Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored
Todd,

Peter Kreuser

> On 26.06.2017 at 18:56, Christopher Schultz wrote:
>
> Todd,
>
>> On 6/23/17 2:56 PM, Todd wrote:
>> Thank you Peter - I tried that previously, and just to double check
>> tried it again. No difference at all. A set of ciphers is being
>> presented that do not match to the cipher list that I've included
>> at all.
>>
>> Any other ideas as to what could be overriding this list? As
>> mentioned, some things when edited do take effect, like the
>> protocol selection (I can remove TLS, add SSL, etc.), if I have a
>> syntax error, the server won't start and will give an error, but
>> nothing I put in ciphers seems to work.
>
> Can you provide a clean configuration that exhibits this behavior?
>
> What are you using to test the effective configuration?

Another question: are you sure that you hit the Connector that you
configure? Tomcat should be reasonably configured in defaults with a
current JDK... 8443 or the like are not scanned with ssllabs! So it may
as well hit an apache on the same machine!

Can you show detail on what ssllabs is complaining about?

Best regards
Peter

> -chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored
Todd,

On 6/23/17 2:56 PM, Todd wrote:
> Thank you Peter - I tried that previously, and just to double check
> tried it again. No difference at all. A set of ciphers is being
> presented that do not match to the cipher list that I've included
> at all.
>
> Any other ideas as to what could be overriding this list? As
> mentioned, some things when edited do take effect, like the
> protocol selection (I can remove TLS, add SSL, etc.), if I have a
> syntax error, the server won't start and will give an error, but
> nothing I put in ciphers seems to work.

Can you provide a clean configuration that exhibits this behavior?

What are you using to test the effective configuration?

-chris
Re: Issue between RewriteValve and DefaultServlet
On 26/06/17 11:22, Jérémie Barthés wrote:
> Thanks for your fast answer
>
> I would like to extend DefaultServlet to override doDirectoryRedirect
> but the method is private,
> private void doDirectoryRedirect(HttpServletRequest request,
> HttpServletResponse response)
>
> May this method be protected in following versions ?

Unlikely at this point.

> I can't change a header on the way out, after server started to answer,
> can I ?

Correct. The way to handle this is to wrap the response and intercept
the call that sets the location header and modify the value before
calling the wrapped response.

Mark

>
> Regards
>
> Jeremie
>
> PS : I added a custom valve just to put non-rewritten URI in a request
> attribute, so I can use it if present when doDirectoryRedirect occurs
>
>
> On 26/06/2017 at 12:01, Mark Thomas wrote:
>> On 26/06/17 10:55, Jérémie Barthés wrote:
>>> Hi,
>>>
>>> I have an issue between org.apache.catalina.valves.rewrite.RewriteValve
>>> and org.apache.catalina.servlets.DefaultServlets
>>>
>>> If my request is forwarded by the RewriteValve and then pass into
>>> doDirectoryRedirect in DefaultServlets to be redirected. The hidden
>>> rewritten URI is displayed in the browser.
>>>
>>> To test it, try the following example (any tomcat 8, 8.5 or 9)
>>>
>>> add RewriteValve in conf/server.xml
>>>
>>>
>>> add rewriteRule in conf/Catalina/localhost/rewrite.config
>>> RewriteRule ^/iWantThisVisible/(.*)$ /examples/$1/
>>>
>>> start tomcat
>>>
>>> go to following URLs (any internet browser) :
>>> http://localhost:8080/iWantThisVisible/servlets
>>> http://localhost:8080/iWantThisVisible/servlets/
>> That behaviour is expected.
>>
>> If you want to stick with the RewriteValve you'll need to write a custom
>> Valve or Filter to modify the HTTP headers on the way out.
>>
>> You might be better off writing a custom Servlet that does a forward.
>>
>> Mark
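
Added example (not part of the thread and not Tomcat's own code): a Filter that wraps the response as Mark describes, so that a redirect issued downstream carries the client-visible URI instead of the rewritten one. It assumes the javax.servlet API used by Tomcat 8, 8.5 and 9, that the filter is registered in the web application that receives the rewritten request, and that the custom valve from Jérémie's PS stores the original URI under the hypothetical attribute name `example.originalUri`.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class VisibleUriRedirectFilter implements Filter {
    // Hypothetical attribute name: a custom Valve running before the
    // RewriteValve is assumed to store the original request URI here.
    static final String ORIGINAL_URI_ATTR = "example.originalUri";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        Object original = request.getAttribute(ORIGINAL_URI_ATTR);
        if (!(original instanceof String)) {
            chain.doFilter(req, res);          // request was not rewritten
            return;
        }
        chain.doFilter(req, new RedirectWrapper((HttpServletResponse) res,
                request.getRequestURI(), (String) original));
    }

    static final class RedirectWrapper extends HttpServletResponseWrapper {
        private final String rewritten;        // URI after the rewrite
        private final String visible;          // URI the client asked for

        RedirectWrapper(HttpServletResponse response, String rewritten, String visible) {
            super(response);
            this.rewritten = rewritten;
            this.visible = visible;
        }

        // Swap the internal prefix for the visible one. Any other target is
        // passed through unchanged, and a visible URI that is not a plain
        // absolute path ("//host/..." would be protocol-relative) is never used.
        String map(String location) {
            boolean safe = visible.startsWith("/") && !visible.startsWith("//");
            if (safe && location != null && location.startsWith(rewritten)) {
                return visible + location.substring(rewritten.length());
            }
            return location;
        }

        @Override public void sendRedirect(String location) throws IOException {
            super.sendRedirect(map(location));
        }
        @Override public void setHeader(String name, String value) {
            super.setHeader(name, "Location".equalsIgnoreCase(name) ? map(value) : value);
        }
    }
}
```

The mapping happens before the wrapped response is called, so it still works once the container starts committing the response; nothing is changed after the headers are sent.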
Re: Issue between RewriteValve and DefaultServlet
Thanks for your fast answer

I would like to extend DefaultServlet to override doDirectoryRedirect
but the method is private,
private void doDirectoryRedirect(HttpServletRequest request,
HttpServletResponse response)

May this method be protected in following versions ?

I can't change a header on the way out, after server started to answer,
can I ?

Regards

Jeremie

PS : I added a custom valve just to put non-rewritten URI in a request
attribute, so I can use it if present when doDirectoryRedirect occurs


On 26/06/2017 at 12:01, Mark Thomas wrote:
> On 26/06/17 10:55, Jérémie Barthés wrote:
>> Hi,
>>
>> I have an issue between org.apache.catalina.valves.rewrite.RewriteValve
>> and org.apache.catalina.servlets.DefaultServlets
>>
>> If my request is forwarded by the RewriteValve and then pass into
>> doDirectoryRedirect in DefaultServlets to be redirected. The hidden
>> rewritten URI is displayed in the browser.
>>
>> To test it, try the following example (any tomcat 8, 8.5 or 9)
>>
>> add RewriteValve in conf/server.xml
>>
>>
>> add rewriteRule in conf/Catalina/localhost/rewrite.config
>> RewriteRule ^/iWantThisVisible/(.*)$ /examples/$1/
>>
>> start tomcat
>>
>> go to following URLs (any internet browser) :
>> http://localhost:8080/iWantThisVisible/servlets
>> http://localhost:8080/iWantThisVisible/servlets/
> That behaviour is expected.
>
> If you want to stick with the RewriteValve you'll need to write a custom
> Valve or Filter to modify the HTTP headers on the way out.
>
> You might be better off writing a custom Servlet that does a forward.
>
> Mark
Re: Issue between RewriteValve and DefaultServlet
On 26/06/17 10:55, Jérémie Barthés wrote:
> Hi,
>
> I have an issue between org.apache.catalina.valves.rewrite.RewriteValve
> and org.apache.catalina.servlets.DefaultServlets
>
> If my request is forwarded by the RewriteValve and then pass into
> doDirectoryRedirect in DefaultServlets to be redirected. The hidden
> rewritten URI is displayed in the browser.
>
> To test it, try the following example (any tomcat 8, 8.5 or 9)
>
> add RewriteValve in conf/server.xml
>
>
> add rewriteRule in conf/Catalina/localhost/rewrite.config
> RewriteRule ^/iWantThisVisible/(.*)$ /examples/$1/
>
> start tomcat
>
> go to following URLs (any internet browser) :
> http://localhost:8080/iWantThisVisible/servlets
> http://localhost:8080/iWantThisVisible/servlets/

That behaviour is expected.

If you want to stick with the RewriteValve you'll need to write a custom
Valve or Filter to modify the HTTP headers on the way out.

You might be better off writing a custom Servlet that does a forward.

Mark
Issue between RewriteValve and DefaultServlet
Hi,

I have an issue between org.apache.catalina.valves.rewrite.RewriteValve
and org.apache.catalina.servlets.DefaultServlets

If my request is forwarded by the RewriteValve and then pass into
doDirectoryRedirect in DefaultServlets to be redirected. The hidden
rewritten URI is displayed in the browser.

To test it, try the following example (any tomcat 8, 8.5 or 9)

add RewriteValve in conf/server.xml

add rewriteRule in conf/Catalina/localhost/rewrite.config
RewriteRule ^/iWantThisVisible/(.*)$ /examples/$1/

start tomcat

go to following URLs (any internet browser) :
http://localhost:8080/iWantThisVisible/servlets
http://localhost:8080/iWantThisVisible/servlets/

Regards

Jeremie