HTTP/1.x broken with Tomcat 9, Java 11 and Http11NioProtocol
I'm trying to get the following configuration working:

- Tomcat 9.0.17 (also tested with 9.0.16)
- AdoptOpenJDK Java 11.0.2 on Linux (also tested on Windows)
- Http11NioProtocol Connector
- Http2Protocol ProtocolUpgrade

I'm using the following connector config:

With the UpgradeProtocol in place, HTTP/2.0 works fine, but when I attempt a pure HTTP/1.0 or HTTP/1.1 request the server closes the connection before responding. This breaks any non-HTTP2.0 client.

My first question is: Should this configuration work?
My second is: Why is it broken? :)

Thanks!

Output from curl for reference:

Working:

curl -kv --http2 https://127.0.0.1:8443/examples/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=Example; L=Example; O=Example; OU=Example; CN=Example
*  start date: Mar 13 13:39:10 2019 GMT
*  expire date: Jun 11 13:39:10 2019 GMT
*  issuer: C=US; ST=Example; L=Example; O=Example; OU=Example; CN=Example
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x558883950900)
> GET /examples/ HTTP/2
> Host: 127.0.0.1:8443
> User-Agent: curl/7.58.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< accept-ranges: bytes
< etag: W/"1156-1552393515275"
< last-modified: Tue, 12 Mar 2019 12:25:15 GMT
< content-type: text/html
< content-length: 1156
< date: Wed, 27 Mar 2019 03:42:56 GMT
<
--snip--
* Connection #0 to host 127.0.0.1 left intact

Not working:

curl -kv --http1.0 https://127.0.0.1:8443/examples/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=Example; L=Example; O=Example; OU=Example; CN=Example
*  start date: Mar 13 13:39:10 2019 GMT
*  expire date: Jun 11 13:39:10 2019 GMT
*  issuer: C=US; ST=Example; L=Example; O=Example; OU=Example; CN=Example
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET /examples/ HTTP/1.0
> Host: 127.0.0.1:8443
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.2 (IN), TLS alert, Client hello (1):
* Empty reply from server
* Connection #0 to host 127.0.0.1 left intact
curl: (52) Empty reply from server

---
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: ecj-4.6.3 no longer required?
Which 8.5.x were you referring to? I just checked: 8.5.39 has ecj in the lib directory.

On Wed, Mar 27, 2019 at 1:58 AM David Cleary wrote:
>
> I'm currently updating our server that is based on Tomcat 8.5.x and found that
> ecj-4.6.3.jar is no longer in the distribution. The changelog does not note
> that it has been removed. I just want to confirm that I should remove this
> library as part of the Tomcat update.
>
> Thanks
> Dave
Re: ecj-4.6.3 no longer required?
Tue, 26 Mar 2019 at 20:58, David Cleary:
>
> I'm currently updating our server that is based on Tomcat 8.5.x and found that
> ecj-4.6.3.jar is no longer in the distribution. The changelog does not note
> that it has been removed. I just want to confirm that I should remove this
> library as part of the Tomcat update.

How did you install your copy of Apache Tomcat?

Both the official apache-tomcat-8.5.39.zip and apache-tomcat-8.5.39.tar.gz files have ecj-4.6.3.jar in them.

Technically, answering the topic of "whether it is required":

1) ECJ is not needed if your web applications do not have JSP pages. (If they contain only servlets, or where JSPs are pre-compiled.)

2) ECJ is not needed if Tomcat is configured to compile JSPs with javac from the JDK. It is possible, but it is a rare configuration.

3) The ecj.jar can be replaced with any newer version. This specific version (ecj-4.6.3.jar) is the latest one that can run on Java 7, thus it is bundled with the official release of Tomcat 8.5.

Best regards,
Konstantin Kolinko
ecj-4.6.3 no longer required?
I'm currently updating our server that is based on Tomcat 8.5.x and found that ecj-4.6.3.jar is no longer in the distribution. The changelog does not note that it has been removed. I just want to confirm that I should remove this library as part of the Tomcat update.

Thanks
Dave
RE: Setting headers in tomcat 9
Hi Yemi,

You may implement servlet filters to insert these security headers before the response reaches the client.

I hope this helps.

Ike

-----Original Message-----
From: Olayemi Olatunji
Sent: Tuesday, March 26, 2019 3:37 AM
To: users@tomcat.apache.org
Subject: Setting headers in tomcat 9

Hello,

I'm deploying an application on Tomcat 9 which a client has requested we conduct a vulnerability test on. The test came back with missing headers for the following: Content-Security-Policy, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy, Feature-Policy.

How can this be resolved/patched?

Kind regards
Olayemi
Re: Resource Request - MySQL Data Pool
Richard,

On 3/25/19 14:15, Richard Huntrods wrote:
> It's time to update my application to use "real" (i.e.
> current best practices) data connection pooling.

:)

> My application is Java Servlets, no beans, no JSP. Database is
> MySQL.
>
> System etc. details: Ubuntu live server 18.04.2, built March 6,
> 2019.
>
> MySQL - latest installed via 'apt-get install mysql-server' after
> system build.

So... MariaDB, then? Or does Ubuntu still stock MySQL binaries?

> OpenJVM - 11? - again, latest version installed via 'apt-get
> install default-jdk' at same time.

Should be pretty easy to determine this:

$ java -version

> Tomcat 8.5.39 - just updated the same day it came out.

Sounds good so far.

> This system has been running in production since the early 2001's.
> OS has changed over the years from Sun Solaris 8.x to Solaris 10.x
> and now to Ubuntu 18.04 (server). Java has been updated over the
> years as well, as has Tomcat and MySQL. Through all that the system
> works quite perfectly.
>
> Except... there are occasional hangs that implicate the 'home
> grown' data connection pool. I wrote this by hand (in Java) back
> in 2001 because there was nothing much available back then. Since
> it kept working, I didn't have the time/inclination to change over
> the years.

You may find that your home-grown connection pool is actually okay, but it's being used incorrectly by client code (which is also your code). IF you have problems with the client code, the "real" connection-pool can help you tolerate them, but it won't magically fix them.

> But the latest connector (mysql-connector-java-8.0.15.jar, a.k.a.
> "com.mysql.cj.jdbc.Driver") is giving me some hiccups. I thought
> rather than trying to debug my own connection pool, it was time to
> switch over to a proper "modern" supported connection pooling
> system.
>
> Which brings me to my question.
>
> Would the community please weigh in on the BEST tutorials /
> documents regarding creating a Tomcat/MySQL database connection
> pool for Servlets (not JSP or beans) with some good code examples
> and server.xml examples?
>
> I've already done some extensive internet searches, but when you
> are doing something for the first time it's hard to tell the
> difference between "really really good" and "blogger who has not
> really tried it".

You will want Tomcat to create the connection pool for you. Anything else is a waste of time.

Here's what happens:

1. During application startup, Tomcat creates a javax.sql.DataSource object and squirrels it away using a path in the JNDI space that you get to specify the tail-end of.

2. When your application needs a connection, you grab the DataSource from JNDI (it's like a singleton in-memory Map of URLs to objects) and ask it for a java.sql.Connection object.

3. When you are done with the connection, you call Connection.close on it and it goes back into the pool.

So, fairly simple. It's all fairly easy, though changing all your code to work with it might not be.

Here's basically what you need.

1. Tomcat configuration. This goes into META-INF/context.xml:

You can look-up the meanings of all of the above settings here:
https://commons.apache.org/proper/commons-dbcp/configuration.html

Note that I have the above configured for "Development Mode" which means that there is exactly 1 connection in the pool, period. If you have bad code which fails to return the connection (leaks) or tries to check out more than one connection from the pool (potential deadlock), then your application will freeze in development. In production, feel free to crank-up the maxActive, maxIdle, and maxTotal settings.

2. Get a connection object in your code:

import java.sql.Connection;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

...

Connection conn = null;
try {
    try {
        Context ctx = new InitialContext();
        DataSource ds = (DataSource)ctx.lookup("java:/comp/env/jdbc/myDS"); // NOTE: Suffix matches
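The three steps Chris describes (Tomcat builds the pool, the webapp looks it up in JNDI, Connection.close returns the connection), written out as an added example that is not Chris's code and not part of the thread. The class and package names, the users table and its columns, and the database URL and credentials in the commented context.xml are all assumed; `jdbc/myDS` is the resource name Chris uses, spelled here in the standard `java:comp/env` form, and the pool attributes are the DBCP2 names from the commons-dbcp configuration page he links to. The point of the shape is that the connection is borrowed and returned inside one try-with-resources, so the leak and nested-checkout cases that freeze his one-connection development pool cannot happen by accident:

```java
// Added example (not from the thread): pooled access through Tomcat's JNDI
// DataSource, with borrow and return in a single try-with-resources.
package example.db; // hypothetical package

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/*
 * Step 1, META-INF/context.xml (assumed values; attribute names are DBCP2's):
 *
 *   <Context>
 *     <Resource name="jdbc/myDS" auth="Container" type="javax.sql.DataSource"
 *               driverClassName="com.mysql.cj.jdbc.Driver"
 *               url="jdbc:mysql://localhost:3306/mydb"
 *               username="app" password="CHANGE-ME"
 *               maxTotal="1" maxIdle="1" maxWaitMillis="5000"/>
 *   </Context>
 *
 * maxTotal="1" is the development-mode setting Chris recommends: a leaked
 * connection or a nested checkout makes the second caller fail after
 * maxWaitMillis instead of working until production load exposes it.
 */
public final class PooledDb {
    private static final String JNDI_NAME = "java:comp/env/jdbc/myDS";
    private static volatile DataSource dataSource;

    private PooledDb() {
    }

    /** Step 2: resolve the pool once and cache it; the JNDI lookup is not free. */
    static DataSource dataSource() throws SQLException {
        DataSource ds = dataSource;
        if (ds == null) {
            synchronized (PooledDb.class) {
                ds = dataSource;
                if (ds == null) {
                    try {
                        ds = (DataSource) new InitialContext().lookup(JNDI_NAME);
                    } catch (NamingException e) {
                        throw new SQLException("DataSource not bound at " + JNDI_NAME, e);
                    }
                    dataSource = ds;
                }
            }
        }
        return ds;
    }

    /** A unit of work that needs exactly one pooled connection. */
    @FunctionalInterface
    public interface ConnectionWork<T> {
        T apply(Connection conn) throws SQLException;
    }

    /**
     * Steps 2 and 3 together: borrow, use, return. try-with-resources calls
     * Connection.close() on every exit path, including exceptions, which hands
     * the connection back to the pool rather than closing the socket.
     */
    public static <T> T withConnection(ConnectionWork<T> work) throws SQLException {
        try (Connection conn = dataSource().getConnection()) {
            return work.apply(conn);
        }
    }

    /** Example caller: a parameterised query (assumed users table), never concatenated SQL. */
    public static List<String> findUserNames(String role) throws SQLException {
        return withConnection(conn -> {
            List<String> names = new ArrayList<>();
            try (PreparedStatement ps = conn.prepareStatement(
                    "SELECT name FROM users WHERE role = ?")) {
                ps.setString(1, role);
                try (ResultSet rs = ps.executeQuery()) {
                    while (rs.next()) {
                        names.add(rs.getString("name"));
                    }
                }
            }
            return names;
        });
    }
}
```

Calling `withConnection` from inside another `withConnection` is exactly the nested checkout Chris warns about; with `maxTotal="1"` it surfaces in development as a `SQLException` after `maxWaitMillis` rather than as an occasional production hang.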
Re: [EXTERNAL] Re: Could not find datasource: java:/comp/env/jdbc/TOPSDB when start Tomcat 9.0.13
Gary,

On 3/25/19 12:08, Hua, Gary - Saint Louis, MO - Contractor wrote:
> Olaf:
>
> Thanks for the input. I removed jdbc2_0-stdext.jar and
> tomcat-dbcp.jar from
> /opt/TomCat/apache-tomcat-9.0.13/webapps/TOPS-WEB/WEB-INF/lib and
> did some cleaning on /opt/TomCat/apache-tomcat-9.0.13/lib, now
> that is my lib folder looks like:

Wow, this must be a very old web application. You still have some cleaning-up to do.

> atadmin@eagnmnmed1f45:/opt/TomCat/apache-tomcat-9.0.13/webapps/TOPS-WEB/WEB-INF/lib>ls -l
> total 20648
> -rwxrwxrwx 1 atadmin atadmin  433164 Dec 17 17:47 antlr-2.7.5H3.jar
> -rwxrwxrwx 1 atadmin atadmin  281998 Dec 17 17:45 cglib-2.1.jar

Super old.

[...]

> -rwxrwxrwx 1 atadmin atadmin   16777 Dec 17 17:45 asm-attrs.jar
> -rwxrwxrwx 1 atadmin atadmin   26360 Dec 17 17:45 asm.jar
> -rwxrwxrwx 1 atadmin atadmin  188671 Dec 17 17:47 commons-beanutils.jar
> -rwxrwxrwx 1 atadmin atadmin  165119 Dec 17 17:45 commons-collections.jar
> -rwxrwxrwx 1 atadmin atadmin  168446 Dec 17 17:47 commons-digester.jar
> -rwxrwxrwx 1 atadmin atadmin   26388 Dec 17 17:47 commons-logging.jar
> -rwxrwxrwx 1 atadmin atadmin   84462 Dec 17 17:47 commons-validator.jar
> -rwxrwxrwx 1 atadmin atadmin  153115 Dec 17 17:45 jdom.jar
> -rwxrwxrwx 1 atadmin atadmin    8812 Dec 17 17:45 jta.jar
> -rwxrwxrwx 1 atadmin atadmin  367444 Dec 17 17:45 log4j.jar

I'm always suspicious of library JAR files that have no version number. You might want to take a look at what these are and re-name them appropriately.

> -rwxrwxrwx 1 atadmin atadmin 1196109 Dec 17 17:47 classes12.jar

classes12.jar is Oracle's JDBC driver written for Java 1.2. I'm fairly sure that was hand-coded by Hammurabi himself. If you are indeed using Oracle DB, you need to upgrade to a library version released during this century.

> -rwxrwxrwx 1 atadmin atadmin 3698857 Mar 15 15:32 ojdbc7.jar

This is a second Oracle JDBC driver. Do you need both of them?

> -rwxrwxrwx 1 atadmin atadmin 4604132 Dec 17 17:45 com.ibm.ws.webcontainer.jar

This is a WebSphere library. Presumably, you have left WebSphere behind in favor of Tomcat? Or maybe you need some service that WS provides and you have taken it with you?

> -rwxrwxrwx 1 atadmin atadmin  205318 Mar 19 11:20 commons-dbcp2-2.6.0.jar
> -rwxrwxrwx 1 atadmin atadmin   70604 Dec 17 17:45 commons-fileupload-1.3.3.jar
> -rwxrwxrwx 1 atadmin atadmin  214788 Dec 17 17:45 commons-io-2.6.jar
> -rwxrwxrwx 1 atadmin atadmin  207723 Dec 17 17:47 commons-lang-2.1.jar
> -rwxrwxrwx 1 atadmin atadmin  315805 Dec 17 17:47 commons-lang3-3.1.jar
> -rwxrwxrwx 1 atadmin atadmin  210432 Dec 17 17:45 displaytag-1.1.jar
> -rwxrwxrwx 1 atadmin atadmin   12590 Dec 17 17:45 displaytag-export-poi-1.1.jar
> -rwxrwxrwx 1 atadmin atadmin  312509 Dec 17 17:45 dom4j-1.5.2.jar
> -rwxrwxrwx 1 atadmin atadmin   47531 Dec 17 17:45 ehcache-1.1.jar
> -rwxrwxrwx 1 atadmin atadmin 1925498 Dec 17 17:45 hibernate3.jar
> -rwxrwxrwx 1 atadmin atadmin   65425 Dec 17 17:45 jakarta-oro.jar
> -rwxrwxrwx 1 atadmin atadmin 1979523 Dec 17 17:41 javaee-api-8.0.jar

I'm fairly sure this should be removed. Tomcat provides all of the APIs that you need. While this may be a compile-time dependency, everything should be provided at runtime by Tomcat.

> -rwxrwxrwx 1 atadmin atadmin  414240 Dec 17 16:29 jstl-1.2.jar
> -rwxrwxrwx 1 atadmin atadmin  105355 Dec 17 17:45 old_lcms-webtools.jar
> -rwxrwxrwx 1 atadmin atadmin  795231 Dec 17 17:45 poi-2.5-final-20040302.jar
> -rwxrwxrwx 1 atadmin atadmin   55210 Dec 17 17:45 poi-contrib-2.5-final-20040302.jar
> -rwxrwxrwx 1 atadmin atadmin  188942 Dec 17 17:45 poi-scratchpad-2.5-final-20040302.jar
> -rwxrwxrwx 1 atadmin atadmin  475943 Dec 17 17:45 proxool-0.8.3.jar
> -rwxrwxrwx 1 atadmin atadmin  543706 Dec 17 17:47 struts.jar

Aha, I see. You are running Struts 1 which requires ancient versions of certain libraries.

> -rwxrwxrwx 1 atadmin atadmin  495271 Dec 17 17:47 Struts-Layout.jar
> -rwxrwxrwx 1 atadmin atadmin   68046 Dec 17 17:47 struts-menu-2.4.3.jar
> -rwxrwxrwx 1 atadmin atadmin   39427 Dec 17 17:47 taglibs-request.jar
> -rwxrwxrwx 1 atadmin atadmin   44061 Dec 17 17:45 USPS-Framework-1.0.8-alpha.jar
> -rwxrwxrwx 1 atadmin atadmin  834966 Dec 17 17:45 xercesImpl.jar
>
>
> atadmin@eagnmnmed1f45:/opt/TomCat/apache-tomcat-9.0.13/lib>ls -l
> total 13308
> -rwxrwxrwx 1 atadmin atadmin   12966 Nov  2 09:29 annotations-api.jar
> -rwxrwxrwx 1 atadmin atadmin   54415 Nov  2 09:29 catalina-ant.jar
> -rwxrwxrwx 1 atadmin atadmin  120721 Nov  2 09:29 catalina-ha.jar
> -rwxrwxrwx 1 atadmin atadmin 1652907 Nov 15 10:49 catalina.jar
> -rwxrwxrwx 1 atadmin atadmin 1653788 Nov  2 09:29 catalina.jar.20181115-1049

Remove this.

> -rwxrwxrwx 1 atadmin atadmin   78634 Nov  2 09:29 catalina-storeconfig.jar
> -rwxrwxrwx 1 atadmin atadmin
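Chris's advice to find out what the versionless JARs (asm.jar, jdom.jar, log4j.jar, struts.jar, hibernate3.jar and so on) actually are is easier with a small inventory tool. The following is an added example, not code from the thread or from Tomcat; the class name is assumed, and the directory path defaults to a relative WEB-INF/lib. For each JAR it reads the manifest's Implementation or Specification (or OSGi Bundle) title and version, computes the SHA-1 of the file, and flags names that carry no version. Maven Central's search supports lookup by SHA-1 checksum, so the hash identifies a renamed or versionless JAR even when its manifest says nothing:

```java
// Added example (not from the thread): inventory of WEB-INF/lib with manifest
// versions and SHA-1 checksums, flagging JARs whose file name has no version.
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.Attributes;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

public final class JarInventory {

    /** One line per JAR in the directory, sorted by file name. */
    public static List<String> inventory(Path libDir) throws IOException {
        List<String> lines = new ArrayList<>();
        try (DirectoryStream<Path> jars = Files.newDirectoryStream(libDir, "*.jar")) {
            for (Path jar : jars) {
                lines.add(describe(jar));
            }
        }
        lines.sort(null);
        return lines;
    }

    /** File name, manifest title and version (or "?"), SHA-1, and a flag for versionless names. */
    static String describe(Path jar) throws IOException {
        String title = "?";
        String version = "?";
        try (JarFile jf = new JarFile(jar.toFile())) {
            Manifest mf = jf.getManifest();
            if (mf != null) {
                Attributes a = mf.getMainAttributes();
                title = firstValue(a, Attributes.Name.IMPLEMENTATION_TITLE,
                        Attributes.Name.SPECIFICATION_TITLE, new Attributes.Name("Bundle-SymbolicName"));
                version = firstValue(a, Attributes.Name.IMPLEMENTATION_VERSION,
                        Attributes.Name.SPECIFICATION_VERSION, new Attributes.Name("Bundle-Version"));
            }
        }
        String name = jar.getFileName().toString();
        String flag = hasVersionInName(name) ? "" : "   <-- no version in file name";
        return String.format("%-40s %-30s %-12s %s%s", name, title, version, sha1Hex(jar), flag);
    }

    static String firstValue(Attributes a, Attributes.Name... keys) {
        for (Attributes.Name key : keys) {
            String v = a.getValue(key);
            if (v != null && !v.isEmpty()) {
                return v;
            }
        }
        return "?";
    }

    /** True for commons-io-2.6.jar or poi-2.5-final-20040302.jar; false for struts.jar, hibernate3.jar, classes12.jar. */
    static boolean hasVersionInName(String fileName) {
        return fileName.matches(".*-\\d+(\\.\\d+)*[^/]*\\.jar");
    }

    /** Hex SHA-1 of the whole file, the checksum Maven Central can be searched by. */
    static String sha1Hex(Path file) throws IOException {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            try (InputStream in = Files.newInputStream(file)) {
                byte[] buf = new byte[8192];
                int n;
                while ((n = in.read(buf)) > 0) {
                    md.update(buf, 0, n);
                }
            }
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest()) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-1 is mandatory in every JRE
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Paths.get(args.length > 0 ? args[0] : "WEB-INF/lib");
        for (String line : inventory(dir)) {
            System.out.println(line);
        }
    }
}
```

Run it against the webapp's WEB-INF/lib and against Tomcat's own lib directory; the flagged lines are the ones to rename to their real version (or remove) once the manifest or the checksum has identified them.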
Re: CVE-2019-0199 Apache Tomcat HTTP/2 DoS
On 26/03/2019 11:47, George Angeletos wrote:
> Hello,
>
> Is an upgrade required for those who are not using the HTTP/2 protocol?

No. CVE-2019-0199 only affects servers where HTTP/2 is enabled.

Mark
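Since Mark's answer turns on whether HTTP/2 is enabled, which in Tomcat means a Connector carrying an UpgradeProtocol with className org.apache.coyote.http2.Http2Protocol, the check can be automated against server.xml. This is an added example, not from the thread or from Tomcat; the class name is assumed, and the embedded sample server.xml is constructed (the HTTP/1.x thread above does not preserve its actual connector config). The parser is hardened against DTDs and external entities out of habit, even though server.xml is an operator-controlled file:

```java
// Added example (not from the thread): list the Connectors in a server.xml
// that have the HTTP/2 UpgradeProtocol configured.
import java.io.StringReader;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public final class Http2Check {

    private static final String HTTP2_UPGRADE = "org.apache.coyote.http2.Http2Protocol";

    public static List<String> http2Connectors(Path serverXml) throws Exception {
        return http2Connectors(new InputSource(serverXml.toUri().toString()));
    }

    /** One entry per Connector that carries an Http2Protocol UpgradeProtocol child. */
    public static List<String> http2Connectors(InputSource source) throws Exception {
        Document doc = hardenedBuilderFactory().newDocumentBuilder().parse(source);
        NodeList connectors = doc.getElementsByTagName("Connector");
        List<String> hits = new ArrayList<>();
        for (int i = 0; i < connectors.getLength(); i++) {
            Element connector = (Element) connectors.item(i);
            NodeList upgrades = connector.getElementsByTagName("UpgradeProtocol");
            for (int j = 0; j < upgrades.getLength(); j++) {
                String className = ((Element) upgrades.item(j)).getAttribute("className");
                if (HTTP2_UPGRADE.equals(className)) {
                    hits.add("port " + connector.getAttribute("port")
                            + " protocol=" + connector.getAttribute("protocol"));
                }
            }
        }
        return hits;
    }

    /** Refuse DOCTYPEs and entity expansion; server.xml never needs them. */
    static DocumentBuilderFactory hardenedBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Constructed sample: a plain HTTP/1.1 connector and a TLS connector with the HTTP/2 upgrade. */
    static final String SAMPLE = "<Server><Service name=\"Catalina\">"
            + "<Connector port=\"8080\" protocol=\"HTTP/1.1\"/>"
            + "<Connector port=\"8443\" protocol=\"org.apache.coyote.http11.Http11NioProtocol\" SSLEnabled=\"true\">"
            + "<UpgradeProtocol className=\"org.apache.coyote.http2.Http2Protocol\"/>"
            + "</Connector></Service></Server>";

    public static void main(String[] args) throws Exception {
        List<String> hits = args.length > 0
                ? http2Connectors(Path.of(args[0]))
                : http2Connectors(new InputSource(new StringReader(SAMPLE)));
        System.out.println(hits.isEmpty() ? "HTTP/2 not enabled" : "HTTP/2 enabled on: " + hits);
    }
}
```

With no argument it runs over the constructed sample and reports the 8443 connector; pass the path to conf/server.xml to check a real instance. An empty result means the instance is outside the scope Mark describes for CVE-2019-0199.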
CVE-2019-0199 Apache Tomcat HTTP/2 DoS
Hello,

Is an upgrade required for those who are not using the HTTP/2 protocol?

Many thanks
George Angeletos
Re: Setting headers in tomcat 9
Hi Olayemi,

On 26.03.2019 09:36, Olayemi Olatunji wrote:
> Hello,
>
> I'm deploying an application on Tomcat 9 which a client has requested we conduct a vulnerability test on. The test came back with missing headers for the following: Content-Security-Policy, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy, Feature-Policy.
>
> How can this be resolved/patched?

Per se this can be done by enabling the org.apache.catalina.filters.HttpHeaderSecurityFilter in the global or your webapp's web.xml. This will solve quite a few of the vulnerability scanner findings.

For Content-Security-Policy (CSP) you should write your own Filter. The CSP finding is a pain for legacy applications. CSP is nothing that can be enabled without application know-how, the right settings for your needs and intensive testing. You may really break inline JavaScript in your pages (CSS too).

Please check out the great websites of Scott Helme on the headers: https://Securityheaders.io or https://scotthelme.co.uk/csp-cheat-sheet/

Feature Policy is quite new and I would not deem that relevant for legacy applications (that don't use features like GPS, rotation, microphone).

> Kind regards
> Olayemi

Best regards
Peter

BTW: may I suggest you use the search function on the user list (e.g. https://tomcat.apache.org/lists.html#tomcat-users -> MARC, MarkMail, Nabble). This question has been asked before quite a few times.
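Both replies in this thread (Ike's "implement servlet filters" and Peter's split between HttpHeaderSecurityFilter and a custom filter for CSP) come down to the same two pieces, shown here as an added example that is not code from the thread or from Tomcat. The web.xml fragment in the leading comment enables Tomcat's own HttpHeaderSecurityFilter with its real init-param names (antiClickJackingOption, blockContentTypeSniffingEnabled, xssProtectionEnabled), which covers X-Frame-Options, X-Content-Type-Options and X-XSS-Protection; the filter class below is the custom part for Content-Security-Policy, Referrer-Policy and Feature-Policy. The package and class names, the policy values and the `cspNonce` attribute name are assumptions; the policy ships in report-only mode by default because, as Peter says, a real CSP will break inline script and CSS on a legacy application until it has been tuned:

```java
// Added example (not from the thread): the custom filter for the headers that
// Tomcat's HttpHeaderSecurityFilter does not set. Tomcat 9 uses javax.servlet.
package example.web; // hypothetical package

import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.HttpServletResponse;

/*
 * Built-in part, in WEB-INF/web.xml (or conf/web.xml to apply to every webapp):
 *
 *   <filter>
 *     <filter-name>httpHeaderSecurity</filter-name>
 *     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
 *     <init-param><param-name>antiClickJackingOption</param-name><param-value>DENY</param-value></init-param>
 *     <init-param><param-name>blockContentTypeSniffingEnabled</param-name><param-value>true</param-value></init-param>
 *     <init-param><param-name>xssProtectionEnabled</param-name><param-value>true</param-value></init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>httpHeaderSecurity</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 *
 * The filter below adds CSP, Referrer-Policy and Feature-Policy.
 */
@WebFilter(urlPatterns = "/*", initParams = {
        // Report-only first: nothing breaks, violations show up in the browser
        // console until the policy fits the application. Set to false to enforce.
        @WebInitParam(name = "reportOnly", value = "true") })
public class PolicyHeadersFilter implements Filter {

    /** Request attribute holding the per-request nonce, for JSPs: <script nonce="${cspNonce}">. */
    public static final String NONCE_ATTRIBUTE = "cspNonce";

    private final SecureRandom random = new SecureRandom();
    private boolean reportOnly;

    @Override
    public void init(FilterConfig config) {
        reportOnly = Boolean.parseBoolean(config.getInitParameter("reportOnly"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        String nonce = newNonce();
        req.setAttribute(NONCE_ATTRIBUTE, nonce);

        // Headers must be set before the chain commits the response; afterwards they are silently dropped.
        response.setHeader(reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy",
                contentSecurityPolicy(nonce));
        response.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
        response.setHeader("Feature-Policy", "geolocation 'none'; microphone 'none'; camera 'none'");

        chain.doFilter(req, res);
    }

    /** Same-origin resources plus inline script/style that carries this request's nonce; no plugins, no framing. */
    static String contentSecurityPolicy(String nonce) {
        return "default-src 'self'; "
                + "script-src 'self' 'nonce-" + nonce + "'; "
                + "style-src 'self' 'nonce-" + nonce + "'; "
                + "object-src 'none'; base-uri 'self'; frame-ancestors 'none'";
    }

    /** 128 random bits, base64 so the value is safe in a header and in an HTML attribute. */
    private String newNonce() {
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    @Override
    public void destroy() {
    }
}
```

The nonce is the usual way to keep existing inline scripts working without falling back to 'unsafe-inline': each `<script>` or `<style>` the application emits gets `nonce="${cspNonce}"`, and anything injected without it is blocked (or, in report-only mode, reported). `frame-ancestors 'none'` restates the X-Frame-Options DENY set by HttpHeaderSecurityFilter for browsers that prefer CSP.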
Re: Resource Request - MySQL Data Pool
Hello Richard,

In my experience the best is to "start simple". I would have a look at the Apache Tomcat doc [1], configure your pool with a minimal setup and test. Everything depends on your application workload, how your queries look, etc., so I am afraid that there are no "silver bullets" in this domain.

Hope it helps,
Luis

[1] https://tomcat.apache.org/tomcat-8.5-doc/jndi-datasource-examples-howto.html

On Mon, 25 Mar 2019 at 19:15, Richard Huntrods () wrote:
> It's time to update my application to use "real" (i.e. current
> best practices) data connection pooling.
>
> My application is Java Servlets, no beans, no JSP. Database is MySQL.
>
> System etc. details:
> Ubuntu live server 18.04.2, built March 6, 2019.
>
> MySQL - latest installed via 'apt-get install mysql-server' after system
> build.
>
> OpenJVM - 11? - again, latest version installed via 'apt-get install
> default-jdk' at same time.
>
> Tomcat 8.5.39 - just updated the same day it came out.
>
> This system has been running in production since the early 2001's. OS
> has changed over the years from Sun Solaris 8.x to Solaris 10.x and now
> to Ubuntu 18.04 (server). Java has been updated over the years as well,
> as has Tomcat and MySQL. Through all that the system works quite perfectly.
>
> Except... there are occasional hangs that implicate the 'home grown'
> data connection pool. I wrote this by hand (in Java) back in 2001
> because there was nothing much available back then. Since it kept
> working, I didn't have the time/inclination to change over the years.
>
> But the latest connector (mysql-connector-java-8.0.15.jar, a.k.a.
> "com.mysql.cj.jdbc.Driver") is giving me some hiccups. I thought rather
> than trying to debug my own connection pool, it was time to switch over
> to a proper "modern" supported connection pooling system.
>
> Which brings me to my question.
>
> Would the community please weigh in on the BEST tutorials / documents
> regarding creating a Tomcat/MySQL database connection pool for Servlets
> (not JSP or beans) with some good code examples and server.xml examples?
>
> I've already done some extensive internet searches, but when you are
> doing something for the first time it's hard to tell the difference
> between "really really good" and "blogger who has not really tried it".
>
> Thanks very much in advance.
>
> -Richard

-- 
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett
Setting headers in tomcat 9
Hello,

I'm deploying an application on Tomcat 9 which a client has requested we conduct a vulnerability test on. The test came back with missing headers for the following: Content-Security-Policy, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy, Feature-Policy.

How can this be resolved/patched?

Kind regards
Olayemi