Mark,

On 11/21/18 15:11, Mark Thomas wrote:
> On 21/11/2018 19:43, Christopher Schultz wrote:
>> Mark,
>>
>> On 11/21/18 11:51, Mark Thomas wrote:
>>> On 21/11/2018 16:36, Mark Thomas wrote:
>>>> On 21/11/2018 15:37, Mark Thomas wrote:
>>>>> On 21/11/2018 15:29, Christopher Schultz wrote:
>>>>>> All,
>>>>>>
>>>>>> With this last patch, I'm ready for a back-port to
>>>>>> tc8.5.x, but I'm waiting for a user who is trying to get
>>>>>> this working on tc9.0 to be successful.
>>>>>>
>>>>>> If anyone else can confirm that this is all working in a
>>>>>> real cluster (dev/test is okay) then I'll go ahead and
>>>>>> back-port, assuming there is some kind of configuration
>>>>>> error in that particular user's case.
>>>>>
>>>>> I'll fire up my 4 node test cluster and let you know. It
>>>>> may take me a while - there are usually a bunch of OS
>>>>> updates waiting for me when I start it up.
>>>>
>>>> I'm seeing lots of errors.
>>>>
>>>> I think the problem is that the interceptor is using one
>>>> Cipher for all members but nodes don't send the same messages
>>>> to every member so the members get out of sync and decryption
>>>> starts failing.
>>
>>> Oh, and to add to the 'fun' messages may be processed out of
>>> order.
>>
>> That should also be okay, since messages aren't related to each
>> other.
>>
>> But it might be a problem with trying to prevent replay attacks.
>
> I thought you were using CBC so a missing block (a message being
> one or more blocks) means that the next message can't be
> decrypted.

CBC *is* being used, but the cipher is reset after each message, and a
new IV is being randomly generated for that purpose. There is no
state-carryover between messages. At least, there shouldn't be.

-chris
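
An added example, not part of the original thread and not Tomcat's code: it contrasts the two CBC behaviours discussed above, a fresh random IV per message (each message decrypts on its own, even when another is lost or arrives out of order) and one long-lived cipher whose chaining carries across messages (a lost message corrupts the next one). The class name, helper methods, key and messages are all hypothetical or constructed for the demonstration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
// Added illustration; class and method names are hypothetical, not Tomcat's code.
public class CbcStateDemo {
    static final SecureRandom RNG = new SecureRandom();
    static Cipher cbc(int mode, SecretKeySpec key, byte[] iv, String pad) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/" + pad);
        c.init(mode, key, new IvParameterSpec(iv, 0, 16)); // IV = first 16 bytes
        return c;
    }
    // Per-message framing: fresh random IV, sent in front of the ciphertext.
    static byte[] seal(SecretKeySpec key, byte[] plain) throws Exception {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        byte[] ct = cbc(Cipher.ENCRYPT_MODE, key, iv, "PKCS5Padding").doFinal(plain);
        byte[] out = Arrays.copyOf(iv, 16 + ct.length);
        System.arraycopy(ct, 0, out, 16, ct.length);
        return out;
    }
    // The receiver needs only the key and this one message.
    static byte[] open(SecretKeySpec key, byte[] msg) throws Exception {
        return cbc(Cipher.DECRYPT_MODE, key, msg, "PKCS5Padding").doFinal(msg, 16, msg.length - 16);
    }
    public static void main(String[] args) throws Exception {
        byte[] k = new byte[16], iv = new byte[16];
        RNG.nextBytes(k);  // constructed demo key
        RNG.nextBytes(iv); // shared start IV, used by the chained case only
        SecretKeySpec key = new SecretKeySpec(k, "AES");
        byte[][] p = new byte[3][], sent = new byte[3][];
        for (int i = 0; i < 3; i++) { // constructed 16-byte messages
            p[i] = ("message number " + i).getBytes(StandardCharsets.US_ASCII);
            sent[i] = seal(key, p[i]);
        }
        // Case 1, per-message IV: message 1 is lost and 2 arrives before 0.
        System.out.println("per-message IV, msg 2 ok: " + Arrays.equals(p[2], open(key, sent[2])));
        System.out.println("per-message IV, msg 0 ok: " + Arrays.equals(p[0], open(key, sent[0])));
        // Case 2, one long-lived cipher per side: chaining is carried across messages.
        Cipher enc = cbc(Cipher.ENCRYPT_MODE, key, iv, "NoPadding");
        Cipher dec = cbc(Cipher.DECRYPT_MODE, key, iv, "NoPadding");
        byte[] c0 = enc.update(p[0]), lost = enc.update(p[1]), c2 = enc.update(p[2]);
        System.out.println("chained, msg 0 ok: " + Arrays.equals(p[0], dec.update(c0)));
        // "lost" is never delivered, so dec chains c2 against c0 instead of against it.
        System.out.println("chained, msg 2 ok: " + Arrays.equals(p[2], dec.update(c2)));
    }
}
```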