[Bug 54324] Support is required to disable TLS compression to prevent against CRIME attacks

2012-12-21 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54324 --- Comment #4 from Rainer Jung --- Note also, that as a short time workaround you can compile OpenSSL without compression support.

Re: SSL compression / bug 54324

2012-12-21 Thread Rainer Jung
On 21.12.2012 16:37, Christopher Schultz wrote:
> All,
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=54324
>
> The enhancement request (marked MAJOR) is to allow the APR connector to
> configure SSL_OP_NO_COMPRESSION in OpenSSL, disabling SSL compression
> even when it is supported by th

Re: WebSocket progress report

2012-12-21 Thread Mark Thomas
On 12/12/2012 21:23, Mark Thomas wrote:
> The next step is to implement support for outgoing messages from server
> endpoints.

Done.

> Once that is in place, I will update the examples to use the
> new implementation and fix any issues that identifies.

Done.

> After that, I
> intend to run the A

svn commit: r1425178 - /tomcat/trunk/java/org/apache/tomcat/websocket/WsRemoteEndpoint.java

2012-12-21 Thread markt
Author: markt Date: Fri Dec 21 23:07:29 2012 New Revision: 1425178 URL: http://svn.apache.org/viewvc?rev=1425178&view=rev Log: Make sure buffer is flipped before sending Modified: tomcat/trunk/java/org/apache/tomcat/websocket/WsRemoteEndpoint.java Modified: tomcat/trunk/java/org/apache/tomca

svn commit: r1425175 - in /tomcat/trunk/java/org/apache/tomcat/websocket: WsFrame.java WsRemoteEndpoint.java

2012-12-21 Thread markt
Author: markt Date: Fri Dec 21 23:02:35 2012 New Revision: 1425175 URL: http://svn.apache.org/viewvc?rev=1425175&view=rev Log: Send a close frame telling the client why the connection is being closed if the server buffers can't cope. Modified: tomcat/trunk/java/org/apache/tomcat/websocket/Ws

svn commit: r1425145 - in /tomcat/trunk: java/javax/websocket/ java/org/apache/tomcat/websocket/ webapps/examples/WEB-INF/classes/websocket/chat/ webapps/examples/WEB-INF/classes/websocket/echo/

2012-12-21 Thread markt
Author: markt Date: Fri Dec 21 21:04:07 2012 New Revision: 1425145 URL: http://svn.apache.org/viewvc?rev=1425145&view=rev Log: Improve close behaviour - fixes various issues highlighted by the Autobahn WebSocket test suite Modified: tomcat/trunk/java/javax/websocket/Session.java tomcat/t

svn commit: r1425143 - /tomcat/trunk/java/org/apache/coyote/http11/upgrade/AbstractServletInputStream.java

2012-12-21 Thread markt
Author: markt Date: Fri Dec 21 21:02:34 2012 New Revision: 1425143 URL: http://svn.apache.org/viewvc?rev=1425143&view=rev Log: Avoid NPE Modified: tomcat/trunk/java/org/apache/coyote/http11/upgrade/AbstractServletInputStream.java Modified: tomcat/trunk/java/org/apache/coyote/http11/upgrade

svn commit: r1425142 - /tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoAnnotation.java

2012-12-21 Thread markt
Author: markt Date: Fri Dec 21 21:01:58 2012 New Revision: 1425142 URL: http://svn.apache.org/viewvc?rev=1425142&view=rev Log: Echo binary messages as well as text messages. Modified: tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoAnnotation.java Modified: tomcat/trunk/we

svn commit: r1425141 - /tomcat/trunk/java/org/apache/tomcat/websocket/Util.java

2012-12-21 Thread markt
Author: markt Date: Fri Dec 21 21:00:52 2012 New Revision: 1425141 URL: http://svn.apache.org/viewvc?rev=1425141&view=rev Log: int -> CloseCode Modified: tomcat/trunk/java/org/apache/tomcat/websocket/Util.java Modified: tomcat/trunk/java/org/apache/tomcat/websocket/Util.java URL: http://svn

Time for tcnative 1.1.25?

2012-12-21 Thread Christopher Schultz
All, There is a particular fix in tcnative-trunk and the 1.1.x branch to the ssl.c::hasOp function that I'd like to get out there in the wild: there are now two Tomcat enhancements (one committed, one not yet committed) that rely upon it: https://issues.apache.org/bugzilla/show_bug.cgi?id=53481 h

[Bug 53969] JNI method hasOp only supports SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION and should support others

2012-12-21 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=53969

Christopher Schultz changed:

What   | Removed | Added
Blocks |         | 54324

[Bug 54324] Support is required to disable TLS compression to prevent against CRIME attacks

2012-12-21 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54324

Christopher Schultz changed:

What       | Removed | Added
Depends on |         | 53969

svn commit: r1425136 - /tomcat/trunk/java/org/apache/coyote/http11/upgrade/

2012-12-21 Thread markt
Author: markt Date: Fri Dec 21 20:49:59 2012 New Revision: 1425136 URL: http://svn.apache.org/viewvc?rev=1425136&view=rev Log: Need to be able to close the upgraded input/output streams Modified: tomcat/trunk/java/org/apache/coyote/http11/upgrade/AbstractServletInputStream.java tomcat/t

svn commit: r1425135 - in /tomcat/native/branches/1.1.x: ./ native/src/ssl.c

2012-12-21 Thread schultz
Author: schultz Date: Fri Dec 21 20:45:32 2012 New Revision: 1425135 URL: http://svn.apache.org/viewvc?rev=1425135&view=rev Log: Back-port r1424947, r1424971 from trunk. Add new SSL_OP_* constants to OpenSSL option-detection. Modified: tomcat/native/branches/1.1.x/ (props changed) tom

[Bug 54324] Support is required to disable TLS compression to prevent against CRIME attacks

2012-12-21 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54324 --- Comment #3 from Christopher Schultz --- tcnative is independent from Apache httpd, though it does depend upon the Apache Portable Runtime library which is "part" of Apache httpd. In this case, we're only relying on support from OpenSSL

[Bug 54324] Support is required to disable TLS compression to prevent against CRIME attacks

2012-12-21 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54324 --- Comment #2 from Maik Hemani --- Is there a road map for releases available for TC Native/Apache/Tomcat in general? Perhaps this is related? https://issues.apache.org/bugzilla/show_bug.cgi?id=53219

[Bug 54330] Patch with some refactoring of Member.java

2012-12-21 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54330

Greg Turnquist changed:

What | Removed | Added
OS   |         | All

--- Comment #2 from Greg Turn

[Bug 54340] Form-based authentication + url rewriting does not work

2012-12-21 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54340 --- Comment #1 from Konstantin Kolinko ---

1. Tomcat version = ? I'd guess that you are facing bug 53584, which was fixed in 7.0.30.

> On top of this (and perhaps related to these problems), in the actual web
> application a different se

[Bug 54340] New: Form-based authentication + url rewriting does not work

2012-12-21 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54340 Bug ID: 54340 Summary: Form-based authentication + url rewriting does not work Product: Tomcat 7 Version: unspecified Hardware: PC OS: Linux

[jira] [Updated] (MTOMCAT-195) Plugin uploads WAR file twice

2012-12-21 Thread George Smith (JIRA)
[ https://issues.apache.org/jira/browse/MTOMCAT-195?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] George Smith updated MTOMCAT-195: - Description: When I deploy my WAR using maven, the target war (exact the same one) is being upl

[jira] [Created] (MTOMCAT-195) Plugin uploads WAR file twice

2012-12-21 Thread George Smith (JIRA)
George Smith created MTOMCAT-195: Summary: Plugin uploads WAR file twice Key: MTOMCAT-195 URL: https://issues.apache.org/jira/browse/MTOMCAT-195 Project: Apache Tomcat Maven Plugin Issue Type

Re: SSL compression / bug 54324

2012-12-21 Thread Christopher Schultz
All,

On 12/21/12 10:37 AM, Christopher Schultz wrote:
> Since this is security-related, my preference is to disable SSL
> compression /by default/ and allow users to specifically enable it if
> necessary. But, this represents a change in default so I figured I'd ask.

One more note which reverses

SSL compression / bug 54324

2012-12-21 Thread Christopher Schultz
All, https://issues.apache.org/bugzilla/show_bug.cgi?id=54324 The enhancement request (marked MAJOR) is to allow the APR connector to configure SSL_OP_NO_COMPRESSION in OpenSSL, disabling SSL compression even when it is supported by the client. This prevents CRIME attacks. My question is whether

svn commit: r1424974 - /tomcat/trunk/test/org/apache/catalina/tribes/demos/ChannelCreator.java

2012-12-21 Thread markt
Author: markt Date: Fri Dec 21 15:37:24 2012 New Revision: 1424974 URL: http://svn.apache.org/viewvc?rev=1424974&view=rev Log: Use interface Modified: tomcat/trunk/test/org/apache/catalina/tribes/demos/ChannelCreator.java Modified: tomcat/trunk/test/org/apache/catalina/tribes/demos/ChannelCr

[Bug 54330] Patch with some refactoring of Member.java

2012-12-21 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54330 Mark Thomas changed: What|Removed |Added Attachment #29779|0 |1 is patch|

svn commit: r1424971 - /tomcat/native/trunk/native/src/ssl.c

2012-12-21 Thread schultz
Author: schultz Date: Fri Dec 21 15:26:51 2012 New Revision: 1424971 URL: http://svn.apache.org/viewvc?rev=1424971&view=rev Log: Added missing relevant SSL_OP_ constants from OpenSSL 1.0. Modified: tomcat/native/trunk/native/src/ssl.c Modified: tomcat/native/trunk/native/src/ssl.c URL: http

svn commit: r1424947 - /tomcat/native/trunk/native/src/ssl.c

2012-12-21 Thread schultz
Author: schultz Date: Fri Dec 21 15:13:27 2012 New Revision: 1424947 URL: http://svn.apache.org/viewvc?rev=1424947&view=rev Log: Partial fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=54324 Add SSL_OP_NO_COMPRESSION to the set of OpenSSL options recognized by ssl.c::hasOp. Modified:

[Bug 54324] Support is required to disable TLS compression to prevent against CRIME attacks

2012-12-21 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54324 --- Comment #1 from Christopher Schultz --- I'm looking at OpenSSL to see how to do this. Any proper solution will likely depend on bug 53969 in tcnative, and therefore require tcnative 1.1.25 which has not yet been released.

Re: Heads up: comments coming to live TC 7 docs

2012-12-21 Thread Rainer Jung
On 20.12.2012 19:41, Christopher Schultz wrote:
> Rainer,
>
> On 12/15/12 6:04 AM, Rainer Jung wrote:
>> André, Chris, Chuck and Pid have moderator status. Every ASF committer
>> is also a moderator if she logs in using her LDAP credentials.
>
> D'oh. I wish I had known that -- I wouldn't have cr

svn commit: r1424904 - in /tomcat/tc7.0.x/trunk: ./ modules/jdbc-pool/doc/jdbc-pool.xml

2012-12-21 Thread kkolinko
Author: kkolinko Date: Fri Dec 21 12:57:28 2012 New Revision: 1424904 URL: http://svn.apache.org/viewvc?rev=1424904&view=rev Log: Merged revision 1424894 from tomcat/trunk: Correct a pair of typos Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/modules/jdbc-pool/doc

svn commit: r1424894 - /tomcat/trunk/modules/jdbc-pool/doc/jdbc-pool.xml

2012-12-21 Thread kkolinko
Author: kkolinko Date: Fri Dec 21 12:31:14 2012 New Revision: 1424894 URL: http://svn.apache.org/viewvc?rev=1424894&view=rev Log: Correct a pair of typos Modified: tomcat/trunk/modules/jdbc-pool/doc/jdbc-pool.xml Modified: tomcat/trunk/modules/jdbc-pool/doc/jdbc-pool.xml URL: http://svn.apa

[Bug 54338] Class cast exception in tagPlugin Set generated code

2012-12-21 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54338 --- Comment #1 from Sheldon Shao --- Created attachment 29787 --> https://issues.apache.org/bugzilla/attachment.cgi?id=29787&action=edit Patch for Set.java

[Bug 54338] New: Class cast exception in tagPlugin Set generated code

2012-12-21 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54338 Bug ID: 54338 Summary: Class cast exception in tagPlugin Set generated code Product: Tomcat 7 Version: trunk Hardware: PC OS: All Status: NEW Severi

[Bug 54337] New: StatementCache leaks statements/cursors

2012-12-21 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54337 Bug ID: 54337 Summary: StatementCache leaks statements/cursors Product: Tomcat Modules Version: unspecified Hardware: PC Status: NEW Severity: normal Prio

[Bug 54336] New: connection may not close in JDBCRealm when some exception happen

2012-12-21 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54336 Bug ID: 54336 Summary: connection may not close in JDBCRealm when some exception happen Product: Tomcat 7 Version: 7.0.34 Hardware: PC Status: NEW