[Bug 62273] Add support for alternate URL specification
https://bz.apache.org/bugzilla/show_bug.cgi?id=62273

Ayoub changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |---
             Status|RESOLVED                    |REOPENED

--- Comment #29 from Ayoub ---
How to fix the RFC 7230 and RFC 3986 error on Tomcat 9? I want to allow the special characters "é" and "è" in the URL. I have already tested this but it does not work:

relaxedQueryChars="[]|{}^\`èé+"<>"
relaxedPathChars="[]|{}^\`èé+"<>"

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 62273] Add support for alternate URL specification
https://bz.apache.org/bugzilla/show_bug.cgi?id=62273

Remy Maucherat changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|REOPENED                    |RESOLVED

--- Comment #30 from Remy Maucherat ---
Please do not reopen bugs to ask a support question. The Tomcat user mailing list is the right place for that.
[Bug 62817] New: error rfc 7230 and rfc 3986
https://bz.apache.org/bugzilla/show_bug.cgi?id=62817

            Bug ID: 62817
           Summary: error rfc 7230 and rfc 3986
           Product: Tomcat 9
           Version: 9.0.x
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Servlet
          Assignee: dev@tomcat.apache.org
          Reporter: daha.ayo...@gmail.com
  Target Milestone: -

How to fix the RFC 7230 and RFC 3986 error on Tomcat 9? I want to allow the special characters "é" and "è" in the URL. I have already tested this but it does not work:

relaxedQueryChars="[]|{}^\`èé+"<>"
relaxedPathChars="[]|{}^\`èé+"<>"
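Added example, not part of the bug report and not Tomcat's code: a small Python checker for the class of RFC 7230 / RFC 3986 request-target validation that produces this error, modelling what the relaxedPathChars / relaxedQueryChars connector attributes can and cannot do. It relies on two facts: RFC 3986 allows only unreserved characters, sub-delims, ":" and "@" unencoded in a path segment (plus "/" between segments, and "/" "?" in a query), everything else must be percent-encoded; and the Tomcat connector documentation lists `" < > [ \ ] ^ ` { | }` as the only characters those two attributes can admit, any other character in the value being ignored. So "é" and "è" in the attribute value have no effect, and the fix is on the client side: send the path percent-encoded as UTF-8, e.g. /caf%C3%A9. The function names and the sample request-targets are constructed for this example.

```python
"""Constructed example (not Tomcat code): RFC 3986 request-target checking
with Tomcat-style relaxedPathChars / relaxedQueryChars, and the client-side
fix of percent-encoding non-ASCII path characters."""
import string
import urllib.parse

# RFC 3986: unreserved / sub-delims / ":" / "@" form pchar; "/" separates
# path segments; a query may additionally contain "/" and "?".
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
_SUB_DELIMS = set("!$&'()*+,;=")
_PCHAR = _UNRESERVED | _SUB_DELIMS | set(":@")
PATH_CHARS = _PCHAR | {"/"}
QUERY_CHARS = _PCHAR | set("/?")
_HEX = set(string.hexdigits)

# The only characters the Tomcat connector attributes relaxedPathChars and
# relaxedQueryChars can admit (per the connector documentation); any other
# character in the attribute value is ignored, which is why "è" and "é" in
# the bug report's attribute values have no effect.
TOMCAT_RELAXABLE = set('"<>[\\]^`{|}')


def effective_relaxed(attribute_value):
    """Subset of a relaxed*Chars attribute value that actually takes effect."""
    return set(attribute_value) & TOMCAT_RELAXABLE


def _check(part, allowed, relaxed):
    """Validate percent-escapes and the allowed character set of one part.

    Returns (True, None) or (False, offending_character)."""
    i = 0
    while i < len(part):
        c = part[i]
        if c == "%":
            # A "%" must introduce exactly two hex digits.
            if i + 2 >= len(part) or part[i + 1] not in _HEX or part[i + 2] not in _HEX:
                return False, c
            i += 3
            continue
        if c not in allowed and c not in relaxed:
            return False, c
        i += 1
    return True, None


def validate_request_target(target, relaxed_path="", relaxed_query=""):
    """Check an origin-form request-target (path[?query]) the way a server
    enforcing RFC 7230 / RFC 3986 would. Returns (ok, reason)."""
    if not target.startswith("/"):
        return False, "origin-form request-target must start with '/'"
    path, sep, query = target.partition("?")
    ok, bad = _check(path, PATH_CHARS, effective_relaxed(relaxed_path))
    if not ok:
        return False, "invalid character %r in path" % bad
    if sep:
        ok, bad = _check(query, QUERY_CHARS, effective_relaxed(relaxed_query))
        if not ok:
            return False, "invalid character %r in query" % bad
    return True, "ok"


def encode_path(path):
    """Client-side fix: percent-encode (UTF-8) everything outside the RFC 3986
    path character set, so "/café" is sent as "/caf%C3%A9"."""
    return urllib.parse.quote(path, safe="".join(sorted(PATH_CHARS)), encoding="utf-8")


if __name__ == "__main__":
    # Constructed sample request-targets; the attribute value is the one
    # pasted in the bug report.
    pasted = '[]|{}^\\`èé+"<>'
    for t in ("/caf\u00e9", encode_path("/caf\u00e9"), "/a[1]", "/x?q=\u00e9", "/bad%zz"):
        print("%-14s -> %s" % (t, validate_request_target(t, pasted, pasted)))
```

Running it shows the raw "é" rejected in both path and query even with the pasted attribute value, the encoded form accepted, and `effective_relaxed()` reporting which characters of that value actually count. One separate observation on the pasted lines: the value contains an unescaped `"` inside a double-quoted XML attribute, which server.xml cannot parse as written; in XML it has to be written as `&quot;`.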
[Bug 62817] error rfc 7230 and rfc 3986
https://bz.apache.org/bugzilla/show_bug.cgi?id=62817

Mark Thomas changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Mark Thomas ---
Bugzilla is not a support forum. Please use the users mailing list.
svn commit: r1843536 - /tomcat/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java
Author: markt Date: Thu Oct 11 08:55:24 2018 New Revision: 1843536 URL: http://svn.apache.org/viewvc?rev=1843536&view=rev Log: Add missing check for TLS 1.3 Modified: tomcat/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java Modified: tomcat/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java?rev=1843536&r1=1843535&r2=1843536&view=diff == --- tomcat/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java (original) +++ tomcat/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java Thu Oct 11 08:55:24 2018 @@ -33,7 +33,8 @@ import org.apache.tomcat.util.compat.TLS * repository since not all of them are AL2 licensed. * * The JSSE implementation of TLSv1.3 only supports authentication during the - * initial handshake. + * initial handshake. This test requires TLSv1.3 on client and server so it is + * skipped unless running on a Java version that supports TLSv1.3. */ public class TestClientCertTls13 extends TomcatBaseTest { @@ -47,6 +48,7 @@ public class TestClientCertTls13 extends @Test public void testClientCertPost() throws Exception { +Assume.assumeTrue(TLS.isTlsv13Available()); getTomcatInstance().start(); int size = 32 * 1024; - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
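Review bot: The TLSv1.3 guard is placed inside testClientCertPost() only, while the class comment now says the whole test is skipped unless TLSv1.3 is available; any further @Test method added to TestClientCertTls13 would run without the guard. Consider moving `Assume.assumeTrue(TLS.isTlsv13Available());` into a @Before method so the class comment stays true for every test in the class.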
[Bug 62748] Add support for TLS 1.3 (RFC 8446)
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748

--- Comment #26 from Remy Maucherat ---
Is it really doable to have it for 9.0.13? I see the algorithm you added for native, and translating it into OpenSSLEngine isn't very easy (it needs JNI additions for that SSL.verifyClientPostHandshake, and that blocking IO in the middle won't fit well at all either - any IO to sneak in between async stuff is a problem usually).
buildbot success in on tomcat-trunk
The Buildbot has detected a restored build on builder tomcat-trunk while building .
Full details are available at:
    https://ci.apache.org/builders/tomcat-trunk/builds/3649

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: silvanus_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' triggered this build
Build Source Stamp: [branch tomcat/trunk] 1843536
Blamelist: markt

Build succeeded!

Sincerely,
 -The Buildbot
svn commit: r1843541 - in /tomcat/native/trunk: native/src/ssl.c xdocs/miscellaneous/changelog.xml
Author: markt Date: Thu Oct 11 10:12:21 2018 New Revision: 1843541 URL: http://svn.apache.org/viewvc?rev=1843541&view=rev Log: Need to expose SSL_renegotiate_pending so NIO[2]+OPenSSL can implement CLIENT-CERT correctly Modified: tomcat/native/trunk/native/src/ssl.c tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Modified: tomcat/native/trunk/native/src/ssl.c URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/ssl.c?rev=1843541&r1=1843540&r2=1843541&view=diff == --- tomcat/native/trunk/native/src/ssl.c (original) +++ tomcat/native/trunk/native/src/ssl.c Thu Oct 11 10:12:21 2018 @@ -1527,6 +1527,19 @@ TCN_IMPLEMENT_CALL(jint, SSL, renegotiat return SSL_renegotiate(ssl_); } +TCN_IMPLEMENT_CALL(jint, SSL, renegotiatePending)(TCN_STDARGS, + jlong ssl /* SSL * */) { +SSL *ssl_ = J2P(ssl, SSL *); +if (ssl_ == NULL) { +tcn_ThrowException(e, "ssl is null"); +return 0; +} + +UNREFERENCED(o); + +return SSL_renegotiate_pending(ssl_); +} + /* Read which protocol was negotiated for the given SSL *. */ TCN_IMPLEMENT_CALL(jstring, SSL, getNextProtoNegotiated)(TCN_STDARGS, jlong ssl /* SSL * */) { Modified: tomcat/native/trunk/xdocs/miscellaneous/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/native/trunk/xdocs/miscellaneous/changelog.xml?rev=1843541&r1=1843540&r2=1843541&view=diff == --- tomcat/native/trunk/xdocs/miscellaneous/changelog.xml (original) +++ tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Thu Oct 11 10:12:21 2018 @@ -46,6 +46,11 @@ 62748: Add support for TLS 1.3. (schultz/markt) + + Expose the API necessary for CLIENT-CERT authentication to be correctly + supported when using Tomcat's JSSE implementation backed by OpenSSL. + (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
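Review bot: The new renegotiatePending() JNI entry point is added only in the OpenSSL-present part of ssl.c; no matching stub is added next to the existing renegotiate() stub that throws "Not implemented" for builds without OpenSSL, so such a build is missing the symbol until one is added (r1843600 later on this list adds it). The changelog entry should also say that the Java side will require this native version, since an older libtcnative will fail at runtime rather than at build time.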
svn commit: r1843542 - in /tomcat/trunk: java/org/apache/tomcat/jni/SSL.java java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java webapps/docs/changelog.xml
Author: markt Date: Thu Oct 11 10:18:39 2018 New Revision: 1843542 URL: http://svn.apache.org/viewvc?rev=1843542&view=rev Log: Fix server initiated TLS renegotiation to obtain a client certificate when using NIO/NIO2 and the OpenSSL backed JSSE TLS implementation. Prior to this fix, the client would send the certs but the server would not read them and would timeout the request. Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1843542&r1=1843541&r2=1843542&view=diff == --- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original) +++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Thu Oct 11 10:18:39 2018 @@ -557,6 +557,13 @@ public final class SSL { public static native int renegotiate(long ssl); /** + * SSL_renegotiate_pending + * @param ssl the SSL instance (SSL *) + * @return the operation status + */ +public static native int renegotiatePending(long ssl); + +/** * SSL_in_init. * @param ssl the SSL instance (SSL *) * @return the status Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java?rev=1843542&r1=1843541&r2=1843542&view=diff == --- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java Thu Oct 11 10:18:39 2018 
@@ -982,7 +982,7 @@ public final class OpenSSLEngine extends // No pending data to be sent to the peer // Check to see if we have finished handshaking int handshakeCount = SSL.getHandshakeCount(ssl); -if (handshakeCount != currentHandshake) { +if (handshakeCount != currentHandshake && SSL.renegotiatePending(ssl) == 0) { if (alpn) { selectedProtocol = SSL.getAlpnSelected(ssl); if (selectedProtocol == null) { @@ -994,7 +994,7 @@ public final class OpenSSLEngine extends return SSLEngineResult.HandshakeStatus.FINISHED; } -// No pending data and still handshaking +// No pending data and still handshaking / renegotiation pending // Must be waiting on the peer to send more data return SSLEngineResult.HandshakeStatus.NEED_UNWRAP; } Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1843542&r1=1843541&r2=1843542&view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Thu Oct 11 10:18:39 2018 @@ -127,6 +127,11 @@ implementation that prevented from secure WebSocket connections from being established. (markt) + +Fix server initiated TLS renegotiation to obtain a client certificate +when using NIO/NIO2 and the OpenSSL backed JSSE TLS implementation. +(markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
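Review bot: In the OpenSSLEngine hunk, SSL.renegotiatePending(ssl) is now called on every handshake-completion check, not only when a client certificate was requested, so Tomcat paired with a libtcnative that predates r1843541 will throw UnsatisfiedLinkError as soon as any TLS handshake completes. Either gate the call on a renegotiation actually having been started in renegotiate(), or bump the minimum required Tomcat Native version and state it in the changelog entry.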
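Review bot: The javadoc added for renegotiatePending() in SSL.java says `@return the operation status`; SSL_renegotiate_pending() returns 1 while a renegotiation is pending and 0 otherwise, and the caller in OpenSSLEngine compares the result with 0, so document that meaning rather than a generic status.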
[Bug 62748] Add support for TLS 1.3 (RFC 8446)
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748

--- Comment #27 from Mark Thomas ---
I don't know yet. I was going to start on that this morning but when I tested it with TLSv1.2 I found that CLIENT-CERT + NIO[2]+OpenSSL wasn't working with TLS1.2 either. I've just fixed that and I plan to look at CLIENT-CERT + NIO[2]+OpenSSL with TLS1.3 next.
[Bug 62817] error rfc 7230 and rfc 3986
https://bz.apache.org/bugzilla/show_bug.cgi?id=62817

Ayoub changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |---
             Status|RESOLVED                    |REOPENED

--- Comment #2 from Ayoub ---
(In reply to Mark Thomas from comment #1)
> Bugzilla is not a support forum. Please use the users mailing list.

I sent an email but I did not receive an answer.
[Bug 62817] error rfc 7230 and rfc 3986
https://bz.apache.org/bugzilla/show_bug.cgi?id=62817

Mark Thomas changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |INVALID

--- Comment #3 from Mark Thomas ---
http://tomcat.apache.org/lists.html#tomcat-users
svn commit: r1843551 - in /tomcat/trunk/java/org/apache/catalina/tribes/membership/cloud: CloudMembershipProvider.java KubernetesMembershipProvider.java
Author: remm Date: Thu Oct 11 13:52:56 2018 New Revision: 1843551 URL: http://svn.apache.org/viewvc?rev=1843551&view=rev Log: Add "kind" checks and improve logging. Modified: tomcat/trunk/java/org/apache/catalina/tribes/membership/cloud/CloudMembershipProvider.java tomcat/trunk/java/org/apache/catalina/tribes/membership/cloud/KubernetesMembershipProvider.java Modified: tomcat/trunk/java/org/apache/catalina/tribes/membership/cloud/CloudMembershipProvider.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribes/membership/cloud/CloudMembershipProvider.java?rev=1843551&r1=1843550&r2=1843551&view=diff == --- tomcat/trunk/java/org/apache/catalina/tribes/membership/cloud/CloudMembershipProvider.java (original) +++ tomcat/trunk/java/org/apache/catalina/tribes/membership/cloud/CloudMembershipProvider.java Thu Oct 11 13:52:56 2018 @@ -104,11 +104,13 @@ public abstract class CloudMembershipPro @Override public void heartbeat() { -log.debug("Fetching announced members"); Member[] announcedMembers = fetchMembers(); // Add new members or refresh the members in the membership for (Member member : announcedMembers) { if (membership.memberAlive(member)) { +if (log.isDebugEnabled()) { +log.debug("Member added: " + member); +} membershipListener.memberAdded(member); } } 
@@ -116,7 +118,7 @@ public abstract class CloudMembershipPro Member[] expired = membership.expire(100); // TODO: is 100ms a good value? for (Member member : expired) { if (log.isDebugEnabled()) { -log.debug("Member is dead: " + member); +log.debug("Member disappeared: " + member); } membershipListener.memberDisappeared(member); } Modified: tomcat/trunk/java/org/apache/catalina/tribes/membership/cloud/KubernetesMembershipProvider.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribes/membership/cloud/KubernetesMembershipProvider.java?rev=1843551&r1=1843550&r2=1843551&view=diff == --- tomcat/trunk/java/org/apache/catalina/tribes/membership/cloud/KubernetesMembershipProvider.java (original) +++ tomcat/trunk/java/org/apache/catalina/tribes/membership/cloud/KubernetesMembershipProvider.java Thu Oct 11 13:52:56 2018 
@@ -141,30 +141,40 @@ public class KubernetesMembershipProvide return members.toArray(new Member[0]); } +@SuppressWarnings("unchecked") protected void parsePods(Reader reader, List members) { JSONParser parser = new JSONParser(reader); try { LinkedHashMap json = parser.object(); +// If there is a "kind", check it is "PodList" +Object kindObject = json.get("kind"); +if (kindObject != null && !"PodList".equals(kindObject)) { + log.error(sm.getString("kubernetesMembershipProvider.invalidPodsList", "not podList")); +return; +} Object itemsObject = json.get("items"); if (!(itemsObject instanceof List)) { log.error(sm.getString("kubernetesMembershipProvider.invalidPodsList", "no items")); return; } -@SuppressWarnings("unchecked") List items = (List) itemsObject; for (Object podObject : items) { if (!(podObject instanceof LinkedHashMap)) { log.warn(sm.getString("kubernetesMembershipProvider.invalidPod")); continue; } -@SuppressWarnings("unchecked") LinkedHashMap pod = (LinkedHashMap) podObject; +// If there is a "kind", check it is "Pod" +Object podKindObject = pod.get("kind"); +if (podKindObject != null && !"Pod".equals(podKindObject)) { +continue; +} +// "metadata" contains "name", "uid" and "creationTimestamp" Object metadataObject = pod.get("metadata"); if (!(metadataObject instanceof LinkedHashMap)) { log.warn(sm.getString("kubernetesMembershipProvider.invalidPod")); continue; } -@SuppressWarnings("unchecked") LinkedHashMap metadata = (LinkedHashMap) metadataObject; Object nameObject = metadata.get("name"); if (nameObject == null) { @@ -180,12 +190,12 @@ public class KubernetesMembershipProvide continue; } String creationTimestamp = creationTimestampObject.toString(); +// "status" contains "phase" (w
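Review bot: In the parsePods hunk, `log.error(sm.getString("kubernetesMembershipProvider.invalidPodsList", "not podList"))` passes a fixed literal as the message argument, so the log line never shows which kind the endpoint actually returned; pass the observed value (for example `"kind=" + kindObject`) so a misconfigured endpoint can be diagnosed from the log.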
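Review bot: Moving @SuppressWarnings("unchecked") from the three local declarations to the parsePods method widens the suppression to the whole method, including any future unchecked cast; the per-declaration placement the hunk removes was the narrower scope. In the same hunk the per-pod `kind` check does a silent `continue`, unlike the neighbouring `invalidPod` branches which log a warning; a debug line there would make a pod skipped on kind visible.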
buildbot failure in on tomcat-trunk
The Buildbot has detected a new failure on builder tomcat-trunk while building .
Full details are available at:
    https://ci.apache.org/builders/tomcat-trunk/builds/3651

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: silvanus_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' triggered this build
Build Source Stamp: [branch tomcat/trunk] 1843551
Blamelist: remm

BUILD FAILED: failed compile_1

Sincerely,
 -The Buildbot
svn commit: r1843554 - /tomcat/trunk/java/org/apache/catalina/tribes/membership/cloud/KubernetesMembershipProvider.java
Author: remm Date: Thu Oct 11 14:21:49 2018 New Revision: 1843554 URL: http://svn.apache.org/viewvc?rev=1843554&view=rev Log: Drop check (I was testing with another config). Modified: tomcat/trunk/java/org/apache/catalina/tribes/membership/cloud/KubernetesMembershipProvider.java Modified: tomcat/trunk/java/org/apache/catalina/tribes/membership/cloud/KubernetesMembershipProvider.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribes/membership/cloud/KubernetesMembershipProvider.java?rev=1843554&r1=1843553&r2=1843554&view=diff == --- tomcat/trunk/java/org/apache/catalina/tribes/membership/cloud/KubernetesMembershipProvider.java (original) +++ tomcat/trunk/java/org/apache/catalina/tribes/membership/cloud/KubernetesMembershipProvider.java Thu Oct 11 14:21:49 2018 @@ -146,12 +146,6 @@ public class KubernetesMembershipProvide JSONParser parser = new JSONParser(reader); try { LinkedHashMap json = parser.object(); -// If there is a "kind", check it is "PodList" -Object kindObject = json.get("kind"); -if (kindObject != null && !"PodList".equals(kindObject)) { - log.error(sm.getString("kubernetesMembershipProvider.invalidPodsList", "not podList")); -return; -} Object itemsObject = json.get("items"); if (!(itemsObject instanceof List)) { log.error(sm.getString("kubernetesMembershipProvider.invalidPodsList", "no items")); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
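Review bot: The PodList kind check is dropped from the top-level object, but the per-pod `"Pod"` kind check with its silent `continue` from r1843551 remains; if the list-level kind did not match in the tested configuration, the item-level kind may not match either, and the provider would then drop every pod without any log output. Either remove both checks together or log at debug when a pod is skipped on kind.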
buildbot success in on tomcat-trunk
The Buildbot has detected a restored build on builder tomcat-trunk while building .
Full details are available at:
    https://ci.apache.org/builders/tomcat-trunk/builds/3652

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: silvanus_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' triggered this build
Build Source Stamp: [branch tomcat/trunk] 1843554
Blamelist: remm

Build succeeded!

Sincerely,
 -The Buildbot
svn commit: r1843600 - /tomcat/native/trunk/native/src/ssl.c
Author: markt Date: Thu Oct 11 20:20:44 2018 New Revision: 1843600 URL: http://svn.apache.org/viewvc?rev=1843600&view=rev Log: Add additional hooks to enable Tomcat to determine if post-handshake authentication is in progress. Add missing dummy methods for when OpenSSL is not present. Modified: tomcat/native/trunk/native/src/ssl.c Modified: tomcat/native/trunk/native/src/ssl.c URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/ssl.c?rev=1843600&r1=1843599&r2=1843600&view=diff == --- tomcat/native/trunk/native/src/ssl.c (original) +++ tomcat/native/trunk/native/src/ssl.c Thu Oct 11 20:20:44 2018 @@ -1540,6 +1540,41 @@ TCN_IMPLEMENT_CALL(jint, SSL, renegotiat return SSL_renegotiate_pending(ssl_); } +TCN_IMPLEMENT_CALL(jint, SSL, verifyClientPostHandshake)(TCN_STDARGS, + jlong ssl /* SSL * */) { +SSL *ssl_ = J2P(ssl, SSL *); +tcn_ssl_conn_t *con; + +if (ssl_ == NULL) { +tcn_ThrowException(e, "ssl is null"); +return 0; +} + +UNREFERENCED(o); + +con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl_); +con->pha_state = PHA_STARTED; + +return SSL_verify_client_post_handshake(ssl_); +} + +TCN_IMPLEMENT_CALL(jint, SSL, getPostHandshakeAuthInProgress)(TCN_STDARGS, + jlong ssl /* SSL * */) { +SSL *ssl_ = J2P(ssl, SSL *); +tcn_ssl_conn_t *con; + +if (ssl_ == NULL) { +tcn_ThrowException(e, "ssl is null"); +return 0; +} + +UNREFERENCED(o); + +con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl_); + +return (con->pha_state == PHA_STARTED); +} + /* Read which protocol was negotiated for the given SSL *. */ TCN_IMPLEMENT_CALL(jstring, SSL, getNextProtoNegotiated)(TCN_STDARGS, jlong ssl /* SSL * */) { 
@@ -2168,6 +2203,27 @@ TCN_IMPLEMENT_CALL(jint, SSL, renegotiat UNREFERENCED(o); UNREFERENCED(ssl); tcn_ThrowException(e, "Not implemented"); + return 0; +} + +TCN_IMPLEMENT_CALL(jint, SSL, renegotiatePending)(TCN_STDARGS, jlong ssl) { + UNREFERENCED(o); + UNREFERENCED(ssl); + tcn_ThrowException(e, "Not implemented"); + return 0; +} + +TCN_IMPLEMENT_CALL(jint, SSL, verifyClientPostHandshake)(TCN_STDARGS, jlong ssl) { + UNREFERENCED(o); + UNREFERENCED(ssl); + tcn_ThrowException(e, "Not implemented"); + return 0; +} + +TCN_IMPLEMENT_CALL(jint, SSL, getPostHandshakeAuthInProgress)(TCN_STDARGS, jlong ssl) { + UNREFERENCED(o); + UNREFERENCED(ssl); + tcn_ThrowException(e, "Not implemented"); return 0; } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
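Review bot: In verifyClientPostHandshake and getPostHandshakeAuthInProgress, `con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl_);` is dereferenced without a NULL check, while `ssl_` is checked a few lines above; add `if (con == NULL) { tcn_ThrowException(e, "ssl app data is null"); return 0; }` before touching `con->pha_state`, matching the existing pattern in these functions.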
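Review bot: `con->pha_state = PHA_STARTED;` is set before SSL_verify_client_post_handshake() is called and is not reset when that call returns 0 (for example when the client did not offer the post_handshake_auth extension), so getPostHandshakeAuthInProgress() keeps reporting PHA in progress on that connection. Set the flag only when SSL_verify_client_post_handshake() returns 1, or clear it on failure. The code that moves pha_state out of PHA_STARTED once the certificate arrives is not part of this diff, so that path cannot be checked here.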
svn commit: r1843601 - in /tomcat/trunk: java/org/apache/tomcat/jni/SSL.java java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java webapps/docs/changelog.xml
Author: markt Date: Thu Oct 11 20:25:42 2018 New Revision: 1843601 URL: http://svn.apache.org/viewvc?rev=1843601&view=rev Log: Fix server initiated TLS renegotiation to obtain a client certificate when using NIO/NIO2 and the OpenSSL backed JSSE TLS implementation with TLSv1.3. Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1843601&r1=1843600&r2=1843601&view=diff == --- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original) +++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Thu Oct 11 20:25:42 2018 @@ -564,6 +564,20 @@ public final class SSL { public static native int renegotiatePending(long ssl); /** + * SSL_verify_client_post_handshake + * @param ssl the SSL instance (SSL *) + * @return the operation status + */ +public static native int verifyClientPostHandshake(long ssl); + +/** + * Is post handshake authentication in progress on this connection? + * @param ssl the SSL instance (SSL *) + * @return the operation status + */ +public static native int getPostHandshakeAuthInProgress(long ssl); + +/** * SSL_in_init. * @param ssl the SSL instance (SSL *) * @return the status Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java?rev=1843601&r1=1843600&r2=1843601&view=diff == --- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java Thu Oct 11 20:25:42 2018 
@@ -908,7 +908,12 @@ public final class OpenSSLEngine extends private synchronized void renegotiate() throws SSLException { clearLastError(); -int code = SSL.renegotiate(ssl); +int code; +if (SSL.getVersion(ssl).equals(Constants.SSL_PROTO_TLSv1_3)) { +code = SSL.verifyClientPostHandshake(ssl); +} else { +code = SSL.renegotiate(ssl); +} if (code <= 0) { checkLastError(); } 
@@ -979,10 +984,42 @@ public final class OpenSSLEngine extends return SSLEngineResult.HandshakeStatus.NEED_WRAP; } +/* + * Tomcat Native stores a count of the completed handshakes in the + * SSL instance and increments it every time a handshake is + * completed. Comparing the handshake count when the handshake + * started to the current handshake count enables this code to + * detect when the handshake has completed. + * + * Obtaining client certificates after the connection has been + * established requires additional checks. We need to trigger + * additional reads until the certificates have been read but we + * don't know how many reads we will need as it depends on both + * client and network behaviour. + * + * The additional reads are triggered by returning NEED_UNWRAP + * rather than FINISHED. This allows the standard I/O code to be + * used. + * + * For TLSv1.2 and below, the handshake completes before the + * renegotiation. We therefore use SSL.renegotiatePending() to + * check on the current status of the renegotiation and return + * NEED_UNWRAP until it completes which means the client + * certificates will have been read from the client. + * + * For TLSv1.3, Tomcat Native sets a flag when post handshake + * authentication is started and updates it once the client + * certificate has been received. We therefore use + * SSL.getPostHandshakeAuthInProgress() to check the current status + * and return NEED_UNWRAP until that methods indicates that PHA is + * no longer in progress. + */ + // No pending data to be sent to the peer // Check to see if we have finished handshaking int handshakeCount = SSL.getHandshakeCount(ssl); -if (handshakeCount != currentHandshake && SSL.renegotiatePending(ssl) == 0) { +if (handshakeCount != currentHandshake && SSL.renegotiatePending(ssl) == 0 && +(SSL.getPostHandshakeAuthInProgress(ssl) == 0)) { if (alpn) { selectedProtocol = SSL.getAlpnSelected(ssl); if (selectedP
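Review bot: The new condition `SSL.getPostHandshakeAuthInProgress(ssl) == 0` keeps returning NEED_UNWRAP for as long as Tomcat Native reports PHA in progress; if the client never sends a Certificate message, or the PHA request fails after r1843600 has already set the flag, the engine stays in NEED_UNWRAP until the connection times out, which is the same symptom as the bug being fixed. A test for the TLSv1.3 no-certificate / PHA-refused case would show whether the flag is cleared on that path. Minor: the explanatory comment reads "until that methods indicates".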
[Bug 62748] Add support for TLS 1.3 (RFC 8446)
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748

--- Comment #28 from Mark Thomas ---
Once I figured out how to do it, it was fairly simple. Essentially, we now use the same approach for NIO[2]+OpenSSL for TLSv1.2 and TLS1.3. Requesting the client certificate triggers a re-handshake with extra bits depending on the protocol. We artificially extend the handshake until the client certificates have been provided. That way we piggy-back on the existing I/O code.

Next up - back-ports.
TLSv1.3 and 9.0.next
Hi,

As you probably noticed I've been working on TLS 1.3 support, building on Chris's work in BZ 62748.

The current status is that Tomcat Native 1.2.x and Tomcat 9.0.x support TLSv1.3 in any of the following combinations:
- NIO[2]+JSSE on Java 11
- NIO[2]+OpenSSL on Java 8 onwards
- APR/Native on Java 8 onwards

All combinations support server initiated requests for client certificates apart from NIO[2]+JSSE on Java 11 as the Java 11 TLSv1.3 implementation does not include post handshake authentication.

I have made quite a few changes to the Native code to support this. My plan going forwards is as follows:
- give folks until early next week to review the native changes
- tag 1.2.18 early next week
- hopefully release 1.2.18 late next week
- update 9.0.x to require 1.2.18 or later
- tag / release 9.0.x

Alongside the above, I'll be backporting the TLSv1.3 support to 8.5.x and 9.0.x.

Thoughts, comments and especially code reviews welcome.

Mark
[Bug 62748] Add support for TLS 1.3 (RFC 8446)
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748

--- Comment #29 from Remy Maucherat ---
Excellent, nothing changes from TLS 1.2 basically! That's awesome given how annoying it is to get the thing to work (BTW, instead of the weird handshakeCount trick, there's also a callback that can be used; the downside is that it's not worth it at all, it's just better to just get the int).
[GUMP@vmgump-vm3]: Project tomcat-trunk-test-nio2 (in module tomcat-trunk) failed
To whom it may engage...

This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org.

Project tomcat-trunk-test-nio2 has an issue affecting its community integration. This issue affects 1 projects. The current state of this project is 'Failed', with reason 'Build Failed'. For reference only, the following projects are affected by this:
- tomcat-trunk-test-nio2 : Tomcat 9.x, a web server implementing the Java Servlet 4.0, ...

Full details are available at:
    http://vmgump-vm3.apache.org/tomcat-trunk/tomcat-trunk-test-nio2/index.html

That said, some information snippets are provided here. The following annotations (debug/informational/warning/error messages) were provided:
 -DEBUG- Dependency on bnd exists, no need to add for property bndlib.jar.
 -INFO- Failed with reason build failed
 -INFO- Project Reports in: /srv/gump/public/workspace/tomcat-trunk/output/logs-NIO2
 -INFO- Project Reports in: /srv/gump/public/workspace/tomcat-trunk/output/test-tmp-NIO2/logs
 -WARNING- No directory [/srv/gump/public/workspace/tomcat-trunk/output/test-tmp-NIO2/logs]

The following work was performed:
http://vmgump-vm3.apache.org/tomcat-trunk/tomcat-trunk-test-nio2/gump_work/build_tomcat-trunk_tomcat-trunk-test-nio2.html
Work Name: build_tomcat-trunk_tomcat-trunk-test-nio2 (Type: Build)
Work ended in a state of : Failed
Elapsed: 24 mins 48 secs
Command Line: /usr/lib/jvm/java-8-oracle/bin/java -Djava.awt.headless=true -Dbuild.sysclasspath=only -Dsun.zip.disableMemoryMapping=true org.apache.tools.ant.Main -Dgump.merge=/srv/gump/public/gump/work/merge.xml -Djunit.jar=/srv/gump/public/workspace/junit/target/junit-4.13-SNAPSHOT.jar -Djava.net.preferIPv4Stack=/srv/gump/public/workspace/tomcat-trunk/true -Dobjenesis.jar=/srv/gump/public/workspace/objenesis/main/target/objenesis-3.1-SNAPSHOT.jar -Dtest.reports=output/logs-NIO2 -Dexecute.test.nio2=true -Dexamples.sources.skip=true 
-Dbase.path=/srv/gump/public/workspace/tomcat-trunk/tomcat-build-libs -Djdt.jar=/srv/gump/packages/eclipse/plugins/R-4.7.3a-201803300640/ecj-4.7.3a.jar -Dbndlib.jar=/srv/gump/packages/bnd/bndlib-4.0.0/biz.aQute.bndlib-4.0.0.jar -Dcommons-daemon.jar=/srv/gump/public/workspace/apache-commons/daemon/target/commons-daemon-1.1.1-SNAPSHOT.jar -Dtest.openssl.path=/srv/gump/public/workspace/openssl-master/dest-20181011/bin/openssl -Dtest.temp=output/test-tmp-NIO2 -Dtest.accesslog=true -Dexecute.test.nio=false -Dbnd.jar=/srv/gump/packages/bnd/bnd-4.0.0/biz.aQute.bnd-4.0.0.jar -Dexecute.test.apr=false -Dtest.excludePerformance=true -Dtest.relaxTiming=true -Deasymock.jar=/srv/gump/public/workspace/easymock/core/target/easymock-3.7-SNAPSHOT.jar -Dhamcrest.jar=/srv/gump/packages/hamcrest/hamcrest-core-1.3.jar -Dcglib.jar=/srv/gump/packages/cglib/cglib-nodep-2.2.jar test [Working Directory: /srv/gump/public/workspace/tomcat-trunk] CLASSPATH: /usr/lib/jvm/java-8-oracle/lib/tools.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/webapps/examples/WEB-INF/classes:/srv/gump/public/workspace/tomcat-trunk/output/testclasses:/srv/gump/public/workspace/ant/dist/lib/ant.jar:/srv/gump/public/workspace/ant/dist/lib/ant-launcher.jar:/srv/gump/public/workspace/ant/dist/lib/ant-jmf.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit4.jar:/srv/gump/public/workspace/ant/dist/lib/ant-swing.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-resolver.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-xalan2.jar:/srv/gump/public/workspace/xml-commons/java/build/resolver.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/bin/bootstrap.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/bin/tomcat-juli.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/annotations-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/servlet-api.ja 
r:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/jsp-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/el-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/websocket-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/jaspic-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/catalina.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/catalina-ant.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/catalina-storeconfig.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/tomcat-coyote.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/jasper.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/jasper-el.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/catalina-tribes.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/catalina-ha.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/tomcat-api.jar:/srv/gump/public/workspace/tomcat-t
svn commit: r1843609 - /tomcat/native/trunk/native/src/ssl.c
Author: remm Date: Thu Oct 11 22:25:41 2018 New Revision: 1843609 URL: http://svn.apache.org/viewvc?rev=1843609&view=rev Log: Make my old OpenSSL happier. Modified: tomcat/native/trunk/native/src/ssl.c Modified: tomcat/native/trunk/native/src/ssl.c URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/ssl.c?rev=1843609&r1=1843608&r2=1843609&view=diff == --- tomcat/native/trunk/native/src/ssl.c (original) +++ tomcat/native/trunk/native/src/ssl.c Thu Oct 11 22:25:41 2018 @@ -1542,6 +1542,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, renegotiat TCN_IMPLEMENT_CALL(jint, SSL, verifyClientPostHandshake)(TCN_STDARGS, jlong ssl /* SSL * */) { +#if defined(SSL_OP_NO_TLSv1_3) SSL *ssl_ = J2P(ssl, SSL *); tcn_ssl_conn_t *con; @@ -1556,10 +1557,14 @@ TCN_IMPLEMENT_CALL(jint, SSL, verifyClie con->pha_state = PHA_STARTED; return SSL_verify_client_post_handshake(ssl_); +#else +return 0; +#endif } TCN_IMPLEMENT_CALL(jint, SSL, getPostHandshakeAuthInProgress)(TCN_STDARGS, jlong ssl /* SSL * */) { +#if defined(SSL_OP_NO_TLSv1_3) SSL *ssl_ = J2P(ssl, SSL *); tcn_ssl_conn_t *con; @@ -1573,6 +1578,9 @@ TCN_IMPLEMENT_CALL(jint, SSL, getPostHan con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl_); return (con->pha_state == PHA_STARTED); +#else +return 0; +#endif } /* Read which protocol was negotiated for the given SSL *. */ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
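Review bot: The `#else` branches return 0 without referencing `e`, `o` or `ssl`, whereas the other no-OpenSSL fallbacks in this file call UNREFERENCED() and throw "Not implemented"; with this form a build against an OpenSSL that predates TLSv1.3 gets unused-parameter warnings, and verifyClientPostHandshake() reports a bare failure (0) that the Java side in r1843601 hands to checkLastError() with no OpenSSL error queued. That call is unreachable in practice, since the Java side only takes it when TLSv1.3 was negotiated, but for consistency consider `UNREFERENCED(o); UNREFERENCED(ssl); tcn_ThrowException(e, "Not implemented");` in both branches.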
[Bug 62791] SecureNioChannel fails with "IllegalArgumentException: You can only read using the application read buffer provided by the handler."
https://bz.apache.org/bugzilla/show_bug.cgi?id=62791

--- Comment #9 from Maksym ---
Thank you for fixing it! Does it make sense to backport this fix to Tomcat 8.0.x as well (especially taking into account that it was fixed in 7.0.x)?
[Bug 62791] SecureNioChannel fails with "IllegalArgumentException: You can only read using the application read buffer provided by the handler."
https://bz.apache.org/bugzilla/show_bug.cgi?id=62791

--- Comment #10 from Remy Maucherat ---
The Tomcat 8.0 branch is EOL.