[Bug 67628] OpenSSLCipherConfigurationParser#parse() produces misleading false positive cipher warnings

2023-11-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67628 --- Comment #10 from Markus Schlegel --- We are also facing this strange log entry since we upgraded Tomcat recently. I have read through this issue's description and comments, but the changed text in 8.5.96 alone does not help in my opinion. I

[Bug 67628] OpenSSLCipherConfigurationParser#parse() produces misleading false positive cipher warnings

2023-11-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67628 --- Comment #11 from Michael Osipov --- (In reply to Markus Schlegel from comment #10) > We are also facing this strange log entry since we upgraded Tomcat recently. > I have read through this issue's description and comments, but the changed >

Re: (tomcat) 04/04: Fix BZ 68119 - Refactor for improved performance during type conversion

2023-11-28 Thread Mark Thomas
On 27/11/2023 19:38, Rémy Maucherat wrote: On Mon, Nov 27, 2023 at 7:29 PM wrote: This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 8df7a3a95babb12fc38b8efa7eb938877ef3

(tomcat) branch 8.5.x updated: Remove Graal resolver as it is not present in 8.5.x

2023-11-28 Thread markt
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 632d0e996e Remove Graal resolver as it is not prese

[Bug 67628] OpenSSLCipherConfigurationParser#parse() produces misleading false positive cipher warnings

2023-11-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67628 --- Comment #12 from Mark Thomas --- @Markus - suggestions on improving the text of the docs and/or the message welcome. I don't think logging this at debug is an option. That the actual ciphers used change depending on which TLS implementatio

[Bug 67628] OpenSSLCipherConfigurationParser#parse() produces misleading false positive cipher warnings

2023-11-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67628 --- Comment #13 from Markus Schlegel --- > I haven't run the default Tomcat TLS configuration against the SSL Labs > scanner > for a while. I'll do that and see if adjustments are required. SSL-Labs still gives rating "B" if DH ciphers are en

Re: (tomcat) 03/08: Code clean - formatting. No functional change.

2023-11-28 Thread Christopher Schultz
Mark, On 11/25/23 08:40, Mark Thomas wrote: On 25/11/2023 07:59, Rémy Maucherat wrote: On Fri, Nov 24, 2023 at 6:17 PM wrote: This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git

Re: (tomcat) 03/08: Code clean - formatting. No functional change.

2023-11-28 Thread Mark Thomas
On 28/11/2023 14:17, Christopher Schultz wrote: Mark, On 11/25/23 08:40, Mark Thomas wrote: On 25/11/2023 07:59, Rémy Maucherat wrote: On Fri, Nov 24, 2023 at 6:17 PM wrote: This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in reposito

Re: (tomcat) 03/08: Code clean - formatting. No functional change.

2023-11-28 Thread Rémy Maucherat
On Tue, Nov 28, 2023 at 3:18 PM Christopher Schultz wrote: > > Mark, > > On 11/25/23 08:40, Mark Thomas wrote: > > On 25/11/2023 07:59, Rémy Maucherat wrote: > >> On Fri, Nov 24, 2023 at 6:17 PM wrote: > >>> > >>> This is an automated email from the ASF dual-hosted git repository. > >>> > >>> mar

svn commit: r1914181 - in /tomcat/site/trunk: docs/security-10.html docs/security-11.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-11.xml xdocs/security-8.xml xdo

2023-11-28 Thread markt
Author: markt Date: Tue Nov 28 15:26:33 2023 New Revision: 1914181 URL: http://svn.apache.org/viewvc?rev=1914181&view=rev Log: Add CVE-2023-46589 Modified: tomcat/site/trunk/docs/security-10.html tomcat/site/trunk/docs/security-11.html tomcat/site/trunk/docs/security-8.html tomcat

[SECURITY] CVE-2023-46589 Apache Tomcat - Request Smuggling

2023-11-28 Thread Mark Thomas
CVE-2023-46589 Apache Tomcat - Request Smuggling Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M10 Apache Tomcat 10.1.0-M1 to 10.1.15 Apache Tomcat 9.0.0-M1 to 9.0.82 Apache Tomcat 8.5.0 to 8.5.95 Description: Tomcat did not cor

[Bug 68119] Significant overhead in javax.el.CompositeELResolver.convertToType

2023-11-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=68119 --- Comment #2 from John Engebretson --- Thanks, I was indeed able to build from source, and 9.84 shows a *dramatic* decrease in latency under high cpu. The data is from a low-quality test in the development environment but I'm quite happy. W

[Bug 67628] OpenSSLCipherConfigurationParser#parse() produces misleading false positive cipher warnings

2023-11-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67628 --- Comment #14 from Mark Thomas --- Hmm. I think we need to move the ciphers part of this discussion to the users list. With a recent version of OpenSSL, Tomcat's default returns 112 ciphers. Adding ":-DH" reduces that to 83 and adding ":-DH:

svn commit: r1914188 - in /tomcat/site/trunk: docs/security-8.html xdocs/security-8.xml

2023-11-28 Thread markt
Author: markt Date: Tue Nov 28 18:44:02 2023 New Revision: 1914188 URL: http://svn.apache.org/viewvc?rev=1914188&view=rev Log: Fix typo Modified: tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/xdocs/security-8.xml Modified: tomcat/site/trunk/docs/security-8.html URL: http://sv