[Bug 59220] AsyncListener#onComplete not called after timeout if buffer is flushed
https://bz.apache.org/bugzilla/show_bug.cgi?id=59220

--- Comment #7 from Scott Nicklous ---

Hi Violeta,

That would be a potential workaround for the timeout case. I would have to ensure that the Pluto listener runs after all AsyncListeners registered by the portlet applications. It would be a little bit difficult to implement, since the servlet spec requires that the listeners be called in the order in which they are registered, and that's the way Tomcat works, too. So Pluto would not be able to simply call startAsync, add its listener to the AsyncContext, and pass the AsyncContext to the portlet application. I would probably have to wrap the AsyncContext object in order to make sure that the Pluto listener is always the last one added. But it would be possible.

--
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
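The wrapping approach sketched in comment #7, as an added illustration (this is hypothetical example code, not Pluto's or Tomcat's): the container is given a single listener, the wrapper's private Dispatcher, and every listener the portlet application registers through the wrapper is kept in a private list, so the portal's listener can be notified after all of them regardless of the container's registration-order rule. It assumes the Servlet 3.1 javax.servlet API; the class names LastListenerAsyncContext, Dispatcher and Entry are invented here.

```java
import java.io.IOException;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.servlet.AsyncContext;
import javax.servlet.AsyncEvent;
import javax.servlet.AsyncListener;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

/**
 * Hypothetical wrapper (not Pluto's or Tomcat's code). The container sees only
 * one registered listener, the private Dispatcher. Listeners added through this
 * wrapper are notified in registration order; the portal's listener runs last.
 */
public class LastListenerAsyncContext implements AsyncContext {

    /** One application registration: listener plus the request/response it supplied, if any. */
    private static final class Entry {
        final AsyncListener listener;
        final ServletRequest request;
        final ServletResponse response;
        Entry(AsyncListener listener, ServletRequest request, ServletResponse response) {
            this.listener = listener; this.request = request; this.response = response;
        }
    }

    private enum Kind { COMPLETE, TIMEOUT, ERROR, START }

    private final AsyncContext delegate;
    private final AsyncListener portalListener;                 // always notified last
    private final List<Entry> appListeners = new CopyOnWriteArrayList<>();

    public LastListenerAsyncContext(AsyncContext delegate, AsyncListener portalListener) {
        this.delegate = delegate;
        this.portalListener = portalListener;
        delegate.addListener(new Dispatcher());               // the only listener the container knows
    }

    /** Receives the container's events and fans them out in the order we want. */
    private final class Dispatcher implements AsyncListener {
        @Override public void onComplete(AsyncEvent e) throws IOException { fanOut(e, Kind.COMPLETE); }
        @Override public void onTimeout(AsyncEvent e) throws IOException { fanOut(e, Kind.TIMEOUT); }
        @Override public void onError(AsyncEvent e) throws IOException { fanOut(e, Kind.ERROR); }
        @Override public void onStartAsync(AsyncEvent e) throws IOException { fanOut(e, Kind.START); }
    }

    private void fanOut(AsyncEvent containerEvent, Kind kind) throws IOException {
        for (Entry entry : appListeners) {
            AsyncEvent e = containerEvent;
            if (entry.request != null) {
                // Mirror what the container does for addListener(l, req, resp):
                // the listener sees the request/response it registered with.
                e = new AsyncEvent(containerEvent.getAsyncContext(), entry.request,
                        entry.response, containerEvent.getThrowable());
            }
            deliver(entry.listener, e, kind);
        }
        // Application listeners have had their chance to complete() or dispatch();
        // the portal listener observes the outcome last, which is what comment #7 needs.
        deliver(portalListener, containerEvent, kind);
    }

    private static void deliver(AsyncListener l, AsyncEvent e, Kind kind) throws IOException {
        switch (kind) {
            case COMPLETE: l.onComplete(e); break;
            case TIMEOUT: l.onTimeout(e); break;
            case ERROR: l.onError(e); break;
            case START: l.onStartAsync(e); break;
        }
    }

    // Listener registration is intercepted; every other method is plain delegation.
    @Override public void addListener(AsyncListener l) {
        appListeners.add(new Entry(l, null, null));
    }
    @Override public void addListener(AsyncListener l, ServletRequest req, ServletResponse resp) {
        appListeners.add(new Entry(l, req, resp));
    }
    @Override public void complete() { delegate.complete(); }
    @Override public <T extends AsyncListener> T createListener(Class<T> clazz) throws ServletException {
        return delegate.createListener(clazz);
    }
    @Override public void dispatch() { delegate.dispatch(); }
    @Override public void dispatch(String path) { delegate.dispatch(path); }
    @Override public void dispatch(ServletContext ctx, String path) { delegate.dispatch(ctx, path); }
    @Override public ServletRequest getRequest() { return delegate.getRequest(); }
    @Override public ServletResponse getResponse() { return delegate.getResponse(); }
    @Override public long getTimeout() { return delegate.getTimeout(); }
    @Override public boolean hasOriginalRequestAndResponse() { return delegate.hasOriginalRequestAndResponse(); }
    @Override public void setTimeout(long timeout) { delegate.setTimeout(timeout); }
    @Override public void start(Runnable run) { delegate.start(run); }
}
```

Two limits to keep in mind: AsyncEvent.getAsyncContext() still returns the container's context, so a listener that registers further listeners through it bypasses the wrapper, and a fresh startAsync() clears the container's listener list, Dispatcher included, so one wrapper covers one async cycle.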
[Bug 59220] AsyncListener#onComplete not called after timeout if buffer is flushed
https://bz.apache.org/bugzilla/show_bug.cgi?id=59220

--- Comment #8 from Violeta Georgieva ---

If you wait for Tomcat to invoke a complete(), then this will be an error situation and, as it is per spec, Tomcat will set the response code to 500. Isn't that a problem from an application point of view?
[Bug 59220] AsyncListener#onComplete not called after timeout if buffer is flushed
https://bz.apache.org/bugzilla/show_bug.cgi?id=59220

--- Comment #9 from Scott Nicklous ---

In the specific case addressed by this bug report, both onTimeout() and onComplete() are correctly called as long as the buffer is not flushed.

The problem occurs only when the buffer was flushed at least once before the timeout occurs. If the buffer was flushed, onTimeout() is called, but onComplete() is not.

If the buffer was flushed, I don't think Tomcat can set the status code or do an error dispatch anymore. But it would be nice if onComplete() would be called after the onTimeout() anyway.
[Bug 59220] AsyncListener#onComplete not called after timeout if buffer is flushed
https://bz.apache.org/bugzilla/show_bug.cgi?id=59220

--- Comment #10 from Violeta Georgieva ---

(In reply to Scott Nicklous from comment #9)
> In the specific case addressed by this bug report, both onTimeout() and
> onComplete() are correctly called as long as the buffer is not flushed.
>
> The problem occurs only when the buffer was flushed at least once before the
> timeout occurs. If the buffer was flushed, onTimeout() is called, but
> onComplete() is not.
>
> If the buffer was flushed, I don't think Tomcat can set the status code or
> do an error dispatch anymore. But it would be nice if onComplete() would be
> called after the onTimeout() anyway.

Actually it will as it is required by the spec

" - Invoke the AsyncListener.onTimeout method on all the AsyncListener instances registered with the ServletRequest on which the asynchronous operation was initiated.
- If none of the listeners called AsyncContext.complete() or any of the AsyncContext.dispatch methods, perform an error dispatch with a status code equal to HttpServletResponse.SC_INTERNAL_SERVER_ERROR."

"GET /AsyncDebugListener/ltest?reps=3&timeout&flush HTTP/1.1" 500 642
"GET /AsyncDebugListener/ltest?reps=3&timeout HTTP/1.1" 500 624

This is what I will receive in the http access code with your example.

Regards,
Violeta
[Bug 59243] Path traversal Attack
https://bz.apache.org/bugzilla/show_bug.cgi?id=59243

--- Comment #7 from Mark Thomas ---

Bugzilla is not a support forum. Your questions belong on the users mailing list.
[Bug 59220] AsyncListener#onComplete not called after timeout if buffer is flushed
https://bz.apache.org/bugzilla/show_bug.cgi?id=59220

--- Comment #11 from Mark Thomas ---

It is worth taking a look to see if we can get consistent behaviour with and without flush. The client won't see the same result but hopefully the app will be able to see a consistent set of events.
svn commit: r1737088 - in /tomcat/trunk/webapps/docs/config: ajp.xml http.xml
Author: markt Date: Wed Mar 30 09:42:21 2016 New Revision: 1737088 URL: http://svn.apache.org/viewvc?rev=1737088&view=rev Log: (empty) Modified: tomcat/trunk/webapps/docs/config/ajp.xml tomcat/trunk/webapps/docs/config/http.xml Modified: tomcat/trunk/webapps/docs/config/ajp.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/ajp.xml?rev=1737088&r1=1737087&r2=1737088&view=diff == --- tomcat/trunk/webapps/docs/config/ajp.xml (original) +++ tomcat/trunk/webapps/docs/config/ajp.xml Wed Mar 30 09:42:21 2016 @@ -764,55 +764,55 @@ APR/native ConnectorAPR -Classname +Classname AjpNioProtocol AjpNio2Protocol AjpAprProtocol -Tomcat Version +Tomcat Version 7.x onwards 8.x onwards 5.5.x onwards -Support Polling +Support Polling YES YES YES -Polling Size +Polling Size maxConnections maxConnections maxConnections -Read Request Headers +Read Request Headers Blocking Blocking Blocking -Read Request Body +Read Request Body Blocking Blocking Blocking -Write Response +Write Response Blocking Blocking Blocking -Wait for next Request +Wait for next Request Non Blocking Non Blocking Non Blocking -Max Connections +Max Connections maxConnections maxConnections maxConnections Modified: tomcat/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1737088&r1=1737087&r2=1737088&view=diff == --- tomcat/trunk/webapps/docs/config/http.xml (original) +++ tomcat/trunk/webapps/docs/config/http.xml Wed Mar 30 09:42:21 2016 
@@ -1677,67 +1677,67 @@ APR/native ConnectorAPR -Classname +Classname Http11NioProtocol Http11Nio2Protocol Http11AprProtocol -Tomcat Version +Tomcat Version 6.x onwards 8.x onwards 5.5.x onwards -Support Polling +Support Polling YES YES YES -Polling Size +Polling Size maxConnections maxConnections maxConnections -Read HTTP Request +Read HTTP Request Non Blocking Non Blocking Non Blocking -Read HTTP Body +Read HTTP Body Blocking Blocking Blocking -Write HTTP Response +Write HTTP Response Blocking Blocking Blocking -Wait for next Request +Wait for next Request Non Blocking Non Blocking Non Blocking -SSL Support +SSL Support Java SSL or OpenSSL Java SSL or OpenSSL OpenSSL -SSL Handshake +SSL Handshake Non blocking Non blocking Blocking -Max Connections +Max Connections maxConnections maxConnections maxConnections - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
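Review bot: The log message is empty ("Log: (empty)"), so the change is undocumented in history; every -/+ row pair in both ajp.xml and http.xml shows identical visible text ("-Classname +Classname", "-Tomcat Version +Tomcat Version"), which means the actual change is in table-cell markup that a reader of the diff cannot see, and a one-line message such as "drop the explicit default format on the comparison table headings" is needed. Separately, after this hunk the http.xml rows still read "Read HTTP Request", "Read HTTP Body" and "Write HTTP Response" while ajp.xml uses "Read Request Headers", "Read Request Body" and "Write Response"; aligning the two tables in the same pass would avoid a follow-up commit.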
buildbot exception in on tomcat-trunk
The Buildbot has detected a build exception on builder tomcat-trunk while building . Full details are available at:
https://ci.apache.org/builders/tomcat-trunk/builds/1210

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: silvanus_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' triggered this build
Build Source Stamp: [branch tomcat/trunk] 1737088
Blamelist: markt

BUILD FAILED: exception upload_2

Sincerely,
-The Buildbot
[Bug 59220] AsyncListener#onComplete not called after timeout if buffer is flushed
https://bz.apache.org/bugzilla/show_bug.cgi?id=59220

--- Comment #12 from Scott Nicklous ---

I would not see a problem in handling the SC=500 as long as onComplete() is called. It would seem to me to be the specified behavior. In the case of Pluto, the SC=500 along with any Tomcat-generated error text would be passed to the client, which would give the portlet application developers a nice clue that they need to fix their bug. :-)
svn propchange: r1737088 - svn:log
Author: markt Revision: 1737088 Modified property: svn:log Modified: svn:log at Wed Mar 30 10:09:55 2016 -- --- svn:log (original) +++ svn:log Wed Mar 30 10:09:55 2016 @@ -0,0 +1 @@ +No need to specify default format - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1737089 - in /tomcat/trunk/webapps/docs/config: ajp.xml http.xml
Author: markt Date: Wed Mar 30 10:10:31 2016 New Revision: 1737089 URL: http://svn.apache.org/viewvc?rev=1737089&view=rev Log: Better format for the comparison table headings Align HTTP and AJP row descriptions Be more explicit about Headers and Bodies Modified: tomcat/trunk/webapps/docs/config/ajp.xml tomcat/trunk/webapps/docs/config/http.xml Modified: tomcat/trunk/webapps/docs/config/ajp.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/ajp.xml?rev=1737089&r1=1737088&r2=1737089&view=diff == --- tomcat/trunk/webapps/docs/config/ajp.xml (original) +++ tomcat/trunk/webapps/docs/config/ajp.xml Wed Mar 30 10:10:31 2016 @@ -759,9 +759,9 @@ -Java Nio ConnectorNIO -Java Nio2 ConnectorNIO2 -APR/native ConnectorAPR +Java Nio ConnectorNIO +Java Nio2 ConnectorNIO2 +APR/native ConnectorAPR Classname @@ -800,7 +800,7 @@ Blocking -Write Response +Write Response Headers and Body Blocking Blocking Blocking Modified: tomcat/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1737089&r1=1737088&r2=1737089&view=diff == --- tomcat/trunk/webapps/docs/config/http.xml (original) +++ tomcat/trunk/webapps/docs/config/http.xml Wed Mar 30 10:10:31 2016 @@ -1672,9 +1672,9 @@ -Java Nio ConnectorNIO -Java Nio2 ConnectorNIO2 -APR/native ConnectorAPR +Java Nio ConnectorNIO +Java Nio2 ConnectorNIO2 +APR/native ConnectorAPR Classname @@ -1701,19 +1701,19 @@ maxConnections -Read HTTP Request +Read Request Headers Non Blocking Non Blocking Non Blocking -Read HTTP Body +Read Request Body Blocking Blocking Blocking -Write HTTP Response +Write Response Headers and Body Blocking Blocking Blocking - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
buildbot success in on tomcat-trunk
The Buildbot has detected a restored build on builder tomcat-trunk while building . Full details are available at:
https://ci.apache.org/builders/tomcat-trunk/builds/1211

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: silvanus_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' triggered this build
Build Source Stamp: [branch tomcat/trunk] 1737089
Blamelist: markt

Build succeeded!

Sincerely,
-The Buildbot
svn commit: r1737095 - in /tomcat/tc8.5.x/trunk/webapps/docs/config: ajp.xml http.xml
Author: markt Date: Wed Mar 30 10:40:54 2016 New Revision: 1737095 URL: http://svn.apache.org/viewvc?rev=1737095&view=rev Log: No need to specify default format Better format for the comparison table headings Align HTTP and AJP row descriptions Be more explicit about Headers and Bodies Modified: tomcat/tc8.5.x/trunk/webapps/docs/config/ajp.xml tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml Modified: tomcat/tc8.5.x/trunk/webapps/docs/config/ajp.xml URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/config/ajp.xml?rev=1737095&r1=1737094&r2=1737095&view=diff == --- tomcat/tc8.5.x/trunk/webapps/docs/config/ajp.xml (original) +++ tomcat/tc8.5.x/trunk/webapps/docs/config/ajp.xml Wed Mar 30 10:40:54 2016 @@ -759,60 +759,60 @@ -Java Nio ConnectorNIO -Java Nio2 ConnectorNIO2 -APR/native ConnectorAPR +Java Nio ConnectorNIO +Java Nio2 ConnectorNIO2 +APR/native ConnectorAPR -Classname +Classname AjpNioProtocol AjpNio2Protocol AjpAprProtocol -Tomcat Version +Tomcat Version 7.x onwards 8.x onwards 5.5.x onwards -Support Polling +Support Polling YES YES YES -Polling Size +Polling Size maxConnections maxConnections maxConnections -Read Request Headers +Read Request Headers Blocking Blocking Blocking -Read Request Body +Read Request Body Blocking Blocking Blocking -Write Response +Write Response Headers and Body Blocking Blocking Blocking -Wait for next Request +Wait for next Request Non Blocking Non Blocking Non Blocking -Max Connections +Max Connections maxConnections maxConnections maxConnections Modified: tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml?rev=1737095&r1=1737094&r2=1737095&view=diff == --- tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml (original) +++ tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml Wed Mar 30 10:40:54 2016 
@@ -1673,72 +1673,72 @@ -Java Nio ConnectorNIO -Java Nio2 ConnectorNIO2 -APR/native ConnectorAPR +Java Nio ConnectorNIO +Java Nio2 ConnectorNIO2 +APR/native ConnectorAPR -Classname +Classname Http11NioProtocol Http11Nio2Protocol Http11AprProtocol -Tomcat Version +Tomcat Version 6.x onwards 8.x onwards 5.5.x onwards -Support Polling +Support Polling YES YES YES -Polling Size +Polling Size maxConnections maxConnections maxConnections -Read HTTP Request +Read Request Headers Non Blocking Non Blocking Non Blocking -Read HTTP Body +Read Request Body Blocking Blocking Blocking -Write HTTP Response +Write Response Headers and Body Blocking Blocking Blocking -Wait for next Request +Wait for next Request Non Blocking Non Blocking Non Blocking -SSL Support +SSL Support Java SSL or OpenSSL Java SSL or OpenSSL OpenSSL -SSL Handshake +SSL Handshake Non blocking Non blocking Blocking -Max Connections +Max Connections maxConnections maxConnections maxConnections - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1737097 - in /tomcat/tc8.0.x/trunk/webapps/docs/config: ajp.xml http.xml
Author: markt Date: Wed Mar 30 10:53:30 2016 New Revision: 1737097 URL: http://svn.apache.org/viewvc?rev=1737097&view=rev Log: No need to specify default format Better format for the comparison table headings Align HTTP and AJP row descriptions Be more explicit about Headers and Bodies Modified: tomcat/tc8.0.x/trunk/webapps/docs/config/ajp.xml tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml Modified: tomcat/tc8.0.x/trunk/webapps/docs/config/ajp.xml URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/config/ajp.xml?rev=1737097&r1=1737096&r2=1737097&view=diff == --- tomcat/tc8.0.x/trunk/webapps/docs/config/ajp.xml (original) +++ tomcat/tc8.0.x/trunk/webapps/docs/config/ajp.xml Wed Mar 30 10:53:30 2016 @@ -180,7 +180,7 @@ PATH (Windows) or LD_LIBRARY_PATH (on most unix systems) environment variables contain the Tomcat native library, the native/APR connector will be used. If the native library cannot be -found, the Java based connector will be used. +found, the Java NIO based connector will be used. To use an explicit protocol rather than rely on the auto-switching mechanism described above, the following values may be used: org.apache.coyote.ajp.AjpProtocol 
@@ -779,69 +779,69 @@ -Java Blocking ConnectorBIO -Java Nio ConnectorNIO -Java Nio2 ConnectorNIO2 -APR/native ConnectorAPR +Java Blocking ConnectorBIO +Java Nio ConnectorNIO +Java Nio2 ConnectorNIO2 +APR/native ConnectorAPR -Classname +Classname AjpProtocol AjpNioProtocol AjpNio2Protocol AjpAprProtocol -Tomcat Version +Tomcat Version 3.x onwards 7.x onwards 8.x onwards 5.5.x onwards -Support Polling +Support Polling NO YES YES YES -Polling Size +Polling Size N/A maxConnections maxConnections maxConnections -Read Request Headers +Read Request Headers Blocking Blocking Blocking Blocking -Read Request Body +Read Request Body Blocking Blocking Blocking Blocking -Write Response +Write Response Headers and Body Blocking Blocking Blocking Blocking -Wait for next Request +Wait for next Request Blocking Non Blocking Non Blocking Non Blocking -Max Connections +Max Connections maxConnections maxConnections maxConnections Modified: tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml?rev=1737097&r1=1737096&r2=1737097&view=diff == --- tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml (original) +++ tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml Wed Mar 30 10:53:30 2016 
@@ -1463,83 +1463,83 @@ -Java Blocking ConnectorBIO -Java Nio ConnectorNIO -Java Nio2 ConnectorNIO2 -APR/native ConnectorAPR +Java Blocking ConnectorBIO +Java Nio ConnectorNIO +Java Nio2 ConnectorNIO2 +APR/native ConnectorAPR -Classname +Classname Http11Protocol Http11NioProtocol Http11Nio2Protocol Http11AprProtocol -Tomcat Version +Tomcat Version 3.x onwards 6.x onwards 8.x onwards 5.5.x onwards -Support Polling +Support Polling NO YES YES YES -Polling Size +Polling Size N/A maxConnections maxConnections maxConnections -Read HTTP Request +Read Request Headers Blocking Non Blocking Non Blocking Blocking -Read HTTP Body +Read Request Body Blocking Blocking Blocking Blocking -Write HTTP Response +Write Response Headers and Body Blocking Blocking Blocking Blocking -Wait for next Request +Wait for next Request Blocking Non Blocking Non Blocking Non Blocking -SSL Support +SSL Support Java SSL Java SSL Java SSL O
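Review bot: In the tc8.0.x ajp.xml hunk the "Max Connections" row carries only three cells ("maxConnections maxConnections maxConnections") for a table with four connector columns (BIO, NIO, NIO2, APR); every other row in the same hunk has four, e.g. "Polling Size N/A maxConnections maxConnections maxConnections" and "Wait for next Request Blocking Non Blocking Non Blocking Non Blocking". A cell is missing for the BIO column, so the row renders shifted; add the BIO value so the table lines up. The http.xml hunk is cut off after "SSL Support Java SSL Java SSL Java SSL O", so its Max Connections row could not be checked here.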
svn commit: r1737099 - /tomcat/tc7.0.x/trunk/webapps/docs/config/ajp.xml
Author: markt Date: Wed Mar 30 10:58:45 2016 New Revision: 1737099 URL: http://svn.apache.org/viewvc?rev=1737099&view=rev Log: Clarify which Java based connector will be used. Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/ajp.xml Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/ajp.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/ajp.xml?rev=1737099&r1=1737098&r2=1737099&view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/config/ajp.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/config/ajp.xml Wed Mar 30 10:58:45 2016 @@ -180,7 +180,7 @@ PATH (Windows) or LD_LIBRARY_PATH (on most unix systems) environment variables contain the Tomcat native library, the native/APR connector will be used. If the native library cannot be -found, the Java based connector will be used. +found, the Java BIO based connector will be used. To use an explicit protocol rather than rely on the auto-switching mechanism described above, the following values may be used: org.apache.coyote.ajp.AjpProtocol - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1737100 - in /tomcat/tc7.0.x/trunk/webapps/docs: changelog.xml config/http.xml
Author: markt Date: Wed Mar 30 11:01:02 2016 New Revision: 1737100 URL: http://svn.apache.org/viewvc?rev=1737100&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59229 Fix regression in r1704287 Align/improve row titles Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1737100&r1=1737099&r2=1737100&view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Wed Mar 30 11:01:02 2016 @@ -208,6 +208,11 @@ Fix a potential indefinite wait in the Comet Chat servlet in the examples web application. (markt) + +59229: Fix error in HTTP docs and make clear the the HTTP NIO +connector uses non-blocking I/O to read the HTTP request headers. +(markt) + Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml?rev=1737100&r1=1737099&r2=1737100&view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml Wed Mar 30 11:01:02 2016 @@ -1329,9 +1329,9 @@ Tomcat Version 3.x onwards 6.x onwards 5.5.x onwards Support Polling NO YES YES Polling Size N/A maxConnections maxConnections -Read HTTP Request BlockingBlocking Blocking -Read HTTP BodyBlockingBlocking Blocking -Write HTTP Response BlockingBlocking Blocking +Read Request Headers Blocking Non Blocking Blocking +Read Request Body BlockingBlocking Blocking +Write ResponseBlockingBlocking Blocking Wait for next Request Blocking Non Blocking Non Blocking SSL Support Java SSLJava SSL OpenSSL SSL Handshake Blocking Non blocking Blocking - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
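Review bot: The new changelog entry has a doubled word: "make clear the the HTTP NIO connector uses non-blocking I/O" should read "make clear that the HTTP NIO connector uses non-blocking I/O". The http.xml hunk itself matches the bug report: the NIO column of "Read Request Headers" now says Non Blocking while BIO and APR stay Blocking, and "Read Request Body" stays Blocking for all three, which is consistent with the AJP table and with the changelog text.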
[Bug 59229] Wrong documentation: NIO connector is non-blocking when reading http request
https://bz.apache.org/bugzilla/show_bug.cgi?id=59229

Mark Thomas changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #9 from Mark Thomas ---

Thanks for the report and for digging out the commit that introduced the error.

Note: AJP IS blocking for all connectors for Request Headers and Request Bodies.

I've corrected the HTTP docs for 7.0.x and improved the row titles for 7.0.x through 9.0.x.
svn commit: r1737104 - in /tomcat/trunk/java/org/apache/catalina/core: AprLifecycleListener.java LocalStrings.properties
Author: markt Date: Wed Mar 30 11:38:38 2016 New Revision: 1737104 URL: http://svn.apache.org/viewvc?rev=1737104&view=rev Log: Log key APRListener config values at start. Modified: tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties Modified: tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java?rev=1737104&r1=1737103&r2=1737104&view=diff == --- tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java (original) +++ tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java Wed Mar 30 11:38:38 2016 @@ -253,6 +253,11 @@ public class AprLifecycleListener Boolean.valueOf(Library.APR_HAS_SENDFILE), Boolean.valueOf(Library.APR_HAS_SO_ACCEPTFILTER), Boolean.valueOf(Library.APR_HAS_RANDOM))); + +initInfoLogMessages.add(sm.getString("aprListener.config", +Boolean.valueOf(useAprConnector), +Boolean.valueOf(useOpenSSL))); + aprAvailable = true; } Modified: tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties?rev=1737104&r1=1737103&r2=1737104&view=diff == --- tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties (original) +++ tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties Wed Mar 30 11:38:38 2016 
@@ -65,6 +65,7 @@ aprListener.sslInit=Failed to initialize aprListener.tcnValid=Loaded APR based Apache Tomcat Native library {0} using APR version {1}. aprListener.flags=APR capabilities: IPv6 [{0}], sendfile [{1}], accept filters [{2}], random [{3}]. aprListener.currentFIPSMode=Current FIPS mode: {0} +aprListener.config=APR/OpenSSL configuration: useAprConnector [{0}], useOpenSSL [{1}] aprListener.skipFIPSInitialization=Already in FIPS mode; skipping FIPS initialization. aprListener.enterAlreadyInFIPSMode=AprLifecycleListener is configured to force entering FIPS mode, but library is already in FIPS mode ({0}) aprListener.requireNotInFIPSMode=AprLifecycleListener is configured to require the library to already be in FIPS mode, but it was not in FIPS mode - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
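Review bot: The new aprListener.config message is queued in initInfoLogMessages next to the capability flags and before aprAvailable = true, so what it logs is the configured value of useAprConnector and useOpenSSL, not whether OpenSSL was actually initialised; if the intent is to show the effective state, emit it after SSL initialisation, otherwise word the message as "configured" so an operator reading "useOpenSSL [true]" does not take it as confirmation that OpenSSL is in use. Minor: neighbouring keys such as aprListener.tcnValid and aprListener.flags end with a full stop and this one does not.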
svn commit: r1737105 - in /tomcat/trunk/java/org/apache/coyote/http11: AbstractHttp11JsseProtocol.java Http11AprProtocol.java Http11Nio2Protocol.java Http11NioProtocol.java
Author: markt Date: Wed Mar 30 11:39:11 2016 New Revision: 1737105 URL: http://svn.apache.org/viewvc?rev=1737105&view=rev Log: Include TLS implementation name in connector Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java tomcat/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java?rev=1737105&r1=1737104&r2=1737105&view=diff == --- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java Wed Mar 30 11:39:11 2016 @@ -17,6 +17,7 @@ package org.apache.coyote.http11; import org.apache.tomcat.util.net.AbstractJsseEndpoint; +import org.apache.tomcat.util.net.openssl.OpenSSLImplementation; public abstract class AbstractHttp11JsseProtocol extends AbstractHttp11Protocol { @@ -33,6 +34,13 @@ public abstract class AbstractHttp11Jsse } +protected String getSslImplemenationShortName() { +if (OpenSSLImplementation.class.getName().equals(getSslImplementationName())) { +return "openssl"; +} +return "jsse"; +} + public String getSslImplementationName() { return getEndpoint().getSslImplementationName(); } public void setSslImplementationName(String s) { getEndpoint().setSslImplementationName(s); } Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1737105&r1=1737104&r2=1737105&view=diff == --- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Wed Mar 30 11:39:11 2016 
@@ -63,7 +63,7 @@ public class Http11AprProtocol extends A @Override protected String getNamePrefix() { if (isSSLEnabled()) { -return ("https-apr"); +return ("https-openssl-apr"); } else { return ("http-apr"); } Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java?rev=1737105&r1=1737104&r2=1737105&view=diff == --- tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java Wed Mar 30 11:39:11 2016 @@ -44,7 +44,7 @@ public class Http11Nio2Protocol extends @Override protected String getNamePrefix() { if (isSSLEnabled()) { -return ("https-nio2"); +return ("https-" + getSslImplemenationShortName()+ "nio2"); } else { return ("http-nio2"); } Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java?rev=1737105&r1=1737104&r2=1737105&view=diff == --- tomcat/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java Wed Mar 30 11:39:11 2016 @@ -76,7 +76,7 @@ public class Http11NioProtocol extends A @Override protected String getNamePrefix() { if (isSSLEnabled()) { -return ("https-nio"); +return ("https-" + getSslImplemenationShortName()+ "-nio"); } else { return ("http-nio"); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
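Review bot: Two problems in the new name logic. The helper is misspelled getSslImplemenationShortName (missing "t"); both call sites use the same misspelling so it compiles, but rename it to getSslImplementationShortName before anything else depends on it. More importantly, Http11Nio2Protocol concatenates "https-" + getSslImplemenationShortName()+ "nio2" with no separator, producing e.g. "https-opensslnio2", whereas Http11NioProtocol uses "-nio" and Http11AprProtocol hard-codes "https-openssl-apr"; change the NIO2 line to `return ("https-" + getSslImplementationShortName() + "-nio2");` so that anything keyed on connector names (JMX object names, log filters, monitoring rules) sees one consistent protocol-tls-connector format.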
Re: svn commit: r1737105 - in /tomcat/trunk/java/org/apache/coyote/http11: AbstractHttp11JsseProtocol.java Http11AprProtocol.java Http11Nio2Protocol.java Http11NioProtocol.java
On 30/03/2016 12:39, ma...@apache.org wrote:
> Author: markt
> Date: Wed Mar 30 11:39:11 2016
> New Revision: 1737105
>
> URL: http://svn.apache.org/viewvc?rev=1737105&view=rev
> Log:
> Include TLS implementation name in connector

I thought about adding -none- to the HTTP and AJP connectors for a consistent format of:

protocol-tlsImplementation-connector-

but decided not to since http- and ajp- imply no TLS implementation.

I'm happy to add it in if folks think it is better to have a more consistent format across all connectors.

Mark

> > Modified: > tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java > tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java > tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java > tomcat/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java > > Modified: > tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java?rev=1737105&r1=1737104&r2=1737105&view=diff > == > --- > tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java > (original) > +++ > tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java > Wed Mar 30 11:39:11 2016 > @@ -17,6 +17,7 @@ > package org.apache.coyote.http11; > > import org.apache.tomcat.util.net.AbstractJsseEndpoint; > +import org.apache.tomcat.util.net.openssl.OpenSSLImplementation; > > public abstract class AbstractHttp11JsseProtocol > extends AbstractHttp11Protocol { 
> @@ -33,6 +34,13 @@ public abstract class AbstractHttp11Jsse > } > > > +protected String getSslImplemenationShortName() { > +if > (OpenSSLImplementation.class.getName().equals(getSslImplementationName())) { > +return "openssl"; > +} > +return "jsse"; > +} > + > public String getSslImplementationName() { return > getEndpoint().getSslImplementationName(); } > public void setSslImplementationName(String s) { > getEndpoint().setSslImplementationName(s); } > > > Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1737105&r1=1737104&r2=1737105&view=diff > == > --- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java > (original) > +++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Wed Mar > 30 11:39:11 2016 > @@ -63,7 +63,7 @@ public class Http11AprProtocol extends A > @Override > protected String getNamePrefix() { > if (isSSLEnabled()) { > -return ("https-apr"); > +return ("https-openssl-apr"); > } else { > return ("http-apr"); > } > > Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java?rev=1737105&r1=1737104&r2=1737105&view=diff > == > --- tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java > (original) > +++ tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java Wed > Mar 30 11:39:11 2016 
> @@ -44,7 +44,7 @@ public class Http11Nio2Protocol extends > @Override > protected String getNamePrefix() { > if (isSSLEnabled()) { > -return ("https-nio2"); > +return ("https-" + getSslImplemenationShortName()+ "nio2"); > } else { > return ("http-nio2"); > } > > Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java?rev=1737105&r1=1737104&r2=1737105&view=diff > == > --- tomcat/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java > (original) > +++ tomcat/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java Wed Mar > 30 11:39:11 2016 > @@ -76,7 +76,7 @@ public class Http11NioProtocol extends A > @Override > protected String getNamePrefix() { > if (isSSLEnabled()) { > -return ("https-nio"); > +return ("https-" + getSslImplemenationShortName()+ "-nio"); > } else { > return ("http-nio"); > } > > > > - > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > - To unsubscribe, e-mail: dev-unsubscr
buildbot failure in on tomcat-7-trunk
The Buildbot has detected a new failure on builder tomcat-7-trunk while building . Full details are available at: https://ci.apache.org/builders/tomcat-7-trunk/builds/369 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: silvanus_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-7-commit' triggered this build Build Source Stamp: [branch tomcat/tc7.0.x/trunk] 1737100 Blamelist: markt BUILD FAILED: failed compile_1 Sincerely, -The Buildbot
Re: svn commit: r1737105 - in /tomcat/trunk/java/org/apache/coyote/http11: AbstractHttp11JsseProtocol.java Http11AprProtocol.java Http11Nio2Protocol.java Http11NioProtocol.java
2016-03-30 6:41 GMT-05:00 Mark Thomas : > On 30/03/2016 12:39, ma...@apache.org wrote: > > Author: markt > > Date: Wed Mar 30 11:39:11 2016 > > New Revision: 1737105 > > > > URL: http://svn.apache.org/viewvc?rev=1737105&view=rev > > Log: > > Include TLS implementation name in connector > > I thought about adding -none- to the HTTP and AJP connectors for a > consistent format of: > protocol-tlsImplementation-connector- > > but decided not to since http- and ajp- imply no TLS implementation. > > I'm happy to add it in if folks think it is better to have a more > consistent format across all connectors. > > BTW, there's a typo with nio2, it should be "-nio2". Rémy
Re: svn commit: r1737105 - in /tomcat/trunk/java/org/apache/coyote/http11: AbstractHttp11JsseProtocol.java Http11AprProtocol.java Http11Nio2Protocol.java Http11NioProtocol.java
On 30/03/2016 14:14, Rémy Maucherat wrote: > 2016-03-30 6:41 GMT-05:00 Mark Thomas : > >> On 30/03/2016 12:39, ma...@apache.org wrote: >>> Author: markt >>> Date: Wed Mar 30 11:39:11 2016 >>> New Revision: 1737105 >>> >>> URL: http://svn.apache.org/viewvc?rev=1737105&view=rev >>> Log: >>> Include TLS implementation name in connector >> >> I thought about adding -none- to the HTTP and AJP connectors for a >> consistent format of: >> protocol-tlsImplementation-connector- >> >> but decided not to since http- and ajp- imply no TLS implementation. >> >> I'm happy to add it in if folks think it is better to have a more >> consistent format across all connectors. >> > BTW, there's a typo with nio2, it should be "-nio2". Thanks. Fixed.
svn commit: r1737112 - /tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java
Author: markt Date: Wed Mar 30 13:18:39 2016 New Revision: 1737112 URL: http://svn.apache.org/viewvc?rev=1737112&view=rev Log: Fix typo Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java?rev=1737112&r1=1737111&r2=1737112&view=diff == --- tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java Wed Mar 30 13:18:39 2016 @@ -44,7 +44,7 @@ public class Http11Nio2Protocol extends @Override protected String getNamePrefix() { if (isSSLEnabled()) { -return ("https-" + getSslImplemenationShortName()+ "nio2"); +return ("https-" + getSslImplemenationShortName()+ "-nio2"); } else { return ("http-nio2"); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
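Review bot: the hunk restores the `-nio2` separator, but the helper it calls is still spelled `getSslImplemenationShortName()`; since this is the second commit touching the line, it is the natural point to rename the method to `getSslImplementationShortName()` in AbstractHttp11JsseProtocol and both callers rather than carry the typo into the released protected API.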
svn commit: r1737117 - in /tomcat/trunk: conf/server.xml java/org/apache/coyote/http2/Http2UpgradeHandler.java java/org/apache/tomcat/util/net/SSLHostConfig.java webapps/docs/changelog.xml webapps/doc
Author: markt Date: Wed Mar 30 14:52:41 2016 New Revision: 1737117 URL: http://svn.apache.org/viewvc?rev=1737117&view=rev Log: Chnage honorCipherOrder default to false. Modified: tomcat/trunk/conf/server.xml tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java tomcat/trunk/webapps/docs/changelog.xml tomcat/trunk/webapps/docs/config/http.xml Modified: tomcat/trunk/conf/server.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/server.xml?rev=1737117&r1=1737116&r2=1737117&view=diff == --- tomcat/trunk/conf/server.xml (original) +++ tomcat/trunk/conf/server.xml Wed Mar 30 14:52:41 2016 @@ -98,7 +98,6 @@ - http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java?rev=1737117&r1=1737116&r2=1737117&view=diff == --- tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java (original) +++ tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java Wed Mar 30 14:52:41 2016 @@ -66,8 +66,6 @@ import org.apache.tomcat.util.res.String * * Note: * - * Tomcat needs to be configured with honorCipherOrder="false" otherwise - * Tomcat will prefer a cipher suite that is blacklisted by HTTP/2. * You will need to nest anelement inside * a TLS enabled Connector element in server.xml to enable HTTP/2 support. Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1737117&r1=1737116&r2=1737117&view=diff == --- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Wed Mar 30 14:52:41 2016 
@@ -83,7 +83,7 @@ public class SSLHostConfig { private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"; private LinkedHashSet cipherList = null; private List jsseCipherNames = null; -private boolean honorCipherOrder = true; +private boolean honorCipherOrder = false; private Set protocols = new HashSet<>(); // JSSE private String keyManagerAlgorithm = KeyManagerFactory.getDefaultAlgorithm(); Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1737117&r1=1737116&r2=1737117&view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Wed Mar 30 14:52:41 2016 @@ -93,6 +93,12 @@ Align cipher configuration parsing with current OpenSSL master. (markt) + +Change the default for honorCipherOrder to +false. With the current default TLS configuration, it is no +longer necessary for this to be true for a reasonably +secure configuration. (markt) + Modified: tomcat/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1737117&r1=1737116&r2=1737117&view=diff == --- tomcat/trunk/webapps/docs/config/http.xml (original) +++ tomcat/trunk/webapps/docs/config/http.xml Wed Mar 30 14:52:41 2016 @@ -,7 +,7 @@ Set to true to enforce the server's cipher order (from the ciphers setting) instead of allowing - the client to choose the cipher. The default is true. + the client to choose the cipher. The default is false. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
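Review bot: with `honorCipherOrder` defaulting to `false` in the SSLHostConfig hunk, the client's preference decides the suite, so the safety of the negotiated cipher now rests entirely on the `ciphers` default `HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA` two lines above it. The http.xml hunk only swaps "The default is true" for "false"; it should also say that anyone who widens `ciphers` should set `honorCipherOrder="true"` again, which is the reasoning the changelog hunk leaves implicit in "with the current default TLS configuration". The Http2UpgradeHandler hunk deletes the warning that Tomcat would otherwise "prefer a cipher suite that is blacklisted by HTTP/2"; the remaining note should still state that a server-ordered list must not rank an HTTP/2-blacklisted suite first, since that constraint returns as soon as an operator re-enables server ordering.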
svn commit: r1737120 - /tomcat/trunk/conf/server.xml
Author: markt Date: Wed Mar 30 15:05:18 2016 New Revision: 1737120 URL: http://svn.apache.org/viewvc?rev=1737120&view=rev Log: Align with file name patterns used elsewhere Modified: tomcat/trunk/conf/server.xml Modified: tomcat/trunk/conf/server.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/server.xml?rev=1737120&r1=1737119&r2=1737120&view=diff == --- tomcat/trunk/conf/server.xml (original) +++ tomcat/trunk/conf/server.xml Wed Mar 30 15:05:18 2016 @@ -84,7 +84,7 @@ - - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat Wiki] Update of "Security/Ciphers" by markt
Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification. The "Security/Ciphers" page has been changed by markt: https://wiki.apache.org/tomcat/Security/Ciphers?action=diff&rev1=7&rev2=8 Comment: Add some newer Tomcat 9 results. == JSSE (BIO/NIO/NIO2) Results (Default) == - || || Java 5 || Java 6 || Java 7 || Java 8 || + |||| Java 5 || Java 6 || Java 7 || Java 8 || - || Tomcat 6 || C|| C|| C|| B|| + || Tomcat 6 (JSSE)|| C|| C|| C|| B|| - || Tomcat 7 || N/A || C|| C|| B|| + || Tomcat 7 (JSSE)|| N/A || C|| C|| B|| - || Tomcat 8 || N/A || N/A || C|| B|| + || Tomcat 8 (JSSE)|| N/A || N/A || C|| B|| + || Tomcat 9 (JSSE)|| N/A || N/A || N/A || A|| + || Tomcat 9 (OpenSSL) || N/A || N/A || N/A || B|| + Note: There is a bug with Tomcat 9 with JSSE+OpenSSL that limits the grade to B because the certificate chain is not made available. == JSSE (BIO/NIO/NIO2) Results (Improved) == @@ -21, +24 @@ || Tomcat 6 || B|| B|| A- || A|| || Tomcat 7 || N/A || B|| A- || A|| || Tomcat 8 || N/A || N/A || A- || A|| + == JSSE Settings for Improved Results == @@ -48, +52 @@ * Java 5, 64-bit, update 22 * Java 6, 64-bit, update 45 * Java 7, 64-bit, update 76 - * Java 8, 64-bit, update 31 + * Java 8, 64-bit, update 77 * Apache Tomcat 6.0.44-dev, r1664561. This is after the commit that disabled SSLv2 and SSLv3. * Apache Tomcat 7.0.60-dev, r1664373. * Apache Tomcat 8.0.21-dev, r1664594. - + * Apache Tomcat 9.0.0.M5-dev r1737119 == APR/native == - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1737119 - in /tomcat/trunk: bin/catalina.bat bin/catalina.sh webapps/docs/changelog.xml
Author: markt Date: Wed Mar 30 14:56:10 2016 New Revision: 1737119 URL: http://svn.apache.org/viewvc?rev=1737119&view=rev Log: Enable strong DH keys by default Modified: tomcat/trunk/bin/catalina.bat tomcat/trunk/bin/catalina.sh tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/bin/catalina.bat URL: http://svn.apache.org/viewvc/tomcat/trunk/bin/catalina.bat?rev=1737119&r1=1737118&r2=1737119&view=diff == --- tomcat/trunk/bin/catalina.bat (original) +++ tomcat/trunk/bin/catalina.bat Wed Mar 30 14:56:10 2016 @@ -71,6 +71,10 @@ rem rem -agentlib:jdwp=transport=%JPDA_TRANSPORT%, rem address=%JPDA_ADDRESS%,server=y,suspend=%JPDA_SUSPEND% rem +rem JSSE_OPTS (Optional) Java runtime options used to control the TLS +rem implementation when JSSE is used. Default is: +rem "-Djdk.tls.ephemeralDHKeySize=2048" +rem rem LOGGING_CONFIG (Optional) Override Tomcat's logging config file rem Example (all one line) rem set LOGGING_CONFIG="-Djava.util.logging.config.file=%CATALINA_BASE%\conf\logging.properties" @@ -182,6 +186,11 @@ goto juliClasspathDone set "CLASSPATH=%CLASSPATH%;%CATALINA_HOME%\bin\tomcat-juli.jar" :juliClasspathDone +if not "%JSSE_OPTS%" == "" goto gotJsseOpts +set JSSE_OPTS="-Djdk.tls.ephemeralDHKeySize=2048" +:gotJsseOpts +set "JAVA_OPTS=%JAVA_OPTS% %JSSE_OPTS%" + if not "%LOGGING_CONFIG%" == "" goto noJuliConfig set LOGGING_CONFIG=-Dnop if not exist "%CATALINA_BASE%\conf\logging.properties" goto noJuliConfig Modified: tomcat/trunk/bin/catalina.sh URL: http://svn.apache.org/viewvc/tomcat/trunk/bin/catalina.sh?rev=1737119&r1=1737118&r2=1737119&view=diff == --- tomcat/trunk/bin/catalina.sh (original) +++ tomcat/trunk/bin/catalina.sh Wed Mar 30 14:56:10 2016 
@@ -76,6 +76,10 @@ # -agentlib:jdwp=transport=$JPDA_TRANSPORT, # address=$JPDA_ADDRESS,server=y,suspend=$JPDA_SUSPEND # +# JSSE_OPTS (Optional) Java runtime options used to control the TLS +# implementation when JSSE is used. Default is: +# "-Djdk.tls.ephemeralDHKeySize=2048" +# # CATALINA_PID(Optional) Path of the file which should contains the pid # of the catalina startup java process, when start (fork) is # used @@ -224,6 +228,11 @@ if $cygwin; then CLASSPATH=`cygpath --path --windows "$CLASSPATH"` fi +if [ -z "$JSSE_OPTS" ] ; then + JSSE_OPTS="-Djdk.tls.ephemeralDHKeySize=2048" +fi +JAVA_OPTS="$JAVA_OPTS $JSSE_OPTS" + # Set juli LogManager config file if it is present and an override has not been issued if [ -z "$LOGGING_CONFIG" ]; then if [ -r "$CATALINA_BASE"/conf/logging.properties ]; then Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1737119&r1=1737118&r2=1737119&view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Wed Mar 30 14:56:10 2016 @@ -99,6 +99,12 @@ longer necessary for this to be true for a reasonably secure configuration. (markt) + +Add a new environment variable JSSE_OPTS that is intended +to be used to pass JVM wide configuration to the JSSE implementation. +The default value is -Djdk.tls.ephemeralDHKeySize=2048 +which protects against weak Diffie-Hellman keys. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
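Review bot: in both the catalina.bat and catalina.sh hunks the default is applied whenever `JSSE_OPTS` is empty (`if not "%JSSE_OPTS%" == ""` and `if [ -z "$JSSE_OPTS" ]`), so an operator cannot opt out by setting it to an empty string; they would have to pass a harmless value, as the `set LOGGING_CONFIG=-Dnop` line a few lines below does for logging. Either document that escape hatch in the new header comment or distinguish unset from empty. Also, the header comment says the options control the TLS implementation "when JSSE is used", but the changelog hunk states unconditionally that `-Djdk.tls.ephemeralDHKeySize=2048` "protects against weak Diffie-Hellman keys"; add the JSSE qualification there so OpenSSL-backed connectors are not assumed to be covered.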
JSSE with OpenSSL and certificate chains
I'm currently looking (again) at Tomcat's default TLS configuration with SSLLabs. The initial results are promising. A few tweaks have got the default Tomcat 9 + NIO with JSSE to a grade A. I'm currently looking at Tomcat 9 + NIO with OpenSSL. The grade is capped at B because we don't send the full certificate chain. Looking at the code in o.a.t.u.n.openssl.OpenSSLContext that is because we don't set it. It looks like we need to create a new native method addChainCertificateRaw() that hooks into OpenSSL's SSL_CTX_add0_chain_cert. I can look at this but we all know how bad my C code is. Review and/or help will be appreciated. Mark
Re: svn commit: r1736849 - /tomcat/trunk/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
2016-03-28 12:59 GMT+03:00 Mark Thomas : > On 28/03/2016 10:51, ma...@apache.org wrote: >> Author: markt >> Date: Mon Mar 28 09:51:14 2016 >> New Revision: 1736849 >> >> URL: http://svn.apache.org/viewvc?rev=1736849&view=rev >> Log: >> TLSv1 is not exactly the same as SSLv3. Some ciphers are only available for >> TLSv1. > > Hmm. As far as I can tell, OpenSSL 1.1.x and OpenSSL 1.0.x have a > different view on what TLSv1 means. > > It looks like: > 1.1.x treats it as those ciphers that require TLSv1 > 1.0.x treats it as an alias for SSLv3. > > Currently 9.0.x is aligned with 1.1.x and 8.0.x is aligned with 1.0.x. > > I'm going to align 8.5.x with 1.1.x. > > Experience tells me this stuff is easy to get wrong so a second pair of > eyes would be appreciated. 1. I am not sure whether using two numbers as OpenSSL version is correct. Current stable branches of OpenSSL are 1.0.1 and 1.0.2. (Support for 1.0.0 ended on 31st December 2015.) 2. Technically, I think it is more correct to align 8.5.x with 1.0.2. There have not been any stable releases of OpenSSL 1.1.0 yet. The latest is beta 1 (pre-release 4) issued on 16-Mar-2016. Once there is a release, I think we will wait several (3?) months before releasing a TCNative with that version of OpenSSL. TCNative 1.2.5 was built with OpenSSL 1.0.2g. 3. I tried to look through the sources of old openssl-1.0.2d (dated Jul 2015) on whether "TLSv1" is actually a synonym for "SSLv3". I do not see it. Places where it is mentioned: CHANGES file: Changes between 0.9.0b and 0.9.1b [not released] ... *) Support the string "TLSv1" for all TLS v1 ciphers. [Eric A.
Young] ssl/ssl.h # define SSL_TXT_SSLV2 "SSLv2" # define SSL_TXT_SSLV3 "SSLv3" # define SSL_TXT_TLSV1 "TLSv1" # define SSL_TXT_TLSV1_1 "TLSv1.1" # define SSL_TXT_TLSV1_2 "TLSv1.2" ssl/ssl_ciph.c /* protocol version aliases */ {0, SSL_TXT_SSLV2, 0, 0, 0, 0, 0, SSL_SSLV2, 0, 0, 0, 0}, {0, SSL_TXT_SSLV3, 0, 0, 0, 0, 0, SSL_SSLV3, 0, 0, 0, 0}, {0, SSL_TXT_TLSV1, 0, 0, 0, 0, 0, SSL_TLSV1, 0, 0, 0, 0}, {0, SSL_TXT_TLSV1_2, 0, 0, 0, 0, 0, SSL_TLSV1_2, 0, 0, 0, 0}, ssl/ssl_locl.h /* Bits for algorithm_ssl (protocol version) */ # define SSL_SSLV2 0x0001UL # define SSL_SSLV3 0x0002UL # define SSL_TLSV1 SSL_SSLV3/* for now */ # define SSL_TLSV1_2 0x0004UL == In the master branch at https://github.com/openssl/openssl/ ssl/ssl_ciph.c /* protocol version aliases */ {0, SSL_TXT_SSLV3, 0, 0, 0, 0, 0, SSL3_VERSION, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_TLSV1, 0, 0, 0, 0, 0, TLS1_VERSION, 0, 0, 0, 0, 0, 0, 0}, {0, "TLSv1.0", 0, 0, 0, 0, 0, TLS1_VERSION, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_TLSV1_2, 0, 0, 0, 0, 0, TLS1_2_VERSION, 0, 0, 0, 0, 0, 0, 0}, So it looks that indeed 1.0.2 uses the same numerical value and there was a change in the OpenSSL master branch. The commit that changed ssl_ciph.c is https://github.com/openssl/openssl/commit/3eb2aff40116ecceab847c895cbf02cdb075d194#diff-3e095c8fd6cb53927997c3e898fc7a74 I wonder why their changelog does not mention this behaviour change, http://openssl.org/news/changelog.html I have never run 1.1.0, and I wonder whether the change is actually noticeable: whether it changes the output of the OpenSSL ciphers command. If it has a noticeable effect, not mentioning it looks like a bug. 4. One option is to deprecate/remove support for the value "TLSv1" in cipher specifications, due to its ambiguity. OpenSSL 1.0.2 users can use "SSLv3", which is a synonym. OpenSSL 1.1.0 users can use "TLSv1.0", which is new in 1.1.0. http://openssl.org/docs/manmaster/apps/ciphers.html (man page for master version) lists "TLSv1.0". It does not list "TLSv1" among the values.
http://openssl.org/docs/man1.0.2/apps/ciphers.html (man page for 1.0.2 version) lists "TLSv1". Best regards, Konstantin Kolinko
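The two readings of the "TLSv1" alias compared in the message above, modelled as an added example (this is not Tomcat's OpenSSLCipherConfigurationParser and not OpenSSL's code): the cipher table is a constructed subset whose minimum versions follow OpenSSL 1.1.0's classification, and the alias handling follows the ssl_ciph.c / ssl_locl.h excerpts quoted in the message, including the `SSL_TLSV1 == SSL_SSLV3` collapse in 1.0.2.

```python
"""Model of how the protocol alias "TLSv1" in an OpenSSL cipher string selects
suites under OpenSSL 1.0.2 versus OpenSSL 1.1.0/master (added example)."""

from typing import Callable, Dict, List, NamedTuple

# Protocol version numbers as used on the wire and in OpenSSL's headers.
SSL3_VERSION = 0x0300
TLS1_VERSION = 0x0301
TLS1_2_VERSION = 0x0303


class Cipher(NamedTuple):
    name: str
    min_version: int  # lowest protocol version the suite may be used with


# Constructed subset of the cipher table, for illustration only.  Minimum
# versions follow OpenSSL 1.1.0: plain RSA suites date from SSLv3, ECDHE
# suites with SHA-1 require TLS 1.0, SHA-256 and GCM suites require TLS 1.2.
CIPHERS = (
    Cipher("AES128-SHA", SSL3_VERSION),
    Cipher("AES256-SHA", SSL3_VERSION),
    Cipher("ECDHE-RSA-AES128-SHA", TLS1_VERSION),
    Cipher("ECDHE-RSA-AES256-SHA", TLS1_VERSION),
    Cipher("AES128-SHA256", TLS1_2_VERSION),
    Cipher("ECDHE-RSA-AES128-GCM-SHA256", TLS1_2_VERSION),
)


class Semantics(NamedTuple):
    """How one OpenSSL release interprets protocol aliases."""
    name: str
    aliases: Dict[str, int]              # alias word -> protocol version
    version_class: Callable[[int], int]  # collapses versions sharing a flag


def _collapse_tlsv1(version: int) -> int:
    # In 1.0.2, ssl_locl.h defines SSL_TLSV1 as SSL_SSLV3 ("for now"), so a
    # suite marked TLSv1 is indistinguishable from one marked SSLv3.
    return SSL3_VERSION if version == TLS1_VERSION else version


OPENSSL_1_0_2 = Semantics(
    "OpenSSL 1.0.2",
    {"SSLv3": SSL3_VERSION, "TLSv1": TLS1_VERSION, "TLSv1.2": TLS1_2_VERSION},
    _collapse_tlsv1,
)

OPENSSL_1_1_0 = Semantics(
    "OpenSSL 1.1.0",
    # Each alias carries its own version; "TLSv1.0" is new in this release.
    {"SSLv3": SSL3_VERSION, "TLSv1": TLS1_VERSION, "TLSv1.0": TLS1_VERSION,
     "TLSv1.2": TLS1_2_VERSION},
    lambda version: version,
)


def select(alias: str, semantics: Semantics, ciphers=CIPHERS) -> List[str]:
    """Return the suites a protocol alias selects, in table order.

    OpenSSL matches an alias against a suite's minimum version exactly; the
    semantics' version_class decides which versions count as the same."""
    if alias not in semantics.aliases:
        raise ValueError(f"{semantics.name} does not know the alias {alias!r}")
    wanted = semantics.version_class(semantics.aliases[alias])
    return [c.name for c in ciphers
            if semantics.version_class(c.min_version) == wanted]


def differs_between_releases(alias: str) -> bool:
    """True when the alias selects different suites in 1.0.2 and 1.1.0, i.e.
    when a cipher string using it is ambiguous across OpenSSL releases."""
    return select(alias, OPENSSL_1_0_2) != select(alias, OPENSSL_1_1_0)


if __name__ == "__main__":
    for alias in ("SSLv3", "TLSv1", "TLSv1.2"):
        print(f"{alias:8} 1.0.2 -> {select(alias, OPENSSL_1_0_2)}")
        print(f"{alias:8} 1.1.0 -> {select(alias, OPENSSL_1_1_0)}")
        print(f"{alias:8} ambiguous across releases: "
              f"{differs_between_releases(alias)}")
```

Running it shows that only the TLS 1.2 alias is stable across the two releases, which is the ambiguity behind option 4 in the message.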
Re: JSSE with OpenSSL and certificate chains
2016-03-30 10:38 GMT-05:00 Mark Thomas : > I'm currently looking (again) at Tomcat's default TLS configuration with > SSLLabs. The initial results are promising. A few tweaks has got the > default Tomcat 9 + NIO with JSSE to a grade A. > > I'm currently looking at Tomcat 9 + NIO with OpenSSL. The grade is > capped at B because we don't send the full certificate chain. Looking at > the code in o.a.t.u.n.openssl.OpenSSLContext that is because we don't > set it. It looks like we need to create a new native method > addChainCertificateRaw() that hooks into OpenSSL's > SSL_CTX_add0_chain_cert. I can look at this but we all know how bad my C > code is. > > Review and/or help will be appreciated. > > Yes, that makes a lot of sense to me (only the certificate is set at the moment, not the chain). So we'll add it to the todo list. Rémy
Re: svn commit: r1731734 - in /tomcat/trunk: java/org/apache/catalina/manager/host/ webapps/docs/
In addition to the object array size restoration made in 1731735, I think that another erroneous change that I submitted slipped in to your patch. I noticed it while poking around at tomcat-8.5.0.Beta. Now when you add a host you get a button that just contains {5} where the persist button that I proposed would have been. You can revert the change with the following patch to make it work the way it did before: +++ Index: java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java === --- java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java (revision 1737136) +++ java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java (working copy) @@ -511,9 +511,6 @@ " " + " " + " \n" + -" " + -" " + -" \n" + " \n" + "\n"; +++ Cheers On Mon, Feb 22, 2016 at 3:19 PM, wrote: > Author: markt > Date: Mon Feb 22 20:19:15 2016 > New Revision: 1731734 > > URL: http://svn.apache.org/viewvc?rev=1731734&view=rev > Log: > Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=48674 > Implement an option within the Host Manager web pplication to persist the > current configuration. > Based on a patch by Coty Sutherland. > > Modified: > > tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java > > tomcat/trunk/java/org/apache/catalina/manager/host/HostManagerServlet.java > > tomcat/trunk/java/org/apache/catalina/manager/host/LocalStrings.properties > tomcat/trunk/webapps/docs/changelog.xml > > Modified: > tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java?rev=1731734&r1=1731733&r2=1731734&view=diff > > == > --- > tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java > (original) > +++ > tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java > Mon Feb 22 20:19:15 2016 
> @@ -94,7 +94,8 @@ public final class HTMLHostManagerServle > } else if (command.equals("/list")) { > // Nothing to do - always generate list > } else if (command.equals("/add") || command.equals("/remove") || > -command.equals("/start") || command.equals("/stop")) { > +command.equals("/start") || command.equals("/stop") || > +command.equals("/persist")) { > message = smClient.getString( > "hostManagerServlet.postCommand", command); > } else { > @@ -143,6 +144,8 @@ public final class HTMLHostManagerServle > message = start(name, smClient); > } else if (command.equals("/stop")) { > message = stop(name, smClient); > +} else if (command.equals("/persist")) { > +message = persist(smClient); > } else { > //Try GET > doGet(request, response); > @@ -227,6 +230,22 @@ public final class HTMLHostManagerServle > > > /** > + * Persist the current configuration to server.xml. > + * > + * @param smClient i18n resources localized for the client > + */ > +protected String persist(StringManager smClient) { > + > +StringWriter stringWriter = new StringWriter(); > +PrintWriter printWriter = new PrintWriter(stringWriter); > + > +super.persist(printWriter, smClient); > + > +return stringWriter.toString(); > +} > + > + > +/** > * Render a HTML list of the currently active Contexts in our virtual > host, > * and memory and server status information. > * > @@ -341,7 +360,7 @@ public final class HTMLHostManagerServle > writer.print > (MessageFormat.format(HOSTS_ROW_DETAILS_SECTION, > args)); > > -args = new Object[4]; > +args = new Object[6]; > if (host.getState().isAvailable()) { > args[0] = response.encodeURL > (request.getContextPath() + 
> @@ -362,10 +381,10 @@ public final class HTMLHostManagerServle > args[3] = hostsRemove; > if (host == this.installedHost) { > writer.print(MessageFormat.format( > -MANAGER_HOST_ROW_BUTTON_SECTION, args)); > +MANAGER_HOST_ROW_BUTTON_SECTION, args)); > } else { > writer.print(MessageFormat.format( > -HOSTS_ROW_BUTTON_SECTION, args)); > +HOSTS_ROW_BUTTON_SECTION, args)); > } > } > } > @@ -413,6 +432,14 @@ public final class HTMLHostManagerServle > args[0] = smClient.getString("htmlHostManagerServlet.addButton"); > writer.print(MessageF
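Review bot: the `-args = new Object[4];` / `+args = new Object[6];` hunk in the quoted r1731734 patch widens the argument array to six while the surrounding context still only assigns `args[0]` to `args[3]`, and that array is what `MessageFormat.format(MANAGER_HOST_ROW_BUTTON_SECTION, args)` and `MessageFormat.format(HOSTS_ROW_BUTTON_SECTION, args)` are fed. Once 1731735 restored the four-element array, a `{5}` placeholder left in the template is rendered literally by `MessageFormat`, which is exactly the button containing `{5}` described at the top of this message; the inline patch removing the three template lines is the matching fix, and the template placeholders and the array size should always change together.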
svn commit: r1737140 - in /tomcat/trunk: java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java webapps/docs/changelog.xml
Author: remm Date: Wed Mar 30 18:19:13 2016 New Revision: 1737140 URL: http://svn.apache.org/viewvc?rev=1737140&view=rev Log: Remove code that was mistakenly added when implementing 48674. Modified: tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java?rev=1737140&r1=1737139&r2=1737140&view=diff == --- tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java (original) +++ tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java Wed Mar 30 18:19:13 2016 @@ -511,9 +511,6 @@ public final class HTMLHostManagerServle " " + " " + " \n" + -" " + -" " + -" \n" + " \n" + "\n"; Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1737140&r1=1737139&r2=1737140&view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Wed Mar 30 18:19:13 2016 @@ -127,6 +127,10 @@ 59218: Correct the path to jaspic-providers.xml in Jaspic How-To. Patch is provided by Tatsuya Bessho. (violetagg) + +Remove button that has accidentally been added to the host manager. +Submitted by Coty Sutherland. (remm) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
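Review bot: the changelog hunk's wording, "Remove button that has accidentally been added to the host manager", should read "Remove a button that was accidentally added to the Host Manager" to match the other entries; it would also help to say the button was a leftover of the 48674 persist change named in the log message, so readers can connect the entry to that fix.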
svn commit: r1737142 - in /tomcat/tc8.5.x/trunk: java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java webapps/docs/changelog.xml
Author: remm Date: Wed Mar 30 18:21:06 2016 New Revision: 1737142 URL: http://svn.apache.org/viewvc?rev=1737142&view=rev Log: Remove code that was mistakenly added when implementing 48674. Modified: tomcat/tc8.5.x/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc8.5.x/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java?rev=1737142&r1=1737141&r2=1737142&view=diff == --- tomcat/tc8.5.x/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java (original) +++ tomcat/tc8.5.x/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java Wed Mar 30 18:21:06 2016 @@ -511,9 +511,6 @@ public final class HTMLHostManagerServle " " + " " + " \n" + -" " + -" " + -" \n" + " \n" + "\n"; Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1737142&r1=1737141&r2=1737142&view=diff == --- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Wed Mar 30 18:21:06 2016 @@ -110,6 +110,10 @@ 59218: Correct the path to jaspic-providers.xml in Jaspic How-To. Patch is provided by Tatsuya Bessho. (violetagg) + +Remove button that has accidentally been added to the host manager. +Submitted by Coty Sutherland. (remm) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 59253] New: Read/Write errors
https://bz.apache.org/bugzilla/show_bug.cgi?id=59253 Bug ID: 59253 Summary: Read/Write errors Product: Tomcat 8 Version: 8.0.32 Hardware: All OS: Linux Status: NEW Severity: normal Priority: P2 Component: WebSocket Assignee: dev@tomcat.apache.org Reporter: steve.d...@shaw.ca Environment Linux: GNU/Linux 3.13.0-83-generic x86_64 Java: build 1.8.0_77-b03 Oracle Tomcat:Tomcat 8.0.33 Framework: Vaadin 7.6.4 APR: Apache Tomcat Native library 1.2.5 using APR version 1.5.2 Connector: Description: The following stack traces are generated. There are no user complaints - I suspect these are generated when the UI closes. While bug 59014 has eliminated a large number of similar stack traces, these persist. Same problem in another location? I lack the skill for further analysis. Mar 30, 2016 8:28:01 AM org.atmosphere.container.JSR356Endpoint onError SEVERE: java.io.IOException: Unexpected error [32] writing data to the APR/native socket [139,838,766,510,368] with wrapper [org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper@234a04d6:139838766510368]. 
at org.apache.coyote.http11.upgrade.AprServletOutputStream.doWriteInternal(AprServletOutputStream.java:142) at org.apache.coyote.http11.upgrade.AprServletOutputStream.doWrite(AprServletOutputStream.java:68) at org.apache.coyote.http11.upgrade.AbstractServletOutputStream.writeInternal(AbstractServletOutputStream.java:165) at org.apache.coyote.http11.upgrade.AbstractServletOutputStream.write(AbstractServletOutputStream.java:132) at org.apache.tomcat.websocket.server.WsRemoteEndpointImplServer.onWritePossible(WsRemoteEndpointImplServer.java:98) at org.apache.tomcat.websocket.server.WsRemoteEndpointImplServer.doWrite(WsRemoteEndpointImplServer.java:79) at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.writeMessagePart(WsRemoteEndpointImplBase.java:453) at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.startMessage(WsRemoteEndpointImplBase.java:341) at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.startMessageBlock(WsRemoteEndpointImplBase.java:273) at org.apache.tomcat.websocket.WsSession.sendCloseMessage(WsSession.java:587) at org.apache.tomcat.websocket.WsSession.doClose(WsSession.java:489) at org.apache.tomcat.websocket.server.WsHttpUpgradeHandler.onError(WsHttpUpgradeHandler.java:150) at org.apache.tomcat.websocket.server.WsHttpUpgradeHandler.access$300(WsHttpUpgradeHandler.java:48) at org.apache.tomcat.websocket.server.WsHttpUpgradeHandler$WsReadListener.onError(WsHttpUpgradeHandler.java:211) at org.apache.tomcat.websocket.server.WsHttpUpgradeHandler$WsReadListener.onDataAvailable(WsHttpUpgradeHandler.java:194) at org.apache.coyote.http11.upgrade.AbstractServletInputStream.onDataAvailable(AbstractServletInputStream.java:198) at org.apache.coyote.http11.upgrade.AbstractProcessor.upgradeDispatch(AbstractProcessor.java:96) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:647) at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2500) at 
org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2489) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) Mar 30, 2016 8:28:01 AM org.atmosphere.container.JSR356Endpoint onError SEVERE: java.io.IOException: Unexpected error [104] reading data from the APR/native socket [139,838,766,510,368] with wrapper [org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper@234a04d6:139838766510368]. at org.apache.coyote.http11.upgrade.AprServletInputStream.doRead(AprServletInputStream.java:133) at org.apache.coyote.http11.upgrade.AbstractServletInputStream.read(AbstractServletInputStream.java:124) at org.apache.tomcat.websocket.server.WsFrameServer.onDataAvailable(WsFrameServer.java:60) at org.apache.tomcat.websocket.server.WsHttpUpgradeHandler$WsReadListener.onDataAvailable(WsHttpUpgradeHandler.java:186) at org.apache.coyote.http11.upgrade.AbstractServletInputStream.onDataAvailable(AbstractServletInputStream.java:198) at org.apache.coyote.http11.upgrade.AbstractProcessor.upgradeDispatch(AbstractProcessor.java:96) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:647) at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2500) at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2489) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPool
[Bug 59247] Using the IBM JDK with the security manager results in java.lang.RuntimePermission warning
https://bz.apache.org/bugzilla/show_bug.cgi?id=59247 --- Comment #3 from Remy Maucherat --- There's nothing about the webapp in the stacktrace, so it shouldn't be added in that section, which is the most sensitive. The permission can be added to the following section instead: grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { Can you verify it works?
[Bug 59247] Using the IBM JDK with the security manager results in java.lang.RuntimePermission warning
https://bz.apache.org/bugzilla/show_bug.cgi?id=59247 --- Comment #4 from Coty Sutherland --- Yes, testing confirms that adding the permission to the tomcat-juli.jar section resolves the issue as well.
[GUMP@vmgump]: Project tomcat-native-trunk-make (in module tomcat-native-trunk) failed
To whom it may engage...

This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org.

Project tomcat-native-trunk-make has an issue affecting its community integration. This issue affects 3 projects. The current state of this project is 'Failed', with reason 'Build Failed'. For reference only, the following projects are affected by this:
- tomcat-native-trunk-make : Tomcat native library using Apache Portable Runtime
- tomcat-native-trunk-make-install : Tomcat native library using Apache Portable Runtime
- tomcat-trunk-test-apr : Tomcat 9.x, a web server implementing the Java Servlet 4.0, ...

Full details are available at: http://vmgump.apache.org/gump/public/tomcat-native-trunk/tomcat-native-trunk-make/index.html

That said, some information snippets are provided here. The following annotations (debug/informational/warning/error messages) were provided:
-INFO- Failed with reason build failed

The following work was performed: http://vmgump.apache.org/gump/public/tomcat-native-trunk/tomcat-native-trunk-make/gump_work/build_tomcat-native-trunk_tomcat-native-trunk-make.html
Work Name: build_tomcat-native-trunk_tomcat-native-trunk-make (Type: Build)
Work ended in a state of : Failed
Elapsed: 10 secs
Command Line: make [Working Directory: /srv/gump/public/workspace/tomcat-native-trunk/native]
-
src/ssl.c:1019:5: warning: (near initialization for 'jbs_methods') [enabled by default]
src/ssl.c:1020:5: warning: excess elements in struct initializer [enabled by default]
     "Java Callback",
     ^
src/ssl.c:1020:5: warning: (near initialization for 'jbs_methods') [enabled by default]
src/ssl.c:1021:5: warning: excess elements in struct initializer [enabled by default]
     jbs_write,
     ^
src/ssl.c:1021:5: warning: (near initialization for 'jbs_methods') [enabled by default]
src/ssl.c:1022:5: warning: excess elements in struct initializer [enabled by default]
     jbs_read,
     ^
src/ssl.c:1022:5: warning: (near initialization for 'jbs_methods') [enabled by default]
src/ssl.c:1023:5: warning: excess elements in struct initializer [enabled by default]
     jbs_puts,
     ^
src/ssl.c:1023:5: warning: (near initialization for 'jbs_methods') [enabled by default]
src/ssl.c:1024:5: warning: excess elements in struct initializer [enabled by default]
     jbs_gets,
     ^
src/ssl.c:1024:5: warning: (near initialization for 'jbs_methods') [enabled by default]
src/ssl.c:1025:5: warning: excess elements in struct initializer [enabled by default]
     jbs_ctrl,
     ^
src/ssl.c:1025:5: warning: (near initialization for 'jbs_methods') [enabled by default]
src/ssl.c:1026:5: warning: excess elements in struct initializer [enabled by default]
     jbs_new,
     ^
src/ssl.c:1026:5: warning: (near initialization for 'jbs_methods') [enabled by default]
src/ssl.c:1027:5: warning: excess elements in struct initializer [enabled by default]
     jbs_free,
     ^
src/ssl.c:1027:5: warning: (near initialization for 'jbs_methods') [enabled by default]
src/ssl.c:1029:1: warning: excess elements in struct initializer [enabled by default]
 };
 ^
src/ssl.c:1029:1: warning: (near initialization for 'jbs_methods') [enabled by default]
src/ssl.c: In function 'Java_org_apache_tomcat_jni_SSL_newBIO':
src/ssl.c:1049:24: error: dereferencing pointer to incomplete type
     j = (BIO_JAVA *)bio->ptr;
                        ^
src/ssl.c:1069:8: error: dereferencing pointer to incomplete type
     bio->init = 1;
        ^
src/ssl.c:1070:8: error: dereferencing pointer to incomplete type
     bio->flags = SSL_BIO_FLAG_CALLBACK;
        ^
make[1]: *** [src/ssl.lo] Error 1
make[1]: Leaving directory `/srv/gump/public/workspace/tomcat-native-trunk/native'
make: *** [all-recursive] Error 1
-

To subscribe to this information via syndicated feeds:
- RSS: http://vmgump.apache.org/gump/public/tomcat-native-trunk/tomcat-native-trunk-make/rss.xml
- Atom: http://vmgump.apache.org/gump/public/tomcat-native-trunk/tomcat-native-trunk-make/atom.xml

== Gump Tracking Only ===
Produced by Apache Gump(TM) version 2.3.
Gump Run 20160330180043, vmgump.apache.org:vmgump:20160330180043
Gump E-mail Identifier (unique within run) #1.

--
Apache Gump
http://gump.apache.org/ [Instance: vmgump]
svn commit: r1737149 - in /tomcat/trunk: conf/catalina.policy webapps/docs/changelog.xml
Author: remm Date: Wed Mar 30 19:08:33 2016 New Revision: 1737149 URL: http://svn.apache.org/viewvc?rev=1737149&view=rev Log: 59247: Add loader package access permission to JULI. Based on a patch submitted by Coty Sutherland. Modified: tomcat/trunk/conf/catalina.policy tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/conf/catalina.policy URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/catalina.policy?rev=1737149&r1=1737148&r2=1737149&view=diff == --- tomcat/trunk/conf/catalina.policy (original) +++ tomcat/trunk/conf/catalina.policy Wed Mar 30 19:08:33 2016 @@ -77,6 +77,7 @@ grant codeBase "file:${catalina.home}/bi permission java.lang.RuntimePermission "shutdownHooks"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; +permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.loader"; permission java.lang.management.ManagementPermission "monitor"; Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1737149&r1=1737148&r2=1737149&view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Wed Mar 30 19:08:33 2016 @@ -79,6 +79,11 @@ and javax.servlet.AsyncEvent.getSuppliedResponse (violetagg) + +59247: Add loader package access permission to JULI. +Based on a patch submitted by Coty Sutherland. +(remm) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
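Review bot: missing rationale in the catalina.policy hunk: the added line `permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.loader";` in the bin/tomcat-juli.jar grant carries no comment explaining why a logging jar needs access to a Catalina-internal package, and the changelog entry only repeats the commit log. Since this file is what operators consult when deciding which grants they can drop, suggest a `//` comment on the added line naming the cause (the IBM JDK package access check triggered from ClassLoaderLogManager, bug 59247) and the same context in the changelog entry; as written, a later reader cannot tell whether the grant is needed on other JDKs at all.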
svn commit: r1737150 - in /tomcat/tc8.5.x/trunk: conf/catalina.policy webapps/docs/changelog.xml
Author: remm Date: Wed Mar 30 19:15:01 2016 New Revision: 1737150 URL: http://svn.apache.org/viewvc?rev=1737150&view=rev Log: 59247: Add loader package access permission to JULI. Based on a patch submitted by Coty Sutherland. Modified: tomcat/tc8.5.x/trunk/conf/catalina.policy tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc8.5.x/trunk/conf/catalina.policy URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/conf/catalina.policy?rev=1737150&r1=1737149&r2=1737150&view=diff == --- tomcat/tc8.5.x/trunk/conf/catalina.policy (original) +++ tomcat/tc8.5.x/trunk/conf/catalina.policy Wed Mar 30 19:15:01 2016 @@ -77,6 +77,7 @@ grant codeBase "file:${catalina.home}/bi permission java.lang.RuntimePermission "shutdownHooks"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; +permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.loader"; permission java.lang.management.ManagementPermission "monitor"; Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1737150&r1=1737149&r2=1737150&view=diff == --- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Wed Mar 30 19:15:01 2016 @@ -140,6 +140,11 @@ 59211: Add hamcrest to Eclipse classpath. Patch is provided by Huxing Zhang. (violetagg) + +59247: Add loader package access permission to JULI. +Based on a patch submitted by Coty Sutherland. +(remm) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1737151 - in /tomcat/tc8.0.x/trunk: conf/catalina.policy webapps/docs/changelog.xml
Author: remm Date: Wed Mar 30 19:15:14 2016 New Revision: 1737151 URL: http://svn.apache.org/viewvc?rev=1737151&view=rev Log: 59247: Add loader package access permission to JULI. Based on a patch submitted by Coty Sutherland. Modified: tomcat/tc8.0.x/trunk/conf/catalina.policy tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc8.0.x/trunk/conf/catalina.policy URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/conf/catalina.policy?rev=1737151&r1=1737150&r2=1737151&view=diff == --- tomcat/tc8.0.x/trunk/conf/catalina.policy (original) +++ tomcat/tc8.0.x/trunk/conf/catalina.policy Wed Mar 30 19:15:14 2016 @@ -77,6 +77,7 @@ grant codeBase "file:${catalina.home}/bi permission java.lang.RuntimePermission "shutdownHooks"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; +permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.loader"; permission java.lang.management.ManagementPermission "monitor"; Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1737151&r1=1737150&r2=1737151&view=diff == --- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Wed Mar 30 19:15:14 2016 @@ -87,6 +87,11 @@ 59211: Add hamcrest to Eclipse classpath. Patch is provided by Huxing Zhang. (violetagg) + +59247: Add loader package access permission to JULI. +Based on a patch submitted by Coty Sutherland. +(remm) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1737153 - in /tomcat/tc6.0.x/trunk: conf/catalina.policy webapps/docs/changelog.xml
Author: remm Date: Wed Mar 30 19:16:52 2016 New Revision: 1737153 URL: http://svn.apache.org/viewvc?rev=1737153&view=rev Log: 59247: Add loader package access permission to JULI. Based on a patch submitted by Coty Sutherland. Modified: tomcat/tc6.0.x/trunk/conf/catalina.policy tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc6.0.x/trunk/conf/catalina.policy URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/conf/catalina.policy?rev=1737153&r1=1737152&r2=1737153&view=diff == --- tomcat/tc6.0.x/trunk/conf/catalina.policy (original) +++ tomcat/tc6.0.x/trunk/conf/catalina.policy Wed Mar 30 19:16:52 2016 @@ -77,6 +77,7 @@ grant codeBase "file:${catalina.home}/bi permission java.lang.RuntimePermission "shutdownHooks"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; +permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.loader"; permission java.util.logging.LoggingPermission "control"; Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1737153&r1=1737152&r2=1737153&view=diff == --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Wed Mar 30 19:16:52 2016 @@ -111,6 +111,11 @@ for users to configure the entries intended for use with the examples web application for the Manager application. (markt) + +59247: Add loader package access permission to JULI. +Based on a patch submitted by Coty Sutherland. +(remm) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1737152 - in /tomcat/tc7.0.x/trunk: conf/catalina.policy webapps/docs/changelog.xml
Author: remm Date: Wed Mar 30 19:16:41 2016 New Revision: 1737152 URL: http://svn.apache.org/viewvc?rev=1737152&view=rev Log: 59247: Add loader package access permission to JULI. Based on a patch submitted by Coty Sutherland. Modified: tomcat/tc7.0.x/trunk/conf/catalina.policy tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc7.0.x/trunk/conf/catalina.policy URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/conf/catalina.policy?rev=1737152&r1=1737151&r2=1737152&view=diff == --- tomcat/tc7.0.x/trunk/conf/catalina.policy (original) +++ tomcat/tc7.0.x/trunk/conf/catalina.policy Wed Mar 30 19:16:41 2016 @@ -77,6 +77,7 @@ grant codeBase "file:${catalina.home}/bi permission java.lang.RuntimePermission "shutdownHooks"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; +permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.loader"; permission java.util.logging.LoggingPermission "control"; Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1737152&r1=1737151&r2=1737152&view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Wed Mar 30 19:16:41 2016 @@ -251,6 +251,11 @@ 59211: Add hamcrest to Eclipse classpath. Patch is provided by Huxing Zhang. (violetagg) + +59247: Add loader package access permission to JULI. +Based on a patch submitted by Coty Sutherland. +(remm) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 59247] Using the IBM JDK with the security manager results in java.lang.RuntimePermission warning
https://bz.apache.org/bugzilla/show_bug.cgi?id=59247

Remy Maucherat changed:

What       |Removed |Added
Status     |NEW     |RESOLVED
Resolution |---     |FIXED

--- Comment #5 from Remy Maucherat ---

Ok, so it will be in 9M5, 8.5.1, 8.0.34, 7.0.69 and 6.0.46, since it likely applies to all the branches.
svn commit: r1737154 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
Author: markt Date: Wed Mar 30 19:27:29 2016 New Revision: 1737154 URL: http://svn.apache.org/viewvc?rev=1737154&view=rev Log: Add support for obtaining the certificate chain from a Java keystore Modified: tomcat/native/trunk/native/src/sslcontext.c tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Modified: tomcat/native/trunk/native/src/sslcontext.c URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1737154&r1=1737153&r2=1737154&view=diff == --- tomcat/native/trunk/native/src/sslcontext.c (original) +++ tomcat/native/trunk/native/src/sslcontext.c Wed Mar 30 19:27:29 2016 @@ -1051,7 +1051,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, certs = d2i_X509(NULL, &tmp, lengthOfCert); if (certs == NULL) { ERR_error_string(ERR_get_error(), err); -tcn_Throw(e, "Error reading certificat (%s)", err); +tcn_Throw(e, "Error reading certificate (%s)", err); rv = JNI_FALSE; goto cleanup; } 
@@ -1119,6 +1119,50 @@ cleanup: free(cert); return rv; } + +TCN_IMPLEMENT_CALL(jboolean, SSLContext, addChainCertificateRaw)(TCN_STDARGS, jlong ctx, + jbyteArray javaCert) +{ +jsize lengthOfCert; +unsigned char* cert; +X509 * certs; +EVP_PKEY * evp; +const unsigned char *tmp; +BIO * bio; + +tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); +jboolean rv = JNI_TRUE; +char err[256]; + +/* we get the cert contents into a byte array */ +jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaCert, NULL); +lengthOfCert = (*e)->GetArrayLength(e, javaCert); +cert = malloc(lengthOfCert); +memcpy(cert, bufferPtr, lengthOfCert); +(*e)->ReleaseByteArrayElements(e, javaCert, bufferPtr, 0); + +UNREFERENCED(o); +TCN_ASSERT(ctx != 0); + +tmp = (const unsigned char *)cert; +certs = d2i_X509(NULL, &tmp, lengthOfCert); +if (certs == NULL) { +ERR_error_string(ERR_get_error(), err); +tcn_Throw(e, "Error reading certificate (%s)", err); +rv = JNI_FALSE; +goto cleanup; +} + +if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0) { +ERR_error_string(ERR_get_error(), err); +tcn_Throw(e, "Error setting certificate (%s)", err); +rv = JNI_FALSE; +} + +cleanup: +free(cert); +return rv; +} static int ssl_array_index(apr_array_header_t *array, const char *s) Modified: tomcat/native/trunk/xdocs/miscellaneous/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/native/trunk/xdocs/miscellaneous/changelog.xml?rev=1737154&r1=1737153&r2=1737154&view=diff == --- tomcat/native/trunk/xdocs/miscellaneous/changelog.xml (original) +++ tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Wed Mar 30 19:27:29 2016 @@ -54,6 +54,9 @@ Fix some compiler warnings in native ssl code. (rjung) + + Add support for using Java keystores for certificate chains. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
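Review bot: the addChainCertificateRaw hunk leaks the parsed certificate on its failure path: SSL_CTX_add0_chain_cert only takes ownership of `certs` when it succeeds, so the `<= 0` branch needs an `X509_free(certs);` before it falls through to cleanup. Further points in the same function: `EVP_PKEY * evp;` and `BIO * bio;` are unused copy-paste leftovers from setCertificateRaw; the `malloc(lengthOfCert)` result is handed to memcpy without a NULL check; and `UNREFERENCED(o); TCN_ASSERT(ctx != 0);` sit after the JNI array has already been copied, so the assert guards nothing (moving it above GetByteArrayElements, or dropping the intermediate copy and pointing `tmp` at `bufferPtr` while the array elements are still held, fixes both that and the malloc). Lastly, the `#else` section of sslcontext.c that supplies stubs for builds without OpenSSL declares neither setCertificateRaw nor this method, so on such builds the Java native method has no implementation to bind to at runtime.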
svn commit: r1737155 - /tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java
Author: markt Date: Wed Mar 30 19:28:05 2016 New Revision: 1737155 URL: http://svn.apache.org/viewvc?rev=1737155&view=rev Log: Add the new method for setting the certificate chain from a keystore Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java?rev=1737155&r1=1737154&r2=1737155&view=diff == --- tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java (original) +++ tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java Wed Mar 30 19:28:05 2016 @@ -549,4 +549,17 @@ public final class SSLContext { * @return {@code true} if success, {@code false} otherwise. */ public static native boolean setCertificateRaw(long ctx, byte[] cert, byte[] key, int sslAidxRsa); + +/** + * Add a certificate to the certificate chain. Certs should be added in + * order starting with the issuer of the host certs and working up the + * certificate chain to the CA. + * + * + * Use keystore a certificate chain to fill the BIOP + * @param ctx Server or Client context to use. + * @param cert Byte array with the certificate in DER encoding. + * @return {@code true} if success, {@code false} otherwise. + */ +public static native boolean addChainCertificateRaw(long ctx, byte[] cert); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
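Review bot: the Javadoc in the hunk contains a stray sentence, `Use keystore a certificate chain to fill the BIOP`, and an empty paragraph before it; both read as leftovers and should be removed. The remaining text should also tell callers what the matching native change implies: one DER certificate per call, added after setCertificateRaw has installed the host certificate, and the method does not exist in tc-native builds that predate r1737154, so a caller on an older library gets an UnsatisfiedLinkError rather than a `false` return.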
svn commit: r1737157 - /tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
Author: markt Date: Wed Mar 30 19:30:20 2016 New Revision: 1737157 URL: http://svn.apache.org/viewvc?rev=1737157&view=rev Log: Add the code (commented out else it will cause problems on systems without the method) to set the certificate chain when using NIO/NIO2 + OpenSSL + JSSE config Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1737157&r1=1737156&r2=1737157&view=diff == --- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Wed Mar 30 19:30:20 2016 
@@ -322,12 +322,20 @@ public class OpenSSLContext implements o } else { X509KeyManager keyManager = chooseKeyManager(kms); String alias = certificate.getCertificateKeyAlias(); -X509Certificate certificate = keyManager.getCertificateChain(alias)[0]; +X509Certificate[] chain = keyManager.getCertificateChain(alias); PrivateKey key = keyManager.getPrivateKey(alias); StringBuilder sb = new StringBuilder(BEGIN_KEY); sb.append(Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(key.getEncoded())); sb.append(END_KEY); -SSLContext.setCertificateRaw(ctx, certificate.getEncoded(), sb.toString().getBytes(StandardCharsets.US_ASCII), SSL.SSL_AIDX_RSA); +SSLContext.setCertificateRaw(ctx, chain[0].getEncoded(), sb.toString().getBytes(StandardCharsets.US_ASCII), SSL.SSL_AIDX_RSA); +/* + * Uncomment the code block below once there has been a tc-native + * release with this method and the minimum tc-native version + * has been incremented. +for (int i = 1; i < chain.length; i++) { +SSLContext.addChainCertificateRaw(ctx, chain[i].getEncoded()); +} +*/ } // Client certificate verification int value = 0; - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
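Review bot: the commented-out loop in the OpenSSLContext hunk means this commit still does not send intermediates, and a block comment is easy to overlook when the minimum tc-native version is eventually raised; at minimum a TODO naming the target tc-native version would be greppable, and a runtime check of the loaded tc-native version before calling addChainCertificateRaw would let the chain be sent as soon as the library supports it instead of waiting for the version bump. The hunk also keeps the unchecked `chain[0]`: X509KeyManager.getCertificateChain returns null for an unknown alias, so a mistyped certificateKeyAlias surfaces as a NullPointerException rather than a configuration error (pre-existing, since the removed line had the same `[0]`, but this is the line being touched).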
Re: svn commit: r1737154 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
On 30/03/2016 20:27, ma...@apache.org wrote: > Author: markt > Date: Wed Mar 30 19:27:29 2016 > New Revision: 1737154 > > URL: http://svn.apache.org/viewvc?rev=1737154&view=rev > Log: > Add support for obtaining the certificate chain from a Java keystore This needs a review by someone who knows C better than I do. The implementation is essentially a copy/paste of setCertificateRaw with what looked to be the right changes to remove the unnecessary private key code and to call the right OpenSSL method to set the chain. It does work - in that SSL Labs sees the full chain - but the code may well be terrible. I wouldn't be surprised if it leaked memory. Once this has been reviewed and fixed, I plan to do a tc-native release so we can up the minimum required version in 9.0.x and 8.5.x and ship the next releases with the necessary tc-native code to use this feature. Mark > > Modified: > tomcat/native/trunk/native/src/sslcontext.c > tomcat/native/trunk/xdocs/miscellaneous/changelog.xml > > Modified: tomcat/native/trunk/native/src/sslcontext.c > URL: > http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1737154&r1=1737153&r2=1737154&view=diff > == > --- tomcat/native/trunk/native/src/sslcontext.c (original) > +++ tomcat/native/trunk/native/src/sslcontext.c Wed Mar 30 19:27:29 2016 > @@ -1051,7 +1051,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > certs = d2i_X509(NULL, &tmp, lengthOfCert); > if (certs == NULL) { > ERR_error_string(ERR_get_error(), err); > -tcn_Throw(e, "Error reading certificat (%s)", err); > +tcn_Throw(e, "Error reading certificate (%s)", err); > rv = JNI_FALSE; > goto cleanup; > } 
> @@ -1119,6 +1119,50 @@ cleanup: > free(cert); > return rv; > } > + > +TCN_IMPLEMENT_CALL(jboolean, SSLContext, > addChainCertificateRaw)(TCN_STDARGS, jlong ctx, > + jbyteArray > javaCert) > +{ > +jsize lengthOfCert; > +unsigned char* cert; > +X509 * certs; > +EVP_PKEY * evp; > +const unsigned char *tmp; > +BIO * bio; > + > +tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); > +jboolean rv = JNI_TRUE; > +char err[256]; > + > +/* we get the cert contents into a byte array */ > +jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaCert, NULL); > +lengthOfCert = (*e)->GetArrayLength(e, javaCert); > +cert = malloc(lengthOfCert); > +memcpy(cert, bufferPtr, lengthOfCert); > +(*e)->ReleaseByteArrayElements(e, javaCert, bufferPtr, 0); > + > +UNREFERENCED(o); > +TCN_ASSERT(ctx != 0); > + > +tmp = (const unsigned char *)cert; > +certs = d2i_X509(NULL, &tmp, lengthOfCert); > +if (certs == NULL) { > +ERR_error_string(ERR_get_error(), err); > +tcn_Throw(e, "Error reading certificate (%s)", err); > +rv = JNI_FALSE; > +goto cleanup; > +} > + > +if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0) { > +ERR_error_string(ERR_get_error(), err); > +tcn_Throw(e, "Error setting certificate (%s)", err); > +rv = JNI_FALSE; > +} > + > +cleanup: > +free(cert); > +return rv; > +} > > static int ssl_array_index(apr_array_header_t *array, > const char *s) > > Modified: tomcat/native/trunk/xdocs/miscellaneous/changelog.xml > URL: > http://svn.apache.org/viewvc/tomcat/native/trunk/xdocs/miscellaneous/changelog.xml?rev=1737154&r1=1737153&r2=1737154&view=diff > == > --- tomcat/native/trunk/xdocs/miscellaneous/changelog.xml (original) > +++ tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Wed Mar 30 19:27:29 > 2016 
> @@ -54,6 +54,9 @@ > >Fix some compiler warnings in native ssl code. (rjung) > > + > + Add support for using Java keystores for certificate chains. (markt) > + > > > > > > > - > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat Wiki] Update of "Security/Ciphers" by markt
Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification. The "Security/Ciphers" page has been changed by markt: https://wiki.apache.org/tomcat/Security/Ciphers?action=diff&rev1=8&rev2=9 Comment: Update Tomcat 9 results || Tomcat 7 (JSSE)|| N/A || C|| C|| B|| || Tomcat 8 (JSSE)|| N/A || N/A || C|| B|| || Tomcat 9 (JSSE)|| N/A || N/A || N/A || A|| - || Tomcat 9 (OpenSSL) || N/A || N/A || N/A || B|| + || Tomcat 9 (OpenSSL) || N/A || N/A || N/A || A|| - Note: There is a bug with Tomcat 9 with JSSE+OpenSSL that limits the grade to B because the certificate chain is not made available. + Note: Tomcat 9 with JSSE+OpenSSL and JSSE config requires a 1.2.6 tc-native release to achieve an A since without it the full certificate chain is not presented to the client. == JSSE (BIO/NIO/NIO2) Results (Improved) == - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
buildbot failure in on tomcat-8-trunk
The Buildbot has detected a new failure on builder tomcat-8-trunk while building . Full details are available at: https://ci.apache.org/builders/tomcat-8-trunk/builds/524 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: silvanus_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-8-commit' triggered this build Build Source Stamp: [branch tomcat/tc8.0.x/trunk] 1737151 Blamelist: remm BUILD FAILED: failed compile_1 Sincerely, -The Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 59247] Using the IBM JDK with the security manager results in java.lang.RuntimePermission warning
https://bz.apache.org/bugzilla/show_bug.cgi?id=59247 --- Comment #6 from Coty Sutherland --- Created attachment 33712 --> https://bz.apache.org/bugzilla/attachment.cgi?id=33712&action=edit stack trace for tomcat6 denial I accidentally neglected to test tomcat6 earlier, but the addition to the policy isn't quite enough for it. Tomcat7+ works with the addition. Here is the stack trace from the additional exception. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 59247] Using the IBM JDK with the security manager results in java.lang.RuntimePermission warning
https://bz.apache.org/bugzilla/show_bug.cgi?id=59247 --- Comment #7 from Coty Sutherland --- Created attachment 33713 --> https://bz.apache.org/bugzilla/attachment.cgi?id=33713&action=edit patch proposal to resolve the tomcat6 denial And here is a patch that seemingly resolves the issue for review. It looks like the examples webapp wants to use a class in o.a.catalina and it's getting denied. I added a section for the examples webapp much like the manager and host-manager section and put the permission there. Hopefully I did it correctly :) -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 59247] Using the IBM JDK with the security manager results in java.lang.RuntimePermission warning
https://bz.apache.org/bugzilla/show_bug.cgi?id=59247 --- Comment #8 from Konstantin Kolinko ---

From "java.security.debug stack trace" attachment,

[[[
java.lang.Exception: Stack trace
at java.security.AccessController.throwACE(AccessController.java:144)
at java.security.AccessController.checkPermissionHelper(AccessController.java:217)
at java.security.AccessController.checkPermission(AccessController.java:349)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1655)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:322)
at java.lang.ClassLoader.loadClassHelper(ClassLoader.java:836)
at java.lang.ClassLoader.loadClass(ClassLoader.java:823)
at java.lang.ClassLoader.loadClass(ClassLoader.java:803)
at org.apache.catalina.loader.WebappClassLoaderBase.findResource(WebappClassLoaderBase.java:903)
at org.apache.juli.ClassLoaderLogManager.readConfiguration(ClassLoaderLogManager.java:429)
at org.apache.juli.ClassLoaderLogManager$2.run(ClassLoaderLogManager.java:402)
at org.apache.juli.ClassLoaderLogManager$2.run(ClassLoaderLogManager.java:398)
at java.security.AccessController.doPrivileged(AccessController.java:594)
at org.apache.juli.ClassLoaderLogManager.getClassLoaderInfo(ClassLoaderLogManager.java:398)
at org.apache.juli.ClassLoaderLogManager.getLogger(ClassLoaderLogManager.java:230)
at java.util.logging.LogManager.demandLogger(LogManager.java:562)
at java.util.logging.Logger.demandLogger(Logger.java:466)
at java.util.logging.Logger.getLogger(Logger.java:513)
at org.apache.juli.logging.DirectJDKLog.<clinit>(DirectJDKLog.java:68)
at org.apache.juli.logging.DirectJDKLog.getInstance(DirectJDKLog.java:188)
at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:115)
at org.apache.juli.logging.LogFactory.getLog(LogFactory.java:206)
at org.apache.catalina.core.ContainerBase.getLogger(ContainerBase.java:363)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5143)
]]]

The line WebappClassLoaderBase.java:903 where it happens is

> ResourceEntry entry = resourceEntries.get(path);

so IBM JDK refuses WebappClassLoaderBase's right to load a class from the same package and from the same classloader. This is rather odd behaviour. Isn't it a bug in IBM JDK?

Another thing that I do not understand is why the stacktrace goes into sun.misc.Launcher$AppClassLoader. The ResourceEntry class shall be loaded by URLClassLoader() -- the one that loads classes from ${catalina.home}/lib/*.jar -- created by o.a.c.startup.ClassLoaderFactory during bootstrap time. Maybe it tries to load something else besides that class, or this is a call to a parent classloader.

I think that while allowing the "accessClassInPackage.org.apache.catalina.loader" permit to tomcat-juli.jar is rather safe, this permit does not have enough grounds. (Formally: -1)

I think that this can be solved by preloading the org.apache.catalina.loader.ResourceEntry class.

a. In an existing version of Tomcat the class can be preloaded by adding its name to the "classesToInitialize" attribute of a JreMemoryLeakPreventionListener configured in server.xml [1]

b. The permanent solution is to preload the class via the org.apache.catalina.security.SecurityClassLoad class, like many others.

[1] http://tomcat.apache.org/tomcat-8.0-doc/config/listeners.html#JRE_Memory_Leak_Prevention_Listener_-_org.apache.catalina.core.JreMemoryLeakPreventionListener
Re: svn commit: r1737154 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
2016-03-30 22:33 GMT+03:00 Mark Thomas :
> On 30/03/2016 20:27, ma...@apache.org wrote:
>> Author: markt
>> Date: Wed Mar 30 19:27:29 2016
>> New Revision: 1737154
>>
>> URL: http://svn.apache.org/viewvc?rev=1737154&view=rev
>> Log:
>> Add support for obtaining the certificate chain from a Java keystore
>
> This needs a review by someone who knows C better than I do.
>
> The implementation is essentially a copy/paste of setCertificateRaw with
> what looked to be the right changes to remove the unnecessary private
> key code and to call the right OpenSSL method to set the chain.
>
> It does work - in that SSL Labs sees the full chain - but the code may
> well be terrible. I wouldn't be surprised if it leaked memory.
>
> Once this has been reviewed and fixed, I plan to do a tc-native release
> so we can up the minimum required version in 9.0.x and 8.5.x and ship
> the next releases with the necessary tc-native code to use this feature.
>

There is a second half of this file (sslcontext.c) that defines stubs for all these methods for the case when the library is compiled without OpenSSL. Neither the setCertificateRaw method nor the new one is declared there.

#else
/* OpenSSL is not supported.
 * Create empty stubs.
 */

Best regards,
Konstantin Kolinko
buildbot success in on tomcat-7-trunk
The Buildbot has detected a restored build on builder tomcat-7-trunk while building . Full details are available at:
https://ci.apache.org/builders/tomcat-7-trunk/builds/370

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: silvanus_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-7-commit' triggered this build
Build Source Stamp: [branch tomcat/tc7.0.x/trunk] 1737152
Blamelist: remm

Build succeeded!

Sincerely,
-The Buildbot
RE: svn commit: r1737154 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
> From: Mark Thomas [mailto:ma...@apache.org]
> Subject: Re: svn commit: r1737154 - in /tomcat/native/trunk:
> native/src/sslcontext.c xdocs/miscellaneous/changelog.xml

> The implementation is essentially a copy/paste of setCertificateRaw with
> what looked to be the right changes to remove the unnecessary private
> key code and to call the right OpenSSL method to set the chain.

> It does work - in that SSL Labs sees the full chain - but the code may
> well be terrible. I wouldn't be surprised if it leaked memory.

I don't see any obvious leaks (although I'm unfamiliar with OpenSSL semantics), but using a goto is generally frowned upon. Better code might be something like this:

+certs = d2i_X509(NULL, &tmp, lengthOfCert);
+if (certs == NULL) {
+ERR_error_string(ERR_get_error(), err);
+tcn_Throw(e, "Error reading certificate (%s)", err);
+rv = JNI_FALSE;
+} else if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0) {
+ERR_error_string(ERR_get_error(), err);
+tcn_Throw(e, "Error setting certificate (%s)", err);
+rv = JNI_FALSE;
+}
+
+free(cert);
+return rv;

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] Sent: 2016 March 30, Wednesday 14:33 To: dev@tomcat.apache.org Subject: Re: svn commit: r1737154 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml On 30/03/2016 20:27, ma...@apache.org wrote: > Author: markt > Date: Wed Mar 30 19:27:29 2016 > New Revision: 1737154 > > URL: http://svn.apache.org/viewvc?rev=1737154&view=rev > Log: > Add support for obtaining the certificate chain from a Java keystore This needs a review by someone who knows C better than I do. The implementation is essentially a copy/paste of setCertificateRaw with what looked to be the right changes to remove the unnecessary private key code and to call the right OpenSSL method to set the chain. It does work - in that SSL Labs sees the full chain - but the code may well be terrible. I wouldn't be surprised if it leaked memory. Once this has been reviewed and fixed, I plan to do a tc-native release so we can up the minimum required version in 9.0.x and 8.5.x and ship the next releases with the necessary tc-native code to use this feature. Mark > > Modified: > tomcat/native/trunk/native/src/sslcontext.c > tomcat/native/trunk/xdocs/miscellaneous/changelog.xml > > Modified: tomcat/native/trunk/native/src/sslcontext.c > URL: > http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1737154&r1=1737153&r2=1737154&view=diff > == > --- tomcat/native/trunk/native/src/sslcontext.c (original) > +++ tomcat/native/trunk/native/src/sslcontext.c Wed Mar 30 19:27:29 2016 > @@ -1051,7 +1051,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > certs = d2i_X509(NULL, &tmp, lengthOfCert); > if (certs == NULL) { > ERR_error_string(ERR_get_error(), err); > -tcn_Throw(e, "Error reading certificat (%s)", err); > +tcn_Throw(e, "Error reading certificate (%s)", err); > rv = JNI_FALSE; > goto cleanup; > } 
> @@ -1119,6 +1119,50 @@ cleanup: > free(cert); > return rv; > } > + > +TCN_IMPLEMENT_CALL(jboolean, SSLContext, > addChainCertificateRaw)(TCN_STDARGS, jlong ctx, > + jbyteArray > javaCert) > +{ > +jsize lengthOfCert; > +unsigned char* cert; > +X509 * certs; > +EVP_PKEY * evp; > +const unsigned char *tmp; > +BIO * bio; > + > +tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); > +jboolean rv = JNI_TRUE; > +char err[256]; > + > +/* we get the cert contents into a byte array */ > +jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaCert, NULL); > +lengthOfCert = (*e)->GetArrayLength(e, javaCert); > +cert = malloc(lengthOfCert); > +memcpy(cert, bufferPtr, lengthOfCert); > +(*e)->ReleaseByteArrayElements(e, javaCert, bufferPtr, 0); > + > +UNREFERENCED(o); > +TCN_ASSERT(ctx != 0); > + > +tmp = (const unsigned char *)cert; > +certs = d2i_X509(NULL, &tmp, lengthOfCert); > +if (certs == NULL) { > +ERR_error_string(ERR_get_error(), err); > +tcn_Throw(e, "Error reading certificate (%s)", err); > +rv = JNI_FALSE; > +goto cleanup; > +} > + > +if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0) { > +ERR_error_string(ERR_get_error(), err); > +tcn_Throw(e, "Error setting certificate (%s)", err); > +rv = JNI_FALSE; > +} > + > +cleanup: > +free(cert); > +return rv; > +} > > static int ssl_array_i
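Review bot: in the new addChainCertificateRaw the X509 returned by d2i_X509 is leaked on the failure path of SSL_CTX_add0_chain_cert: the add0 variant hands ownership of `certs` to the context only when the call succeeds, so the `<= 0` branch should call `X509_free(certs);` before `rv = JNI_FALSE;`. Earlier in the same function, `cert = malloc(lengthOfCert);` is passed straight to memcpy without a NULL check, and `bufferPtr` from GetByteArrayElements is likewise unchecked; both should set rv = JNI_FALSE and release the array before anything is copied. `EVP_PKEY * evp;` and `BIO * bio;` are unused leftovers from setCertificateRaw and can go, and "Error setting certificate" would be more accurate as "Error adding certificate", since this method appends to the chain rather than replacing the leaf. The `#else` half of sslcontext.c that stubs these methods for a build without OpenSSL, as pointed out elsewhere in this thread, also needs a stub for the new method so that build does not break.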
Re: svn commit: r1737154 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
2016-03-30 22:27 GMT+03:00 : > Author: markt > Date: Wed Mar 30 19:27:29 2016 > New Revision: 1737154 > > URL: http://svn.apache.org/viewvc?rev=1737154&view=rev > Log: > Add support for obtaining the certificate chain from a Java keystore > > Modified: > tomcat/native/trunk/native/src/sslcontext.c > tomcat/native/trunk/xdocs/miscellaneous/changelog.xml > > Modified: tomcat/native/trunk/native/src/sslcontext.c > URL: > http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1737154&r1=1737153&r2=1737154&view=diff > == > --- tomcat/native/trunk/native/src/sslcontext.c (original) > +++ tomcat/native/trunk/native/src/sslcontext.c Wed Mar 30 19:27:29 2016 > @@ -1051,7 +1051,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > certs = d2i_X509(NULL, &tmp, lengthOfCert); > if (certs == NULL) { > ERR_error_string(ERR_get_error(), err); > -tcn_Throw(e, "Error reading certificat (%s)", err); > +tcn_Throw(e, "Error reading certificate (%s)", err); > rv = JNI_FALSE; > goto cleanup; > } 
> @@ -1119,6 +1119,50 @@ cleanup: > free(cert); > return rv; > } > + > +TCN_IMPLEMENT_CALL(jboolean, SSLContext, > addChainCertificateRaw)(TCN_STDARGS, jlong ctx, > + jbyteArray > javaCert) > +{ > +jsize lengthOfCert; > +unsigned char* cert; > +X509 * certs; > +EVP_PKEY * evp; > +const unsigned char *tmp; > +BIO * bio; The "BIO" and "evp" variables are declared, but never used. Can be removed. > + > +tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); > +jboolean rv = JNI_TRUE; > +char err[256]; > + > +/* we get the cert contents into a byte array */ > +jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaCert, NULL); > +lengthOfCert = (*e)->GetArrayLength(e, javaCert); > +cert = malloc(lengthOfCert); > +memcpy(cert, bufferPtr, lengthOfCert); > +(*e)->ReleaseByteArrayElements(e, javaCert, bufferPtr, 0); > + > +UNREFERENCED(o); > +TCN_ASSERT(ctx != 0); > + > +tmp = (const unsigned char *)cert; > +certs = d2i_X509(NULL, &tmp, lengthOfCert); > +if (certs == NULL) { > +ERR_error_string(ERR_get_error(), err); > +tcn_Throw(e, "Error reading certificate (%s)", err); > +rv = JNI_FALSE; > +goto cleanup; > +} > + > +if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0) { > +ERR_error_string(ERR_get_error(), err); > +tcn_Throw(e, "Error setting certificate (%s)", err); "Error adding certificate" > +rv = JNI_FALSE; > +} > + > +cleanup: > +free(cert); > +return rv; > +} > This implementation matches the code of setCertificateRaw(), I see no obvious errors (just high-level review comparing the two methods). I wonder about "idx" argument in setCertificateRaw() - the case of using several certificate types in parallel (RSA, DSA, ECC -- see SSL_AIDX_DSA etc. in include/ssl_private.h and Javadoc for this method). I think that each certificate has its own chain going up to different root CA certificate. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1737154 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
On 30/03/2016 21:31, Caldarale, Charles R wrote:
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Subject: Re: svn commit: r1737154 - in /tomcat/native/trunk:
>> native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
>
>> The implementation is essentially a copy/paste of setCertificateRaw with
>> what looked to be the right changes to remove the unnecessary private
>> key code and to call the right OpenSSL method to set the chain.
>
>> It does work - in that SSL Labs sees the full chain - but the code may
>> well be terrible. I wouldn't be surprised if it leaked memory.
>
> I don't see any obvious leaks (although I'm unfamiliar with OpenSSL
> semantics),

ACK. Thanks.

> but using a goto is generally frowned upon. Better code might be something
> like this:

My defence is that I was copying the style of the previous method. If we fix one, we should fix both. I'll see what I can do.

Cheers,

Mark

> +certs = d2i_X509(NULL, &tmp, lengthOfCert);
> +if (certs == NULL) {
> +ERR_error_string(ERR_get_error(), err);
> +tcn_Throw(e, "Error reading certificate (%s)", err);
> +rv = JNI_FALSE;
> +} else if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0) {
> +ERR_error_string(ERR_get_error(), err);
> +tcn_Throw(e, "Error setting certificate (%s)", err);
> +rv = JNI_FALSE;
> +}
> +
> +free(cert);
> +return rv;
>
> - Chuck
>
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org] > Sent: 2016 March 30, Wednesday 14:33 > To: dev@tomcat.apache.org > Subject: Re: svn commit: r1737154 - in /tomcat/native/trunk: > native/src/sslcontext.c xdocs/miscellaneous/changelog.xml > > On 30/03/2016 20:27, ma...@apache.org wrote: >> Author: markt >> Date: Wed Mar 30 19:27:29 2016 >> New Revision: 1737154 >> >> URL: http://svn.apache.org/viewvc?rev=1737154&view=rev >> Log: >> Add support for obtaining the certificate chain from a Java keystore > > This needs a review by someone who knows C better than I do. > > The implementation is essentially a copy/paste of setCertificateRaw with > what looked to be the right changes to remove the unnecessary private > key code and to call the right OpenSSL method to set the chain. > > It does work - in that SSL Labs sees the full chain - but the code may > well be terrible. I wouldn't be surprised if it leaked memory. > > Once this has been reviewed and fixed, I plan to do a tc-native release > so we can up the minimum required version in 9.0.x and 8.5.x and ship > the next releases with the necessary tc-native code to use this feature. > > Mark > > >> >> Modified: >> tomcat/native/trunk/native/src/sslcontext.c >> tomcat/native/trunk/xdocs/miscellaneous/changelog.xml >> >> Modified: tomcat/native/trunk/native/src/sslcontext.c >> URL: >> http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1737154&r1=1737153&r2=1737154&view=diff >> == >> --- tomcat/native/trunk/native/src/sslcontext.c (original) >> +++ tomcat/native/trunk/native/src/sslcontext.c Wed Mar 30 19:27:29 2016 >> @@ -1051,7 +1051,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, >> certs = d2i_X509(NULL, &tmp, lengthOfCert); >> if (certs == NULL) { >> ERR_error_string(ERR_get_error(), err); >> -tcn_Throw(e, "Error reading certificat (%s)", err); >> +tcn_Throw(e, "Error reading certificate (%s)", err); >> rv = JNI_FALSE; >> goto cleanup; >> } 
>> @@ -1119,6 +1119,50 @@ cleanup: >> free(cert); >> return rv; >> } >> + >> +TCN_IMPLEMENT_CALL(jboolean, SSLContext, >> addChainCertificateRaw)(TCN_STDARGS, jlong ctx, >> + jbyteArray >> javaCert) >> +{ >> +jsize lengthOfCert; >> +unsigned char* cert; >> +X509 * certs; >> +EVP_PKEY * evp; >> +const unsigned char *tmp; >> +BIO * bio; >> + >> +tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); >> +jboolean rv = JNI_TRUE; >> +char err[256]; >> + >> +/* we get the cert contents into a byte array */ >> +jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaCert, NULL); >> +lengthOfCert = (*e)->GetArrayLength(e, javaCert); >> +cert = malloc(lengthOfCert); >> +memcpy(cert, bufferPtr, lengthOfCert); >> +(*e)->ReleaseByteArrayElements(e, javaCert, bufferPtr, 0); >> + >> +UNREFERENCED(o); >> +TCN_ASSERT(ctx != 0); >> + >> +tmp = (const unsigned char *)cert; >> +certs = d2i_X509(NULL, &tmp, lengthOfCert); >> +if (certs == NULL) { >> +ERR_error_string(ERR_get_error(), err); >> +tcn_Throw(e, "Error reading ce
Re: svn commit: r1737154 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
On 30/03/2016 21:41, Konstantin Kolinko wrote: > 2016-03-30 22:27 GMT+03:00 : >> Author: markt >> Date: Wed Mar 30 19:27:29 2016 >> New Revision: 1737154 >> >> URL: http://svn.apache.org/viewvc?rev=1737154&view=rev >> Log: >> Add support for obtaining the certificate chain from a Java keystore >> >> Modified: >> tomcat/native/trunk/native/src/sslcontext.c >> tomcat/native/trunk/xdocs/miscellaneous/changelog.xml >> >> Modified: tomcat/native/trunk/native/src/sslcontext.c >> URL: >> http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1737154&r1=1737153&r2=1737154&view=diff >> == >> --- tomcat/native/trunk/native/src/sslcontext.c (original) >> +++ tomcat/native/trunk/native/src/sslcontext.c Wed Mar 30 19:27:29 2016 >> @@ -1051,7 +1051,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, >> certs = d2i_X509(NULL, &tmp, lengthOfCert); >> if (certs == NULL) { >> ERR_error_string(ERR_get_error(), err); >> -tcn_Throw(e, "Error reading certificat (%s)", err); >> +tcn_Throw(e, "Error reading certificate (%s)", err); >> rv = JNI_FALSE; >> goto cleanup; >> } 
>> @@ -1119,6 +1119,50 @@ cleanup: >> free(cert); >> return rv; >> } >> + >> +TCN_IMPLEMENT_CALL(jboolean, SSLContext, >> addChainCertificateRaw)(TCN_STDARGS, jlong ctx, >> + jbyteArray >> javaCert) >> +{ >> +jsize lengthOfCert; >> +unsigned char* cert; >> +X509 * certs; >> +EVP_PKEY * evp; >> +const unsigned char *tmp; >> +BIO * bio; > > The "BIO" and "evp" variables are declared, but never used. Can be removed. > >> + >> +tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); >> +jboolean rv = JNI_TRUE; >> +char err[256]; >> + >> +/* we get the cert contents into a byte array */ >> +jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaCert, NULL); >> +lengthOfCert = (*e)->GetArrayLength(e, javaCert); >> +cert = malloc(lengthOfCert); >> +memcpy(cert, bufferPtr, lengthOfCert); >> +(*e)->ReleaseByteArrayElements(e, javaCert, bufferPtr, 0); >> + >> +UNREFERENCED(o); >> +TCN_ASSERT(ctx != 0); >> + >> +tmp = (const unsigned char *)cert; >> +certs = d2i_X509(NULL, &tmp, lengthOfCert); >> +if (certs == NULL) { >> +ERR_error_string(ERR_get_error(), err); >> +tcn_Throw(e, "Error reading certificate (%s)", err); >> +rv = JNI_FALSE; >> +goto cleanup; >> +} >> + >> +if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0) { >> +ERR_error_string(ERR_get_error(), err); >> +tcn_Throw(e, "Error setting certificate (%s)", err); > > "Error adding certificate" > >> +rv = JNI_FALSE; >> +} >> + >> +cleanup: >> +free(cert); >> +return rv; >> +} >> > > > This implementation matches the code of setCertificateRaw(), I see no > obvious errors (just high-level review comparing the two methods). Thanks. I'll look at implementing these tomorrow. > I wonder about "idx" argument in setCertificateRaw() - the case of > using several certificate types in parallel (RSA, DSA, ECC -- see > SSL_AIDX_DSA etc. in include/ssl_private.h and Javadoc for this > method). > > I think that each certificate has its own chain going up to different > root CA certificate. No. They have to have the same chain. 
That is a 'feature' of OpenSSL.

Cheers,

Mark
Re: svn commit: r1737154 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
2016-03-30 15:43 GMT-05:00 Mark Thomas :
> > This implementation matches the code of setCertificateRaw(), I see no
> > obvious errors (just high-level review comparing the two methods).
>
> Thanks. I'll look at implementing these tomorrow.
>
> > I wonder about "idx" argument in setCertificateRaw() - the case of
> > using several certificate types in parallel (RSA, DSA, ECC -- see
> > SSL_AIDX_DSA etc. in include/ssl_private.h and Javadoc for this
> > method).
> >
> > I think that each certificate has its own chain going up to different
> > root CA certificate.
>
> No. They have to have the same chain. That is a 'feature' of OpenSSL.
>

I can confirm that since I had a look because the init code looked a bit odd. The different types for a single certificate have to share the same chain. OTOH, the feature wouldn't be *so* useful either.

Rémy
Re: svn commit: r1737154 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
Mark, On 3/30/16 3:33 PM, Mark Thomas wrote: > On 30/03/2016 20:27, ma...@apache.org wrote: >> Author: markt >> Date: Wed Mar 30 19:27:29 2016 >> New Revision: 1737154 >> >> URL: http://svn.apache.org/viewvc?rev=1737154&view=rev >> Log: >> Add support for obtaining the certificate chain from a Java keystore > > This needs a review by someone who knows C better than I do. See below. > The implementation is essentially a copy/paste of setCertificateRaw with > what looked to be the right changes to remove the unnecessary private > key code and to call the right OpenSSL method to set the chain. > > It does work - in that SSL Labs sees the full chain - but the code may > well be terrible. I wouldn't be surprised if it leaked memory. > > Once this has been reviewed and fixed, I plan to do a tc-native release > so we can up the minimum required version in 9.0.x and 8.5.x and ship > the next releases with the necessary tc-native code to use this feature. > > Mark > > >> >> Modified: >> tomcat/native/trunk/native/src/sslcontext.c >> tomcat/native/trunk/xdocs/miscellaneous/changelog.xml >> >> Modified: tomcat/native/trunk/native/src/sslcontext.c >> URL: >> http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1737154&r1=1737153&r2=1737154&view=diff >> == >> --- tomcat/native/trunk/native/src/sslcontext.c (original) >> +++ tomcat/native/trunk/native/src/sslcontext.c Wed Mar 30 19:27:29 2016 >> @@ -1051,7 +1051,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, >> certs = d2i_X509(NULL, &tmp, lengthOfCert); >> if (certs == NULL) { >> ERR_error_string(ERR_get_error(), err); >> -tcn_Throw(e, "Error reading certificat (%s)", err); >> +tcn_Throw(e, "Error reading certificate (%s)", err); >> rv = JNI_FALSE; >> goto cleanup; >> } 
>> @@ -1119,6 +1119,50 @@ cleanup: >> free(cert); >> return rv; >> } >> + >> +TCN_IMPLEMENT_CALL(jboolean, SSLContext, >> addChainCertificateRaw)(TCN_STDARGS, jlong ctx, >> + jbyteArray >> javaCert) >> +{ >> +jsize lengthOfCert; >> +unsigned char* cert; >> +X509 * certs; >> +EVP_PKEY * evp; >> +const unsigned char *tmp; >> +BIO * bio; >> + >> +tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); >> +jboolean rv = JNI_TRUE; >> +char err[256]; >> + >> +/* we get the cert contents into a byte array */ >> +jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaCert, NULL); >> +lengthOfCert = (*e)->GetArrayLength(e, javaCert); >> +cert = malloc(lengthOfCert); >> +memcpy(cert, bufferPtr, lengthOfCert); >> +(*e)->ReleaseByteArrayElements(e, javaCert, bufferPtr, 0); Since bufferPtr is the byte array you want to use, you can probably just use that directly for the call to d2i_x509(). I think the malloc/memcpy/free is not necessary. Obviously, don't call ReleaseByteArray until after calling d2i_509. >> + >> +UNREFERENCED(o); >> +TCN_ASSERT(ctx != 0); >> + >> +tmp = (const unsigned char *)cert; >> +certs = d2i_X509(NULL, &tmp, lengthOfCert); >> +if (certs == NULL) { >> +ERR_error_string(ERR_get_error(), err); >> +tcn_Throw(e, "Error reading certificate (%s)", err); >> +rv = JNI_FALSE; >> +goto cleanup; >> +} >> + >> +if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0) { >> +ERR_error_string(ERR_get_error(), err); >> +tcn_Throw(e, "Error setting certificate (%s)", err); >> +rv = JNI_FALSE; >> +} >> + >> +cleanup: >> +free(cert); >> +return rv; >> +} You could probably avoid the label/goto with a slight more complicated conditional structure, but I don't see a particular reason to do so. -chris signature.asc Description: OpenPGP digital signature
[Bug 59247] Using the IBM JDK with the security manager results in java.lang.RuntimePermission warning
https://bz.apache.org/bugzilla/show_bug.cgi?id=59247

--- Comment #9 from Remy Maucherat ---
Evidently there's a "bug" somewhere if only the IBM JDK does this. However, since this is only added to JULI, adding it is probably not a big issue [which is why I did it], so having a workaround sounds acceptable to me.

I will challenge your veto on the grounds that it doesn't cause any harm. Let's see if someone seconds it.
RE: svn commit: r1737154 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
> From: Christopher Schultz
> Subject: RE: svn commit: r1737154 - in /tomcat/native/trunk:
> native/src/sslcontext.c xdocs/miscellaneous/changelog.xml

> Since bufferPtr is the byte array you want to use, you can probably just
> use that directly for the call to d2i_x509(). I think the
> malloc/memcpy/free is not necessary.

Does calling d2i_X509() have the potential to block for any significant length of time? If so, the byte array would be pinned in the heap for the duration, which may impact GC.

 - Chuck
Re: svn commit: r1737154 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
Chuck,

On 3/30/16 5:10 PM, Caldarale, Charles R wrote:
>> From: Christopher Schultz
>> Subject: RE: svn commit: r1737154 - in /tomcat/native/trunk:
>> native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
>
>> Since bufferPtr is the byte array you want to use, you can probably just
>> use that directly for the call to d2i_x509(). I think the
>> malloc/memcpy/free is not necessary.
>
> Does calling d2i_X509() have the potential to block for any
> significant length of time? If so, the byte array would be pinned in
> the heap for the duration, which may impact GC.

Good question. I assumed it was a conversion routine (foo2bar) and was just going to be converting from byte array to an internal representation of the X509 certificate. My justification for avoiding the malloc/memcpy/free was to reduce memory churn and improve performance, but you're right: if d2i_X509 is likely to take any significant amount of time, that outstanding pinned array can cause a slowdown in other areas. In either case, I believe correctness is maintained so it will all come down to performance.

I'll have to read about d2i_X509 and maybe read the implementation (which is likely to cause nightmares) to see.

-chris
[Bug 59229] Wrong documentation: NIO connector is non-blocking when reading http request
https://bz.apache.org/bugzilla/show_bug.cgi?id=59229

--- Comment #10 from Huxing Zhang ---
Thanks for clarifying that AJP is blocking for the NIO connector when reading http headers and request. My bad for not digging into the AJP code. I will take more care next time.
[Bug 59254] New: testWsCloseThenTcpResetWhenOnMessageSends failed for APR
https://bz.apache.org/bugzilla/show_bug.cgi?id=59254

Bug ID: 59254
Summary: testWsCloseThenTcpResetWhenOnMessageSends failed for APR
Product: Tomcat 7
Version: trunk
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: WebSocket
Assignee: dev@tomcat.apache.org
Reporter: huxing.zh...@gmail.com

Created attachment 33714
--> https://bz.apache.org/bugzilla/attachment.cgi?id=33714&action=edit
Test case output

The following test case is constantly failing in my environment.

org.apache.tomcat.websocket.server.TestClose#testWsCloseThenTcpResetWhenOnMessageSends

The test case is run against trunk (r1737152).

Environment details:
OS: Mac OS X
JDK: 1.6.0_65 + 1.7.0_80 (for web socket test cases, 1.7.0_80 should be used)
tcnative version: 1.2.5
APR version: 1.5.2
openssl version: OpenSSL 1.0.2g 1 Mar 2016

Testcase: testWsCloseThenTcpResetWhenOnMessageSends took 0.148 sec
FAILED
Rx: NORMAL_CLOSURE
junit.framework.AssertionFailedError: Rx: NORMAL_CLOSURE
    at org.apache.tomcat.websocket.server.TestClose.awaitOnClose(TestClose.java:107)
    at org.apache.tomcat.websocket.server.TestClose.awaitOnClose(TestClose.java:100)
    at org.apache.tomcat.websocket.server.TestClose.testWsCloseThenTcpResetWhenOnMessageSends(TestClose.java:267)

I have confirmed that the server received the web socket NORMAL_CLOSURE frame before the connection is forcibly reset.

My suggestion is to expect NORMAL_CLOSURE as well as CLOSED_ABNORMALLY, just like what org.apache.tomcat.websocket.server.TestClose#testWsCloseThenTcpCloseWhenOnMessageSends does.
[Bug 59254] testWsCloseThenTcpResetWhenOnMessageSends failed for APR
https://bz.apache.org/bugzilla/show_bug.cgi?id=59254

--- Comment #1 from Huxing Zhang ---
Created attachment 33715
--> https://bz.apache.org/bugzilla/attachment.cgi?id=33715&action=edit
Patch to fix the test case
tomcat 9.0.x/8.5.x github mirror
Hi,

I am wondering whether there is any plan to set up a github mirror for the tomcat 9.0.x/8.5.x branch? If so, what is its ETA?

Thanks,
Huxing
Re: tomcat 9.0.x/8.5.x github mirror
Sorry, the 9.0.x mirror is already there, I mean the 8.5.x mirror.

--
From: Huxing Zhang
Time: 2016 Mar 31 (Thu) 11:03
To: dev
Subject: tomcat 9.0.x/8.5.x github mirror

Hi,

I am wondering whether there is any plan to set up a github mirror for the tomcat 9.0.x/8.5.x branch? If so, what is its ETA?

Thanks,
Huxing