RE: Accessing Credential handler inside the web application always returns null

[Усманов Азат Анварович]

Sorry for delayed response, Once I comment out the CredentialHandler in context 
xml both in my app's context.xml and in global context.xml, and add realm to 
server.xml. CredentialHandler returns null once again.

От: Christopher Schultz 
Отправлено: 5 ноября 2023 г. 18:16
Кому: users@tomcat.apache.org 
Тема: Re: Accessing Credential handler inside the web application always 
returns null

Азат,

On 10/31/23 13:53, Усманов Азат Анварович wrote:
> Hi everyone! CredentialHandler became not null, as soon as I
> transferred Realm definition from server.xml to context.xml(after
> checking the source code) .I've been able to see the new pbkdf2
> version of the given clear text password even with old  9.0.64
> version. I was wondering is the necessity to have realm defined
> inside context. xml for accessing CredentialHandler a design decision
> or a possible  bug in tomcat itself?. It wasn't mentioned in tomcat
> documentation. Perhaps it should be added in the docs.
Hmm... it shouldn't matter if you define your  in server.xml or
in app/META-INF/context.xml. Are you sure that was the only difference
between working/not-working configurations?

Thanks,
-chris

> ________
> От: Усманов Азат Анварович 
> Отправлено: 30 октября 2023 г. 20:25
> Кому: users@tomcat.apache.org 
> Тема: RE: Accessing Credential handler inside the web application always 
> returns null
>
> I did recheck using 9.0.82, unfortunately nothing has changed 
> CredentialHandler is still null
> 
> От: Christopher Schultz 
> Отправлено: 30 октября 2023 г. 18:52
> Кому: Tomcat Users List ; Усманов Азат Анварович 
> 
> Тема: Re: Accessing Credential handler inside the web application always 
> returns null
>
> Азат,
>
> On 10/29/23 20:45, Усманов Азат Анварович wrote:
>> Hi everyone!I'm trying to test CredentialHandeler functionality onour 
>> test server (Tomcat 9.0.64) inside the web-app
>> I Our realm is defined as follows( excerpt from server.xml
>> )
>>   > dataSourceName="jdbc/IEML_DB" roleNameCol="RoleName" userCredCol="PWD" 
>> userNameCol="UserName" userRoleTable="educ.ad_UserRoles" 
>> userTable="educ.ad_Users">
>>  > className="org.apache.catalina.realm.NestedCredentialHandler">
>> > className="org.apache.catalina.realm.SecretKeyCredentialHandler"/>
>>> className="org.apache.catalina.realm.MessageDigestCredentialHandler" 
>> algorithm="MD5" />
>>
>>  
>> Currently pwd  column defined as  Oracle (RAW) only stores md5 hashes, I was 
>> hoping to upgrade to PBKDF2 using tomcat ?so  here is the relevant part 
>> basic  login  controller code  (LoginCheckServlet)
>> LoginCheckServlet
>>
>>   protected void doGet(HttpServletRequest request, HttpServletResponse 
>> response) throws ServletException, IOException {
>> ...
>>   String userName = request.getParameter("j_username");
>> String password = request.getParameter("j_password");
>>   HttpSession session = request.getSession();
>> 
>> UserRecord user=... //load data from db
>> if 
>> (user.checkCorrectPassword(password,session.getServletContext())) {
>>   CredentialHandler 
>> cr=Security.getCredentialHandler(getServletContext());
>>   System.out.println(cr.mutate(password));// 
>> hoping to see my password displayed as pbkdf2 hash
>>
>> .
>> }
>>
>> Security.getCredentialHandler
>>
>>   public static CredentialHandler getCredentialHandler(final 
>> ServletContext context) {
>> System.out.println("context"+context) ;// prints 
>> contextorg.apache.catalina.core.ApplicationContextFacade@33f1f7c7
>> System.out.println("context vs"+context.getMajorVersion()); // 
>> prints 4
>> 
>> System.out.println("ATRIB"+context.getAttribute(Globals.CREDENTIAL_HANDLER));//always
>>   prints ATRIB null
>> return (CredentialHandler) 
>> context.getAttribute(Globals.CREDENTIAL_HANDLER);
>> }
>
> Your code and configuration looks reasonable to me.
>
>> So basically it always  return null  when trying to access
>> CredentialHandler attribute inside Security.getCredentialHandler
>> method,Any idea why it might be the case ?
> Are you able to re-try with Tomcat 9.0.70 or later? There is a
> changelog[1] entry which may be

RE: Accessing Credential handler inside the web application always returns null

[Усманов Азат Анварович]

Hi everyone! CredentialHandler became not null, as soon as I transferred Realm 
definition from server.xml to context.xml(after checking the source code) .I've 
been able to see the new pbkdf2 version of the given clear text password even 
with old  9.0.64  version. I was wondering is the necessity to have realm 
defined inside context. xml for accessing CredentialHandler a design decision 
or a possible  bug in tomcat itself?. It wasn't mentioned in tomcat 
documentation. Perhaps it should be added in the docs.

От: Усманов Азат Анварович 
Отправлено: 30 октября 2023 г. 20:25
Кому: users@tomcat.apache.org 
Тема: RE: Accessing Credential handler inside the web application always 
returns null

I did recheck using 9.0.82, unfortunately nothing has changed CredentialHandler 
is still null

От: Christopher Schultz 
Отправлено: 30 октября 2023 г. 18:52
Кому: Tomcat Users List ; Усманов Азат Анварович 

Тема: Re: Accessing Credential handler inside the web application always 
returns null

Азат,

On 10/29/23 20:45, Усманов Азат Анварович wrote:
> Hi everyone!I'm trying to test CredentialHandeler functionality onour 
> test server (Tomcat 9.0.64) inside the web-app
> I Our realm is defined as follows( excerpt from server.xml
> )
>   dataSourceName="jdbc/IEML_DB" roleNameCol="RoleName" userCredCol="PWD" 
> userNameCol="UserName" userRoleTable="educ.ad_UserRoles" 
> userTable="educ.ad_Users">
>  className="org.apache.catalina.realm.NestedCredentialHandler">
>  className="org.apache.catalina.realm.SecretKeyCredentialHandler"/>
>className="org.apache.catalina.realm.MessageDigestCredentialHandler" 
> algorithm="MD5" />
>   
> 
> Currently pwd  column defined as  Oracle (RAW) only stores md5 hashes, I was 
> hoping to upgrade to PBKDF2 using tomcat ?so  here is the relevant part basic 
>  login  controller code  (LoginCheckServlet)
> LoginCheckServlet
>
>   protected void doGet(HttpServletRequest request, HttpServletResponse 
> response) throws ServletException, IOException {
> ...
>   String userName = request.getParameter("j_username");
> String password = request.getParameter("j_password");
>   HttpSession session = request.getSession();
> 
>    UserRecord user=... //load data from db
> if 
> (user.checkCorrectPassword(password,session.getServletContext())) {
>   CredentialHandler 
> cr=Security.getCredentialHandler(getServletContext());
>   System.out.println(cr.mutate(password));// 
> hoping to see my password displayed as pbkdf2 hash
>
> .
> }
>
> Security.getCredentialHandler
>
>   public static CredentialHandler getCredentialHandler(final 
> ServletContext context) {
> System.out.println("context"+context) ;// prints 
> contextorg.apache.catalina.core.ApplicationContextFacade@33f1f7c7
> System.out.println("context vs"+context.getMajorVersion()); // 
> prints 4
> 
> System.out.println("ATRIB"+context.getAttribute(Globals.CREDENTIAL_HANDLER));//always
>   prints ATRIB null
> return (CredentialHandler) 
> context.getAttribute(Globals.CREDENTIAL_HANDLER);
> }

Your code and configuration looks reasonable to me.

> So basically it always  return null  when trying to access
> CredentialHandler attribute inside Security.getCredentialHandler
> method,Any idea why it might be the case ?
Are you able to re-try with Tomcat 9.0.70 or later? There is a
changelog[1] entry which may be important for you:

"
Fix: Improve the behavior of the credential handler attribute that is
set in the Servlet context so that it actually reflects what is used
during authentication. (remm)
"

There was a problem specifically with the NestedCredentialHandler, I
think, which was not working as expected. 9.0.70 includes a fix that
should improve things for you.

-chris


[1]
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.70_(remm)

RE: Accessing Credential handler inside the web application always returns null

[Усманов Азат Анварович]

I did recheck using 9.0.82, unfortunately nothing has changed CredentialHandler 
is still null

От: Christopher Schultz 
Отправлено: 30 октября 2023 г. 18:52
Кому: Tomcat Users List ; Усманов Азат Анварович 

Тема: Re: Accessing Credential handler inside the web application always 
returns null

Азат,

On 10/29/23 20:45, Усманов Азат Анварович wrote:
> Hi everyone!I'm trying to test CredentialHandeler functionality onour 
> test server (Tomcat 9.0.64) inside the web-app
> I Our realm is defined as follows( excerpt from server.xml
> )
>   dataSourceName="jdbc/IEML_DB" roleNameCol="RoleName" userCredCol="PWD" 
> userNameCol="UserName" userRoleTable="educ.ad_UserRoles" 
> userTable="educ.ad_Users">
>  className="org.apache.catalina.realm.NestedCredentialHandler">
>  className="org.apache.catalina.realm.SecretKeyCredentialHandler"/>
>className="org.apache.catalina.realm.MessageDigestCredentialHandler" 
> algorithm="MD5" />
>   
> 
> Currently pwd  column defined as  Oracle (RAW) only stores md5 hashes, I was 
> hoping to upgrade to PBKDF2 using tomcat ?so  here is the relevant part basic 
>  login  controller code  (LoginCheckServlet)
> LoginCheckServlet
>
>   protected void doGet(HttpServletRequest request, HttpServletResponse 
> response) throws ServletException, IOException {
> ...
>   String userName = request.getParameter("j_username");
> String password = request.getParameter("j_password");
>   HttpSession session = request.getSession();
> 
>    UserRecord user=... //load data from db
> if 
> (user.checkCorrectPassword(password,session.getServletContext())) {
>   CredentialHandler 
> cr=Security.getCredentialHandler(getServletContext());
>   System.out.println(cr.mutate(password));// 
> hoping to see my password displayed as pbkdf2 hash
>
> .
> }
>
> Security.getCredentialHandler
>
>   public static CredentialHandler getCredentialHandler(final 
> ServletContext context) {
> System.out.println("context"+context) ;// prints 
> contextorg.apache.catalina.core.ApplicationContextFacade@33f1f7c7
> System.out.println("context vs"+context.getMajorVersion()); // 
> prints 4
> 
> System.out.println("ATRIB"+context.getAttribute(Globals.CREDENTIAL_HANDLER));//always
>   prints ATRIB null
> return (CredentialHandler) 
> context.getAttribute(Globals.CREDENTIAL_HANDLER);
> }

Your code and configuration looks reasonable to me.

> So basically it always  return null  when trying to access
> CredentialHandler attribute inside Security.getCredentialHandler
> method,Any idea why it might be the case ?
Are you able to re-try with Tomcat 9.0.70 or later? There is a
changelog[1] entry which may be important for you:

"
Fix: Improve the behavior of the credential handler attribute that is
set in the Servlet context so that it actually reflects what is used
during authentication. (remm)
"

There was a problem specifically with the NestedCredentialHandler, I
think, which was not working as expected. 9.0.70 includes a fix that
should improve things for you.

-chris


[1]
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.70_(remm)

Accessing Credential handler inside the web application always returns null

[Усманов Азат Анварович]

Hi everyone!I'm trying to test CredentialHandeler functionality onour test 
server (Tomcat 9.0.64) inside the web-app
I Our realm is defined as follows( excerpt from server.xml
)

   

 
 
   
Currently pwd  column defined as  Oracle (RAW) only stores md5 hashes, I was 
hoping to upgrade to PBKDF2 using tomcat ?so  here is the relevant part basic  
login  controller code  (LoginCheckServlet)
LoginCheckServlet

  protected void doGet(HttpServletRequest request, HttpServletResponse 
response) throws ServletException, IOException {
...
  String userName = request.getParameter("j_username");
String password = request.getParameter("j_password");
  HttpSession session = request.getSession();

  UserRecord user=... //load data from db
if 
(user.checkCorrectPassword(password,session.getServletContext())) {
  CredentialHandler 
cr=Security.getCredentialHandler(getServletContext());
  System.out.println(cr.mutate(password));// hoping 
to see my password displayed as pbkdf2 hash

.
}

Security.getCredentialHandler

  public static CredentialHandler getCredentialHandler(final ServletContext 
context) {
System.out.println("context"+context) ;// prints 
contextorg.apache.catalina.core.ApplicationContextFacade@33f1f7c7
System.out.println("context vs"+context.getMajorVersion()); // 
prints 4

System.out.println("ATRIB"+context.getAttribute(Globals.CREDENTIAL_HANDLER));//always
  prints ATRIB null
return (CredentialHandler) 
context.getAttribute(Globals.CREDENTIAL_HANDLER);
}

UserRecord class

  public boolean checkCorrectPassword(String pwd,ServletContext ctx) {
try {
  System.out.println(ctx.getMajorVersion());
  BigInteger bigInt = new BigInteger(1,passwordHash);   
  CredentialHandler ch=Security.getCredentialHandler(ctx);
    boolean result=(ch.matches(pwd, bigInt.toString(16)));
  return result;
}
catch(Exception e) {
  e.printStackTrace();
  return false;
}
  }


So basically it always  return null  when trying to access CredentialHandler 
attribute inside Security.getCredentialHandler method,Any idea why it might be 
the case ?

RE: CredentialHandler tomcat 7

[Усманов Азат Анварович]

Hi Chris! Our app is happily running on Tomcat 9.0.64 on our test
server. The problem is that unlike our test server which faces the web 
directly, our production tomcat is behind nginx server which both acts as DDOS 
protection mechanism as well as SSO idp server, so our users can use two apps 
with same login credentials(both apps use same db for user info storage). When 
I tried to install 9.064 on production server about year ago, I discovered that 
all the static data from our app (jpg,js,css etc.)doesn't get loaded. The only 
static data which was available was the data inlined inside the jsp pages  
themselves. Since that meant that we have pretty much have an unusable app and 
I didn't have time to investigate the root cause at the time  I've reverted 
back to tomcat 7.0.92. Oddly enough nothing was actually changed on the nginx 
serverat the time of the switch. I'm hoping that next time I'll attempt the 
upgrade of our production server, installing latest version of 9.0 branch might 
fix the issue, although I'm not sure.(unfortunately nginx server is in the 
different department and not under my control)  Thank  you for the 
clarification and for all the help

От: Christopher Schultz 
Отправлено: 23 октября 2023 г. 19:24
Кому: users@tomcat.apache.org 
Тема: Re: CredentialHandler tomcat 7

Chuck,

On 10/22/23 13:55, Chuck Caldarale wrote:
>> On Oct 22, 2023, at 10:02, Усманов Азат Анварович  wrote:
>>
>> Hi everyone! I'm trying to use CredentialHandler with tomcat  to increase 
>> security since our db at $work still has pwd stored as md5 hashes. Some of 
>> our servers still use tomcat 7.092/ I was looking at this presentation by  
>> Christopher Shultz  
>> http://people.apache.org/~schultz/ApacheCon%20NA%202017/Seamless%20Upgrades%20for%20Credential%20Security%20in%20Apache%20Tomcat.pdf
>>   it mentions that Credention handler should be available to a web app in 
>> Tomcat 7.0.70+ But then I looked up source code for catalina.jar in 7.0.92 
>> and 7.0.109-src  I cant find class Named CredentialHandler.Am I looking at 
>> the wrong place or is it just not available in tomcat 7 ? Also tomcat docs 
>> for 7  doesn't seem to mention CredentialHandler at all..
>
>
>
> Looks like the CredentialHandler mechanism was introduced in 8.0.15 (November 
> 2014), with no indication that it would ever be retrofitted to any 7.0.x 
> version. (The footnote on slide 30 of the cited presentation appears to be in 
> error.)

Yeah, I have no idea where I got the 7.0.70 version number from. Maybe I
guessed it while drafting and never confirmed it. Sorry,
Азат, it looks like I got that one wrong.

> Given that Tomcat 7.0 has not been supported for over two years and numerous 
> issues have been addressed in the intervening time period, it might be time 
> to upgrade…

+1

At this point, 7.0 is essentially 2 versions back form the
currently-supported version of Tomcat (8.5.x) which itself is scheduled
to be retired at the end of this coming March -- a mere 5 months from now.

I don't see any appetite for anybody -- myself included -- working on a
back-port for this to Tomcat 7.

I would encourage you to upgrade to Tomcat 9. I suspect you'll find that
your application runs with very few if any issues if you just upgrade in
a development environment and run a test.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

CredentialHandler tomcat 7

[Усманов Азат Анварович]

Hi everyone! I'm trying to use CredentialHandler with tomcat  to increase 
security since our db at $work still has pwd stored as md5 hashes. Some of our 
servers still use tomcat 7.092/ I was looking at this presentation by  
Christopher Shultz  
http://people.apache.org/~schultz/ApacheCon%20NA%202017/Seamless%20Upgrades%20for%20Credential%20Security%20in%20Apache%20Tomcat.pdf
  it mentions that Credention handler should be available to a web app in 
Tomcat 7.0.70+ But then I looked up source code for catalina.jar in 7.0.92 and 
7.0.109-src  I cant find class Named CredentialHandler.Am I looking at the 
wrong place or is it just not available in tomcat 7 ? Also tomcat docs for 7  
doesn't seem to mention CredentialHandler at all..

Ответить: tomcat timeouts on startup and on context deployment

[Усманов Азат Анварович]

Hello everyone!  I use tomcat at $work, both on windows with Eclipse and on 
Linux without Eclipse. I believe that those timeouts  the OP is talking 
about,are   used for tomcat itself, not individual apps inside Tomcat. When 
such timeouts are reached Eclipse typically just ends tomcat java process, 
releases all the resources  , such as ports,files  etc. It is a useful thing to 
have for cases when tomcat is accessing the remote db.  So when db is down for 
some reason, you don't want to wait forever to figure something is wrong. 
Notice that on timeout eclipse just says unable to start tomcat in n number of 
seconds , please increase timeout., and outputs nothing about the termination 
in console window in eclipse, at least by default. I suspect its because these 
are purely eclipse timeouts. I usually keep them around 5 minutes for startup 
just in case., although tomcat usually starts in  no more than 50 seconds.


От: Ivano Luberti 
Отправлено: 19 августа 2023 г. 10:57
Кому: users@tomcat.apache.org 
Тема: Re: tomcat timeouts on startup and on context deployment

Christopher, Maxim

To clarify , I have never hit a timeout in production , but it happened
in Eclipse and since this timeout is configurable in Eclipse Tomcat
Launch configuration I have guessed such a timeout is a tomcat property
hidden somewhere.

AFAIK the list server doesn't allow attachment so I put here a dropbox
link of a picture of the Eclipse interface I'm talking about.

I hope this make me able to let you understand what I mean

https://www.dropbox.com/scl/fi/vg4ygu8pggkz3tpa1a0wo/EclipseTomcatTimeotConfig.PNG?rlkey=ztt0n6axy2hohi47ix3zjvzif=0

Il 19/08/2023 06:27, Maxim Solodovnik ha scritto:
> from mobile (sorry for typos ;)
>
>
> On Sat, Aug 19, 2023, 10:49 Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Ivano,
>>
>> On 8/18/23 18:17, Ivano Luberti wrote:
>>> It seems I had explained myself badly. I'll try again.
>>>
>>> I need to know if there is and it is configurable a timeout on tomcat
>>> startup (in Eclipse you can configure it in the server configuration
>>> interface)
>>>
>>> I need also to know if there is and it is configurable a timeout on
>>> application deployment when you use tomcat manager to deploy a war file
>>> or application start, fom tomcat manager interface as well
>> Tomcat doesn't wait for anything on startup except for the web
>> applications to deploy. If your application takes long to start, Tomcat
>> will take long to start. But Tomcat won't say "it's been 60 seconds,
>> sorry, I'm killing the application" or anything like that.
>>
>> If you use the Manager web application to deploy an application, it's
>> possible that the tool you use for deployment (e.g. curl, or whatever
>> makes the call to Tomcat's manager-deploy action) will have an HTTP
>> timeout. Tomcat will complete the deployment work, but the
>> deploying-client might not get a successful HTTP response within that
>> time period.
>>
>> But that's a timeout on the client end, not on Tomcat's end.
>>
>> I'm just guessing at what timeout you are talking about, here. I may be
>> totally off.
>>
>> You said that Eclipse had a configurable timeout. What is that for /
>> what is it called / what does it do?
>>
> Initializing of SecureRandom might cause long tomcat start
> You can switch to /dev/urandom (less secure)
>
>
>
>> -chris
>>
>>> Il 18/08/2023 22:57, Christopher Schultz ha scritto:
 Ivano,

 On 8/18/23 10:18, Ivano Luberti wrote:
> Hello eveybody, in one of my use case, when upgrading a web
> application it coult happen that on startup the application has to
> perform some database operation that could require some time, even
> some minutes.
>
> This happens typically when deploying the application via tomcat
> manager but could possibly happen when starting tomcat if the war
> file has been replaced while tomcat was down.
>
> Where can I configure these timeouts?
 What timeouts, specifically?

 -chris

 -
 To unsubscribe, e-mail:users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail:users-h...@tomcat.apache.org

>> -
>> To unsubscribe, e-mail:users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail:users-h...@tomcat.apache.org
>>
>>
--

Archimede Informatica tratta i dati personali in conformità a quanto
stabilito dal Regolamento UE n. 2016/679 (GDPR) e dal D. Lgs. 30 giugno
2003 n. 196
per come modificato dal D.Lgs. 10 agosto 2018 n. 101.
Informativa completa


dott. Ivano Mario Luberti

Archimede Informatica società cooperativa a r. l.
Via Gereschi 36, 56127 Pisa

tel.: +39 050/580959 | fax: +39 050/8932061

web: www.archicoop.it

any plans for tomcat-native 1.2.36

[Усманов Азат Анварович]

Hi Everyone!

I'm wondering if there are plans to release the next version of tomcat 
native 1.2 branch?I've scheduled a big server migration as well as 
tomcat upgrade 7.0.92 to -9.0.48   (everything seems to work  on 
test-enviroment) at $work on weekend(Oct 5th-6th) .I usually build  
openssl,tomcat-native  manually, currently using openssl 3.03 and tomcat 
native 1.2.33. it would be nice to upgrade both openssl and tomcat 
native at the same time during scheduled downtime. I did see a vote on a 
dev list for next release of 2.0 branch of tomcat native. any plans for 
tomcat -native 1.2.36?


Sincerely, Azat Usmanov

P.S. Our servers run on RHEL6


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

tomcat presentations on ApacheCon 2021

[Усманов Азат Анварович]

Hi everyone! Does anybody know where/when to find the  video/audio/slides (if 
any) from the last weeks's tomcat track on ApacheCon 2021?Because I completely 
missed it last week.
 I'm assuming all of these would be added to tomcat presentations page 
http://tomcat.apache.org/presentations.html or  
https://www.youtube.com/c/ApacheTomcatOfficial/videos at some point in time.I'm 
in no rush , just wanna make sure  I haven't missed anything which could be 
useful on a  daily basis. Especialy considering the fact that  I've had a few 
aha ("I wish I'd knew this earlier") type  moments after watching  tomcat 
presentations before.


С уважением,
Азат Усманов
Отдел разработки программного обеспечения
Казанский инновационный университет имени В.Г.Тимирясова

Ответить: Tomcat 10 and import org.apache.commons.fileupload.FileItem problem

[Усманов Азат Анварович]

Hi John! Current version of the migration tool available on Tomcat's website is 
1.0.0, not 0.2.0. .try using it,and see if that solves the issue.


С уважением,
Азат Усманов
Отдел разработки программного обеспечения
Казанский инновационный университет имени В.Г.Тимирясова



От: Orendt, John 
Отправлено: 15 мая 2021 г. 1:17
Кому: users@tomcat.apache.org 
Тема: Tomcat 10 and import org.apache.commons.fileupload.FileItem problem

Hi

I found sample code for an UploadServlet with these imports

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

This worked well with Tomcat 9.

However, when I switched to a new Windows 10 device, I installed Tomcat 10.05

After, replacing javax with jakara in imports most Servlets worked well, with 
the exception of UploadServlet Which uses the above imports.

I get a compile error :

The type javax.servlet.http.HttpServletRequest cannot be resolved. It is 
indirectly referenced from required .class files

Using import jakarta.servlet.http.HttpServletRequest also does not work.

I may be on the wrong path.

Is there a newer version of jakartaee-migration-0.2.0-shaded.jar available?

Your insights are appreciated.

John Orendt
john.p.ore...@medtronic.com

[CONFIDENTIALITY AND PRIVACY NOTICE] Information transmitted by this email is 
proprietary to Medtronic and is intended for use only by the individual or 
entity to which it is addressed, and may contain information that is private, 
privileged, confidential or exempt from disclosure under applicable law. If you 
are not the intended recipient or it appears that this mail has been forwarded 
to you without proper authority, you are notified that any use or dissemination 
of this information in any manner is strictly prohibited. In such cases, please 
delete this mail from your records. To view this notice in other languages you 
can either select the following link or manually copy and paste the link into 
the address bar of a web browser: http://emaildisclaimer.medtronic.com

RE: version change failure

[Усманов Азат Анварович]

Dana, Please see the migration -guide  
(https://tomcat.apache.org/migration-10.html)  here is a quote from it "


Apache Tomcat 10 supports the Jakarta Servlet 5.0, Jakarta Server Pages 3.0, 
Jakarta Expression Language 4.0, JakartaWebSocket 2.0 and Jakarta 
Authentication 2.0 
specifications.

There is a significant breaking change between Tomcat 9.0.x and Tomcat 10.0.x. 
The Java package used by the specification APIs has changed from javax... to 
jakarta It will be necessary to recompile web applications against the new 
APIs. Alternatively, users can convert an existing WAR file from Java EE 8 to 
Jakarta EE 9 using the Apache Tomcat migration tool for Jakarta 
EE."

С уважением,
Азат Усманов
Отдел разработки программного обеспечения
Казанский инновационный университет имени В.Г.Тимирясова


От: dana whitelow 
Отправлено: 10 апреля 2021 г. 22:08
Кому: users@tomcat.apache.org 
Тема: version change failure

Hi ,
I changed tomcat version
from
8.5.38
to
10.0.5

The setup was running without web.xml and it was picking up index.jsp 
automatically
but with the new version there is a connection refused error.

what has changed  ?

Thanks

danawhite...@aol.com

info: illegal access: this web application instance has been stopped already w/Parallel deployment

[Усманов Азат Анварович]

Hi everyone! About a year ago I asked the following question on the users-list 
about  getting a illegal state exception when using parallel deployment in 
tomcat 7
https://www.mail-archive.com/users@tomcat.apache.org/msg133549.html
since I wasn't able to find a solution we kinda avoided using parallel 
deployment on production enviroment.Recently I got back to that issue(which is 
also can be seen when using tomcat in eclipse w\o parallel deployment)
I've been able to fix the issue with eclipse by changing  to  ,but the question is how to 
fix the error  when using  regular(non eclipse ) tomcat with parallel 
deployment (just like I specified in the original question a year ago -link 
above)
Since the non eclipse tomcat config doesn't use reloadable attribute, and the 
default for reloadable is false I'm not sure what else to do?I wonder does 
reloadable attrubute even playing any role when using it with parallel 
deployment? Any help is appreciated.
С уважением,
Азат Усманов
Отдел разработки программного обеспечения
Казанский инновационный университет имени В.Г.Тимирясова

Tomcat nested

[Усманов Азат Анварович]

Hello everyone! I was recently  reading this mailing list and found the 
question by  
jonmcalexander
 about currently supported   digest algorithms, looking through replies,I found 
a great presentation by Cristopher Schultz about credential security, I have  
one question though
if I have  my credentials stored in a datasource Realm with old md5 digest set 
up like this
  
where pwd is the column name which stores md5 hash
 how do I specify column  where more secure PBKDF2   version of the  password 
(f  I want to keep old md5 as fall back option) is stored
with the more secure configuration example like this one (copied directly from 
presentation slides )



 
 
 
 


or do I  just need to increase the size of PWD column to fit the new pbkdf2  
hash and PWD would store either  md5 or pbkdf2 depending if user has changed 
their password or not?

Ilegal state excepton and parallel deployment

[Усманов Азат Анварович]

Ĺ
Hello everyone!I have only recently discovered a wonderful posibility of 
parallel deployment in tomcat 7 and it works great for jsp and most of the 
servlets . however there is a small problem .Amongs regular jsp and servlets we 
have around 300 different reports developed with BIRT designer and run under 
birt0runtime in Tomcat (some are more heavier in terms of memory consumtions 
than others)Problem is that after I parallel deploy a webapp some of yhese 
reports refuse to run throwing the following stack trace in the log




дек 13, 2019 8:44:26 PM org.apache.catalina.loader.WebappClassLoaderBase 
findResourceInternal
INFO: Illegal access: this web application instance has been stopped already. 
Could not load 
META-INF/services/org.apache.xerces.xni.parser.XMLParserConfiguration. The 
eventual following stack trace is caused by an error thrown for debugging 
purposes as well as to attempt to terminate the thread which caused the illegal 
access, and has no functional impact.
Birt engine error. Path: 
/opt/tomcat/webapps/Education##12846/birt/TeacherPlan.rptdesign, format: html, 
ErrorMessage:Error happened while running the report.
org.eclipse.birt.report.engine.api.EngineException: Error happened while 
running the report.
at 
org.eclipse.birt.report.engine.api.impl.EngineTask.handleFatalExceptions(EngineTask.java:2248)
at 
org.eclipse.birt.report.engine.api.impl.RunAndRenderTask.doRun(RunAndRenderTask.java:190)
at 
org.eclipse.birt.report.engine.api.impl.RunAndRenderTask.run(RunAndRenderTask.java:77)
at com.ieml.basedata.BirtService.runReport(BirtService.java:146)
at com.ieml.basedata.BIRTReportServlet.doPost(BIRTReportServlet.java:85)
at com.ieml.basedata.BIRTReportServlet.doGet(BIRTReportServlet.java:19)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.filters.ExpiresFilter.doFilter(ExpiresFilter.java:1203)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at 
com.planetj.servlet.filter.compression.CompressingFilter.doFilter(CompressingFilter.java:222)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.ieml.filters.LogFilter.doFilter(LogFilter.java:33)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.ieml.filters.ProtectFilter.doFilter(ProtectFilter.java:92)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.ieml.filters.saml.SAMLSPFilter.doFilter(SAMLSPFilter.java:169)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.ieml.filters.CharsetFilter.doFilter(CharsetFilter.java:51)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at 
org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.ieml.filters.HeadersFilter.doFilter(HeadersFilter.java:19)
at

Азат Усманов, сегодня в 0:29
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:603)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at 
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1137)
at 

Add date and app name to catalina,out

[Усманов Азат Анварович]

Hello  everyone! Is it possible to add app name and error date to catalina.out 
in case of an exception ?(both in console and in catalina.out file)
I amd using follow logginng properties in tomcat

.handlers = 1catalina.org.apache.juli.FileHandler, 
java.util.logging.ConsoleHandler


# Handler specific properties.
# Describes specific configuration ALL for Handlers.


1catalina.org.apache.juli.FileHandler.level = ALL
1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
1catalina.org.apache.juli.FileHandler.prefix = catalina.
1catalina.org.apache.juli.FileHandler.formatter = 
java.util.logging.SimpleFormatter
1catalina.org.apache.juli.AsyncFileHandler.encoding = UTF-8
java.util.logging.SimpleFormatter.format=[%1$tF %1$tT] [%4$-7s] %5$s %n


2localhost.org.apache.juli.FileHandler.level = ALL
2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
2localhost.org.apache.juli.FileHandler.prefix = localhost.
2localhost.org.apache.juli.AsyncFileHandler.encoding = UTF-8



java.util.logging.ConsoleHandler.level = FINE
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
java.util.logging.ConsoleHandler.encoding = UTF-8

currently I have the following  printed to  console on error in case app 
produces an error

[2019-12-06 11:24:34] [INFO   ] Loaded APR based Apache Tomcat Native library 
1.2.19 using APR version 1.6.5.
[2019-12-06 11:24:34] [INFO   ] APR capabilities: IPv6 [true], sendfile [true], 
accept filters [false], random [true].
[2019-12-06 11:24:34] [INFO   ] OpenSSL successfully initialized (OpenSSL 
1.1.1a  20 Nov 2018)
[2019-12-06 11:24:34] [INFO   ] Initializing ProtocolHandler ["http-apr-8080"]
[2019-12-06 11:24:34] [INFO   ] Initialization processed in 363 ms
[2019-12-06 11:24:34] [INFO   ] Starting service Catalina
[2019-12-06 11:24:34] [INFO   ] Starting Servlet Engine: Apache Tomcat/7.0.92
[2019-12-06 11:24:41] [INFO   ] Starting ProtocolHandler ["http-apr-8080"]
[2019-12-06 11:24:41] [INFO   ] Server startup in 6348 ms

java.lang.NumberFormatException: For input string: "ff"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
at java.lang.Integer.parseInt(Integer.java:492)
at java.lang.Integer.valueOf(Integer.java:582)
at com.ieml.util.ServletUtilities.getIntParameter(ServletUtilities.java:224)
at 
com.ieml.servlets.contract.ContractsServlet.beforePrintPage(ContractsServlet.java:356)
at com.ieml.basedata.BaseDataServlet2.doPost(BaseDataServlet2.java:146)
at com.ieml.basedata.BaseDataServlet2.doGet(BaseDataServlet2.java:73)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
i want t it to be
[2019-12-06 11:24:42][Education] java.lang.NumberFormatException: For input 
string: "ff"
where  Education is app name
is that possible?

Re: Tomcat doesn't refreshes and still gives me an old error again and again

[Усманов Азат Анварович]

Hi Karen, I´m not sure if it's still valuable to you. But make sure to double 
click on your tomcat server in eclipse, and check the value od server location 
field. Should be something like [eclipse workspace 
location]\.metadata\.plugins\org.eclipse.wst.server.core\tmpX where X is any 
number starting from 0. Which is basically the path to tomcat work directory 
people  were talking about. From here navigate to wtpwebapps folder. You will 
see folders which correspond to your web apps[projects in eclipse]. You 
basically will find the copy content of your WebContent folder from Eclipse 
project. Eclipse usually copies files from your |Webcontent folder to here 
right after you make changes and save your project changes. Sometimes it 
doesn't do this and you end up with a situation like yours. Then you have to 
manualy copy the specific file you have problems with. I've had this happen to 
me a few times and the first time it happend it was so frustrating. Hope this 
helps you

С уважением,
Азат Усманов
Отдел разработки программного обеспечения
Институт экономики, управления и права (г. Казань)


От: Karen Goh 
Отправлено: 4 сентября 2019 г. 18:28:39
Кому: users@tomcat.apache.org 
Тема: Re: Tomcat doesn't refreshes and still gives me an old error again and 
again






On Wednesday, September 4, 2019, 10:50:17 PM GMT+8, Christopher Schultz 
 wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Karen,

On 9/4/19 10:45, Karen Goh wrote:
> On Wednesday, September 4, 2019, 9:32:43 PM GMT+8, Dave Thorn
>  wrote:
>
>
> On Wed, Sep 04, 2019 at 01:21:11PM +, Karen Goh wrote:
>
>
>> I am facing this problem - that Tomcat - 9.0.24 doesn't
>> refreshes and it will give ma an error, even after I commented
>> out a line. But, after several cleaning - using Tomcat Directory
>> clean, right-click on the project in Eclipse and do a run maven
>> force update and project built, it will still give me an error
>> that point out to a commented out line.
>
>
> Do you have a tomcat/work directory? ISTR sometimes having to
>
> rm -rf /var/cache/tomcat/work/Catalina/localhost/{webappname}
>
> Could you let me know how to do it Windows 10 way? Sorry for the
> trouble cos basically most of my stuff is still using Windows
> 10

C:> DEL /S %CATALINA_BASE%\work\Catalina\localhost\{webappname}

Or just navigate Windows Explorer to the "work" directory and press
the "DELETE" key on your keyboard.

Hi Chris,

Just to clarify, so instead of doing the clean, I will have to to to this place 
- C:\Program Files\Apache\apache-tomcat-9.0.24\webapps\webappname and delete 
weappname ?

I happened to read this 
https://stackoverflow.com/questions/763693/where-is-the-work-directory-located-for-a-tomcat-instance-running-in-eclipse

I checked the location when I right-clicked the Tomcat instance, it says meta 
data, so should I delete the metadata one ? My Tomcat configuration is take 
control of Tomcat installation.

Kindly advise. And thanks for your help.




- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl1vzyQACgkQHPApP6U8
pFilXw//d6+V8jCdk7rsimcTHB7khA5G0ERSXISHZCbGRA+PHxa4wE2U6Z1HFZtv
7hoxx46PSNkcWr+wgIjWCcj87MRdZsOJOAOqByRH1fSPLmZzdJyUxafPPNjA0wxU
zT+T4CicFbBehjCi9rMbNI8tt/UOjQDcNJPuEIEXoLj2L4ybDSMcrTGjjDfhUuf8
+Z/1XefU7lBMiBDBGVGTmePm58P8cjLj8rq7nuXEbs3fcmA6udoHpWmoP7A4u+tx
bmF1L6UEL0V3DIAUPJrV+WONGUw6te4sRF4PmKCPLyWBqfClU6lRt0U3CFN/T2u8
RqjX/rsCio4oImLSbgzRQnYLdWwb5tvuZzhlRGTnJcrSHj8D8ECWq8GdL0ppOnZo
WoNf03NlaHniFUo6zW/LeMQUDjETH6/2qyvXC8fpjDDOn74yy6Zwk1ZMCwSmGS3e
D7Sdek0ZlzonaCRcOu0f+iHNU/2ZuGdwKrgIltPuRwG50Tkhjad780/Xt55v/vOL
kyqppaONZypXqNTkmDnIibzd1TyknRk7Y9UnCQIkgnBzhNuuG4MxzFh+2/BK8Qiy
fOVZUCEvm5DbFIMRE4QSc7b8edrrC3YDRuQecZnii5Lk7c9By3xLiGu1SfH673Jz
/is7giTMejiUzs2sb6JUYJN6RPyHPDFgI15ZRhgekt+OpN5jDXQ=
=EtCR
-END PGP SIGNATURE-


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Need help with image file location

[Усманов Азат Анварович]

Hi!

I believe that you are writing to the wrong mailing list.

"Apache" is an organisation, which groups together many different open-source 
software "products" or "projects". See : 
http://apache.org/index.html#projects-list

One of these is "Apache httpd", a webserver, and that seems to be the one you 
are mentioning below. See : http://httpd.apache.org/
Mailing lists for Apache httpd can be found here :
http://httpd.apache.org/lists.html

Another (totally different) one is "Apache Tomcat", a java servlet container. 
See : http://tomcat.apache.org/
This user's list (users@tomcat.apache.org) is for Apache Tomcat.

(note : you are always welcome on this Apache Tomcat mailing list, if your 
question/problem relates to Apache Tomcat in any way)


От: Barry Kimelman 
Отправлено: 14 июля 2019 г. 0:42:32
Кому: Tomcat Users List
Тема: Need help with image file location

I am running Apache2.4 on windows 10

I have apache installed under c:\Apache24

Everything has been working fine for quite some time. Today I tried to
display an image and no matter what I tried the image is not displayed. I
read in some documentation that all static content (HTML files, image
files, etc..) should go in the same place so I put my image file under
c:\Apache24\htdocs but the image file was not displayed. When I checked the
log files the errors.log file complained "script not found or unable to
stat" but the path was listed under "cgi-bin". So I tried to modify my
image tag to use a relative path but that also did not work.

Where should I put my image files ? How should I code my  tag ? Do I
need to make any changes to my httpd.conf file ?

Thanks.


==

Barry Kimelman
Winnipeg, Manitoba, Canada


Virus-free.
www.avast.com

<#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>

Ocsp must staple and bz 56148

[Усманов Азат Анварович]

Hello everyone! 
I was wondering if it is reasonable for me to expect ocsp stapling (bz56148 )to 
be fixed by the end of August. The reason I ask is that our corporate DV SSL 
certificate expires at the end of August.  And I was thinking about getting a 
new one with the ocsp must staple extension enabled. Obviously, it depends on 
by 56148  being fixed.   The bigger question is it worth it? And what are 
potential (browser) issues for running tomcat with must staple enabled 
certificate? Since we now know that ocsp stapling works on java9 +jsse tomcat, 
maybe someone here already has must staple enabled on their certificate running 
a tomcat server and could possibly share the experience here.
С уважением,
Азат Усманов
Отдел разработки программного обеспечения
Институт экономики, управления и права (г. Казань)


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: OCSP with openSSL

[Усманов Азат Анварович]

Just a quick follow up , trying to get some answers, I added  include  
to sslutils.c (which has alll the ocsp functions )   to print some info.I  
added printf calls to every function defined in this file.  Interestingly 
enough  when I issue  the  openssl s_client -connect debug.ieml.ru:8443  
-tls1_2 -status -proxy 192.168.1.6:3131
both tls1_2 and tls 1_3  versions and when I access  the server from another 
machine via browser none of printf  calls are displayed,  however, when I issue 
ssllabs server test (which is also supposedly capable of detecting ocsp)   some 
of them start to appear.  sadly none of them are ocsp related. I did put basic  
ifdef  test for HAVE_OCSP_STAPLING, surprisingly  it  shows that ocsp support 
is indeed enabled . So here are  both   the modified  sslutils.c file and 
tomcat log snippet (not sure if attachments are allowed on  the list  so 
posting it  here )
Not sure where to go from here
/* Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/** SSL Utilities
 */

#include "tcn.h"
#include 
#ifdef HAVE_OPENSSL
#include "apr_poll.h"
#include "ssl_private.h"


#ifdef WIN32
extern int WIN32_SSL_password_prompt(tcn_pass_cb_t *data);
#endif

#ifdef HAVE_OCSP_STAPLING
#include 
#include 
/* defines with the values as seen by the asn1parse -dump openssl command */
#define ASN1_SEQUENCE 0x30
#define ASN1_OID  0x06
#define ASN1_STRING   0x86
static int ssl_verify_OCSP(X509_STORE_CTX *ctx);
static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx);
#endif

/*  _
**
**  Additional High-Level Functions for OpenSSL
**  _
*/

/* we initialize this index at startup time
 * and never write to it at request time,
 * so this static is thread safe.
 * also note that OpenSSL increments at static variable when
 * SSL_get_ex_new_index() is called, so we _must_ do this at startup.
 */
static int SSL_app_data2_idx = -1;
static int SSL_app_data3_idx = -1;
static int SSL_app_data4_idx = -1;

void SSL_init_app_data_idx(void)
{ printf(" SSL_init_app_data_idx\n");
   #ifdef HAVE_OCSP_STAPLING
printf("Hi OCSP \n");
#else
printf("Sorry no OCSP support\n");
#endif

int i;

if (SSL_app_data2_idx > -1) {
return;
}

/* we _do_ need to call this twice */
for (i = 0; i <= 1; i++) {
SSL_app_data2_idx =
SSL_get_ex_new_index(0,
 "Second Application Data for SSL",
 NULL, NULL, NULL);
}

if (SSL_app_data3_idx > -1) {
return;
}

SSL_app_data3_idx =
SSL_get_ex_new_index(0,
 "Third Application Data for SSL",
  NULL, NULL, NULL);

if (SSL_app_data4_idx > -1) {
return;
}

SSL_app_data4_idx =
SSL_get_ex_new_index(0,
 "Fourth Application Data for SSL",
  NULL, NULL, NULL);

}

void *SSL_get_app_data2(SSL *ssl)
{
 printf("ssl_get_app_data2 \n");
return (void *)SSL_get_ex_data(ssl, SSL_app_data2_idx);
}

void SSL_set_app_data2(SSL *ssl, void *arg)
{
printf("ssl_set_app_data2 \n");

SSL_set_ex_data(ssl, SSL_app_data2_idx, (char *)arg);
return;
}


void *SSL_get_app_data3(const SSL *ssl)
{
printf("ssl_get_app_data3 \n");

return SSL_get_ex_data(ssl, SSL_app_data3_idx);
}

void SSL_set_app_data3(SSL *ssl, void *arg)
{
printf("ssl_set_app_data3 \n");
SSL_set_ex_data(ssl, SSL_app_data3_idx, arg);
}

void *SSL_get_app_data4(const SSL *ssl)
{
printf("ssl_get_app_data4 \n");
return SSL_get_ex_data(ssl, SSL_app_data4_idx);
}

void SSL_set_app_data4(SSL *ssl, void *arg)
{
printf("ssl_set_app_data4 \n");
SSL_set_ex_data(ssl, SSL_app_data4_idx, arg);
}

/* Simple echo password prompting */
int SSL_password_prompt(tcn_pass_cb_t *data)
{

printf(" SSL_password_prompt\n");
int rv = 0;
data->password[0] = '\0';
if (data->cb.obj) {
JNIEnv *e;
jobject  o;
jstring  prompt;
tcn_get_java_env();
prompt = AJP_TO_JSTRING(data->prompt);
if ((o = (*e)->CallObjectMethod(e, 

Re: OCSP with openSSL

[Усманов Азат Анварович]

Chris,
Yes the version is the same in
/usr/local/openssl/bin/openssl as well.
It is the same version Tomcat uses,I get this info in the logs

23-May-2019 12:55:42.145 INFO [main] org.apache.catalina.core.AprLife
cycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL
1.1.1a  20 Nov 2018]

От: Christopher Schultz 
Отправлено: 23 мая 2019 г. 18:04:29
Кому: Усманов Азат Анварович
Тема: Re: OCSP with openSSL

Азат,

On 5/22/19 14:02, Усманов Азат Анварович wrote:
> [root] ~# openssl version
> OpenSSL 1.1.1a  20 Nov 2018

Great. Is this also the same version in /usr/local/openssl/bin/openssl?

> [root] ~# openssl  ocsp -help
> Usage: ocsp [options]

Excellent.

When you launch Tomcat, are you getting a message about the version of
OpenSSL in use, and does it agree with above?

AFAIK, OCSP is enabled by default in libtcnative. There were some posts
a few months/years ago about someone trying to get it to work, and
having to edit the JVM's security.properties file and all kinds of weird
stuff. I must admit it didn't make any sense to me at the time. I'm
sorry, but I don't personally have any experience with dealing with
OCSP, but hopefully this additio0nal information will give someone else
some good info.

-chris

> 
> От: Christopher Schultz 
> Отправлено: 22 мая 2019 г. 19:45
> Кому: users@tomcat.apache.org
> Тема: Re: OCSP with openSSL
>
> Усманов,
>
> On 5/22/19 07:28, Усманов Азат Анварович wrote:
>> Mark,  I installed it  just   by  downloading  tcnative src  tar.gz
>> file from tomcat  website and issued  ./configure
>> --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79
>> -with-ssl=/usr/local/openssl && make && make install && make clean
>> I'm not sure  how to specify any ocsp related configure options
>> when building tomcat nativefrom source
>
> What is your OpenSSL version and capabilities?
>
> $ openssl version
>
> $ openssl -help
>
> $ openssl ocsp -help
>
> -chris
>
>>  От: Mark Thomas
>>  Отправлено: 22 мая 2019 г. 13:41 Кому:
>> users@tomcat.apache.org Тема: Re: OCSP with openSSL
>
>> On 22/05/2019 11:28, Усманов Азат Анварович wrote:
>>> Hi everyone! I have a web app running on tomcat and java 7 using
>>> apr for TLS related issues. I m still unable to have OCSP
>>> verification working with tomcat.
>
>> 
>
>>> I have tried running tcpdump on the server but don't' see any
>>> Comodo related IP addresses in the output when I access the
>>> server in question in the browser. At this point I don't know
>>> what else to do, If it was java I would just put some
>>> System.out.println statements in OCSP SSL related source code and
>>> recompile the tomcat source, but since in my case tomcat uses
>>> OpenSSL and tomcat native I'm not sure how/where to do that. the
>>> only places I found in the TC-native source that mentions OCSP
>>> is sslutils.c  source file. I'm not sure when/ if it is actually
>>> gets called in my case. Maybe be someone with more c experience
>>> c++ would help me with that.  I really want to get to the bottom
>>> of this. Any help is appreciated my tomcat version  is 8.5.39 APR
>>> based Apache Tomcat Native library [1.2.21] using APR version
>>> [1.6.5]. Openssl version is [OpenSSL 1.1.1a  20 Nov 2018 OS:
>>> Linux RHEL 6.6
>
>> How did you build the Tomcat Native library? Was OCSP enabled?
>
>> Mark
>
>> -
>
>
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

RE: OCSP with openSSL

[Усманов Азат Анварович]

Maximum status age in seconds
 -signkey valPrivate key to sign OCSP request with
 -reqout val Output file for the DER-encoded request
 -respout valOutput file for the DER-encoded response
 -path val   Path to use in OCSP request
 -issuer infile  Issuer certificate
 -cert infileCertificate to check
 -serial val Serial number to check
 -index infile   Certificate status index file
 -CA infile  CA certificate
 -nmin +int  Number of minutes before next update
 -nrequest +int  Number of requests to accept (default unlimited)
 -ndays +int Number of days before next update
 -rsigner infile Responder certificate to sign responses with
 -rkey infileResponder key to sign responses with
 -rother infile  Other certificates to include in response
 -rmd valDigest Algorithm to use in signature of OCSP response
 -rsigopt valOCSP response signature parameter in n:v form
 -header val key=value header to add
 -*  Any supported digest algorithm (sha1,sha256, ... )
 -policy val adds policy to the acceptable policy set
 -purpose valcertificate chain purpose
 -verify_name valverification policy name
 -verify_depth int   chain depth limit
 -auth_level int chain authentication security level
 -attime intmax  verification epoch time
 -verify_hostname valexpected peer hostname
 -verify_email val   expected peer email
 -verify_ip val  expected peer IP address
 -ignore_criticalpermit unhandled critical extensions
 -issuer_checks  (deprecated)
 -crl_check  check leaf certificate revocation
 -crl_check_all  check full chain revocation
 -policy_check   perform rfc5280 policy checks
 -explicit_policyset policy variable require-explicit-policy
 -inhibit_anyset policy variable inhibit-any-policy
 -inhibit_mapset policy variable inhibit-policy-mapping
 -x509_strictdisable certificate compatibility work-arounds
 -extended_crl   enable extended CRL features
 -use_deltas use delta CRLs
 -policy_print   print policy processing diagnostics
 -check_ss_sig   check root CA self-signatures
 -trusted_first  search trust store first (default)
 -suiteB_128_onlySuite B 128-bit-only mode
 -suiteB_128 Suite B 128-bit mode allowing 192-bit algorithms
 -suiteB_192 Suite B 192-bit-only mode
 -partial_chain  accept chains anchored by intermediate trust-store CAs
 -no_alt_chains  (deprecated)
 -no_check_time  ignore certificate validity time
 -allow_proxy_certs  allow the use of proxy certificates


От: Christopher Schultz 
Отправлено: 22 мая 2019 г. 19:45
Кому: users@tomcat.apache.org
Тема: Re: OCSP with openSSL

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Усманов,

On 5/22/19 07:28, Усманов Азат Анварович wrote:
> Mark,  I installed it  just   by  downloading  tcnative src  tar.gz
> file from tomcat  website and issued  ./configure
> --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79
> -with-ssl=/usr/local/openssl && make && make install && make clean
> I'm not sure  how to specify any ocsp related configure options
> when building tomcat nativefrom source

What is your OpenSSL version and capabilities?

$ openssl version

$ openssl -help

$ openssl ocsp -help

- -chris

>  От: Mark Thomas
>  Отправлено: 22 мая 2019 г. 13:41 Кому:
> users@tomcat.apache.org Тема: Re: OCSP with openSSL
>
> On 22/05/2019 11:28, Усманов Азат Анварович wrote:
>> Hi everyone! I have a web app running on tomcat and java 7 using
>> apr for TLS related issues. I m still unable to have OCSP
>> verification working with tomcat.
>
> 
>
>> I have tried running tcpdump on the server but don't' see any
>> Comodo related IP addresses in the output when I access the
>> server in question in the browser. At this point I don't know
>> what else to do, If it was java I would just put some
>> System.out.println statements in OCSP SSL related source code and
>> recompile the tomcat source, but since in my case tomcat uses
>> OpenSSL and tomcat native I'm not sure how/where to do that. the
>> only places I found in the TC-native source that mentions OCSP
>> is sslutils.c  source file. I'm not sure when/ if it is actually
>> gets called in my case. Maybe be someone with more c experience
>> c++ would help me with that.  I really want to get to the bottom
>> of this. Any help is appreciated my tomcat version  is 8.5.39 APR
>> based Apache Tomcat Native library [1.2.21] using APR ver

RE: OCSP with openSSL

[Усманов Азат Анварович]

Mark,  I installed it  just   by  downloading  tcnative src  tar.gz file from 
tomcat  website
and issued  ./configure --with-apr=/usr/local/apr 
--with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl && make && 
make install && make clean
I'm not sure  how to specify any ocsp related configure options  when building 
tomcat nativefrom source


От: Mark Thomas 
Отправлено: 22 мая 2019 г. 13:41
Кому: users@tomcat.apache.org
Тема: Re: OCSP with openSSL

On 22/05/2019 11:28, Усманов Азат Анварович wrote:
> Hi everyone! I have a web app running on tomcat and java 7 using apr for TLS 
> related issues. I m still unable to have OCSP verification working with 
> tomcat.



>  I have tried running tcpdump on the server but don't' see any Comodo related 
> IP addresses in the output when I access the server in question in the 
> browser.
> At this point I don't know what else to do, If it was java I would just put 
> some System.out.println statements in OCSP SSL related source code and 
> recompile the tomcat source, but since in my case tomcat uses OpenSSL and 
> tomcat native I'm not sure how/where to do that. the only places I found in 
> the TC-native source that mentions OCSP  is sslutils.c  source file. I'm not 
> sure when/ if it is actually gets called in my case. Maybe be someone with 
> more c experience c++ would help me with that.  I really want to get to the 
> bottom of this. Any help is appreciated
>  my tomcat version  is 8.5.39
>  APR based Apache Tomcat Native library [1.2.21] using APR version [1.6.5].
> Openssl version is [OpenSSL 1.1.1a  20 Nov 2018
> OS: Linux RHEL 6.6

How did you build the Tomcat Native library? Was OCSP enabled?

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

OCSP with openSSL

[Усманов Азат Анварович]

Hi everyone! I have a web app running on tomcat and java 7 using apr for TLS 
related issues. I m still unable to have OCSP verification working with tomcat. 
I'm  NOT  talking about the client- certificate based auth here,  just the 
opposite. I want tomcat to present it's OCSP  status to the client(browser) 
when it connects to the server.  Since the options on OCSP  section tomcat docs 
talk about client-auth I figured I don't need to add anything on my HTTPS 
connector to get OCSP working.  So here is my  https connector
   
 




our ocsp certificate has ocsp responder address  http://ocsp.comodoca.com
 I thought that my issues  were  caused by the fact the server in question  
sits behind a proxy but I just tested ocsp stapling  manually via OpenSSL ocsp 
utility and it working properly  when invoked through the command line
 openssl ocsp  -no_nonce  -issuer issuer.crt -cert /home/idis/STAR_ieml_ru.crt  
  -url  http://ocsp.comodoca.com/ -text
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
  Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
  Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Produced At: May 15 19:34:39 2019 GMT
Responses:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
  Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
  Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
Cert Status: good
This Update: May 15 19:34:39 2019 GMT
Next Update: May 22 19:34:39 2019 GMT

Signature Algorithm: sha256WithRSAEncryption
 37:ee:ae:ed:35:ea:2f:f5:3c:d6:4e:4b:60:fd:5b:8b:f6:24:
 90:e4:da:11:d7:57:9c:22:d6:fe:53:2f:48:a3:cb:7a:1e:c0:
 82:70:28:c9:bb:d5:07:31:c3:33:d2:0b:09:12:96:68:ed:a1:
 3f:d7:d6:46:9d:dc:9a:d8:55:27:0b:5e:c2:56:fc:47:42:de:
 f0:e6:5f:75:f1:c0:b4:42:76:f4:e6:30:b9:a8:9a:75:8f:5f:
 0c:e6:5b:1e:6b:6d:8e:66:3c:7f:73:df:22:98:4d:40:aa:e1:
 d5:fb:27:8d:9b:e6:67:ae:40:3d:1f:29:da:23:7d:74:ad:b3:
 e6:76:f9:be:18:ad:df:be:ee:7d:1a:ab:26:5b:0c:4a:3b:d3:
 7e:f4:7d:c6:6d:f4:93:90:90:ec:25:b1:d1:4a:c8:1e:47:fb:
 67:5e:50:42:97:cf:26:2e:d4:21:9f:e1:4a:a9:a1:ba:8c:0a:
 0f:f6:1e:d8:2e:f7:25:32:89:c7:af:b7:81:39:9b:57:72:9c:
 28:1b:9d:b1:58:aa:e2:47:bc:f9:5b:23:d2:f2:cb:9d:ac:72:
 cf:d9:75:12:a2:94:c3:78:d6:59:f7:96:12:18:9a:3b:b8:84:
 d2:fd:b5:54:e7:4c:51:17:01:f2:0a:0d:fa:52:e7:5e:51:6a:
 d9:14:1a:e3
Response verify OK
/home/idis/STAR_ieml_ru.crt: good
This Update: May 15 19:34:39 2019 GMT
Next Update: May 22 19:34:39 2019 GMT
However, then I test the server both manually and via ssllabs  server test  
ocsp stapling   still shows no
openssl s_client -connect debug.ieml.ru:8443  -tls1_2 -status
CONNECTED(0004)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN 
= COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
OCSP response: no response sent
---
Certificate chain
 0 s:OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.ieml.ru
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = 
COMODO RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = 
COMODO RSA Domain Validation Secure Server CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = 
COMODO RSA Certification Authority
 2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = 
COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust 
External CA Root
---
Server certificate
-BEGIN CERTIFICATE-
MIIFQzCCBCugAwIBAgIRAPB4y44vTlpni/uQZalhG1cwDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
Q0EwHhcNMTcwNjI5MDAwMDAwWhcNMTkwODI5MjM1OTU5WjBWMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxHTAbBgNVBAsTFFBvc2l0aXZlU1NMIFdp
bGRjYXJkMRIwEAYDVQQDDAkqLmllbWwucnUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDDPvJ/lpxUzUyI6xAI4vm+fJG76JPJ3PjVPWshE6DQ8FSOX1tz
x/77d7DHH3o73I1fZL26o8feq1tscHg5Hn/L4S+N3pPAqz3Q6Q98O3r6lzJtK5Yz
gfWCEx6tFNvuQ96G2rN6b+wwpbo42e+Ml9HejTH3F3tdgkZ9++jq2/xge/82tRfm
F7OdKpOl0HJhjyKb4ehck032lACLLzKaiVXwuvm0PFeNVMfGli6esVjvf6qUvXIe
dxfgJu5emAdFwAWSwJYQ61sUPt/o4G5SLFx4xaDaA0W5cK8Wtd2BGe12kDVstVft
hP7KKj/giXFQSIrC5JmIE4wr8c4yiHBcrwdjAgMBAAGjggHPMIIByzAfBgNVHSME

session caching on tomcat 7 with APR

[Усманов Азат Анварович]

Hello everyone! I have a webapp running on tomcat 7.0.92 with java 7 with 
APR/tomcat native 1.2.19 on RHEL 6

I've tested website(debug.ieml.ru) on which my webapp is running  on ssllabs  
server test and one thing I've noticed is the  orange warning line saying
Session resumption (caching)No (IDs empty)
which obviously means that session caching is not enabled

So the question is how to enable it when using Apr

tomcat connector documentation has sessionCacheSize attribute  but it is for 
JSSE only and not APR

Am I missing some other attribute which enables on APR connector

or does this mean that APR doesn't use SSL session caching?

Here is  my connector from server.xml

Tomcat 9 ocsp via proxy

[Усманов Азат Анварович]

Hi everyone! Is it possible to specify proxy server address for server-side 
ocsp checking on tomcat when using apr /tomcat native for tls connections ? 
Something  apache-like

SSLStaplingForceURL http://internal-proxy.example.org:port

or  something  nginx-like directive
ssl_stapling_file file;
so the stapled OCSP response will be taken from the specified file instead of 
querying the OCSP responder specified in the server certificate.

I tried using

SSLStaplingForceURL="http://internal-proxy.example.org:port;

on both connector and Certificate element with latest tomcat 9.0.12 which 
resulted in  " {Server/Service/Connector/SSLHostConfig/Certificate} Setting 
property 'SSLStaplingForceURL' to 'http://192.168.1.6:3131' did not find a 
matching property" in logs. So it looks like tomcat doesn't support this (yet)

Should I put an enhancement request for that?

Re: OCSP stapling in tomcat 7 with APR

[Усманов Азат Анварович]

Hi Chris!My main goal is for Tomcat to connect to Cómodo ,to get server side 
OCSP stapling working,I was only testing with OpenSSL OCSP command to make sure 
that Cómodo OCSP is reachable in the first place.

От: Christopher Schultz 
Отправлено: 23 октября 2018 г. 23:28:14
Кому: users@tomcat.apache.org
Тема: Re: OCSP stapling in tomcat 7 with APR

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Усманов,

On 10/23/18 13:04, Усманов Азат Анварович wrote:
> Hi everyone! I did manage to run ocsp check manually without a
> proxy (some network issue),still no success with tomcat ocsp or
> ssllabs  however.
>
> openssl ocsp  -no_nonce -header Host=ocsp.comodoca.com -issuer
> issuer.crt  -cert /home/idis/STAR_ieml_ru.crt -url
> http://ocsp.comodoca.com/ -CAfile issuer.crt Response verify OK
> /home/idis/STAR_ieml_ru.crt: good This Update: Oct 21 07:35:07 2018
> GMT Next Update: Oct 28 07:35:07 2018 GMT

I'm a little lost: are you trying to get your local responder working
for testing, or are you trying to get your server to connect to
Comodo's OCSP service?

It looks like the above worked correctly.

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlvPhF4ACgkQHPApP6U8
pFjmtQ//RciGyhtAFGuWlFxdCJy7OLzE1eZ0EfjE/9sRlI4UhtSqbG2eetrLGYDh
SOpBZ5HaWN6zIShGvy36TtViTtCqsldkFvg8WD51DtVz7Mv36bNm/uXXzn5mk7GQ
k7/AM22KWPewUWoyz8+XgVLnAbJw3zr3paBIBqqm5YXiNOONpK01UqGITs+kzrlr
n+dwpit4tAx3u1rYOOefQLoFqmSGx36hic4+SiQNHrqdzLCYkyoMjQ5sCTA/YEV8
22ev/86AjE9i3//+1k8yZDdtHo0dIbXhecvyyT6U3TCZVE5r8eBUMTc1U2oyGWYK
3exqAfUCg7TaGifV3haKCIGF0mwbt1zYRDwz0P2SMk4PvOTT5rnDwTAmaxJaT/Og
zeTM1lYgYGwNUFR67Iyfc5Yq9b5bjGjRWVymkS2cdH1q/IBPiIPtv8k7PqC72nEM
EvTvqWNTF5njhA/8wqFnOZEfmQtA3KJy+HXncH7SaJvq5DtIkivEsvleg5FZ4yR4
tZpU3bCcjq1ZfWvfd+XoEYMV+cq80I5Ypov0GFqa2wBiba8lhxa39KrMEC00Tvz7
/J9vtsCXO3baI2onTfEjRFIxDWkjip4VIJbvFWMAoNlnnJ4W5GoGXFax831Wczh/
0tVojP3fJ8FFD2rLSU99Y7Azp9r+NpM6KEDlmAoSJsB1snjZDDY=
=9Yca
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: OCSP stapling in tomcat 7 with APR

[Усманов Азат Анварович]

c 07 dc 9e 98 9d 55 64   ...OR.Ud
0020 - bd 43 11 8d 8a bb 80 ee-0f ea dd 94 fc 95 76 08   .Cv.
0030 - 25 7c 3e dc 7a 2b 0c be-04 4e 56 13 0c 4d ae ef   %|>.z+...NV..M..
0040 - 8a 97 3a 60 dd 08 5c 04-78 32 cb ca 46 7a cb 1c   ..:`..\.x2..Fz..
0050 - f9 69 bc 85 d1 ac bc 7e-93 93 dd b9 02 dc f5 5a   .i.~...Z
0060 - df 4a 70 0c 34 e0 37 cd-09 a7 e4 3e 77 ce 93 e2   .Jp.4.7>w...
0070 - 9b cf a4 40 01 9f e2 36-6f 76 d1 6a 80 0f 4a 78   ...@...6ov.j..Jx
0080 - a4 ee 93 80 aa 4c 21 af-61 19 5b 6a 49 52 3d e0   .L!.a.[jIR=.
0090 - c2 6f f1 4e 9c 4e 3d e4-91 2e e3 6a ea 52 ea a9   .o.N.N=j.R..
00a0 - 8e cc 33 f4 e7 aa 2a 04-93 26 a8 36 4e 01 b0 12   ..3...*..&.6N...
00b0 - ca d2 df 64 0b 98 2b 57-7f be 68 8a 0d 43 26 06   ...d..+W..h..C&.

Start Time: 1540313457
Timeout   : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: yes


Any idea how to identify which command tomcat sends to ocsp_responder ?



От: Усманов Азат Анварович 
Отправлено: 19 октября 2018 г. 15:29:54
Кому: Tomcat Users List
Тема: Re: OCSP stapling in tomcat 7 with APR

Hi !turns out to be a proxy issue  because once I modify the openssl ocp 
command  to include my proxy 192.168.1.6 and port  I get the correct response

openssl ocsp -no_nonce -header Host=ocsp.comodoca.com -issuer issuer.crt -cert 
/home/idis/STAR_ieml_ru.crt  -CAfile issuer.crt -host 192.168.1.6:3131 -path 
http://ocsp.comodoca.com/ -text

OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
  Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
  Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Produced At: Oct 14 07:35:10 2018 GMT
Responses:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
  Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
  Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
Cert Status: good
This Update: Oct 14 07:35:10 2018 GMT
Next Update: Oct 21 07:35:10 2018 GMT

Signature Algorithm: sha256WithRSAEncryption
 28:c0:93:7d:9b:4d:96:16:37:f4:1f:fc:ca:8c:32:b1:bb:22:
 be:d8:33:14:9b:e9:75:18:b2:a5:20:77:ef:f9:6c:48:1c:72:
 8f:db:87:4a:30:50:04:72:9d:75:0f:ce:09:82:b7:56:bf:aa:
 62:fe:50:b7:10:96:82:b6:53:0f:a0:c8:b1:49:bf:0e:88:19:
 bf:41:64:21:8f:8f:9a:f3:1a:e5:3b:36:d0:96:7e:01:89:c4:
 a2:c3:19:3c:fa:fa:e7:ad:df:4e:76:37:32:72:ba:95:23:4e:
 c6:09:c8:a6:a1:28:63:5f:e6:6a:62:55:e3:a2:a8:29:47:4b:
 70:a2:6b:e3:07:0a:a0:b2:28:79:61:24:f8:ab:9a:ff:bf:b6:
 ff:2b:ca:0e:f1:a8:cc:2a:ae:a5:4a:90:40:14:64:b1:ca:10:
 ca:44:a3:f9:00:af:d7:55:0b:5b:0e:0f:d9:8b:3a:c9:a2:41:
 4e:e5:23:23:9a:36:dc:28:c3:a8:4d:1c:08:c7:64:87:a5:0c:
 d7:08:57:a8:62:85:73:d5:f7:14:a2:c7:07:e9:57:e9:e1:1a:
 21:d0:d9:56:62:06:0f:05:bc:19:b7:c8:63:5a:a8:97:28:f3:
 1b:5b:30:3c:d6:31:ec:f5:cb:cd:f8:7e:61:cd:2b:ea:19:1c:
 17:8c:a4:9a
Response verify OK
/home/idis/STAR_ieml_ru.crt: good
This Update: Oct 14 07:35:10 2018 GMT
Next Update: Oct 21 07:35:10 2018 GMT


now the question is how to tell tomcat to use proxy when making ocsp requests
  I have  tried to put proxyName   and proxyPort to the Connector definition 
that didn't do anything to ocsp support (ssllabs still says no for ocsp  )
Any suggestions?






От: Mark Thomas 
Отправлено: 17 октября 2018 г. 18:43:39
Кому: Tomcat Users List
Тема: Re: OCSP stapling in tomcat 7 with APR

On 17/10/18 15:02, Усманов Азат Анварович wrote:
> Unfortunately, I still got the same issue with the slash
>  openssl ocsp -issuer /home/idis/authorities.crt  -cert 
> /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com/
> OCSP Request Data:
> Version: 1 (0x0)
> Requestor List:
> Certificate ID:
>   Hash Algorithm: sha1
>   Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
>   Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
>   Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
> Request Extensions:
> OCSP Nonce:
> 0410A42C073C3EA560D427D719BA3A8EC5FB
> Error querying OCSP responder
> 139868527687424:error:27076072:OCSP routines:parse_http_line1:server response 
> error:crypto/ocsp/ocsp_ht.c:260:Code=301

That is http so you could use Wireshark or similar to do a network trace
and see exactly what is going on there.

Mark


>
>
>
> _

Re: OCSP stapling in tomcat 7 with APR

[Усманов Азат Анварович]

Hi !turns out to be a proxy issue  because once I modify the openssl ocp 
command  to include my proxy 192.168.1.6 and port  I get the correct response

openssl ocsp -no_nonce -header Host=ocsp.comodoca.com -issuer issuer.crt -cert 
/home/idis/STAR_ieml_ru.crt  -CAfile issuer.crt -host 192.168.1.6:3131 -path 
http://ocsp.comodoca.com/ -text

OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
  Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
  Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Produced At: Oct 14 07:35:10 2018 GMT
Responses:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
  Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
  Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
Cert Status: good
This Update: Oct 14 07:35:10 2018 GMT
Next Update: Oct 21 07:35:10 2018 GMT

Signature Algorithm: sha256WithRSAEncryption
 28:c0:93:7d:9b:4d:96:16:37:f4:1f:fc:ca:8c:32:b1:bb:22:
 be:d8:33:14:9b:e9:75:18:b2:a5:20:77:ef:f9:6c:48:1c:72:
 8f:db:87:4a:30:50:04:72:9d:75:0f:ce:09:82:b7:56:bf:aa:
 62:fe:50:b7:10:96:82:b6:53:0f:a0:c8:b1:49:bf:0e:88:19:
 bf:41:64:21:8f:8f:9a:f3:1a:e5:3b:36:d0:96:7e:01:89:c4:
 a2:c3:19:3c:fa:fa:e7:ad:df:4e:76:37:32:72:ba:95:23:4e:
 c6:09:c8:a6:a1:28:63:5f:e6:6a:62:55:e3:a2:a8:29:47:4b:
 70:a2:6b:e3:07:0a:a0:b2:28:79:61:24:f8:ab:9a:ff:bf:b6:
 ff:2b:ca:0e:f1:a8:cc:2a:ae:a5:4a:90:40:14:64:b1:ca:10:
 ca:44:a3:f9:00:af:d7:55:0b:5b:0e:0f:d9:8b:3a:c9:a2:41:
 4e:e5:23:23:9a:36:dc:28:c3:a8:4d:1c:08:c7:64:87:a5:0c:
 d7:08:57:a8:62:85:73:d5:f7:14:a2:c7:07:e9:57:e9:e1:1a:
 21:d0:d9:56:62:06:0f:05:bc:19:b7:c8:63:5a:a8:97:28:f3:
 1b:5b:30:3c:d6:31:ec:f5:cb:cd:f8:7e:61:cd:2b:ea:19:1c:
 17:8c:a4:9a
Response verify OK
/home/idis/STAR_ieml_ru.crt: good
This Update: Oct 14 07:35:10 2018 GMT
Next Update: Oct 21 07:35:10 2018 GMT


now the question is how to tell tomcat to use proxy when making ocsp requests
  I have  tried to put proxyName   and proxyPort to the Connector definition 
that didn't do anything to ocsp support (ssllabs still says no for ocsp  )
Any suggestions?






От: Mark Thomas 
Отправлено: 17 октября 2018 г. 18:43:39
Кому: Tomcat Users List
Тема: Re: OCSP stapling in tomcat 7 with APR

On 17/10/18 15:02, Усманов Азат Анварович wrote:
> Unfortunately, I still got the same issue with the slash
>  openssl ocsp -issuer /home/idis/authorities.crt  -cert 
> /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com/
> OCSP Request Data:
> Version: 1 (0x0)
> Requestor List:
> Certificate ID:
>   Hash Algorithm: sha1
>   Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
>   Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
>   Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
> Request Extensions:
> OCSP Nonce:
> 0410A42C073C3EA560D427D719BA3A8EC5FB
> Error querying OCSP responder
> 139868527687424:error:27076072:OCSP routines:parse_http_line1:server response 
> error:crypto/ocsp/ocsp_ht.c:260:Code=301

That is http so you could use Wireshark or similar to do a network trace
and see exactly what is going on there.

Mark


>
>
>
> 
> От: Rainer Jung 
> Отправлено: 17 октября 2018 г. 16:41:27
> Кому: Tomcat Users List; Усманов Азат Анварович
> Тема: Re: OCSP stapling in tomcat 7 with APR
>
> Redirect when accessing http://ocsp.comodoca.com could simply be a
> trailing slash redirect (Location: http://ocsp.comodoca.com/). You
> better use http://ocsp.comodoca.com/ (note the slash at the end of the URL).
>
> Regards,
>
> Rainer
>
> Am 17.10.2018 um 15:09 schrieb Усманов Азат Анварович:
>> SSLLabs  test still shows "OCSP stapling no" even with the latest version 
>> openssl
>>
>> I've tried to test it manually and got an error
>>
>>
>>   openssl ocsp -issuer /home/idis/authorities.crt  -cert /home/idis/STAR 
>>  
>>
>> _ieml_ru.crt -text -url http://ocsp.comodoca.com
>> OCSP Request Data:
>>  Version: 1 (0x0)
>>  Requestor List:
>>  Certificate ID:
>>Hash Algorithm: sha1
>> 

Re: OCSP stapling in tomcat 7 with APR

[Усманов Азат Анварович]

Unfortunately, I still got the same issue with the slash
 openssl ocsp -issuer /home/idis/authorities.crt  -cert 
/home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com/
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
  Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
  Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
Request Extensions:
OCSP Nonce:
0410A42C073C3EA560D427D719BA3A8EC5FB
Error querying OCSP responder
139868527687424:error:27076072:OCSP routines:parse_http_line1:server response 
error:crypto/ocsp/ocsp_ht.c:260:Code=301




От: Rainer Jung 
Отправлено: 17 октября 2018 г. 16:41:27
Кому: Tomcat Users List; Усманов Азат Анварович
Тема: Re: OCSP stapling in tomcat 7 with APR

Redirect when accessing http://ocsp.comodoca.com could simply be a
trailing slash redirect (Location: http://ocsp.comodoca.com/). You
better use http://ocsp.comodoca.com/ (note the slash at the end of the URL).

Regards,

Rainer

Am 17.10.2018 um 15:09 schrieb Усманов Азат Анварович:
> SSLLabs  test still shows "OCSP stapling no" even with the latest version 
> openssl
>
> I've tried to test it manually and got an error
>
>
>   openssl ocsp -issuer /home/idis/authorities.crt  -cert /home/idis/STAR  
>   
>  
> _ieml_ru.crt -text -url http://ocsp.comodoca.com
> OCSP Request Data:
>  Version: 1 (0x0)
>  Requestor List:
>  Certificate ID:
>Hash Algorithm: sha1
>Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
>Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
>Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
>  Request Extensions:
>  OCSP Nonce:
>  041002914B015477EC5C503D4FD630D616F3
> Error querying OCSP responder
> 140179572442880:error:27076072:OCSP routines:parse_http_line1:server response 
> er
>   
>ror:crypto/ocsp/ocsp_ht.c:260:Code=301
>
> Not sure what might be the problem?
> 301 looks like a http error  Moved Permamently   which is strange  because
> i tried to access   http://ocsp.comodoca.com via wget
>
>   wget  http://ocsp.comodoca.com
> --2018-10-17 16:03:12--  http://ocsp.comodoca.com/
> Устанавливается соединение с 192.168.1.2:3128... соединение установлено.
> Запрос Proxy послан, ожидается ответ... 200 OK
> Длина: 5 [application/ocsp-response]
> Saving to: «index.html.7»
>
> 100%[===>]
>  5   --.-K/s   в 0s
>
> 2018-10-17 16:03:12 (488 KB/s) - «index.html.7» saved [5/5]
>
> [root] ~# less index.html.7
> 0^C
> ^A^A
> index.html.7 (END)
> any ideas what might be the problem?
>
>
> 
> От: Усманов Азат Анварович 
> Отправлено: 15 октября 2018 г. 18:20:14
> Кому: users@tomcat.apache.org
> Тема: Re: OCSP stapling in tomcat 7 with APR
>
> how do I make sure ocsp is enabled on tomcat native
>
> when I try to pass --enable-ocsp to tomcat native configure i get 
> unrecognized option warning
>
>
>./configure  --with-apr=/usr/local/apr 
> --with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl 
> --enable-ocsp
> configure: WARNING: unrecognized options: --enable-ocsp
> checking build system type... x86_64-pc-linux-gnu
> checking host system type... x86_64-pc-linux-gnu
> checking target system type... x86_64-pc-linux-gnu
> checking for a BSD-compatible install... /usr/bin/install -c
> checking for working mkdir -p... yes
> Tomcat Native Version: 1.2.17
> checking for chosen layout... tcnative
> checking for APR... yes
> configure: APR 1.6.5 detected.
>setting CC to "gcc"
>setting CPP to "gcc -E"
>setting LIBTOOL to "/usr/local/apr/build-1/libtool"
> checking JAVA_HOME... /usr/java/jdk1.7.0_79
>adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
> checking for JDK os include directory...  linux
>adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
> checking for gcc... gcc
> checking whether the C compiler works... yes
> checking for C compiler default output file name... a.out
&

Re: OCSP stapling in tomcat 7 with APR

[Усманов Азат Анварович]

SSLLabs  test still shows "OCSP stapling no" even with the latest version 
openssl

I've tried to test it manually and got an error


 openssl ocsp -issuer /home/idis/authorities.crt  -cert /home/idis/STAR 


_ieml_ru.crt -text -url http://ocsp.comodoca.com
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
  Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
  Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
Request Extensions:
OCSP Nonce:
041002914B015477EC5C503D4FD630D616F3
Error querying OCSP responder
140179572442880:error:27076072:OCSP routines:parse_http_line1:server response 
er  
   
ror:crypto/ocsp/ocsp_ht.c:260:Code=301

Not sure what might be the problem?
301 looks like a http error  Moved Permamently   which is strange  because
i tried to access   http://ocsp.comodoca.com via wget

 wget  http://ocsp.comodoca.com
--2018-10-17 16:03:12--  http://ocsp.comodoca.com/
Устанавливается соединение с 192.168.1.2:3128... соединение установлено.
Запрос Proxy послан, ожидается ответ... 200 OK
Длина: 5 [application/ocsp-response]
Saving to: «index.html.7»

100%[===>]
 5   --.-K/s   в 0s

2018-10-17 16:03:12 (488 KB/s) - «index.html.7» saved [5/5]

[root] ~# less index.html.7
0^C
^A^A
index.html.7 (END)
any ideas what might be the problem?


____
От: Усманов Азат Анварович 
Отправлено: 15 октября 2018 г. 18:20:14
Кому: users@tomcat.apache.org
Тема: Re: OCSP stapling in tomcat 7 with APR

how do I make sure ocsp is enabled on tomcat native

when I try to pass --enable-ocsp to tomcat native configure i get unrecognized 
option warning


  ./configure  --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79 
-with-ssl=/usr/local/openssl --enable-ocsp
configure: WARNING: unrecognized options: --enable-ocsp
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking target system type... x86_64-pc-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking for working mkdir -p... yes
Tomcat Native Version: 1.2.17
checking for chosen layout... tcnative
checking for APR... yes
configure: APR 1.6.5 detected.
  setting CC to "gcc"
  setting CPP to "gcc -E"
  setting LIBTOOL to "/usr/local/apr/build-1/libtool"
checking JAVA_HOME... /usr/java/jdk1.7.0_79
  adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
checking for JDK os include directory...  linux
  adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for OpenSSL library... using openssl from 
/usr/local/openssl/${exec_prefix}/lib and /usr/local/openssl/include
checking OpenSSL library version >= 1.0.2... ok
checking for OpenSSL DSA support... yes
  adding "-I/usr/local/openssl/include" to TCNATIVE_PRIV_INCLUDES
  setting TCNATIVE_LDFLAGS to "-L/usr/local/openssl/lib 
-Wl,-rpath,/usr/local/openssl/lib -lssl -lcrypto"
  adding "-DHAVE_OPENSSL" to CFLAGS
  setting TCNATIVE_LIBS to ""
  setting TCNATIVE_LIBS to " /usr/local/apr/lib/libapr-1.la -lrt -lcrypt  
-lpthread"
checking for apr_pollset_wakeup in -lapr-1... yes
  adding "-DHAVE_POLLSET_WAKEUP" to CFLAGS
configure: creating ./config.status
config.status: creating tcnative.pc
config.status: creating Makefile
config.status: executing default commands
configure: WARNING: unrecognized options: --enable-ocsp




От: Mark Thomas 
Отправлено: 15 октября 2018 г. 15:01:58
Кому: users@tomcat.apache.org
Тема: Re: OCSP stapling in tomcat 7 with APR

On 14/10/18 18:45, Усманов Азат Анварович wrote:
> Hello everyone! I have  an java 7 web app running on tomcat 7 with 
> APR/tomcat-native ON Linux .(OpenSSL 1.1.1) I would like to enable OCSP 
> stapling on tomcat
> so that
> When OCSP is enabled, a server will pre-fetch the OCSP res

Re: OCSP stapling in tomcat 7 with APR

[Усманов Азат Анварович]

how do I make sure ocsp is enabled on tomcat native

when I try to pass --enable-ocsp to tomcat native configure i get unrecognized 
option warning


  ./configure  --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79 
-with-ssl=/usr/local/openssl --enable-ocsp
configure: WARNING: unrecognized options: --enable-ocsp
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking target system type... x86_64-pc-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking for working mkdir -p... yes
Tomcat Native Version: 1.2.17
checking for chosen layout... tcnative
checking for APR... yes
configure: APR 1.6.5 detected.
  setting CC to "gcc"
  setting CPP to "gcc -E"
  setting LIBTOOL to "/usr/local/apr/build-1/libtool"
checking JAVA_HOME... /usr/java/jdk1.7.0_79
  adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
checking for JDK os include directory...  linux
  adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for OpenSSL library... using openssl from 
/usr/local/openssl/${exec_prefix}/lib and /usr/local/openssl/include
checking OpenSSL library version >= 1.0.2... ok
checking for OpenSSL DSA support... yes
  adding "-I/usr/local/openssl/include" to TCNATIVE_PRIV_INCLUDES
  setting TCNATIVE_LDFLAGS to "-L/usr/local/openssl/lib 
-Wl,-rpath,/usr/local/openssl/lib -lssl -lcrypto"
  adding "-DHAVE_OPENSSL" to CFLAGS
  setting TCNATIVE_LIBS to ""
  setting TCNATIVE_LIBS to " /usr/local/apr/lib/libapr-1.la -lrt -lcrypt  
-lpthread"
checking for apr_pollset_wakeup in -lapr-1... yes
  adding "-DHAVE_POLLSET_WAKEUP" to CFLAGS
configure: creating ./config.status
config.status: creating tcnative.pc
config.status: creating Makefile
config.status: executing default commands
configure: WARNING: unrecognized options: --enable-ocsp




От: Mark Thomas 
Отправлено: 15 октября 2018 г. 15:01:58
Кому: users@tomcat.apache.org
Тема: Re: OCSP stapling in tomcat 7 with APR

On 14/10/18 18:45, Усманов Азат Анварович wrote:
> Hello everyone! I have  an java 7 web app running on tomcat 7 with 
> APR/tomcat-native ON Linux .(OpenSSL 1.1.1) I would like to enable OCSP 
> stapling on tomcat
> so that
> When OCSP is enabled, a server will pre-fetch the OCSP response for its own 
> certificate and deliver the response to the user's browser during the TLS 
> handshake. This eliminates the need to make a separate connection to the CA's 
> revocation service before the Web page is displayed, improving the page's 
> performance and reliability.
> I did search the mailing list and found this question
> https://www.mail-archive.com/users@tomcat.apache.org/msg129303.html
> but that user  is using  JSSE implementation for TLS not APR
>  documentation for tomcat7 does have an example
>
> Connector port="8443"
>protocol="org.apache.coyote.http11.Http11AprProtocol"
>secure="true" scheme="https"
>SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
>SSLCertificateKeyFile="/path/to/ocsp-cert.key"
>SSLCACertificateFile="/path/to/ca.pem"
>SSLVerifyClient="require"
>SSLVerifyDepth="10"
>clientAuth="true"/>
>
>
> but that is for client-cert verification, Can we do it on server side? or do 
> I miss something on how ocsp is supposed to work in the first place?

If you build an OCSP enabled version of the APR/native connector, OCSP
stapling should just happen without any additional configuration.
Assuming you use an appropriate certificate etc.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

OCSP stapling in tomcat 7 with APR

[Усманов Азат Анварович]

Hello everyone! I have  an java 7 web app running on tomcat 7 with 
APR/tomcat-native ON Linux .(OpenSSL 1.1.1) I would like to enable OCSP 
stapling on tomcat
so that
When OCSP is enabled, a server will pre-fetch the OCSP response for its own 
certificate and deliver the response to the user's browser during the TLS 
handshake. This eliminates the need to make a separate connection to the CA's 
revocation service before the Web page is displayed, improving the page's 
performance and reliability.
I did search the mailing list and found this question
https://www.mail-archive.com/users@tomcat.apache.org/msg129303.html
but that user  is using  JSSE implementation for TLS not APR
 documentation for tomcat7 does have an example

Connector port="8443"
   protocol="org.apache.coyote.http11.Http11AprProtocol"
   secure="true" scheme="https"
   SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
   SSLCertificateKeyFile="/path/to/ocsp-cert.key"
   SSLCACertificateFile="/path/to/ca.pem"
   SSLVerifyClient="require"
   SSLVerifyDepth="10"
   clientAuth="true"/>


but that is for client-cert verification, Can we do it on server side? or do I 
miss something on how ocsp is supposed to work in the first place?

Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

[Усманов Азат Анварович]

Thanks Cristopher, I already did. All that´s left is to get the latest patch 
backported to tomcat 7


От: Christopher Schultz 
Отправлено: 10 октября 2018 г. 17:47:47
Кому: users@tomcat.apache.org
Тема: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Усманов,

On 10/6/18 17:27, Усманов Азат Анварович wrote:
> I've been searching the web for any idea why Chrome can do throw
> empty response error with tls1.3 and found this bug
> https://bugzilla.redhat.com/show_bug.cgi?id=1619389 at fedora , it
> looks like the same sort of a problem,Interestingly enough it does
> have a fix. My knowledge of C  is quite  limited, so could anyone
> please  look at the patch provided by these guys and see if it  is
> of any use in case of tomcat-native ?
Have a look at the recent bug comments, especially Rainer's comment
about Chrome/ff versions.

- -chris

> ________ От: Усманов Азат Анварович
>  Отправлено: 25 сентября 2018 г. 11:39 Кому:
> Tomcat Users List Тема: Re: TLS1.3 support for tomcat 7 with
> APR/tomcat-native
>
> Do I need to file a separate feature request for Tomcat itself? The
> one I already
> filed(https://bz.apache.org/bugzilla/show_bug.cgi?id=62748) is for
> tomcat-native component. I looked through Tomcat changelog, I've
> found that previously TLS1.2 support was added  via enhancement
> request to tomcat native .
> (https://bz.apache.org/bugzilla/show_bug.cgi?id=53952)
>  От: Усманов Азат Анварович
>  Отправлено: 20 сентября 2018 г. 12:05:07 Кому:
> users@tomcat.apache.org Тема: Re: TLS1.3 support for tomcat 7 with
> APR/tomcat-native
>
> I did file  a feature -enhancement  in bugzilla
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
>
>  От: Christopher Schultz
>  Отправлено: 19 сентября 2018 г.
> 23:31:28 Кому: users@tomcat.apache.org Тема: Re: TLS1.3 support for
> tomcat 7 with APR/tomcat-native
>
> Усманов,
>
> On 9/19/18 05:56, Усманов Азат Анварович wrote:
>> Hi Christopher! I did remove supportedProtocols attribute
>> entirely (SSL Labs server test confirms it ).
> You mean that SSL Labs then tells you that other protocols are
> available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if TLSv1.3
> is available, so testing with e.g. Chrome shouldn't be necessary.
>
>> > maxPostSize="10485760 "  maxHttpHeaderSize="1048576"
>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>> connectionTimeout="2" redirectPort="8443"
>> SSLHonorCipherOrder="true"
>> SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
>> SSLCertificateKeyFile="/home/idis/server.key"
>> SSLCertificateChainFile="/home/idis/authorities.crt"
>
>> maxThreads="350"  minSpareThreads="25" SSLEnabled="true"
>> enableLookups="false" disableUploadTimeout="true"
>> acceptCount="100" scheme="https" secure="true"
>> compression="force"
>> SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,T
L
>
>>
S_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GC
> M-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECD
HE
>
>
- -RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,
>> ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES25
6
>
>>
- -SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,
>
>
> ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
>
>> I did put
>> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_S
H
>
>>
A256
>> as tls 1.3 ciphers for tls 1.3 ,  so my guess is that  more work
>> is required for tls.1.3  to work in my case
>
> Yes, you will definitely have to mention the TLSv1.3 ciphers in
> order to allow a TLSv1.3 handshake to succeed.
>
> But yes, it does indeed look like Tomcat requires some work.
>
> Can you please file an enhancement request in Bugzilla?
>
> Thanks, -chris
>
>>  От: Christopher Schultz
>>  Отправлено: 18 сентября 2018 г.
>> 23:27 Кому: users@tomcat.apache.org Тема: Re: TLS1.3 support for
>> tomcat 7 with APR/tomcat-native
>
>> Усманов,
>
>> On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
>>> I have a java7 web application that runs on tomcat 7.0.70 I'm
>>> using Apr/tomcat-native w OpenSSL for TLS connections
>>> .(Tomcat-native 1.2.17  APR 1.6,OpenSSL 1.1.1 RHEL 6  ) Latest
>>> stable OpenSSL release (1.1.1) has TLS 1.3 

Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

[Усманов Азат Анварович]

I've been searching the web for any idea why Chrome can do throw empty response 
error with tls1.3 and found this bug 
https://bugzilla.redhat.com/show_bug.cgi?id=1619389 at fedora , it looks like 
the same sort of a problem,Interestingly enough it does have a fix. My 
knowledge of C  is quite  limited, so could anyone please  look at the patch 
provided by these guys and see if it  is  of any use in case of tomcat-native ?



От: Усманов Азат Анварович 
Отправлено: 25 сентября 2018 г. 11:39
Кому: Tomcat Users List
Тема: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

Do I need to file a separate feature request for Tomcat itself?
 The one I already filed(https://bz.apache.org/bugzilla/show_bug.cgi?id=62748) 
is for tomcat-native component. I looked through Tomcat changelog, I've found 
that previously TLS1.2 support was added  via enhancement request to tomcat 
native . (https://bz.apache.org/bugzilla/show_bug.cgi?id=53952)

От: Усманов Азат Анварович 
Отправлено: 20 сентября 2018 г. 12:05:07
Кому: users@tomcat.apache.org
Тема: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

I did file  a feature -enhancement  in bugzilla

https://bz.apache.org/bugzilla/show_bug.cgi?id=62748


От: Christopher Schultz 
Отправлено: 19 сентября 2018 г. 23:31:28
Кому: users@tomcat.apache.org
Тема: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Усманов,

On 9/19/18 05:56, Усманов Азат Анварович wrote:
> Hi Christopher! I did remove supportedProtocols attribute entirely
> (SSL Labs server test confirms it ).
You mean that SSL Labs then tells you that other protocols are
available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if TLSv1.3 is
available, so testing with e.g. Chrome shouldn't be necessary.

>  maxPostSize="10485760 "  maxHttpHeaderSize="1048576"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> connectionTimeout="2" redirectPort="8443"
> SSLHonorCipherOrder="true"
> SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
> SSLCertificateKeyFile="/home/idis/server.key"
> SSLCertificateChainFile="/home/idis/authorities.crt"
>
> maxThreads="350"  minSpareThreads="25" SSLEnabled="true"
> enableLookups="false" disableUploadTimeout="true" acceptCount="100"
> scheme="https" secure="true" compression="force"
> SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TL
S_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GC
M-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE
- -RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,
> ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256
- -SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,
>
>
ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
>
> I did put
> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SH
A256
> as tls 1.3 ciphers for tls 1.3 ,  so my guess is that  more work
> is required for tls.1.3  to work in my case

Yes, you will definitely have to mention the TLSv1.3 ciphers in order
to allow a TLSv1.3 handshake to succeed.

But yes, it does indeed look like Tomcat requires some work.

Can you please file an enhancement request in Bugzilla?

Thanks,
- -chris

>  От: Christopher Schultz
>  Отправлено: 18 сентября 2018 г.
> 23:27 Кому: users@tomcat.apache.org Тема: Re: TLS1.3 support for
> tomcat 7 with APR/tomcat-native
>
> Усманов,
>
> On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
>> I have a java7 web application that runs on tomcat 7.0.70 I'm
>> using Apr/tomcat-native w OpenSSL for TLS connections
>> .(Tomcat-native 1.2.17  APR 1.6,OpenSSL 1.1.1 RHEL 6  ) Latest
>> stable OpenSSL release (1.1.1) has TLS 1.3 support ,I have
>> upgraded to it  successfully. My question is  if and when
>> tomcat 7 will be upgraded to support TLS1.3  through w
>> APR/tomcat-native/OpenSSL? do such plans even exist?
>
> Try not specifying any "supported protocol" (e.g. allow all
> protocol flavors), and OpenSSL should allow TLSv1.3 to be
> negotiated.
>
>> I'm guessing it will not happen at least untill both Chrome and
>> firefox release theirbrowser updates for RFC8446 support
>> (which are  both scheduled for Mid october Crome 70 and firefox
>> 63) but would like to know more about it
>
> I for one would like to see TLSv1.3 supported as quickly as
> possible.
>
> The OpenSSL project states that 1.1.1 is a drop-in API- and
> ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should
> 

Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

[Усманов Азат Анварович]

Do I need to file a separate feature request for Tomcat itself?
 The one I already filed(https://bz.apache.org/bugzilla/show_bug.cgi?id=62748) 
is for tomcat-native component. I looked through Tomcat changelog, I've found 
that previously TLS1.2 support was added  via enhancement request to tomcat 
native . (https://bz.apache.org/bugzilla/show_bug.cgi?id=53952)

От: Усманов Азат Анварович 
Отправлено: 20 сентября 2018 г. 12:05:07
Кому: users@tomcat.apache.org
Тема: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

I did file  a feature -enhancement  in bugzilla

https://bz.apache.org/bugzilla/show_bug.cgi?id=62748


От: Christopher Schultz 
Отправлено: 19 сентября 2018 г. 23:31:28
Кому: users@tomcat.apache.org
Тема: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Усманов,

On 9/19/18 05:56, Усманов Азат Анварович wrote:
> Hi Christopher! I did remove supportedProtocols attribute entirely
> (SSL Labs server test confirms it ).
You mean that SSL Labs then tells you that other protocols are
available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if TLSv1.3 is
available, so testing with e.g. Chrome shouldn't be necessary.

>  maxPostSize="10485760 "  maxHttpHeaderSize="1048576"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> connectionTimeout="2" redirectPort="8443"
> SSLHonorCipherOrder="true"
> SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
> SSLCertificateKeyFile="/home/idis/server.key"
> SSLCertificateChainFile="/home/idis/authorities.crt"
>
> maxThreads="350"  minSpareThreads="25" SSLEnabled="true"
> enableLookups="false" disableUploadTimeout="true" acceptCount="100"
> scheme="https" secure="true" compression="force"
> SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TL
S_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GC
M-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE
- -RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,
> ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256
- -SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,
>
>
ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
>
> I did put
> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SH
A256
> as tls 1.3 ciphers for tls 1.3 ,  so my guess is that  more work
> is required for tls.1.3  to work in my case

Yes, you will definitely have to mention the TLSv1.3 ciphers in order
to allow a TLSv1.3 handshake to succeed.

But yes, it does indeed look like Tomcat requires some work.

Can you please file an enhancement request in Bugzilla?

Thanks,
- -chris

>  От: Christopher Schultz
>  Отправлено: 18 сентября 2018 г.
> 23:27 Кому: users@tomcat.apache.org Тема: Re: TLS1.3 support for
> tomcat 7 with APR/tomcat-native
>
> Усманов,
>
> On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
>> I have a java7 web application that runs on tomcat 7.0.70 I'm
>> using Apr/tomcat-native w OpenSSL for TLS connections
>> .(Tomcat-native 1.2.17  APR 1.6,OpenSSL 1.1.1 RHEL 6  ) Latest
>> stable OpenSSL release (1.1.1) has TLS 1.3 support ,I have
>> upgraded to it  successfully. My question is  if and when
>> tomcat 7 will be upgraded to support TLS1.3  through w
>> APR/tomcat-native/OpenSSL? do such plans even exist?
>
> Try not specifying any "supported protocol" (e.g. allow all
> protocol flavors), and OpenSSL should allow TLSv1.3 to be
> negotiated.
>
>> I'm guessing it will not happen at least untill both Chrome and
>> firefox release theirbrowser updates for RFC8446 support
>> (which are  both scheduled for Mid october Crome 70 and firefox
>> 63) but would like to know more about it
>
> I for one would like to see TLSv1.3 supported as quickly as
> possible.
>
> The OpenSSL project states that 1.1.1 is a drop-in API- and
> ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should
> "just work" under certain conditions.
>
> Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3)
> by default which might make things tricky when trying to accept
> "all protocols" as described above.
>
> Please let me know if you have any success with an out-of-the-box
> Tomcat 7.0.70 and APR/tcnative. I'll see what if anything is in
> Tomcat that might *prevent* TLSv1.3 from being available.
>
> -chris
>
> -
>
>
To unsubscribe, e-mail: use

Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

[Усманов Азат Анварович]

I did file  a feature -enhancement  in bugzilla

https://bz.apache.org/bugzilla/show_bug.cgi?id=62748


От: Christopher Schultz 
Отправлено: 19 сентября 2018 г. 23:31:28
Кому: users@tomcat.apache.org
Тема: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Усманов,

On 9/19/18 05:56, Усманов Азат Анварович wrote:
> Hi Christopher! I did remove supportedProtocols attribute entirely
> (SSL Labs server test confirms it ).
You mean that SSL Labs then tells you that other protocols are
available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if TLSv1.3 is
available, so testing with e.g. Chrome shouldn't be necessary.

>  maxPostSize="10485760 "  maxHttpHeaderSize="1048576"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> connectionTimeout="2" redirectPort="8443"
> SSLHonorCipherOrder="true"
> SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
> SSLCertificateKeyFile="/home/idis/server.key"
> SSLCertificateChainFile="/home/idis/authorities.crt"
>
> maxThreads="350"  minSpareThreads="25" SSLEnabled="true"
> enableLookups="false" disableUploadTimeout="true" acceptCount="100"
> scheme="https" secure="true" compression="force"
> SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TL
S_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GC
M-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE
- -RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,
> ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256
- -SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,
>
>
ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
>
> I did put
> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SH
A256
> as tls 1.3 ciphers for tls 1.3 ,  so my guess is that  more work
> is required for tls.1.3  to work in my case

Yes, you will definitely have to mention the TLSv1.3 ciphers in order
to allow a TLSv1.3 handshake to succeed.

But yes, it does indeed look like Tomcat requires some work.

Can you please file an enhancement request in Bugzilla?

Thanks,
- -chris

>  От: Christopher Schultz
>  Отправлено: 18 сентября 2018 г.
> 23:27 Кому: users@tomcat.apache.org Тема: Re: TLS1.3 support for
> tomcat 7 with APR/tomcat-native
>
> Усманов,
>
> On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
>> I have a java7 web application that runs on tomcat 7.0.70 I'm
>> using Apr/tomcat-native w OpenSSL for TLS connections
>> .(Tomcat-native 1.2.17  APR 1.6,OpenSSL 1.1.1 RHEL 6  ) Latest
>> stable OpenSSL release (1.1.1) has TLS 1.3 support ,I have
>> upgraded to it  successfully. My question is  if and when
>> tomcat 7 will be upgraded to support TLS1.3  through w
>> APR/tomcat-native/OpenSSL? do such plans even exist?
>
> Try not specifying any "supported protocol" (e.g. allow all
> protocol flavors), and OpenSSL should allow TLSv1.3 to be
> negotiated.
>
>> I'm guessing it will not happen at least untill both Chrome and
>> firefox release theirbrowser updates for RFC8446 support
>> (which are  both scheduled for Mid october Crome 70 and firefox
>> 63) but would like to know more about it
>
> I for one would like to see TLSv1.3 supported as quickly as
> possible.
>
> The OpenSSL project states that 1.1.1 is a drop-in API- and
> ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should
> "just work" under certain conditions.
>
> Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3)
> by default which might make things tricky when trying to accept
> "all protocols" as described above.
>
> Please let me know if you have any success with an out-of-the-box
> Tomcat 7.0.70 and APR/tcnative. I'll see what if anything is in
> Tomcat that might *prevent* TLSv1.3 from being available.
>
> -chris
>
> -
>
>
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluisiAACgkQHPApP6U8
pFiH3Q/+KWvdZpWPpR9SkJp9NCQFQHhxJjrgW++fXrdKb0ySj5eV8NvmSjb253GZ
BHwSlzLlG0QDAxHuL7Xux6EuO/W3OzibhS0V6touLZ0bSmO1uJ/cP/VIVDZTXw6P
z7Vs/hDYIlucCHf1ZJnYMPfSuk+t8YGToK8qYwFXnrZyHfDx4Wq+wqHLMltu+n/v
dX12V2OCw7XWrKeYjHvRxCffwoNkqkrJrUxekpEeTd39s5Vj6/Z/jveeRY3Yz2Zj
GGe+E

Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

[Усманов Азат Анварович]

Hi Chris!Yes,ssllabs test does show TLS 1.0,and TLS 1.1 enabled when I ommit 
supported protocols attribute.Current version of ssllabs server test uses draft 
28 version for TLS 1.3 testing, that is why I used the Chrome  beta test. What 
steps do I need to take to file a enhancement request in Bugzilla? I'm a newbie 
to the tomcat users list

От: Christopher Schultz 
Отправлено: 19 сентября 2018 г. 23:31:28
Кому: users@tomcat.apache.org
Тема: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Усманов,

On 9/19/18 05:56, Усманов Азат Анварович wrote:
> Hi Christopher! I did remove supportedProtocols attribute entirely
> (SSL Labs server test confirms it ).
You mean that SSL Labs then tells you that other protocols are
available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if TLSv1.3 is
available, so testing with e.g. Chrome shouldn't be necessary.

>  maxPostSize="10485760 "  maxHttpHeaderSize="1048576"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> connectionTimeout="2" redirectPort="8443"
> SSLHonorCipherOrder="true"
> SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
> SSLCertificateKeyFile="/home/idis/server.key"
> SSLCertificateChainFile="/home/idis/authorities.crt"
>
> maxThreads="350"  minSpareThreads="25" SSLEnabled="true"
> enableLookups="false" disableUploadTimeout="true" acceptCount="100"
> scheme="https" secure="true" compression="force"
> SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TL
S_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GC
M-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE
- -RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,
> ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256
- -SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,
>
>
ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
>
> I did put
> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SH
A256
> as tls 1.3 ciphers for tls 1.3 ,  so my guess is that  more work
> is required for tls.1.3  to work in my case

Yes, you will definitely have to mention the TLSv1.3 ciphers in order
to allow a TLSv1.3 handshake to succeed.

But yes, it does indeed look like Tomcat requires some work.

Can you please file an enhancement request in Bugzilla?

Thanks,
- -chris

>  От: Christopher Schultz
>  Отправлено: 18 сентября 2018 г.
> 23:27 Кому: users@tomcat.apache.org Тема: Re: TLS1.3 support for
> tomcat 7 with APR/tomcat-native
>
> Усманов,
>
> On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
>> I have a java7 web application that runs on tomcat 7.0.70 I'm
>> using Apr/tomcat-native w OpenSSL for TLS connections
>> .(Tomcat-native 1.2.17  APR 1.6,OpenSSL 1.1.1 RHEL 6  ) Latest
>> stable OpenSSL release (1.1.1) has TLS 1.3 support ,I have
>> upgraded to it  successfully. My question is  if and when
>> tomcat 7 will be upgraded to support TLS1.3  through w
>> APR/tomcat-native/OpenSSL? do such plans even exist?
>
> Try not specifying any "supported protocol" (e.g. allow all
> protocol flavors), and OpenSSL should allow TLSv1.3 to be
> negotiated.
>
>> I'm guessing it will not happen at least untill both Chrome and
>> firefox release theirbrowser updates for RFC8446 support
>> (which are  both scheduled for Mid october Crome 70 and firefox
>> 63) but would like to know more about it
>
> I for one would like to see TLSv1.3 supported as quickly as
> possible.
>
> The OpenSSL project states that 1.1.1 is a drop-in API- and
> ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should
> "just work" under certain conditions.
>
> Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3)
> by default which might make things tricky when trying to accept
> "all protocols" as described above.
>
> Please let me know if you have any success with an out-of-the-box
> Tomcat 7.0.70 and APR/tcnative. I'll see what if anything is in
> Tomcat that might *prevent* TLSv1.3 from being available.
>
> -chris
>
> -
>
>
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluisiAACgkQHPApP6U8
pFiH3Q/+KWvdZpWPpR9SkJp9NCQFQHhxJjrgW++fXrdKb0ySj5eV8

Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

[Усманов Азат Анварович]

Hi Christopher! I did remove supportedProtocols attribute entirely (SSL Labs 
server test confirms it ).I also did install chrome 70 beta and did enable TLS 
1.3 final version in it ,but the security tab in chrome still shows tls 1.2 as 
my protocol and no tls 1.3. Here is my connectorf form the server.xml



  I did put 
TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256 as 
tls 1.3 ciphers for tls 1.3 ,  so my guess is that  more work   is required for 
tls.1.3  to work in my case


От: Christopher Schultz 
Отправлено: 18 сентября 2018 г. 23:27
Кому: users@tomcat.apache.org
Тема: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Усманов,

On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
> I have a java7 web application that runs on tomcat 7.0.70 I'm
> using Apr/tomcat-native w OpenSSL for TLS connections
> .(Tomcat-native 1.2.17  APR 1.6,OpenSSL 1.1.1 RHEL 6  ) Latest
> stable OpenSSL release (1.1.1) has TLS 1.3 support ,I have upgraded
> to it  successfully. My question is  if and whentomcat 7 will
> be upgraded to support TLS1.3  through w APR/tomcat-native/OpenSSL?
> do such plans even exist?

Try not specifying any "supported protocol" (e.g. allow all protocol
flavors), and OpenSSL should allow TLSv1.3 to be negotiated.

> I'm guessing it will not happen at least untill both Chrome and
> firefox release theirbrowser updates for RFC8446 support
> (which are  both scheduled for Mid october Crome 70 and firefox 63)
> but would like to know more about it

I for one would like to see TLSv1.3 supported as quickly as possible.

The OpenSSL project states that 1.1.1 is a drop-in API- and
ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should
"just work" under certain conditions.

Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3) by
default which might make things tricky when trying to accept "all
protocols" as described above.

Please let me know if you have any success with an out-of-the-box
Tomcat 7.0.70 and APR/tcnative. I'll see what if anything is in Tomcat
that might *prevent* TLSv1.3 from being available.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
GPG Suite<http://gpgtools.org/>
gpgtools.org
Everything you need to get started with secure communication and encrypting 
files in one simple package leveraging the power of OpenPGP/GPG



Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluhX64ACgkQHPApP6U8
pFigRA//Un2OHvcVetuFicBs2Hncv7L7SkQyyldKUEZ1OK5l0GkNGxnZpWGrzSKv
64szQ8xjz1C1rgDSxsJF2VtELu9ZQ3zrLQ2kjBhfUG3sfRQ/Y7/dnFv3ia95XgUG
Pc1/G0Pb86FoKPJbB5TbsmZ0U/ABZ1nlsMOHJZJ9No+Si/UiNDeBsxObQr9z2PvC
AyYMq2Pavyl6FYr9pTSBaGlPyoL9pbr5tc5JiGOos7LG23mgnYYlXZqklsMsZ1gq
QG7h0Y7Z8CNybCq8EzWBz/WqIpUPdGZnvJpl0Q7K3Um8BYB05Ce78kXoYi5WYd1z
YruvC7DSMUzzI+uvj3fEQF/RLe5iUgxfBCys1XCrZ0EWj5JpQO7UySqera4mnFUq
vTz1H3UNkAnneVeOnZ+zpSbDx1sB24gI8fTbuHxg0760zH4dABGcxas+xhs7MpHl
5k5jrxkTsKuiypYPOg4cUXkERUh8FkVp+/MtsIWCnk+1UGo1dxbGeRejwL6ba8pD
Jbfoib7e3CcA2lAWDr3tx7TM8usWtx+IKByMHbdktX6Z++9pbSyVKY54I2dki6i3
Dc69nGGBbWWTQILKijxaZlru/wnN0nnIJQB5PmjxqMm6AkEHL8qlEGflnIA+xGNU
+2NX3i9oFNCk3ifGhgqWUIb8/a62y8xB1UGaMPkbj51YpijEIuo=
=uNao
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

TLS1.3 support for tomcat 7 with APR/tomcat-native

[Усманов Азат Анварович]

Hi everyone!

I have a java7 web application that runs on tomcat 7.0.70 I'm using 
Apr/tomcat-native w OpenSSL for TLS connections .(Tomcat-native 1.2.17  APR 
1.6,OpenSSL 1.1.1 RHEL 6  ) Latest stable OpenSSL release (1.1.1) has TLS 1.3 
support ,I have upgraded to it  successfully. My question is  if and when
tomcat 7 will be upgraded to support TLS1.3  through w 
APR/tomcat-native/OpenSSL? do such plans even exist?

I'm guessing it will not happen at least untill both Chrome and firefox release 
theirbrowser updates for RFC8446 support (which are  both scheduled for Mid 
october Crome 70 and firefox 63) but would like to know more about it