Error setting socket options

2022-12-06 Thread Gustavo Monti Rocha
Hello,

I'm using spring boot with eureka and openfeign to communicate between
services A and B.

When I send a request from A to B, I get:

2022-12-06 22:30:26.634 ERROR 6352 --- [o-8081-Acceptor] org.apache.tomcat.util.net.NioEndpoint   : Error setting socket options

java.net.SocketException: Invalid argument
at java.base/sun.nio.ch.Net.setIntOption0(Native Method) ~[na:na]
at java.base/sun.nio.ch.Net.setSocketOption(Net.java:455) ~[na:na]
at java.base/sun.nio.ch.Net.setSocketOption(Net.java:393) ~[na:na]
at java.base/sun.nio.ch.SocketChannelImpl.setOption(SocketChannelImpl.java:280) ~[na:na]
at java.base/sun.nio.ch.SocketAdaptor.setIntOption(SocketAdaptor.java:247) ~[na:na]
at java.base/sun.nio.ch.SocketAdaptor.setSoLinger(SocketAdaptor.java:285) ~[na:na]
at org.apache.tomcat.util.net.SocketProperties.setProperties(SocketProperties.java:219) ~[tomcat-embed-core-9.0.55.jar:9.0.55]
at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:495) ~[tomcat-embed-core-9.0.55.jar:9.0.55]
at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:78) ~[tomcat-embed-core-9.0.55.jar:9.0.55]
at org.apache.tomcat.util.net.Acceptor.run(Acceptor.java:149) ~[tomcat-embed-core-9.0.55.jar:9.0.55]
at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]

I'm using Spring boot 2.5.7 and Spring Cloud 2020.0.3.

java version "17.0.5" 2022-10-18 LTS
Java(TM) SE Runtime Environment (build 17.0.5+9-LTS-191)
Java HotSpot(TM) 64-Bit Server VM (build 17.0.5+9-LTS-191, mixed mode, sharing)


RE: Mod_JK vs Mod_Proxy

2022-12-06 Thread jonmcalexander
What, pray tell, is an encrypted AJP connection? Are you talking AJP over an 
SSH Tunnel (Stunnel)?

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, December 6, 2022 3:01 PM
> To: users@tomcat.apache.org
> Subject: Re: Mod_JK vs Mod_Proxy
> 
> Jon,
> 
> On 12/6/22 12:36, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > IMHO, switching to mod_proxy, and using it over SSL, is by far better than
> using mod_jk or mod_ajp, primarily as mod_proxy allows for secure proxy
> connection, whereas mod_jk and mod_ajp aren't "secure" as they are not
> encrypted channels.
> 
> While this is true (and supports my assertion that everyone should migrate),
> it doesn't preclude the use of encrypted AJP connections.
> 
> -chris


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Mod_JK vs Mod_Proxy

2022-12-06 Thread Christopher Schultz

Jon,

On 12/6/22 12:36, jonmcalexan...@wellsfargo.com.INVALID wrote:

> IMHO, switching to mod_proxy, and using it over SSL, is by far better than using mod_jk
> or mod_ajp, primarily as mod_proxy allows for secure proxy connection, whereas mod_jk and
> mod_ajp aren't "secure" as they are not encrypted channels.


While this is true (and supports my assertion that everyone should 
migrate), it doesn't preclude the use of encrypted AJP connections.


-chris




Re: Tomcat 9 and CVE-2022-42920 (bcel vulnerability)

2022-12-06 Thread Mark Thomas

On 06/12/2022 19:07, Jerry Lampi wrote:

> Hi all.  We use Tomcat 9.0.63 and are wondering if it's vulnerable to
> CVE-2022-42920?


Tomcat is not exposed to this vulnerability.

Mark




Tomcat 9 and CVE-2022-42920 (bcel vulnerability)

2022-12-06 Thread Jerry Lampi
Hi all.  We use Tomcat 9.0.63 and are wondering if it's vulnerable to 
CVE-2022-42920?
I don't see any bcel jar files, like bcel-6.0.jar, but when I scanned all jars 
for bcel, I found the following 22 classes with bcel in their package name in 
tomcat-coyote.jar:
org/apache/tomcat/util/bcel/Const.class
org/apache/tomcat/util/bcel/classfile/AnnotationElementValue.class
org/apache/tomcat/util/bcel/classfile/AnnotationEntry.class
org/apache/tomcat/util/bcel/classfile/Annotations.class
org/apache/tomcat/util/bcel/classfile/ArrayElementValue.class
org/apache/tomcat/util/bcel/classfile/ClassElementValue.class
org/apache/tomcat/util/bcel/classfile/ClassFormatException.class
org/apache/tomcat/util/bcel/classfile/ClassParser.class
org/apache/tomcat/util/bcel/classfile/Constant.class
org/apache/tomcat/util/bcel/classfile/ConstantClass.class
org/apache/tomcat/util/bcel/classfile/ConstantDouble.class
org/apache/tomcat/util/bcel/classfile/ConstantFloat.class
org/apache/tomcat/util/bcel/classfile/ConstantInteger.class
org/apache/tomcat/util/bcel/classfile/ConstantLong.class
org/apache/tomcat/util/bcel/classfile/ConstantPool.class
org/apache/tomcat/util/bcel/classfile/ConstantUtf8.class
org/apache/tomcat/util/bcel/classfile/ElementValue.class
org/apache/tomcat/util/bcel/classfile/ElementValuePair.class
org/apache/tomcat/util/bcel/classfile/EnumElementValue.class
org/apache/tomcat/util/bcel/classfile/JavaClass.class
org/apache/tomcat/util/bcel/classfile/SimpleElementValue.class
org/apache/tomcat/util/bcel/classfile/Utility.class

Are these classes implicated in CVE-2022-42920?  Does Tomcat 9 need to be 
updated?
Thank you in advance,
Jerry
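
Added example, not part of the original thread: a scanner that reproduces the jar inventory described in the message above and separates the stand-alone `org/apache/bcel/` package from copies repackaged under another root such as `org/apache/tomcat/util/bcel/`. The sample archives and the helper names are constructed for illustration; the result is an inventory only and does not by itself decide exposure to CVE-2022-42920.

```python
import io
import zipfile
from collections import defaultdict

UPSTREAM = "org/apache/bcel/"  # package root of the stand-alone BCEL jar
CLASS_ROOTS = ("WEB-INF/classes/", "BOOT-INF/classes/")  # class dirs inside wars / fat jars

def scan_archive(name, data):
    """Return sorted (archive, package root, kind, class count) rows for every
    package with a 'bcel' segment, recursing into nested jars and wars."""
    counts, rows = defaultdict(int), []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            if entry.endswith((".jar", ".war")):
                rows += scan_archive(f"{name}!/{entry}", zf.read(entry))
            elif entry.endswith(".class"):
                for root in CLASS_ROOTS:
                    if entry.startswith(root):
                        entry = entry[len(root):]
                pkg = entry.split("/")[:-1]
                if "bcel" in pkg:
                    counts["/".join(pkg[:pkg.index("bcel") + 1]) + "/"] += 1
    for root, n in counts.items():
        kind = "upstream package" if root == UPSTREAM else "repackaged copy"
        rows.append((name, root, kind, n))
    return sorted(rows)

def make_jar(entries):
    """Build an in-memory archive from {entry name: bytes} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()

# Constructed sample: empty class files, names from the listing above or invented.
COYOTE = make_jar({
    "org/apache/tomcat/util/bcel/Const.class": b"",
    "org/apache/tomcat/util/bcel/classfile/ClassParser.class": b"",
    "org/apache/coyote/Request.class": b"",
})
BCEL = make_jar({"org/apache/bcel/Const.class": b""})
APP_WAR = make_jar({"WEB-INF/lib/bcel-6.0.jar": BCEL,
                    "WEB-INF/classes/com/example/App.class": b""})

def scan_all(archives):
    """Scan {archive name: bytes} and return all rows sorted by archive path."""
    return sorted(r for name, data in archives.items() for r in scan_archive(name, data))

if __name__ == "__main__":
    for row in scan_all({"tomcat-coyote.jar": COYOTE, "app.war": APP_WAR}):
        print(*row, sep="\t")
```

To scan real files, pass `{path: open(path, "rb").read()}` for each jar or war to `scan_all`.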


RE: Mod_JK vs Mod_Proxy

2022-12-06 Thread jonmcalexander
IMHO, switching to mod_proxy, and using it over SSL, is by far better than 
using mod_jk or mod_ajp, primarily as mod_proxy allows for secure proxy 
connection, whereas mod_jk and mod_ajp aren't "secure" as they are not 
encrypted channels.

Again, just my .02 worth.


> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, December 6, 2022 11:21 AM
> To: Tomcat Users List; Mark H. Wood
> Subject: Re: Mod_JK vs Mod_Proxy
> 
> Mark,
> 
> On 12/6/22 08:48, Mark H. Wood wrote:
> > On Mon, Dec 05, 2022 at 03:37:59PM -0500, Christopher Schultz wrote:
> >> On 12/5/22 15:03, Cathy Spears wrote:
> >>> Using Tomcat 8.5 and 9.0 with 32-bit Apache 2.4 and mod_jk. Are
> >>> there benefits to using mod_proxy instead of mod_jk? Also, is there
> >>> a planned end of life for mod_jk or will it continue to be supported
> >>> for now?
> >> Hopefully this will be helpful:
> >>
> >>
> >> https://tomcat.apache.org/presentations.html#latest-migrate-ajp-http
> >
> > I read this as a question about mod_proxy_ajp vs. mod_jk.
> 
> I think I make the case that mod_proxy_ajp is a (slightly) better choice than
> mod_jk in that presentation.
> 
> > Happily using mod_proxy_ajp here for some years.  Both work well but I
> > very much prefer the way mod_proxy_ajp integrates with the proxy
> > configuration in HTTPD.
> 
> +1
> 
> And it doesn't require a custom-built add-on.
> 
> -chris



Re: Mod_JK vs Mod_Proxy

2022-12-06 Thread Christopher Schultz

Mark,

On 12/6/22 08:48, Mark H. Wood wrote:
> On Mon, Dec 05, 2022 at 03:37:59PM -0500, Christopher Schultz wrote:
> > On 12/5/22 15:03, Cathy Spears wrote:
> > > Using Tomcat 8.5 and 9.0 with 32-bit Apache 2.4 and mod_jk. Are there
> > > benefits to using mod_proxy instead of mod_jk? Also, is there a
> > > planned end of life for mod_jk or will it continue to be supported
> > > for now?
> > Hopefully this will be helpful:
> >
> > https://tomcat.apache.org/presentations.html#latest-migrate-ajp-http
>
> I read this as a question about mod_proxy_ajp vs. mod_jk.

I think I make the case that mod_proxy_ajp is a (slightly) better choice
than mod_jk in that presentation.

> Happily using mod_proxy_ajp here for some years.  Both work well but I
> very much prefer the way mod_proxy_ajp integrates with the proxy
> configuration in HTTPD.

+1

And it doesn't require a custom-built add-on.

-chris




Re: Mod_JK vs Mod_Proxy

2022-12-06 Thread Mark H. Wood
On Mon, Dec 05, 2022 at 03:37:59PM -0500, Christopher Schultz wrote:
> On 12/5/22 15:03, Cathy Spears wrote:
> > Using Tomcat 8.5 and 9.0 with 32-bit Apache 2.4 and mod_jk. Are there
> > benefits to using mod_proxy instead of mod_jk? Also, is there a
> > planned end of life for mod_jk or will it continue to be supported
> > for now?
> Hopefully this will be helpful:
> 
> https://tomcat.apache.org/presentations.html#latest-migrate-ajp-http

I read this as a question about mod_proxy_ajp vs. mod_jk.

Happily using mod_proxy_ajp here for some years.  Both work well but I
very much prefer the way mod_proxy_ajp integrates with the proxy
configuration in HTTPD.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu




Re: tomcat-embedded 9.x -> 10.1.x - how to set ssl honor cipher order option now

2022-12-06 Thread Torsten Krah
>  Now there is a single method. This should 
> do what you need:
> 
> SSLHostConfig[] sslHostConfigs = httpHandler.findSslHostConfigs();
> 
> for (SSLHostConfig sslHostConfig : sslHostConfigs) {
>  sslHostConfig.setHonorCipherOrder(true);
> }

That is even better now, thanks.

> 
> 
> Mark

Torsten




Re: tomcat-embedded 9.x -> 10.1.x - how to set ssl honor cipher order option now

2022-12-06 Thread Mark Thomas



On 06/12/2022 08:50, Torsten Krah wrote:

> Hi,
>
> using tomcat-embed 9.x I was able to customize my protocol handler like
> this:
>
> AbstractHttp11Protocol httpHandler = ((AbstractHttp11Protocol)
> connector.getProtocolHandler());
> httpHandler.setSSLHonorCipherOrder(true);
> httpHandler.setUseServerCipherSuitesOrder(true);
>
> Switched to 10.1.1 now and those 2 methods are gone and I am wondering
> where they are now and how to access them when coming from the
> connector.


Those two methods do the same thing. One was for JSSE based connectors, 
one for APR/Native (OpenSSL). Now there is a single method. This should 
do what you need:


SSLHostConfig[] sslHostConfigs = httpHandler.findSslHostConfigs();

for (SSLHostConfig sslHostConfig : sslHostConfigs) {
    sslHostConfig.setHonorCipherOrder(true);
}


Mark




tomcat-embedded 9.x -> 10.1.x - how to set ssl honor cipher order option now

2022-12-06 Thread Torsten Krah
Hi,

using tomcat-embed 9.x I was able to customize my protocol handler like
this:

AbstractHttp11Protocol httpHandler = ((AbstractHttp11Protocol) 
connector.getProtocolHandler());
httpHandler.setSSLHonorCipherOrder(true);
httpHandler.setUseServerCipherSuitesOrder(true);


Switched to 10.1.1 now and those 2 methods are gone and I am wondering
where they are now and how to access them when coming from the
connector.

Any help appreciated.

kind regards

Torsten
