Re: [Bug 60030] Run away CPU with JSSE / OpenSSL with IE8
On 27/06/2019 05:26, bugzi...@apache.org wrote: > https://bz.apache.org/bugzilla/show_bug.cgi?id=60030 > > --- Comment #5 from redball12345671211 --- Account disabled. Spam deleted. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Unit Tests and OpenSSL Ciphers
On 26/06/2019 23:01, Igal Sapir wrote:
> While testing Tomcat Native 1.2.23 two unit tests failed on my system:
>
> TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.APR.txt
> TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.APR.txt
>
> My build.properties includes the following:
> test.openssl.unimplemented=ARIA,IDEA
>
> Which adds any ciphers with the substring ARIA or IDEA in the name to
> the unimplemented list that should be ignored [1].
>
> The failure message shows that the issue is with unexpected ciphers [2],
> e.g. ECDHE-ARIA128-GCM-SHA256+TLSv1.2, so the next thing I did was to
> check OpenSSL's version and ciphers. The version is the same as the
> build process shows in the logs, but I don't see ARIA ciphers there:
>
> $ openssl version
> OpenSSL 1.1.1 11 Sep 2018
> $ openssl ciphers -v | grep ARIA
>
> Any ideas?

First impressions are that the ciphers supported by the latest OpenSSL
versions have changed. However, I would have expected Gump to pick up on
that and it hasn't.

More research required...

Mark

>
> Thanks,
>
> Igal
>
> [1] https://github.com/apache/tomcat/commit/a9c1a0661198
> [2] Testcase: testOpenSSLCipherAvailability took 0.043 sec
> FAILED
> Unexpected cipher suites: ECDHE-ARIA128-GCM-SHA256+TLSv1.2
> DHE-RSA-ARIA128-GCM-SHA256+TLSv1.2 DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2
> ECDHE-ECDSA-ARIA128-GCM-SHA256+TLSv1.2 ARIA256-GCM-SHA384+TLSv1.2
> ECDHE-ARIA256-GCM-SHA384+TLSv1.2 DHE-RSA-ARIA256-GCM-SHA384+TLSv1.2
> RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2
> ECDHE-ECDSA-ARIA256-GCM-SHA384+TLSv1.2 ARIA128-GCM-SHA256+TLSv1.2
> RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2 DHE-PSK-ARIA128-GCM-SHA256+TLSv1.2
> DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2 PSK-ARIA256-GCM-SHA384+TLSv1.2
> DHE-PSK-ARIA256-GCM-SHA384+TLSv1.2 PSK-ARIA128-GCM-SHA256+TLSv1.2
> expected:<0> but was:<16>
> junit.framework.AssertionFailedError: Unexpected cipher suites:
> ECDHE-ARIA128-GCM-SHA256+TLSv1.2 DHE-RSA-ARIA128-GCM-SHA256+TLSv1.2
> DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2
> ECDHE-ECDSA-ARIA128-GCM-SHA256+TLSv1.2 ARIA256-GCM-SHA384+TLSv1.2
> ECDHE-ARIA256-GCM-SHA384+TLSv1.2 DHE-RSA-ARIA256-GCM-SHA384+TLSv1.2
> RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2
> ECDHE-ECDSA-ARIA256-GCM-SHA384+TLSv1.2 ARIA128-GCM-SHA256+TLSv1.2
> RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2 DHE-PSK-ARIA128-GCM-SHA256+TLSv1.2
> DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2 PSK-ARIA256-GCM-SHA384+TLSv1.2
> DHE-PSK-ARIA256-GCM-SHA384+TLSv1.2 PSK-ARIA128-GCM-SHA256+TLSv1.2
> expected:<0> but was:<16>
> at
> org.apache.tomcat.util.net.openssl.ciphers.TestCipher.testOpenSSLCipherAvailability(TestCipher.java:108)
[tomcat] 01/02: Fix typo. Add comment on GOST ciphers
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit d67d4910b309afd6b12f46ba3d780d38b37e8b79 Author: Mark Thomas AuthorDate: Thu Jun 27 16:44:57 2019 +0100 Fix typo. Add comment on GOST ciphers --- java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java b/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java index 2a1fefc..e34fb61 100644 --- a/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java +++ b/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java @@ -1500,8 +1500,9 @@ public enum Cipher { null, null ), -/* GOST Ciphersuites. Unsupported by Java. OpenSSl lists them with IDs - * 0x380 to 0x383 */ +/* GOST Ciphersuites. Unsupported by Java. OpenSSL lists them with IDs + * 0x380 to 0x383 + * The ciphers are not listed in the IANA registry. */ /* // Cipher 80 TLS_GOSTR341094_WITH_28147_CNT_IMIT(
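Review bot: The new comment gives the GOST suites as "IDs 0x380 to 0x383" while the commented-out entry directly below is labelled "Cipher 80", so a reader cannot tell at a glance that the two refer to the same four suites; write both in one notation (or say that 0x380 is OpenSSL's own prefixed form of 0x80). The added sentence "The ciphers are not listed in the IANA registry." describes a registry that changes over time, so give it a date or the registry URL so the next person can re-check it rather than take it on trust. The OpenSSl to OpenSSL typo fix is fine.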
[tomcat] 02/02: Get tests passing with latest 1.0.2 code
markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 5fe84dedbd3038f0cfc9af723dcd303292e7da46 Author: Mark Thomas AuthorDate: Thu Jun 27 16:45:16 2019 +0100 Get tests passing with latest 1.0.2 code --- .../org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java | 8 1 file changed, 8 insertions(+) diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java index 91ac42e..95ab187 100644 --- a/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java +++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java @@ -367,6 +367,14 @@ public class TesterOpenSSL { // Standard command to list the ciphers args.add("ciphers"); args.add("-v"); +if (VERSION < 10100) { +// Need to exclude the GOST ciphers +if (specification == null) { +specification = "DEFAULT:!aGOST"; +} else { +specification = "!aGOST:" + specification; +} +} if (VERSION >= 10101) { // Need to exclude the TLSv1.3 ciphers args.add("-ciphersuites");
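Review bot: The comment "Need to exclude the GOST ciphers" on the new `VERSION < 10100` block does not say why only 1.0.2 needs the exclusion when the `VERSION >= 10101` block right below handles TLSv1.3 on its own; one line saying that the latest 1.0.2 builds now list the GOST suites that Cipher.java marks as unsupported by Java (the sibling commit d67d491 documents them) would let the two version checks read as one story. The asymmetry between `"DEFAULT:!aGOST"` for the null case and `"!aGOST:" + specification` otherwise also deserves a comment: with no argument `openssl ciphers` applies DEFAULT itself, so the null branch has to name it explicitly to keep the same list. Putting `!aGOST` first rather than last is fine, since `!` removes the matching suites wherever it appears in an OpenSSL cipher string. The thresholds 10100 and 10101 are magic numbers; named constants for the 1.1.0 and 1.1.1 boundaries would help.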
[tomcat] branch master updated (c474b0d -> 5fe84de)
markt pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git. from c474b0d Fix space new d67d491 Fix typo. Add comment on GOST ciphers new 5fe84de Get tests passing with latest 1.0.2 code The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java | 5 +++-- .../org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java | 8 2 files changed, 11 insertions(+), 2 deletions(-)
[tomcat] 01/02: Fix typo. Add comment on GOST ciphers
markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit a5b3215ddb873e4e8de6d0b1edfd28ee950ef283 Author: Mark Thomas AuthorDate: Thu Jun 27 16:44:57 2019 +0100 Fix typo. Add comment on GOST ciphers --- java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java b/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java index 2a1fefc..e34fb61 100644 --- a/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java +++ b/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java @@ -1500,8 +1500,9 @@ public enum Cipher { null, null ), -/* GOST Ciphersuites. Unsupported by Java. OpenSSl lists them with IDs - * 0x380 to 0x383 */ +/* GOST Ciphersuites. Unsupported by Java. OpenSSL lists them with IDs + * 0x380 to 0x383 + * The ciphers are not listed in the IANA registry. */ /* // Cipher 80 TLS_GOSTR341094_WITH_28147_CNT_IMIT(
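Review bot: This is the 8.5.x backport of d67d491 and the same two points apply: the "0x380 to 0x383" range and the "Cipher 80" label below it use different notations, and the sentence about the IANA registry needs a date or link.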
[tomcat] 02/02: Get tests passing with latest 1.0.2 code
markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 756cce5d3898bed56ffc5c9fec5d08339560e5a0 Author: Mark Thomas AuthorDate: Thu Jun 27 16:45:16 2019 +0100 Get tests passing with latest 1.0.2 code --- .../org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java | 8 1 file changed, 8 insertions(+) diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java index 91ac42e..95ab187 100644 --- a/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java +++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java @@ -367,6 +367,14 @@ public class TesterOpenSSL { // Standard command to list the ciphers args.add("ciphers"); args.add("-v"); +if (VERSION < 10100) { +// Need to exclude the GOST ciphers +if (specification == null) { +specification = "DEFAULT:!aGOST"; +} else { +specification = "!aGOST:" + specification; +} +} if (VERSION >= 10101) { // Need to exclude the TLSv1.3 ciphers args.add("-ciphersuites");
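Review bot: Identical to 5fe84de on master; the comment on the `VERSION < 10100` block should explain why only 1.0.2 lists the GOST suites and why the null case has to spell out DEFAULT, and the 10100/10101 thresholds would read better as named constants.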
[tomcat] branch 8.5.x updated (513e54c -> 756cce5)
markt pushed a change to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git. from 513e54c Obtain PEM files via ConfigFileLoader new a5b3215 Fix typo. Add comment on GOST ciphers new 756cce5 Get tests passing with latest 1.0.2 code The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java | 5 +++-- .../org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java | 8 2 files changed, 11 insertions(+), 2 deletions(-)
Re: Unit Tests and OpenSSL Ciphers
On 27/06/2019 14:49, Mark Thomas wrote:
> On 26/06/2019 23:01, Igal Sapir wrote:
>> While testing Tomcat Native 1.2.23 two unit tests failed on my system:
>>
>> TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.APR.txt
>> TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.APR.txt
>>
>> My build.properties includes the following:
>> test.openssl.unimplemented=ARIA,IDEA
>>
>> Which adds any ciphers with the substring ARIA or IDEA in the name to
>> the unimplemented list that should be ignored [1].
>>
>> The failure message shows that the issue is with unexpected ciphers [2],
>> e.g. ECDHE-ARIA128-GCM-SHA256+TLSv1.2, so the next thing I did was to
>> check OpenSSL's version and ciphers. The version is the same as the
>> build process shows in the logs, but I don't see ARIA ciphers there:
>>
>> $ openssl version
>> OpenSSL 1.1.1 11 Sep 2018
>> $ openssl ciphers -v | grep ARIA
>>
>> Any ideas?
>
> First impressions are that the ciphers supported by the latest OpenSSL
> versions have changed. However, I would have expected Gump to pick up on
> that and it hasn't.
>
> More research required...

The ciphers supported by Ubuntu have changed. You need to use:

openssl ciphers -v ALL:eNULL

to see all of them.

The short version is that ARIA ciphers are now supported.

test.openssl.unimplemented=IDEA

should fix it.

Mark

> Mark
>
>> Thanks,
>>
>> Igal
>>
>> [1] https://github.com/apache/tomcat/commit/a9c1a0661198
>> [2] Testcase: testOpenSSLCipherAvailability took 0.043 sec
>> FAILED
>> Unexpected cipher suites: ECDHE-ARIA128-GCM-SHA256+TLSv1.2
>> DHE-RSA-ARIA128-GCM-SHA256+TLSv1.2 DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2
>> ECDHE-ECDSA-ARIA128-GCM-SHA256+TLSv1.2 ARIA256-GCM-SHA384+TLSv1.2
>> ECDHE-ARIA256-GCM-SHA384+TLSv1.2 DHE-RSA-ARIA256-GCM-SHA384+TLSv1.2
>> RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2
>> ECDHE-ECDSA-ARIA256-GCM-SHA384+TLSv1.2 ARIA128-GCM-SHA256+TLSv1.2
>> RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2 DHE-PSK-ARIA128-GCM-SHA256+TLSv1.2
>> DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2 PSK-ARIA256-GCM-SHA384+TLSv1.2
>> DHE-PSK-ARIA256-GCM-SHA384+TLSv1.2 PSK-ARIA128-GCM-SHA256+TLSv1.2
>> expected:<0> but was:<16>
>> junit.framework.AssertionFailedError: Unexpected cipher suites:
>> ECDHE-ARIA128-GCM-SHA256+TLSv1.2 DHE-RSA-ARIA128-GCM-SHA256+TLSv1.2
>> DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2
>> ECDHE-ECDSA-ARIA128-GCM-SHA256+TLSv1.2 ARIA256-GCM-SHA384+TLSv1.2
>> ECDHE-ARIA256-GCM-SHA384+TLSv1.2 DHE-RSA-ARIA256-GCM-SHA384+TLSv1.2
>> RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2
>> ECDHE-ECDSA-ARIA256-GCM-SHA384+TLSv1.2 ARIA128-GCM-SHA256+TLSv1.2
>> RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2 DHE-PSK-ARIA128-GCM-SHA256+TLSv1.2
>> DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2 PSK-ARIA256-GCM-SHA384+TLSv1.2
>> DHE-PSK-ARIA256-GCM-SHA384+TLSv1.2 PSK-ARIA128-GCM-SHA256+TLSv1.2
>> expected:<0> but was:<16>
>> at
>> org.apache.tomcat.util.net.openssl.ciphers.TestCipher.testOpenSSLCipherAvailability(TestCipher.java:108)
>>
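The difference Mark describes, as an added example rather than anything from the Tomcat or OpenSSL projects: `openssl ciphers -v` with no argument prints only the DEFAULT list, so suites that a build supports but leaves out of DEFAULT (ARIA here) only show up under `ALL:eNULL`, while the test sees all of them. The script below works on constructed snippets of `openssl ciphers -v` output instead of calling openssl, so it runs offline; the function names are mine, and the "unexpected" set is computed the way the failure message reads, i.e. suites that OpenSSL does list although test.openssl.unimplemented says they are absent.

```shell
#!/bin/sh
# Added example, not Tomcat or OpenSSL code. Works on constructed listings so it
# runs without openssl; on a real host, feed it the output of
#   openssl ciphers -v            (DEFAULT list only)
#   openssl ciphers -v ALL:eNULL  (everything the build supports, NULL included)
LC_ALL=C
export LC_ALL

# Constructed stand-in for `openssl ciphers -v` (DEFAULT). Only column 1 is used.
DEFAULT_LIST='TLS_AES_256_GCM_SHA384        TLSv1.3 Kx=any  Au=any   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384     TLSv1.2 Kx=DH   Au=RSA   Enc=AESGCM(256) Mac=AEAD'

# Constructed stand-in for `openssl ciphers -v ALL:eNULL` on the same build:
# the DEFAULT suites plus ARIA and a NULL cipher, and no IDEA suite at all.
ALL_LIST="$DEFAULT_LIST
ECDHE-ARIA256-GCM-SHA384       TLSv1.2 Kx=ECDH Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
NULL-SHA256                    TLSv1.2 Kx=RSA  Au=RSA   Enc=None         Mac=SHA256"

# Suite names (column 1) of a listing, one per line, sorted.
suite_names() {
    printf '%s\n' "$1" | awk 'NF { print $1 }' | sort
}

# Suites in the ALL:eNULL listing ($2) that the DEFAULT listing ($1) hides.
# These are the ones `openssl ciphers -v` does not show but the test still sees.
hidden_from_default() {
    {
        suite_names "$1"
        echo '==END-OF-DEFAULT=='
        suite_names "$2"
    } | awk '
        $1 == "==END-OF-DEFAULT==" { second = 1; next }
        !second                    { seen[$1] = 1; next }
        !($1 in seen)              { print $1 }
    '
}

# Suites that OpenSSL lists although test.openssl.unimplemented ($2, comma
# separated, matched as substrings the way Tomcat does it) claims they are
# absent. This is the set TestCipher reports as "Unexpected cipher suites".
unexpected_suites() {
    [ -n "$2" ] || return 0
    pattern=$(printf '%s' "$2" | sed 's/,/|/g')
    suite_names "$1" | grep -E "$pattern" || true
}

echo "hidden by DEFAULT:"
hidden_from_default "$DEFAULT_LIST" "$ALL_LIST"
echo "unexpected with test.openssl.unimplemented=ARIA,IDEA:"
unexpected_suites "$ALL_LIST" "ARIA,IDEA"
echo "unexpected with test.openssl.unimplemented=IDEA:"
unexpected_suites "$ALL_LIST" "IDEA"
```

With the constructed listing, ARIA,IDEA reports both ARIA suites as unexpected and IDEA alone reports nothing, which is the same outcome the thread reaches. On a real machine, replace the two constants with the captured command output and keep in mind that the NULL ciphers only appear because of the explicit eNULL.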
[Bug 63524] Private key must be accompanied by certificate chain
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524

--- Comment #7 from Mark Thomas ---
There should be lines of headers / footers in each file starting "---". Can you list all the headers and footers present in each file please (this should help to ID the format being used).

--
You are receiving this mail because:
You are the assignee for the bug.
[GitHub] [tomcat] zhanhb opened a new pull request #175: Apply the suggestion in rfc7233
zhanhb opened a new pull request #175: Apply the suggestion in rfc7233
URL: https://github.com/apache/tomcat/pull/175

This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[Bug 63524] Private key must be accompanied by certificate chain
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524

--- Comment #8 from Arnaud Kleinveld ---
(In reply to Mark Thomas from comment #7)
> There should be lines of headers / footers in each file starting "---". Can
> you list all the headers and footers present in each file please (this
> should help to ID the format being used).

domain2.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

domain2.key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Re: Unit Tests and OpenSSL Ciphers
On 6/27/2019 8:56 AM, Mark Thomas wrote:
> The ciphers supported by Ubuntu have changed. You need to use:
>
> openssl ciphers -v ALL:eNULL
>
> to see all of them.
>
> The short version is that ARIA ciphers are now supported.
>
> test.openssl.unimplemented=IDEA
>
> should fix it.

Thanks, Mark!

The part that puzzled me was that `openssl ciphers -v` did not show those ciphers and yet they appeared in the `ant test` logs. Adding `ALL:eNULL` indeed shows the ARIA ciphers.

Best,

Igal
[Bug 63524] Private key must be accompanied by certificate chain
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524

--- Comment #9 from Mark Thomas ---
Thanks. That looks like a PEM encoded PKCS#1 key and a PEM encoded X509 cert.

When I start 8.5.40 with those I don't see the error you see. I've tested with the oldest and latest versions of OpenSSL.

I think we are back to me asking you to provide a set of test files (key and cert(s)) that reproduce the issue.
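A mechanical version of the check in comments #7 and #9, added here as an example and not part of the bug report or of Tomcat: it reads the BEGIN/END lines of PEM files, names the container each label denotes (PKCS#1 RSA key, PKCS#8 key, X.509 certificate) and says whether a key file and a certificate file form the pair a connector can use. The "exactly one unencrypted key plus at least one certificate" rule and the function names are my assumptions, not Tomcat's code; the sample files are constructed with dummy base64 bodies.

```shell
#!/bin/sh
# Added example, not Tomcat code: identify PEM files from their BEGIN/END lines,
# the check asked for in comment #7, and report whether a key file and a
# certificate file pair up. Sample files are constructed with dummy bodies.

# Container denoted by a PEM label (the labels a TLS configuration usually meets).
pem_label_kind() {
    case "$1" in
        "RSA PRIVATE KEY")       echo "PKCS#1 RSA private key" ;;
        "EC PRIVATE KEY")        echo "SEC1 EC private key" ;;
        "PRIVATE KEY")           echo "PKCS#8 private key (unencrypted)" ;;
        "ENCRYPTED PRIVATE KEY") echo "PKCS#8 private key (encrypted)" ;;
        "CERTIFICATE")           echo "X.509 certificate" ;;
        *)                       echo "unknown label: $1" ;;
    esac
}

# One line per BEGIN/END marker in a file. A mismatched or missing END line is
# flagged, which is what listing "all the headers and footers" is meant to reveal.
pem_blocks() {
    awk '
        /^-----BEGIN .*-----$/ {
            label = substr($0, 12, length($0) - 16)
            open = label
            print "BEGIN " label
            next
        }
        /^-----END .*-----$/ {
            label = substr($0, 10, length($0) - 14)
            if (label != open) print "MISMATCH END " label " after BEGIN " open
            else print "END " label
            open = ""
            next
        }
        END { if (open != "") print "UNTERMINATED " open }
    ' "$1"
}

# Summary such as "0 certificate(s), 1 key(s), PKCS#1 RSA private key".
# Returns 1 when a block is malformed or carries a label this script does not know.
pem_summary() {
    certs=0; keys=0; kinds=""; bad=0
    while IFS= read -r line; do
        case "$line" in
            "BEGIN CERTIFICATE") certs=$((certs + 1)) ;;
            "BEGIN RSA PRIVATE KEY"|"BEGIN EC PRIVATE KEY"|"BEGIN PRIVATE KEY"|"BEGIN ENCRYPTED PRIVATE KEY")
                keys=$((keys + 1)); kinds="$kinds, $(pem_label_kind "${line#BEGIN }")" ;;
            "BEGIN "*) bad=1; kinds="$kinds, $(pem_label_kind "${line#BEGIN }")" ;;
            MISMATCH*|UNTERMINATED*) bad=1; kinds="$kinds, $line" ;;
        esac
    done <<EOF
$(pem_blocks "$1")
EOF
    echo "$certs certificate(s), $keys key(s)$kinds"
    return $bad
}

# Does KEYFILE ($1) plus CERTFILE ($2) form a usable pair? Returns 0 if so,
# 1 with a reason otherwise. The rule applied here is an assumption: exactly one
# unencrypted private key on its own, and at least one certificate.
pem_pair_check() {
    k=$(pem_summary "$1") || { echo "key file: $k"; return 1; }
    c=$(pem_summary "$2") || { echo "certificate file: $c"; return 1; }
    case "$k" in
        "0 certificate(s), 1 key(s), "*) ;;
        *) echo "key file should hold exactly one private key and nothing else: $k"; return 1 ;;
    esac
    case "$k" in
        *"(encrypted)"*) echo "key file is encrypted; decrypt it or configure the key password"; return 1 ;;
    esac
    case "$c" in
        "0 certificate(s)"*) echo "certificate file holds no certificate: $c"; return 1 ;;
    esac
    echo "ok: key = $k; certs = $c"
}

# Constructed sample files (dummy base64 bodies, not real key material).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUFB' '-----END CERTIFICATE-----' > "$SAMPLE_DIR/domain2.crt"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'QUFB' '-----END RSA PRIVATE KEY-----' > "$SAMPLE_DIR/domain2.key"
cat "$SAMPLE_DIR/domain2.crt" "$SAMPLE_DIR/domain2.crt" > "$SAMPLE_DIR/chain.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUFB' '-----END RSA PRIVATE KEY-----' > "$SAMPLE_DIR/broken.pem"

pem_summary "$SAMPLE_DIR/domain2.key"
pem_summary "$SAMPLE_DIR/domain2.crt"
pem_pair_check "$SAMPLE_DIR/domain2.key" "$SAMPLE_DIR/domain2.crt"
pem_summary "$SAMPLE_DIR/broken.pem" || echo "broken.pem rejected"
```

Run against the two files from comment #8 the summaries read "0 certificate(s), 1 key(s), PKCS#1 RSA private key" and "1 certificate(s), 0 key(s)", which is the identification Mark gives in comment #9; the check only looks at the markers, so a key and certificate that do not belong together still pass it.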
[Bug 63531] New: Session staying alive across different context paths
https://bz.apache.org/bugzilla/show_bug.cgi?id=63531

Bug ID: 63531
Summary: Session staying alive across different context paths
Product: Tomcat 7
Version: 7.0.91
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: Servlet & JSP API
Assignee: dev@tomcat.apache.org
Reporter: malini.kesa...@workday.com
Target Milestone: ---

Session stays alive as it's tickled by the org.apache.catalina.authenticator.AuthenticatorBase.java invoke(Request request, Response response) method, when calling request.getSessionInternal(false).

I am using Tomcat version 7.0.91. This issue was reported in Tomcat 7.0.14 as well. Here is the case that was opened to address this issue: https://issues.apache.org/bugzilla/show_bug.cgi?id=51812

How to reproduce this issue:

We have 2 different context paths
• https://abc123.com:<1234>/contextPath-000 - context path contextPath-000
• https://abc123.com:<1234>/contextPath-999 - context path contextPath-999

Context path contextPath-000 is where all the user action is, and the user will be alive/active if the user was active in the application.

Context path contextPath-999 does not access the user session at all. However, every 30 seconds we make a GET request from this context path for a certain use case. Note: We do not touch the user session at all in this context path; there are no calls to request.getSession(false). We get the JSESSIONID from the cookie and use just that.

When debugging the code, I see that httpSession.getLastAccessedTime() in context path contextPath-000 is always set to the timestamp when a GET call (every 30 sec) from context path contextPath-999 occurs.

We made the following changes to org.apache.catalina.authenticator.AuthenticatorBase.java to fix this issue:
• Set cache=false;
• With that, the code that was tickling the session (please see below) is not invoked if cache=false

//Code --
    public void invoke(Request request, Response response) throws IOException, ServletException {
        if (this.log.isDebugEnabled()) {
            this.log.debug("Security checking request " + request.getMethod() + " " + request.getRequestURI());
        }
        LoginConfig config = this.context.getLoginConfig();
        if (this.cache) {
            Principal principal = request.getUserPrincipal();
            if (principal == null) {
                Session session = request.getSessionInternal(false);
                if (session != null) {
                    principal = session.getPrincipal();
                    if (principal != null) {
                        if (this.log.isDebugEnabled()) {
                            this.log.debug("We have cached auth type " + session.getAuthType() + " for principal " + session.getPrincipal());
                        }
                        request.setAuthType(session.getAuthType());
                        request.setUserPrincipal(principal);
                    }
                }
            }
        }

• Also wrapped this block of code in an if (cache) condition in the same method:

//Code --
        // Special handling for form-based logins to deal with the case where
        // a resource is protected for some HTTP methods but not protected for
        // GET which is used after authentication when redirecting to the
        // protected resource.
        // TODO: This is similar to the FormAuthenticator.matchRequest() logic
        // Is there a way to remove the duplication?
        if (cache) {
            Session session = request.getSessionInternal(false);
            if (session != null) {
                SavedRequest savedRequest = (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE);
                if (savedRequest != null) {
                    String decodedRequestURI = request.getDecodedRequestURI();
                    if (decodedRequestURI != null && decodedRequestURI.equals(
                            savedRequest.getDecodedRequestURI())) {
                        if (!authenticate(request, response)) {
                            if (log.isDebugEnabled()) {
                                log.debug(" Failed authenticate() test");
                            }
                            /*
                             * ASSERT: Authenticator already set the appropriate
                             * HTTP status code, so we do not have to do anything
                             * special
                             */
                            return;
                        }
                    }
                }
            }
        }

These changes ensured that access to the session from different context paths is not keeping it alive across them. (The browser assigns the same JSESSIONID to the sessions created from both requests (in spite of the different context paths), as it does for different tabs on the same browser window.)

Please validate whether this is a known issue and whether there is a workaround to fix it without having to modify the Tomcat source. FYI, we did try adding and that didn't work. As not all relevant code is wrap
[Bug 63531] Session staying alive across different context paths
https://bz.apache.org/bugzilla/show_bug.cgi?id=63531

--- Comment #1 from Mark Thomas ---
I think this report is using the term "context path" incorrectly. Web applications on the same host have unique context paths and completely separate session managers (and hence sessions). Therefore, if separate context paths - and hence web applications - were in use then the behaviour described in this report would be impossible.

My working assumption is that, in terms of the Servlet spec, context path should be read as HttpServletRequest.getRequestURI().

This can be tested with a default Tomcat install using the examples web application for the requests and the manager web application to monitor session access time. I edited web.xml for the examples web application to use BASIC authentication to match this report.

With the default configuration (cache="true") once the session is created, any request to the web application will update the session last accessed time. I'll note at this point that a strict reading of the Servlet specification requires that any access to a web application updates the last accessed time of the associated session irrespective of whether or not the web application explicitly accesses the session. See the org.apache.catalina.core.StandardHostValve.ACCESS_SESSION system property for more details.

With cache="false" I can see the issue described. The special handling for FORM auth triggers an update of the session accessed time. It should be possible to refactor that so it only applies when FORM auth is being used.

The proposed fix would break FORM authentication.
[tomcat] branch master updated: Space police
markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new ae26dcc Space police ae26dcc is described below commit ae26dcc3ba71d62695b09ca79507bcb45a1bb1ad Author: Mark Thomas AuthorDate: Thu Jun 27 21:20:40 2019 +0100 Space police --- java/org/apache/catalina/authenticator/BasicAuthenticator.java | 5 - 1 file changed, 5 deletions(-) diff --git a/java/org/apache/catalina/authenticator/BasicAuthenticator.java b/java/org/apache/catalina/authenticator/BasicAuthenticator.java index 9596b7b..b661e35 100644 --- a/java/org/apache/catalina/authenticator/BasicAuthenticator.java +++ b/java/org/apache/catalina/authenticator/BasicAuthenticator.java @@ -14,11 +14,8 @@ * See the License for the specific language governing permissions and * limitations under the License. */ - - package org.apache.catalina.authenticator; - import java.io.IOException; import java.nio.charset.Charset; import java.nio.charset.StandardCharsets; @@ -34,8 +31,6 @@ import org.apache.tomcat.util.buf.ByteChunk; import org.apache.tomcat.util.buf.MessageBytes; import org.apache.tomcat.util.codec.binary.Base64; - - /** * An Authenticator and Valve implementation of HTTP BASIC * Authentication, as outlined in RFC 2617: "HTTP Authentication: Basic
[tomcat] branch 8.5.x updated: Align with 9.0.x. Better messages and code clean-up.
markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new b998926 Align with 9.0.x. Better messages and code clean-up. b998926 is described below commit b9989263bf43188b89b8d77d0e38f6b5b6df3826 Author: Mark Thomas AuthorDate: Thu Jun 27 21:20:22 2019 +0100 Align with 9.0.x. Better messages and code clean-up. --- .../catalina/authenticator/LocalStrings.properties | 4 +- .../authenticator/LocalStrings_es.properties | 10 +++- .../authenticator/LocalStrings_fr.properties | 58 -- .../authenticator/LocalStrings_ja.properties | 53 +++- .../catalina/authenticator/SavedRequest.java | 18 --- .../catalina/authenticator/SingleSignOn.java | 2 +- .../authenticator/SpnegoAuthenticator.java | 1 - .../LocalStrings_es.properties}| 8 ++- .../jaspic/LocalStrings_fr.properties | 30 +++ .../jaspic/LocalStrings_ja.properties | 30 +++ .../LocalStrings_ru.properties}| 6 +-- 11 files changed, 193 insertions(+), 27 deletions(-) diff --git a/java/org/apache/catalina/authenticator/LocalStrings.properties b/java/org/apache/catalina/authenticator/LocalStrings.properties index d3c265f..0030ce3 100644 --- a/java/org/apache/catalina/authenticator/LocalStrings.properties +++ b/java/org/apache/catalina/authenticator/LocalStrings.properties
@@ -15,7 +15,7 @@ authenticator.certificates=No client certificate chain in this request authenticator.changeSessionId=Session ID changed on authentication from [{0}] to [{1}] -authenticator.check.authorize=Authorizing connector provided user [{0}] via Tomcat Realm +authenticator.check.authorize=User name [{0}] obtained from the Connector and trusted to be valid. Obtaining roles for this user from the Tomcat Realm. authenticator.check.authorizeFail=Realm did not recognise user [{0}]. Creating a Principal with that name and no roles. authenticator.check.found=Already authenticated [{0}] authenticator.check.sso=Not authenticated but SSO session ID [{0}] found. Attempting re-authentication. @@ -34,7 +34,7 @@ authenticator.unauthorized=Cannot authenticate with the provided credentials basicAuthenticator.invalidCharset=The only permitted values are null, the empty string or UTF-8 -digestAuthenticator.cacheRemove=A valid entry has been removed from client nonce cache to make room for new entries. A replay attack is now possible. To prevent the possibility of replay attacks, reduce nonceValidity or increase cnonceCacheSize. Further warnings of this type will be suppressed for 5 minutes. +digestAuthenticator.cacheRemove=A valid entry has been removed from client nonce cache to make room for new entries. A replay attack is now possible. To prevent the possibility of replay attacks, reduce nonceValidity or increase nonceCacheSize. Further warnings of this type will be suppressed for 5 minutes. formAuthenticator.forwardErrorFail=Unexpected error forwarding to error page formAuthenticator.forwardLogin=Forwarding request for [{0}] made with method [{1}] to login page [{2}] of context [{3}] using request method GET diff --git a/java/org/apache/catalina/authenticator/LocalStrings_es.properties b/java/org/apache/catalina/authenticator/LocalStrings_es.properties index 5b0bab9..6cc945d 100644 --- a/java/org/apache/catalina/authenticator/LocalStrings_es.properties 
+++ b/java/org/apache/catalina/authenticator/LocalStrings_es.properties @@ -15,6 +15,8 @@ authenticator.certificates=No hay cadena de certificados del cliente en esta petición authenticator.formlogin=Referencia directa al formulario de conexión (página de formulario de login) inválida +authenticator.jaspicCleanSubjectFail=Fallo al limpiar el elemento JASPIC \n +authenticator.jaspicServerAuthContextFail=Fallo al intentar obtener una instancia JASPIC ServerAuthContext authenticator.loginFail=No pude ingresar authenticator.manager=Excepción inicializando administradores de confianza authenticator.noAuthHeader=El cliente no ha enviado autorización de cabecera @@ -23,13 +25,19 @@ authenticator.requestBodyTooBig=El cuerpo del requerimiento era demasiado grande authenticator.sessionExpired=El tiempo permitido para realizar login ha sido excedido. Si deseas continuar, debes hacer clik dos veces y volver a hacer clik otra vez o cerrar y reabrir tu navegador authenticator.unauthorized=Imposible autenticar mediante las credenciales suministradas -digestAuthenticator.cacheRemove=Se ha quitado una entrada válida de la caché "nonce" del cliente para hacer espacio a nuevas entradas.. Ahora es posible un ataque de reinyección. Para prevenirlos, reduce "nonceValidity" o incrementa "cnonceCacheSize". El resto de mensajes de este tipo serán suspendidos durante 5
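Review bot: In the LocalStrings.properties hunk the digestAuthenticator.cacheRemove text now tells operators to raise `nonceCacheSize` where it used to say `cnonceCacheSize`; that is an operational instruction, so confirm the new name matches the attribute DigestAuthenticator actually exposes and carry the same rename into every translation. The removed Spanish line still says "cnonceCacheSize" and its replacement is cut off in this extraction ("durante 5"), so it cannot be checked from here.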
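Review bot: The new Spanish key `authenticator.jaspicCleanSubjectFail` ends in a literal `\n` ("Fallo al limpiar el elemento JASPIC \n"); in a .properties file that is a newline escape, so the logged message gets a trailing line break that the sibling key `authenticator.jaspicServerAuthContextFail` added in the same hunk does not have. Drop the trailing ` \n`.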
[tomcat] branch 8.5.x updated: Polish
markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 88db4aa Polish 88db4aa is described below commit 88db4aa3924a9f44f3f681528fc1f5dd4cfc5d59 Author: Mark Thomas AuthorDate: Thu Jun 27 22:06:07 2019 +0100 Polish --- java/org/apache/catalina/authenticator/AuthenticatorBase.java | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java index 18b4bde..6c0e5b2 100644 --- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java +++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java @@ -552,8 +552,8 @@ public abstract class AuthenticatorBase extends ValveBase request.getCoyoteRequest().getMimeHeaders().getValue("authorization") != null; } -if (!authRequired && context.getPreemptiveAuthentication() -&& HttpServletRequest.CLIENT_CERT_AUTH.equals(getAuthMethod())) { +if (!authRequired && context.getPreemptiveAuthentication() && +HttpServletRequest.CLIENT_CERT_AUTH.equals(getAuthMethod())) { X509Certificate[] certs = getRequestCertificates(request); authRequired = certs != null && certs.length > 0; } @@ -1067,8 +1067,8 @@ public abstract class AuthenticatorBase extends ValveBase // Configure httpOnly on SSO cookie using same rules as session // cookies -if (request.getServletContext().getSessionCookieConfig().isHttpOnly() -|| request.getContext().getUseHttpOnly()) { +if (request.getServletContext().getSessionCookieConfig().isHttpOnly() || +request.getContext().getUseHttpOnly()) { cookie.setHttpOnly(true); }
@@ -1285,4 +1285,4 @@ public abstract class AuthenticatorBase extends ValveBase public void refresh() { } } -} \ No newline at end of file +}
[tomcat] branch master updated: Polish
markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new 6744132 Polish 6744132 is described below commit 67441328b40f267312f6becd36ff732416e2e624 Author: Mark Thomas AuthorDate: Thu Jun 27 22:06:18 2019 +0100 Polish --- java/org/apache/catalina/authenticator/AuthenticatorBase.java | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java index 8fbfea1..92cb4e2 100644 --- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java +++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java @@ -549,8 +549,8 @@ public abstract class AuthenticatorBase extends ValveBase request.getCoyoteRequest().getMimeHeaders().getValue("authorization") != null; } -if (!authRequired && context.getPreemptiveAuthentication() -&& HttpServletRequest.CLIENT_CERT_AUTH.equals(getAuthMethod())) { +if (!authRequired && context.getPreemptiveAuthentication() && +HttpServletRequest.CLIENT_CERT_AUTH.equals(getAuthMethod())) { X509Certificate[] certs = getRequestCertificates(request); authRequired = certs != null && certs.length > 0; } @@ -1064,8 +1064,8 @@ public abstract class AuthenticatorBase extends ValveBase // Configure httpOnly on SSO cookie using same rules as session // cookies -if (request.getServletContext().getSessionCookieConfig().isHttpOnly() -|| request.getContext().getUseHttpOnly()) { +if (request.getServletContext().getSessionCookieConfig().isHttpOnly() || +request.getContext().getUseHttpOnly()) { cookie.setHttpOnly(true); }
@@ -1259,4 +1259,4 @@ public abstract class AuthenticatorBase extends ValveBase public MessageInfo messageInfo = null; public ServerAuthContext serverAuthContext = null; } -} \ No newline at end of file +} - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 7.0.x updated: Align with 8.5.x. Code clean up and improved i18n messages
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 7.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/7.0.x by this push: new ecde67c Align with 8.5.x. Code clean up and improved i18n messages ecde67c is described below commit ecde67c45ceb3fb50fd92a848f4125aee0c96d33 Author: Mark Thomas AuthorDate: Thu Jun 27 22:05:51 2019 +0100 Align with 8.5.x. Code clean up and improved i18n messages --- .../catalina/authenticator/AuthenticatorBase.java | 384 +++-- .../catalina/authenticator/BasicAuthenticator.java | 4 +- .../apache/catalina/authenticator/Constants.java | 6 +- .../authenticator/DigestAuthenticator.java | 18 +- .../catalina/authenticator/FormAuthenticator.java | 102 +++--- .../catalina/authenticator/LocalStrings.properties | 9 +- .../authenticator/LocalStrings_es.properties | 14 +- .../authenticator/LocalStrings_fr.properties | 59 +++- .../authenticator/LocalStrings_ja.properties | 54 ++- .../authenticator/NonLoginAuthenticator.java | 10 +- .../catalina/authenticator/SSLAuthenticator.java | 22 +- .../catalina/authenticator/SavedRequest.java | 38 +- .../catalina/authenticator/SingleSignOn.java | 4 +- .../catalina/authenticator/SingleSignOnEntry.java | 1 + .../authenticator/SpnegoAuthenticator.java | 16 +- .../catalina/authenticator/mbeans-descriptors.xml | 2 +- .../org/apache/catalina/authenticator/package.html | 2 +- 17 files changed, 419 insertions(+), 326 deletions(-) diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java index 7a28e47..2bb4746 100644 --- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java +++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java 
@@ -14,11 +14,8 @@ * See the License for the specific language governing permissions and * limitations under the License. */ - - package org.apache.catalina.authenticator; - import java.io.IOException; import java.security.Principal; import java.security.cert.X509Certificate; 
@@ -53,40 +50,42 @@ import org.apache.juli.logging.LogFactory; import org.apache.tomcat.util.ExceptionUtils; import org.apache.tomcat.util.res.StringManager; - /** * Basic implementation of the Valve interface that enforces the *elements in the web application - * deployment descriptor. This functionality is implemented as a Valve - * so that it can be omitted in environments that do not require these - * features. Individual implementations of each supported authentication - * method can subclass this base class as required. + * deployment descriptor. This functionality is implemented as a Valve so that + * it can be omitted in environments that do not require these features. + * Individual implementations of each supported authentication method can + * subclass this base class as required. * - * USAGE CONSTRAINT: When this class is utilized, the Context to - * which it is attached (or a parent Container in a hierarchy) must have an - * associated Realm that can be used for authenticating users and enumerating - * the roles to which they have been assigned. + * USAGE CONSTRAINT: When this class is utilized, the Context to which it + * is attached (or a parent Container in a hierarchy) must have an associated + * Realm that can be used for authenticating users and enumerating the roles to + * which they have been assigned. * - * USAGE CONSTRAINT: This Valve is only useful when processing HTTP - * requests. Requests of any other type will simply be passed through. + * USAGE CONSTRAINT: This Valve is only useful when processing HTTP + * requests. Requests of any other type will simply be passed through. * * @author Craig R. 
McClanahan */ - - public abstract class AuthenticatorBase extends ValveBase implements Authenticator { private final Log log = LogFactory.getLog(AuthenticatorBase.class); // must not be static +/** + * "Expires" header always set to Date(1), so generate once only + */ +private static final String DATE_ONE = ConcurrentDateFormat.formatRfc1123(new Date(1)); -//-- Constructor public AuthenticatorBase() { super(true); } -// - Instance Variables - +/** + * The string manager for this package. + */ +protected static final StringManager sm = StringManager.getManager(AuthenticatorBase.class); /** * Authentication header @@ -110,14 +109,12 @@ public abstract class AuthenticatorBase extends ValveBase */ protected boolean alwaysUseSession = false; - /** - * Should we cache authenticated Principals if the request is part of - * an HTT
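Review bot: in the @@ -53,40 +50,42 @@ hunk the new field `private static final String DATE_ONE = ConcurrentDateFormat.formatRfc1123(new Date(1));` uses `ConcurrentDateFormat` and `java.util.Date`, but no import for either appears in the visible hunks (the @@ -14,11 +14,8 @@ hunk only removes blank lines around the existing `java.io.IOException`, `java.security.Principal` and `java.security.cert.X509Certificate` imports). Since this is a backport aligning 7.0.x with 8.5.x, it is worth confirming that `ConcurrentDateFormat.formatRfc1123` exists on the 7.0.x branch and that the imports land in a hunk not shown here. A minor placement nit: `protected static final StringManager sm = StringManager.getManager(AuthenticatorBase.class);` is now declared after the constructor, between it and the instance variables, which departs from the constants-first layout used for `DATE_ONE` just above it.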
[Bug 63524] Private key must be accompanied by certificate chain
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524

--- Comment #10 from Christopher Schultz ---

I realize that this conversation is headed in another direction, but...

(In reply to Mark Thomas from comment #4)
> OpenSSL can handle DER quite happily but the code we added to enable you to
> switch seamlessly between OpenSSL and JSSE only works with PEM.

The hard part is detecting the DER file, not reading it. JSSE will happily read a DER file in the same way it reads a PEM-encoded file:

    import java.io.FileInputStream;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateFactory;

    FileInputStream fis = new FileInputStream("certificate.der");
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    Certificate cert = cf.generateCertificate(fis);

This will work with either raw DER or PEM-encoded DER files. There are no hard and fast rules for reading multiple certificates in DER format, so I think that DER files would have to be either single-cert only or we'd need to do some digging around to see how other software handles multiple certs without PEM encoding.

-- You are receiving this mail because: You are the assignee for the bug.
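The detection problem raised in the comment above (telling a DER file from a PEM one, and splitting a file that carries more than one DER certificate) can be handled without an X.509 parser by sniffing the first bytes and walking the outer ASN.1 TLV. The following is an added illustration and is not Tomcat's code nor anything from this bug; the heuristics it applies (treat the file as PEM if it contains a "-----BEGIN" armor line, otherwise as DER if the first byte is the SEQUENCE tag 0x30, and split concatenated DER at top-level SEQUENCE boundaries) are my own assumptions, and the sample blobs are minimal constructed SEQUENCEs, not real certificates.

```python
"""Sniff PEM vs DER and split a file into individual certificates.

Added example for the bug 63524 discussion; not Tomcat code.
Assumptions (mine, not from the thread):
  * PEM if a '-----BEGIN' armor line is present, else DER if the first
    byte is 0x30 (the SEQUENCE tag that starts every DER Certificate).
  * A multi-certificate DER file is just concatenated encodings, so it
    is split by walking top-level SEQUENCE TLVs.
"""
import base64
import re

# label, base64 body; the backreference forces matching BEGIN/END labels
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def detect_encoding(data: bytes) -> str:
    """Return 'PEM' or 'DER'; raise if the bytes look like neither."""
    if b"-----BEGIN " in data:
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    raise ValueError("neither PEM armor nor a DER SEQUENCE")


def der_length(data: bytes, pos: int):
    """Decode the length of the TLV at pos; return (length, content_offset)."""
    first = data[pos + 1]
    if first < 0x80:                      # short form: one byte
        return first, pos + 2
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not valid DER")
    length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
    return length, pos + 2 + n


def split_der(data: bytes):
    """Split concatenated DER SEQUENCEs into the individual encodings."""
    out, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x30:
            raise ValueError(f"expected SEQUENCE at offset {pos}, got 0x{data[pos]:02x}")
        length, start = der_length(data, pos)
        end = start + length
        if end > len(data):
            raise ValueError("truncated DER element")
        out.append(data[pos:end])
        pos = end
    return out


def split_pem(data: bytes):
    """Return (label, der_bytes) for every armored block in the file."""
    return [(m.group(1).decode(), base64.b64decode(m.group(2)))
            for m in PEM_RE.finditer(data)]


def load_certificates(data: bytes):
    """DER bytes of each certificate, whatever the container encoding."""
    if detect_encoding(data) == "PEM":
        # keys or CRLs sitting in the same PEM file are ignored here
        return [der for label, der in split_pem(data) if label == "CERTIFICATE"]
    return split_der(data)


def pem_encode(label: str, der: bytes) -> bytes:
    """Wrap DER in PEM armor (used to build the constructed sample below)."""
    body = base64.encodebytes(der).decode()   # 76-column lines, trailing newline
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode()


# Constructed stand-ins: valid SEQUENCE TLVs, not real certificates.
CERT_A = b"\x30\x03\x02\x01\x01"              # SEQUENCE { INTEGER 1 }
CERT_B = b"\x30\x05\x02\x01\x02\x05\x00"      # SEQUENCE { INTEGER 2, NULL }
CERT_LONG = b"\x30\x82\x01\x2c" + b"\x05\x00" * 150   # long-form length (300 bytes)

if __name__ == "__main__":
    bundle = pem_encode("CERTIFICATE", CERT_A) + \
        pem_encode("RSA PRIVATE KEY", b"\x30\x00") + \
        pem_encode("CERTIFICATE", CERT_B)
    print(detect_encoding(bundle), len(load_certificates(bundle)))
    print(detect_encoding(CERT_A + CERT_B), len(load_certificates(CERT_A + CERT_B)))
```

The DER branch is the interesting one: because every X.509 Certificate is a single outer SEQUENCE, counting top-level TLVs tells you how many certificates a raw file holds, and a length that runs past the end of the data is detected before anything is handed to a real parser.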
Re: [tomcat] 01/03: Add equivalent of openssl ciphers command
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 6/26/19 12:11, ma...@apache.org wrote: > This is an automated email from the ASF dual-hosted git > repository. > > markt pushed a commit to branch 8.5.x in repository > https://gitbox.apache.org/repos/asf/tomcat.git > > commit 44035e99349d7a5d8aa07e0a32aee30ee424ca66 Author: Mark Thomas > AuthorDate: Wed Jun 26 17:05:16 2019 +0100 > > Add equivalent of openssl ciphers command > > Backport of f8e8361 by schultz --- bin/ciphers.bat > | 58 + bin/ciphers.sh > | 60 ++ > .../ciphers/OpenSSLCipherConfigurationParser.java | 72 > ++ 3 files changed, 190 insertions(+) > > diff --git a/bin/ciphers.bat b/bin/ciphers.bat new file mode > 100755 index 000..914181b --- /dev/null +++ b/bin/ciphers.bat > @@ -0,0 +1,58 @@ +@echo off +rem Licensed to the Apache Software > Foundation (ASF) under one or more +rem contributor license > agreements. See the NOTICE file distributed with +rem this work > for additional information regarding copyright ownership. +rem The > ASF licenses this file to You under the Apache License, Version > 2.0 +rem (the "License"); you may not use this file except in > compliance with +rem the License. You may obtain a copy of the > License at +rem +rem > http://www.apache.org/licenses/LICENSE-2.0 +rem +rem Unless > required by applicable law or agreed to in writing, software +rem > distributed under the License is distributed on an "AS IS" BASIS, > +rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express > or implied. +rem See the License for the specific language > governing permissions and +rem limitations under the License. + > +rem > -- - - > > +rem Script to digest password using the algorithm specified > +rem > -- - - > > + I realize that this was originally my patch, but the above comment is incorrect. It's a copy/paste remnant of the original file (digest.bat). I'll fix it unless you get to it, first. [...] 
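Review bot: in addition to the stale "Script to digest password using the algorithm specified" header in the bin/ciphers.bat hunk, the file is added with `new file mode 100755`; the execute bit is meaningless for a Windows batch file, so it is worth checking that this matches how the other bin/*.bat scripts are committed rather than inheriting the mode of the copied digest script.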
> diff --git a/bin/ciphers.sh b/bin/ciphers.sh [...] + +# > -- - --- > > +# Script to digest password using the algorithm specified > +# > -- - ---

Same here.

-chris