RE: urgent problems with tomcat release 8.5.4

2017-12-22 Thread CYAG (Johnny Chao Yang)
Hello Konstantin,

This is my first time asking questions on this site. Apologies, I'm not sure why 
my reply was encrypted on the Tomcat official site, so I am just sending this reply to you 
separately to thank you for your help :)

Thank you so much for your kind help, it definitely solved my problem :)

Gratitude & have a nice weekend. :)


Br/Johnny

-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] 
Sent: 22 December 2017 17:43
To: Tomcat Users List
Subject: Re: urgent problems with tomcat release 8.5.4

2017-12-22 5:28 GMT+03:00 CYAG (Johnny Chao Yang) :
> Hello team,
>
>
> Because Tomcat 8.0 is close to its support deadline, we are going to 
> upgrade our Tomcat version from 8.0 to 8.5.4, as the Apache Tomcat official 
> website announced that 8.5.x will not stop support so far. The support time 
> decides which Tomcat version is better for us to choose, and it really affects 
> our IT infrastructure, so could we know approximately how long Apache will 
> keep supporting Tomcat release 8.5.x?
>
>
> Your help is much appreciated & we look forward to hearing your feedback. :)
>


http://www.catb.org/~esr/faqs/smart-questions.html#urgent

The current version of Tomcat 8.5 is 8.5.24.
https://wiki.apache.org/tomcat/FAQ/Linux_Unix#Q5

http://markmail.org/message/c7mxxiokcmf665qy

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Olaf Kock


On 22.12.2017 21:02, Eric Robinson wrote:
> With the exact same Xms and Xmx settings, I get vastly different 
> resident and virtual image sizes from the Linux ps command.
>
>
>   tomcatA: jdk1.8.0_152, res: 694312, virt: 5045084
>   tomcatB: jdk1.6.0_21, res: 332840, virt: 3922656

-Xmx is not all that's determining how much memory the JVM actually 
allocates. 
https://jguru.fi/why-is-my-java-process-taking-more-memory-than-i-gave-it.html 
gives some more hints on factors that have to be taken into account.


32 vs 64 bit architectures might do something to the sizes. And, now 
that you gave your JVM options in another answer, you're not specifying 
the GC algorithm and parameters, other than just logging. This means 
that most likely you're using another algorithm with different 
parameters, e.g. it might kick in later.


Coming back to the linked article: Tomcat might have different default 
thread pool sizes - I don't know if you explicitly configure them. And 
I've lost track if the default connectors are different ones between 
Tomcat 6 and 8, or if you have ex- or implicitly configured them 
differently (e.g. through using your Linux distribution's implementation 
and they might have changed it).


Unrelated: I like to configure my production servers with identical -Xms 
and -Xmx, so that they either start or don't start when I'm around (or 
when the server boots) and not fail to allocate more memory from the OS 
Sunday night at 3am.





RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Eric Robinson
> Eric,
> 
> Just curious how much ram do you have in the server and cpu resources.
> 
> #free -m and # cat /proc/cpuinfo | egrep 'cores|processor'
> 
> (Not to insult your intelligence , I am just specifying what I was curious to 
> see)
> 
> And it's always easier to copy/paste than to think.
> 
> I see in another thread you went from Java 1.6_xxx to 1.8_xxx
> 
> That could be the whole story right there.
> 
> 

No offense taken. You're right, copy and paste is easier...

[root@app17 alley]# free -m
             total       used       free     shared    buffers     cached
Mem:         64415      58110       6304          0       2938      18382
-/+ buffers/cache:      36789      27626
Swap:        15999        759      15240
[root@app17 alley]# cat /proc/cpuinfo | egrep 'cores|processor'
processor   : 0
cpu cores   : 6
processor   : 1
cpu cores   : 6
processor   : 2
cpu cores   : 6
processor   : 3
cpu cores   : 6
processor   : 4
cpu cores   : 6
processor   : 5
cpu cores   : 6
processor   : 6
cpu cores   : 6
processor   : 7
cpu cores   : 6
processor   : 8
cpu cores   : 6
processor   : 9
cpu cores   : 6
processor   : 10
cpu cores   : 6
processor   : 11
cpu cores   : 6

--Eric




RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Cheltenham, Chris
Eric,

Just curious how much ram do you have in the server and cpu resources.

#free -m and # cat /proc/cpuinfo | egrep 'cores|processor'

(Not to insult your intelligence , I am just specifying what I was curious
to see)

And it's always easier to copy/paste than to think.

I see in another thread you went from Java 1.6_xxx to 1.8_xxx

That could be the whole story right there.


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 

-Original Message-
From: Eric Robinson [mailto:eric.robin...@psmnv.com] 
Sent: Friday, December 22, 2017 2:59 PM
To: Tomcat Users List 
Subject: RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than
Tomcat 6?

> > From: Eric Robinson [mailto:eric.robin...@psmnv.com]
> > Subject: RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory 
> > Than
> Tomcat 6?
> 
> > if JVM instance "A" is configured as follows on server 1 under 
> > tomcat6/jdk
> 1.6, then
> > instance "A" on server 2 is configured the same, except it is 
> > running
> under tomcat
> > 8/jdk 1.8. Yet the tomcat 8 ones used 50% more memory, on average.
> 
> > JAVA_OPTS="-Xms16M -Xmx192M \
> > -XX:MaxPermSize=192M \
> 
> Note that PermGen is no longer used in Java 8, and the above should 
> log a
> warning:
> 
> Java HotSpot(TM) 64-Bit Server VM warning: ignoring option 
> MaxPermSize=192m; support was removed in 8.0

Great tip, thanks. 

Unfortunately, I don't think that explains why the exact same Xms and Xmx
settings produce vastly different resident and virtual running image sizes
under jdk1.8 versus jdk1.6.

> It might be leaking.

If that were the case, I assume it would manifest under tomcat6/jdk 1.6 as
well. Since it does not, I am inclined to think leakage is not the issue.

--Eric




RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Eric Robinson
> 
> More heap or more native memory?
> 

With the exact same Xms and Xmx settings, I get vastly different resident and 
virtual image sizes from the Linux ps command.


 tomcatA: jdk1.8.0_152, res: 694312, virt: 5045084
 tomcatB: jdk1.6.0_21, res: 332840, virt: 3922656

--Eric






RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Eric Robinson
> > From: Eric Robinson [mailto:eric.robin...@psmnv.com]
> > Subject: RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than
> Tomcat 6?
> 
> > if JVM instance "A" is configured as follows on server 1 under tomcat6/jdk
> 1.6, then
> > instance "A" on server 2 is configured the same, except it is running
> under tomcat
> > 8/jdk 1.8. Yet the tomcat 8 ones used 50% more memory, on average.
> 
> > JAVA_OPTS="-Xms16M -Xmx192M \
> > -XX:MaxPermSize=192M \
> 
> Note that PermGen is no longer used in Java 8, and the above should log a
> warning:
> 
> Java HotSpot(TM) 64-Bit Server VM warning: ignoring option
> MaxPermSize=192m;
> support was removed in 8.0

Great tip, thanks. 

Unfortunately, I don't think that explains why the exact same Xms and Xmx 
settings produce vastly different resident and virtual running image sizes 
under jdk1.8 versus jdk1.6.

> It might be leaking.

If that were the case, I assume it would manifest under tomcat6/jdk 1.6 as 
well. Since it does not, I am inclined to think leakage is not the issue.

--Eric




RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Caldarale, Charles R
> From: Eric Robinson [mailto:eric.robin...@psmnv.com] 
> Subject: RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

> if JVM instance "A" is configured as follows on server 1 under tomcat6/jdk 1.6, then 
> instance "A" on server 2 is configured the same, except it is running under tomcat 
> 8/jdk 1.8. Yet the tomcat 8 ones used 50% more memory, on average. 

> JAVA_OPTS="-Xms16M -Xmx192M \
> -XX:MaxPermSize=192M \

Note that PermGen is no longer used in Java 8, and the above should log a
warning:

Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=192m;
support was removed in 8.0

Here's a brief overview:
https://blogs.oracle.com/poonam/about-g1-garbage-collector,-permanent-generation-and-metaspace

  - Chuck




RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Cheltenham, Chris
Eric,



If you have upgraded java along with tomcat then yes that it is very 
probable.

You can restrict how much memory java can use however, if it is consuming 
too much memory.

-Xmx and -Xms startup parameters.

However, you may be jeopardizing performance.

In this case you can only add more memory.

It may also be leaking.

Java is a pig get used to it.









===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: Eric Robinson [mailto:eric.robin...@psmnv.com]
Sent: Friday, December 22, 2017 2:04 PM
To: Tomcat Users List 
Subject: RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 
6?







RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Eric Robinson
> On 22.12.2017 13:48, Eric Robinson wrote:
> > We have multiple JVMs deployed on two identical Linux servers. Each server
> has 60 JVMs. Until today, both servers were running Tomcat6 with JDK 1.6.
> Today we upgraded one of the servers to Tomcat 8 with JDK 1.8. Now the JVMs
> on the Tomcat 8 server are each using between 20-80% more memory than the
> ones on Tomcat6 with JDK 1.6. Is that normal? Why would that be? Is it some
> kind of settings? Is it fixable?
> >
> It might be as simple as different thresholds for the garbage collector to 
> kick in.
> I'd start with an evaluation of how much memory is used right after a GC run -
> and in case this isn't satisfactory, which objects use the memory.
> Typically it's appropriate to just look at the top of the list.
> 
> Note that the GC algorithms (or just GC defaults) between the different JVM
> versions (sometimes even between minor upgrades) might differ significantly.
> One big question is: Did you explicitly configure memory consumption, GC
> algorithm and thresholds? If so, what's the difference between the two 
> options:
> I'd expect that you need to change the settings significantly in order to 
> achieve
> the same behavior. There's a lot of work that has been done in this world.
> 
> That being said, I'd also not rule out that tomcat's or other component's
> implementation changed - e.g. caches, or just memory use through upgraded
> libraries. But I'd recommend to look in both directions, with JDK and GC 
> tuning
> being the elephant in the room, giving you the biggest bang for your buck.
> 
> Olaf
> 

The following startup options are typical for our JVMs. The min, max, and 
permgen settings may differ from JVM to JVM on the same server, but the 
settings are always identical between servers. In other words, if JVM instance 
"A" is configured as follows on server 1 under tomcat6/jdk 1.6, then instance 
"A" on server 2 is configured the same, except it is running under tomcat 8/jdk 
1.8. Yet the tomcat 8 ones used 50% more memory, on average. 

JAVA_OPTS="-Xms16M -Xmx192M \
-XX:MaxPermSize=192M \
-Djvm=$JVM_ID \
-Djava.awt.headless=true \
-Djava.net.preferIPv4Stack=true \
-Duser.timezone=US/Pacific \
-Xloggc:/alley/site098/tomcat8/logs/gc.log -XX:+PrintGCDateStamps \
-XX:+PrintGCDetails"


Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-22 Thread George S.



On 12/21/2017 3:24 PM, Thomas Delaney wrote:

> Thank you for the input so far!
>
> I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
> receive the same result
>
> when running the openssl s_client command I received this as the Cipher and
> SSL version
> Protocol  : TLSv1.2
> Cipher: DHE-RSA-AES256-GCM-SHA384
>
> I also get a message saying  "verify error:num=20:unable to get local
> issuer certificate"
> "Verify return code: 20 (unable to get local issuer certificate)"


This may not be a meaningful error. Are you specifying the CAPath or 
CAFile arguments on the command line? See this page:


https://stackoverflow.com/questions/11548336/openssl-verify-return-code-20-unable-to-get-local-issuer-certificate.

You did double-check the path and permissions on your various 
certificate files right? Also, did you inspect your files using openssl? 
E.G.:


openssl x509 -in conf/CA_server_bundle.crt -text


You might try running Tomcat with:

-Djavax.net.debug=ssl

to enable SSL Debugging. I'm not going to lie though, it can be pretty 
difficult to weed through the tons of content generated.




On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:



Peter,

On 12/21/17 2:38 AM, l...@kreuser.name wrote:

Hi Thomas,


On 21.12.2017 at 00:56, Thomas Delaney wrote:

Greetings,

I am having trouble regarding google chrome's behavior to Apache
Tomcat's SSL setup. I have been successful getting an ssl website
to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
on google chrome. Mozilla Firefox brings me to my site with no
problem.

When going to https://mydomain.com:8443 I receive a message from
Google Chrome.

Google Chrome Error - This site can’t provide a secure
connection mydomain.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol The client and server don't support a common
SSL protocol version or cipher suite.

When checking Google Chrome's Browser console in the security tab
I receive: Page is not secure Valid certificate secure resources

Here is the following background info I have for the
configuration I gave Apache Tomcat when setting up the 8443
connector

Chrome Version 63.0.3239.108 (Official Build) (64-bit)

Linux OS: SUSE Enterprise 12 sp1

Packages installed:

- OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79

That may be the culprit.

Apparently this (old) version of Java7 will not provide in the
default modern ciphers that Chrome requires. And the config is
using the JSSE SSL implementation. But as you have TC Native and
openssl 1.0.2 you should switch to openssl.

This probably isn't the problem since Thomas is using the APR
connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
not relevant.


- tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
tomcat-native-1.2.16-src

Server.xml apr connector (Certificates are signed from GoDaddy
and are placed in the conf directory of Apache Tomcat):

  
 

This looks okay to me. If you start Tomcat and then use "openssl
s_client -connect :", does openssl connect? It should
report the protocol and cipher suite being used to connect.

If your server is externally-accessible, consider using an external TLS
capabilities scanner such as that from Qualys,
https://www.ssllabs.com/ssltest/

-chris




--
George S.
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com
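
The distinction drawn in this thread between a successful handshake and the certificate verify code, as an added example that is not part of the original messages: a shell function that parses `openssl s_client` output and reports negotiation and trust separately. Both transcripts and the offered-cipher list are constructed for illustration; the list is an assumption and is not taken from any browser.

```shell
#!/bin/sh
# Added example, not from the thread. Sample transcripts are constructed.

# summarize_s_client [OFFERED_CIPHERS]
#   stdin: output of `openssl s_client -connect host:port </dev/null`
#   OFFERED_CIPHERS (optional): space-separated OpenSSL cipher names that
#   some other client offers. Caller-supplied assumption.
summarize_s_client() {
  awk -v offered="${1:-}" '
    function value(line) {            # text after the first ":" with blanks trimmed
      sub(/^[^:]*:[ \t]*/, "", line)
      sub(/[ \t\r]+$/, "", line)
      return line
    }
    /^[ \t]*Protocol[ \t]*:/ { proto = value($0) }
    /^[ \t]*Cipher[ \t]*:/   { cipher = value($0) }
    /Verify return code:/    { seen = 1; code = value($0) + 0 }
    END {
      # A failed negotiation shows up as cipher 0000 or (NONE).
      hs = (cipher == "" || cipher == "0000" || cipher == "(NONE)") ? "failed" : "ok"

      # s_client prints "Verify return code: 0 (ok)" even when no certificate
      # was received, so the code only counts after a completed handshake.
      if (hs == "failed")                trust = "not-evaluated"
      else if (!seen)                    trust = "unknown"
      else if (code == 0)                trust = "verified"
      else if (code == 20 || code == 21) trust = "issuer-not-in-trust-store"
      else if (code == 18 || code == 19) trust = "self-signed"
      else                               trust = "failed"

      # Success here proves overlap with the openssl cipher list only;
      # compare the negotiated cipher with what the other client offers.
      overlap = "unchecked"
      if (offered != "" && hs == "ok") {
        overlap = "no"
        n = split(offered, list, " ")
        for (i = 1; i <= n; i++) if (list[i] == cipher) overlap = "yes"
      }
      printf "handshake=%s protocol=%s cipher=%s verify=%s trust=%s client_overlap=%s\n",
             hs, (proto == "" ? "-" : proto), (cipher == "" ? "-" : cipher),
             (seen ? code : "-"), trust, overlap
    }'
}

# Constructed transcript matching the values quoted in the thread.
sample_handshake_ok() {
cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = mydomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
---
EOF
}

# Constructed transcript of a handshake that did not complete.
sample_handshake_failed() {
cat <<'EOF'
CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
---
EOF
}

# Constructed offer list for the overlap check (not a real browser list).
SAMPLE_OFFER="ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384"

sample_handshake_ok     | summarize_s_client
sample_handshake_ok     | summarize_s_client "$SAMPLE_OFFER"
sample_handshake_failed | summarize_s_client
```

When the result is `trust=issuer-not-in-trust-store`, re-running `openssl s_client` with `-CAfile` pointing at the issuing CA bundle (here `conf/CA_server_bundle.crt`) shows whether the chain itself is sound.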


Re: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Christopher Schultz

Eric,

On 12/22/17 7:48 AM, Eric Robinson wrote:
> We have multiple JVMs deployed on two identical Linux servers.
> Each server has 60 JVMs. Until today, both servers were running
> Tomcat6 with JDK 1.6. Today we upgraded one of the servers to
> Tomcat 8 with JDK 1.8. Now the JVMs on the Tomcat 8 server are each
> using between 20-80% more memory than the ones on Tomcat6 with JDK
> 1.6. Is that normal? Why would that be? Is it some kind of
> settings? Is it fixable?

More heap or more native memory?

-chris



Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-22 Thread Christopher Schultz

Thomas,

On 12/21/17 5:24 PM, Thomas Delaney wrote:
> Thank you for the input so far!
> 
> I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and
> still receive the same result
> 
> when running the openssl s_client command I received this as the
> Cipher and SSL version Protocol  : TLSv1.2 Cipher:
> DHE-RSA-AES256-GCM-SHA384

Good, OpenSSL can connect which means that TLS is at least set up
properly and running.

> I also get a message saying  "verify error:num=20:unable to get
> local issuer certificate" "Verify return code: 20 (unable to get
> local issuer certificate)"

That's not a problem, especially if you are using a self-signed
certificate or a CA that OpenSSL doesn't recognize.

If you can't use SSLLabs's test, you might be able to use this one:
https://wiki.apache.org/tomcat/tools/SSLTest.java
(and)
https://wiki.apache.org/tomcat/tools/SSLUtils.java

-chris

> On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> Peter,
> 
> On 12/21/17 2:38 AM, l...@kreuser.name wrote:
 
 Hi Thomas,
 
> On 21.12.2017 at 00:56, Thomas Delaney wrote:
> 
> Greetings,
> 
> I am having trouble regarding google chrome's behavior to
> Apache Tomcat's SSL setup. I have been successful getting
> an ssl website to work with Apache HTTP web server, but not
> Apache Tomcat 8.5.24 on google chrome. Mozilla Firefox
> brings me to my site with no problem.
> 
> When going to https://mydomain.com:8443 I receive a message
> from Google Chrome.
> 
> Google Chrome Error - This site can’t provide a secure 
> connection mydomain.com uses an unsupported protocol. 
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> 
> Unsupported protocol The client and server don't support a
> common SSL protocol version or cipher suite.
> 
> When checking Google Chrome's Browser console in the
> security tab I receive: Page is not secure Valid
> certificate secure resources
> 
> Here is the following background info I have for the 
> configuration I gave Apache Tomcat when setting up the
> 8443 connector
> 
> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
> 
> Linux OS: SUSE Enterprise 12 sp1
> 
> Packages installed:
> 
> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
 
 That may be the culprit.
 
 Apparently this (old) version of Java7 will not provide in
 the default modern ciphers that Chrome requires. And the
 config is using the JSSE SSL implementation. But as you have
 TC Native and openssl 1.0.2 you should switch to openssl.
> 
> This probably isn't the problem since Thomas is using the APR 
> connector. TLS cipher suite support (or lack thereof) from Java 1.7
> is not relevant.
> 
> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 - 
> tomcat-native-1.2.16-src
> 
> Server.xml apr connector (Certificates are signed from
> GoDaddy and are placed in the conf directory of Apache
> Tomcat):
> 
>  protocol="org.apache.coyote.http11.Http11AprProtocol" 
> maxThreads="150" SSLEnabled="true"
> defaultSSLHostConfigName=" mydomain.com" >  hostName="mydomain.com" protocols="TLSv1,TLSv1.1,TLSv1.2">
>  certificateFile="conf/server.crt" 
> certificateChainFile="conf/CA_server_bundle.crt" type="RSA"
> />  
> 
> This looks okay to me. If you start Tomcat and then use "openssl 
> s_client -connect :", does openssl connect? It
> should report the protocol and cipher suite being used to connect.
> 
> If your server is externally-accessible, consider using an external
> TLS capabilities scanner such as that from Qualys, 
> https://www.ssllabs.com/ssltest/
> 
> -chris


Re: getting "BindException: permission denied" exception when trying to change port 8080 to 8090

2017-12-22 Thread Christopher Schultz

Coty,

On 12/21/17 3:49 PM, Coty Sutherland wrote:
> On Thu, Dec 21, 2017 at 2:45 PM, Alceu R. de Freitas Jr. 
>  wrote:
>> Hello Cristopher, I never saw something like that too. I also
>> search on Google, all occurrences happened with people trying to
>> run Tomcat on privileged ports (<1024). Here is a quick test,
>> with port 9090:
>> 
>> [root@localhost ~]# systemctl stop tomcat [root@localhost ~]# rm
>> -f /var/log/tomcat/* [root@localhost ~]# vi
>> /etc/tomcat/server.xml [root@localhost ~]# grep -A 2 'Connector
>> port="9090"' /etc/tomcat/server.xml > protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443"
>> /> [root@localhost ~]# systemctl start tomcat [root@localhost ~]#
>> systemctl status tomcat ● tomcat.service - Apache Tomcat Web
>> Application Container Loaded: loaded
>> (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset:
>> disabled) Active: active (running) since Qui 2017-12-21 17:39:57
>> -02; 6s ago Main PID: 4385 (java) CGroup:
>> /system.slice/tomcat.service └─4385 /usr/lib/jvm/jre/bin/java
>> -classpath
>> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli
.jar:/usr/share/java/commons-da...
>>
>>
>> 
Dez 21 17:40:03 localhost.localdomain server[4385]: dez 21, 2017 5:40:03
PM org.apache.catalina.startup.HostConfig deployDirectory
>> Dez 21 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES:
>> Deployment of web application directory
>> /var/lib/tomcat/webapps/manager has finish… in 498 ms Dez 21
>> 17:40:03 localhost.localdomain server[4385]: dez 21, 2017 5:40:03
>> PM org.apache.catalina.startup.HostConfig deployDirectory Dez 21
>> 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES:
>> Deploying web application directory /var/lib/tomcat/webapps/ROOT 
>> Dez 21 17:40:03 localhost.localdomain server[4385]: dez 21, 2017
>> 5:40:03 PM org.apache.catalina.startup.TldConfig execute Dez 21
>> 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES: At
>> least one JAR was scanned for TLDs yet contained no TLDs. Enable
>> debug logging …tion time. Dez 21 17:40:03 localhost.localdomain
>> server[4385]: dez 21, 2017 5:40:03 PM
>> org.apache.catalina.startup.HostConfig deployDirectory Dez 21
>> 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES:
>> Deployment of web application directory
>> /var/lib/tomcat/webapps/ROOT has finished in 534 ms Dez 21
>> 17:40:03 localhost.localdomain server[4385]: dez 21, 2017 5:40:03
>> PM org.apache.catalina.startup.HostConfig deployDirectory Dez 21
>> 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES:
>> Deploying web application directory
>> /var/lib/tomcat/webapps/examples Hint: Some lines were
>> ellipsized, use -l to show in full. [root@localhost ~]# less
>> /var/log/tomcat/catalina.2017-12-21.log GRAVE: Failed to
>> initialize end point associated with ProtocolHandler
>> ["http-bio-9090"] java.net.BindException: Permissão negada (Bind
>> failed) :9090 at
>> org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:413)
>>
>> 
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:7
15)
>> at
>> org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:452)
>>
>> 
at
org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11J
sseProtocol.java:119)
>> at
>> org.apache.catalina.connector.Connector.initInternal(Connector.java:9
78)
>>
>> 
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>> at
>> org.apache.catalina.core.StandardService.initInternal(StandardService
.java:560)
>>
>> 
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>> at
>> org.apache.catalina.core.StandardServer.initInternal(StandardServer.j
ava:840)
>>
>> 
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:642) 
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:667) 
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
java:62)
>>
>> 
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498) at
>> org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:253) at
>> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:427) 
>> Caused by: java.net.BindException: Permissão negada (Bind
>> failed) at java.net.PlainSocketImpl.socketBind(Native Method) at
>> java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:38
7)
>>
>> 
at java.net.ServerSocket.bind(ServerSocket.java:375)
>> at java.net.ServerSocket.(ServerSocket.java:237) at
>> java.net.ServerSocket.(ServerSocket.java:181) at
>> org.apache.tomcat.util.net.DefaultServerSocketFactory.createSocket(De
faultServerSocketFactory.java:49)
>>
>> 
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:400)
>> ... 17 more dez 21, 

Re: OutOfMemoryError when Uploading Files

2017-12-22 Thread Mark Thomas
On 20/12/17 18:04, Igal @ Lucee.org wrote:
> Hello,
> 
> I am troubleshooting a servlet which is used to upload files. Small
> files under 25mb are processed properly.  Large files over 50mb are
> processed properly.  Files with size in the range of 25mb -- 50mb fail
> with OutOfMemoryError.

How consistently?

> Unfortunately I do not get a Stack Trace.  Instead of a Stack Trace I
> only get "Java heap space".
> 
> I know that the FileUpload component has a threshold with default of
> 10kb, so that files under 10kb are processed in memory, but files larger
> than that are processed using the disk to preserve memory.  I do not see
> anywhere in the code that the threshold is modified from its default value.
> 
> Is there anywhere else in Tomcat that might have a 50mb threshold for IO
> operations?

Not that I am aware of.

What, exactly, is performing this upload?

> Specifically in NioEndpoint since I see this in catalina.out:
> 
> Jul 11, 2017 1:23:29 PM
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor doRun
> SEVERE:
> java.lang.OutOfMemoryError: Java heap space
> 
> Running Tomcat 8.0.23 (and yes, I would love to upgrade it but this is
> for a large organization and I can not update it at this time).
> 
> Am I correct to assume that the error is logged from
> https://github.com/apache/tomcat80/blob/TOMCAT_8_0_23/java/org/apache/tomcat/util/net/NioEndpoint.java#L1563

Seems reasonable.

Maybe time to attach a profiler and see what happens during a single
upload on a test system?

Mark





Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-22 Thread Peter Kreuser


Thomas,

> On 22.12.2017 at 15:38, Thomas Delaney wrote:
> 
> I apologize for the poor grammar in my last response and extra email. The
> site I have setup is internal only. I will not be able to test the site
> using SSL Labs.
> 

You may try https://testssl.sh and download the script from there.
That works in internal networks.

It even simulates connects with different clients (eg Chrome)

Peter

> On Fri, Dec 22, 2017 at 9:37 AM, Thomas Delaney 
> wrote:
> 
>> The site is internal so I won't not be able to check via ssllabs
>> 
>>> On Thu, Dec 21, 2017 at 5:36 PM, George S.  wrote:
>>> 
 On 12/21/2017 3:24 PM, Thomas Delaney wrote:
 
 Thank you for the input so far!
 
 I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
 receive the same result
 
 when running the openssl s_client command I received this as the Cipher
 and
 SSL version
 Protocol  : TLSv1.2
 Cipher: DHE-RSA-AES256-GCM-SHA384
 
 I also get a message saying  "verify error:num=20:unable to get local
 issuer certificate"
 "Verify return code: 20 (unable to get local issuer certificate)"
 
>>> 
>>> I second Chris Schultz's recommendation that you run the site through the
>>> SSL Labs testing site and see what it points out. It's going to check a lot
>>> more things right off the bat and display them in an easier format:
>>> 
>>> https://www.ssllabs.com/ssltest/
>>> 
>>> 
>>> 
>>> 
>>> 
 On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
 ch...@christopherschultz.net> wrote:
 
> 
> Peter,
> 
>> On 12/21/17 2:38 AM, l...@kreuser.name wrote:
>> 
>> Hi Thomas,
>> 
>> Am 21.12.2017 um 00:56 schrieb Thomas Delaney
>>> :
>>> 
>>> Greetings,
>>> 
>>> I am having trouble regarding google chrome's behavior to Apache
>>> Tomcat's SSL setup. I have been successful getting an ssl website
>>> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
>>> on google chrome. Mozilla Firefox brings me to my site with no
>>> problem.
>>> 
>>> When going to https://mydomain.com:8443 I receive a message from
>>> Google Chrome.
>>> 
>>> Google Chrome Error - This site can’t provide a secure
>>> connection mydomain.com uses an unsupported protocol.
>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>>> 
>>> Unsupported protocol The client and server don't support a common
>>> SSL protocol version or cipher suite.
>>> 
>>> When checking Google Chrome's Browser console in the security tab
>>> I receive: Page is not secure Valid certificate secure resources
>>> 
>>> Here is the following background info I have for the
>>> configuration I gave Apache Tomcat when setting up the 8443
>>> connector
>>> 
>>> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
>>> 
>>> Linux OS: SUSE Enterprise 12 sp1
>>> 
>>> Packages installed:
>>> 
>>> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
>>> 
>> That may be the culprit.
>> 
>> Apparently this (old) version of Java7 will not provide in the
>> default modern ciphers that Chrome requires. And the config is
>> using the JSSE SSL implementation. But as you have TC Native and
>> openssl 1.0.2 you should switch to openssl.
>> 
> This probably isn't the problem since Thomas is using the APR
> connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
> not relevant.
> 
> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
>>> tomcat-native-1.2.16-src
>>> 
>>> Server.xml apr connector (Certificates are signed from GoDaddy
>>> and are placed in the conf directory of Apache Tomcat):
>>> 
>>> >> protocol="org.apache.coyote.http11.Http11AprProtocol"
>>> maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="
>>> mydomain.com" > >> protocols="TLSv1,TLSv1.1,TLSv1.2"> >> certificateKeyFile="conf/server.key"
>>> certificateFile="conf/server.crt"
>>> certificateChainFile="conf/CA_server_bundle.crt" type="RSA" />
>>>  
>>> 
>> This looks okay to me. If you start Tomcat and then use "openssl
> s_client -connect :", does openssl connect? It should
> report the protocol and cipher suite being used to connect.
> 
> If your server is externally-accessible, consider using an external TLS
> capabilities scanner such as that from Qualys,
> https://www.ssllabs.com/ssltest/
> 
> - -chris
> 
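
Added example (not part of any message in this thread, and not Tomcat or testssl.sh code): a small shell helper for the internal-only case discussed above, which summarises the protocol, cipher, key-exchange family and verify result from `openssl s_client` output. The function names and the sample output are constructed for illustration; the sample reuses the values quoted in the thread.

```shell
#!/bin/sh
# Added example: summarise what `openssl s_client` negotiated with a TLS endpoint.

# Constructed sample: trimmed s_client output using the values quoted in the thread.
SAMPLE='verify error:num=20:unable to get local issuer certificate
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)'

# session_field NAME: print the value of the first "NAME : value" line on stdin.
session_field() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# kex_family CIPHER: key-exchange family implied by an OpenSSL suite name.
kex_family() {
  case "$1" in
    TLS_*)                     echo "TLS1.3" ;;  # TLS 1.3 names carry no key exchange
    ECDHE-*)                   echo "ECDHE" ;;
    DHE-*|EDH-*)               echo "DHE" ;;
    AES*|CAMELLIA*|DES-CBC3-*) echo "RSA" ;;     # static RSA key exchange
    *)                         echo "OTHER" ;;
  esac
}

# summarise: read s_client output on stdin, print a one-line summary.
summarise() {
  out=$(cat)
  proto=$(printf '%s\n' "$out" | session_field 'Protocol')
  cipher=$(printf '%s\n' "$out" | session_field 'Cipher')
  vrc=$(printf '%s\n' "$out" | session_field 'Verify return code')
  code=${vrc%% *}                       # "20 (unable to ...)" -> "20"
  if [ "$code" = "0" ]; then chain="verified"; else chain="unverified(${code:-?})"; fi
  echo "protocol=$proto cipher=$cipher kex=$(kex_family "$cipher") chain=$chain"
}

# probe HOST PORT: live handshake against a reachable endpoint, then summarise it.
probe() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1 | summarise
}

# offers HOST PORT CIPHERSTRING: succeeds if a TLS 1.2 handshake completes when the
# client offers only suites matching CIPHERSTRING (for example EECDH, EDH or kRSA).
offers() {
  openssl s_client -connect "$1:$2" -tls1_2 -cipher "$3" </dev/null >/dev/null 2>&1
}
```

Comparing the reported key-exchange family with the suites the failing client offers narrows down a version-or-cipher mismatch; a non-zero verify code means the chain was not validated against the trust store `s_client` used.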

Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-22 Thread Thomas Delaney
I apologize for the poor grammar in my last response and extra email. The
site I have set up is internal only. I will not be able to test the site
using SSL Labs.

On Fri, Dec 22, 2017 at 9:37 AM, Thomas Delaney 
wrote:

> The site is internal so I won't be able to check via ssllabs
>
> On Thu, Dec 21, 2017 at 5:36 PM, George S.  wrote:
>
>> On 12/21/2017 3:24 PM, Thomas Delaney wrote:
>>
>>> Thank you for the input so far!
>>>
>>> I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
>>> receive the same result
>>>
>>> when running the openssl s_client command I received this as the Cipher
>>> and
>>> SSL version
>>> Protocol  : TLSv1.2
>>> Cipher: DHE-RSA-AES256-GCM-SHA384
>>>
>>> I also get a message saying  "verify error:num=20:unable to get local
>>> issuer certificate"
>>> "Verify return code: 20 (unable to get local issuer certificate)"
>>>
>>
>> I second Chris Schultz's recommendation that you run the site through the
>> SSL Labs testing site and see what it points out. It's going to check a lot
>> more things right off the bat and display them in an easier format:
>>
>> https://www.ssllabs.com/ssltest/
>>
>>
>>
>>
>>
>>> On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
>>> ch...@christopherschultz.net> wrote:
>>>

 Peter,

 On 12/21/17 2:38 AM, l...@kreuser.name wrote:

> Hi Thomas,
>
> Am 21.12.2017 um 00:56 schrieb Thomas Delaney
>> :
>>
>> Greetings,
>>
>> I am having trouble regarding google chrome's behavior to Apache
>> Tomcat's SSL setup. I have been successful getting an ssl website
>> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
>> on google chrome. Mozilla Firefox brings me to my site with no
>> problem.
>>
>> When going to https://mydomain.com:8443 I receive a message from
>> Google Chrome.
>>
>> Google Chrome Error - This site can’t provide a secure
>> connection mydomain.com uses an unsupported protocol.
>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>>
>> Unsupported protocol The client and server don't support a common
>> SSL protocol version or cipher suite.
>>
>> When checking Google Chrome's Browser console in the security tab
>> I receive: Page is not secure Valid certificate secure resources
>>
>> Here is the following background info I have for the
>> configuration I gave Apache Tomcat when setting up the 8443
>> connector
>>
>> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
>>
>> Linux OS: SUSE Enterprise 12 sp1
>>
>> Packages installed:
>>
>> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
>>
> That may be the culprit.
>
> Apparently this (old) version of Java7 will not provide in the
> default modern ciphers that Chrome requires. And the config is
> using the JSSE SSL implementation. But as you have TC Native and
> openssl 1.0.2 you should switch to openssl.
>
 This probably isn't the problem since Thomas is using the APR
 connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
 not relevant.

 - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
>> tomcat-native-1.2.16-src
>>
>> Server.xml apr connector (Certificates are signed from GoDaddy
>> and are placed in the conf directory of Apache Tomcat):
>>
>> > protocol="org.apache.coyote.http11.Http11AprProtocol"
>> maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="
>> mydomain.com" > > protocols="TLSv1,TLSv1.1,TLSv1.2"> > certificateKeyFile="conf/server.key"
>> certificateFile="conf/server.crt"
>> certificateChainFile="conf/CA_server_bundle.crt" type="RSA" />
>>  
>>
> This looks okay to me. If you start Tomcat and then use "openssl
 s_client -connect :", does openssl connect? It should
 report the protocol and cipher suite being used to connect.

 If your server is externally-accessible, consider using an external TLS
 capabilities scanner such as that from Qualys,
 https://www.ssllabs.com/ssltest/

 - -chris
 

Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-22 Thread Thomas Delaney
The site is internal so I won't be able to check via ssllabs

On Thu, Dec 21, 2017 at 5:36 PM, George S.  wrote:

> On 12/21/2017 3:24 PM, Thomas Delaney wrote:
>
>> Thank you for the input so far!
>>
>> I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
>> receive the same result
>>
>> when running the openssl s_client command I received this as the Cipher
>> and
>> SSL version
>> Protocol  : TLSv1.2
>> Cipher: DHE-RSA-AES256-GCM-SHA384
>>
>> I also get a message saying  "verify error:num=20:unable to get local
>> issuer certificate"
>> "Verify return code: 20 (unable to get local issuer certificate)"
>>
>
> I second Chris Schultz's recommendation that you run the site through the
> SSL Labs testing site and see what it points out. It's going to check a lot
> more things right off the bat and display them in an easier format:
>
> https://www.ssllabs.com/ssltest/
>
>
>
>
>
>> On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>>
>>>
>>> Peter,
>>>
>>> On 12/21/17 2:38 AM, l...@kreuser.name wrote:
>>>
 Hi Thomas,

 Am 21.12.2017 um 00:56 schrieb Thomas Delaney
> :
>
> Greetings,
>
> I am having trouble regarding google chrome's behavior to Apache
> Tomcat's SSL setup. I have been successful getting an ssl website
> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
> on google chrome. Mozilla Firefox brings me to my site with no
> problem.
>
> When going to https://mydomain.com:8443 I receive a message from
> Google Chrome.
>
> Google Chrome Error - This site can’t provide a secure
> connection mydomain.com uses an unsupported protocol.
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>
> Unsupported protocol The client and server don't support a common
> SSL protocol version or cipher suite.
>
> When checking Google Chrome's Browser console in the security tab
> I receive: Page is not secure Valid certificate secure resources
>
> Here is the following background info I have for the
> configuration I gave Apache Tomcat when setting up the 8443
> connector
>
> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
>
> Linux OS: SUSE Enterprise 12 sp1
>
> Packages installed:
>
> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
>
 That may be the culprit.

 Apparently this (old) version of Java7 will not provide in the
 default modern ciphers that Chrome requires. And the config is
 using the JSSE SSL implementation. But as you have TC Native and
 openssl 1.0.2 you should switch to openssl.

>>> This probably isn't the problem since Thomas is using the APR
>>> connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
>>> not relevant.
>>>
>>> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
> tomcat-native-1.2.16-src
>
> Server.xml apr connector (Certificates are signed from GoDaddy
> and are placed in the conf directory of Apache Tomcat):
>
>  protocol="org.apache.coyote.http11.Http11AprProtocol"
> maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="
> mydomain.com" >  protocols="TLSv1,TLSv1.1,TLSv1.2">  certificateKeyFile="conf/server.key"
> certificateFile="conf/server.crt"
> certificateChainFile="conf/CA_server_bundle.crt" type="RSA" />
>  
>
 This looks okay to me. If you start Tomcat and then use "openssl
>>> s_client -connect :", does openssl connect? It should
>>> report the protocol and cipher suite being used to connect.
>>>
>>> If your server is externally-accessible, consider using an external TLS
>>> capabilities scanner such as that from Qualys,
>>> https://www.ssllabs.com/ssltest/
>>>
>>> - -chris
>>>
>>> 

Re: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Olaf Kock


On 22.12.2017 13:48, Eric Robinson wrote:

> We have multiple JVMs deployed on two identical Linux servers. Each server has
> 60 JVMs. Until today, both servers were running Tomcat6 with JDK 1.6. Today we
> upgraded one of the servers to Tomcat 8 with JDK 1.8. Now the JVMs on the
> Tomcat 8 server are each using between 20-80% more memory than the ones on
> Tomcat6 with JDK 1.6. Is that normal? Why would that be? Is it some kind of
> settings? Is it fixable?

It might be as simple as different thresholds for the garbage collector 
to kick in.
I'd start with an evaluation of how much memory is used right after a GC 
run - and in case this isn't satisfactory, which objects use the memory. 
Typically it's appropriate to just look at the top of the list.


Note that the GC algorithms (or just GC defaults) between the different 
JVM versions (sometimes even between minor upgrades) might differ 
significantly. One big question is: Did you explicitly configure memory 
consumption, GC algorithm and thresholds? If so, what's the difference 
between the two options: I'd expect that you need to change the settings 
significantly in order to achieve the same behavior. There's a lot of 
work that has been done in this world.


That being said, I'd also not rule out that tomcat's or other 
component's implementation changed - e.g. caches, or just memory use 
through upgraded libraries. But I'd recommend to look in both 
directions, with JDK and GC tuning being the elephant in the room, 
giving you the biggest bang for your buck.


Olaf




Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Eric Robinson
We have multiple JVMs deployed on two identical Linux servers. Each server has 
60 JVMs. Until today, both servers were running Tomcat6 with JDK 1.6. Today we 
upgraded one of the servers to Tomcat 8 with JDK 1.8. Now the JVMs on the 
Tomcat 8 server are each using between 20-80% more memory than the ones on 
Tomcat6 with JDK 1.6. Is that normal? Why would that be? Is it some kind of 
settings? Is it fixable?

--Eric






Re: urgent problems with tomcat release 8.5.4

2017-12-22 Thread Konstantin Kolinko
2017-12-22 5:28 GMT+03:00 CYAG (Johnny Chao Yang) :
> Hello team,
>
>
> Due to the tomcat 8.0 will closed to its support deadline, so we are going to 
> upgrade our tomcat version from 8.0 to 8.5.4, as Apache tomcat official 
> website announced 8.5.x will not stop support so far, but the support time 
> decides which tomcat version is better for us to choose and it really affect 
> our IT infrastructure, so could we know approximately how long will Apache 
> keep support Tomcat release 8.5.x ?
>
>
> Very appreciated for your help & will looking hearing for your feedback. :)
>


http://www.catb.org/~esr/faqs/smart-questions.html#urgent

The current version of Tomcat 8.5 is 8.5.24.
https://wiki.apache.org/tomcat/FAQ/Linux_Unix#Q5

http://markmail.org/message/c7mxxiokcmf665qy
