Bug report for Tomcat Native [2017/08/27]
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|Bugzilla Bug ID|Status|Severity|Date Posted|Description|
|53940|New|Enh|2012-09-27|Added support for new CRL loading after expiration|
|55087|New|Cri|2013-06-10|tomcat crashes in tcnative-1.dll with OCSP when OC|
|56378|New|Nor|2014-04-09|Cert load fails if cert is located in path with no|
|57815|New|Enh|2015-04-15|Improve error message when OpenSSL does not suppor|
|58194|Inf|Maj|2015-07-30|Tomcat crash EXCEPTION_ACCESS_VIOLATION in tcnativ|
|59286|New|Nor|2016-04-07|Socket binding failures when using APR|

Total 6 bugs

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Bug report for Tomcat 8 [2017/08/27]
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|Bugzilla Bug ID|Status|Severity|Date Posted|Description|
|43925|Opn|Enh|2007-11-21|org.apache.jasper.runtime.BodyContentImpl causing|
|51497|New|Enh|2011-07-11|Use canonical IPv6 text representation in logs|
|53737|Opn|Enh|2012-08-18|Use ServletContext.getJspConfigDescriptor() in Jas|
|53930|New|Enh|2012-09-24|allow capture of catalina stdout/stderr to a comma|
|54700|New|Enh|2013-03-15|Improvement: Add support for system property to sp|
|54741|New|Enh|2013-03-22|Add org.apache.catalina.startup.Tomcat#addWebapp(S|
|55243|New|Enh|2013-07-11|Add special search string for nested roles|
|55252|New|Enh|2013-07-12|Separate Ant and command-line wrappers for JspC|
|55383|New|Enh|2013-08-07|Improve markup and design of Tomcat's HTML pages|
|9|New|Enh|2013-09-14|UserDatabaseRealm enhacement: may use local JNDI|
|55675|New|Enh|2013-10-18|Checking and handling invalid configuration option|
|55770|New|Enh|2013-11-12|Allow the crlFile to be reloaded|
|55788|New|Enh|2013-11-16|TagPlugins should key on tag QName rather than imp|
|55969|New|Enh|2014-01-07|Security-related enhancements to the Windows Insta|
|56166|New|Enh|2014-02-20|Suggestions for exception handling (avoid potentia|
|56361|New|Enh|2014-04-08|org.apache.tomcat.websocket.WsWebSocketContainer#b|
|56398|New|Enh|2014-04-11|Support Arquillian-based unit testing|
|56399|New|Enh|2014-04-11|Re-factor request/response recycling so Coyote and|
|56402|New|Enh|2014-04-11|Add support for HTTP Upgrade to AJP components|
|56448|New|Enh|2014-04-23|Implement a robust solution for client initiated S|
|56522|Opn|Enh|2014-05-14|jasper-el 8 does not comply to EL Spec 3.0 regardi|
|56546|New|Enh|2014-05-19|Improve thread trace logging in WebappClassLoader.|
|56676|New|Enh|2014-06-26|Normalize access to native library|
|56713|New|Enh|2014-07-12|Limit time that incoming request waits while webap|
|56724|New|Enh|2014-07-15|Restart Container background thread if it died une|
|56890|Inf|Maj|2014-08-26|getRealPath returns null|
|56966|New|Enh|2014-09-11|AccessLogValve's elapsed time has 15ms precision o|
|57130|New|Enh|2014-10-22|Allow digest.sh to accept password from a file or|
|57287|New|Enh|2014-11-29|Sort files listed by DefaultServlet|
|57345|New|Enh|2014-12-12|APR/Native HTTPS Connector Should Support All Open|
|57421|New|Enh|2015-01-07|Farming default directories|
|57486|New|Enh|2015-01-23|Improve reuse of ProtectedFunctionMapper instances|
|57665|New|Enh|2015-03-05|support x-forwarded-host|
|57701|New|Enh|2015-03-13|Implement "[Redeploy]" button for a web applicatio|
|57830|New|Enh|2015-04-18|Add support for ProxyProtocol|
|58052|Opn|Enh|2015-06-19|RewriteValve: Implement additional RewriteRule dir|
|58072|New|Enh|2015-06-23|ECDH curve selection|
|58433|New|Enh|2015-09-21|RemoteIpValve not activated on redirect from mappi|
|58577|New|Enh|2015-11-03|JMX Proxy Servlet can't handle overloaded methods|
|58837|New|Enh|2016-01-12|support "X-Content-Security-Policy" a.k.a as "CSP"|
|58935|Opn|Enh|2016-01-29|Re-deploy from war without deleting context|
|59232|New|Enh|2016-03-24|Make the context name of an app available via JNDI|
|59423|New|Enh|2016-05-03|amend "No LoginModules configured for ..." with hi|
|59758|New|Enh|2016-06-27|Add http proxy username-password credentials suppo|
|60276|New|Enh|2016-10-19|upgrade HTTP/2 can't use gzip compress.|
|60281|Ver|Nor|2016-10-20|Pathname of uploaded WAR file should not be contai|
|60511|Inf|Maj|2016-12-22|org.apache.coyote.ajp.AjpNio2Protocol sends wrong|
|60560|New|Enh|2017-01-07|Support systemd/inetd style socket activation|
|60721|Ver|Nor|2017-02-10|Unable to find key spec if more applications use b|
|60762|New|Enh|2017-02-21|Enhancement: Add support for runtime SNI changes i|
|60781|New|Nor|2017-02-27|Access Log Valve does not escape the same as mod_l|
|60849|
Bug report for Tomcat 9 [2017/08/27]
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|Bugzilla Bug ID|Status|Severity|Date Posted|Description|
|47467|New|Enh|2009-07-02|Deployment of the war file by URL when contextpath|
|48672|New|Enh|2010-02-03|Tomcat Virtual Host Manager (/host-manager) needs|
|57505|New|Enh|2015-01-27|Add integration tests for JspC|
|57661|New|Enh|2015-03-04|Delay sending of 100 continue response until appli|
|57767|Opn|Enh|2015-03-27|Websocket client proprietary configuration|
|58242|New|Enh|2015-08-13|Scanning jars in classpath to get annotations in p|
|58530|New|Enh|2015-10-23|Proposal for new Manager HTML GUI|
|58548|New|Enh|2015-10-26|support certifcate transparency|
|58590|New|Enh|2015-11-05|org.apache.catalina.realm.MemoryRealm can use back|
|58859|New|Enh|2016-01-14|Allow to limit charsets / encodings supported by T|
|59179|New|Enh|2016-03-14|HTTP Public Key Pinning (HPKP) for Tomcat|
|59203|New|Enh|2016-03-21|Try to call Thread.interrupt before calling Thread|
|59344|Ver|Enh|2016-04-18|PEM file support for JSSE|
|59750|New|Enh|2016-06-24|Amend "authenticate" method with context by means|
|59901|New|Enh|2016-07-26|Reduce I/O associated with JSP compilation|
|60523|Opn|Enh|2016-12-27|Reduce number of network packets that server sends|
|60997|New|Enh|2017-04-17|Enhance SemaphoreValve to support denied status an|
|61171|New|Enh|2017-06-09|Add port offset attribute (portOffset?) to Server|
|61189|New|Enh|2017-06-15|CGIServlet should be able to set specific environm|
|61223|New|Enh|2017-06-26|Enhance the documentation for mbeans-descriptors.x|
|61280|New|Enh|2017-07-11|Support characters sets other than ISO 8859-1 in H|
|61393|New|Min|2017-08-08|org.apache.tomcat.jni.TestSocketServer timeout fai|
|61394|New|Min|2017-08-08|NIO/NIO2 + OpenSSL renegotiation doesn't send list|

Total 23 bugs
Bug report for Taglibs [2017/08/27]
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|Bugzilla Bug ID|Status|Severity|Date Posted|Description|
|38193|Ass|Enh|2006-01-09|[RDC] BuiltIn Grammar support for Field|
|38600|Ass|Enh|2006-02-10|[RDC] Enable RDCs to be used in X+V markup (X+RDC)|
|42413|New|Enh|2007-05-14|[PATCH] Log Taglib enhancements|
|46052|New|Nor|2008-10-21|SetLocaleSupport is slow to initialize when many l|
|48333|New|Enh|2009-12-02|TLD generator|
|57434|New|Nor|2015-01-11|Race condition in EL1.0 validation|
|57548|New|Min|2015-02-08|Auto-generate the value for org.apache.taglibs.sta|
|57684|New|Min|2015-03-10|Version info should be taken from project version|
|59359|New|Enh|2016-04-20|(Task) Extend validity period for signing KEY - be|
|59668|New|Nor|2016-06-06|x:forEach retains the incorrect scope when used in|

Total 10 bugs
Bug report for Tomcat 7 [2017/08/27]
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|Bugzilla Bug ID|Status|Severity|Date Posted|Description|
|41007|Opn|Enh|2006-11-20|Can't define customized 503 error page|
|43866|New|Enh|2007-11-14|add support for session attribute propagation with|
|47242|New|Enh|2009-05-22|request for AJP command line client|
|49395|New|Enh|2010-06-06|manager.findLeaks : display the date when the leak|
|49821|New|Enh|2010-08-25|Tomcat CLI [PATCH/Contribution]|
|50019|New|Enh|2010-09-28|Adding JNDI "lookup-name" support In XML and Resou|
|50175|New|Enh|2010-10-28|Enhance memory leak detection by selectively apply|
|50234|New|Enh|2010-11-08|JspC use servlet 3.0 features|
|50670|New|Enh|2011-01-27|Tribes | RpcChannel | Add option to specify extern|
|50944|Ver|Blk|2011-03-18|JSF: java.lang.NullPointerException at com.sun.fac|
|51195|New|Enh|2011-05-13|"Find leaks" reports a false positive memory/class|
|51423|Inf|Enh|2011-06-23|[Patch] to add a path and a version parameters to|
|51496|New|Enh|2011-07-11|NSIS - Warn that duplicate service name will resul|
|51587|New|Enh|2011-07-29|Implement status and uptime commands|
|51953|New|Enh|2011-10-04|Proposal: netmask filtering valve and filter [PATC|
|52381|New|Enh|2011-12-22|Please add OSGi metadata|
|52448|New|Enh|2012-01-11|Cache jar indexes in WebappClassLoader to speed up|
|52489|New|Enh|2012-01-19|Enhancement request for code signing of war files|
|52688|New|Enh|2012-02-16|Add ability to remove old access log files [PATCHE|
|52952|New|Enh|2012-03-20|Improve ExtensionValidator handling for embedded s|
|53085|New|Enh|2012-04-16|[perf] [concurrency] DefaultInstanceManager.annota|
|53387|New|Enh|2012-06-08|SSI: Allow to use $1 to get result of regular expr|
|53411|Opn|Enh|2012-06-13|NullPointerException in org.apache.tomcat.util.buf|
|53492|New|Enh|2012-07-01|Make JspC shell multithreaded|
|53553|New|Enh|2012-07-16|[PATCH] Deploy uploaded WAR with context.xml from|
|53620|New|Enh|2012-07-30|[juli] delay opening a file until something gets l|
|54499|New|Enh|2013-01-29|Implementation of Extensible EL Interpreter|
|54802|New|Enh|2013-04-04|Provide location information for exceptions thrown|
|55104|New|Enh|2013-06-16|Allow passing arguments with spaces to Commons Dae|
|55470|New|Enh|2013-08-23|Help users for ClassNotFoundExceptions during star|
|55477|New|Enh|2013-08-23|Add a solution to map an realm name to a security|
|56148|New|Enh|2014-02-17|support (multiple) ocsp stapling|
|56181|New|Enh|2014-02-23|RemoteIpValve & RemoteIpFilter: HttpServletRequest|
|56300|New|Enh|2014-03-22|[Tribes] No useful examples, lack of documentation|
|56438|New|Enh|2014-04-21|If jar scan does not find context config or TLD co|
|56614|New|Enh|2014-06-12|Add a switch to ignore annotations detection on ta|
|56787|New|Enh|2014-07-29|Simplified jndi name parsing|
|57367|New|Enh|2014-12-18|If JAR scan experiences a stack overflow, give the|
|57827|New|Enh|2015-04-17|Enable adding/removing of members via jmx in a sta|
|57870|New|Enh|2015-04-29|backport GzipOutputFilter #doWrite to Tomcat 7 to|
|57872|New|Enh|2015-04-29|Do not auto-switch session cookie to version=1 due|
|57892|New|Enh|2015-05-05|Log once a warning if a symbolic link is ignored (|
|58338|New|Nor|2015-09-07|BasicDataSourceFactory uses wrong attribute name|
|59716|New|Enh|2016-06-17|Allow JNDI configuration of CorsFilter|
|60597|New|Enh|2017-01-17|Add ability to set cipher suites for websocket cli|
|60944|Inf|Nor|2017-03-30|Tomcat Production Issue connections in CLOSE_WAIT|
|61367|Inf|Nor|2017-08-01|NPE exception in org.apache.catalina.connector.Coy|

Total 47 bugs
Bug report for Tomcat Connectors [2017/08/27]
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|Bugzilla Bug ID|Status|Severity|Date Posted|Description|
|35959|Opn|Enh|2005-08-01|mod_jk not independant of UseCanonicalName|
|43303|New|Enh|2007-09-04|Versioning under Windows not reported by many conn|
|45313|New|Nor|2008-06-30|mod_jk 1.2.26 & apache 2.2.9 static compiled on so|
|46767|New|Enh|2009-02-25|mod_jk to send DECLINED in case no fail-over tomca|
|47327|New|Enh|2009-06-07|Return tomcat authenticated user back to mod_jk (A|
|47750|New|Maj|2009-08-27|ISAPI: Loss of worker settings when changing via j|
|47795|New|Maj|2009-09-07|service sticky_session not being set correctly wit|
|48513|New|Enh|2010-01-09|IIS Quick setup instructions|
|48564|New|Enh|2010-01-18|Allow to turn off retries for LB worker|
|48830|New|Nor|2010-03-01|IIS shutdown blocked in endpoint service when serv|
|49063|New|Enh|2010-04-07|Please add JkStripSession status in jk-status work|
|49822|New|Enh|2010-08-25|Add hash lb worker method|
|49903|New|Enh|2010-09-09|Make workers file reloadable|
|52483|New|Enh|2012-01-18|Print JkOptions's options in log file and jkstatus|
|53883|New|Maj|2012-09-17|isapi_redirect v 1.2.37 crashes w3wp.exe on the p|
|53977|New|Maj|2012-10-07|32bits isapi connector cannot work in wow64 mode|
|54027|New|Cri|2012-10-18|isapi send request to outside address instead of i|
|54117|New|Maj|2012-11-08|access violation exception in isapi_redirect.dll|
|54621|New|Enh|2013-02-28|[PATCH] custom mod_jk availability checks|
|56489|New|Enh|2014-05-05|Include a directory for configuration files|
|56576|New|Enh|2014-05-29|Websocket support|
|57402|New|Enh|2014-12-30|Provide correlation ID between mod_jk log and acce|
|57403|New|Enh|2014-12-30|Persist configuration changes made via status work|
|57407|New|Enh|2014-12-31|Make session_cookie, session_path and session_cook|
|57790|New|Enh|2015-04-03|Check worker names for typos|
|57946|New|Nor|2015-05-23|Configuration example for mod_jk should be updated|
|58287|New|Nor|2015-08-26|Questionable use of "Global" objects on Windows|
|59897|New|Nor|2016-07-25|Buffer Overflow in FD_SET in nb_connect (jk_connec|
|60240|New|Min|2016-10-11|Duplicate initialization log entry in mod_jk.log|
|60745|New|Nor|2017-02-18|False positive: Somebody try to hack into the site|

Total 30 bugs
Bug report for Tomcat Modules [2017/08/27]
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|Bugzilla Bug ID|Status|Severity|Date Posted|Description|
|50571|Inf|Nor|2011-01-11|Tomcat 7 JDBC connection pool exception enhancemen|
|51595|Inf|Nor|2011-08-01|org.apache.tomcat.jdbc.pool.jmx.ConnectionPool sho|
|51879|Inf|Enh|2011-09-22|Improve access to Native Connection Methods|
|52024|Inf|Enh|2011-10-13|Custom interceptor to support automatic failover o|
|53199|Inf|Enh|2012-05-07|Refactor ConnectionPool to use ScheduledExecutorSe|
|54437|New|Enh|2013-01-16|Update PoolProperties javadoc for ConnectState int|
|54929|Inf|Nor|2013-05-05|jdbc-pool cannot be used with Java 1.5, "java.lang|
|55078|New|Nor|2013-06-07|Configuring a DataSource Resource with dataSourceJ|
|55662|New|Enh|2013-10-17|Add a way to set an instance of java.sql.Driver di|
|56046|New|Enh|2014-01-21|org.apache.tomcat.jdbc.pool.XADataSource InitSQL p|
|56088|New|Maj|2014-01-29|AbstractQueryReport$StatementProxy throws exceptio|
|56310|Inf|Maj|2014-03-25|PooledConnection and XAConnection not handled corr|
|56586|New|Nor|2014-06-02|initSQL should be committed if defaultAutoCommit =|
|56775|New|Nor|2014-07-28|PoolCleanerTime schedule issue|
|56779|New|Nor|2014-07-28|Allow multiple connection initialization statement|
|56790|New|Nor|2014-07-29|Resizing pool.maxActive to a higher value at runti|
|56798|New|Nor|2014-07-31|Idle eviction strategy could perform better (and i|
|56804|New|Nor|2014-08-02|Use a default validationQueryTimeout other than "f|
|56805|New|Nor|2014-08-02|datasource.getConnection() may be unnecessarily bl|
|56837|New|Nor|2014-08-11|if validationQuery have error with timeBetweenEvic|
|56970|New|Nor|2014-09-11|MaxActive vs. MaxTotal for commons-dbcp and tomcat|
|56974|New|Nor|2014-09-12|jdbc-pool validation query defaultAutoCommit statu|
|57460|New|Nor|2015-01-19|[DB2]Connection broken after few hours but not rem|
|57729|New|Enh|2015-03-20|Add QueryExecutionReportInterceptor to log query e|
|58489|Opn|Maj|2015-10-08|QueryStatsComparator throws IllegalArgumentExcepti|
|59077|New|Nor|2016-02-26|DataSourceFactory creates a neutered data source|
|59569|New|Nor|2016-05-18|isWrapperFor/unwrap implementations incorrect|
|59879|New|Nor|2016-07-18|StatementCache interceptor returns ResultSet objec|
|60195|New|Nor|2016-10-02|No javadoc in Maven Central|
|60522|New|Nor|2016-12-27|An option for setting if the transaction should be|
|60524|Inf|Nor|2016-12-28|NPE in SlowQueryReport in tomcat-jdbc-7.0.68|
|60645|New|Nor|2017-01-25|StatementFinalizer is not thread-safe|
|61032|New|Nor|2017-04-24|min pool size is not being respected|
|61103|New|Nor|2017-05-18|StatementCache potentially returning incorrect sta|
|61302|New|Enh|2017-07-15|Refactoring of DataSourceProxy|
|61303|New|Enh|2017-07-15|Refactoring of ConnectionPool|
|61312|New|Nor|2017-07-17|NullPointerException in StatementCache.isCached|

Total 37 bugs
svn commit: r1806356 - /tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
Author: rjung Date: Sun Aug 27 12:21:41 2017 New Revision: 1806356 URL: http://svn.apache.org/viewvc?rev=1806356&view=rev Log: Revert part of r1805525: Some attributes of the SSL connection actually can change dynamically after initialization, especially the auth mode during renegotiation. Not allowing this broke multiple junit tests in TestCustomSsl and TestClientCert. Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java?rev=1806356&r1=1806355&r2=1806356&view=diff == --- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java Sun Aug 27 12:21:41 2017 @@ -1001,9 +1001,6 @@ public final class OpenSSLEngine extends @Override public void setUseClientMode(boolean clientMode) { -if (initialized) { -return; -} if (clientMode != this.clientMode) { throw new UnsupportedOperationException(); } @@ -1035,9 +1032,6 @@ public final class OpenSSLEngine extends } private void setClientAuth(ClientAuthMode mode) { -if (initialized) { -return; -} if (clientMode) { return; } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
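Review bot: setUseClientMode() in the first hunk can now throw after initialization where it previously returned silently: with the `if (initialized)` guard gone, a late call whose argument differs from this.clientMode reaches `throw new UnsupportedOperationException();`. Please confirm no caller relies on the silent return, or state in the method's javadoc that a mode change is rejected at any time.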
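Review bot: setClientAuth() in the second hunk carries no comment explaining why it must stay callable after initialization, which is how the guard got added in r1805525 in the first place. A short comment above `if (clientMode)` saying that the auth mode is changed during renegotiation, and naming TestCustomSsl and TestClientCert as the covering tests, would keep the early return from being reintroduced. Since this setting decides whether a client certificate is requested, it is also worth checking that the post-initialization path is only reached from renegotiation.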
Re: [VOTE] Release Apache Tomcat Native 1.2.13
On 26.08.2017 at 19:11, Rainer Jung wrote:

On 25.08.2017 at 23:25, Rainer Jung wrote:

On 25.08.2017 at 18:24, Mark Thomas wrote:

Version 1.2.13 includes the following changes compared to 1.2.12:

- Update minimum recommended OpenSSL version to 1.0.2l
- Update minimum recommended APR version to 1.6.2
- Windows binaries built with OpenSSL 1.0.2l and APR 1.6.2
- Support for the SSL_CONF_cmd API

Various other fixes and improvements. See the changelog for details.

The proposed release artefacts can be found at [1], and the build was done using tag [2].

The Apache Tomcat Native 1.2.13 is
[ ] Stable, go ahead and release
[ ] Broken because of ...

Another thing: the client auth with cert tests (TestClientCert and TestCustomSsl) fail for me currently when using TC trunk with a Java connector (NIO/NIO2) and OpenSSL impl (plus tcnative 1.2.13, APR 1.6.2, OpenSSL 1.0.2l). I am pretty sure the tests worked when I had added the additional client CA checks, but they do no longer. But there might have been some other setup, e.g. OpenSSL 1.1.0 instead of 1.0.2 or something else. I need to investigate further. The test does not only fail because the key manager does not get called, but the access to /unprotected also fails with a 401. These tests work with APR and also with the JSSE impl.

This was broken by myself in r1805525 and now fixed again in r1806356 by partially reverting that change.

Sorry for the noise,

Rainer
Re: [VOTE] Release Apache Tomcat Native 1.2.13
On 25.08.2017 at 23:25, Rainer Jung wrote:

On 25.08.2017 at 18:24, Mark Thomas wrote:

Version 1.2.13 includes the following changes compared to 1.2.12:

- Update minimum recommended OpenSSL version to 1.0.2l
- Update minimum recommended APR version to 1.6.2
- Windows binaries built with OpenSSL 1.0.2l and APR 1.6.2
- Support for the SSL_CONF_cmd API

Various other fixes and improvements. See the changelog for details.

The proposed release artefacts can be found at [1], and the build was done using tag [2].

The Apache Tomcat Native 1.2.13 is
[ ] Stable, go ahead and release
[ ] Broken because of ...

Partial result: although tests in general look good until now, I found one unit test specific problem on Linux using the APR connector and OpenSSL 1.0.2.

The new test TestDefaultServletEncoding in TC 9 head executes many test cases. All of them use the same Tomcat child process, but each test case runs org.apache.catalina.core.AprLifecycleListener.initializeSSL() which goes down to the native initialize() in native/src/ssl.c. There we create a thread local using apr_threadkey_private_create() which in turn calls pthread_key_create(). That pthread API is limited to creating not more than PTHREAD_KEYS_MAX keys. On typical Linux systems this limit is 1024, but the test runs initializeSSL() for about 2600 times. The first 1024 succeed, the remaining ones throw an exception in initializeSSL() with errno EAGAIN (which is expected when getting above the limit).

On Solaris the limit is 128 but the problem does not occur. When using OpenSSL 1.1.0 and above, that part of the native code doesn't run and the problem also does not show up, the same for Windows. And for JSSE connectors with OpenSSL impl the AprLifecycleListener only calls initializeSSL() in the SSL related tests, so not for TestDefaultServletEncoding in contrast to the APR connector.

I'd expect the initializeSSL() call for real TC and other tcnative using apps is only called once or at least not extremely often, so that should not be a problem outside of our unit tests. Still it would be nice if we could add a cleanup using apr_threadkey_private_delete() somewhere. Unfortunately in order to be able to call a cleanup from TC code, e.g. the AprLifecycleListener, we would need an API extension in tcnative first. Concerning the problem of the thread key cleanup: test TestDefaultServletEncoding already calls AprLifecycleListener.terminateAPR() during each encoding test, which in turn calls Library.terminate(), which does the cleanup of the global pool and executes the registered ssl clean up function ssl_init_cleanup(). We could add the clean up of the thread_exit_key there. For example the following patch works: Index: native/src/ssl.c === --- native/src/ssl.c (revision 1806205) +++ native/src/ssl.c (working copy) @@ -52,6 +52,7 @@ #if ! (defined(WIN32) || defined(WIN64)) apr_threadkey_t *thread_exit_key; +static int threadkey_initialized = 0; #endif #endif @@ -331,6 +332,12 @@ return APR_SUCCESS; ssl_initialized = 0; +#if OPENSSL_VERSION_NUMBER < 0x1010L && ! (defined(WIN32) || defined(WIN64)) +if (threadkey_initialized) { +threadkey_initialized = 0; +apr_threadkey_private_delete(thread_exit_key); +} +#endif if (tcn_password_callback.cb.obj) { JNIEnv *env; tcn_get_java_env(&env); @@ -766,6 +773,7 @@ tcn_ThrowAPRException(e, err); return (jint)err; } +threadkey_initialized = 1; #endif /* Initialize thread support */ ssl_thread_setup(tcn_global_pool); Unfortunately that would be a change to tcnative, so we would have to do another tag. I would prefer to include this fix in the release. Regards, Rainer - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
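The key exhaustion described in the message above, reproduced as an added example (not part of the original post and not tcnative code). It calls pthread_key_create() directly instead of going through APR; the names run_init_cycles, last_init_error and INIT_CYCLES are made up for this sketch.

```c
/* Added illustration, not tcnative code: every "init" creates one pthread
 * key, as the native initialize() does through apr_threadkey_private_create().
 * Without a matching delete on "terminate" the per-process key table fills up
 * and pthread_key_create() starts returning EAGAIN. */
#include <errno.h>
#include <pthread.h>
#include <stdio.h>

#define INIT_CYCLES 2600  /* assumed from the report: about 2600 initializeSSL() calls */

static pthread_key_t leaked[INIT_CYCLES]; /* keys kept only so the demo can clean up */
static int last_error;                    /* last failing return code, 0 if none */

/* Stand-in for the per-thread exit hook; never invoked in this demo. */
static void thread_exit_hook(void *value) { (void)value; }

/*
 * Run `cycles` init/terminate rounds (capped at INIT_CYCLES).
 * delete_on_terminate == 0: the key is leaked on terminate (before the fix).
 * delete_on_terminate != 0: the key is deleted on terminate (after the fix).
 * Returns how many rounds had a successful init.
 */
int run_init_cycles(int cycles, int delete_on_terminate)
{
    int ok = 0;
    int nleaked = 0;
    last_error = 0;

    if (cycles > INIT_CYCLES)
        cycles = INIT_CYCLES;

    for (int i = 0; i < cycles; i++) {
        pthread_key_t key;
        int rc = pthread_key_create(&key, thread_exit_hook);
        if (rc != 0) {
            /* Key table exhausted: this is the error the Java side reports
             * as "Resource temporarily unavailable". Later rounds fail too. */
            last_error = rc;
            continue;
        }
        ok++;
        if (delete_on_terminate)
            pthread_key_delete(key);   /* what the cleanup hook adds */
        else
            leaked[nleaked++] = key;   /* key stays allocated */
    }

    /* Release the leaked keys so a later call starts from a clean table. */
    for (int i = 0; i < nleaked; i++)
        pthread_key_delete(leaked[i]);

    return ok;
}

/* Error code of the last failed pthread_key_create() in the previous run. */
int last_init_error(void)
{
    return last_error;
}

int main(void)
{
    int leaky = run_init_cycles(INIT_CYCLES, 0);
    int leaky_err = last_init_error();
    int fixed = run_init_cycles(INIT_CYCLES, 1);

    printf("without delete: %d of %d inits succeeded (EAGAIN seen: %s)\n",
           leaky, INIT_CYCLES, leaky_err == EAGAIN ? "yes" : "no");
    printf("with delete:    %d of %d inits succeeded\n", fixed, INIT_CYCLES);
    return 0;
}
```

The count printed for the leaking run depends on the platform's key limit and on how many keys the process already holds, so it can be slightly below the limit.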
svn commit: r1806376 - /tomcat/native/trunk/native/src/ssl.c
Author: rjung Date: Sun Aug 27 16:24:08 2017 New Revision: 1806376 URL: http://svn.apache.org/viewvc?rev=1806376&view=rev Log: Fix thread local key leak introduced in r1781943. The leak breaks TC trunk test TestDefaultServletEncoding which executes more than 2500 APR init/terminate. Modified: tomcat/native/trunk/native/src/ssl.c Modified: tomcat/native/trunk/native/src/ssl.c URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/ssl.c?rev=1806376&r1=1806375&r2=1806376&view=diff == --- tomcat/native/trunk/native/src/ssl.c (original) +++ tomcat/native/trunk/native/src/ssl.c Sun Aug 27 16:24:08 2017 @@ -52,6 +52,7 @@ struct CRYPTO_dynlock_value { #if ! (defined(WIN32) || defined(WIN64)) apr_threadkey_t *thread_exit_key; +static int threadkey_initialized = 0; #endif #endif @@ -331,6 +332,12 @@ static apr_status_t ssl_init_cleanup(voi return APR_SUCCESS; ssl_initialized = 0; +#if OPENSSL_VERSION_NUMBER < 0x1010L && ! (defined(WIN32) || defined(WIN64)) +if (threadkey_initialized) { +threadkey_initialized = 0; +apr_threadkey_private_delete(thread_exit_key); +} +#endif if (tcn_password_callback.cb.obj) { JNIEnv *env; tcn_get_java_env(&env); @@ -766,6 +773,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize tcn_ThrowAPRException(e, err); return (jint)err; } +threadkey_initialized = 1; #endif /* Initialize thread support */ ssl_thread_setup(tcn_global_pool); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
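Review bot: The status returned by `apr_threadkey_private_delete(thread_exit_key);` in the ssl_init_cleanup hunk is dropped, so a failed delete leaks the key again without any trace; consider checking it and leaving threadkey_initialized set (or at least logging) when it is not APR_SUCCESS. Deleting the key also does not run its destructor for threads that still hold a value, so a comment on what happens to per-thread state of threads that outlive Library.terminate() would help.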
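Review bot: The three places that touch threadkey_initialized sit under different preprocessor conditions: the declaration hunk only under the WIN32/WIN64 test, the cleanup hunk under the OPENSSL_VERSION_NUMBER test plus WIN32/WIN64, and `threadkey_initialized = 1;` under an #if whose condition is outside the visible context. Please confirm they select the same builds, otherwise some configurations get an unused static or a cleanup that never matches the create. The flag is a plain static int, so a one-line comment that initialize and cleanup are not expected to run concurrently would document the assumption.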
Re: [VOTE] Release Apache Tomcat Native 1.2.13
On 27/08/17 15:01, Rainer Jung wrote:

> Unfortunately that would be a change to tcnative, so we would have to do
> another tag. I would prefer to include this fix in the release.

Thanks for tracking these various issues down.

I'm happy to tag 1.2.14. I'll do that early next week.

Before I do, I do want to look into why the TestDefaultServletEncoding unit tests didn't fail as I would have expected in this case. Another job for next week.

Kind regards,

Mark
svn commit: r1806380 - /tomcat/native/trunk/xdocs/miscellaneous/changelog.xml
Author: rjung Date: Sun Aug 27 17:08:45 2017 New Revision: 1806380 URL: http://svn.apache.org/viewvc?rev=1806380&view=rev Log: Update changelog, add entry for r1806376. Modified: tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Modified: tomcat/native/trunk/xdocs/miscellaneous/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/native/trunk/xdocs/miscellaneous/changelog.xml?rev=1806380&r1=1806379&r2=1806380&view=diff == --- tomcat/native/trunk/xdocs/miscellaneous/changelog.xml (original) +++ tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Sun Aug 27 17:08:45 2017 @@ -34,6 +34,14 @@ This is the Changelog for Tomcat Native 1.2. + + + + Fix a thread local key leak. Only relevant when doing + SSL.initialize() and Library.terminate() a lot of times. (rjung) + + + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
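Review bot: The new changelog entry does not say which builds are affected or since when. The fix in r1806376 is compiled only for OpenSSL older than 1.1.0 on non-Windows platforms, and its log message names r1781943 as the origin of the leak; adding both to the entry, along with the symptom (SSL.initialize() failing once the platform's thread key limit is reached), would let users judge whether they need the update.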
Re: [VOTE] Release Apache Tomcat Native 1.2.13
On 27.08.2017 at 18:57, Mark Thomas wrote:

On 27/08/17 15:01, Rainer Jung wrote:

Unfortunately that would be a change to tcnative, so we would have to do another tag. I would prefer to include this fix in the release.

Thanks for tracking these various issues down.

I'm happy to tag 1.2.14. I'll do that early next week.

Great. In the meantime I can run the tests with OpenSSL 1.1.0 and master.

Before I do, I do want to look into why the TestDefaultServletEncoding unit tests didn't fail as I would have expected in this case. Another job for next week.

At least in the logs I find:

...
25-Aug-2017 21:31:17.326 INFO [main] org.apache.catalina.startup.LoggingBaseTest.setUp Starting test case [testEncoding[1023: contextEnc[ibm850], fileEnc[cp1252], useBom[false], target[cp1252], useInclude[true], outputEnc[utf-8], callSetCharacterEnc[true], useWriter[false], expectedPass[true]]]
25-Aug-2017 21:31:17.361 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.13] using APR version [1.6.2].
25-Aug-2017 21:31:17.361 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
25-Aug-2017 21:31:17.361 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
25-Aug-2017 21:31:16.144 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.
 org.apache.tomcat.jni.Error: 11: Resource temporarily unavailable
    at org.apache.tomcat.jni.SSL.initialize(Native Method)
    at sun.reflect.GeneratedMethodAccessor26.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:289)
    at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:136)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:424)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:135)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:173)
    at org.apache.catalina.startup.Tomcat.start(Tomcat.java:372)
    at org.apache.catalina.startup.TomcatBaseTest$TomcatWithFastSessionIDs.start(TomcatBaseTest.java:828)
    at org.apache.catalina.servlets.TestDefaultServletEncoding.testEncoding(TestDefaultServletEncoding.java:191)
...
25-Aug-2017 21:31:17.364 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-apr-127.0.0.1-auto-1024"]
25-Aug-2017 21:31:17.368 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Tomcat]
25-Aug-2017 21:31:17.368 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/9.0.0.M27-dev
25-Aug-2017 21:31:17.450 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-apr-127.0.0.1-auto-1024-36488"]
25-Aug-2017 21:31:17.479 INFO [main] org.apache.coyote.AbstractProtocol.pause Pausing ProtocolHandler ["http-apr-127.0.0.1-auto-1024-36488"]
25-Aug-2017 21:31:17.530 INFO [main] org.apache.catalina.core.StandardService.stopInternal Stopping service [Tomcat]
25-Aug-2017 21:31:17.572 INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["http-apr-127.0.0.1-auto-1024-36488"]
25-Aug-2017 21:31:17.626 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["http-apr-127.0.0.1-auto-1024-36488"]

So the exception happens in the SSL init part only and the tomcat instance is still usable for the test via the http port. Only on some small virtual machines I had JVM crashes in addition to the above exception. And the exception only shows once we have reached the maximum number of about 1024 keys.

Regards,

Rainer
svn commit: r1806399 - in /tomcat/native/trunk: native/src/sslinfo.c xdocs/miscellaneous/changelog.xml
Author: rjung Date: Mon Aug 28 03:19:15 2017 New Revision: 1806399 URL: http://svn.apache.org/viewvc?rev=1806399&view=rev Log: Replace use of deprecated ASN1_STRING_data with ASN1_STRING_get0_data when building against OpenSSL 1.1.0 and newer. Modified: tomcat/native/trunk/native/src/sslinfo.c tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Modified: tomcat/native/trunk/native/src/sslinfo.c URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslinfo.c?rev=1806399&r1=1806398&r2=1806399&view=diff == --- tomcat/native/trunk/native/src/sslinfo.c (original) +++ tomcat/native/trunk/native/src/sslinfo.c Mon Aug 28 03:19:15 2017 @@ -182,7 +182,11 @@ static char *lookup_ssl_cert_dn(X509_NAM ASN1_STRING *adata = X509_NAME_ENTRY_get_data(xsne); int len = ASN1_STRING_length(adata); result = malloc(len + 1); +#if OPENSSL_VERSION_NUMBER < 0x1010L || defined(LIBRESSL_VERSION_NUMBER) memcpy(result, ASN1_STRING_data(adata), len); +#else +memcpy(result, ASN1_STRING_get0_data(adata), len); +#endif result[len] = '\0'; #if APR_CHARSET_EBCDIC Modified: tomcat/native/trunk/xdocs/miscellaneous/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/native/trunk/xdocs/miscellaneous/changelog.xml?rev=1806399&r1=1806398&r2=1806399&view=diff == --- tomcat/native/trunk/xdocs/miscellaneous/changelog.xml (original) +++ tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Mon Aug 28 03:19:15 2017 @@ -37,6 +37,11 @@ + Replace use of deprecated ASN1_STRING_data with + ASN1_STRING_get0_data when building against + OpenSSL 1.1.0 and newer. (rjung) + + Fix a thread local key leak. Only relevant when doing SSL.initialize() and Library.terminate() a lot of times. (rjung)
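Review bot: In the sslinfo.c hunk (lookup_ssl_cert_dn, @@ -182), `result = malloc(len + 1);` is followed directly by `memcpy(result, ...)` in both branches of the new #if, and `result` is not checked for NULL in the lines shown, so an allocation failure turns into a write through a NULL pointer. Since these lines are being touched anyway, add an `if (result == NULL)` bail-out before the #if. The two memcpy calls differ only in the accessor name, so defining ASN1_STRING_get0_data as ASN1_STRING_data once in a compat header for the old-API case would keep the version test out of the call site.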
[Bug 61450] issue when certificateKeyAlias is not set
https://bz.apache.org/bugzilla/show_bug.cgi?id=61450

Svetlin Zarev changed:

What|Removed|Added
CC||svetlin.za...@abv.bg
svn commit: r1806404 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
Author: rjung Date: Mon Aug 28 06:49:29 2017 New Revision: 1806404 URL: http://svn.apache.org/viewvc?rev=1806404&view=rev Log: Fix a small memory leak during certificate initialization. Also silence a compiler warning: SSL_CTX_set_ecdh_auto() isn't needed for OpenSSL 1.1.0 and above and using it there results in a compiler warning because the compat macro is a noop. Backport of r1735770 from mod_ssl and partial backport of r1787728 also from mod_ssl. Modified: tomcat/native/trunk/native/src/sslcontext.c tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Modified: tomcat/native/trunk/native/src/sslcontext.c URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1806404&r1=1806403&r2=1806404&view=diff == --- tomcat/native/trunk/native/src/sslcontext.c (original) +++ tomcat/native/trunk/native/src/sslcontext.c Mon Aug 28 06:49:29 2017 @@ -953,7 +953,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, const char *p; char err[256]; #ifdef HAVE_ECC -EC_GROUP *ecparams; +EC_GROUP *ecparams = NULL; int nid; EC_KEY *eckey = NULL; #endif @@ -1034,6 +1034,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, * If only for PEM files move above to the PEM handling */ if ((idx == 0) && (dhparams = SSL_dh_GetParamFromFile(cert_file))) { SSL_CTX_set_tmp_dh(c->ctx, dhparams); +DH_free(dhparams); } #ifdef HAVE_ECC @@ -1048,8 +1049,11 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, SSL_CTX_set_tmp_ecdh(c->ctx, eckey); } /* - * ...otherwise, configure NIST P-256 (required to enable ECDHE) + * ...otherwise, enable auto curve selection (OpenSSL 1.0.2) + * or configure NIST P-256 (required to enable ECDHE for earlier versions) + * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList */ +#if (OPENSSL_VERSION_NUMBER < 0x1010L) else { #if defined(SSL_CTX_set_ecdh_auto) SSL_CTX_set_ecdh_auto(c->ctx, 1); 
@@ -1058,7 +1062,10 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, SSL_CTX_set_tmp_ecdh(c->ctx, eckey); #endif } +#endif +/* OpenSSL assures us that _free() is NULL-safe */ EC_KEY_free(eckey); +EC_GROUP_free(ecparams); #endif SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH); @@ -1168,6 +1175,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, /* * TODO try to read the ECDH curve name from somewhere... */ +#if (OPENSSL_VERSION_NUMBER < 0x1010L) #if defined(SSL_CTX_set_ecdh_auto) SSL_CTX_set_ecdh_auto(c->ctx, 1); #else @@ -1176,6 +1184,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, EC_KEY_free(eckey); #endif #endif +#endif SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH); cleanup: free(key); Modified: tomcat/native/trunk/xdocs/miscellaneous/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/native/trunk/xdocs/miscellaneous/changelog.xml?rev=1806404&r1=1806403&r2=1806404&view=diff == --- tomcat/native/trunk/xdocs/miscellaneous/changelog.xml (original) +++ tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Mon Aug 28 06:49:29 2017 @@ -37,6 +37,9 @@ + Fix a small memory leak during certificate initialization. (rjung) + + Replace use of deprecated ASN1_STRING_data with ASN1_STRING_get0_data when building against OpenSSL 1.1.0 and newer. (rjung)
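Review bot: In the sslcontext.c hunk at @@ -1034, the return value of `SSL_CTX_set_tmp_dh(c->ctx, dhparams)` is still discarded, and the new `DH_free(dhparams);` runs whether or not the call succeeded. Freeing here is right, because the context keeps its own copy of the parameters, but DH parameters that the library rejects are now dropped without any trace. Check the return value and report the failure (the function already has an `err[256]` buffer in scope) before freeing.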
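Review bot: The new guard `#if (OPENSSL_VERSION_NUMBER < 0x1010L)` around the `else` branch at @@ -1048, repeated at @@ -1168, has no `defined(LIBRESSL_VERSION_NUMBER)` term, unlike the guard added to sslinfo.c in r1806399. LibreSSL reports an OPENSSL_VERSION_NUMBER of 0x20000000L, so it takes the 1.1.0 path here and neither SSL_CTX_set_ecdh_auto() nor the NIST P-256 fallback is compiled in, while the updated comment only states that ECDH is always enabled for OpenSSL 1.1.0. Either add the LibreSSL term or extend the comment to say why LibreSSL does not need it. The constant as it appears in this mail, 0x1010L, is also not the 1.1.0 encoding (0x10100000L), so confirm the value against the committed file.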