Tim,

I'm all ready for a back-port of the EncryptInterceptor to Tomcat 8.5
but I'd like to make sure things are working for you before I do it.

Thanks,
-chris

On 11/21/18 09:48, Christopher Schultz wrote:
> Tim,
>
> On 11/20/18 13:36, Tim K wrote:
>> On Tue, Nov 20, 2018, 12:19 PM Christopher Schultz
>> <ch...@christopherschultz.net> wrote:
>>
>> Tim,
>>
>> On 11/20/18 11:42, Tim K wrote:
>>>>>> Ignore the secure port. The code behind that setting was
>>>>>> never implemented. We really should remove it.
>>>>>>
>>>>>> You want:
>>>>>>
>>>>>> http://tomcat.apache.org/tomcat-9.0-doc/config/cluster-interceptor.html#org.apache.catalina.tribes.group.interceptors.EncryptInterceptor_Attributes
>>>>>>
>>>>>> Mark
>>>>>
>>>>> I'm having some trouble getting it working. Can you
>>>>> provide an example of the new EncryptInterceptor with an
>>>>> algorithm and key?
>>
>> Each node in the cluster needs an interceptor configured, like
>> this:
>>
>>   <Interceptor
>>     className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
>>     encryptionKey="[the key]" />
>>
>> All nodes need the same key. The default algorithm
>> (AES/CBC/PKCS12Padding) is sufficient.
>>
>> To generate a key, just get some random garbage and convert it
>> into hex, like this:
>>
>>   $ dd if=/dev/urandom bs=128 count=1 2>/dev/null | md5
>>
>> That'll give you a 128-bit key you can use for encryption. You
>> can also use a 256-bit key if you'd like, or a 192-bit key. For
>> keys larger than 128 bits (32 bytes), you'll need to use a
>> different signature algorithm such as sha1 or later.
>>
>> I just chose MD5 because it generates the right number of output
>> characters for a 128-bit key. You can get your random key from
>> anywhere, including pounding on the keyboard. Remember that the
>> key must be in hex-encoded binary (so only characters 0-9 and
>> a-f).
>>
>> -chris
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>> I tried this between 2 nodes but it fails with this error on
>> each:
>>
>>   dd if=/dev/urandom bs=128 count=1 2>/dev/null | md5sum
>>   e0f2cdf931e99fdce0453964294f97f3 -
>>
>>   <Interceptor
>>     className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
>>     encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />
>>
>>   20-Nov-2018 13:31:20.070 SEVERE [Tribes-Task-Receiver[Catalina-Channel]-1]
>>   org.apache.catalina.tribes.group.interceptors.EncryptInterceptor.messageReceived
>>   Failed to decrypt message
>>   javax.crypto.BadPaddingException: Given final block not properly
>>   padded. Such issues can arise if a bad key is used during
>>   decryption.
>
> Both nodes have the same encryption key, right? The key itself
> looks fine. For example, I dropped that key into the unit test file
> and it worked as expected.
>
> I've been working on a patch yesterday and today that uses random
> IVs instead of re-using them. It really shouldn't change anything
> about the config, etc. but both nodes will require the new code to
> re-test. I've also expanded the unit tests to cover cipher block
> modes other than CBC.
>
> I don't actually have a cluster here for testing, though, so
> everything is being done with the unit tests.
>
> I thought I had reproduced your issue (BadPaddingException) except
> it turned out that the test itself was wrong and the interceptor
> code was correct.
>
> Are you able to build from source? I'm about to commit these
> changes to the trunk (9.0.x), which really shouldn't change
> anything for you, but it might fix some edge case that you are
> hitting.
>
> -chris
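The key-generation and configuration steps discussed in the thread above, as an added example that is not part of the original messages and not Tomcat's own code. It reads the key bytes straight from /dev/urandom and hex-encodes them (the md5/sha hashing in the thread only served to produce the right number of hex digits), checks that a candidate encryptionKey value is pure hex of a valid AES length (32, 48 or 64 hex characters for 128, 192 or 256 bits) before it goes into server.xml, and prints the <Interceptor> element. The function names gen_key, check_key and interceptor_xml are this example's own; the className and encryptionKey attributes are the ones from the thread. It validates only the shape of the key string and does not exercise the interceptor itself.

```shell
#!/bin/sh
# Added example (not Tomcat project code): generate and sanity-check the
# encryptionKey for
# org.apache.catalina.tribes.group.interceptors.EncryptInterceptor.
# The attribute is hex-encoded raw key bytes, so the string must be
# 32, 48 or 64 hex characters for AES-128, AES-192 or AES-256.

# gen_key BITS -> prints BITS/8 random bytes as lowercase hex, no newline.
gen_key() {
    bits="${1:-128}"
    case "$bits" in
        128|192|256) ;;
        *) echo "gen_key: key size must be 128, 192 or 256 bits" >&2; return 1 ;;
    esac
    bytes=$((bits / 8))
    # od -An -tx1 prints one "xx" field per byte; tr strips the separators.
    head -c "$bytes" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# check_key HEX -> 0 if HEX is a usable AES key, 1 otherwise (reason on stderr).
# Catches the two mistakes the thread warns about: non-hex characters and a
# length that does not correspond to an AES key size.
check_key() {
    key="$1"
    case "$key" in
        *[!0-9a-fA-F]*|"") echo "check_key: not hex-encoded (0-9, a-f only)" >&2; return 1 ;;
    esac
    case "${#key}" in
        32|48|64) return 0 ;;
        *) echo "check_key: ${#key} hex chars is $(( ${#key} * 4 )) bits, not 128/192/256" >&2; return 1 ;;
    esac
}

# interceptor_xml HEX -> prints the <Interceptor> element for the <Channel>
# in server.xml, refusing to emit a config that carries a malformed key.
interceptor_xml() {
    check_key "$1" || return 1
    printf '<Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"\n'
    printf '             encryptionKey="%s" />\n' "$1"
}

# Stand-alone usage: generate a 256-bit key and print the element. Every
# node in the cluster must be given the same key.
if [ "${1:-}" = "--demo" ]; then
    k="$(gen_key 256)" && interceptor_xml "$k"
fi
```

Run it as `sh genkey.sh --demo` and paste the printed element into the <Channel> section on every node; running check_key against a key copied from one node before starting the others rules out the truncated or non-hex key that would otherwise surface only as a BadPaddingException at message receipt.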