
Maintain SSL_OP parity with OpenSSL: add SSL_OP_NO_TLSv1_1 and
SSL_OP_NO_TLSv1_2.
Modified:
tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1632577&r1=1632576&r2=1632577&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Fri Oct 17 13:52:24
2014
@@ -135,6 +135,9 @@ public final class SSL {
public static final int SSL_OP_NO_SSLv2 =
0x0100;
public static final int SSL_OP_NO_SSLv3 =
0x0200;
public static final int SSL_OP_NO_TLSv1 =
0x0400;
+public static final int SSL_OP_NO_TLSv1_1 =
0x0800;
+public static final int SSL_OP_NO_TLSv1_2 =
0x1000;
+
public static final int SSL_OP_NO_TICKET=
0x4000;
>>>
>>> I just noticed that this conflicts with the SSL_OPs defined just below
>>> these in SSL.java:
>>>
/* The next flag deliberately changes the ciphertest, this is a check
* for the PKCS#1 attack */
public static final int SSL_OP_PKCS1_CHECK_1=
0x0800;
public static final int SSL_OP_PKCS1_CHECK_2=
0x1000;
>>>
>>> At some point (1.0, I think), OpenSSL deprecated the PKCS1 constants,
>>> made their values 0x0, and re-purposed the flag values for the TLSv1_1
>>> and TLSv1_2 options shown above.
>>>
>>> Without checking the OpenSSL version, client code will have no way of
>>> knowing whether they are checking for the TLSv1_x or PKCS1 SSL_OP flags,
>>> especially if the Java code has been compiled against a prior version of
>>> SSL.java (because javac stupidly copies constant values from one class
>>> to another instead of looking them up at runtime, at least the last time
>>> I checked).
>>>
>>> What should we do, here? We can make those constants dynamic, but then
>>> we have to do the OpenSSL library load in the class's static initializer
>>> instead of in APRLifecycleListener.
>>>
>>> We could remove SSL_OP_PKCS1_CHECK but then that means anyone relying on
>>> it for use with OpenSSL 0.9.8* might be out of luck.
>>>
>>> I'm a bit nervous about picking a winner here between OpenSSL 0.9.8 and
>>> 1.0.1.
>>>
>>> Any thoughts?
>>>
>>
>>
>> I think just mark them as @Deprecated as "Not defined in OpenSSL 1.x",
>> "Removed since OpenSSL 1.0" or "Have different values in different
>> OpenSSL versions".
>>
>> Tomcat code does not use them.
>
> Thanks for the review. Shall I change the values for the PKCS constants
> to be 0x0 to match OpenSSL 1.0+, or leave them with their current values?
I would leave them as is. Those are historical values and have no
meaning for the current OpenSSL (according to your description).
Best regards,
Konstantin Kolinko
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632590 - /tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
Author: markt
Date: Fri Oct 17 14:45:46 2014
New Revision: 1632590
URL: http://svn.apache.org/r1632590
Log:
Update OpenSSL unit tests to use 1.0.1j
Modified:
tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
Modified:
tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java?rev=1632590&r1=1632589&r2=1632590&view=diff
==
---
tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
(original)
+++
tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
Fri Oct 17 14:45:46 2014
@@ -30,7 +30,7 @@ import org.apache.tomcat.util.http.fileu
public class TesterOpenSSL {
-public static final String EXPECTED_VERSION = "1.0.1i";
+public static final String EXPECTED_VERSION = "1.0.1j";
public static final boolean IS_EXPECTED_VERSION;
public static final Set OPENSSL_UNIMPLEMENTED_CIPHERS =
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632593 - in /tomcat/native/trunk/native: include/ssl_private.h src/ssl.c src/sslcontext.c
Author: schultz
Date: Fri Oct 17 14:47:04 2014
New Revision: 1632593
URL: http://svn.apache.org/r1632593
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Add support for TLSv1.2 and TLSv1.1.
Modified:
tomcat/native/trunk/native/include/ssl_private.h
tomcat/native/trunk/native/src/ssl.c
tomcat/native/trunk/native/src/sslcontext.c
Modified: tomcat/native/trunk/native/include/ssl_private.h
URL:
http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=1632593&r1=1632592&r2=1632593&view=diff
==
--- tomcat/native/trunk/native/include/ssl_private.h (original)
+++ tomcat/native/trunk/native/include/ssl_private.h Fri Oct 17 14:47:04 2014
@@ -115,7 +115,9 @@
#define SSL_PROTOCOL_SSLV2 (1<<0)
#define SSL_PROTOCOL_SSLV3 (1<<1)
#define SSL_PROTOCOL_TLSV1 (1<<2)
-#define SSL_PROTOCOL_ALL
(SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#define SSL_PROTOCOL_TLSV1_1(1<<3)
+#define SSL_PROTOCOL_TLSV1_2(1<<4)
+#define SSL_PROTOCOL_ALL
(SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
#define SSL_MODE_CLIENT (0)
#define SSL_MODE_SERVER (1)
Modified: tomcat/native/trunk/native/src/ssl.c
URL:
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/ssl.c?rev=1632593&r1=1632592&r2=1632593&view=diff
==
--- tomcat/native/trunk/native/src/ssl.c (original)
+++ tomcat/native/trunk/native/src/ssl.c Fri Oct 17 14:47:04 2014
@@ -190,6 +190,14 @@ static const jint supported_ssl_opts = 0
| SSL_OP_PKCS1_CHECK_2
#endif
+#ifdef SSL_OP_NO_TLSv1_1
+ | SSL_OP_NO_TLSv1_1
+#endif
+
+#ifdef SSL_OP_NO_TLSv1_2
+ | SSL_OP_NO_TLSv1_2
+#endif
+
#ifdef SSL_OP_SINGLE_DH_USE
| SSL_OP_SINGLE_DH_USE
#endif
Modified: tomcat/native/trunk/native/src/sslcontext.c
URL:
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1632593&r1=1632592&r2=1632593&view=diff
==
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Fri Oct 17 14:47:04 2014
@@ -71,43 +71,64 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
SSL_CTX *ctx = NULL;
UNREFERENCED(o);
-switch (protocol) {
-case SSL_PROTOCOL_SSLV2:
-if (mode == SSL_MODE_CLIENT)
-ctx = SSL_CTX_new(SSLv2_client_method());
-else if (mode == SSL_MODE_SERVER)
-ctx = SSL_CTX_new(SSLv2_server_method());
-else
-ctx = SSL_CTX_new(SSLv2_method());
-break;
-case SSL_PROTOCOL_SSLV3:
-if (mode == SSL_MODE_CLIENT)
-ctx = SSL_CTX_new(SSLv3_client_method());
-else if (mode == SSL_MODE_SERVER)
-ctx = SSL_CTX_new(SSLv3_server_method());
-else
-ctx = SSL_CTX_new(SSLv3_method());
-break;
-case SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3:
-case SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_TLSV1:
-case SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1:
-case SSL_PROTOCOL_ALL:
-if (mode == SSL_MODE_CLIENT)
-ctx = SSL_CTX_new(SSLv23_client_method());
-else if (mode == SSL_MODE_SERVER)
-ctx = SSL_CTX_new(SSLv23_server_method());
-else
-ctx = SSL_CTX_new(SSLv23_method());
-break;
-case SSL_PROTOCOL_TLSV1:
-if (mode == SSL_MODE_CLIENT)
-ctx = SSL_CTX_new(TLSv1_client_method());
-else if (mode == SSL_MODE_SERVER)
-ctx = SSL_CTX_new(TLSv1_server_method());
-else
-ctx = SSL_CTX_new(TLSv1_method());
-break;
+if (protocol == SSL_PROTOCOL_TLSV1_2) {
+#ifdef SSL_OP_NO_TLSv1_2
+if (mode == SSL_MODE_CLIENT)
+ctx = SSL_CTX_new(TLSv1_2_client_method());
+else if (mode == SSL_MODE_SERVER)
+ctx = SSL_CTX_new(TLSv1_2_server_method());
+else
+ctx = SSL_CTX_new(TLSv1_2_method());
+#endif
+} else if (protocol == SSL_PROTOCOL_TLSV1_1) {
+#ifdef SSL_OP_NO_TLSv1_1
+if (mode == SSL_MODE_CLIENT)
+ctx = SSL_CTX_new(TLSv1_1_client_method());
+else if (mode == SSL_MODE_SERVER)
+ctx = SSL_CTX_new(TLSv1_1_server_method());
+else
+ctx = SSL_CTX_new(TLSv1_1_method());
+#endif
+} else if (protocol == SSL_PROTOCOL_TLSV1) {
+if (mode == SSL_MODE_CLIENT)
+ctx = SSL_CTX_new(TLSv1_client_method());
+else if (mode == SSL_MODE_SERVER)
+ctx = SSL_CTX_new(TLSv1_server_method());
+else
+ctx = SSL_CTX_new(TLSv1_method());
+} else if (protocol == SSL_PROTOCOL_SSLV3) {
+if (mode
svn commit: r1632595 - in /tomcat/native/branches/1.1.x: native/include/ssl_private.h native/src/ssl.c native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
Author: schultz
Date: Fri Oct 17 14:50:34 2014
New Revision: 1632595
URL: http://svn.apache.org/r1632595
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Add support for TLSv1.2 and TLSv1.1.
Modified:
tomcat/native/branches/1.1.x/native/include/ssl_private.h
tomcat/native/branches/1.1.x/native/src/ssl.c
tomcat/native/branches/1.1.x/native/src/sslcontext.c
tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml
Modified: tomcat/native/branches/1.1.x/native/include/ssl_private.h
URL:
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/include/ssl_private.h?rev=1632595&r1=1632594&r2=1632595&view=diff
==
--- tomcat/native/branches/1.1.x/native/include/ssl_private.h (original)
+++ tomcat/native/branches/1.1.x/native/include/ssl_private.h Fri Oct 17
14:50:34 2014
@@ -117,7 +117,9 @@
#define SSL_PROTOCOL_SSLV2 (1<<0)
#define SSL_PROTOCOL_SSLV3 (1<<1)
#define SSL_PROTOCOL_TLSV1 (1<<2)
-#define SSL_PROTOCOL_ALL
(SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#define SSL_PROTOCOL_TLSV1_1(1<<3)
+#define SSL_PROTOCOL_TLSV1_2(1<<4)
+#define SSL_PROTOCOL_ALL
(SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
#define SSL_MODE_CLIENT (0)
#define SSL_MODE_SERVER (1)
Modified: tomcat/native/branches/1.1.x/native/src/ssl.c
URL:
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/ssl.c?rev=1632595&r1=1632594&r2=1632595&view=diff
==
--- tomcat/native/branches/1.1.x/native/src/ssl.c (original)
+++ tomcat/native/branches/1.1.x/native/src/ssl.c Fri Oct 17 14:50:34 2014
@@ -190,6 +190,14 @@ static const jint supported_ssl_opts = 0
| SSL_OP_PKCS1_CHECK_2
#endif
+#ifdef SSL_OP_NO_TLSv1_1
+ | SSL_OP_NO_TLSv1_1
+#endif
+
+#ifdef SSL_OP_NO_TLSv1_2
+ | SSL_OP_NO_TLSv1_2
+#endif
+
#ifdef SSL_OP_SINGLE_DH_USE
| SSL_OP_SINGLE_DH_USE
#endif
Modified: tomcat/native/branches/1.1.x/native/src/sslcontext.c
URL:
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/sslcontext.c?rev=1632595&r1=1632594&r2=1632595&view=diff
==
--- tomcat/native/branches/1.1.x/native/src/sslcontext.c (original)
+++ tomcat/native/branches/1.1.x/native/src/sslcontext.c Fri Oct 17 14:50:34
2014
@@ -71,43 +71,64 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
SSL_CTX *ctx = NULL;
UNREFERENCED(o);
-switch (protocol) {
-case SSL_PROTOCOL_SSLV2:
-if (mode == SSL_MODE_CLIENT)
-ctx = SSL_CTX_new(SSLv2_client_method());
-else if (mode == SSL_MODE_SERVER)
-ctx = SSL_CTX_new(SSLv2_server_method());
-else
-ctx = SSL_CTX_new(SSLv2_method());
-break;
-case SSL_PROTOCOL_SSLV3:
-if (mode == SSL_MODE_CLIENT)
-ctx = SSL_CTX_new(SSLv3_client_method());
-else if (mode == SSL_MODE_SERVER)
-ctx = SSL_CTX_new(SSLv3_server_method());
-else
-ctx = SSL_CTX_new(SSLv3_method());
-break;
-case SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3:
-case SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_TLSV1:
-case SSL_PROTOCOL_ALL:
-case SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1:
-if (mode == SSL_MODE_CLIENT)
-ctx = SSL_CTX_new(SSLv23_client_method());
-else if (mode == SSL_MODE_SERVER)
-ctx = SSL_CTX_new(SSLv23_server_method());
-else
-ctx = SSL_CTX_new(SSLv23_method());
-break;
-case SSL_PROTOCOL_TLSV1:
-if (mode == SSL_MODE_CLIENT)
-ctx = SSL_CTX_new(TLSv1_client_method());
-else if (mode == SSL_MODE_SERVER)
-ctx = SSL_CTX_new(TLSv1_server_method());
-else
-ctx = SSL_CTX_new(TLSv1_method());
-break;
+if (protocol == SSL_PROTOCOL_TLSV1_2) {
+#ifdef SSL_OP_NO_TLSv1_2
+if (mode == SSL_MODE_CLIENT)
+ctx = SSL_CTX_new(TLSv1_2_client_method());
+else if (mode == SSL_MODE_SERVER)
+ctx = SSL_CTX_new(TLSv1_2_server_method());
+else
+ctx = SSL_CTX_new(TLSv1_2_method());
+#endif
+} else if (protocol == SSL_PROTOCOL_TLSV1_1) {
+#ifdef SSL_OP_NO_TLSv1_1
+if (mode == SSL_MODE_CLIENT)
+ctx = SSL_CTX_new(TLSv1_1_client_method());
+else if (mode == SSL_MODE_SERVER)
+ctx = SSL_CTX_new(TLSv1_1_server_method());
+else
+ctx = SSL_CTX_new(TLSv1_1_method());
+#endif
+} else if (protocol == SSL_PROTOCOL_TLSV1) {
+if (mode == SSL_MODE_CLIENT)
+ctx = SSL_CTX_new(TLSv1_client_method());
+else if (mode
svn propchange: r1632584 - svn:log
Author: kkolinko Revision: 1632584 Modified property: svn:log Modified: svn:log at Fri Oct 17 14:51:04 2014 -- --- svn:log (original) +++ svn:log Fri Oct 17 14:51:04 2014 @@ -0,0 +1 @@ +Disable SSLv3 by default for APR/native - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632596 - /tomcat/native/trunk/native/srclib/VERSIONS
Author: markt Date: Fri Oct 17 14:51:34 2014 New Revision: 1632596 URL: http://svn.apache.org/r1632596 Log: Update dependencies Modified: tomcat/native/trunk/native/srclib/VERSIONS Modified: tomcat/native/trunk/native/srclib/VERSIONS URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/srclib/VERSIONS?rev=1632596&r1=1632595&r2=1632596&view=diff == --- tomcat/native/trunk/native/srclib/VERSIONS (original) +++ tomcat/native/trunk/native/srclib/VERSIONS Fri Oct 17 14:51:34 2014 @@ -1,4 +1,4 @@ Use the following version of the libraries -- APR 1.4.6, http://apr.apache.org -- OpenSSL 1.0.0g, http://www.openssl.org +- APR 1.4.8, http://apr.apache.org +- OpenSSL 1.0.1j, http://www.openssl.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 53952] Add support for TLS 1.1 and 1.2
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952 Christopher Schultz changed: What|Removed |Added Attachment #32115|0 |1 is patch|| -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56397] Establish parallel Maven-based build process
https://issues.apache.org/bugzilla/show_bug.cgi?id=56397 Pierre Viret changed: What|Removed |Added Attachment #32113|0 |1 is obsolete|| --- Comment #42 from Pierre Viret --- Created attachment 32120 --> https://issues.apache.org/bugzilla/attachment.cgi?id=32120&action=edit patch for tomcat-maven-layout created with "svn diff -x -u" This new patch contains following fixes: - add the service configuration in META-INF from some jars (thanks Mark for the tip!) - fix tomcat-websocket svn:externals to import the correct java classes (it contained the api classes...) - implement a workaround for the problem with the empty logs & temp dirs --> now the tomcat server starts and the standard web-application is displayed quite correctly ! I haven't verified it yet but it looks nice ;-) Next steps: - verify the standard web-applications (f.i. manager) - implement the tests I'm off for 10 days for vacation and without my computer so you will hear from me again at the beginning of november :-) -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632599 - /tomcat/native/branches/1.1.x/native/srclib/VERSIONS
Author: markt Date: Fri Oct 17 14:53:11 2014 New Revision: 1632599 URL: http://svn.apache.org/r1632599 Log: Update OpenSSL version Modified: tomcat/native/branches/1.1.x/native/srclib/VERSIONS Modified: tomcat/native/branches/1.1.x/native/srclib/VERSIONS URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/srclib/VERSIONS?rev=1632599&r1=1632598&r2=1632599&view=diff == --- tomcat/native/branches/1.1.x/native/srclib/VERSIONS (original) +++ tomcat/native/branches/1.1.x/native/srclib/VERSIONS Fri Oct 17 14:53:11 2014 @@ -1,4 +1,4 @@ Use the following version of the libraries - APR 1.4.8, http://apr.apache.org -- OpenSSL 1.0.1h, http://www.openssl.org +- OpenSSL 1.0.1j, http://www.openssl.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 53952] Add support for TLS 1.1 and 1.2
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952 Christopher Schultz changed: What|Removed |Added Attachment #32114|0 |1 is patch|| Attachment #32114|0 |1 is obsolete|| --- Comment #38 from Christopher Schultz --- Comment on attachment 32114 --> https://issues.apache.org/bugzilla/attachment.cgi?id=32114 patch for the issue. Marking jfclere's patch as obsolete because I like the changes to the protocol selection that Marcel made. He also correctly included support for the SSL_OP_NO_TLS* options in supported_ssl_opts. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632600 - /tomcat/trunk/webapps/docs/changelog.xml
Author: kkolinko Date: Fri Oct 17 14:59:01 2014 New Revision: 1632600 URL: http://svn.apache.org/r1632600 Log: Correct a typo Modified: tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1632600&r1=1632599&r2=1632600&view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Fri Oct 17 14:59:01 2014 @@ -170,7 +170,7 @@ JRE. (markt) -Disable SSLv3 by default for the APT/native HTTPS connector. (markt) +Disable SSLv3 by default for the APR/native HTTPS connector. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632601 - in /tomcat/trunk/java/org/apache/jasper: compiler/Node.java resources/LocalStrings.properties
Author: kkolinko
Date: Fri Oct 17 15:03:44 2014
New Revision: 1632601
URL: http://svn.apache.org/r1632601
Log:
Correct typo in message key, order alphabetically - followup to r1632310
Modified:
tomcat/trunk/java/org/apache/jasper/compiler/Node.java
tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties
Modified: tomcat/trunk/java/org/apache/jasper/compiler/Node.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/compiler/Node.java?rev=1632601&r1=1632600&r2=1632601&view=diff
==
--- tomcat/trunk/java/org/apache/jasper/compiler/Node.java (original)
+++ tomcat/trunk/java/org/apache/jasper/compiler/Node.java Fri Oct 17 15:03:44
2014
@@ -608,7 +608,7 @@ abstract class Node implements TagConsta
// name with a wildcard
if (importEntry.indexOf(';') > -1) {
throw new IllegalArgumentException(
-Localizer.getMessage("jsp.error.page.invaild.import"));
+Localizer.getMessage("jsp.error.page.invalid.import"));
}
return importEntry.trim();
}
Modified: tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties?rev=1632601&r1=1632600&r2=1632601&view=diff
==
--- tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties Fri
Oct 17 15:03:44 2014
@@ -36,9 +36,9 @@ jsp.error.page.invalid.session=Page dire
jsp.error.page.conflict.buffer=Page directive: illegal to have multiple
occurrences of 'buffer' with different values (old: {0}, new: {1})
jsp.error.page.invalid.buffer=Page directive: invalid value for buffer
jsp.error.page.conflict.autoflush=Page directive: illegal to have multiple
occurrences of 'autoFlush' with different values (old: {0}, new: {1})
+jsp.error.page.invalid.import=Page directive: invalid value for import
jsp.error.page.conflict.isthreadsafe=Page directive: illegal to have multiple
occurrences of 'isThreadSafe' with different values (old: {0}, new: {1})
jsp.error.page.invalid.isthreadsafe=Page directive: invalid value for
isThreadSafe
-jsp.error.page.invaild.import=Page directive: invalid value for import
jsp.error.page.conflict.info=Page directive: illegal to have multiple
occurrences of 'info' with different values (old: {0}, new: {1})
jsp.error.page.invalid.info=Page directive: invalid value for info
jsp.error.page.conflict.iserrorpage=Page directive: illegal to have multiple
occurrences of 'isErrorPage' with different values (old: {0}, new: {1})
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632602 - in /tomcat/tc7.0.x/trunk: ./ webapps/docs/changelog.xml
Author: kkolinko Date: Fri Oct 17 15:08:34 2014 New Revision: 1632602 URL: http://svn.apache.org/r1632602 Log: Correct a typo Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Propchange: tomcat/tc7.0.x/trunk/ -- Merged /tomcat/trunk:r1632600 Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1632602&r1=1632601&r2=1632602&view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri Oct 17 15:08:34 2014 @@ -82,7 +82,7 @@ although SSLv2 should already be disabled by default by the JRE. (markt) -Disable SSLv3 by default for the APT/native HTTPS connector. (markt) +Disable SSLv3 by default for the APR/native HTTPS connector. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632603 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/jasper/compiler/Node.java java/org/apache/jasper/resources/LocalStrings.properties
Author: kkolinko
Date: Fri Oct 17 15:10:00 2014
New Revision: 1632603
URL: http://svn.apache.org/r1632603
Log:
Merged r1632601 from tomcat/trunk:
Correct typo in message key, order alphabetically - followup to r1632310
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/Node.java
tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties
Propchange: tomcat/tc7.0.x/trunk/
--
Merged /tomcat/trunk:r1632601
Modified: tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/Node.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/Node.java?rev=1632603&r1=1632602&r2=1632603&view=diff
==
--- tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/Node.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/Node.java Fri Oct 17
15:10:00 2014
@@ -626,7 +626,7 @@ abstract class Node implements TagConsta
// name with a wildcard
if (importEntry.indexOf(';') > -1) {
throw new IllegalArgumentException(
-Localizer.getMessage("jsp.error.page.invaild.import"));
+Localizer.getMessage("jsp.error.page.invalid.import"));
}
return importEntry.trim();
}
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties?rev=1632603&r1=1632602&r2=1632603&view=diff
==
---
tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties
Fri Oct 17 15:10:00 2014
@@ -58,9 +58,9 @@ jsp.error.page.conflict.buffer=Page dire
jsp.error.page.invalid.buffer=Page directive: invalid value for buffer
jsp.error.page.conflict.autoflush=Page directive: illegal to have multiple
occurrences of 'autoFlush' with different values (old: {0}, new: {1})
jsp.error.page.invalid.autoflush=Page directive: invalid value for autoFlush
+jsp.error.page.invalid.import=Page directive: invalid value for import
jsp.error.page.conflict.isthreadsafe=Page directive: illegal to have multiple
occurrences of 'isThreadSafe' with different values (old: {0}, new: {1})
jsp.error.page.invalid.isthreadsafe=Page directive: invalid value for
isThreadSafe
-jsp.error.page.invaild.import=Page directive: invalid value for import
jsp.error.page.conflict.info=Page directive: illegal to have multiple
occurrences of 'info' with different values (old: {0}, new: {1})
jsp.error.page.invalid.info=Page directive: invalid value for info
jsp.error.page.conflict.iserrorpage=Page directive: illegal to have multiple
occurrences of 'isErrorPage' with different values (old: {0}, new: {1})
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 47714] Response mixed between users
https://issues.apache.org/bugzilla/show_bug.cgi?id=47714 --- Comment #27 from Rami Stefanidis --- . -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632604 - in /tomcat/trunk: java/org/apache/tomcat/jni/ java/org/apache/tomcat/jni/socket/ java/org/apache/tomcat/util/net/ webapps/docs/ webapps/docs/config/
Author: schultz
Date: Fri Oct 17 15:19:35 2014
New Revision: 1632604
URL: http://svn.apache.org/r1632604
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Add support for TLSv1.1 and TLSv1.2 to APR connector.
Modified:
tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java
tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/http.xml
tomcat/trunk/webapps/docs/ssl-howto.xml
Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1632604&r1=1632603&r2=1632604&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Fri Oct 17 15:19:35 2014
@@ -70,7 +70,9 @@ public final class SSL {
public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
-public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1);
+public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3);
+public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4);
+public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 |
SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2);
/*
* Define the SSL verify levels
Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java?rev=1632604&r1=1632603&r2=1632604&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java Fri Oct 17 15:19:35
2014
@@ -27,13 +27,15 @@ public final class SSLContext {
/**
* Initialize new SSL context
* @param pool The pool to use.
- * @param protocol The SSL protocol to use. It can be one of:
+ * @param protocol The SSL protocol to use. It can be any combination of
+ * the following:
*
- * SSL_PROTOCOL_SSLV2
- * SSL_PROTOCOL_SSLV3
- * SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3
- * SSL_PROTOCOL_TLSV1
- * SSL_PROTOCOL_ALL
+ * {@link SSL#SSL_PROTOCOL_SSLV2}
+ * {@link SSL#SSL_PROTOCOL_SSLV3}
+ * {@link SSL#SSL_PROTOCOL_TLSV1}
+ * {@link SSL#SSL_PROTOCOL_TLSV1_1}
+ * {@link SSL#SSL_PROTOCOL_TLSV1_2}
+ * {@link SSL#SSL_PROTOCOL_ALL} ( == all TLS versions, no SSL)
*
* @param mode SSL mode to use
*
Modified: tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java?rev=1632604&r1=1632603&r2=1632604&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java Fri
Oct 17 15:19:35 2014
@@ -181,7 +181,7 @@ public class AprSocketContext {
private boolean useSendfile;
-private int sslProtocol = SSL.SSL_PROTOCOL_TLSV1 | SSL.SSL_PROTOCOL_SSLV3;
+private int sslProtocol = SSL.SSL_PROTOCOL_TLSV1 |
SSL.SSL_PROTOCOL_TLSV1_1 | SSL.SSL_PROTOCOL_TLSV1_2;
/**
* Max time spent in a callback ( will be longer for blocking )
@@ -302,6 +302,10 @@ public class AprSocketContext {
sslProtocol = SSL.SSL_PROTOCOL_SSLV3;
} else if ("TLSv1".equalsIgnoreCase(protocol)) {
sslProtocol = SSL.SSL_PROTOCOL_TLSV1;
+} else if ("TLSv1.1".equalsIgnoreCase(protocol)) {
+sslProtocol = SSL.SSL_PROTOCOL_TLSV1_1;
+} else if ("TLSv1.2".equalsIgnoreCase(protocol)) {
+sslProtocol = SSL.SSL_PROTOCOL_TLSV1_2;
} else if ("all".equalsIgnoreCase(protocol)) {
sslProtocol = SSL.SSL_PROTOCOL_ALL;
}
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1632604&r1=1632603&r2=1632604&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Fri Oct 17
15:19:35 2014
@@ -506,6 +506,10 @@ public class AprEndpoint extends Abstrac
value |= SSL.SSL_PROTOCOL_SSLV3;
} else if ("TLSv1".equalsIgnoreCase(protocol)) {
value |= SSL.SSL_PROTOCOL_TLSV1;
+} else if ("TLSv1.1".equalsIgno
[Bug 53952] Add support for TLS 1.1 and 1.2
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952 --- Comment #39 from Christopher Schultz --- Fixed in tcnative-trunk in r1632593 and tcnative-1.1.x in r1632595. Will be in tcnative 1.1.32. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632606 - in /tomcat/tc7.0.x/trunk: java/org/apache/tomcat/jni/ java/org/apache/tomcat/util/net/ webapps/docs/ webapps/docs/config/
Author: schultz
Date: Fri Oct 17 15:31:16 2014
New Revision: 1632606
URL: http://svn.apache.org/r1632606
Log:
Back-ported r1632604 to fix
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Add support for TLSv1.1 and TLSv1.2 to APR connector.
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml
tomcat/tc7.0.x/trunk/webapps/docs/ssl-howto.xml
Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1632606&r1=1632605&r2=1632606&view=diff
==
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java Fri Oct 17
15:31:16 2014
@@ -72,7 +72,9 @@ public final class SSL {
public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
-public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1);
+public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3);
+public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4);
+public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 |
SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2);
/*
* Define the SSL verify levels
Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java?rev=1632606&r1=1632605&r2=1632606&view=diff
==
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java Fri Oct 17
15:31:16 2014
@@ -27,13 +27,15 @@ public final class SSLContext {
/**
* Initialize new SSL context
* @param pool The pool to use.
- * @param protocol The SSL protocol to use. It can be one of:
+ * @param protocol The SSL protocol to use. It can be any combination of
+ * the following:
*
- * SSL_PROTOCOL_SSLV2
- * SSL_PROTOCOL_SSLV3
- * SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3
- * SSL_PROTOCOL_TLSV1
- * SSL_PROTOCOL_ALL
+ * {@link SSL#SSL_PROTOCOL_SSLV2}
+ * {@link SSL#SSL_PROTOCOL_SSLV3}
+ * {@link SSL#SSL_PROTOCOL_TLSV1}
+ * {@link SSL#SSL_PROTOCOL_TLSV1_1}
+ * {@link SSL#SSL_PROTOCOL_TLSV1_2}
+ * {@link SSL#SSL_PROTOCOL_ALL} ( == all TLS versions, no SSL)
*
* @param mode SSL mode to use
*
Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1632606&r1=1632605&r2=1632606&view=diff
==
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Fri
Oct 17 15:31:16 2014
@@ -503,6 +503,10 @@ public class AprEndpoint extends Abstrac
value |= SSL.SSL_PROTOCOL_SSLV3;
} else if ("TLSv1".equalsIgnoreCase(protocol)) {
value |= SSL.SSL_PROTOCOL_TLSV1;
+} else if ("TLSv1.1".equalsIgnoreCase(protocol)) {
+value |= SSL.SSL_PROTOCOL_TLSV1_1;
+} else if ("TLSv1.2".equalsIgnoreCase(protocol)) {
+value |= SSL.SSL_PROTOCOL_TLSV1_2;
} else if ("all".equalsIgnoreCase(protocol)) {
value |= SSL.SSL_PROTOCOL_ALL;
} else {
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1632606&r1=1632605&r2=1632606&view=diff
==
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri Oct 17 15:31:16 2014
@@ -59,6 +59,9 @@
+53952: Add support for TLSv1.1 and TLSv1.2 for APR
connector.
+Based upon a patch by Marcel Šebek. (schultz/jfclere)
+
57022: Ensure SPNEGO authentication continues to work with
the JNDI Realm using delegated credentials with recent Oracle JREs.
(markt)
Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml?rev=1632606&r1=1632605&r2=1632606&view=diff
===
[Bug 53952] Add support for TLS 1.1 and 1.2
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952 Christopher Schultz changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #40 from Christopher Schultz --- Fixed in Tomcat-trunk in r1632604. Will be in Tomcat 8.0.15. Fixed in Tomcat 7 in r1632606. Will be in Tomcat 7.0.57. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632608 - /tomcat/tc7.0.x/trunk/
Author: schultz Date: Fri Oct 17 15:33:22 2014 New Revision: 1632608 URL: http://svn.apache.org/r1632608 Log: Register mack-port of r1632604 missed in r1632606. Modified: tomcat/tc7.0.x/trunk/ (props changed) Propchange: tomcat/tc7.0.x/trunk/ -- Merged /tomcat/trunk:r1632604 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
buildbot failure in ASF Buildbot on tomcat-trunk
The Buildbot has detected a new failure on builder tomcat-trunk while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/tomcat-trunk/builds/558 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-vm_ubuntu Build Reason: scheduler Build Source Stamp: [branch tomcat/trunk] 1632584 Blamelist: markt,schultz BUILD FAILED: failed compile_1 sincerely, -The Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57106] New: Apache service continual out of memory issues
https://issues.apache.org/bugzilla/show_bug.cgi?id=57106 Bug ID: 57106 Summary: Apache service continual out of memory issues Product: Tomcat 7 Version: 7.0.54 Hardware: Other OS: other Status: NEW Severity: critical Priority: P2 Component: Catalina Assignee: dev@tomcat.apache.org Reporter: chris.cir...@toysrus.com We have just migrated our Vista application to a Linux 6.5 server has 12gb memory and we are using Orcle as our DB system and are using tomcat 7 ver 7.0.54 and have catalina memory set to 1024 however it is continually failing and getting out of memory issues. we are going to change to 2048 but I am concerned we have memory leak issues. This is a production system that support all of Toys R Us stores and is having a significant impact. here is some detail from the log Subject: RE: catalina.out errors The last lines of catalina.out for today’s issue are: Oct 17, 2014 9:26:08 AM org.apache.catalina.loader.WebappClassLoader clearRefere ncesThreads SEVERE: The web application [/vp_web] appears to have started a thread named [Ti mer-1059] but has failed to stop it. This is very likely to create a memory leak . Oct 17, 2014 9:26:08 AM org.apache.catalina.loader.WebappClassLoader clearRefere ncesThreads SEVERE: The web application [/vp_web] appears to have started a thread named [Ti mer-1060] but has failed to stop it. This is very likely to create a memory leak . Oct 17, 2014 9:26:08 AM org.apache.catalina.loader.WebappClassLoader clearRefere ncesThreads SEVERE: The web application [/vp_web] appears to have started a thread named [Ti mer-1061] but has failed to stop it. This is very likely to create a memory leak . Oct 17, 2014 9:26:08 AM org.apache.catalina.loader.WebappClassLoader clearRefere ncesThreads SEVERE: The web application [/vp_web] appears to have started a thread named [Ti mer-1062] but has failed to stop it. This is very likely to create a memory leak . Oct 17, 2014 9:26:08 AM org.apache.catalina.loader.WebappClassLoader checkThread LocalMapForLeaks SEVERE: The web application [/vp_web] created a ThreadLocal with key of type [ja va.lang.ThreadLocal] (value [java.lang.ThreadLocal@4331ecb6]) and a value of typ e [org.apache.xerces.parsers.SAXParser] (value [org.apache.xerces.parsers.SAXPar ser@5763c0fe]) but failed to remove it when the web application was stopped. Thr eads are going to be renewed over time to try and avoid a probable memory leak. Oct 17, 2014 9:26:08 AM org.apache.catalina.loader.WebappClassLoader checkThread LocalMapForLeaks SEVERE: The web application [/vp_web] created a ThreadLocal with key of type [ja va.lang.ThreadLocal] (value [java.lang.ThreadLocal@4331ecb6]) and a value of typ e [org.apache.xerces.parsers.SAXParser] (value [org.apache.xerces.parsers.SAXPar ser@1d6da840]) but failed to remove it when the web application was stopped. Thr eads are going to be renewed over time to try and avoid a probable memory leak. Oct 17, 2014 9:26:08 AM org.apache.catalina.loader.WebappClassLoader checkThread LocalMapForLeaks SEVERE: The web application [/vp_web] created a ThreadLocal with key of type [ja va.lang.ThreadLocal] (value [java.lang.ThreadLocal@4331ecb6]) and a value of typ e [org.apache.xerces.parsers.SAXParser] (value [org.apache.xerces.parsers.SAXPar ser@7dbe915c]) but failed to remove it when the web application was stopped. Thr eads are going to be renewed over time to try and avoid a probable memory leak. Oct 17, 2014 9:26:08 AM org.apache.catalina.loader.WebappClassLoader checkThread LocalMapForLeaks SEVERE: The web application [/vp_web] created a ThreadLocal with key of type [ja va.lang.ThreadLocal] (value [java.lang.ThreadLocal@4331ecb6]) and a value of typ e [org.apache.xerces.parsers.SAXParser] (value [org.apache.xerces.parsers.SAXPar ser@b31e0fd]) but failed to remove it when the web application was stopped. Thre ads are going to be renewed over time to try and avoid a probable memory leak. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
buildbot exception in ASF Buildbot on tomcat-trunk
The Buildbot has detected a build exception on builder tomcat-trunk while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/tomcat-trunk/builds/559 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-vm_ubuntu Build Reason: scheduler Build Source Stamp: [branch tomcat/trunk] 1632604 Blamelist: kkolinko,markt,schultz BUILD FAILED: exception compile_1 upload_3 sincerely, -The Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57106] Apache service continual out of memory issues
https://issues.apache.org/bugzilla/show_bug.cgi?id=57106 Christopher Schultz changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |INVALID --- Comment #1 from Christopher Schultz --- Bugzilla is not a support forum. Please post a question on the Tomcat users' mailing list if you'd like some help. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 53952] Add support for TLS 1.1 and 1.2
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952 Christopher Schultz changed: What|Removed |Added Status|RESOLVED|REOPENED Resolution|FIXED |--- --- Comment #41 from Christopher Schultz --- I'll prepare a patch for Tomcat 6 as well. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
buildbot failure in ASF Buildbot on tomcat-7-trunk
The Buildbot has detected a new failure on builder tomcat-7-trunk while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/tomcat-7-trunk/builds/345 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: silvanus_ubuntu Build Reason: scheduler Build Source Stamp: [branch tomcat/tc7.0.x/trunk] 1632608 Blamelist: schultz BUILD FAILED: failed compile sincerely, -The Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632619 - /tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Author: kkolinko Date: Fri Oct 17 16:08:39 2014 New Revision: 1632619 URL: http://svn.apache.org/r1632619 Log: Fix xml markup broken by r1632606, move connector change into Coyote section. Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1632619&r1=1632618&r2=1632619&view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri Oct 17 16:08:39 2014 @@ -59,9 +59,6 @@ -53952: Add support for TLSv1.1 and TLSv1.2 for APR connector. -Based upon a patch by Marcel Šebek. (schultz/jfclere) - 57022: Ensure SPNEGO authentication continues to work with the JNDI Realm using delegated credentials with recent Oracle JREs. (markt) @@ -80,6 +77,10 @@ +53952: Add support for TLSv1.1 and TLSv1.2 for APR connector. +Based upon a patch by Marcel Šebek. (schultz/jfclere) + + Disable SSLv3 by default for JSSE based HTTPS connectors (BIO and NIO). The change also ensures that SSLv2 is disabled for these connectors although SSLv2 should already be disabled by default by the JRE. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1631520 - in /tomcat/trunk: java/org/apache/tomcat/util/buf/LocalStrings.properties java/org/apache/tomcat/util/buf/MessageBytes.java webapps/docs/changelog.xml
2014-10-13 23:27 GMT+04:00 :
> Author: markt
> Date: Mon Oct 13 19:27:37 2014
> New Revision: 1631520
>
> URL: http://svn.apache.org/r1631520
> Log:
> Cache the Encoder instances used to convert Strings to byte arrays in the
> Connectors (e.g. when writing HTTP headers) to improve throughput.
In this implementation I think the cache only plays when the same
MessageBytes instance is re-used in subsequent requests.
I think an alternative implementation using a thread-local cache will
allow to reuse encoders between different MessageByte instances in the
same request and will require less memory.
Best regards,
Konstantin Kolinko
>
> Modified:
> tomcat/trunk/java/org/apache/tomcat/util/buf/LocalStrings.properties
> tomcat/trunk/java/org/apache/tomcat/util/buf/MessageBytes.java
> tomcat/trunk/webapps/docs/changelog.xml
>
> @@ -36,6 +44,9 @@ import java.util.Locale;
> public final class MessageBytes implements Cloneable, Serializable {
> private static final long serialVersionUID = 1L;
>
> +private static final StringManager sm = StringManager.getManager(
> +Constants.Package);
> +
> // primary type ( whatever is set as original value )
> private int type = T_NULL;
>
> @@ -64,6 +75,8 @@ public final class MessageBytes implemen
> // strValue!=null is the same
> private boolean hasStrValue=false;
>
> +private Map encoders = new HashMap<>();
> +
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632624 - /tomcat/trunk/webapps/docs/changelog.xml
Author: kkolinko Date: Fri Oct 17 16:21:14 2014 New Revision: 1632624 URL: http://svn.apache.org/r1632624 Log: Move connector change into Coyote section. Modified: tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1632624&r1=1632623&r2=1632624&view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Fri Oct 17 16:21:14 2014 @@ -68,10 +68,6 @@ cache for a web application via JMX. (markt) -53952: Add support for TLSv1.1 and TLSv1.2 for APR connector. -Based upon a patch by Marcel Šebek. (schultz/jfclere) - - 55951: Allow cookies to use UTF-8 encoded values in HTTP headers. This requires the use of the RFC6265 CookieProcessor. (markt) @@ -162,6 +158,10 @@ + +53952: Add support for TLSv1.1 and TLSv1.2 for APR connector. +Based upon a patch by Marcel Šebek. (schultz/jfclere) + Cache the Encoder instances used to convert Strings to byte arrays in the Connectors (e.g. when writing HTTP headers) to improve - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632625 - in /tomcat/trunk/java/org/apache/tomcat/websocket: LocalStrings.properties WsRemoteEndpointImplBase.java
Author: remm
Date: Fri Oct 17 16:22:43 2014
New Revision: 1632625
URL: http://svn.apache.org/r1632625
Log:
Add null checks for arguments in remote endpoint.
Modified:
tomcat/trunk/java/org/apache/tomcat/websocket/LocalStrings.properties
tomcat/trunk/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java
Modified: tomcat/trunk/java/org/apache/tomcat/websocket/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/websocket/LocalStrings.properties?rev=1632625&r1=1632624&r2=1632625&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/websocket/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/tomcat/websocket/LocalStrings.properties Fri
Oct 17 16:22:43 2014
@@ -74,6 +74,8 @@ wsRemoteEndpoint.flushOnCloseFailed=Flus
wsRemoteEndpoint.invalidEncoder=The specified encoder of type [{0}] could not
be instantiated
wsRemoteEndpoint.noEncoder=No encoder specified for object of class [{0}]
wsRemoteEndpoint.wrongState=The remote endpoint was in state [{0}] which is an
invalid state for called method
+wsRemoteEndpoint.nullData=Invalid null data argument
+wsRemoteEndpoint.nullHandler=Invalid null handler argument
# Note the following message is used as a close reason in a WebSocket control
# frame and therefore must be 123 bytes (not characters) or less in length.
Modified:
tomcat/trunk/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java?rev=1632625&r1=1632624&r2=1632625&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java
Fri Oct 17 16:22:43 2014
@@ -125,6 +125,9 @@ public abstract class WsRemoteEndpointIm
public void sendBytes(ByteBuffer data) throws IOException {
+if (data == null) {
+throw new
IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullData"));
+}
stateMachine.binaryStart();
startMessageBlock(Constants.OPCODE_BINARY, data, true);
stateMachine.complete(true);
@@ -139,6 +142,12 @@ public abstract class WsRemoteEndpointIm
public void sendBytesByCompletion(ByteBuffer data, SendHandler handler) {
+if (data == null) {
+throw new
IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullData"));
+}
+if (handler == null) {
+throw new
IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullHandler"));
+}
StateUpdateSendHandler sush = new StateUpdateSendHandler(handler);
stateMachine.binaryStart();
startMessage(Constants.OPCODE_BINARY, data, true, sush);
@@ -147,6 +156,9 @@ public abstract class WsRemoteEndpointIm
public void sendPartialBytes(ByteBuffer partialByte, boolean last)
throws IOException {
+if (partialByte == null) {
+throw new
IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullData"));
+}
stateMachine.binaryPartialStart();
startMessageBlock(Constants.OPCODE_BINARY, partialByte, last);
stateMachine.complete(last);
@@ -168,6 +180,9 @@ public abstract class WsRemoteEndpointIm
public void sendString(String text) throws IOException {
+if (text == null) {
+throw new
IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullData"));
+}
stateMachine.textStart();
sendPartialString(CharBuffer.wrap(text), true);
}
@@ -181,6 +196,12 @@ public abstract class WsRemoteEndpointIm
public void sendStringByCompletion(String text, SendHandler handler) {
+if (text == null) {
+throw new
IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullData"));
+}
+if (handler == null) {
+throw new
IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullHandler"));
+}
stateMachine.textStart();
TextMessageSendHandler tmsh = new TextMessageSendHandler(handler,
CharBuffer.wrap(text), true, encoder, encoderBuffer, this);
@@ -191,6 +212,9 @@ public abstract class WsRemoteEndpointIm
public void sendPartialString(String fragment, boolean isLast)
throws IOException {
+if (fragment == null) {
+throw new
IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullData"));
+}
stateMachine.textPartialStart();
sendPartialString(CharBuffer.wrap(fragment), isLast);
}
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1632625 - in /tomcat/trunk/java/org/apache/tomcat/websocket: LocalStrings.properties WsRemoteEndpointImplBase.java
2014-10-17 20:22 GMT+04:00 :
> Author: remm
> Date: Fri Oct 17 16:22:43 2014
> New Revision: 1632625
>
> URL: http://svn.apache.org/r1632625
> Log:
> Add null checks for arguments in remote endpoint.
>
Wouldn't it better to throw a NullPointerException with those messages?
Best regards,
Konstantin Kolinko
> Modified:
> tomcat/trunk/java/org/apache/tomcat/websocket/LocalStrings.properties
>
> tomcat/trunk/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java
>
> Modified:
> tomcat/trunk/java/org/apache/tomcat/websocket/LocalStrings.properties
> URL:
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/websocket/LocalStrings.properties?rev=1632625&r1=1632624&r2=1632625&view=diff
> ==
> --- tomcat/trunk/java/org/apache/tomcat/websocket/LocalStrings.properties
> (original)
> +++ tomcat/trunk/java/org/apache/tomcat/websocket/LocalStrings.properties Fri
> Oct 17 16:22:43 2014
> @@ -74,6 +74,8 @@ wsRemoteEndpoint.flushOnCloseFailed=Flus
> wsRemoteEndpoint.invalidEncoder=The specified encoder of type [{0}] could
> not be instantiated
> wsRemoteEndpoint.noEncoder=No encoder specified for object of class [{0}]
> wsRemoteEndpoint.wrongState=The remote endpoint was in state [{0}] which is
> an invalid state for called method
> +wsRemoteEndpoint.nullData=Invalid null data argument
> +wsRemoteEndpoint.nullHandler=Invalid null handler argument
>
> # Note the following message is used as a close reason in a WebSocket control
> # frame and therefore must be 123 bytes (not characters) or less in length.
>
> Modified:
> tomcat/trunk/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java
> URL:
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java?rev=1632625&r1=1632624&r2=1632625&view=diff
> ==
> ---
> tomcat/trunk/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java
> (original)
> +++
> tomcat/trunk/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java
> Fri Oct 17 16:22:43 2014
> @@ -125,6 +125,9 @@ public abstract class WsRemoteEndpointIm
>
>
> public void sendBytes(ByteBuffer data) throws IOException {
> +if (data == null) {
> +throw new
> IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullData"));
> +}
> stateMachine.binaryStart();
> startMessageBlock(Constants.OPCODE_BINARY, data, true);
> stateMachine.complete(true);
> @@ -139,6 +142,12 @@ public abstract class WsRemoteEndpointIm
>
>
> public void sendBytesByCompletion(ByteBuffer data, SendHandler handler) {
> +if (data == null) {
> +throw new
> IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullData"));
> +}
> +if (handler == null) {
> +throw new
> IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullHandler"));
> +}
> StateUpdateSendHandler sush = new StateUpdateSendHandler(handler);
> stateMachine.binaryStart();
> startMessage(Constants.OPCODE_BINARY, data, true, sush);
> @@ -147,6 +156,9 @@ public abstract class WsRemoteEndpointIm
>
> public void sendPartialBytes(ByteBuffer partialByte, boolean last)
> throws IOException {
> +if (partialByte == null) {
> +throw new
> IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullData"));
> +}
> stateMachine.binaryPartialStart();
> startMessageBlock(Constants.OPCODE_BINARY, partialByte, last);
> stateMachine.complete(last);
> @@ -168,6 +180,9 @@ public abstract class WsRemoteEndpointIm
>
>
> public void sendString(String text) throws IOException {
> +if (text == null) {
> +throw new
> IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullData"));
> +}
> stateMachine.textStart();
> sendPartialString(CharBuffer.wrap(text), true);
> }
> @@ -181,6 +196,12 @@ public abstract class WsRemoteEndpointIm
>
>
> public void sendStringByCompletion(String text, SendHandler handler) {
> +if (text == null) {
> +throw new
> IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullData"));
> +}
> +if (handler == null) {
> +throw new
> IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullHandler"));
> +}
> stateMachine.textStart();
> TextMessageSendHandler tmsh = new TextMessageSendHandler(handler,
> CharBuffer.wrap(text), true, encoder, encoderBuffer, this);
> @@ -191,6 +212,9 @@ public abstract class WsRemoteEndpointIm
>
> public void sendPartialString(String fragment, boolean isLast)
> throws IOException {
> +if (fragment == null) {
> +throw new
> IllegalArgumentException(sm.getString("wsRemoteEndpoint.
buildbot success in ASF Buildbot on tomcat-7-trunk
The Buildbot has detected a restored build on builder tomcat-7-trunk while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/tomcat-7-trunk/builds/346 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: silvanus_ubuntu Build Reason: scheduler Build Source Stamp: [branch tomcat/tc7.0.x/trunk] 1632619 Blamelist: kkolinko Build succeeded! sincerely, -The Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632633 - /tomcat/trunk/webapps/docs/changelog.xml
Author: remm Date: Fri Oct 17 16:51:33 2014 New Revision: 1632633 URL: http://svn.apache.org/r1632633 Log: Forgot changelog. Modified: tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1632633&r1=1632632&r2=1632633&view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Fri Oct 17 16:51:33 2014 @@ -212,6 +212,9 @@ Fix client subprotocol handling. (remm) + +Add null checks for arguments in remote endpoint. (remm) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632634 - in /tomcat/tc7.0.x/trunk: java/org/apache/tomcat/websocket/LocalStrings.properties java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java webapps/docs/changelog.xml
Author: remm
Date: Fri Oct 17 16:51:49 2014
New Revision: 1632634
URL: http://svn.apache.org/r1632634
Log:
Add null checks for arguments in remote endpoint.
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/websocket/LocalStrings.properties
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/websocket/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/websocket/LocalStrings.properties?rev=1632634&r1=1632633&r2=1632634&view=diff
==
---
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/websocket/LocalStrings.properties
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/websocket/LocalStrings.properties
Fri Oct 17 16:51:49 2014
@@ -72,6 +72,8 @@ wsRemoteEndpoint.flushOnCloseFailed=Flus
wsRemoteEndpoint.invalidEncoder=The specified encoder of type [{0}] could not
be instantiated
wsRemoteEndpoint.noEncoder=No encoder specified for object of class [{0}]
wsRemoteEndpoint.wrongState=The remote endpoint was in state [{0}] which is an
invalid state for called method
+wsRemoteEndpoint.nullData=Invalid null data argument
+wsRemoteEndpoint.nullHandler=Invalid null handler argument
# Note the following message is used as a close reason in a WebSocket control
# frame and therefore must be 123 bytes (not characters) or less in length.
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java?rev=1632634&r1=1632633&r2=1632634&view=diff
==
---
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java
Fri Oct 17 16:51:49 2014
@@ -125,6 +125,9 @@ public abstract class WsRemoteEndpointIm
public void sendBytes(ByteBuffer data) throws IOException {
+if (data == null) {
+throw new
IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullData"));
+}
stateMachine.binaryStart();
startMessageBlock(Constants.OPCODE_BINARY, data, true);
stateMachine.complete(true);
@@ -139,6 +142,12 @@ public abstract class WsRemoteEndpointIm
public void sendBytesByCompletion(ByteBuffer data, SendHandler handler) {
+if (data == null) {
+throw new
IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullData"));
+}
+if (handler == null) {
+throw new
IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullHandler"));
+}
StateUpdateSendHandler sush = new StateUpdateSendHandler(handler);
stateMachine.binaryStart();
startMessage(Constants.OPCODE_BINARY, data, true, sush);
@@ -147,6 +156,9 @@ public abstract class WsRemoteEndpointIm
public void sendPartialBytes(ByteBuffer partialByte, boolean last)
throws IOException {
+if (partialByte == null) {
+throw new
IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullData"));
+}
stateMachine.binaryPartialStart();
startMessageBlock(Constants.OPCODE_BINARY, partialByte, last);
stateMachine.complete(last);
@@ -168,6 +180,9 @@ public abstract class WsRemoteEndpointIm
public void sendString(String text) throws IOException {
+if (text == null) {
+throw new
IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullData"));
+}
stateMachine.textStart();
sendPartialString(CharBuffer.wrap(text), true);
}
@@ -181,6 +196,12 @@ public abstract class WsRemoteEndpointIm
public void sendStringByCompletion(String text, SendHandler handler) {
+if (text == null) {
+throw new
IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullData"));
+}
+if (handler == null) {
+throw new
IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullHandler"));
+}
stateMachine.textStart();
TextMessageSendHandler tmsh = new TextMessageSendHandler(handler,
CharBuffer.wrap(text), true, encoder, encoderBuffer, this);
@@ -191,6 +212,9 @@ public abstract class WsRemoteEndpointIm
public void sendPartialString(String fragment, boolean isLast)
throws IOException {
+if (fragment == null) {
+throw new
IllegalArgumentException(sm.getString("wsRemoteEndpoint.nullData"));
+}
stateMachine.textPartialStart();
sendPartialString(CharBuffer.wrap(fragment), isLast);
}
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http:/
[GUMP@vmgump]: Project tomcat-trunk-test-apr (in module tomcat-trunk) failed
To whom it may engage... This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org. Project tomcat-trunk-test-apr has an issue affecting its community integration. This issue affects 1 projects. The current state of this project is 'Failed', with reason 'Build Failed'. For reference only, the following projects are affected by this: - tomcat-trunk-test-apr : Tomcat 8.x, a web server implementing the Java Servlet 3.1, ... Full details are available at: http://vmgump.apache.org/gump/public/tomcat-trunk/tomcat-trunk-test-apr/index.html That said, some information snippets are provided here. The following annotations (debug/informational/warning/error messages) were provided: -DEBUG- Dependency on commons-daemon exists, no need to add for property commons-daemon.native.src.tgz. -DEBUG- Dependency on commons-daemon exists, no need to add for property tomcat-native.tar.gz. -INFO- Failed with reason build failed -INFO- Project Reports in: /srv/gump/public/workspace/tomcat-trunk/output/logs-APR -INFO- Project Reports in: /srv/gump/public/workspace/tomcat-trunk/output/test-tmp-APR/logs The following work was performed: http://vmgump.apache.org/gump/public/tomcat-trunk/tomcat-trunk-test-apr/gump_work/build_tomcat-trunk_tomcat-trunk-test-apr.html Work Name: build_tomcat-trunk_tomcat-trunk-test-apr (Type: Build) Work ended in a state of : Failed Elapsed: 25 mins 34 secs Command Line: /usr/lib/jvm/java-7-oracle/bin/java -Djava.awt.headless=true -Dbuild.sysclasspath=only org.apache.tools.ant.Main -Dgump.merge=/srv/gump/public/gump/work/merge.xml -Djunit.jar=/srv/gump/public/workspace/junit/target/junit-4.12-SNAPSHOT.jar -Dobjenesis.jar=/srv/gump/public/workspace/objenesis/main/target/objenesis-2.2-SNAPSHOT.jar -Dtest.reports=output/logs-APR -Dtomcat-native.tar.gz=/srv/gump/public/workspace/apache-commons/daemon/dist/bin/commons-daemon-20141017-native-src.tar.gz -Dexamples.sources.skip=true -Djdt.jar=/srv/gump/packages/eclipse/plugins/P20140317-1600/ecj-P20140317-1600.jar -Dtest.apr.loc=/srv/gump/public/workspace/tomcat-native/dest-20141017/lib -Dcommons-daemon.jar=/srv/gump/public/workspace/apache-commons/daemon/dist/commons-daemon-20141017.jar -Dcommons-daemon.native.src.tgz=/srv/gump/public/workspace/apache-commons/daemon/dist/bin/commons-daemon-20141017-native-src.tar.gz -Dtest.temp=output/test-tmp-APR -Dtest.accesslog=true -Dexecute.test.nio=false -Dtest.openssl.path=/srv/gump/public/workspace/openssl/dest-20141017/bin/openssl -Dexecute.test.apr=true -Dexecute.test.bio=false -Dexecute.test.nio2=false -Deasymock.jar=/srv/gump/public/workspace/easymock/easymock/target/easymock-3.3-SNAPSHOT.jar -Dhamcrest.jar=/srv/gump/public/workspace/hamcrest/build/hamcrest-all-20141017.jar -Dcglib.jar=/srv/gump/packages/cglib/cglib-nodep-2.2.jar test [Working Directory: /srv/gump/public/workspace/tomcat-trunk] CLASSPATH: /usr/lib/jvm/java-7-oracle/lib/tools.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/webapps/examples/WEB-INF/classes:/srv/gump/public/workspace/tomcat-trunk/output/testclasses:/srv/gump/public/workspace/ant/dist/lib/ant.jar:/srv/gump/public/workspace/ant/dist/lib/ant-launcher.jar:/srv/gump/public/workspace/ant/dist/lib/ant-jmf.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit4.jar:/srv/gump/public/workspace/ant/dist/lib/ant-swing.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-resolver.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-xalan2.jar:/srv/gump/public/workspace/xml-commons/java/build/resolver.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/bin/bootstrap.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/bin/tomcat-juli.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/annotations-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/servlet-api.ja r:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/jsp-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/el-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/websocket-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/catalina.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/catalina-ant.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/catalina-storeconfig.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/tomcat-coyote.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/jasper.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/jasper-el.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/catalina-tribes.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/catalina-ha.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/tomcat-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/tomcat-jni.jar:/srv/g
[Bug 57103] Download page should provide details on how to verify the downloads
https://issues.apache.org/bugzilla/show_bug.cgi?id=57103 --- Comment #2 from Sebb --- (In reply to Konstantin Kolinko from comment #1) > The HTTPD page does it wrong. > > The following command is seriously broken: > % gpg --verify httpd-2.2.0.tar.gz.asc It works for me - see below. > It must be > % gpg --verify httpd-2.2.0.tar.gz.asc httpd-2.2.0.tar.gz That works too. > per > http://blog.terryburton.co.uk/2006/11/falling-into-trap-with-gpg.html That page no longer exists. > https://www.gnupg.org/gph/en/manual/x135.html That page does mention both the sig and the input file. However I have found that gpg verify works fine with just the .sig or .asc file. GPG looks for a file with the .asc/.sig removed and uses that if it is found; if not it reports: gpg: no signed data gpg: can't hash datafile: No data > It makes little sense for each project to maintain a "how to verify PGP" > page. There is an ASF-wide one, > http://www.apache.org/info/verification.html Indeed. The ASF one probably appeared after the httpd one. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57103] Download page should provide details on how to verify the downloads
https://issues.apache.org/bugzilla/show_bug.cgi?id=57103 --- Comment #3 from Konstantin Kolinko --- (In reply to Sebb from comment #2) > (In reply to Konstantin Kolinko from comment #1) > > per > > http://blog.terryburton.co.uk/2006/11/falling-into-trap-with-gpg.html > > That page no longer exists. > It is available from http://archive.org/web/ -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57108] New: Implement multiple sslcontext SNI (server name indication) dispatch
https://issues.apache.org/bugzilla/show_bug.cgi?id=57108 Bug ID: 57108 Summary: Implement multiple sslcontext SNI (server name indication) dispatch Product: Tomcat Connectors Version: unspecified Hardware: All OS: All Status: NEW Severity: normal Priority: P2 Component: Common Assignee: dev@tomcat.apache.org Reporter: quartz...@yahoo.com SSL/TLS defines a mechanism for virtual host names on the same ip/port to have distinct server certs (and protocols, and else), avoiding the use of wildcard certs. With jdk8, a TLS server can prefetch the ClientHello's server name indication (SNI) extension from the tcp accepted socket inputstream, then create an sslsocket with the new SSLSocketFactory.createSocket(socket, inputstream, autoclose) method (the the inputstream arg is just the replay of the prefetched bytes). Unfortunately, all socket factories come from a SSLContext already initialized on keymanagers/trustmanagers on key/trust stores. Once a sslsocket is accepted from an sslsocketfactory, the sslcontext/server cert is already chosen. To implement this under tomcat, the SSL connectors must only accept tcp connetions, detect the intended hostname, choose the proper sslcontext and then forward to the sslsocketfactory to handshake correctly. This means defining more than one keystore/truststore/params on the unique ssl connector. One way to express this potentially large configuration would be to point to a mapping file outside the server.xml, but it should be possible to inline this data section too (some new tag element under the connector, perhaps a collection). Ultimately, the admin should be able to map a hostname to an sslcontext descriptor (which is more than just keystore/truststore, but also versions, protocols, etc...) Backward compatibility is desirable, so the previous attributes would only be assimilated as a single mapping of all hostnames. In fact, these mapping will require a default when no hostname pattern matches, so it is probably good to plan for a collection of sslcontext mappings plus 1 default sslcontext. The jdk8 docs are giving complete examples on the prefectching mecanism and how to use SNI. http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SNIExamples Particularly the section "Working with Virtual Infrastructures". -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57108] Implement multiple sslcontext SNI (server name indication) dispatch
https://issues.apache.org/bugzilla/show_bug.cgi?id=57108 quartz changed: What|Removed |Added CC||quartz...@yahoo.com -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57108] Implement multiple sslcontext SNI (server name indication) dispatch
https://issues.apache.org/bugzilla/show_bug.cgi?id=57108 Chuck Caldarale changed: What|Removed |Added Severity|normal |enhancement -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57103] Download page should provide details on how to verify the downloads
https://issues.apache.org/bugzilla/show_bug.cgi?id=57103 --- Comment #4 from Sebb --- (In reply to Konstantin Kolinko from comment #3) > (In reply to Sebb from comment #2) > > (In reply to Konstantin Kolinko from comment #1) > > > per > > > http://blog.terryburton.co.uk/2006/11/falling-into-trap-with-gpg.html > > > > That page no longer exists. > > > > It is available from http://archive.org/web/ OK, I see now. I agree it's badly broken. The ASF page is also wrong; I'll fix it. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[GitHub] tomcat-maven-plugin pull request: add "clientAuth" parameter for t...
GitHub user manhole opened a pull request: https://github.com/apache/tomcat-maven-plugin/pull/12 add "clientAuth" parameter for tomcat6 You can merge this pull request into a Git repository by running: $ git pull https://github.com/manhole/tomcat-maven-plugin clientAuth Alternatively you can review and apply these changes as the patch at: https://github.com/apache/tomcat-maven-plugin/pull/12.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #12 commit 545fbe7c97a66517d3b672f2c2ff9c163e0b3b67 Author: manhole Date: 2014-10-17T18:25:07Z add "clientAuth" parameter for TC6. (Itâs already available in TC7) --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. --- - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57108] Implement multiple sslcontext SNI (server name indication) dispatch
https://issues.apache.org/bugzilla/show_bug.cgi?id=57108 Mark Thomas changed: What|Removed |Added Component|Common |Connectors Version|unspecified |trunk Product|Tomcat Connectors |Tomcat 8 Target Milestone|--- | --- Comment #1 from Mark Thomas --- Correct the component - this has nothing to do with the Connectors component which is the web server end of the AJP implementation. Tomcat 8 has to run on a minimum of Java 7 so this is something on the roadmap for Tomcat 9. Leave this in Tomact 8 until work starts on Tomcat 9 and the product exists in Bugzilla. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1632606 - in /tomcat/tc7.0.x/trunk: java/org/apache/tomcat/jni/ java/org/apache/tomcat/util/net/ webapps/docs/ webapps/docs/config/
On 17/10/2014 16:31, schu...@apache.org wrote:
> Author: schultz
> Date: Fri Oct 17 15:31:16 2014
> New Revision: 1632606
>
> URL: http://svn.apache.org/r1632606
> Log:
> Back-ported r1632604 to fix
> https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
> Add support for TLSv1.1 and TLSv1.2 to APR connector.
This triggers an error if you start Tomcat with tc-native 1.1.31 or
earlier since the lib doesn't understand the TLSv1.1 or TLSv1.2 settings
that are part of ALL.
I'm find with that for now - this is a development branch after all.
My current thinking is get a 1.1.32 release out ASAP, bump the minimum
required version to 1.1.32 and then do a 8.0.x release (and probably
7.0.x and 6.0.x as well).
I'm planning to do some prep work (change log, version updates etc) for
a 1.1.32 release over the weekend with a tag early next week. Unless
anyone else wants to take a crack at the release...
Mark
>
> Modified:
> tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
> tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java
> tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
> tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
> tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml
> tomcat/tc7.0.x/trunk/webapps/docs/ssl-howto.xml
>
> Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
> URL:
> http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1632606&r1=1632605&r2=1632606&view=diff
> ==
> --- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java (original)
> +++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java Fri Oct 17
> 15:31:16 2014
> @@ -72,7 +72,9 @@ public final class SSL {
> public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
> public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
> public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
> -public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1);
> +public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3);
> +public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4);
> +public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 |
> SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2);
>
> /*
> * Define the SSL verify levels
>
> Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java
> URL:
> http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java?rev=1632606&r1=1632605&r2=1632606&view=diff
> ==
> --- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java (original)
> +++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java Fri Oct
> 17 15:31:16 2014
> @@ -27,13 +27,15 @@ public final class SSLContext {
> /**
> * Initialize new SSL context
> * @param pool The pool to use.
> - * @param protocol The SSL protocol to use. It can be one of:
> + * @param protocol The SSL protocol to use. It can be any combination of
> + * the following:
> *
> - * SSL_PROTOCOL_SSLV2
> - * SSL_PROTOCOL_SSLV3
> - * SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3
> - * SSL_PROTOCOL_TLSV1
> - * SSL_PROTOCOL_ALL
> + * {@link SSL#SSL_PROTOCOL_SSLV2}
> + * {@link SSL#SSL_PROTOCOL_SSLV3}
> + * {@link SSL#SSL_PROTOCOL_TLSV1}
> + * {@link SSL#SSL_PROTOCOL_TLSV1_1}
> + * {@link SSL#SSL_PROTOCOL_TLSV1_2}
> + * {@link SSL#SSL_PROTOCOL_ALL} ( == all TLS versions, no SSL)
> *
> * @param mode SSL mode to use
> *
>
> Modified:
> tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
> URL:
> http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1632606&r1=1632605&r2=1632606&view=diff
> ==
> --- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
> (original)
> +++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Fri
> Oct 17 15:31:16 2014
> @@ -503,6 +503,10 @@ public class AprEndpoint extends Abstrac
> value |= SSL.SSL_PROTOCOL_SSLV3;
> } else if ("TLSv1".equalsIgnoreCase(protocol)) {
> value |= SSL.SSL_PROTOCOL_TLSV1;
> +} else if ("TLSv1.1".equalsIgnoreCase(protocol)) {
> +value |= SSL.SSL_PROTOCOL_TLSV1_1;
> +} else if ("TLSv1.2".equalsIgnoreCase(protocol)) {
> +value |= SSL.SSL_PROTOCOL_TLSV1_2;
> } else if ("all".equalsIgnoreCase(protocol)) {
> value |= SSL.SSL_PROTOCOL_ALL;
> } else {
>
> Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
> URL:
> http://svn.apache.org/viewvc/tomcat/tc7.0.x
svn commit: r1632654 - in /tomcat/sandbox/trunk-maven-layout: apache-tomcat/pom.xml apache-tomcat/src/assembly/distrib.xml tomcat-jasper/src/main/resources/ tomcat-websocket/src/main/java/org/apache/t
Author: markt Date: Fri Oct 17 19:31:00 2014 New Revision: 1632654 URL: http://svn.apache.org/r1632654 Log: Further improvements from Pierre Viret to fix JSPs Added: tomcat/sandbox/trunk-maven-layout/tomcat-jasper/src/main/resources/ (with props) tomcat/sandbox/trunk-maven-layout/tomcat-websocket/src/main/resources/ (with props) Modified: tomcat/sandbox/trunk-maven-layout/apache-tomcat/pom.xml tomcat/sandbox/trunk-maven-layout/apache-tomcat/src/assembly/distrib.xml tomcat/sandbox/trunk-maven-layout/tomcat-websocket/src/main/java/org/apache/tomcat/ (props changed) Modified: tomcat/sandbox/trunk-maven-layout/apache-tomcat/pom.xml URL: http://svn.apache.org/viewvc/tomcat/sandbox/trunk-maven-layout/apache-tomcat/pom.xml?rev=1632654&r1=1632653&r2=1632654&view=diff == --- tomcat/sandbox/trunk-maven-layout/apache-tomcat/pom.xml (original) +++ tomcat/sandbox/trunk-maven-layout/apache-tomcat/pom.xml Fri Oct 17 19:31:00 2014 @@ -241,6 +241,10 @@ resources generate-resources + + +true + Modified: tomcat/sandbox/trunk-maven-layout/apache-tomcat/src/assembly/distrib.xml URL: http://svn.apache.org/viewvc/tomcat/sandbox/trunk-maven-layout/apache-tomcat/src/assembly/distrib.xml?rev=1632654&r1=1632653&r2=1632654&view=diff == --- tomcat/sandbox/trunk-maven-layout/apache-tomcat/src/assembly/distrib.xml (original) +++ tomcat/sandbox/trunk-maven-layout/apache-tomcat/src/assembly/distrib.xml Fri Oct 17 19:31:00 2014 @@ -16,6 +16,8 @@ / **/* +temp +logs bin/*.sh @@ -28,7 +30,16 @@ bin/*.sh 0755 - + + + +src/main/resources/logs +/logs + + +src/main/resources/temp +/temp + @@ -222,4 +233,4 @@ false - \ No newline at end of file + Propchange: tomcat/sandbox/trunk-maven-layout/tomcat-jasper/src/main/resources/ -- --- svn:externals (added) +++ svn:externals Fri Oct 17 19:31:00 2014 @@ -0,0 +1 @@ +^/tomcat/trunk/res/META-INF/jasper.jar META-INF Propchange: tomcat/sandbox/trunk-maven-layout/tomcat-websocket/src/main/java/org/apache/tomcat/ -- --- svn:externals (original) +++ svn:externals Fri Oct 17 19:31:00 2014 @@ -1 +1 @@ -^/tomcat/trunk/java/javax/websocket websocket +^/tomcat/trunk/java/org/apache/tomcat/websocket websocket Propchange: tomcat/sandbox/trunk-maven-layout/tomcat-websocket/src/main/resources/ -- --- svn:externals (added) +++ svn:externals Fri Oct 17 19:31:00 2014 @@ -0,0 +1 @@ +^/tomcat/trunk/res/META-INF/tomcat-websocket.jar META-INF - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56397] Establish parallel Maven-based build process
https://issues.apache.org/bugzilla/show_bug.cgi?id=56397 --- Comment #43 from Mark Thomas --- Nice. This passes a simple smoke test (WebSocket snake game). One thing to think about when you get back is how to translate the version number filtering to Maven. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1632606 - in /tomcat/tc7.0.x/trunk: java/org/apache/tomcat/jni/ java/org/apache/tomcat/util/net/ webapps/docs/ webapps/docs/config/
Mark, On 10/17/14 3:13 PM, Mark Thomas wrote: > On 17/10/2014 16:31, schu...@apache.org wrote: >> Author: schultz >> Date: Fri Oct 17 15:31:16 2014 >> New Revision: 1632606 >> >> URL: http://svn.apache.org/r1632606 >> Log: >> Back-ported r1632604 to fix >> https://issues.apache.org/bugzilla/show_bug.cgi?id=53952 >> Add support for TLSv1.1 and TLSv1.2 to APR connector. > > This triggers an error if you start Tomcat with tc-native 1.1.31 or > earlier since the lib doesn't understand the TLSv1.1 or TLSv1.2 settings > that are part of ALL. Hmm, really? I would have expected tcnative to simply ignore the additional protocol bits. Grumble... > I'm find with that for now - this is a development branch after all. > > My current thinking is get a 1.1.32 release out ASAP, bump the minimum > required version to 1.1.32 and then do a 8.0.x release (and probably > 7.0.x and 6.0.x as well). Agreed. I had forgotten to bump the minimum-required-version of tcnative. > I'm planning to do some prep work (change log, version updates etc) for > a 1.1.32 release over the weekend with a tag early next week. Unless > anyone else wants to take a crack at the release... Thanks, -chris signature.asc Description: OpenPGP digital signature
svn commit: r1632656 - /tomcat/native/branches/1.1.x/native/srclib/VERSIONS
Author: markt Date: Fri Oct 17 19:46:32 2014 New Revision: 1632656 URL: http://svn.apache.org/r1632656 Log: Update APR for next release Modified: tomcat/native/branches/1.1.x/native/srclib/VERSIONS Modified: tomcat/native/branches/1.1.x/native/srclib/VERSIONS URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/srclib/VERSIONS?rev=1632656&r1=1632655&r2=1632656&view=diff == --- tomcat/native/branches/1.1.x/native/srclib/VERSIONS (original) +++ tomcat/native/branches/1.1.x/native/srclib/VERSIONS Fri Oct 17 19:46:32 2014 @@ -1,4 +1,4 @@ Use the following version of the libraries -- APR 1.4.8, http://apr.apache.org +- APR 1.5.1, http://apr.apache.org - OpenSSL 1.0.1j, http://www.openssl.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1632657 - /tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml
Author: markt Date: Fri Oct 17 19:47:04 2014 New Revision: 1632657 URL: http://svn.apache.org/r1632657 Log: Update changelog Modified: tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml Modified: tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml?rev=1632657&r1=1632656&r2=1632657&view=diff == --- tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml (original) +++ tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml Fri Oct 17 19:47:04 2014 @@ -41,6 +41,13 @@ 53952: Add support for TLSv1.2 and TLSv1.1. Patch provided by Marcel Šebek. (schultz) + + + 56844: Use OpenSSL 1.0.1j with Windows binaries. (markt) + + + Use APR 1.5.1 with Windows binaries (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
