Re: JVM crashing with caCertificatePath in server.xml

2024-05-16 Thread Michael Osipov
On 2024/05/15 20:35:08 Michael Osipov wrote:
> On 2024/05/15 14:41:43 Michael Osipov wrote:
> > Good news. I can reproduce on Windows:
> > 15-May-2024 16:40:31.092 INFORMATION [main] 
> > org.apache.coyote.AbstractProtocol.init Initialisiere 
> > ProtocolHandler["https-openssl-apr-18444"]
> > 15-May-2024 16:40:31.144 WARNUNG [main] 
> > org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the 
> > [ciphers] attribute in a manner consistent with the latest OpenSSL 
> > development branch. Some of the specified [ciphers] are not supported by 
> > the configured SSL engine for this connector (which may use JSSE or an 
> > older OpenSSL version) and have been skipped: 
> > [[TLS_DH_DSS_WITH_AES_256_GCM_SHA384, TLS_DH_RSA_WITH_AES_256_GCM_SHA384, 
> > TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, 
> > TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_AES_128_CCM_SHA256, 
> > TLS_DH_DSS_WITH_AES_128_GCM_SHA256, TLS_DH_RSA_WITH_AES_128_GCM_SHA256, 
> > TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 
> > TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256]]
> > #
> > # A fatal error has been detected by the Java Runtime Environment:
> > #
> > #  EXCEPTION_ACCESS_VIOLATION (0xc005) at pc=0x024928d5cd10, 
> > pid=33136, tid=0x55b8
> > #
> > # JRE version: OpenJDK Runtime Environment (Zulu 8.68.0.21-CA-win64) 
> > (8.0_362-b09) (build 1.8.0_362-b09)
> > # Java VM: OpenJDK 64-Bit Server VM (25.362-b09 mixed mode windows-amd64 
> > compressed oops)
> > # Problematic frame:
> > # C  [tcnative-1.dll+0xccd10]
> > #
> > # Failed to write core dump. Minidumps are not enabled by default on client 
> > versions of Windows
> > #
> > # An error report file with more information is saved as:
> > # C:\Temp\apache-tomcat-9.0.89\hs_err_pid33136.log
> > #
> > # If you would like to submit a bug report, please visit:
> > #   http://www.azul.com/support/
> > # The crash happened outside the Java Virtual Machine in native code.
> > # See problematic frame for where to report the bug.
> > #
> > 
> > I will do a custom build of Tomcat Native and see where it crashes. Stay 
> > tuned.
> 
> Found the bug: It is either a flaw or uncertainty in OpenSSL. Details follow 
> tomorrow.

Details:

Reported the issue upstream: https://github.com/openssl/openssl/issues/24416
I will push a temporary fix until upstream properly handles NULL input.

Partially OT: After testing here in and out, I am convinced that the code after 
SSL_CTX_load_verify_locations() does absolutely not do what the author 
intended. The code block messes up CA certification for client 
verification with the request DNs for client cert auth. I will report a 
separate issue because it is unrelated.

Michael

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: JVM crashing with caCertificatePath in server.xml

2024-05-16 Thread Andy Arismendi
Ok great! Thank you for taking the time and making the effort to look into this 
Michael, much appreciated!

-Andy



Re: JVM crashing with caCertificatePath in server.xml

2024-05-16 Thread Michael Osipov
On 2024/05/16 15:55:04 Andy Arismendi wrote:
> Ok great! Thank you for taking the time and making the effort to look into 
> this Michael, much appreciated!

Here is a dynamically linked, patched version until there is an official 
release: http://home.apache.org/~michaelo/issues/tomcat/openssl-crash/

Please give it a try.

Michael




Re: JVM crashing with caCertificatePath in server.xml

2024-05-16 Thread Christopher Schultz

Michael,

On 5/16/24 12:00, Michael Osipov wrote:
> On 2024/05/16 15:55:04 Andy Arismendi wrote:
> > Ok great! Thank you for taking the time and making the effort to look into this 
> > Michael, much appreciated!
> 
> Here is a dynamically linked, patched version until there is an official 
> release: http://home.apache.org/~michaelo/issues/tomcat/openssl-crash/
> 
> Please give it a try.


Since you have produced a debug build of tcnative (and other 
components?) could you post the debug trace of the native stack?


Ghidra has been *most* unhelpful, here, starting with the fact that it 
doesn't even get the file-offset correct when trying to jump.


-chris




Re: Regarding Tomcat url redirection

2024-05-16 Thread Christopher Schultz

Lavanya,

On 5/15/24 09:09, lavanya tech wrote:
> Hi Chris,
> 
> If I remove this from the server.xml file I have the below error.
> 
> Message java.lang.NoClassDefFoundError: org/towl/indexer/web/Prefix
> 
> Description The server encountered an unexpected condition that prevented
> it from fulfilling the request.
> 
> Exception
> 
> jakarta.servlet.ServletException: java.lang.NoClassDefFoundError:
> org/towl/indexer/web/Prefix
> org.apache.jasper.servlet.JspServlet.service(JspServlet.java:333)
> jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)


That smells like a CLASSPATH problem where your application is not 
actually packaged properly. It could be something else, but it looks 
suspicious.



> > The "aliasing" will always be weird. IMO it's better to redirect. If you
> > change to redirect, does everything *work*, even if you don't like how
> > the browser's URL bar displays?
> --> I tried but it did not work.
> OK, apart from this topic, we have one more issue found.
> 
> Actually, the application team is deploying two applications: one with
> towl (which you are already aware of), the other one is towl-app. They have
> defined separate server.xml files for both.


Separate server.xml files means that you have to have two separate 
Tomcat processes.



> Name:server.lbg.com
> Address:  192.168.200.120
> Aliases:  example.lbg.com
> 
> Name:server.lbg.com
> Address:  192.168.200.120
> Aliases:  example-app.lbg.com
> 
> which means we have two aliases for server.lbg.com. Earlier we were
> concentrating only on one, example.lbg.com; now I wanted to somehow enable
> access in the same way for the other one also:
> https://example-app.lbg.com --> https://server.lbg.com:8444/towl-app
> 
> So I created an iptables rule in the same way as before, redirecting 443 to 8444, and
> I have the URLs working the same as example.lbg.com.
> 
> Both the server.xml files are here:
> 
> /git/towl/apachetomcat/conf/server.xml
> /git/towl-app/apachetomcat/conf/server.xml --> I changed the port of the
> connectors and everything.
> 
> But now when I try to access https://example.lbg.com --> I get the webpage of
> https://example-app.lbg.com and sometimes I get the webpage of
> https://example.lbg.com after a refresh itself, which is weird.
> 
> May I know why this is happening? If we fix this then I am thinking to
> disable the unwanted URLs, leaving the required ones, for example the below
> ones. I think that would be easier, rather than redirecting or aliasing -->
> because we noticed that the towl application is already pointing with
> https://example.lbg.com
> 
> https://server.lbg.com:8443
>    https://example-lbg.com:8443
> 
> https://server.lbg.com:8444
>    https://example-lbg.com:8444
> 
> Kindly suggest us a fix.


The best fix is to deploy the two applications normally without any 
funny business. Put both applications into webapps/ with no <Context> 
elements in server.xml and let them deploy. Use the correct URLs to 
access them. It's obviously some internal thing to your company because 
nobody is going to use :8443 in the real world.


I'm sorry, but it seems like you are being given arbitrary and weird 
requirements almost as a game.


I'm not sure I can help you any further at this point.

-chris


> On Wed, May 15, 2024 at 2:16 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> > Lavanya,
> > 
> > On 5/15/24 04:43, lavanya tech wrote:
> > > Thought to write you privately, regarding the Tomcat URL redirection, as
> > > the mail chain is getting bigger and bigger.
> > 
> > It's better to post to the list, so anyone in your situation can learn
> > from it.
> > 
> > > Let me know if it's fine for you and here is what I did.
> > > 
> > > 1)  
> > 
> > Don't do this. Just put towl.war into webapps/ and let it auto-deploy.
> > What you are doing here is double-deploying your "towl" application:
> > once as "" (ROOT) and once as "/towl". Remove this from server.xml.
> > 
> > Okay.
> > 
> > > 2) I have the towl application and towl.war under the webapps directory
> > > 3) added proxyPort and proxyName to the connector
> > > 
> > >  proxyPort="8443" proxyName="server.lbg.com">
> > 
> > Okay.
> > 
> > > 4) added rewrite.config under the conf directory
> > > > # Redirect everything that is not server.lbg.com to
> > > > # server.lbg.com. Don't worry about /towl yet.
> > > >
> > > > RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
> > > > RewriteRule ^/(.*) https://server.lbg.com:8443/$1 [L]
> > > >
> > > > # Redirect anything that isn't already going to /towl
> > > > # to go to /towl
> > > > RewriteCond %{REQUEST_URI} !^/towl
> > > > RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 [L]
> > > 
> > > 5) restarted Tomcat
> > > 6) can access all the URLs https://server.lbg.com:8443, https://server.lbg.com
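
What the two [L] rules in the quoted rewrite.config do to a few requests, as an added Python simulation (not code from the thread or from Tomcat's RewriteValve): it applies the same conditions and patterns to constructed requests and assumes %{HTTP_HOST} resolves to the bare host name without a port, as the quoted rules rely on. It shows the double redirect a request to example.lbg.com goes through, and that the prefix regex ^/towl also lets /towl-app requests through untouched.

```python
import re
from urllib.parse import urlsplit

# The two rules quoted above, as (variable, condition regex, negated?, target with $1).
# Constructed from the thread's rewrite.config; both carry [L], so the first rule that fires wins.
RULES = [
    ("HTTP_HOST",   r"^server\.lbg\.com$", True, "https://server.lbg.com:8443/$1"),
    ("REQUEST_URI", r"^/towl",             True, "https://server.lbg.com:8443/towl/$1"),
]
RULE_PATTERN = re.compile(r"^/(.*)")   # the RewriteRule pattern; $1 is the path minus its leading slash


def apply_rewrite(url):
    """Return the redirect target of the first firing rule, or None when no rule fires.

    Assumption: %{HTTP_HOST} is the host name without a port, which the quoted rules need
    (with a "host:port" value the first condition would fire on every request).
    """
    parts = urlsplit(url)
    env = {"HTTP_HOST": parts.hostname or "", "REQUEST_URI": parts.path or "/"}
    for var, cond, negated, target in RULES:
        matched = re.search(cond, env[var]) is not None
        if matched == negated:          # a "!" condition passes only when the regex does NOT match
            continue
        m = RULE_PATTERN.match(env["REQUEST_URI"])
        return target.replace("$1", m.group(1))   # [L]: stop processing after this rule
    return None


def redirect_chain(url, limit=5):
    """Follow the rules until none fires; the limit guards against a redirect loop."""
    chain = [url]
    while len(chain) <= limit:
        nxt = apply_rewrite(chain[-1])
        if nxt is None:
            return chain
        chain.append(nxt)
    raise RuntimeError("redirect loop: " + " -> ".join(chain))


if __name__ == "__main__":
    # Constructed sample requests: an alias, an already-correct URL, and the second app's path.
    for request in ("https://example.lbg.com/",
                    "https://server.lbg.com:8443/towl/index.jsp",
                    "https://example-app.lbg.com/towl-app/"):
        print(" -> ".join(redirect_chain(request)))
```

The third request ends at https://server.lbg.com:8443/towl-app/ because `^/towl` is a prefix match, so the second rule never fires for it.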
