[GitHub] [tomcat] markt-asf commented on pull request #517: Fix BZ 66089
markt-asf commented on PR #517:
URL: https://github.com/apache/tomcat/pull/517#issuecomment-1138227558

What is `CA.pl`? Can you point me towards that or provide an example cert/key Tomcat can't read? I'll add a test case for BZ 66089 to reduce the chances of similar regressions in the future. The patch looks right to me although I'd prefer to reverse the logic.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[GitHub] [tomcat] jfclere commented on pull request #517: Fix BZ 66089
jfclere commented on PR #517:
URL: https://github.com/apache/tomcat/pull/517#issuecomment-1138238940

CA.pl comes from openssl-perl. I think that EncryptedPrivateKeyInfo() doesn't detect the encryption algorithm correctly, maybe we have to give a value there.
[GitHub] [tomcat] rainerjung commented on pull request #517: Fix BZ 66089
rainerjung commented on PR #517:
URL: https://github.com/apache/tomcat/pull/517#issuecomment-1138241681

https://github.com/openssl/openssl/blob/master/apps/CA.pl.in
[tomcat] branch main updated: Fix regression that broke support for unencrypted PKCS#1 keys
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 314c31ea1e Fix regression that broke support for unencrypted PKCS#1 keys 314c31ea1e is described below commit 314c31ea1ec20daf3612409aabccd3c1bf0aad8c Author: Mark Thomas AuthorDate: Thu May 26 08:18:01 2022 +0100 Fix regression that broke support for unencrypted PKCS#1 keys --- java/org/apache/tomcat/util/net/jsse/PEMFile.java | 8 +++- test/org/apache/tomcat/util/net/jsse/TestPEMFile.java | 6 ++ webapps/docs/changelog.xml| 5 + 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java b/java/org/apache/tomcat/util/net/jsse/PEMFile.java index 80c585d3b8..03abf596d7 100644 --- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java +++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java @@ -143,7 +143,13 @@ public class PEMFile { privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8); break; case Part.RSA_PRIVATE_KEY: -privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS1); +if (part.algorithm == null) { +// If no encryption algorithm was detected, ignore any +// (probably default) key password provided. +privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1); +} else { +privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS1); +} break; case Part.CERTIFICATE: case Part.X509_CERTIFICATE: diff --git a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java index afefdebd1b..272295c3ab 100644 --- a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java +++ b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java 
@@ -40,6 +40,12 @@ public class TestPEMFile { } +@Test +public void testKeyPkcs1WithUnnecessaryPassword() throws Exception { +testKey(KEY_PKCS1, "ignore-me"); +} + + @Test public void testKeyEncryptedPkcs1DesEde3Cbc() throws Exception { testKeyEncrypted(KEY_ENCRYPTED_PKCS1_DES_EDE3_CBC); diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 89663f9cee..4236cc02a7 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -142,6 +142,11 @@ 66084: Correctly calculate bytes written to a response. Pull request 516 provided by aooohan HanLi. (markt) + +Correct a regression in the support added for encrypted PKCS#1 formatted +private keys in the previous release that broke support for unencrypted +PKCS#1 formatted private keys. (jfclere/markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
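Review bot: In the `Part.RSA_PRIVATE_KEY` case of PEMFile.java, a configured password is now discarded without any trace when `part.algorithm == null`, so an operator who supplied a password in the belief that the key file is encrypted gets no hint that it is stored in the clear. Consider a debug-level log message when a non-null password is ignored. The two branches also differ only in their first argument, so a single call such as `part.toPrivateKey(part.algorithm == null ? null : password, keyAlgorithm, Format.PKCS1)` would avoid the duplicated line.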
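Review bot: In TestPEMFile.java, `testKeyPkcs1WithUnnecessaryPassword` covers only the new `part.algorithm == null` branch; the hunk adds nothing for the opposite mistake, an encrypted PKCS#1 key loaded with no password. If that case is not already covered elsewhere in the class, a test asserting that it fails with a clear error would pin down both sides of the new condition. The hunk also leaves two blank lines after the new method where the surrounding code appears to use one.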
[tomcat] branch 10.0.x updated: Fix regression that broke support for unencrypted PKCS#1 keys
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new 39c4f5ee74 Fix regression that broke support for unencrypted PKCS#1 keys 39c4f5ee74 is described below commit 39c4f5ee7412550a44ffe694f0bf2e3efa091212 Author: Mark Thomas AuthorDate: Thu May 26 08:18:01 2022 +0100 Fix regression that broke support for unencrypted PKCS#1 keys --- java/org/apache/tomcat/util/net/jsse/PEMFile.java | 8 +++- test/org/apache/tomcat/util/net/jsse/TestPEMFile.java | 6 ++ webapps/docs/changelog.xml| 5 + 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java b/java/org/apache/tomcat/util/net/jsse/PEMFile.java index 80c585d3b8..03abf596d7 100644 --- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java +++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java @@ -143,7 +143,13 @@ public class PEMFile { privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8); break; case Part.RSA_PRIVATE_KEY: -privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS1); +if (part.algorithm == null) { +// If no encryption algorithm was detected, ignore any +// (probably default) key password provided. +privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1); +} else { +privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS1); +} break; case Part.CERTIFICATE: case Part.X509_CERTIFICATE: diff --git a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java index 7adba1d6ab..2ee54e26e1 100644 --- a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java +++ b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java 
@@ -40,6 +40,12 @@ public class TestPEMFile { } +@Test +public void testKeyPkcs1WithUnnecessaryPassword() throws Exception { +testKey(KEY_PKCS1, "ignore-me"); +} + + @Test public void testKeyEncryptedPkcs1DesEde3Cbc() throws Exception { testKeyEncrypted(KEY_ENCRYPTED_PKCS1_DES_EDE3_CBC); diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index bf63f17215..299e68b331 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -137,6 +137,11 @@ 66084: Correctly calculate bytes written to a response. Pull request 516 provided by aooohan HanLi. (markt) + +Correct a regression in the support added for encrypted PKCS#1 formatted +private keys in the previous release that broke support for unencrypted +PKCS#1 formatted private keys. (jfclere/markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Fix regression that broke support for unencrypted PKCS#1 keys
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new d2c5f957cf Fix regression that broke support for unencrypted PKCS#1 keys d2c5f957cf is described below commit d2c5f957cfa80a3c84b938756c0fd1050043ea27 Author: Mark Thomas AuthorDate: Thu May 26 08:18:01 2022 +0100 Fix regression that broke support for unencrypted PKCS#1 keys --- java/org/apache/tomcat/util/net/jsse/PEMFile.java | 8 +++- test/org/apache/tomcat/util/net/jsse/TestPEMFile.java | 6 ++ webapps/docs/changelog.xml| 5 + 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java b/java/org/apache/tomcat/util/net/jsse/PEMFile.java index 80c585d3b8..03abf596d7 100644 --- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java +++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java @@ -143,7 +143,13 @@ public class PEMFile { privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8); break; case Part.RSA_PRIVATE_KEY: -privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS1); +if (part.algorithm == null) { +// If no encryption algorithm was detected, ignore any +// (probably default) key password provided. +privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1); +} else { +privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS1); +} break; case Part.CERTIFICATE: case Part.X509_CERTIFICATE: diff --git a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java index 7adba1d6ab..2ee54e26e1 100644 --- a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java +++ b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java 
@@ -40,6 +40,12 @@ public class TestPEMFile { } +@Test +public void testKeyPkcs1WithUnnecessaryPassword() throws Exception { +testKey(KEY_PKCS1, "ignore-me"); +} + + @Test public void testKeyEncryptedPkcs1DesEde3Cbc() throws Exception { testKeyEncrypted(KEY_ENCRYPTED_PKCS1_DES_EDE3_CBC); diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 504a56ad06..8d150c2a5e 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -137,6 +137,11 @@ 66084: Correctly calculate bytes written to a response. Pull request 516 provided by aooohan HanLi. (markt) + +Correct a regression in the support added for encrypted PKCS#1 formatted +private keys in the previous release that broke support for unencrypted +PKCS#1 formatted private keys. (jfclere/markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Fix regression that broke support for unencrypted PKCS#1 keys
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 7de16c3460 Fix regression that broke support for unencrypted PKCS#1 keys 7de16c3460 is described below commit 7de16c34600328642da8480f28882d5df37d1b45 Author: Mark Thomas AuthorDate: Thu May 26 08:18:01 2022 +0100 Fix regression that broke support for unencrypted PKCS#1 keys --- java/org/apache/tomcat/util/net/jsse/PEMFile.java | 8 +++- test/org/apache/tomcat/util/net/jsse/TestPEMFile.java | 6 ++ webapps/docs/changelog.xml| 5 + 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java b/java/org/apache/tomcat/util/net/jsse/PEMFile.java index d758bf43e8..0866fcf1ea 100644 --- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java +++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java @@ -143,7 +143,13 @@ public class PEMFile { privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8); break; case Part.RSA_PRIVATE_KEY: -privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS1); +if (part.algorithm == null) { +// If no encryption algorithm was detected, ignore any +// (probably default) key password provided. +privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1); +} else { +privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS1); +} break; case Part.CERTIFICATE: case Part.X509_CERTIFICATE: diff --git a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java index 7adba1d6ab..2ee54e26e1 100644 --- a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java +++ b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java 
@@ -40,6 +40,12 @@ public class TestPEMFile { } +@Test +public void testKeyPkcs1WithUnnecessaryPassword() throws Exception { +testKey(KEY_PKCS1, "ignore-me"); +} + + @Test public void testKeyEncryptedPkcs1DesEde3Cbc() throws Exception { testKeyEncrypted(KEY_ENCRYPTED_PKCS1_DES_EDE3_CBC); diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 7d430b94bb..83a418b72c 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -133,6 +133,11 @@ 66084: Correctly calculate bytes written to a response. Pull request 516 provided by aooohan HanLi. (markt) + +Correct a regression in the support added for encrypted PKCS#1 formatted +private keys in the previous release that broke support for unencrypted +PKCS#1 formatted private keys. (jfclere/markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 66089] Tomcat 9.0.63 won't start when used with a SSL certificate containing a RSA Private Key
https://bz.apache.org/bugzilla/show_bug.cgi?id=66089

Mark Thomas changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from Mark Thomas ---
Thanks for reporting this.

Fixed in:
- 10.1.x for 10.1.0-M16 onwards
- 10.0.x for 10.0.22 onwards
- 9.0.x for 9.0.64 onwards
- 8.5.x for 8.5.80 onwards
[GitHub] [tomcat] markt-asf commented on pull request #517: Fix BZ 66089
markt-asf commented on PR #517:
URL: https://github.com/apache/tomcat/pull/517#issuecomment-1138244693

Have you got a test file (or files) that I can use to add to `TestPEMFile`? That would save me having to set up the test CA and figure out which options create the problematic cert(s).
[GitHub] [tomcat] markt-asf commented on pull request #517: Fix BZ 66089
markt-asf commented on PR #517:
URL: https://github.com/apache/tomcat/pull/517#issuecomment-1138257773

OK. I think I have a test key to work with. Investigating now.
[GitHub] [tomcat] jfclere commented on pull request #517: Fix BZ 66089
jfclere commented on PR #517:
URL: https://github.com/apache/tomcat/pull/517#issuecomment-1138257995

    [jfclere@ovpn-113-163 SERVER]$ openssl asn1parse -i -in newkey.pem
    0:d=0 hl=4 l=1308 cons: SEQUENCE
    4:d=1 hl=2 l= 78 cons: SEQUENCE
    6:d=2 hl=2 l= 9 prim: OBJECT:PBES2
    17:d=2 hl=2 l= 65 cons: SEQUENCE
    19:d=3 hl=2 l= 41 cons:SEQUENCE
    21:d=4 hl=2 l= 9 prim: OBJECT:PBKDF2
    32:d=4 hl=2 l= 28 cons: SEQUENCE
    34:d=5 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:828AD2138778D5B1
    44:d=5 hl=2 l= 2 prim: INTEGER :0800
    48:d=5 hl=2 l= 12 cons: SEQUENCE
    50:d=6 hl=2 l= 8 prim: OBJECT:hmacWithSHA256
    60:d=6 hl=2 l= 0 prim: NULL
    62:d=3 hl=2 l= 20 cons:SEQUENCE
    64:d=4 hl=2 l= 8 prim: OBJECT:des-ede3-cbc
    74:d=4 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:1EEB7F2CE426CE89
    84:d=1 hl=4 l=1224 prim: OCTET STRING [HEX DUMP]:6506E6598C386F61268DDFA3A9ED485F1F3BF0B6BE9B2C8C540B4206997352483F8A8A1C38EA7CD91A0F800DA
[GitHub] [tomcat] rainerjung commented on pull request #517: Fix BZ 66089
rainerjung commented on PR #517:
URL: https://github.com/apache/tomcat/pull/517#issuecomment-1138258790

Not sure that helps: an encrypted key file is for example:

    -----BEGIN ENCRYPTED PRIVATE KEY-----
    ...
    -----END ENCRYPTED PRIVATE KEY-----

It can be read via "openssl pkey -in newkey.pem -text", pass is "changeit". CA.pl created it by calling

    openssl req -new -keyout newkey.pem -out newreq.pem -days 365
    Ignoring -days; not generating a certificate
    Generating a RSA private key
    .+ ...+
    writing new private key to 'newkey.pem'
[GitHub] [tomcat] markt-asf commented on pull request #517: Fix BZ 66089
markt-asf commented on PR #517:
URL: https://github.com/apache/tomcat/pull/517#issuecomment-1138259389

Yes, we are looking at the same thing. Just started to debug things.
[GitHub] [tomcat] rainerjung commented on pull request #517: Fix BZ 66089
rainerjung commented on PR #517:
URL: https://github.com/apache/tomcat/pull/517#issuecomment-1138275372

Maybe unrelated, but the OpenSSL docs mention: "Make PKCS#8 the default write format for private keys, replacing the traditional format. This form is standardised, more secure and doesn't include an implicit MD5 dependency."

So e.g. "openssl pkey" has a "-traditional" flag to support the old PEM encoding. My example was generated with OpenSSL 3.0.3.

Some info points at PKCS#1 to be the traditional format?
[GitHub] [tomcat] markt-asf commented on pull request #517: Fix BZ 66089
markt-asf commented on PR #517:
URL: https://github.com/apache/tomcat/pull/517#issuecomment-1138280071

The issue appears to be the cipher algorithm `des-ede3-cbc`. Java is expecting AES. I'm currently looking to see if I can find a way around this.
[GitHub] [tomcat] markt-asf commented on pull request #517: Fix BZ 66089
markt-asf commented on PR #517:
URL: https://github.com/apache/tomcat/pull/517#issuecomment-1138382006

The short answer is that there isn't a way around this that doesn't involve installing an additional JCE provider such as BouncyCastle. The built-in provider does not support this particular form of PBE.
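An added example (not from the thread and not Tomcat's code): a Python check that classifies a PEM private key by its container and, for a PKCS#8 `ENCRYPTED PRIVATE KEY`, reads the PBES2 parameters without decrypting anything, so a key using `des-ede3-cbc` can be spotted before deployment. The function names are assumptions; the sample header reuses the field values from the asn1parse output earlier in the thread, with constructed placeholder ciphertext.

```python
import base64
import re

# OIDs named in the asn1parse output quoted in the thread, plus the default PRF.
OIDS = {
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.2.7": "hmacWithSHA1",
    "1.2.840.113549.2.9": "hmacWithSHA256",
    "1.2.840.113549.3.7": "des-ede3-cbc",
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    out, pos = [], 0
    while pos < len(value):  # split a constructed element into (tag, value) pairs
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def oid_name(value):
    """Decode OBJECT IDENTIFIER contents to a known name or dotted string."""
    subs, cur = [], 0
    for b in value:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(cur)
            cur = 0
    first = min(subs[0] // 40, 2)
    dotted = ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))
    return OIDS.get(dotted, dotted)


def pkcs8_encryption(der_bytes):
    """Read the encryption AlgorithmIdentifier of an EncryptedPrivateKeyInfo."""
    _, outer, _ = read_tlv(der_bytes, 0)
    alg = children(children(outer)[0][1])
    info = {"scheme": oid_name(alg[0][1])}
    if info["scheme"] != "PBES2":
        return info
    kdf_seq, enc_seq = children(alg[1][1])
    kdf = children(kdf_seq[1])
    kdf_params = children(kdf[1][1])  # salt, iterationCount, [keyLength], [prf]
    prfs = [oid_name(children(v)[0][1]) for t, v in kdf_params[2:] if t == 0x30]
    info["kdf"] = oid_name(kdf[0][1])
    info["iterations"] = int.from_bytes(kdf_params[1][1], "big")
    info["prf"] = prfs[0] if prfs else "hmacWithSHA1"  # RFC 8018 default
    info["cipher"] = oid_name(children(enc_seq[1])[0][1])
    return info


def describe_key(pem_text):
    """Classify the first private key block in pem_text without decrypting it."""
    for label, body in PEM_RE.findall(pem_text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = dict(ln.split(": ", 1) for ln in lines if ": " in ln)
        if label == "RSA PRIVATE KEY":  # PKCS#1, the "traditional" format
            dek = headers.get("DEK-Info")  # present only when the key is encrypted
            return {"format": "PKCS#1", "encrypted": dek is not None,
                    "cipher": dek.split(",")[0].lower() if dek else None}
        if label == "PRIVATE KEY":
            return {"format": "PKCS#8", "encrypted": False}
        if label == "ENCRYPTED PRIVATE KEY":
            der_bytes = base64.b64decode("".join(ln for ln in lines if ": " not in ln))
            return {"format": "PKCS#8", "encrypted": True, **pkcs8_encryption(der_bytes)}
    raise ValueError("no private key block found")


# Constructed sample: header fields from the thread's asn1parse output, dummy ciphertext.
SAMPLE_DER = bytes.fromhex(
    "3062" "304e" "06092a864886f70d01050d"                # outer, AlgorithmIdentifier, PBES2
    "3041" "3029" "06092a864886f70d01050c"                # PBES2 params, KDF, PBKDF2
    "301c" "0408828ad2138778d5b1" "02020800"              # salt, iteration count
    "300c" "06082a864886f70d0209" "0500"                  # prf hmacWithSHA256, NULL
    "3014" "06082a864886f70d0307" "04081eeb7f2ce426ce89"  # des-ede3-cbc, IV
    "0410" + "00" * 16                                    # 16 zero bytes as placeholder
)
SAMPLE_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END ENCRYPTED PRIVATE KEY-----\n")
```

A PKCS#1 result with `encrypted` false is the unencrypted-key case the commit above restores; a PKCS#8 result whose cipher is `des-ede3-cbc` is the combination the thread reports the built-in JCE provider cannot read.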
[GitHub] [tomcat] markt-asf closed pull request #517: Fix BZ 66089
markt-asf closed pull request #517: Fix BZ 66089
URL: https://github.com/apache/tomcat/pull/517
[tomcat] branch main updated: Make max HTTP header size descriptions more specific
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 8acd6e3c8f Make max HTTP header size descriptions more specific 8acd6e3c8f is described below commit 8acd6e3c8f045ff9f73f32d89b16883886b44c4d Author: Mark Thomas AuthorDate: Thu May 26 11:53:41 2022 +0100 Make max HTTP header size descriptions more specific --- webapps/docs/changelog.xml | 5 + webapps/docs/config/http.xml | 24 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 4236cc02a7..81da073f1b 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -180,6 +180,11 @@ application to reflect changes in required Java version and source repository. (markt) + +Documentation. Make the description of the HTTP/1.1 configuration +attributes that control the maximum allowed HTTP header size more +specific. (markt) + diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml index ea10297737..7eb6a727d4 100644 --- a/webapps/docs/config/http.xml +++ b/webapps/docs/config/http.xml 
@@ -508,20 +508,28 @@ - The maximum size of the request and response HTTP header, specified - in bytes. If not specified, this attribute is set to 8192 (8 KB). + Provides the default value for + maxHttpRequestHeaderSize and + maxHttpResponseHeaderSize. If not specified, this + attribute is set to 8192 (8 KB). - The maximum size of the request HTTP header, specified - in bytes. If not specified, this attribute is set to the value of - the maxHttpHeaderSize attribute. + The maximum permitted size of the request line and headers associated + with an HTTP request, specified in bytes. This is compared to the number + of bytes received so includes line terminators and whitespace as well as + the request line, header names and header values. If not specified, this + attribute is set to the value of the maxHttpHeaderSize + attribute. - The maximum size of the response HTTP header, specified - in bytes. If not specified, this attribute is set to the value of - the maxHttpHeaderSize attribute. + The maximum permitted size of the response line and headers associated + with an HTTP response, specified in bytes. This is compared to the number + of bytes written so includes line terminators and whitespace as well as + the status line, header names and header values. If not specified, this + attribute is set to the value of the maxHttpHeaderSize + attribute. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
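Review bot: In the reworded `maxHttpHeaderSize` description in http.xml, the phrase "specified in bytes" is dropped, so the unit can only be inferred from "8192 (8 KB)" or from the two attributes it now defaults. Operators set this value as a hard limit on header size, so state the unit explicitly, for example "Provides the default value, specified in bytes, for maxHttpRequestHeaderSize and maxHttpResponseHeaderSize."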
[tomcat] branch 10.0.x updated: Make max HTTP header size descriptions more specific
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new 5d2c505797 Make max HTTP header size descriptions more specific 5d2c505797 is described below commit 5d2c505797fc4eecf8388131777a6ed873ad9746 Author: Mark Thomas AuthorDate: Thu May 26 11:53:41 2022 +0100 Make max HTTP header size descriptions more specific --- webapps/docs/changelog.xml | 5 + webapps/docs/config/http.xml | 24 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 299e68b331..ed5149be66 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -159,6 +159,11 @@ application to reflect changes in required Java version and source repository. (markt) + +Documentation. Make the description of the HTTP/1.1 configuration +attributes that control the maximum allowed HTTP header size more +specific. (markt) + diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml index 1eb51c9987..06283c7058 100644 --- a/webapps/docs/config/http.xml +++ b/webapps/docs/config/http.xml 
@@ -518,20 +518,28 @@ - The maximum size of the request and response HTTP header, specified - in bytes. If not specified, this attribute is set to 8192 (8 KB). + Provides the default value for + maxHttpRequestHeaderSize and + maxHttpResponseHeaderSize. If not specified, this + attribute is set to 8192 (8 KB). - The maximum size of the request HTTP header, specified - in bytes. If not specified, this attribute is set to the value of - the maxHttpHeaderSize attribute. + The maximum permitted size of the request line and headers associated + with an HTTP request, specified in bytes. This is compared to the number + of bytes received so includes line terminators and whitespace as well as + the request line, header names and header values. If not specified, this + attribute is set to the value of the maxHttpHeaderSize + attribute. - The maximum size of the response HTTP header, specified - in bytes. If not specified, this attribute is set to the value of - the maxHttpHeaderSize attribute. + The maximum permitted size of the response line and headers associated + with an HTTP response, specified in bytes. This is compared to the number + of bytes written so includes line terminators and whitespace as well as + the status line, header names and header values. If not specified, this + attribute is set to the value of the maxHttpHeaderSize + attribute. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Make max HTTP header size descriptions more specific
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new ae1e384073 Make max HTTP header size descriptions more specific ae1e384073 is described below commit ae1e384073cacd27d761b44bb6e29174bcfffa68 Author: Mark Thomas AuthorDate: Thu May 26 11:53:41 2022 +0100 Make max HTTP header size descriptions more specific --- webapps/docs/changelog.xml | 5 + webapps/docs/config/http.xml | 24 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 8d150c2a5e..0f63acc72c 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -159,6 +159,11 @@ application to reflect changes in required Java version and source repository. (markt) + +Documentation. Make the description of the HTTP/1.1 configuration +attributes that control the maximum allowed HTTP header size more +specific. (markt) + diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml index e01a8666e3..fb311aa849 100644 --- a/webapps/docs/config/http.xml +++ b/webapps/docs/config/http.xml 
@@ -514,20 +514,28 @@ - The maximum size of the request and response HTTP header, specified - in bytes. If not specified, this attribute is set to 8192 (8 KB). + Provides the default value for + maxHttpRequestHeaderSize and + maxHttpResponseHeaderSize. If not specified, this + attribute is set to 8192 (8 KB). - The maximum size of the request HTTP header, specified - in bytes. If not specified, this attribute is set to the value of - the maxHttpHeaderSize attribute. + The maximum permitted size of the request line and headers associated + with an HTTP request, specified in bytes. This is compared to the number + of bytes received so includes line terminators and whitespace as well as + the request line, header names and header values. If not specified, this + attribute is set to the value of the maxHttpHeaderSize + attribute. - The maximum size of the response HTTP header, specified - in bytes. If not specified, this attribute is set to the value of - the maxHttpHeaderSize attribute. + The maximum permitted size of the response line and headers associated + with an HTTP response, specified in bytes. This is compared to the number + of bytes written so includes line terminators and whitespace as well as + the status line, header names and header values. If not specified, this + attribute is set to the value of the maxHttpHeaderSize + attribute. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Make max HTTP header size descriptions more specific
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 2b8b27b742 Make max HTTP header size descriptions more specific 2b8b27b742 is described below commit 2b8b27b74272a4fc280686cbc1133966d95fb861 Author: Mark Thomas AuthorDate: Thu May 26 11:53:41 2022 +0100 Make max HTTP header size descriptions more specific --- webapps/docs/changelog.xml | 5 + webapps/docs/config/http.xml | 24 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 83a418b72c..7908a14682 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -155,6 +155,11 @@ application to reflect changes in required Java version and source repository. (markt) + +Documentation. Make the description of the HTTP/1.1 configuration +attributes that control the maximum allowed HTTP header size more +specific. (markt) + diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml index fd393a777c..412cf50ded 100644 --- a/webapps/docs/config/http.xml +++ b/webapps/docs/config/http.xml 
@@ -518,20 +518,28 @@ - The maximum size of the request and response HTTP header, specified - in bytes. If not specified, this attribute is set to 8192 (8 KB). + Provides the default value for + maxHttpRequestHeaderSize and + maxHttpResponseHeaderSize. If not specified, this + attribute is set to 8192 (8 KB). - The maximum size of the request HTTP header, specified - in bytes. If not specified, this attribute is set to the value of - the maxHttpHeaderSize attribute. + The maximum permitted size of the request line and headers associated + with an HTTP request, specified in bytes. This is compared to the number + of bytes received so includes line terminators and whitespace as well as + the request line, header names and header values. If not specified, this + attribute is set to the value of the maxHttpHeaderSize + attribute. - The maximum size of the response HTTP header, specified - in bytes. If not specified, this attribute is set to the value of - the maxHttpHeaderSize attribute. + The maximum permitted size of the response line and headers associated + with an HTTP response, specified in bytes. This is compared to the number + of bytes written so includes line terminators and whitespace as well as + the status line, header names and header values. If not specified, this + attribute is set to the value of the maxHttpHeaderSize + attribute. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
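Review bot: In the new response header paragraph of http.xml the same element is called "the response line" in the first sentence and "the status line" in the second. Use "status line" in both places, the way the request paragraph uses "request line" throughout, so that readers sizing the limit do not wonder whether two different things are being counted.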
[tomcat] branch main updated: Fix BZ 66068. Persist changes made by RemoteIpValve for async requests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new c52e7f9d83 Fix BZ 66068. Persist changes made by RemoteIpValve for async requests c52e7f9d83 is described below commit c52e7f9d830159d9933c2e301b58b4174c7dfcd3 Author: Mark Thomas AuthorDate: Thu May 26 14:21:03 2022 +0100 Fix BZ 66068. Persist changes made by RemoteIpValve for async requests --- java/org/apache/catalina/valves/RemoteIpValve.java | 44 +++--- webapps/docs/changelog.xml | 5 +++ 2 files changed, 28 insertions(+), 21 deletions(-) diff --git a/java/org/apache/catalina/valves/RemoteIpValve.java b/java/org/apache/catalina/valves/RemoteIpValve.java index e2cd6d396a..7320acea3e 100644 --- a/java/org/apache/catalina/valves/RemoteIpValve.java +++ b/java/org/apache/catalina/valves/RemoteIpValve.java 
@@ -740,28 +740,30 @@ public class RemoteIpValve extends ValveBase { try { getNext().invoke(request, response); } finally { -request.setRemoteAddr(originalRemoteAddr); -request.setRemoteHost(originalRemoteHost); -request.setSecure(originalSecure); -request.getCoyoteRequest().scheme().setString(originalScheme); - request.getCoyoteRequest().serverName().setString(originalServerName); -if (isChangeLocalName()) { - request.getCoyoteRequest().localName().setString(originalLocalName); -} -request.setServerPort(originalServerPort); -request.setLocalPort(originalLocalPort); - -MimeHeaders headers = request.getCoyoteRequest().getMimeHeaders(); -if (originalProxiesHeader == null || originalProxiesHeader.length() == 0) { -headers.removeHeader(proxiesHeader); -} else { - headers.setValue(proxiesHeader).setString(originalProxiesHeader); -} +if (!request.isAsync()) { +request.setRemoteAddr(originalRemoteAddr); +request.setRemoteHost(originalRemoteHost); +request.setSecure(originalSecure); +request.getCoyoteRequest().scheme().setString(originalScheme); + request.getCoyoteRequest().serverName().setString(originalServerName); +if (isChangeLocalName()) { + request.getCoyoteRequest().localName().setString(originalLocalName); +} +request.setServerPort(originalServerPort); +request.setLocalPort(originalLocalPort); + +MimeHeaders headers = request.getCoyoteRequest().getMimeHeaders(); +if (originalProxiesHeader == null || originalProxiesHeader.length() == 0) { +headers.removeHeader(proxiesHeader); +} else { + headers.setValue(proxiesHeader).setString(originalProxiesHeader); +} -if (originalRemoteIpHeader == null || originalRemoteIpHeader.length() == 0) { -headers.removeHeader(remoteIpHeader); -} else { - headers.setValue(remoteIpHeader).setString(originalRemoteIpHeader); +if (originalRemoteIpHeader == null || originalRemoteIpHeader.length() == 0) { +headers.removeHeader(remoteIpHeader); +} else { + headers.setValue(remoteIpHeader).setString(originalRemoteIpHeader); +} } } } 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 81da073f1b..c2dc7f7e38 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -124,6 +124,11 @@ 515: Avoid deadlock on startup with some utility executor configurations. Submitted by Han Li. (remm) + +66068: Ensure that the changes made to a request by the +RemoteIPValve persist after the request is put into +asynchronous mode. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
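Review bot: With the restore wrapped in `if (!request.isAsync())` in the `finally` block of RemoteIpValve.java, nothing in this hunk puts back `originalRemoteAddr`, `originalSecure`, `originalScheme` or the `proxiesHeader` and `remoteIpHeader` values once a request has gone async. Please confirm that request recycling resets every field the valve overrides, so that values taken from forwarded headers cannot carry over to a later request served by the same object, and add a short comment above the guard naming BZ 66068 as the reason the restore is skipped.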
[tomcat] branch 10.0.x updated: Fix BZ 66068. Persist changes made by RemoteIpValve for async requests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new 95b9422d78 Fix BZ 66068. Persist changes made by RemoteIpValve for async requests 95b9422d78 is described below commit 95b9422d785a34232e3b1bb679b0f974e58382ae Author: Mark Thomas AuthorDate: Thu May 26 14:21:03 2022 +0100 Fix BZ 66068. Persist changes made by RemoteIpValve for async requests --- java/org/apache/catalina/valves/RemoteIpValve.java | 44 +++--- webapps/docs/changelog.xml | 5 +++ 2 files changed, 28 insertions(+), 21 deletions(-) diff --git a/java/org/apache/catalina/valves/RemoteIpValve.java b/java/org/apache/catalina/valves/RemoteIpValve.java index fcae2288e6..ea43c6ba71 100644 --- a/java/org/apache/catalina/valves/RemoteIpValve.java +++ b/java/org/apache/catalina/valves/RemoteIpValve.java 
@@ -768,28 +768,30 @@ public class RemoteIpValve extends ValveBase { try { getNext().invoke(request, response); } finally { -request.setRemoteAddr(originalRemoteAddr); -request.setRemoteHost(originalRemoteHost); -request.setSecure(originalSecure); -request.getCoyoteRequest().scheme().setString(originalScheme); - request.getCoyoteRequest().serverName().setString(originalServerName); -if (isChangeLocalName()) { - request.getCoyoteRequest().localName().setString(originalLocalName); -} -request.setServerPort(originalServerPort); -request.setLocalPort(originalLocalPort); - -MimeHeaders headers = request.getCoyoteRequest().getMimeHeaders(); -if (originalProxiesHeader == null || originalProxiesHeader.length() == 0) { -headers.removeHeader(proxiesHeader); -} else { - headers.setValue(proxiesHeader).setString(originalProxiesHeader); -} +if (!request.isAsync()) { +request.setRemoteAddr(originalRemoteAddr); +request.setRemoteHost(originalRemoteHost); +request.setSecure(originalSecure); +request.getCoyoteRequest().scheme().setString(originalScheme); + request.getCoyoteRequest().serverName().setString(originalServerName); +if (isChangeLocalName()) { + request.getCoyoteRequest().localName().setString(originalLocalName); +} +request.setServerPort(originalServerPort); +request.setLocalPort(originalLocalPort); + +MimeHeaders headers = request.getCoyoteRequest().getMimeHeaders(); +if (originalProxiesHeader == null || originalProxiesHeader.length() == 0) { +headers.removeHeader(proxiesHeader); +} else { + headers.setValue(proxiesHeader).setString(originalProxiesHeader); +} -if (originalRemoteIpHeader == null || originalRemoteIpHeader.length() == 0) { -headers.removeHeader(remoteIpHeader); -} else { - headers.setValue(remoteIpHeader).setString(originalRemoteIpHeader); +if (originalRemoteIpHeader == null || originalRemoteIpHeader.length() == 0) { +headers.removeHeader(remoteIpHeader); +} else { + headers.setValue(remoteIpHeader).setString(originalRemoteIpHeader); +} } } } 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index ed5149be66..30fcd1749c 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -124,6 +124,11 @@ 515: Avoid deadlock on startup with some utility executor configurations. Submitted by Han Li. (remm) + +66068: Ensure that the changes made to a request by the +RemoteIPValve persist after the request is put into +asynchronous mode. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
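Review bot: The diffstat lists only RemoteIpValve.java and changelog.xml, so the new `!request.isAsync()` branch ships without a test. A regression test that puts a request into asynchronous mode behind the valve and then checks the remote address and scheme it reports would pin the behaviour BZ 66068 describes on this branch as well as on main.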
[tomcat] branch 9.0.x updated: Fix BZ 66068. Persist changes made by RemoteIpValve for async requests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 437b060c96 Fix BZ 66068. Persist changes made by RemoteIpValve for async requests 437b060c96 is described below commit 437b060c9661c293e36d5e3eba2738953920802e Author: Mark Thomas AuthorDate: Thu May 26 14:21:03 2022 +0100 Fix BZ 66068. Persist changes made by RemoteIpValve for async requests --- java/org/apache/catalina/valves/RemoteIpValve.java | 44 +++--- webapps/docs/changelog.xml | 5 +++ 2 files changed, 28 insertions(+), 21 deletions(-) diff --git a/java/org/apache/catalina/valves/RemoteIpValve.java b/java/org/apache/catalina/valves/RemoteIpValve.java index 8f85900398..45b99695ec 100644 --- a/java/org/apache/catalina/valves/RemoteIpValve.java +++ b/java/org/apache/catalina/valves/RemoteIpValve.java 
@@ -768,28 +768,30 @@ public class RemoteIpValve extends ValveBase { try { getNext().invoke(request, response); } finally { -request.setRemoteAddr(originalRemoteAddr); -request.setRemoteHost(originalRemoteHost); -request.setSecure(originalSecure); -request.getCoyoteRequest().scheme().setString(originalScheme); - request.getCoyoteRequest().serverName().setString(originalServerName); -if (isChangeLocalName()) { - request.getCoyoteRequest().localName().setString(originalLocalName); -} -request.setServerPort(originalServerPort); -request.setLocalPort(originalLocalPort); - -MimeHeaders headers = request.getCoyoteRequest().getMimeHeaders(); -if (originalProxiesHeader == null || originalProxiesHeader.length() == 0) { -headers.removeHeader(proxiesHeader); -} else { - headers.setValue(proxiesHeader).setString(originalProxiesHeader); -} +if (!request.isAsync()) { +request.setRemoteAddr(originalRemoteAddr); +request.setRemoteHost(originalRemoteHost); +request.setSecure(originalSecure); +request.getCoyoteRequest().scheme().setString(originalScheme); + request.getCoyoteRequest().serverName().setString(originalServerName); +if (isChangeLocalName()) { + request.getCoyoteRequest().localName().setString(originalLocalName); +} +request.setServerPort(originalServerPort); +request.setLocalPort(originalLocalPort); + +MimeHeaders headers = request.getCoyoteRequest().getMimeHeaders(); +if (originalProxiesHeader == null || originalProxiesHeader.length() == 0) { +headers.removeHeader(proxiesHeader); +} else { + headers.setValue(proxiesHeader).setString(originalProxiesHeader); +} -if (originalRemoteIpHeader == null || originalRemoteIpHeader.length() == 0) { -headers.removeHeader(remoteIpHeader); -} else { - headers.setValue(remoteIpHeader).setString(originalRemoteIpHeader); +if (originalRemoteIpHeader == null || originalRemoteIpHeader.length() == 0) { +headers.removeHeader(remoteIpHeader); +} else { + headers.setValue(remoteIpHeader).setString(originalRemoteIpHeader); +} } } } 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 0f63acc72c..5cce3330fb 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -124,6 +124,11 @@ 515: Avoid deadlock on startup with some utility executor configurations. Submitted by Han Li. (remm) + +66068: Ensure that the changes made to a request by the +RemoteIPValve persist after the request is put into +asynchronous mode. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
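Review bot: `request.isAsync()` is read once, in the `finally` block after `getNext().invoke(request, response)` has returned, so whether the originals are restored depends on the async state at that moment. A comment next to the guard should say what is expected when the application starts and finishes asynchronous processing before this line runs, since the check may then see a request that is no longer async and restore the original values as before.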
[tomcat] branch 8.5.x updated: Fix BZ 66068. Persist changes made by RemoteIpValve for async requests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new bf8a434cab Fix BZ 66068. Persist changes made by RemoteIpValve for async requests bf8a434cab is described below commit bf8a434cab67a45fa5e5c3a584753f0026b259d3 Author: Mark Thomas AuthorDate: Thu May 26 14:21:03 2022 +0100 Fix BZ 66068. Persist changes made by RemoteIpValve for async requests --- java/org/apache/catalina/valves/RemoteIpValve.java | 44 +++--- webapps/docs/changelog.xml | 5 +++ 2 files changed, 28 insertions(+), 21 deletions(-) diff --git a/java/org/apache/catalina/valves/RemoteIpValve.java b/java/org/apache/catalina/valves/RemoteIpValve.java index 8f85900398..45b99695ec 100644 --- a/java/org/apache/catalina/valves/RemoteIpValve.java +++ b/java/org/apache/catalina/valves/RemoteIpValve.java 
@@ -768,28 +768,30 @@ public class RemoteIpValve extends ValveBase { try { getNext().invoke(request, response); } finally { -request.setRemoteAddr(originalRemoteAddr); -request.setRemoteHost(originalRemoteHost); -request.setSecure(originalSecure); -request.getCoyoteRequest().scheme().setString(originalScheme); - request.getCoyoteRequest().serverName().setString(originalServerName); -if (isChangeLocalName()) { - request.getCoyoteRequest().localName().setString(originalLocalName); -} -request.setServerPort(originalServerPort); -request.setLocalPort(originalLocalPort); - -MimeHeaders headers = request.getCoyoteRequest().getMimeHeaders(); -if (originalProxiesHeader == null || originalProxiesHeader.length() == 0) { -headers.removeHeader(proxiesHeader); -} else { - headers.setValue(proxiesHeader).setString(originalProxiesHeader); -} +if (!request.isAsync()) { +request.setRemoteAddr(originalRemoteAddr); +request.setRemoteHost(originalRemoteHost); +request.setSecure(originalSecure); +request.getCoyoteRequest().scheme().setString(originalScheme); + request.getCoyoteRequest().serverName().setString(originalServerName); +if (isChangeLocalName()) { + request.getCoyoteRequest().localName().setString(originalLocalName); +} +request.setServerPort(originalServerPort); +request.setLocalPort(originalLocalPort); + +MimeHeaders headers = request.getCoyoteRequest().getMimeHeaders(); +if (originalProxiesHeader == null || originalProxiesHeader.length() == 0) { +headers.removeHeader(proxiesHeader); +} else { + headers.setValue(proxiesHeader).setString(originalProxiesHeader); +} -if (originalRemoteIpHeader == null || originalRemoteIpHeader.length() == 0) { -headers.removeHeader(remoteIpHeader); -} else { - headers.setValue(remoteIpHeader).setString(originalRemoteIpHeader); +if (originalRemoteIpHeader == null || originalRemoteIpHeader.length() == 0) { +headers.removeHeader(remoteIpHeader); +} else { + headers.setValue(remoteIpHeader).setString(originalRemoteIpHeader); +} } } } 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 7908a14682..234fdadb3b 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -120,6 +120,11 @@ clearReferencesObjectStreamClassCaches when running on a JRE that includes a fix for the underlying memory leak. (markt) + +66068: Ensure that the changes made to a request by the +RemoteIPValve persist after the request is put into +asynchronous mode. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
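Review bot: The changelog entry spells the class `RemoteIPValve`, while the file and class changed by this commit are `RemoteIpValve`. Match the class name in the entry so that a search of changelog.xml for the valve finds it.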
[Bug 65951] ant package with custom tomcat.output fails in add-osgi
https://bz.apache.org/bugzilla/show_bug.cgi?id=65951

--- Comment #5 from Matt M ---
The fix for 9.0.x is missing a fix to this file:
res/bnd/tomcat-embed-el.jar.tmp.bnd

The fix for 10.0.x has it.
[tomcat] branch 9.0.x updated: Missing fix for BZ 65951
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new def22ec972 Missing fix for BZ 65951 def22ec972 is described below commit def22ec972f948560c8f2c07681130c0f97f1a19 Author: Mark Thomas AuthorDate: Thu May 26 17:56:17 2022 +0100 Missing fix for BZ 65951 https://bz.apache.org/bugzilla/show_bug.cgi?id=65951 --- res/bnd/tomcat-embed-el.jar.tmp.bnd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/res/bnd/tomcat-embed-el.jar.tmp.bnd b/res/bnd/tomcat-embed-el.jar.tmp.bnd index a2d63a2892..a7447cae0f 100644 --- a/res/bnd/tomcat-embed-el.jar.tmp.bnd +++ b/res/bnd/tomcat-embed-el.jar.tmp.bnd @@ -27,7 +27,7 @@ Export-Package: \ org.apache.el.stream,\ org.apache.el.util --includeresource.meta-inf: /META-INF/=../../output/manifests/jasper-el.jar/ +-includeresource.meta-inf: /META-INF/=${tomcat.output}/manifests/jasper-el.jar/ Provide-Capability: \ osgi.contract;\ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
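Review bot: Check the rest of res/bnd on 9.0.x for remaining hard-coded `../../output` paths, since this `-includeresource.meta-inf` line in tomcat-embed-el.jar.tmp.bnd was missed by the first fix for BZ 65951 and the same could be true of others. The line now depends on `${tomcat.output}` reaching bnd, so please also confirm the property is defined for every target that processes this file.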
[Bug 65951] ant package with custom tomcat.output fails in add-osgi
https://bz.apache.org/bugzilla/show_bug.cgi?id=65951

--- Comment #6 from Mark Thomas ---
Fixed in:
- 9.0.x for 9.0.64 onwards
[Bug 66068] Asynchronous request processing changes IP behind RemoteIpValve
https://bz.apache.org/bugzilla/show_bug.cgi?id=66068

Mark Thomas changed:

What       |Removed |Added
Status     |NEW     |RESOLVED
Resolution |---     |FIXED

--- Comment #2 from Mark Thomas ---
Fixed in:
- 10.1.x for 10.1.0-M16 onwards
- 10.0.x for 10.0.22 onwards
- 9.0.x for 9.0.64 onwards
- 8.5.x for 8.5.80 onwards
[GitHub] [tomcat] ChristopherSchultz commented on pull request #517: Fix BZ 66089
ChristopherSchultz commented on PR #517: URL: https://github.com/apache/tomcat/pull/517#issuecomment-1139158612 I believe I was able to decode these types of files without another provider. Have a look around https://github.com/ChristopherSchultz/pem-utils/blob/main/src/main/java/net/christopherschultz/pemutils/PEMFile.java#L410 and let me know if any of that would be helpful.
[GitHub] [tomcat] markt-asf commented on pull request #517: Fix BZ 66089
markt-asf commented on PR #517: URL: https://github.com/apache/tomcat/pull/517#issuecomment-1139340297 @ChristopherSchultz The code you referenced is decoding PKCS#1 format keys. Tomcat already handles those. This issue is about PKCS#8 format keys. Take a look at the sub-classes of `com.sun.crypto.provider.PBEKeyFactory`. There is no support for the combination of `HmacSHA256` and `TripleDES`.