Re: [OT] Oracle Java 11 discussion?

2018-10-17 Thread Johan Compagner
On Wed 17 Oct 2018 18:29, Berneburg, Cris J. - US <cberneb...@caci.com> wrote:

> RAMBLE: However, if I try to look at it from a point of view of a large
> bureaucracy, of which I am largely ignorant, I would not be surprised if
> there is a policy against dev kits and IDE's on production servers for
> security sake.  Tomcat (whisper: with built-in compiler) is approved, but
> is the JDK allowed?  Guess I can ask.  Yeah, it's potentially a
> "distinction without a difference".  Well, unless there are other tools in
> the JDK that can pose security risks in addition to the Java compiler.
>

Java 11 I guess will be picked up by the package managers in Linux (like yum).

And if you look at how they did it now with Java 8 based on OpenJDK, then you
have the option to install only the runtime or the development package (and a
lot of others; they split it up more).




Re: [OT] Oracle Java 11 discussion?

2018-10-17 Thread Igal Sapir
Cris,

On Wed, Oct 17, 2018 at 9:28 AM Berneburg, Cris J. - US wrote:

> Thanks Mark
>
> mt> The argument for a JRE vs a JDK is that the JDK includes
> mt> a compiler. The only reason Tomcat can run on a JRE and
> mt> still support JSPs (which require compilation) is that
> mt> Tomcat includes a Java compiler. I don't think the
> mt> security argument holds much water.
>
> I had not thought of that, and you're right (literally technically
> speaking).
>
> RAMBLE: However, if I try to look at it from a point of view of a large
> bureaucracy, of which I am largely ignorant, I would not be surprised if
> there is a policy against dev kits and IDE's on production servers for
> security sake.  Tomcat (whisper: with built-in compiler) is approved, but
> is the JDK allowed?  Guess I can ask.  Yeah, it's potentially a
> "distinction without a difference".  Well, unless there are other tools in
> the JDK that can pose security risks in addition to the Java compiler.
>

As Mark pointed out, Jasper compiles JSP into Java bytecode, and it has been
like that for years.  Every other popular web technology works in a similar
way, be it ASP.NET, PHP, NodeJS, etc., so I really don't think that that's
an issue.

There is only a security vulnerability if a bad actor can inject code, or
upload malicious source code that will be compiled by your application, but
again, that has been the case since the beginning so deploying over JDK
doesn't change that.

I'm sure that there is a way to build OpenJDK without the javac component,
or at least it can be achieved with minor changes if needed.

Igal

p.s. So happy to see that you finally moved from Tomcat 6 to 8.5.  Perhaps
you can share that experience in a separate thread and let others know if
you ran into any major problems during that process.




>
> mt> OpenJDK is very close to the Oracle JDK these days. I
> mt> regularly run Tomcat's unit tests with the latest OpenJDK
> mt> and have yet to find an issue that is OpenJDK specific.
> mt>
> mt> Tomcat runs happily (and is supported) on a JRE.
> mt>
> mt> If the JRE has passed the Java TCK then Tomcat should run
> mt> on it. I don't think there is an official Tomcat position
> mt> but my expectation is if a Tomcat bug (as opposed to a
> mt> Java bug) appears when running on any Java implementation
> mt> that has passed the TCK then the Tomcat team would treat
> mt> that as a Tomcat bug and fix it.
>
> All good to know.
>
> cjb> I am imagining spending all my time being taken up by
> cjb> Java upgrades with subsequent builds, regression testing,
> cjb> red tape, and deployments
>
> mt> I'd plan to stick to the LTS releases.
>
> Meh, not my call.  Whatever the Powers That Be decide for the production
> environment, I'll probably match that in dev.  If they decide LT$ is the
> way to go, using the JDK will cost nothing for my dev environment anyway.
> But if OpenJDK and frequent updates are selected ... phooey.
>
> --
> Cris Berneburg
> CACI Lead Software Engineer
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>


RE: [OT] Oracle Java 11 discussion?

2018-10-17 Thread Berneburg, Cris J. - US
Thanks Igal

mt> OpenJDK is very close to the Oracle JDK these days. I regularly run 
mt> Tomcat's unit tests with the latest OpenJDK and have yet to find an 
mt> issue that is OpenJDK specific.

is> I asked Gil Tene about this a couple of weeks ago.  Gil is a co-
is> founder of Azul Systems, an OpenJDK committer, and on the Executive
is> Committee of the JCP.  My understanding from him is that there is no
is> JDK development outside of the OpenJDK.  The Oracle developers that
is> work on the JDK commit directly to OpenJDK.  Oracle might add some
is> other things when they package their edition of the JDK for
is> distribution, but the JDK itself is the same one from OpenJDK.

Good to know.

is> The main problem with the rapid release cycle and six month support
is> is that due to late adoption, many of the bugs in a given Java
is> release are only discovered after more than six months of the release
is> date.  That means that the free support will end while bugs and
is> vulnerabilities are being discovered, forcing many organizations to
is> pay for support.

Or frequent Java installations.

RAMBLE: Too bad there can't be an Apache OpenJRE umbrella project, with 
specific Apache OpenJRE [version X] sub-projects, that maintain JRE [version 
X]'s indefinitely.  One source (Apache) for all the different JRE's for the 
Java community at large, rather than depending on a bunch of different 
companies.  The OpenJRE source code could pull from the OpenJDK repository.  A 
potential issue could be back-porting bug fixes from later versions into 
earlier ones when the source code base has shifted drastically, making merges 
difficult.

--
Cris Berneburg
CACI Lead Software Engineer



RE: [OT] Oracle Java 11 discussion?

2018-10-17 Thread Berneburg, Cris J. - US
Thanks Mark

mt> The argument for a JRE vs a JDK is that the JDK includes
mt> a compiler. The only reason Tomcat can run on a JRE and
mt> still support JSPs (which require compilation) is that
mt> Tomcat includes a Java compiler. I don't think the
mt> security argument holds much water.

I had not thought of that, and you're right (literally technically speaking).

RAMBLE: However, if I try to look at it from a point of view of a large 
bureaucracy, of which I am largely ignorant, I would not be surprised if there 
is a policy against dev kits and IDE's on production servers for security sake. 
 Tomcat (whisper: with built-in compiler) is approved, but is the JDK allowed?  
Guess I can ask.  Yeah, it's potentially a "distinction without a difference".  
Well, unless there are other tools in the JDK that can pose security risks in 
addition to the Java compiler.

mt> OpenJDK is very close to the Oracle JDK these days. I
mt> regularly run Tomcat's unit tests with the latest OpenJDK
mt> and have yet to find an issue that is OpenJDK specific.
mt>
mt> Tomcat runs happily (and is supported) on a JRE.
mt>
mt> If the JRE has passed the Java TCK then Tomcat should run
mt> on it. I don't think there is an official Tomcat position
mt> but my expectation is if a Tomcat bug (as opposed to a
mt> Java bug) appears when running on any Java implementation
mt> that has passed the TCK then the Tomcat team would treat
mt> that as a Tomcat bug and fix it.

All good to know.

cjb> I am imagining spending all my time being taken up by
cjb> Java upgrades with subsequent builds, regression testing,
cjb> red tape, and deployments

mt> I'd plan to stick to the LTS releases.

Meh, not my call.  Whatever the Powers That Be decide for the production 
environment, I'll probably match that in dev.  If they decide LT$ is the way to 
go, using the JDK will cost nothing for my dev environment anyway.  But if 
OpenJDK and frequent updates are selected ... phooey.

--
Cris Berneburg
CACI Lead Software Engineer





Re: OCSP stapling in tomcat 7 with APR

2018-10-17 Thread Mark Thomas
On 17/10/18 15:02, Усманов Азат Анварович wrote:
> Unfortunately, I still got the same issue with the slash
>  openssl ocsp -issuer /home/idis/authorities.crt  -cert 
> /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com/
> OCSP Request Data:
> Version: 1 (0x0)
> Requestor List:
> Certificate ID:
>   Hash Algorithm: sha1
>   Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
>   Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
>   Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
> Request Extensions:
> OCSP Nonce:
> 0410A42C073C3EA560D427D719BA3A8EC5FB
> Error querying OCSP responder
> 139868527687424:error:27076072:OCSP routines:parse_http_line1:server response 
> error:crypto/ocsp/ocsp_ht.c:260:Code=301

That is http so you could use Wireshark or similar to do a network trace
and see exactly what is going on there.

Mark


> From: Rainer Jung
> Sent: 17 October 2018 16:41:27
> To: Tomcat Users List; Усманов Азат Анварович
> Subject: Re: OCSP stapling in tomcat 7 with APR
> 
> Redirect when accessing http://ocsp.comodoca.com could simply be a
> trailing slash redirect (Location: http://ocsp.comodoca.com/). You
> better use http://ocsp.comodoca.com/ (note the slash at the end of the URL).
> 
> Regards,
> 
> Rainer
> 
> On 17.10.2018 at 15:09, Усманов Азат Анварович wrote:
>> SSLLabs  test still shows "OCSP stapling no" even with the latest version 
>> openssl
>>
>> I've tried to test it manually and got an error
>>
>>
>>   openssl ocsp -issuer /home/idis/authorities.crt -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com
>> OCSP Request Data:
>>  Version: 1 (0x0)
>>  Requestor List:
>>  Certificate ID:
>>Hash Algorithm: sha1
>>Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
>>Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
>>Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
>>  Request Extensions:
>>  OCSP Nonce:
>>  041002914B015477EC5C503D4FD630D616F3
>> Error querying OCSP responder
>> 140179572442880:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301
>>
>> Not sure what might be the problem?
>> 301 looks like an HTTP error, Moved Permanently, which is strange because
>> I tried to access http://ocsp.comodoca.com via wget
>>
>>   wget  http://ocsp.comodoca.com
>> --2018-10-17 16:03:12--  http://ocsp.comodoca.com/
>> Устанавливается соединение с 192.168.1.2:3128... соединение установлено.
>> Запрос Proxy послан, ожидается ответ... 200 OK
>> Длина: 5 [application/ocsp-response]
>> Saving to: «index.html.7»
>>
>> 100%[===>]
>>  5   --.-K/s   в 0s
>>
>> 2018-10-17 16:03:12 (488 KB/s) - «index.html.7» saved [5/5]
>>
>> [root] ~# less index.html.7
>> 0^C
>> ^A^A
>> index.html.7 (END)
>> any ideas what might be the problem?
>>
>>
>> 
>> From: Усманов Азат Анварович
>> Sent: 15 October 2018 18:20:14
>> To: users@tomcat.apache.org
>> Subject: Re: OCSP stapling in tomcat 7 with APR
>>
>> how do I make sure ocsp is enabled on tomcat native
>>
>> when I try to pass --enable-ocsp to tomcat native configure i get 
>> unrecognized option warning
>>
>>
>>./configure  --with-apr=/usr/local/apr 
>> --with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl 
>> --enable-ocsp
>> configure: WARNING: unrecognized options: --enable-ocsp
>> checking build system type... x86_64-pc-linux-gnu
>> checking host system type... x86_64-pc-linux-gnu
>> checking target system type... x86_64-pc-linux-gnu
>> checking for a BSD-compatible install... /usr/bin/install -c
>> checking for working mkdir -p... yes
>> Tomcat Native Version: 1.2.17
>> checking for chosen layout... tcnative
>> checking for APR... yes
>> configure: APR 1.6.5 detected.
>>setting CC to "gcc"
>>setting CPP to "gcc -E"
>>setting LIBTOOL to "/usr/local/apr/build-1/libtool"
>> checking JAVA_HOME... /usr/java/jdk1.7.0_79
>>adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
>> checking for JDK os include directory...  linux
>>adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
>> checking for gcc... gcc
>> checking whether the C compiler works... yes
>> checking for C compiler default output file name... a.out
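
As an added illustration of the tracing Mark suggests above (this is not code from the thread, from Tomcat or from OpenSSL), the following Python script decodes offline the two artefacts already in the discussion: the 5-byte body wget saved, which is the DER of an OCSPResponse whose responseStatus is malformedRequest(1), i.e. the responder answered but rejected the empty GET as a request, and a raw HTTP/1.1 reply such as the 301 that `openssl ocsp` reports only as `Code=301`, surfacing the Location header instead. The sample HTTP responses in it are constructed, and the Location value is an assumption.

```python
"""Added example, not code from this thread, Tomcat or OpenSSL: decode the two
artefacts in the OCSP discussion offline.  The sample HTTP responses are
constructed; the Location value is an assumption about what the 301 carried."""
from typing import Dict, Tuple

# RFC 6960 section 4.2.1: OCSPResponseStatus ::= ENUMERATED { ... }
OCSP_RESPONSE_STATUS = {
    0: "successful",
    1: "malformedRequest",
    2: "internalError",
    3: "tryLater",
    5: "sigRequired",
    6: "unauthorized",
}


def ocsp_response_status(der: bytes) -> str:
    """Return the responseStatus name of a DER-encoded OCSPResponse.

    OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] OPTIONAL }
    Only the outer SEQUENCE header and the ENUMERATED are decoded; the optional
    responseBytes (the signed BasicOCSPResponse) is not needed for the status.
    """
    if len(der) < 5 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    offset = 2
    if der[1] & 0x80:            # long-form length: skip the length-of-length bytes
        offset += der[1] & 0x7F
    if len(der) < offset + 3 or der[offset] != 0x0A or der[offset + 1] != 1:
        raise ValueError("responseStatus is not a one-byte ENUMERATED")
    code = der[offset + 2]
    return OCSP_RESPONSE_STATUS.get(code, f"unknown({code})")


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    lines = head.split(b"\r\n")
    version, _, rest = lines[0].partition(b" ")
    if not version.startswith(b"HTTP/1."):
        raise ValueError("not an HTTP/1.x status line")
    status = int(rest.split(b" ", 1)[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return status, headers, body


def classify_ocsp_http(raw: bytes) -> str:
    """Say what an OCSP-over-HTTP client should make of a server response.

    'openssl ocsp' (crypto/ocsp/ocsp_ht.c) accepts only a 200 and reports anything
    else as 'server response error ... Code=NNN', so a redirect's Location and a
    200 body's responseStatus are exactly the details a trace has to recover.
    """
    status, headers, body = parse_http_response(raw)
    if status in (301, 302, 307, 308):
        return f"redirect {status} to {headers.get('location', '<no Location header>')}"
    if status != 200:
        return f"HTTP {status}: not an OCSP response"
    ctype = headers.get("content-type", "")
    if ctype != "application/ocsp-response":
        return f"HTTP 200 but Content-Type is {ctype!r}"
    return f"OCSP responseStatus={ocsp_response_status(body)}"


# Constructed sample of the reply 'openssl ocsp' hit: status 301 as in the error
# above; the Location is an assumption (Rainer's trailing-slash guess).
SAMPLE_REDIRECT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://ocsp.comodoca.com/\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed sample of what wget saved: 'less' showed 0^C, a newline, ^A^A,
# which is the byte sequence 30 03 0A 01 01 of the 5-byte application/ocsp-response.
SAMPLE_OK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/ocsp-response\r\n"
    b"Content-Length: 5\r\n\r\n"
    b"\x30\x03\x0a\x01\x01"
)

if __name__ == "__main__":
    print(classify_ocsp_http(SAMPLE_REDIRECT))   # redirect 301 to http://ocsp.comodoca.com/
    print(classify_ocsp_http(SAMPLE_OK))         # OCSP responseStatus=malformedRequest
```

Feeding the script the bytes of a real capture (the body a proxy or responder actually returned) tells you in one line whether you are looking at a redirect, a non-OCSP reply, or a responder that answered and what it said.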

Re: OCSP stapling in tomcat 7 with APR

2018-10-17 Thread Усманов Азат Анварович
Unfortunately, I still got the same issue with the slash
 openssl ocsp -issuer /home/idis/authorities.crt  -cert 
/home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com/
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
  Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
  Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
Request Extensions:
OCSP Nonce:
0410A42C073C3EA560D427D719BA3A8EC5FB
Error querying OCSP responder
139868527687424:error:27076072:OCSP routines:parse_http_line1:server response 
error:crypto/ocsp/ocsp_ht.c:260:Code=301




From: Rainer Jung
Sent: 17 October 2018 16:41:27
To: Tomcat Users List; Усманов Азат Анварович
Subject: Re: OCSP stapling in tomcat 7 with APR

Redirect when accessing http://ocsp.comodoca.com could simply be a
trailing slash redirect (Location: http://ocsp.comodoca.com/). You
better use http://ocsp.comodoca.com/ (note the slash at the end of the URL).

Regards,

Rainer

On 17.10.2018 at 15:09, Усманов Азат Анварович wrote:
> SSLLabs  test still shows "OCSP stapling no" even with the latest version 
> openssl
>
> I've tried to test it manually and got an error
>
>
>   openssl ocsp -issuer /home/idis/authorities.crt -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com
> OCSP Request Data:
>  Version: 1 (0x0)
>  Requestor List:
>  Certificate ID:
>Hash Algorithm: sha1
>Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
>Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
>Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
>  Request Extensions:
>  OCSP Nonce:
>  041002914B015477EC5C503D4FD630D616F3
> Error querying OCSP responder
> 140179572442880:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301
>
> Not sure what might be the problem?
> 301 looks like an HTTP error, Moved Permanently, which is strange because
> I tried to access http://ocsp.comodoca.com via wget
>
>   wget  http://ocsp.comodoca.com
> --2018-10-17 16:03:12--  http://ocsp.comodoca.com/
> Устанавливается соединение с 192.168.1.2:3128... соединение установлено.
> Запрос Proxy послан, ожидается ответ... 200 OK
> Длина: 5 [application/ocsp-response]
> Saving to: «index.html.7»
>
> 100%[===>]
>  5   --.-K/s   в 0s
>
> 2018-10-17 16:03:12 (488 KB/s) - «index.html.7» saved [5/5]
>
> [root] ~# less index.html.7
> 0^C
> ^A^A
> index.html.7 (END)
> any ideas what might be the problem?
>
>
> 
> From: Усманов Азат Анварович
> Sent: 15 October 2018 18:20:14
> To: users@tomcat.apache.org
> Subject: Re: OCSP stapling in tomcat 7 with APR
>
> how do I make sure ocsp is enabled on tomcat native
>
> when I try to pass --enable-ocsp to tomcat native configure i get 
> unrecognized option warning
>
>
>./configure  --with-apr=/usr/local/apr 
> --with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl 
> --enable-ocsp
> configure: WARNING: unrecognized options: --enable-ocsp
> checking build system type... x86_64-pc-linux-gnu
> checking host system type... x86_64-pc-linux-gnu
> checking target system type... x86_64-pc-linux-gnu
> checking for a BSD-compatible install... /usr/bin/install -c
> checking for working mkdir -p... yes
> Tomcat Native Version: 1.2.17
> checking for chosen layout... tcnative
> checking for APR... yes
> configure: APR 1.6.5 detected.
>setting CC to "gcc"
>setting CPP to "gcc -E"
>setting LIBTOOL to "/usr/local/apr/build-1/libtool"
> checking JAVA_HOME... /usr/java/jdk1.7.0_79
>adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
> checking for JDK os include directory...  linux
>adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
> checking for gcc... gcc
> checking whether the C compiler works... yes
> checking for C compiler default output file name... a.out
> checking for suffix of executables...
> checking whether we are cross compiling... no
> checking for suffix of object files... o
> checking whether we are using the GNU C compiler... yes
> checking whether gcc accepts -g... yes
> checking for gcc option to accept ISO C89... none needed
> checking for OpenSSL library... 

Re: OCSP stapling in tomcat 7 with APR

2018-10-17 Thread Rainer Jung
Redirect when accessing http://ocsp.comodoca.com could simply be a 
trailing slash redirect (Location: http://ocsp.comodoca.com/). You 
better use http://ocsp.comodoca.com/ (note the slash at the end of the URL).


Regards,

Rainer

On 17.10.2018 at 15:09, Усманов Азат Анварович wrote:

SSLLabs  test still shows "OCSP stapling no" even with the latest version 
openssl

I've tried to test it manually and got an error


  openssl ocsp -issuer /home/idis/authorities.crt -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com
OCSP Request Data:
 Version: 1 (0x0)
 Requestor List:
 Certificate ID:
   Hash Algorithm: sha1
   Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
   Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
   Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
 Request Extensions:
 OCSP Nonce:
 041002914B015477EC5C503D4FD630D616F3
Error querying OCSP responder
140179572442880:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301

Not sure what might be the problem?
301 looks like an HTTP error, Moved Permanently, which is strange because
I tried to access http://ocsp.comodoca.com via wget

  wget  http://ocsp.comodoca.com
--2018-10-17 16:03:12--  http://ocsp.comodoca.com/
Устанавливается соединение с 192.168.1.2:3128... соединение установлено.
Запрос Proxy послан, ожидается ответ... 200 OK
Длина: 5 [application/ocsp-response]
Saving to: «index.html.7»

100%[===>]
 5   --.-K/s   в 0s

2018-10-17 16:03:12 (488 KB/s) - «index.html.7» saved [5/5]

[root] ~# less index.html.7
0^C
^A^A
index.html.7 (END)
any ideas what might be the problem?



From: Усманов Азат Анварович
Sent: 15 October 2018 18:20:14
To: users@tomcat.apache.org
Subject: Re: OCSP stapling in tomcat 7 with APR

how do I make sure ocsp is enabled on tomcat native

when I try to pass --enable-ocsp to tomcat native configure i get unrecognized 
option warning


   ./configure  --with-apr=/usr/local/apr 
--with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl 
--enable-ocsp
configure: WARNING: unrecognized options: --enable-ocsp
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking target system type... x86_64-pc-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking for working mkdir -p... yes
Tomcat Native Version: 1.2.17
checking for chosen layout... tcnative
checking for APR... yes
configure: APR 1.6.5 detected.
   setting CC to "gcc"
   setting CPP to "gcc -E"
   setting LIBTOOL to "/usr/local/apr/build-1/libtool"
checking JAVA_HOME... /usr/java/jdk1.7.0_79
   adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
checking for JDK os include directory...  linux
   adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for OpenSSL library... using openssl from 
/usr/local/openssl/${exec_prefix}/lib and /usr/local/openssl/include
checking OpenSSL library version >= 1.0.2... ok
checking for OpenSSL DSA support... yes
   adding "-I/usr/local/openssl/include" to TCNATIVE_PRIV_INCLUDES
   setting TCNATIVE_LDFLAGS to "-L/usr/local/openssl/lib 
-Wl,-rpath,/usr/local/openssl/lib -lssl -lcrypto"
   adding "-DHAVE_OPENSSL" to CFLAGS
   setting TCNATIVE_LIBS to ""
   setting TCNATIVE_LIBS to " /usr/local/apr/lib/libapr-1.la -lrt -lcrypt  
-lpthread"
checking for apr_pollset_wakeup in -lapr-1... yes
   adding "-DHAVE_POLLSET_WAKEUP" to CFLAGS
configure: creating ./config.status
config.status: creating tcnative.pc
config.status: creating Makefile
config.status: executing default commands
configure: WARNING: unrecognized options: --enable-ocsp




From: Mark Thomas
Sent: 15 October 2018 15:01:58
To: users@tomcat.apache.org
Subject: Re: OCSP stapling in tomcat 7 with APR

On 14/10/18 18:45, Усманов Азат Анварович wrote:

Hello everyone! I have a java 7 web app running on tomcat 7 with 

Re: OCSP stapling in tomcat 7 with APR

2018-10-17 Thread Усманов Азат Анварович
SSLLabs  test still shows "OCSP stapling no" even with the latest version 
openssl

I've tried to test it manually and got an error


 openssl ocsp -issuer /home/idis/authorities.crt -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
  Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
  Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
Request Extensions:
OCSP Nonce:
041002914B015477EC5C503D4FD630D616F3
Error querying OCSP responder
140179572442880:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301

Not sure what might be the problem?
301 looks like an HTTP error, Moved Permanently, which is strange because
I tried to access http://ocsp.comodoca.com via wget

 wget  http://ocsp.comodoca.com
--2018-10-17 16:03:12--  http://ocsp.comodoca.com/
Устанавливается соединение с 192.168.1.2:3128... соединение установлено.
Запрос Proxy послан, ожидается ответ... 200 OK
Длина: 5 [application/ocsp-response]
Saving to: «index.html.7»

100%[===>]
 5   --.-K/s   в 0s

2018-10-17 16:03:12 (488 KB/s) - «index.html.7» saved [5/5]

[root] ~# less index.html.7
0^C
^A^A
index.html.7 (END)
any ideas what might be the problem?



From: Усманов Азат Анварович
Sent: 15 October 2018 18:20:14
To: users@tomcat.apache.org
Subject: Re: OCSP stapling in tomcat 7 with APR

how do I make sure ocsp is enabled on tomcat native

when I try to pass --enable-ocsp to tomcat native configure i get unrecognized 
option warning


  ./configure  --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79 
-with-ssl=/usr/local/openssl --enable-ocsp
configure: WARNING: unrecognized options: --enable-ocsp
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking target system type... x86_64-pc-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking for working mkdir -p... yes
Tomcat Native Version: 1.2.17
checking for chosen layout... tcnative
checking for APR... yes
configure: APR 1.6.5 detected.
  setting CC to "gcc"
  setting CPP to "gcc -E"
  setting LIBTOOL to "/usr/local/apr/build-1/libtool"
checking JAVA_HOME... /usr/java/jdk1.7.0_79
  adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
checking for JDK os include directory...  linux
  adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for OpenSSL library... using openssl from 
/usr/local/openssl/${exec_prefix}/lib and /usr/local/openssl/include
checking OpenSSL library version >= 1.0.2... ok
checking for OpenSSL DSA support... yes
  adding "-I/usr/local/openssl/include" to TCNATIVE_PRIV_INCLUDES
  setting TCNATIVE_LDFLAGS to "-L/usr/local/openssl/lib 
-Wl,-rpath,/usr/local/openssl/lib -lssl -lcrypto"
  adding "-DHAVE_OPENSSL" to CFLAGS
  setting TCNATIVE_LIBS to ""
  setting TCNATIVE_LIBS to " /usr/local/apr/lib/libapr-1.la -lrt -lcrypt  
-lpthread"
checking for apr_pollset_wakeup in -lapr-1... yes
  adding "-DHAVE_POLLSET_WAKEUP" to CFLAGS
configure: creating ./config.status
config.status: creating tcnative.pc
config.status: creating Makefile
config.status: executing default commands
configure: WARNING: unrecognized options: --enable-ocsp




From: Mark Thomas
Sent: 15 October 2018 15:01:58
To: users@tomcat.apache.org
Subject: Re: OCSP stapling in tomcat 7 with APR

On 14/10/18 18:45, Усманов Азат Анварович wrote:
> Hello everyone! I have a java 7 web app running on tomcat 7 with 
> APR/tomcat-native ON Linux .(OpenSSL 1.1.1) I would like to enable OCSP 
> stapling on tomcat
> so that
> When OCSP is enabled, a server will pre-fetch the OCSP response for its own 
> certificate and deliver the response to the user's browser during the TLS 
> handshake. This eliminates the need to make a 

Re: RSS Feed for Markmail

2018-10-17 Thread Konstantin Kolinko
Archives of the mailing list can be downloaded as mbox files.

http://mail-archives.apache.org/mod_mbox/tomcat-users/201810.mbox
201809, 201808 etc.

Wed, 17 Oct 2018 at 15:53, Robert Shipway:
>
> Thank you for your help.   All fixed now.
>
> I recreated from scratch the RSS feed within the browser of Outlook 2016 and 
> it is now working again, but unfortunately have lost the history of the last 
> 6 months of e-mails.
>
> -Original Message-
> From: Robert Shipway
> Sent: 17 October 2018 12:32
> To: Tomcat Users List 
> Subject: RE: RSS Feed for Markmail
>
> Unfortunately, I am not allowed to be sending e-mails that are not HTML 
> e-mails from the company I work for and even if I try to send a non HTML 
> e-mail, our company firewall changes it to be an HTML e-mail.
>
> The error being received is
>
> 'Task 'RSS Feeds' reported error (0x800c0019): 'Unknown Error 0x800c0019'
> 'Task 'RSS Feeds' reported error (0x80070026): 'Synchronization to RSS Feed: 
> 'https://tomcat,markmail.org/atom/+list:org.apache.tomcat.users' has failed.'
>
> -Original Message-
> From: Robert Shipway 
> Sent: 17 October 2018 12:18
> To: Tomcat Users List 
> Subject: RE: RSS Feed for Markmail
>
> That is what I have been trying to do the last three days, with no response!!
>
> -Original Message-
> From: Konstantin Kolinko 
> Sent: 17 October 2018 12:15
> To: Tomcat Users List 
> Subject: Re: RSS Feed for Markmail
>
> Wed, 17 Oct 2018 at 14:09, Robert Shipway:
> >
> > Hello,
> >
> > For the last 6 months, I have been getting the e-mails for Markmail on RSS 
> > feed but last Thursday that seem to stop for some reason and I get the 
> > following error:
> >
> > What is the best way to resolve this issue please?
>
> 1. Read the rules. You should not post HTML emails to this list and you 
> should not use attachments.
>
> http://tomcat.apache.org/lists.html#tomcat-users
>
> Your image has been filtered. Thus nobody knows what your error was.
>
> 2. Ask the owners of markmail.org site.
>
> https://markmail.org/docs/faq.xqy
>
> Best regards,
> Konstantin Kolinko
>



RE: RSS Feed for Markmail

2018-10-17 Thread Robert Shipway
Thank you for your help.   All fixed now.   

I recreated from scratch the RSS feed within the browser of Outlook 2016 and it 
is now working again, but unfortunately have lost the history of the last 6 
months of e-mails.

-Original Message-
From: Robert Shipway 
Sent: 17 October 2018 12:32
To: Tomcat Users List 
Subject: RE: RSS Feed for Markmail

Unfortunately, I am not allowed to be sending e-mails that are not HTML e-mails 
from the company I work for and even if I try to send a non HTML e-mail, our 
company firewall changes it to be an HTML e-mail.

The error being received is 

'Task 'RSS Feeds' reported error (0x800c0019): 'Unknown Error 0x800c0019'
'Task 'RSS Feeds' reported error (0x80070026): 'Synchronization to RSS Feed: 
'https://tomcat,markmail.org/atom/+list:org.apache.tomcat.users' has failed.'   

-Original Message-
From: Robert Shipway  
Sent: 17 October 2018 12:18
To: Tomcat Users List 
Subject: RE: RSS Feed for Markmail

That is what I have been trying to do the last three days, with no response!!  

-Original Message-
From: Konstantin Kolinko  
Sent: 17 October 2018 12:15
To: Tomcat Users List 
Subject: Re: RSS Feed for Markmail

Wed, 17 Oct 2018 at 14:09, Robert Shipway:
>
> Hello,
>
> For the last 6 months, I have been getting the e-mails for Markmail on RSS 
> feed but last Thursday that seem to stop for some reason and I get the 
> following error:
>
> What is the best way to resolve this issue please?

1. Read the rules. You should not post HTML emails to this list and you should 
not use attachments.

http://tomcat.apache.org/lists.html#tomcat-users

Your image has been filtered. Thus nobody knows what your error was.

2. Ask the owners of markmail.org site.

https://markmail.org/docs/faq.xqy

Best regards,
Konstantin Kolinko





Re: RSS Feed for Markmail

2018-10-17 Thread Konstantin Kolinko
Wed, 17 Oct 2018 at 14:37, Konstantin Kolinko:
>
> Wed, 17 Oct 2018 at 14:31, Robert Shipway:
> >
> > Unfortunately, I am not allowed to be sending e-mails that are not HTML 
> > e-mails from the company I work for and even if I try to send a non HTML 
> > e-mail, our company firewall changes it to be an HTML e-mail.
> >
> > The error being received is
> >
> > 'Task 'RSS Feeds' reported error (0x800c0019): 'Unknown Error 0x800c0019'
> > 'Task 'RSS Feeds' reported error (0x80070026): 'Synchronization to RSS 
> > Feed: 'https://tomcat,markmail.org/atom/+list:org.apache.tomcat.users' has 
> > failed.'
>
> I am able to access the above URL as well as [2] with a web browser.
> It displays correctly.
>
> [2] https://tomcat.markmail.org/atom/+list:org%2Eapache%2Etomcat%2Eusers
>
> Maybe your RSS Client has trouble establishing an HTTPS connection to that 
> site?

Your URL starts with "tomcat,"  with comma, instead of "tomcat."
Clicking it in browser redirected me to
[1] https://markmail.org/atom/+list:org.apache.tomcat.users


Best regards,
Konstantin Kolinko




Re: RSS Feed for Markmail

2018-10-17 Thread Konstantin Kolinko
Wed, 17 Oct 2018 at 14:31, Robert Shipway:
>
> Unfortunately, I am not allowed to be sending e-mails that are not HTML 
> e-mails from the company I work for and even if I try to send a non HTML 
> e-mail, our company firewall changes it to be an HTML e-mail.
>
> The error being received is
>
> 'Task 'RSS Feeds' reported error (0x800c0019): 'Unknown Error 0x800c0019'
> 'Task 'RSS Feeds' reported error (0x80070026): 'Synchronization to RSS Feed: 
> 'https://tomcat,markmail.org/atom/+list:org.apache.tomcat.users' has failed.'

I am able to access the above URL as well as [2] with a web browser.
It displays correctly.

[2] https://tomcat.markmail.org/atom/+list:org%2Eapache%2Etomcat%2Eusers

Maybe your RSS Client has trouble establishing an HTTPS connection to that site?

Best regards,
Konstantin Kolinko




RE: RSS Feed for Markmail

2018-10-17 Thread Robert Shipway
Unfortunately, I am not allowed to send e-mails that are not HTML e-mails
from the company I work for, and even if I try to send a non-HTML e-mail, our
company firewall changes it to an HTML e-mail.

The error being received is 

'Task 'RSS Feeds' reported error (0x800c0019): 'Unknown Error 0x800c0019'
'Task 'RSS Feeds' reported error (0x80070026): 'Synchronization to RSS Feed: 
'https://tomcat,markmail.org/atom/+list:org.apache.tomcat.users' has failed.'   

-Original Message-
From: Robert Shipway  
Sent: 17 October 2018 12:18
To: Tomcat Users List 
Subject: RE: RSS Feed for Markmail

That is what I have been trying to do the last three days, with no response!!  

-Original Message-
From: Konstantin Kolinko  
Sent: 17 October 2018 12:15
To: Tomcat Users List 
Subject: Re: RSS Feed for Markmail

Wed, 17 Oct 2018 at 14:09, Robert Shipway :
>
> Hello,
>
> For the last 6 months, I have been getting the e-mails for Markmail on an RSS
> feed, but last Thursday that seemed to stop for some reason and I get the
> following error:
>
> What is the best way to resolve this issue please?

1. Read the rules. You should not post HTML emails to this list and you should 
not use attachments.

http://tomcat.apache.org/lists.html#tomcat-users

Your image has been filtered. Thus nobody knows what your error was.

2. Ask the owners of markmail.org site.

https://markmail.org/docs/faq.xqy

Best regards,
Konstantin Kolinko









RE: RSS Feed for Markmail

2018-10-17 Thread Robert Shipway
That is what I have been trying to do the last three days, with no response!!  

-Original Message-
From: Konstantin Kolinko  
Sent: 17 October 2018 12:15
To: Tomcat Users List 
Subject: Re: RSS Feed for Markmail

Wed, 17 Oct 2018 at 14:09, Robert Shipway :
>
> Hello,
>
> For the last 6 months, I have been getting the e-mails for Markmail on an RSS
> feed, but last Thursday that seemed to stop for some reason and I get the
> following error:
>
> What is the best way to resolve this issue please?

1. Read the rules. You should not post HTML emails to this list and you should 
not use attachments.

http://tomcat.apache.org/lists.html#tomcat-users

Your image has been filtered. Thus nobody knows what your error was.

2. Ask the owners of markmail.org site.

https://markmail.org/docs/faq.xqy

Best regards,
Konstantin Kolinko






Re: RSS Feed for Markmail

2018-10-17 Thread Konstantin Kolinko
Wed, 17 Oct 2018 at 14:09, Robert Shipway :
>
> Hello,
>
> For the last 6 months, I have been getting the e-mails for Markmail on an RSS
> feed, but last Thursday that seemed to stop for some reason and I get the
> following error:
>
> What is the best way to resolve this issue please?

1. Read the rules. You should not post HTML emails to this list and
you should not use attachments.

http://tomcat.apache.org/lists.html#tomcat-users

Your image has been filtered. Thus nobody knows what your error was.

2. Ask the owners of markmail.org site.

https://markmail.org/docs/faq.xqy

Best regards,
Konstantin Kolinko




RE: RSS Feed for Markmail

2018-10-17 Thread Robert Shipway


From: Robert Shipway 
Sent: 17 October 2018 12:09
To: users@tomcat.apache.org
Subject: RSS Feed for Markmail

Hello,

For the last 6 months, I have been getting the e-mails for Markmail on an RSS feed,
but last Thursday that seemed to stop for some reason and I get the following
error:

[cid:image001.png@01D46612.2EFCF040]

What is the best way to resolve this issue please?

Regards
Rob Shipway | Technical Compliance Analyst
___
Panserve | Tel. +44 1273 964784 | Mobile.
| robert.ship...@panserve.co | 
www.panserve.co

This message (and any associated files) is intended only for the use of the 
individual or entity to which it is addressed and may contain information that 
is confidential, subject to copyright or constitutes a trade secret. If you are 
not the intended recipient you are hereby notified that any dissemination, 
copying or distribution of this message, or files associated with this message, 
is strictly prohibited. If you have received this message in error, please 
notify us immediately by replying to the message and deleting it from your 
computer. Messages sent to and from us may be monitored.

Internet communications cannot be guaranteed to be secure or error-free as 
information could be intercepted, corrupted, lost, destroyed, arrive late or 
incomplete, or contain viruses. Therefore, we do not accept responsibility for 
any errors or omissions that are present in this message, or any attachment, 
that have arisen as a result of e-mail transmission. If verification is 
required, please request a hard-copy version. Any views or opinions presented 
are solely those of the author and do not necessarily represent those of the 
company.




RSS Feed for Markmail

2018-10-17 Thread Robert Shipway
Hello,

For the last 6 months, I have been getting the e-mails for Markmail on an RSS feed,
but last Thursday that seemed to stop for some reason and I get the following
error:

[cid:image001.png@01D46612.2EFCF040]

What is the best way to resolve this issue please?

Regards
Rob Shipway | Technical Compliance Analyst




FW: Issue while configuring keystore/SSL for Tomcat 8.5.33

2018-10-17 Thread Sashidharan Ramamurthy
Hi Tomcat user group,

We have installed and deployed Tomcat Version: 8.5.33 in our machine.

Software: AIX

We configured SSL on port 8443, using the command below to create the keystore.

$JAVA_HOME/bin/keytool -genkey -alias iscpkey -keystore $outputfile \
  -keyalg RSA -dname "CN=${site}, OU=Network Solutions, O=ISCP, L=Piscataway, C=US" \
  -storepass "changeit" -keypass "changeit" -validity 1

Though port 8443 has started, we are unable to connect from an SSL client. We
are getting an SSLException in our client.

We enabled java.net.debug with SSL logs.

Client Hello and Server Hello are done, but the SSL handshake fails soon afterwards
with internal_error.

*** ServerHelloDone
https-jsse-nio-8443-exec-4, WRITE: TLSv1 Handshake, length = 1736
https-jsse-nio-8443-exec-5, READ: TLSv1 Alert, length = 2
https-jsse-nio-8443-exec-5, RECV TLSv1 ALERT:  fatal, internal_error
https-jsse-nio-8443-exec-5, fatal: engine already closed.  Rethrowing 
javax.net.ssl.SSLException: Received fatal alert: internal_error
https-jsse-nio-8443-exec-5, fatal: engine already closed.  Rethrowing 
javax.net.ssl.SSLException: Received fatal alert: internal_error
https-jsse-nio-8443-exec-5, called closeOutbound()
https-jsse-nio-8443-exec-5, closeOutboundInternal()
https-jsse-nio-8443-exec-5, SEND TLSv1 ALERT:  warning, description = 
close_notify
https-jsse-nio-8443-exec-5, WRITE: TLSv1 Alert, length = 2

We are unable to proceed further.

Can you let me know what could be the reason?

Also, if this is not the correct Tomcat group, can you point me to the correct
group?

Thanks and Regards,
Sashi
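The handshake log in the post stops right after ServerHelloDone, when the client answers with a fatal internal_error alert. Before touching connector settings, a practitioner would first confirm offline that the keystore entry the connector points at is actually usable: that the alias exists, that it is a private-key entry rather than a trusted-certificate entry, that the store and key passwords open it, and that the certificate is inside its validity window (the keytool line above was run with -validity 1, so the generated certificate expires one day after creation). The Java program below is an added example and is not code from the thread, from Tomcat or from the JDK's own tooling; the keystore path is an assumption, and the alias and password default to the values used in the keytool command.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

/** Offline sanity check of a Tomcat keystore entry before wiring it into a connector. */
public class KeystoreCheck {

    /**
     * Loads the keystore and verifies that the alias is a usable, currently valid
     * private-key entry. Returns a one-line verdict instead of throwing for the
     * expected failure modes, so the caller can print or log it directly.
     */
    public static String check(String path, String alias, char[] storePass, char[] keyPass)
            throws Exception {
        // Default type is "jks" on Java 8 and "pkcs12" on Java 9+; the latter can
        // also read JKS files, so a keytool -genkey store loads either way.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);               // wrong -storepass -> IOException
        }
        if (!ks.containsAlias(alias)) {
            return "FAIL: alias '" + alias + "' not found; aliases present: "
                    + Collections.list(ks.aliases());
        }
        if (!ks.isKeyEntry(alias)) {
            return "FAIL: alias '" + alias + "' is a trusted-cert entry, not a private-key entry";
        }
        Key key = ks.getKey(alias, keyPass);      // wrong -keypass -> UnrecoverableKeyException
        if (!(key instanceof PrivateKey)) {
            return "FAIL: alias '" + alias + "' does not hold a private key";
        }
        Certificate cert = ks.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) {
            return "FAIL: certificate for '" + alias + "' is not X.509";
        }
        X509Certificate x509 = (X509Certificate) cert;
        try {
            x509.checkValidity(new Date());
        } catch (CertificateExpiredException e) {
            return "FAIL: certificate expired on " + x509.getNotAfter()
                    + " (check the -validity used when it was generated)";
        } catch (CertificateNotYetValidException e) {
            return "FAIL: certificate not valid before " + x509.getNotBefore();
        }
        return "OK: " + x509.getSubjectX500Principal().getName()
                + ", key=" + key.getAlgorithm()
                + ", valid " + x509.getNotBefore() + " .. " + x509.getNotAfter();
    }

    public static void main(String[] args) throws Exception {
        // Defaults mirror the keytool command from the post; the path is an assumption.
        String path  = args.length > 0 ? args[0] : "/path/to/keystore.jks";
        String alias = args.length > 1 ? args[1] : "iscpkey";
        char[] pass  = (args.length > 2 ? args[2] : "changeit").toCharArray();
        System.out.println(check(path, alias, pass, pass));
    }
}
```

Run it with the same keystore path, alias and passwords that the connector in server.xml uses (java KeystoreCheck /path/to/keystore.jks iscpkey changeit). A FAIL line points at a keystore problem to fix before reading the JSSE debug output again; an OK line means the server side can at least present a valid key and certificate, and the remaining suspects are the connector configuration and what the client is willing to negotiate.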