[jira] [Commented] (MTOMCAT-263) tomcat7:exec-war can't create .extract/webapps

2016-03-31 Thread Magnus Skoglund (JIRA)

[ https://issues.apache.org/jira/browse/MTOMCAT-263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15221193#comment-15221193 ]

Magnus Skoglund commented on MTOMCAT-263:
-

The 2.3-SNAPSHOT runs fine on Windows as well. There were problems building it, 
but -DskipTests made it.

> tomcat7:exec-war can't create .extract/webapps
> --
>
> Key: MTOMCAT-263
> URL: https://issues.apache.org/jira/browse/MTOMCAT-263
> Project: Apache Tomcat Maven Plugin
> Issue Type: Bug
> Affects Versions: 2.1, 2.2
> Reporter: jieryn
> Assignee: Olivier Lamy (*$^¨%`£)
> Fix For: 3.0
>
> Attachments: MTOMCAT-263_1.patch
>
>
> bash$ java -jar target/app-1.0-SNAPSHOT-war-exec.jar
> Exception in thread "main" java.lang.Exception: FATAL: impossible to create directories:.extract/webapps
> at org.apache.tomcat.maven.runner.Tomcat7Runner.extract(Tomcat7Runner.java:586)
> at org.apache.tomcat.maven.runner.Tomcat7Runner.run(Tomcat7Runner.java:204)
> at org.apache.tomcat.maven.runner.Tomcat7RunnerCli.main(Tomcat7RunnerCli.java:212)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[GUMP@vmgump]: Project tomcat-tc8.0.x-test-nio (in module tomcat-8.0.x) failed

2016-03-31 Thread Bill Barker
To whom it may engage...

This is an automated request, but not an unsolicited one. For 
more information please visit http://gump.apache.org/nagged.html, 
and/or contact the folk at gene...@gump.apache.org.

Project tomcat-tc8.0.x-test-nio has an issue affecting its community 
integration.
This issue affects 1 projects.
The current state of this project is 'Failed', with reason 'Build Failed'.
For reference only, the following projects are affected by this:
- tomcat-tc8.0.x-test-nio :  Tomcat 8.x, a web server implementing the Java 
Servlet 3.1,
...


Full details are available at:

http://vmgump.apache.org/gump/public/tomcat-8.0.x/tomcat-tc8.0.x-test-nio/index.html

That said, some information snippets are provided here.

The following annotations (debug/informational/warning/error messages) were 
provided:
 -DEBUG- Dependency on commons-daemon exists, no need to add for property 
commons-daemon.native.src.tgz.
 -DEBUG- Dependency on commons-daemon exists, no need to add for property 
tomcat-native.tar.gz.
 -INFO- Failed with reason build failed
 -INFO- Project Reports in: 
/srv/gump/public/workspace/tomcat-8.0.x/output/logs-NIO
 -INFO- Project Reports in: 
/srv/gump/public/workspace/tomcat-8.0.x/output/test-tmp-NIO/logs
 -WARNING- No directory 
[/srv/gump/public/workspace/tomcat-8.0.x/output/test-tmp-NIO/logs]



The following work was performed:
http://vmgump.apache.org/gump/public/tomcat-8.0.x/tomcat-tc8.0.x-test-nio/gump_work/build_tomcat-8.0.x_tomcat-tc8.0.x-test-nio.html
Work Name: build_tomcat-8.0.x_tomcat-tc8.0.x-test-nio (Type: Build)
Work ended in a state of : Failed
Elapsed: 50 mins 21 secs
Command Line: /usr/lib/jvm/java-8-oracle/bin/java -Djava.awt.headless=true 
-Dbuild.sysclasspath=only org.apache.tools.ant.Main 
-Dgump.merge=/srv/gump/public/gump/work/merge.xml 
-Djunit.jar=/srv/gump/public/workspace/junit/target/junit-4.13-SNAPSHOT.jar 
-Dobjenesis.jar=/srv/gump/public/workspace/objenesis/main/target/objenesis-2.3-SNAPSHOT.jar
 -Dtest.reports=output/logs-NIO 
-Dtomcat-native.tar.gz=/srv/gump/public/workspace/apache-commons/daemon/dist/bin/commons-daemon-20160331-native-src.tar.gz
 -Dexamples.sources.skip=true 
-Dbase.path=/srv/gump/public/workspace/tomcat-8.0.x/tomcat-build-libs 
-Djdt.jar=/srv/gump/packages/eclipse/plugins/R-4.5-201506032000/ecj-4.5.jar 
-Dcommons-daemon.jar=/srv/gump/public/workspace/apache-commons/daemon/dist/commons-daemon-20160331.jar
 
-Dcommons-daemon.native.src.tgz=/srv/gump/public/workspace/apache-commons/daemon/dist/bin/commons-daemon-20160331-native-src.tar.gz
 -Dtest.temp=output/test-tmp-NIO -Dtest.accesslog=true -Dexecute.test.nio=true 
-Dtest.openssl.path=/srv/gump/public/workspace/openssl-1.0.2/dest-20160331/bin/openssl 
-Dexecute.test.bio=false -Dexecute.test.apr=false 
-Dtest.excludePerformance=true -Dexecute.test.nio2=false 
-Deasymock.jar=/srv/gump/public/workspace/easymock/core/target/easymock-3.5-SNAPSHOT.jar
 -Dhamcrest.jar=/srv/gump/packages/hamcrest/hamcrest-core-1.3.jar 
-Dcglib.jar=/srv/gump/packages/cglib/cglib-nodep-2.2.jar test 
[Working Directory: /srv/gump/public/workspace/tomcat-8.0.x]

[Bug 59253] Read/Write errors

2016-03-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59253

Remy Maucherat  changed:

   What       |Removed   |Added
   Status     |NEW       |NEEDINFO

--- Comment #1 from Remy Maucherat  ---
Some IO errors are considered "normal" and will be returned as an EOF (= the
code returns -1). But the APR error code has to match, and here the 32, 104 and
113 are not in that category so they get a more general IOException.

I failed to find what these codes correspond to.

-- 
You are receiving this mail because:
You are the assignee for the bug.




[Tomcat Wiki] Update of "Security/Ciphers" by markt

2016-03-31 Thread Apache Wiki
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change 
notification.

The "Security/Ciphers" page has been changed by markt:
https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=18=19

Comment:
Add results for Tomcat 6 and APR/native

  == APR with OpenSSL Results (Default) ==
  
  |||| Java 5 || Java 6 || Java 7 || Java 8 ||
- || Tomcat 6   ||  TBD   ||  TBD   ||  TBD   ||  TBD   ||
+ || Tomcat 6   ||   A||   A||   A||   A||
  || Tomcat 7   ||  N/A   ||   A||   A||   A||
  || Tomcat 8   ||  N/A   ||  N/A   ||   A||   A||
  || Tomcat 8.5 ||  N/A   ||  N/A   ||   A||   A||
  || Tomcat 9   ||  N/A   ||  N/A   ||  N/A   ||   A||
  
  The OpenSSL cipher configuration used was 
'''HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA'''. Up-to-date selection of 
secure cipher suites in OpenSSL format is available at 
[[https://wiki.mozilla.org/Security/Server_Side_TLS|Mozilla wiki]].
- 
- 
- == JSSE (BIO/NIO/NIO2) Results (Improved) ==
- 
- ||  || Java 5 || Java 6 || Java 7 || Java 8 ||
- || Tomcat 6 ||   B||   B||   A-   ||   A||
- 
- == JSSE Settings for Improved Results ==
- 
- To use these settings:
- 
-  1. Pass JVM parameter '''-Djdk.tls.ephemeralDHKeySize=2048''' to JVM running 
Tomcat.
- 
-  1. Set the ciphers attribute on your secure connector to the list of ciphers 
shown below. The list should be comma separated.
- 
-   * Java 5
-* TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
-   * Java 6
-* TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA
-   * Java 7
- * TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
-   * Java 8
-* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  
  == Environment ==
  
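
Review bot: the removed lines under '== JSSE (BIO/NIO/NIO2) Results (Improved) ==' and '== JSSE Settings for Improved Results ==' go beyond the stated edit comment, 'Add results for Tomcat 6 and APR/native'. That section was where the page documented '-Djdk.tls.ephemeralDHKeySize=2048' and the per-Java cipher lists, so either mention the removal in the comment or leave a one-line note saying why the manual settings are no longer needed for Tomcat 6.
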
@@ -79, +56 @@

   * Java 6, 64-bit, update 45
   * Java 7, 64-bit, update 80
   * Java 8, 64-bit, update 77
-  * Apache Tomcat 6.0.44-dev, r1664561. This is after the commit that disabled 
SSLv2 and SSLv3.
+  * Apache Tomcat 6.0.46-dev, r1737284.
   * Apache Tomcat 7.0.69-dev, r1737253.
   * Apache Tomcat 8.0.34-dev, r1737224.
   * Apache Tomcat 8.5.1-dev, r1737241.




svn commit: r1737284 - in /tomcat/tc6.0.x/trunk: ./ java/org/apache/tomcat/util/net/AprEndpoint.java webapps/docs/apr.xml webapps/docs/changelog.xml

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 20:46:45 2016
New Revision: 1737284

URL: http://svn.apache.org/viewvc?rev=1737284=rev
Log:
Better default ciphers for APR/OpenSSL

Modified:
tomcat/tc6.0.x/trunk/   (props changed)
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/tc6.0.x/trunk/webapps/docs/apr.xml
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc6.0.x/trunk/

[Tomcat Wiki] Update of "Security/Ciphers" by markt

2016-03-31 Thread Apache Wiki

The "Security/Ciphers" page has been changed by markt:
https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=17=18

Comment:
Add the results for Tomcat 6 and JSSE

  == BIO/NIO/NIO2 with JSSE Results (Default) ==
  
  |||| Java 5 || Java 6 || Java 7 || Java 8 ||
- || Tomcat 6   ||   C||   C||   C||   B||
+ || Tomcat 6   ||   C||   C||   A||   A||
  || Tomcat 7   ||  N/A   ||   C||   A||   A||
  || Tomcat 8   ||  N/A   ||  N/A   ||   A||   A||
  || Tomcat 8.5 ||  N/A   ||  N/A   ||   A||   A||
@@ -15, +15 @@

  
  Note: These results were obtained using the JCE Unlimited Strength 
Jurisdiction Policy Files
  
- Note: The Java 6 results are capped at C because Java 6 does not support TLS 
1.1 or 1.2.
+ Note: The Java 5 and 6 results are capped at C because neither Java 5 nor 6 
support TLS 1.1 or 1.2.
  
  The equivalent OpenSSL cipher configurations used to obtain the above results 
are:
  
+ || Java 5 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!DHE ||
  || Java 6 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!DHE ||
  || Java 7 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!DHE ||
  || Java 8 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA ||
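
Review bot: grammar in the added note on the Java 5 and 6 cap: 'neither Java 5 nor 6 support' should read 'neither Java 5 nor 6 supports'. The added Java 5 row also repeats the Java 6 cipher string exactly; if that is intentional, a single 'Java 5 / Java 6' row would keep the two from drifting apart.
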
@@ -33, +34 @@

  || Tomcat 8.5 ||  N/A   ||  N/A   ||   A||   A||
  || Tomcat 9   ||  N/A   ||  N/A   ||  N/A   ||   A||
  
+ The OpenSSL cipher configuration used was 
'''HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA'''. Up-to-date selection of 
secure cipher suites in OpenSSL format is available at 
[[https://wiki.mozilla.org/Security/Server_Side_TLS|Mozilla wiki]].
  
  Note: JSSE+OpenSSL and JSSE config requires a 1.2.6 tc-native release to 
achieve an A since, without it, the full certificate chain is not presented to 
the client.
  
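
Review bot: the added sentence gives the cipher string 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA' without the OpenSSL version it was evaluated with. What the HIGH alias expands to varies between OpenSSL releases, so state the version next to the string or point to where the page lists it. Minor wording: 'Up-to-date selection' should be 'An up-to-date selection'.
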




svn commit: r1737283 - in /tomcat/tc6.0.x/trunk: ./ bin/ java/org/apache/tomcat/util/compat/ java/org/apache/tomcat/util/net/jsse/ java/org/apache/tomcat/util/net/jsse/res/ webapps/docs/ webapps/docs/

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 20:31:55 2016
New Revision: 1737283

URL: http://svn.apache.org/viewvc?rev=1737283=rev
Log:
TLS improvements
- enable stronger ephemeral DH keys by default
- filter out known weak ciphers from default list

Added:
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/
  - copied from r1737248, 
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/compat/
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre6Compat.java   
(with props)
Removed:
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/JreVendor.java
Modified:
tomcat/tc6.0.x/trunk/   (props changed)
tomcat/tc6.0.x/trunk/bin/catalina.bat
tomcat/tc6.0.x/trunk/bin/catalina.sh
tomcat/tc6.0.x/trunk/build.xml
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre7Compat.java
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java

tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml

Propchange: tomcat/tc6.0.x/trunk/

Re: svn commit: r1737280 - /tomcat/trunk/webapps/docs/changelog.xml

2016-03-31 Thread Rémy Maucherat
2016-03-31 14:43 GMT-05:00 :

> Author: violetagg
> Date: Thu Mar 31 19:43:45 2016
> New Revision: 1737280
>
> URL: http://svn.apache.org/viewvc?rev=1737280=rev
> Log:
> fix typo
>

Woops. Thanks.

Rémy

>
> Modified:
> tomcat/trunk/webapps/docs/changelog.xml
>
> Modified: tomcat/trunk/webapps/docs/changelog.xml
> URL:
> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1737280=1737279=1737280=diff
>
> ==
> --- tomcat/trunk/webapps/docs/changelog.xml (original)
> +++ tomcat/trunk/webapps/docs/changelog.xml Thu Mar 31 19:43:45 2016
> @@ -85,7 +85,7 @@
>  (remm)
>
>
> -59255: Fix posible NPE in mapper. (kkolinko/remm)
> +59255: Fix possible NPE in mapper. (kkolinko/remm)
>
>  
>
>
>
>


svn commit: r1737282 - in /tomcat/tc8.0.x/trunk: ./ webapps/docs/changelog.xml

2016-03-31 Thread violetagg
Author: violetagg
Date: Thu Mar 31 19:48:34 2016
New Revision: 1737282

URL: http://svn.apache.org/viewvc?rev=1737282=rev
Log:
fix typo

Modified:
tomcat/tc8.0.x/trunk/   (props changed)
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc8.0.x/trunk/

svn commit: r1737281 - in /tomcat/tc8.5.x/trunk: ./ webapps/docs/changelog.xml

2016-03-31 Thread violetagg
Author: violetagg
Date: Thu Mar 31 19:45:57 2016
New Revision: 1737281

URL: http://svn.apache.org/viewvc?rev=1737281=rev
Log:
fix typo

Modified:
tomcat/tc8.5.x/trunk/   (props changed)
tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc8.5.x/trunk/
--
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Mar 31 19:45:57 2016
@@ -1 +1 @@
-/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280

Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1737281=1737280=1737281=diff
==
--- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Thu Mar 31 19:45:57 2016
@@ -75,7 +75,7 @@
 (violetagg)
   
   
-59255: Fix posible NPE in mapper. (kkolinko/remm)
+59255: Fix possible NPE in mapper. (kkolinko/remm)
   
 
   






svn commit: r1737280 - /tomcat/trunk/webapps/docs/changelog.xml

2016-03-31 Thread violetagg
Author: violetagg
Date: Thu Mar 31 19:43:45 2016
New Revision: 1737280

URL: http://svn.apache.org/viewvc?rev=1737280=rev
Log:
fix typo

Modified:
tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1737280=1737279=1737280=diff
==
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Mar 31 19:43:45 2016
@@ -85,7 +85,7 @@
 (remm)
   
   
-59255: Fix posible NPE in mapper. (kkolinko/remm)
+59255: Fix possible NPE in mapper. (kkolinko/remm)
   
 
   






[Bug 59255] 404 due to NullPointer in Mapper.java

2016-03-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59255

Remy Maucherat  changed:

   What       |Removed   |Added
   Status     |REOPENED  |RESOLVED
   Resolution |---       |FIXED

--- Comment #5 from Remy Maucherat  ---
Ok, I applied this for 9M5, 8.5.1, 8.0.34.




svn commit: r1737278 - in /tomcat/tc8.0.x/trunk: java/org/apache/catalina/mapper/Mapper.java webapps/docs/changelog.xml

2016-03-31 Thread remm
Author: remm
Date: Thu Mar 31 19:22:04 2016
New Revision: 1737278

URL: http://svn.apache.org/viewvc?rev=1737278=rev
Log:
59255: Fix possible NPE in mapper, using Konstantin Kolinko's idea.

Modified:
tomcat/tc8.0.x/trunk/java/org/apache/catalina/mapper/Mapper.java
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc8.0.x/trunk/java/org/apache/catalina/mapper/Mapper.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/mapper/Mapper.java?rev=1737278=1737277=1737278=diff
==
--- tomcat/tc8.0.x/trunk/java/org/apache/catalina/mapper/Mapper.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/catalina/mapper/Mapper.java Thu Mar 31 
19:22:04 2016
@@ -878,7 +878,7 @@ public final class Mapper {
 }
 
 if(mappingData.wrapper == null && noServletPath &&
-mappingData.context.getMapperContextRootRedirectEnabled()) {
+contextVersion.object.getMapperContextRootRedirectEnabled()) {
 // The path is empty, redirect to "/"
 path.append('/');
 pathEnd = path.getEnd();
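
Review bot: in the noServletPath condition, the replacement contextVersion.object.getMapperContextRootRedirectEnabled() still dereferences two references with no null check visible in this hunk. Add a short comment saying why contextVersion.object is always set at this point while mappingData.context may not be, so a later reader does not switch it back.
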
@@ -1006,7 +1006,7 @@ public final class Mapper {
 file = contextVersion.resources.getResource(pathStr);
 }
 if (file != null && file.isDirectory() &&
-
mappingData.context.getMapperDirectoryRedirectEnabled()) {
+
contextVersion.object.getMapperDirectoryRedirectEnabled()) {
 // Note: this mutates the path: do not do any processing
 // after this (since we set the redirectPath, there
 // shouldn't be any)
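
Review bot: in the file.isDirectory() condition the same swap from mappingData.context to contextVersion.object is made a second time. Two identical fixes in one class suggest mappingData.context can be read before it is populated; check the remaining reads of mappingData.context in Mapper.java, or take the context into a local variable once and use it at both sites.
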

Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1737278=1737277=1737278=diff
==
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Thu Mar 31 19:22:04 2016
@@ -69,6 +69,9 @@
 and javax.servlet.AsyncEvent.getSuppliedResponse
 (violetagg)
   
+  
+59255: Fix posible NPE in mapper. (kkolinko/remm)
+  
 
   
   
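
Review bot: typo in the added changelog entry: 'posible' should be 'possible'.
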






svn commit: r1737276 - in /tomcat/tc8.5.x/trunk: java/org/apache/catalina/mapper/Mapper.java webapps/docs/changelog.xml

2016-03-31 Thread remm
Author: remm
Date: Thu Mar 31 19:16:19 2016
New Revision: 1737276

URL: http://svn.apache.org/viewvc?rev=1737276=rev
Log:
59255: Fix possible NPE in mapper, using Konstantin Kolinko's idea.

Modified:
tomcat/tc8.5.x/trunk/java/org/apache/catalina/mapper/Mapper.java
tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc8.5.x/trunk/java/org/apache/catalina/mapper/Mapper.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/mapper/Mapper.java?rev=1737276=1737275=1737276=diff
==
--- tomcat/tc8.5.x/trunk/java/org/apache/catalina/mapper/Mapper.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/catalina/mapper/Mapper.java Thu Mar 31 
19:16:19 2016
@@ -877,7 +877,7 @@ public final class Mapper {
 }
 
 if(mappingData.wrapper == null && noServletPath &&
-mappingData.context.getMapperContextRootRedirectEnabled()) {
+contextVersion.object.getMapperContextRootRedirectEnabled()) {
 // The path is empty, redirect to "/"
 path.append('/');
 pathEnd = path.getEnd();
@@ -1005,7 +1005,7 @@ public final class Mapper {
 file = contextVersion.resources.getResource(pathStr);
 }
 if (file != null && file.isDirectory() &&
-
mappingData.context.getMapperDirectoryRedirectEnabled()) {
+
contextVersion.object.getMapperDirectoryRedirectEnabled()) {
 // Note: this mutates the path: do not do any processing
 // after this (since we set the redirectPath, there
 // shouldn't be any)
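Review bot: neither changed condition (this one or the context-root check in the hunk at -877) is covered by a test in this commit, which modifies only Mapper.java and changelog.xml. A unit test that exercises both redirect branches with the flag read from the ContextVersion would keep a later refactoring from reintroducing the `mappingData.context` dereference.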

Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1737276=1737275=1737276=diff
==
--- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Thu Mar 31 19:16:19 2016
@@ -74,6 +74,9 @@
 and javax.servlet.AsyncEvent.getSuppliedResponse
 (violetagg)
   
+  
+59255: Fix posible NPE in mapper. (kkolinko/remm)
+  
 
   
   






svn commit: r1737270 - in /tomcat/trunk: java/org/apache/catalina/mapper/Mapper.java webapps/docs/changelog.xml

2016-03-31 Thread remm
Author: remm
Date: Thu Mar 31 18:55:22 2016
New Revision: 1737270

URL: http://svn.apache.org/viewvc?rev=1737270=rev
Log:
59255: Fix possible NPE in mapper, using Konstantin Kolinko's idea.

Modified:
tomcat/trunk/java/org/apache/catalina/mapper/Mapper.java
tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/catalina/mapper/Mapper.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/mapper/Mapper.java?rev=1737270=1737269=1737270=diff
==
--- tomcat/trunk/java/org/apache/catalina/mapper/Mapper.java (original)
+++ tomcat/trunk/java/org/apache/catalina/mapper/Mapper.java Thu Mar 31 
18:55:22 2016
@@ -879,7 +879,7 @@ public final class Mapper {
 }
 
 if(mappingData.wrapper == null && noServletPath &&
-mappingData.context.getMapperContextRootRedirectEnabled()) {
+contextVersion.object.getMapperContextRootRedirectEnabled()) {
 // The path is empty, redirect to "/"
 path.append('/');
 pathEnd = path.getEnd();
@@ -1008,7 +1008,7 @@ public final class Mapper {
 file = contextVersion.resources.getResource(pathStr);
 }
 if (file != null && file.isDirectory() &&
-
mappingData.context.getMapperDirectoryRedirectEnabled()) {
+
contextVersion.object.getMapperDirectoryRedirectEnabled()) {
 // Note: this mutates the path: do not do any processing
 // after this (since we set the redirectPath, there
 // shouldn't be any)
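Review bot: the changed condition needs a one-line comment saying why the flag is read from `contextVersion.object` and not `mappingData.context`. The surrounding code already uses `contextVersion` (`contextVersion.resources.getResource(pathStr)` just above), so the new form is consistent, but without a note a later cleanup could switch it back and bring the NPE with it.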

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1737270=1737269=1737270=diff
==
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Mar 31 18:55:22 2016
@@ -84,6 +84,9 @@
 Based on a patch submitted by Coty Sutherland.
 (remm)
   
+  
+59255: Fix posible NPE in mapper. (kkolinko/remm)
+  
 
   
   






Project Jigsaw: The module system was integrated into JDK 9 and is now available for testing in early-access, build 111.

2016-03-31 Thread Rory O'Donnell


Hi Mark/Mladen,

Project Jigsaw is an enormous effort, encompassing six JEPs implemented
by dozens of engineers over many years.
So far we’ve defined a modular structure for the JDK (JEP 200),
reorganized the source code according to that structure (JEP 201), and
restructured the JDK and JRE run-time images to support modules
(JEP 220). The last major component, the module system itself (JSR 376
and JEP 261), was integrated into JDK 9 earlier this week and is now
available for testing in early-access build 111 - here.

More information on Mark Reinhold's blog [1]

Rgds, Rory

[1] http://mreinhold.org/blog/jigsaw-module-system




--
Rgds,Rory O'Donnell
Quality Engineering Manager
Oracle EMEA, Dublin,Ireland



[Bug 59255] 404 due to NullPointer in Mapper.java

2016-03-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59255

--- Comment #4 from Remy Maucherat  ---
Ok, so mappingData.context -> contextVersion.object. No problem.

Since I don't see how mappingData.context becomes null, mappingData.wrapper
probably also gets reset as well which will randomly mess up the mapping
algorithm.

-- 
You are receiving this mail because:
You are the assignee for the bug.




[Tomcat Wiki] Update of "Security/Ciphers" by markt

2016-03-31 Thread Apache Wiki
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change 
notification.

The "Security/Ciphers" page has been changed by markt:
https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=16=17

Comment:
Update Tomcat 7 APR/native results

  
  |||| Java 5 || Java 6 || Java 7 || Java 8 ||
  || Tomcat 6   ||  TBD   ||  TBD   ||  TBD   ||  TBD   ||
- || Tomcat 7   ||  N/A   ||  TBD   ||  TBD   ||  TBD   ||
+ || Tomcat 7   ||  N/A   ||   A||   A||   A||
  || Tomcat 8   ||  N/A   ||  N/A   ||   A||   A||
  || Tomcat 8.5 ||  N/A   ||  N/A   ||   A||   A||
  || Tomcat 9   ||  N/A   ||  N/A   ||  N/A   ||   A||
@@ -52, +52 @@

  
  ||  || Java 5 || Java 6 || Java 7 || Java 8 ||
  || Tomcat 6 ||   B||   B||   A-   ||   A||
- 
- 
  
  == JSSE Settings for Improved Results ==
  
@@ -80, +78 @@

   * Java 7, 64-bit, update 80
   * Java 8, 64-bit, update 77
   * Apache Tomcat 6.0.44-dev, r1664561. This is after the commit that disabled 
SSLv2 and SSLv3.
-  * Apache Tomcat 7.0.69-dev, r1737249.
+  * Apache Tomcat 7.0.69-dev, r1737253.
   * Apache Tomcat 8.0.34-dev, r1737224.
   * Apache Tomcat 8.5.1-dev, r1737241.
   * Apache Tomcat 9.0.0.M5-dev, r1737193.




svn commit: r1737253 - in /tomcat/tc7.0.x/trunk: java/org/apache/tomcat/util/net/AprEndpoint.java webapps/docs/changelog.xml webapps/docs/config/http.xml

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 15:52:41 2016
New Revision: 1737253

URL: http://svn.apache.org/viewvc?rev=1737253=rev
Log:
Better default ciphers for APR/OpenSSL

Modified:
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml

Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1737253=1737252=1737253=diff
==
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java 
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu 
Mar 31 15:52:41 2016
@@ -243,7 +243,7 @@ public class AprEndpoint extends Abstrac
 /**
  * SSL cipher suite.
  */
-protected String SSLCipherSuite = "ALL";
+protected String SSLCipherSuite = 
"HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
 public String getSSLCipherSuite() { return SSLCipherSuite; }
 public void setSSLCipherSuite(String SSLCipherSuite) { this.SSLCipherSuite 
= SSLCipherSuite; }
 
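Review bot: the new default on `SSLCipherSuite` is an inline string literal, and the same string is written out again in http.xml in this commit, so code and documentation can drift apart on the next change. Consider a named constant for the default, and extend the Javadoc (currently just 'SSL cipher suite.') to state the default and that the value is an OpenSSL cipher list. Since `!kRSA` removes every RSA key-exchange suite, clients that offer only those will stop connecting to an APR connector that relies on the default, which deserves a mention for people upgrading.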

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1737253=1737252=1737253=diff
==
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Mar 31 15:52:41 2016
@@ -164,8 +164,8 @@
 (markt)
   
   
-Limit the default TLS ciphers to those currently considered secure.
-(markt) 
+Limit the default TLS ciphers for JSSE (BIO, NIO) and OpenSSL (APR) to
+those currently considered secure. (markt) 
   
   
 Add a new environment variable JSSE_OPTS that is intended

Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml?rev=1737253=1737252=1737253=diff
==
--- tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml Thu Mar 31 15:52:41 2016
@@ -1259,9 +1259,8 @@
 
 
   Ciphers which may be used for communicating with clients. The default
-  is "ALL", with other acceptable values being a list of ciphers, with ":"
-  used as the delimiter (see OpenSSL documentation for the list of ciphers
-  supported).
+  is "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA". See the OpenSSL
+  documentation for details of the cipher configuration options.
 
 
 
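Review bot: the rewritten paragraph no longer says what form the value takes; the removed text explained that it is a list of ciphers with ':' as the delimiter, and the new text gives only the default and a pointer to the OpenSSL documentation. Suggest keeping one sentence on the format and adding that the default was "ALL" before this change, so that anyone who depended on it knows to set the attribute explicitly.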






[Bug 59255] 404 due to NullPointer in Mapper.java

2016-03-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59255

Konstantin Kolinko  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |---

--- Comment #3 from Konstantin Kolinko  ---
Looking at 8.0.x Mapper.java, I think that in both mentioned places

mappingData.context.getMapperContextRootRedirectEnabled()

has to be replaced with obtaining the context from ContextVersion object. Both
places have it, so I see no reason why context is retrieved from mappingData.

A test case is TBD.




[Bug 59255] 404 due to NullPointer in Mapper.java

2016-03-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59255

--- Comment #2 from Konstantin Kolinko  ---
1. Sample configuration / steps to reproduce the issue = ?

2. Diffs are preferred in Unified Diff format
http://tomcat.apache.org/bugreport.html#How_to_submit_patches_and_enhancement_requests




[Tomcat Wiki] Update of "Security/Ciphers" by markt

2016-03-31 Thread Apache Wiki
The "Security/Ciphers" page has been changed by markt:
https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=15=16

Comment:
Fill in Tomcat 7 JSSE 

  
  |||| Java 5 || Java 6 || Java 7 || Java 8 ||
  || Tomcat 6   ||   C||   C||   C||   B||
- || Tomcat 7   ||  N/A   ||   C||   C||   B||
+ || Tomcat 7   ||  N/A   ||   C||   A||   A||
  || Tomcat 8   ||  N/A   ||  N/A   ||   A||   A||
  || Tomcat 8.5 ||  N/A   ||  N/A   ||   A||   A||
  || Tomcat 9   ||  N/A   ||  N/A   ||  N/A   ||   A||
  
  Note: These results were obtained using the JCE Unlimited Strength 
Jurisdiction Policy Files
+ 
+ Note: The Java 6 results are capped at C because Java 6 does not support TLS 
1.1 or 1.2.
+ 
+ The equivalent OpenSSL cipher configurations used to obtain the above results 
are:
+ 
+ || Java 6 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!DHE ||
+ || Java 7 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!DHE ||
+ || Java 8 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA ||
+ 
+ Note: kRSA ciphers are not excluded in Java 6 and earlier since they are 
likely to be the only ones left
+ 
+ Note: In Java 7 and earlier DHE ciphers use insecure DH keys with no means to 
configure longer keys which is why DHE ciphers are excluded in those Java 
versions.
  
  == NIO/NIO2 with JSSE+OpenSSL Results (Default) ==
  
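Review bot: the added note on the Java 6 row ('kRSA ciphers are not excluded in Java 6 and earlier since they are likely to be the only ones left') should say what that costs: with DHE excluded and RSA key exchange kept, a Java 6 connector may be left with suites that offer no forward secrecy. Stating that next to the C rating tells readers what the row gives up; the sentence is also missing its full stop.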
@@ -23, +35 @@

  
  
  Note: JSSE+OpenSSL and JSSE config requires a 1.2.6 tc-native release to 
achieve an A since, without it, the full certificate chain is not presented to 
the client.
- 
- The equivalent OpenSSL cipher configurations used to obtain the above results 
are:
- 
- || Java 7 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!DHE ||
- || Java 8 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA ||
- 
- Note: Java 7 DHE ciphers sue a 768 bit DH key which is considered insecure 
which is why those ciphers are excluded only for Java 7.
  
  == APR with OpenSSL Results (Default) ==
  
@@ -47, +52 @@

  
  ||  || Java 5 || Java 6 || Java 7 || Java 8 ||
  || Tomcat 6 ||   B||   B||   A-   ||   A||
- || Tomcat 7 ||  N/A   ||   B||   A-   ||   A||
  
  
  
@@ -76, +80 @@

   * Java 7, 64-bit, update 80
   * Java 8, 64-bit, update 77
   * Apache Tomcat 6.0.44-dev, r1664561. This is after the commit that disabled 
SSLv2 and SSLv3.
-  * Apache Tomcat 7.0.60-dev, r1664373.
+  * Apache Tomcat 7.0.69-dev, r1737249.
   * Apache Tomcat 8.0.34-dev, r1737224.
   * Apache Tomcat 8.5.1-dev, r1737241.
   * Apache Tomcat 9.0.0.M5-dev, r1737193.




svn commit: r1737249 - in /tomcat/tc7.0.x/trunk: ./ bin/ java/org/apache/tomcat/util/net/jsse/ java/org/apache/tomcat/util/net/jsse/res/ webapps/docs/ webapps/docs/config/

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 15:27:31 2016
New Revision: 1737249

URL: http://svn.apache.org/viewvc?rev=1737249=rev
Log:
TLS improvements
- enable stronger ephemeral DH keys by default
- filter out known weak ciphers from default list

Modified:
tomcat/tc7.0.x/trunk/   (props changed)
tomcat/tc7.0.x/trunk/bin/catalina.bat
tomcat/tc7.0.x/trunk/bin/catalina.sh

tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml


[Bug 59256] SLF4J in default jarsToSkip value in catalina.properties too broad

2016-03-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59256

--- Comment #1 from Violeta Georgieva  ---
Hi,

What do you think about including this specific jar to
tomcat.util.scan.StandardJarScanFilter.jarsToScan instead of modifying
tomcat.util.scan.StandardJarScanFilter.jarsToSkip?

Regards,
Violeta




[Bug 59256] New: SLF4J in default jarsToSkip value in catalina.properties too broad

2016-03-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59256

Bug ID: 59256
   Summary: SLF4J in default jarsToSkip value in
catalina.properties too broad
   Product: Tomcat 8
   Version: 8.0.33
  Hardware: PC
OS: All
Status: NEW
  Severity: trivial
  Priority: P2
 Component: Catalina
  Assignee: dev@tomcat.apache.org
  Reporter: david.scourfi...@llynfi.co.uk

The default value for jarsToSkip in catalina.properties includes the following:

slf4j*.jar

However, SLF4J has a taglib contained in a jar called "slf4j-taglib-0.1RC.jar"
which matches the pattern above.  Therefore, this taglib cannot be used within
a Tomcat container without editing the container configuration files.

Suggest amending the default slf4j*.jar pattern to slf4j-api-*.jar instead.

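How the three configurations discussed in this bug treat the taglib JAR, as an added example that is not part of the report or of Tomcat's code. It assumes a simplified model of the filter (a JAR is skipped when it matches jarsToSkip unless it also matches jarsToScan; `*` and `?` are the only wildcards), and the JAR listing, the `junit*.jar` entry and the `slf4j-taglib*.jar` scan pattern are constructed.

```python
import re


def glob_to_regex(pattern):
    """Compile one jarsToSkip/jarsToScan entry; only '*' and '?' are wildcards."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out) + r"\Z")


def parse_patterns(value):
    """Split a comma-separated property value, joining backslash-continued lines."""
    joined = value.replace("\\\n", "")
    return [p.strip() for p in joined.split(",") if p.strip()]


def matches_any(patterns, jar_name):
    return any(glob_to_regex(p).match(jar_name) for p in patterns)


def is_scanned(jar_name, jars_to_skip, jars_to_scan=""):
    """Assumed rule: a JAR matching jarsToSkip is skipped unless jarsToScan matches too."""
    if matches_any(parse_patterns(jars_to_skip), jar_name):
        return matches_any(parse_patterns(jars_to_scan), jar_name)
    return True


def report(jars, jars_to_skip, jars_to_scan=""):
    """Return {jar name: True if the JAR would be scanned}."""
    return {jar: is_scanned(jar, jars_to_skip, jars_to_scan) for jar in jars}


# Constructed WEB-INF/lib listing; only the taglib file name is from the report.
SAMPLE_JARS = [
    "junit-4.12.jar",
    "slf4j-api-1.7.21.jar",
    "slf4j-log4j12-1.7.21.jar",
    "slf4j-taglib-0.1RC.jar",
    "myapp-tags-1.0.jar",
]

# Constructed two-entry excerpts in catalina.properties style (the real list is longer).
CURRENT_SKIP = "junit*.jar,\\\nslf4j*.jar"        # pattern from the report
PROPOSED_SKIP = "junit*.jar,\\\nslf4j-api-*.jar"  # reporter's suggested pattern
OVERRIDE_SCAN = "slf4j-taglib*.jar"               # hypothetical jarsToScan entry

if __name__ == "__main__":
    cases = [
        ("current default", CURRENT_SKIP, ""),
        ("narrower jarsToSkip", PROPOSED_SKIP, ""),
        ("default jarsToSkip plus jarsToScan", CURRENT_SKIP, OVERRIDE_SCAN),
    ]
    for label, skip, scan in cases:
        print(label)
        for jar, scanned in report(SAMPLE_JARS, skip, scan).items():
            print("  %-28s %s" % (jar, "scanned" if scanned else "skipped"))
```

Under this model the narrower skip pattern also brings other `slf4j-*` JARs back into the scan, while the jarsToScan entry re-enables only the taglib.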



Re: [Tomcat Wiki] Update of "Security/Ciphers" by markt

2016-03-31 Thread Mark Thomas
On 31/03/2016 15:49, Konstantin Kolinko wrote:
> 2016-03-31 17:16 GMT+03:00 Apache Wiki :
>> Dear Wiki user,
>>
>> You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for 
>> change notification.
>>
>> The "Security/Ciphers" page has been changed by markt:
>> https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=14=15
>>
>> Comment:
>> Update the Tomcat 8.5 results. Split out JSSE, JSSE+OpenSSL and OpenSSL into 
>> separate tables
>>
>>
>>   There is no right choice since there are always trade-offs to make between 
>> better security better interoperability, better performance etc.. Where you 
>> choose to draw that line is a choice you need to make. The following 
>> information is provided to help you make that choice. The ratings provided 
>> are those calculated by the excellent [[https://www.ssllabs.com/ssltest|SSL 
>> Labs Test]]. Keep in mind that, as more vulnerabilities are discovered, 
>> these ratings are only ever going to get worse over time. The results shown 
>> on this page were correct at the time they were generated.
>>
>> - As of May 2015, 1024-bit DHE is 
>> [[https://www.schneier.com/blog/archives/2015/05/the_logjam_and_.html|considered]]
>>  [[https://weakdh.org/imperfect-forward-secrecy.pdf|breakable]] by 
>> nation-state adversaries. 2048-bit DHE is recommended. 2048-bit DHE may be 
>> configured with JSSE connectors (BIO, NIO, NIO2) using JVM parameter, and 
>> for APR connector Apache Tomcat Native Library 1.2.2 (or later) should be 
>> used.
> 
> 
> 1). The above note was removed...

That was deliberate. We don't explain the reason for any of the other
exclusions and DHE key size, where it matters, is referenced in the notes.

>> + == BIO/NIO/NIO2 with JSSE Results (Default) ==
>>
>>
>> + == NIO/NIO2 with JSSE+OpenSSL Results (Default) ==
>> +
>> + |||| Java 5 || Java 6 || Java 7 || Java 8 ||
>> + || Tomcat 8.5 ||  N/A   ||  N/A   ||   A||   A||
>> + || Tomcat 9   ||  N/A   ||  N/A   ||  N/A   ||   A||
>> +
>> +
>> - Note: Tomcat 9 with JSSE/OpenSSL and JSSE config requires a 1.2.6 
>> tc-native release to achieve an A since, without it, the full certificate 
>> chain is not presented to the client.
>> + Note: JSSE+OpenSSL and JSSE config requires a 1.2.6 tc-native release to 
>> achieve an A since, without it, the full certificate chain is not presented 
>> to the client.
>> +
>> + The equivalent OpenSSL cipher configurations used to obtain the above 
>> results are:
>> +
>> + || Java 7 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!DHE ||
>> + || Java 8 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA ||
>> +
>> + Note: Java 7 DHE ciphers sue a 768 bit DH key which is considered insecure 
>> which is why those ciphers are excluded only for Java 7.
> 
> 2). Typo: s/ sue / use /

Will be fixed in the next commit.

> 3). I do not understand the above Note. This section is
> "JSSE+OpenSSL",  so it uses OpenSSL ciphers. The Java SSE
> implementation of those should not matter.

That note was in the wrong section. With so much editing going on I
missed that. Will be fixed in the next commit.

> To add here:
> Oracle Java 8 documentation to change size of an EDH key:
> 
> https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys
> 
> The system property name is "jdk.tls.ephemeralDHKeySize".

Tomcat now sets this by default (at least it does for 8, 8.5 and 9 and
will be 7 and 6 by the time I have finished this exercise) so I don't
think it is worthy of an explicit mention here.

Mark

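The cipher strings in the wiki tables quoted in this thread name their exclusions explicitly, so they can be expanded with the local OpenSSL build and checked suite by suite. The following is an added example, not part of the original mails or of Tomcat: `expand`, `findings`, `audit` and the `POLICY` table are this example's own names, the per-Java-version policy is read off the wiki notes, and the expansion reflects the OpenSSL that Python is linked against rather than a JSSE cipher list.

```python
import ssl

# Cipher strings as given in the Security/Ciphers wiki tables on this page.
WIKI_STRINGS = {
    "Java 6": "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!DHE",
    "Java 7": "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!DHE",
    "Java 8": "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA",
}

# Policy read off the wiki notes: kRSA is tolerated only for Java 6, and DHE
# is excluded for Java 7 and earlier.
POLICY = {
    "Java 6": {"forbid_rsa_kx": False, "forbid_dhe": True},
    "Java 7": {"forbid_rsa_kx": True, "forbid_dhe": True},
    "Java 8": {"forbid_rsa_kx": True, "forbid_dhe": False},
}


def expand(cipher_string):
    """Suites the local OpenSSL build selects for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def findings(cipher, forbid_rsa_kx=True, forbid_dhe=False):
    """Reasons why one suite (a dict shaped like get_ciphers() output) breaks the policy."""
    name = cipher.get("name", "")
    kea = cipher.get("kea")
    reasons = []
    if cipher.get("auth") == "auth-null":
        reasons.append("anonymous key exchange")
    if "NULL" in name:
        reasons.append("no encryption")
    if "RC4" in name:
        reasons.append("RC4")
    if "MD5" in name or cipher.get("digest") == "md5":
        reasons.append("MD5 MAC")
    if forbid_rsa_kx and kea == "kx-rsa":
        reasons.append("RSA key exchange, no forward secrecy")
    if forbid_dhe and kea == "kx-dhe":
        reasons.append("DHE key exchange")
    return reasons


def audit(cipher_string, **policy):
    """Map suite name -> reasons for every selected suite that breaks the policy."""
    bad = {}
    for cipher in expand(cipher_string):
        reasons = findings(cipher, **policy)
        if reasons:
            bad[cipher["name"]] = reasons
    return bad


def audit_wiki_strings():
    """Audit each wiki string against the policy stated for its Java version."""
    return {label: audit(s, **POLICY[label]) for label, s in WIKI_STRINGS.items()}


# Constructed suite descriptions, used to show the checks without an OpenSSL call.
SAMPLE_SUITES = [
    {"name": "AES128-SHA", "kea": "kx-rsa", "auth": "auth-rsa", "digest": "sha1"},
    {"name": "DHE-RSA-AES128-SHA", "kea": "kx-dhe", "auth": "auth-rsa", "digest": "sha1"},
    {"name": "AECDH-NULL-SHA", "kea": "kx-ecdhe", "auth": "auth-null", "digest": "sha1"},
]

if __name__ == "__main__":
    for label, bad in audit_wiki_strings().items():
        print(label, "violations:", sorted(bad) or "none")
    # "ALL" was the APR default before r1737253; count what it lets through.
    print('"ALL":', len(audit("ALL")), "suites break the Java 8 policy")
```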



[Bug 59255] 404 due to NullPointer in Mapper.java

2016-03-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59255

Remy Maucherat  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #1 from Remy Maucherat  ---
Certainly this sort of occurrence is not going to be logged. Besides concurrent
recycling, I don't really see what could cause it as mappingData.context is set
right before calling internalMapWrapper, so it's really something that is up to
you to debug.

IMO this should be INVALID until you demonstrate some reasonably legitimate
course of action that leads to the NPE.



Re: [Tomcat Wiki] Update of "Security/Ciphers" by markt

2016-03-31 Thread Konstantin Kolinko
2016-03-31 17:16 GMT+03:00 Apache Wiki :
> Dear Wiki user,
>
> You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for 
> change notification.
>
> The "Security/Ciphers" page has been changed by markt:
> https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=14=15
>
> Comment:
> Update the Tomcat 8.5 results. Split out JSSE, JSSE+OpenSSL and OpenSSL into 
> separate tables
>
>
>   There is no right choice since there are always trade-offs to make between 
> better security better interoperability, better performance etc.. Where you 
> choose to draw that line is a choice you need to make. The following 
> information is provided to help you make that choice. The ratings provided 
> are those calculated by the excellent [[https://www.ssllabs.com/ssltest|SSL 
> Labs Test]]. Keep in mind that, as more vulnerabilities are discovered, these 
> ratings are only ever going to get worse over time. The results shown on this 
> page were correct at the time they were generated.
>
> - As of May 2015, 1024-bit DHE is 
> [[https://www.schneier.com/blog/archives/2015/05/the_logjam_and_.html|considered]]
>  [[https://weakdh.org/imperfect-forward-secrecy.pdf|breakable]] by 
> nation-state adversaries. 2048-bit DHE is recommended. 2048-bit DHE may be 
> configured with JSSE connectors (BIO, NIO, NIO2) using JVM parameter, and for 
> APR connector Apache Tomcat Native Library 1.2.2 (or later) should be used.


1). The above note was removed...

> + == BIO/NIO/NIO2 with JSSE Results (Default) ==
>
>
> + == NIO/NIO2 with JSSE+OpenSSL Results (Default) ==
> +
> + |||| Java 5 || Java 6 || Java 7 || Java 8 ||
> + || Tomcat 8.5 ||  N/A   ||  N/A   ||   A||   A||
> + || Tomcat 9   ||  N/A   ||  N/A   ||  N/A   ||   A||
> +
> +
> - Note: Tomcat 9 with JSSE/OpenSSL and JSSE config requires a 1.2.6 tc-native 
> release to achieve an A since, without it, the full certificate chain is not 
> presented to the client.
> + Note: JSSE+OpenSSL and JSSE config requires a 1.2.6 tc-native release to 
> achieve an A since, without it, the full certificate chain is not presented 
> to the client.
> +
> + The equivalent OpenSSL cipher configurations used to obtain the above 
> results are:
> +
> + || Java 7 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!DHE ||
> + || Java 8 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA ||
> +
> + Note: Java 7 DHE ciphers sue a 768 bit DH key which is considered insecure 
> which is why those ciphers are excluded only for Java 7.

2). Typo: s/ sue / use /

3). I do not understand the above Note. This section is
"JSSE+OpenSSL",  so it uses OpenSSL ciphers. The Java SSE
implementation of those should not matter.


To add here:
Oracle Java 8 documentation to change size of an EDH key:

https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys

The system property name is "jdk.tls.ephemeralDHKeySize".


> + == APR with OpenSSL Results (Default) ==




[Tomcat Wiki] Update of "Security/Ciphers" by markt

2016-03-31 Thread Apache Wiki
The "Security/Ciphers" page has been changed by markt:
https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=14=15

Comment:
Update the Tomcat 8.5 results. Split out JSSE, JSSE+OpenSSL and OpenSSL into 
separate tables

  
  There is no right choice since there are always trade-offs to make between 
better security better interoperability, better performance etc.. Where you 
choose to draw that line is a choice you need to make. The following 
information is provided to help you make that choice. The ratings provided are 
those calculated by the excellent [[https://www.ssllabs.com/ssltest|SSL Labs 
Test]]. Keep in mind that, as more vulnerabilities are discovered, these 
ratings are only ever going to get worse over time. The results shown on this 
page were correct at the time they were generated.
  
- As of May 2015, 1024-bit DHE is 
[[https://www.schneier.com/blog/archives/2015/05/the_logjam_and_.html|considered]]
 [[https://weakdh.org/imperfect-forward-secrecy.pdf|breakable]] by nation-state 
adversaries. 2048-bit DHE is recommended. 2048-bit DHE may be configured with 
JSSE connectors (BIO, NIO, NIO2) using JVM parameter, and for APR connector 
Apache Tomcat Native Library 1.2.2 (or later) should be used.
+ == BIO/NIO/NIO2 with JSSE Results (Default) ==
  
- 
- == JSSE (BIO/NIO/NIO2) Results (Default) ==
- 
- ||   || Java 5 || Java 6 || Java 7 || Java 8 ||
+ |||| Java 5 || Java 6 || Java 7 || Java 8 ||
- || Tomcat 6 (JSSE)   ||   C||   C||   C||   B||
+ || Tomcat 6   ||   C||   C||   C||   B||
- || Tomcat 7 (JSSE)   ||  N/A   ||   C||   C||   B||
+ || Tomcat 7   ||  N/A   ||   C||   C||   B||
- || Tomcat 8 (JSSE)   ||  N/A   ||  N/A   ||   A||   A||
+ || Tomcat 8   ||  N/A   ||  N/A   ||   A||   A||
- || Tomcat 8 (APR/OpenSSL)||  N/A   ||  N/A   ||   A||   A||
+ || Tomcat 8.5 ||  N/A   ||  N/A   ||   A||   A||
- || Tomcat 8.5 (JSSE) ||  N/A   ||  N/A   ||  TBD   ||  TBD   ||
- || Tomcat 8.5 (JSSE/OpenSSL) ||  N/A   ||  N/A   ||  TBD   ||  TBD   ||
- || Tomcat 8.5 (APR/OpenSSL)  ||  N/A   ||  N/A   ||  TBD   ||  TBD   ||
- || Tomcat 9 (JSSE)   ||  N/A   ||  N/A   ||  N/A   ||   A||
+ || Tomcat 9   ||  N/A   ||  N/A   ||  N/A   ||   A||
- || Tomcat 9 (JSSE/OpenSSL)   ||  N/A   ||  N/A   ||  N/A   ||   A||
- || Tomcat 9 (APR/OpenSSL)||  N/A   ||  N/A   ||  N/A   ||   A||
  
  Note: These results were obtained using the JCE Unlimited Strength 
Jurisdiction Policy Files
  
+ == NIO/NIO2 with JSSE+OpenSSL Results (Default) ==
+ 
+ |||| Java 5 || Java 6 || Java 7 || Java 8 ||
+ || Tomcat 8.5 ||  N/A   ||  N/A   ||   A||   A||
+ || Tomcat 9   ||  N/A   ||  N/A   ||  N/A   ||   A||
+ 
+ 
- Note: Tomcat 9 with JSSE/OpenSSL and JSSE config requires a 1.2.6 tc-native 
release to achieve an A since, without it, the full certificate chain is not 
presented to the client.
+ Note: JSSE+OpenSSL and JSSE config requires a 1.2.6 tc-native release to 
achieve an A since, without it, the full certificate chain is not presented to 
the client.
+ 
+ The equivalent OpenSSL cipher configurations used to obtain the above results 
are:
+ 
+ || Java 7 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!DHE ||
+ || Java 8 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA ||
+ 
+ Note: Java 7 DHE ciphers sue a 768 bit DH key which is considered insecure 
which is why those ciphers are excluded only for Java 7.
+ 
+ == APR with OpenSSL Results (Default) ==
+ 
+ |||| Java 5 || Java 6 || Java 7 || Java 8 ||
+ || Tomcat 6   ||  TBD   ||  TBD   ||  TBD   ||  TBD   ||
+ || Tomcat 7   ||  N/A   ||  TBD   ||  TBD   ||  TBD   ||
+ || Tomcat 8   ||  N/A   ||  N/A   ||   A||   A||
+ || Tomcat 8.5 ||  N/A   ||  N/A   ||   A||   A||
+ || Tomcat 9   ||  N/A   ||  N/A   ||  N/A   ||   A||
+ 
+ The OpenSSL cipher configuration used was 
'''HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA'''. Up-to-date selection of 
secure cipher suites in OpenSSL format is available at 
[[https://wiki.mozilla.org/Security/Server_Side_TLS|Mozilla wiki]].
+ 
  
  == JSSE (BIO/NIO/NIO2) Results (Improved) ==
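
Review bot: In the added note under the JSSE+OpenSSL cipher table, "Java 7 DHE ciphers sue a 768 bit DH key" should read "use". The same edit deletes the paragraph that pointed readers to 2048-bit DHE (the JVM parameter for JSSE connectors, Apache Tomcat Native Library 1.2.2 or later for APR). The page now explains why DHE is excluded on Java 7 but no longer says how to get 2048-bit DHE elsewhere; consider keeping a shortened form of that guidance next to the new cipher strings.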
  
@@ -50, +68 @@

* Java 8
 * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  
- ''(It might be nice to provide the OpenSSL-style cipher suites arcana for the 
versions of Tomcat that support it)''
- 
  == Environment ==
  
  The results above were generated with:
@@ -62, +78 @@

   * Apache Tomcat 6.0.44-dev, r1664561. This is after the commit that disabled 
SSLv2 and SSLv3.
   * Apache Tomcat 7.0.60-dev, r1664373.
   * Apache Tomcat 8.0.34-dev, r1737224.
-  * Apache Tomcat 8.5.1-dev, 

svn commit: r1737241 - in /tomcat/tc8.5.x/trunk: java/org/apache/tomcat/util/compat/ java/org/apache/tomcat/util/net/ webapps/docs/

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 13:47:30 2016
New Revision: 1737241

URL: http://svn.apache.org/viewvc?rev=1737241=rev
Log:
Exclude weak DH keys for JSSE when running on Java 7.
This improves the SSL Labs score for the default config to A.

Added:
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java
  - copied unchanged from r1737212, 
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java
  - copied unchanged from r1737212, 
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java

tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/compat/LocalStrings.properties
  - copied unchanged from r1737212, 
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/LocalStrings.properties
Modified:
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml

Modified: 
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1737241=1737240=1737241=diff
==
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java 
(original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Thu 
Mar 31 13:47:30 2016
@@ -30,6 +30,7 @@ import javax.net.ssl.TrustManagerFactory
 
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
 import 
org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser;
 import org.apache.tomcat.util.res.StringManager;
@@ -42,6 +43,8 @@ public class SSLHostConfig {
 private static final Log log = LogFactory.getLog(SSLHostConfig.class);
 private static final StringManager sm = 
StringManager.getManager(SSLHostConfig.class);
 
+private static final String DEFAULT_CIPHERS = 
"HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
+
 protected static final String DEFAULT_SSL_HOST_NAME = "_default_";
 protected static final Set SSL_PROTO_ALL = new HashSet<>();
 
@@ -81,7 +84,7 @@ public class SSLHostConfig {
 private String certificateRevocationListFile;
 private CertificateVerification certificateVerification = 
CertificateVerification.NONE;
 private int certificateVerificationDepth = 10;
-private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
+private String ciphers;
 private LinkedHashSet cipherList = null;
 private List jsseCipherNames = null;
 private boolean honorCipherOrder = false;
@@ -320,13 +323,21 @@ public class SSLHostConfig {
  * @return An OpenSSL cipher string for the current configuration.
  */
 public String getCiphers() {
+if (ciphers == null) {
+if (!JreCompat.isJre8Available() && Type.JSSE.equals(configType)) {
+ciphers = DEFAULT_CIPHERS + ":!DHE";
+} else {
+ciphers = DEFAULT_CIPHERS;
+}
+
+}
 return ciphers;
 }
 
 
 public LinkedHashSet getCipherList() {
 if (cipherList == null) {
-cipherList = OpenSSLCipherConfigurationParser.parse(ciphers);
+cipherList = OpenSSLCipherConfigurationParser.parse(getCiphers());
 }
 return cipherList;
 }
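
Review bot: In getCiphers(), the default is computed on the first call and then stored in the ciphers field, so the Java 7 ":!DHE" decision is frozen with whatever configType holds at that moment. If getCiphers() or getCipherList() can run before configType is set, or configType can change afterwards, a JSSE host on Java 7 ends up with DEFAULT_CIPHERS without ":!DHE". Consider returning the computed default without assigning it to the field, or clearing ciphers and cipherList wherever configType is set. The empty line before the closing brace of the if block can also go.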

Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1737241=1737240=1737241=diff
==
--- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Thu Mar 31 13:47:30 2016
@@ -93,6 +93,11 @@
 The default value is -Djdk.tls.ephemeralDHKeySize=2048
 which protects against weak Diffie-Hellman keys. (markt)
   
+  
+When running on Java 7, exclude DHE ciphers from the default cipher 
list
+for JSSE connectors since they use weak 768 bit DH keys and cannot be
+configured to use more secure keys. (markt)
+  
 
   
   






buildbot success in on tomcat-8-trunk

2016-03-31 Thread buildbot
The Buildbot has detected a restored build on builder tomcat-8-trunk while 
building . Full details are available at:
https://ci.apache.org/builders/tomcat-8-trunk/builds/528

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: silvanus_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-8-commit' 
triggered this build
Build Source Stamp: [branch tomcat/tc8.0.x/trunk] 1737224
Blamelist: markt

Build succeeded!

Sincerely,
 -The Buildbot







[jira] [Commented] (MTOMCAT-263) tomcat7:exec-war can't create .extract/webapps

2016-03-31 Thread JIRA

[ 
https://issues.apache.org/jira/browse/MTOMCAT-263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15219761#comment-15219761
 ] 

Sergio Fernández commented on MTOMCAT-263:
--

Sorry, it actually works, so ignore the first line of my previous comment. The 
two questions remain valid.




[Tomcat Wiki] Update of "Security/Ciphers" by markt

2016-03-31 Thread Apache Wiki

The "Security/Ciphers" page has been changed by markt:
https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=13=14

Comment:
Update Tomcat 8 results. No longer need the improved results for Tomcat 8.

  ||   || Java 5 || Java 6 || Java 7 || Java 8 ||
  || Tomcat 6 (JSSE)   ||   C||   C||   C||   B||
  || Tomcat 7 (JSSE)   ||  N/A   ||   C||   C||   B||
- || Tomcat 8 (JSSE)   ||  N/A   ||  N/A   ||   A-   ||   A-   ||
+ || Tomcat 8 (JSSE)   ||  N/A   ||  N/A   ||   A||   A||
- || Tomcat 8 (APR/OpenSSL)||  N/A   ||  N/A   ||   A-   ||   A-   ||
+ || Tomcat 8 (APR/OpenSSL)||  N/A   ||  N/A   ||   A||   A||
- || Tomcat 8.5 (JSSE) ||  N/A   ||  N/A   ||  N/A   ||  TBD   ||
+ || Tomcat 8.5 (JSSE) ||  N/A   ||  N/A   ||  TBD   ||  TBD   ||
- || Tomcat 8.5 (JSSE/OpenSSL) ||  N/A   ||  N/A   ||  N/A   ||  TBD   ||
+ || Tomcat 8.5 (JSSE/OpenSSL) ||  N/A   ||  N/A   ||  TBD   ||  TBD   ||
- || Tomcat 8.5 (APR/OpenSSL)  ||  N/A   ||  N/A   ||  N/A   ||  TBD   ||
+ || Tomcat 8.5 (APR/OpenSSL)  ||  N/A   ||  N/A   ||  TBD   ||  TBD   ||
  || Tomcat 9 (JSSE)   ||  N/A   ||  N/A   ||  N/A   ||   A||
  || Tomcat 9 (JSSE/OpenSSL)   ||  N/A   ||  N/A   ||  N/A   ||   A||
  || Tomcat 9 (APR/OpenSSL)||  N/A   ||  N/A   ||  N/A   ||   A||
@@ -30, +30 @@

  ||  || Java 5 || Java 6 || Java 7 || Java 8 ||
  || Tomcat 6 ||   B||   B||   A-   ||   A||
  || Tomcat 7 ||  N/A   ||   B||   A-   ||   A||
- || Tomcat 8 ||  N/A   ||  N/A   ||   A-   ||   A||
  
  
  
@@ -62, +61 @@

   * Java 8, 64-bit, update 77
   * Apache Tomcat 6.0.44-dev, r1664561. This is after the commit that disabled 
SSLv2 and SSLv3.
   * Apache Tomcat 7.0.60-dev, r1664373.
-  * Apache Tomcat 8.0.34-dev, r1737213.
+  * Apache Tomcat 8.0.34-dev, r1737224.
   * Apache Tomcat 8.5.1-dev, r1737213.
   * Apache Tomcat 9.0.0.M5-dev, r1737193.
  




[Bug 59255] New: 404 due to NullPointer in Mapper.java

2016-03-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59255

Bug ID: 59255
   Summary: 404 due to NullPointer in Mapper.java
   Product: Tomcat 8
   Version: 8.0.29
  Hardware: PC
OS: Linux
Status: NEW
  Severity: major
  Priority: P2
 Component: Catalina
  Assignee: dev@tomcat.apache.org
  Reporter: mmikolajc...@xtm-intl.com

Since updating to Tomcat 8.0.29 we have noticed problems in our Struts-based
application. Some actions at random moments returned 404 errors without any
log. The same problem appeared in 8.0.30-33. We analyzed the changes made between
versions 8.0.28 and 8.0.29 and, by adding them one by one, we found that the
problem is caused by org.apache.catalina.mapper.Mapper and the new properties in
Context: mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled.
mappingData.context.getMapper...RedirectEnabled() throws in some situations
a null pointer exception because mappingData.context is null.

After changing code of Mapper.java in Tomcat 8.0.33 and recompiling we
confirmed that
changes:879c879,883
< if(mappingData.wrapper == null && noServletPath) {
---
>   if (mappingData.wrapper == null && noServletPath && mappingData.context 
> == null){
>   log.error("Kaboom:  " + mappingData.toString());
>   } else {
> if(mappingData.wrapper == null && noServletPath &&
> mappingData.context.getMapperContextRootRedirectEnabled()) {
887a892
>   }
1006c1011,1015
< if (file != null && file.isDirectory()) {
---
>   if (file != null && file.isDirectory() && mappingData.context 
> == null){
>   log.error("Kaboom:   " + mappingData.toString());
>   } else {
> if (file != null && file.isDirectory() &&
> 
> mappingData.context.getMapperDirectoryRedirectEnabled()) {
1017a1027
>   }
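
Review bot: Both added guards log mappingData.toString(), which prints only the object identity, as the catalina.out lines that follow show (MappingData@6443d97d). To find out why mappingData.context is null at these two points, log the individual MappingData fields and the path being mapped instead of the object itself. The guard stops the exception but does not explain the missing context, so the 404 would still need to be traced from that extra detail.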

logs in catalina.out:
31-Mar-2016 10:23:28.633 SEVERE [ajp-nio-0.0.0.0-8009-exec-1]
org.apache.catalina.mapper.Mapper.internalMapWrapper Kaboom:  
org.apache.catalina.mapper.MappingData@6443d97d
31-Mar-2016 10:24:40.946 SEVERE [ajp-nio-0.0.0.0-8009-exec-1]
org.apache.catalina.mapper.Mapper.internalMapWrapper Kaboom:  
org.apache.catalina.mapper.MappingData@6443d97d
31-Mar-2016 10:25:26.272 SEVERE [ajp-nio-0.0.0.0-8009-exec-3]
org.apache.catalina.mapper.Mapper.internalMapWrapper Kaboom:  
org.apache.catalina.mapper.MappingData@14a421a8

If there is anything that we can do to help you solve this problem please send
us information how we can help.

-- 
You are receiving this mail because:
You are the assignee for the bug.




svn commit: r1737224 - in /tomcat/tc8.0.x/trunk: java/org/apache/tomcat/util/net/AbstractEndpoint.java webapps/docs/changelog.xml webapps/docs/config/http.xml

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 11:08:11 2016
New Revision: 1737224

URL: http://svn.apache.org/viewvc?rev=1737224=rev
Log:
Default ciphers +="!kRSA"
SSL Labs now reports an A grade for the default TLS config for JSSE and 
APR/native with Java 7 and 8.

Modified:
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml

Modified: 
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1737224=1737223=1737224=diff
==
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java 
(original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java 
Thu Mar 31 11:08:11 2016
@@ -53,7 +53,7 @@ public abstract class AbstractEndpointhttp://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1737224=1737223=1737224=diff
==
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Thu Mar 31 11:08:11 2016
@@ -84,6 +84,10 @@
 The default value is -Djdk.tls.ephemeralDHKeySize=2048
 which protects against weak Diffie-Hellman keys with Java 8. (markt)
   
+  
+Exclude ciphers that use RSA keys from the default cipher list since
+they do not support forward secrecy. (markt)
+  
 
   
   
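
Review bot: The new changelog entry says the default excludes "ciphers that use RSA keys", but the commit adds "!kRSA", which in OpenSSL notation removes RSA key exchange only. Suites that authenticate with an RSA certificate and use an ephemeral key exchange stay in the default. Suggest wording it as "ciphers that use RSA key exchange" so readers do not conclude that RSA certificates are no longer usable.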

Modified: tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml?rev=1737224=1737223=1737224=diff
==
--- tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml Thu Mar 31 11:08:11 2016
@@ -1121,7 +1121,9 @@
   of ciphers supported and the syntax). The behaviour of this filtering is
   kept aligned with the behaviour of the OpenSSL 1.0.2 stable branch.
   If not specified, a default (using the OpenSSL notation) of
-  HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5 will be used.
+  HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA will be used
+  when running on Java 8 or later. On Java 7, !DHE will be
+  added to this default when using a JSSE based connector.
   Note that Java does not treat the order in which ciphers are defined 
as
   an order of preference. See useServerCipherSuitesOrder.
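
Review bot: The added sentence "On Java 7, !DHE will be added to this default when using a JSSE based connector" gives no reason and covers only the case where ciphers is not specified. Give the reason alongside it (weak DH keys on Java 7) and state that an explicitly configured ciphers value on Java 7 does not get !DHE appended, so it has to be added by hand.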
 






[jira] [Commented] (MTOMCAT-263) tomcat7:exec-war can't create .extract/webapps

2016-03-31 Thread JIRA

[ 
https://issues.apache.org/jira/browse/MTOMCAT-263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15219736#comment-15219736
 ] 

Sergio Fernández commented on MTOMCAT-263:
--

I'm still getting the same issue with {{2.3-SNAPSHOT}} available in the ASF 
snapshot repo... 

So two questions:
1. When do you plan to have {{2.3}} out?
2. Is there any pre-release build available?




[Tomcat Wiki] Update of "Security/Ciphers" by markt

2016-03-31 Thread Apache Wiki

The "Security/Ciphers" page has been changed by markt:
https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=12=13

Comment:
Add placeholders for 8.5.x

  
  == JSSE (BIO/NIO/NIO2) Results (Default) ==
  
- || || Java 5 || Java 6 || Java 7 || Java 8 ||
+ ||   || Java 5 || Java 6 || Java 7 || Java 8 ||
- || Tomcat 6 (JSSE) ||   C||   C||   C||   B||
+ || Tomcat 6 (JSSE)   ||   C||   C||   C||   B||
- || Tomcat 7 (JSSE) ||  N/A   ||   C||   C||   B||
+ || Tomcat 7 (JSSE)   ||  N/A   ||   C||   C||   B||
+ || Tomcat 8 (JSSE)   ||  N/A   ||  N/A   ||   A-   ||   A-   ||
+ || Tomcat 8 (APR/OpenSSL)||  N/A   ||  N/A   ||   A-   ||   A-   ||
- || Tomcat 8 (JSSE) ||  N/A   ||  N/A   ||   A-   ||  TBD   ||
+ || Tomcat 8.5 (JSSE) ||  N/A   ||  N/A   ||  N/A   ||  TBD   ||
+ || Tomcat 8.5 (JSSE/OpenSSL) ||  N/A   ||  N/A   ||  N/A   ||  TBD   ||
- || Tomcat 8 (APR/OpenSSL)  ||  N/A   ||  N/A   ||  TBD   ||  TBD   ||
+ || Tomcat 8.5 (APR/OpenSSL)  ||  N/A   ||  N/A   ||  N/A   ||  TBD   ||
- || Tomcat 9 (JSSE) ||  N/A   ||  N/A   ||  N/A   ||   A||
+ || Tomcat 9 (JSSE)   ||  N/A   ||  N/A   ||  N/A   ||   A||
- || Tomcat 9 (JSSE/OpenSSL) ||  N/A   ||  N/A   ||  N/A   ||   A||
+ || Tomcat 9 (JSSE/OpenSSL)   ||  N/A   ||  N/A   ||  N/A   ||   A||
- || Tomcat 9 (APR/OpenSSL)  ||  N/A   ||  N/A   ||  N/A   ||   A||
+ || Tomcat 9 (APR/OpenSSL)||  N/A   ||  N/A   ||  N/A   ||   A||
  
  Note: These results were obtained using the JCE Unlimited Strength 
Jurisdiction Policy Files
  
- Note: Tomcat 9 with JSSE/OpenSSL and JSSE config requires a 1.2.6 tc-native 
release to achieve an A since without it the full certificate chain is not 
presented to the client.
+ Note: Tomcat 9 with JSSE/OpenSSL and JSSE config requires a 1.2.6 tc-native 
release to achieve an A since, without it, the full certificate chain is not 
presented to the client.
  
  == JSSE (BIO/NIO/NIO2) Results (Improved) ==
  
@@ -59, +62 @@

   * Java 8, 64-bit, update 77
   * Apache Tomcat 6.0.44-dev, r1664561. This is after the commit that disabled 
SSLv2 and SSLv3.
   * Apache Tomcat 7.0.60-dev, r1664373.
-  * Apache Tomcat 8.0.34-dev, r1737212.
+  * Apache Tomcat 8.0.34-dev, r1737213.
+  * Apache Tomcat 8.5.1-dev, r1737213.
   * Apache Tomcat 9.0.0.M5-dev, r1737193.
  
  == APR/native ==




buildbot failure in on tomcat-8-trunk

2016-03-31 Thread buildbot
The Buildbot has detected a new failure on builder tomcat-8-trunk while 
building . Full details are available at:
https://ci.apache.org/builders/tomcat-8-trunk/builds/527

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: silvanus_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-8-commit' 
triggered this build
Build Source Stamp: [branch tomcat/tc8.0.x/trunk] 1737213
Blamelist: markt

BUILD FAILED: failed compile_1

Sincerely,
 -The Buildbot







svn commit: r1737213 - in /tomcat/tc8.0.x/trunk: ./ bin/catalina.bat bin/catalina.sh webapps/docs/changelog.xml

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 10:12:48 2016
New Revision: 1737213

URL: http://svn.apache.org/viewvc?rev=1737213=rev
Log:
Enable strong DH keys by default with Java 8

Modified:
tomcat/tc8.0.x/trunk/   (props changed)
tomcat/tc8.0.x/trunk/bin/catalina.bat
tomcat/tc8.0.x/trunk/bin/catalina.sh
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc8.0.x/trunk/
--
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Mar 31 10:12:48 2016
@@ -1,2 +1,2 @@
 /tomcat/tc8.5.x/trunk:1735042
-/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1637890,1637892,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886
 
,1644890,1644892,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1649973,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574,1653797,1653815-1653816,1653819,1653840,1653857,1653888,1653972,1654013,1654030,1654050,1654123,1654148,1654159,1654513,1654515,1654517,1654522,1654524,1654725,1654735,1654766,1654785,1654851-1654852,1654978,1655122-1655124,1655126-1655127,1655129-1655130,1655132-1655133,1655312,1655351,1655438,1655441,1655454,168,1656087,1656299,1656319,1656331,1656345,1656350,1656590,1656648-1656650,1656657,1657041,1657054,1657374,1657492,1657510,1657565,1657580,1657584,1657586,1657589,1657
 
592,1657607,1657609,1657682,1657907,1658207,1658734,1658781,1658790,1658799,1658802,1658804,1658833,1658840,1658966,1659043,1659053,1659059,1659174,1659184,1659188-1659189,1659216,1659263,1659293,1659304,1659306-1659307,1659382,1659384,1659428,1659471,1659486,1659505,1659516,1659521,1659524,1659559,1659562,1659803,1659806,1659814,1659833,1659862,1659905,1659919,1659948,1659967,1659983-1659984,1660060,1660074,1660077,1660133,1660168,1660331-1660332,1660353,1660358,1660924,1661386,1661770,1661867,1661972,1661990,1662200,1662308-1662309,1662548,1662614,1662696,1662736,1662985,1662988-1662989,1663264,1663277,1663298,1663534,1663562,1663676,1663715,1663754,1663768,1663772,1663781,1663893,1663995,1664143,1664163,1664174,1664301,1664317,1664347,1664657,1664659,1664710,1664863-1664864,1664866,1665085,1665292,1665559,1665653,1665661,1665672,1665694,1665697,1665736,1665779,1665976-1665977,1665980-1665981,1665985-1665986,1665989,1665998,1666004,1666008,1666013,1666017,1666024,1666116,1666386-1
 
666387,1666494,1666496,1666552,1666569,1666579,137,149,1666757,1666966,1666972,1666985,1666995,1666997,1667292,1667402,1667406,1667546,1667615,1667630,1667636,1667688,1667764,1667871,1668026,1668135,1668193,1668593,1668596,1668630,1668639,1668843,1669353,1669370,1669451,1669800,1669838,1669876,1669882,1670394,1670433,1670591,1670598-1670600,1670610,1670631,1670719,1670724,1670726,1670730,1670940,1671112,1672272,1672284,1673754,1674294,1675461,1675486,1675594,1675830,1676231,1676250-1676251,1676364,1676381,1676393,1676479,1676525,1676552,1676615,1676630,1676634,1676721,1676926,1676943,1677140,1677802,1678011,1678162,1678174,1678339,1678426-1678427,1678694,1678701,1679534,1679708,1679710,1679716,1680034,1680246,1681056,1681123,1681138,1681280,1681283,1681286,1681450,1681697,1681699,1681701,1681729,1681770,1681779,1681793,1681807,1681837-1681838,1681854,1681862,1681958,1682028,1682033,1682311,1682315,1682317,1682320,1682324,1682330,1682842,1684172,1684366,1684383,1684526-168452
 

[Tomcat Wiki] Update of "Security/Ciphers" by markt

2016-03-31 Thread Apache Wiki

The "Security/Ciphers" page has been changed by markt:
https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=11=12

Comment:
Update Tomcat 8 results

  || || Java 5 || Java 6 || Java 7 || Java 8 ||
  || Tomcat 6 (JSSE) ||   C||   C||   C||   B||
  || Tomcat 7 (JSSE) ||  N/A   ||   C||   C||   B||
- || Tomcat 8 (JSSE) ||  N/A   ||  N/A   ||   C||   B||
+ || Tomcat 8 (JSSE) ||  N/A   ||  N/A   ||   A-   ||  TBD   ||
+ || Tomcat 8 (APR/OpenSSL)  ||  N/A   ||  N/A   ||  TBD   ||  TBD   ||
  || Tomcat 9 (JSSE) ||  N/A   ||  N/A   ||  N/A   ||   A||
  || Tomcat 9 (JSSE/OpenSSL) ||  N/A   ||  N/A   ||  N/A   ||   A||
  || Tomcat 9 (APR/OpenSSL)  ||  N/A   ||  N/A   ||  N/A   ||   A||
@@ -54, +55 @@

  The results above were generated with:
   * Java 5, 64-bit, update 22
   * Java 6, 64-bit, update 45
-  * Java 7, 64-bit, update 76
+  * Java 7, 64-bit, update 80
   * Java 8, 64-bit, update 77
   * Apache Tomcat 6.0.44-dev, r1664561. This is after the commit that disabled 
SSLv2 and SSLv3.
   * Apache Tomcat 7.0.60-dev, r1664373.
-  * Apache Tomcat 8.0.21-dev, r1664594.
+  * Apache Tomcat 8.0.34-dev, r1737212.
   * Apache Tomcat 9.0.0.M5-dev, r1737193.
  
  == APR/native ==




buildbot success in on tomcat-8-trunk

2016-03-31 Thread buildbot
The Buildbot has detected a restored build on builder tomcat-8-trunk while 
building . Full details are available at:
https://ci.apache.org/builders/tomcat-8-trunk/builds/525

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: silvanus_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-8-commit' 
triggered this build
Build Source Stamp: [branch tomcat/tc8.0.x/trunk] 1737211
Blamelist: markt

Build succeeded!

Sincerely,
 -The Buildbot







svn commit: r1737212 - in /tomcat/tc8.0.x/trunk: java/org/apache/tomcat/util/net/JIoEndpoint.java java/org/apache/tomcat/util/net/Nio2Endpoint.java java/org/apache/tomcat/util/net/NioEndpoint.java web

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 09:57:37 2016
New Revision: 1737212

URL: http://svn.apache.org/viewvc?rev=1737212=rev
Log:
Exclude weak DH keys for JSSE when running on Java 7.
This improves the SSL Labs score for the default config to A-.

Modified:
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java?rev=1737212=1737211=1737212=diff
==
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java 
(original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java Thu 
Mar 31 09:57:37 2016
@@ -27,6 +27,7 @@ import java.util.concurrent.RejectedExec
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.ExceptionUtils;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
 import org.apache.tomcat.util.net.jsse.JSSESocketFactory;
 
@@ -71,6 +72,11 @@ public class JIoEndpoint extends Abstrac
 // Reduce the executor timeout for BIO as threads in keep-alive will 
not
 // terminate when the executor interrupts them.
 setExecutorTerminationTimeoutMillis(0);
+// If running on Java 7, the insecure DHE ciphers need to be excluded 
by
+// default
+if (!JreCompat.isJre8Available()) {
+setCiphers(DEFAULT_CIPHERS + ":!DHE");
+}
 }
 
 // - Properties

Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java?rev=1737212=1737211=1737212=diff
==
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java 
(original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java Thu 
Mar 31 09:57:37 2016
@@ -46,6 +46,7 @@ import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.ExceptionUtils;
 import org.apache.tomcat.util.collections.SynchronizedStack;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
 import org.apache.tomcat.util.net.SecureNio2Channel.ApplicationBufferHandler;
 import org.apache.tomcat.util.net.jsse.NioX509KeyManager;
@@ -120,9 +121,19 @@ public class Nio2Endpoint extends Abstra
 private SynchronizedStack nioChannels;
 
 
-// - Properties
+//  Constructor
+
+public Nio2Endpoint() {
+// If running on Java 7, the insecure DHE ciphers need to be excluded 
by
+// default
+if (!JreCompat.isJre8Available()) {
+setCiphers(DEFAULT_CIPHERS + ":!DHE");
+}
+}
 
 
+// - Properties
+
 /**
  * Use the object caches to reduce GC at the expense of additional memory 
use.
  */
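
Review bot: The new Nio2Endpoint() constructor repeats, comment included, the Java 7 block that this commit also adds to the JIoEndpoint constructor. Both call setCiphers(DEFAULT_CIPHERS + ":!DHE"), so the check belongs in one place in the shared base class (or in a small helper the JSSE endpoints call). Otherwise a later change to the default can miss one connector and leave it offering DHE on Java 7.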

Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?rev=1737212=1737211=1737212=diff
==
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java 
(original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java Thu 
Mar 31 09:57:37 2016
@@ -55,6 +55,7 @@ import org.apache.tomcat.util.ExceptionU
 import org.apache.tomcat.util.IntrospectionUtils;
 import org.apache.tomcat.util.collections.SynchronizedQueue;
 import org.apache.tomcat.util.collections.SynchronizedStack;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
 import org.apache.tomcat.util.net.SecureNioChannel.ApplicationBufferHandler;
 import org.apache.tomcat.util.net.jsse.NioX509KeyManager;
@@ -143,9 +144,19 @@ public class NioEndpoint extends Abstrac
 private SynchronizedStack nioChannels;
 
 
-// - Properties
+//  Constructor
+
+public NioEndpoint() {
+// If running on Java 7, the insecure DHE ciphers need to be excluded 
by
+// default
+if 

svn commit: r1737211 - in /tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat: Jre7Compat.java Jre8Compat.java JreCompat.java

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 09:41:24 2016
New Revision: 1737211

URL: http://svn.apache.org/viewvc?rev=1737211=rev
Log:
Tomcat 8 has a minimum Java version of 7 so the Jre7Compat class can be removed

Removed:
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/Jre7Compat.java
Modified:
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java

Modified: 
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java?rev=1737211=1737210=1737211=diff
==
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java 
(original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java Thu 
Mar 31 09:41:24 2016
@@ -23,7 +23,7 @@ import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLServerSocket;
 
-class Jre8Compat extends Jre7Compat {
+class Jre8Compat extends JreCompat {
 
 private static final Method getSSLParametersMethod;
 private static final Method setUseCipherSuitesOrderMethod;
@@ -45,7 +45,7 @@ class Jre8Compat extends Jre7Compat {
 } catch (NoSuchMethodException e) {
 // Expected on Java < 8
 } catch (ClassNotFoundException e) {
-// Expected on Java < 7
+// Should never happen
 }
 getSSLParametersMethod = m1;
 setUseCipherSuitesOrderMethod = m2;
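Review bot: In the catch for ClassNotFoundException, the comment now reads "Should never happen" but the block still swallows the exception silently and falls through to the assignments of getSSLParametersMethod and setUseCipherSuitesOrderMethod. If the case is unreachable on the Java 7 minimum, log it or rethrow it as an error so that a broken runtime is visible instead of being treated like the expected NoSuchMethodException path above it.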

Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java?rev=1737211=1737210=1737211=diff
==
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java 
(original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java Thu 
Mar 31 09:41:24 2016
@@ -16,8 +16,6 @@
  */
 package org.apache.tomcat.util.compat;
 
-import java.util.Locale;
-
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLServerSocket;
 
@@ -25,7 +23,7 @@ import org.apache.tomcat.util.res.String
 
 /**
  * This is the base implementation class for JRE compatibility and provides an
- * implementation based on Java 6. Sub-classes may extend this class and 
provide
+ * implementation based on Java 7. Sub-classes may extend this class and 
provide
  * alternative implementations for later JRE versions
  */
 public class JreCompat {
@@ -33,97 +31,42 @@ public class JreCompat {
 private static final JreCompat instance;
 private static StringManager sm =
 StringManager.getManager(JreCompat.class.getPackage().getName());
-private static final boolean jre7Available;
 private static final boolean jre8Available;
-
-
+
+
 static {
-// This is Tomcat 7 with a minimum Java version of Java 6. The latest
+// This is Tomcat 8 with a minimum Java version of Java 7. The latest
 // Java version the optional features require is Java 8.
 // Look for the highest supported JVM first
 if (Jre8Compat.isSupported()) {
 instance = new Jre8Compat();
-jre7Available = true;
 jre8Available = true;
-} else if (Jre7Compat.isSupported()) {
-instance = new Jre7Compat();
-jre7Available = true;
-jre8Available = false;
 } else {
 instance = new JreCompat();
-jre7Available = false;
 jre8Available = false;
 }
 }
-
-
+
+
 public static JreCompat getInstance() {
 return instance;
 }
-
-
-// Java 6 implementation of Java 7 methods
-
-public static boolean isJre7Available() {
-return jre7Available;
-}
-
-
-public Locale forLanguageTag(String languageTag) {
-// Extract the language and country for this entry
-String language = null;
-String country = null;
-String variant = null;
-int dash = languageTag.indexOf('-');
-if (dash < 0) {
-language = languageTag;
-country = "";
-variant = "";
-} else {
-language = languageTag.substring(0, dash);
-country = languageTag.substring(dash + 1);
-int vDash = country.indexOf('-');
-if (vDash > 0) {
-String cTemp = country.substring(0, vDash);
-variant = country.substring(vDash + 1);
-country = cTemp;
-} else {
-variant = "";
-}
-}
-if (!isAlpha(language) || !isAlpha(country) || !isAlpha(variant)) {
-return null;
-}
 
-return new Locale(language, country, variant);
-
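Review bot: The empty -/+ line pairs around the static initializer and getInstance() change only whitespace and add noise to a commit that is otherwise a pure removal; drop them or commit them separately. It is also worth confirming before merge that nothing in tc8.0.x calls the public isJre7Available() or forLanguageTag(), since both are deleted from a public class here.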

svn commit: r1737210 - /tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/LocalStrings.properties

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 09:36:40 2016
New Revision: 1737210

URL: http://svn.apache.org/viewvc?rev=1737210=rev
Log:
Copy JreCompat code from Tomcat 7

Added:

tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/LocalStrings.properties
  - copied unchanged from r1737099, 
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/compat/LocalStrings.properties





svn commit: r1737209 - in /tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat: Jre7Compat.java Jre8Compat.java JreCompat.java

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 09:36:00 2016
New Revision: 1737209

URL: http://svn.apache.org/viewvc?rev=1737209=rev
Log:
Copy JreCompat code from Tomcat 7

Added:
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/Jre7Compat.java
  - copied unchanged from r1737099, 
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/compat/Jre7Compat.java
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java
  - copied unchanged from r1737099, 
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java
  - copied unchanged from r1737099, 
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java





[Tomcat Wiki] Update of "Security/Ciphers" by markt

2016-03-31 Thread Apache Wiki
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change 
notification.

The "Security/Ciphers" page has been changed by markt:
https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=10=11

Comment:
Add note about JCE policy files

  || Tomcat 9 (JSSE/OpenSSL) ||  N/A   ||  N/A   ||  N/A   ||   A||
  || Tomcat 9 (APR/OpenSSL)  ||  N/A   ||  N/A   ||  N/A   ||   A||
  
+ Note: These results were obtained using the JCE Unlimited Strength 
Jurisdiction Policy Files
  
  Note: Tomcat 9 with JSSE/OpenSSL and JSSE config requires a 1.2.6 tc-native 
release to achieve an A since without it the full certificate chain is not 
presented to the client.
  




svn commit: r1737202 - in /tomcat/tc8.5.x/trunk: ./ java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 08:56:42 2016
New Revision: 1737202

URL: http://svn.apache.org/viewvc?rev=1737202=rev
Log:
Remove unused code

Modified:
tomcat/tc8.5.x/trunk/   (props changed)

tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java

Propchange: tomcat/tc8.5.x/trunk/
--
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Mar 31 08:56:42 2016
@@ -1 +1 @@
-/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192

Modified: 
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1737202=1737201=1737202=diff
==
--- 
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
 (original)
+++ 
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
 Thu Mar 31 08:56:42 2016
@@ -112,11 +112,6 @@ public class OpenSSLContext implements o
 aprPool = Pool.create(0);
 boolean success = false;
 try {
-if 
(SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()) == null) {
-// This is required
-// throw new 
Exception(netSm.getString("endpoint.apr.noSslCertFile"));
-}
-
 // SSL protocol
 int value = SSL.SSL_PROTOCOL_NONE;
 if (sslHostConfig.getProtocols().size() == 0) {






svn commit: r1737201 - in /tomcat/tc8.5.x/trunk: ./ java/org/apache/tomcat/jni/SSLContext.java java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 08:56:08 2016
New Revision: 1737201

URL: http://svn.apache.org/viewvc?rev=1737201=rev
Log:
Add hooks ready for new tc-native so cert chain can be set from keystore

Modified:
tomcat/tc8.5.x/trunk/   (props changed)
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java

tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java

Propchange: tomcat/tc8.5.x/trunk/
--
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Mar 31 08:56:08 2016
@@ -1 +1 @@
-/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157

Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java?rev=1737201=1737200=1737201=diff
==
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java Thu Mar 31 
08:56:08 2016
@@ -549,4 +549,17 @@ public final class SSLContext {
  * @return {@code true} if success, {@code false} otherwise.
  */
 public static native boolean setCertificateRaw(long ctx, byte[] cert, 
byte[] key, int sslAidxRsa);
+
+/**
+ * Add a certificate to the certificate chain. Certs should be added in
+ * order starting with the issuer of the host certs and working up the
+ * certificate chain to the CA.
+ *
+ * 
+ * Use keystore a certificate chain to fill the BIOP
+ * @param ctx Server or Client context to use.
+ * @param cert Byte array with the certificate in DER encoding.
+ * @return {@code true} if success, {@code false} otherwise.
+ */
+public static native boolean addChainCertificateRaw(long ctx, byte[] cert);
 }
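Review bot: The Javadoc line "Use keystore a certificate chain to fill the BIOP" in the new addChainCertificateRaw comment does not parse and reads like leftover text; remove or rewrite it. The comment should also state what a false return means for the context (for example, whether certificates added by earlier calls remain in the chain), because callers need that to decide how to fail.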

Modified: 
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1737201=1737200=1737201=diff
==
--- 
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
 (original)
+++ 
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
 Thu Mar 31 08:56:08 2016
@@ -324,7 +324,7 @@ public class OpenSSLContext implements o
 } else {
 X509KeyManager keyManager = chooseKeyManager(kms);
 String alias = certificate.getCertificateKeyAlias();
-X509Certificate certificate = 
keyManager.getCertificateChain(alias)[0];
+X509Certificate[] chain = 
keyManager.getCertificateChain(alias);
 PrivateKey key = keyManager.getPrivateKey(alias);
 StringBuilder sb = new StringBuilder(BEGIN_KEY);
 String encoded = 
BASE64_ENCODER.encodeToString(key.getEncoded());
@@ -333,7 +333,15 @@ public class OpenSSLContext implements o
 }
 sb.append(encoded);
 sb.append(END_KEY);
-SSLContext.setCertificateRaw(ctx, certificate.getEncoded(), 
sb.toString().getBytes(StandardCharsets.US_ASCII), SSL.SSL_AIDX_RSA);
+SSLContext.setCertificateRaw(ctx, chain[0].getEncoded(), 
sb.toString().getBytes(StandardCharsets.US_ASCII), SSL.SSL_AIDX_RSA);
+/*
+ * Uncomment the code block below once there has been a 
tc-native
+ * release with this method and the minimum tc-native version
+ * has been incremented.
+for (int i = 1; i < chain.length; i++) {
+SSLContext.addChainCertificateRaw(ctx, 
chain[i].getEncoded());
+}
+*/
 }
 // Client certificate verification
 int value = 0;
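Review bot: chain[0] is dereferenced without checking that keyManager.getCertificateChain(alias) returned a non-empty array, so an alias that is missing from the keystore surfaces as a NullPointerException instead of a configuration error; check chain for null or zero length first. The boolean result of setCertificateRaw is ignored, and the commented-out loop would ignore addChainCertificateRaw the same way, so a failed certificate load goes unnoticed. A tc-native version check around the loop would be safer than leaving code inside a block comment that someone has to remember to re-enable.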






svn commit: r1737200 - in /tomcat/tc8.5.x/trunk: ./ conf/server.xml

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 08:54:36 2016
New Revision: 1737200

URL: http://svn.apache.org/viewvc?rev=1737200=rev
Log:
Align with file name patterns used elsewhere

Modified:
tomcat/tc8.5.x/trunk/   (props changed)
tomcat/tc8.5.x/trunk/conf/server.xml

Propchange: tomcat/tc8.5.x/trunk/
--
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Mar 31 08:54:36 2016
@@ -1 +1 @@
-/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120

Modified: tomcat/tc8.5.x/trunk/conf/server.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/conf/server.xml?rev=1737200=1737199=1737200=diff
==
--- tomcat/tc8.5.x/trunk/conf/server.xml (original)
+++ tomcat/tc8.5.x/trunk/conf/server.xml Thu Mar 31 08:54:36 2016
@@ -84,7 +84,7 @@
 
 
-
 
 






svn commit: r1737199 - in /tomcat/tc8.5.x/trunk: ./ bin/catalina.bat bin/catalina.sh webapps/docs/changelog.xml

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 08:54:13 2016
New Revision: 1737199

URL: http://svn.apache.org/viewvc?rev=1737199=rev
Log:
Enable strong DH keys by default

Modified:
tomcat/tc8.5.x/trunk/   (props changed)
tomcat/tc8.5.x/trunk/bin/catalina.bat
tomcat/tc8.5.x/trunk/bin/catalina.sh
tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc8.5.x/trunk/
--
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Mar 31 08:54:13 2016
@@ -1 +1 @@
-/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119

Modified: tomcat/tc8.5.x/trunk/bin/catalina.bat
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/bin/catalina.bat?rev=1737199=1737198=1737199=diff
==
--- tomcat/tc8.5.x/trunk/bin/catalina.bat (original)
+++ tomcat/tc8.5.x/trunk/bin/catalina.bat Thu Mar 31 08:54:13 2016
@@ -71,6 +71,10 @@ rem
 rem   -agentlib:jdwp=transport=%JPDA_TRANSPORT%,
 rem   
address=%JPDA_ADDRESS%,server=y,suspend=%JPDA_SUSPEND%
 rem
+rem   JSSE_OPTS   (Optional) Java runtime options used to control the TLS
+rem   implementation when JSSE is used. Default is:
+rem   "-Djdk.tls.ephemeralDHKeySize=2048"
+rem
 rem   LOGGING_CONFIG  (Optional) Override Tomcat's logging config file
 rem   Example (all one line)
 rem   set 
LOGGING_CONFIG="-Djava.util.logging.config.file=%CATALINA_BASE%\conf\logging.properties"
@@ -182,6 +186,11 @@ goto juliClasspathDone
 set "CLASSPATH=%CLASSPATH%;%CATALINA_HOME%\bin\tomcat-juli.jar"
 :juliClasspathDone
 
+if not "%JSSE_OPTS%" == "" goto gotJsseOpts
+set JSSE_OPTS="-Djdk.tls.ephemeralDHKeySize=2048"
+:gotJsseOpts
+set "JAVA_OPTS=%JAVA_OPTS% %JSSE_OPTS%"
+
 if not "%LOGGING_CONFIG%" == "" goto noJuliConfig
 set LOGGING_CONFIG=-Dnop
 if not exist "%CATALINA_BASE%\conf\logging.properties" goto noJuliConfig
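Review bot: The default is assigned as set JSSE_OPTS="-Djdk.tls.ephemeralDHKeySize=2048", which stores the double quotes as part of the value, while the lines around it use the set "NAME=value" form. Use set "JSSE_OPTS=-Djdk.tls.ephemeralDHKeySize=2048" so the quotes are not carried into JAVA_OPTS by the following set "JAVA_OPTS=%JAVA_OPTS% %JSSE_OPTS%" line.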

Modified: tomcat/tc8.5.x/trunk/bin/catalina.sh
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/bin/catalina.sh?rev=1737199=1737198=1737199=diff
==
--- tomcat/tc8.5.x/trunk/bin/catalina.sh (original)
+++ tomcat/tc8.5.x/trunk/bin/catalina.sh Thu Mar 31 08:54:13 2016
@@ -76,6 +76,10 @@
 #   -agentlib:jdwp=transport=$JPDA_TRANSPORT,
 #   address=$JPDA_ADDRESS,server=y,suspend=$JPDA_SUSPEND
 #
+#   JSSE_OPTS   (Optional) Java runtime options used to control the TLS
+#   implementation when JSSE is used. Default is:
+#   "-Djdk.tls.ephemeralDHKeySize=2048"
+#
 #   CATALINA_PID(Optional) Path of the file which should contains the pid
 #   of the catalina startup java process, when start (fork) is
 #   used
@@ -224,6 +228,11 @@ if $cygwin; then
   CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
 fi
 
+if [ -z "$JSSE_OPTS" ] ; then
+  JSSE_OPTS="-Djdk.tls.ephemeralDHKeySize=2048"
+fi
+JAVA_OPTS="$JAVA_OPTS $JSSE_OPTS"
+
 # Set juli LogManager config file if it is present and an override has not 
been issued
 if [ -z "$LOGGING_CONFIG" ]; then
   if [ -r "$CATALINA_BASE"/conf/logging.properties ]; then
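Review bot: With the -z test, any non-empty JSSE_OPTS replaces the default instead of adding to it, so setting the variable for an unrelated JSSE option silently drops -Djdk.tls.ephemeralDHKeySize=2048. The header comment added in the first hunk should say that an override must repeat the key-size option if the stronger DH keys are still wanted; the same applies to the catalina.bat text.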

Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1737199=1737198=1737199=diff
==
--- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Thu Mar 31 08:54:13 2016
@@ -87,6 +87,12 @@
 longer necessary for this to be true for a reasonably
 secure configuration. (markt)
   
+  
+Add a new environment variable JSSE_OPTS that is intended
+to be used to pass JVM wide configuration to the JSSE implementation.
+The default value is -Djdk.tls.ephemeralDHKeySize=2048
+which protects against weak Diffie-Hellman keys. (markt)
+  
 
   
   






svn commit: r1737198 - in /tomcat/tc8.5.x/trunk: ./ java/org/apache/coyote/http2/Http2UpgradeHandler.java webapps/docs/changelog.xml

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 08:53:38 2016
New Revision: 1737198

URL: http://svn.apache.org/viewvc?rev=1737198=rev
Log:
honorCipherOrder default has been changed to false

Modified:
tomcat/tc8.5.x/trunk/   (props changed)
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java
tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc8.5.x/trunk/
--
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Mar 31 08:53:38 2016
@@ -1 +1 @@
-/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117

Modified: 
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java?rev=1737198=1737197=1737198=diff
==
--- tomcat/tc8.5.x/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java 
(original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java 
Thu Mar 31 08:53:38 2016
@@ -66,8 +66,6 @@ import org.apache.tomcat.util.res.String
  * 
  * Note:
  * 
- * Tomcat needs to be configured with honorCipherOrder="false" otherwise
- * Tomcat will prefer a cipher suite that is blacklisted by HTTP/2.
  * You will need to nest an UpgradeProtocol
  * className="org.apache.coyote.http2.Http2Protocol" / element inside
  * a TLS enabled Connector element in server.xml to enable HTTP/2 support.

Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1737198=1737197=1737198=diff
==
--- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Thu Mar 31 08:53:38 2016
@@ -81,6 +81,12 @@
   
 Align cipher configuration parsing with current OpenSSL master. (markt)
   
+  
+Change the default for honorCipherOrder to
+false. With the current default TLS configuration, it is 
no
+longer necessary for this to be true for a reasonably
+secure configuration. (markt)
+  
 
   
   






svn commit: r1737196 - /tomcat/trunk/conf/server.xml

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 08:48:10 2016
New Revision: 1737196

URL: http://svn.apache.org/viewvc?rev=1737196=rev
Log:
Fix syntax

Modified:
tomcat/trunk/conf/server.xml

Modified: tomcat/trunk/conf/server.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/conf/server.xml?rev=1737196=1737195=1737196=diff
==
--- tomcat/trunk/conf/server.xml (original)
+++ tomcat/trunk/conf/server.xml Thu Mar 31 08:48:10 2016
@@ -98,6 +98,7 @@
 
 
+
 

svn commit: r1737195 - in /tomcat/tc8.5.x/trunk: ./ java/org/apache/coyote/http11/

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 08:46:22 2016
New Revision: 1737195

URL: http://svn.apache.org/viewvc?rev=1737195=rev
Log:
Include TLS implementation name in connector

Modified:
tomcat/tc8.5.x/trunk/   (props changed)

tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java

Propchange: tomcat/tc8.5.x/trunk/
--
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Mar 31 08:46:22 2016
@@ -1 +1 @@
-/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112

Modified: 
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java?rev=1737195=1737194=1737195=diff
==
--- 
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
 (original)
+++ 
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
 Thu Mar 31 08:46:22 2016
@@ -17,6 +17,7 @@
 package org.apache.coyote.http11;
 
 import org.apache.tomcat.util.net.AbstractJsseEndpoint;
+import org.apache.tomcat.util.net.openssl.OpenSSLImplementation;
 
 public abstract class AbstractHttp11JsseProtocol
 extends AbstractHttp11Protocol {
@@ -33,6 +34,13 @@ public abstract class AbstractHttp11Jsse
 }
 
 
+protected String getSslImplemenationShortName() {
+if 
(OpenSSLImplementation.class.getName().equals(getSslImplementationName())) {
+return "openssl";
+}
+return "jsse";
+}
+
 public String getSslImplementationName() { return 
getEndpoint().getSslImplementationName(); }
 public void setSslImplementationName(String s) { 
getEndpoint().setSslImplementationName(s); }
 

Modified: 
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1737195=1737194=1737195=diff
==
--- tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java 
(original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java 
Thu Mar 31 08:46:22 2016
@@ -63,7 +63,7 @@ public class Http11AprProtocol extends A
 @Override
 protected String getNamePrefix() {
 if (isSSLEnabled()) {
-return ("https-apr");
+return ("https-openssl-apr");
 } else {
 return ("http-apr");
 }
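Review bot: Changing the SSL prefix from "https-apr" to "https-openssl-apr" renames every TLS-enabled APR connector, and anything keyed on the old name will stop matching. The commit does not touch changelog.xml, so add an entry describing the new naming scheme for all three connector types.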

Modified: 
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java?rev=1737195=1737194=1737195=diff
==
--- tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java 
(original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Nio2Protocol.java 
Thu Mar 31 08:46:22 2016
@@ -44,7 +44,7 @@ public class Http11Nio2Protocol extends
 @Override
 protected String getNamePrefix() {
 if (isSSLEnabled()) {
-return ("https-nio2");
+return ("https-" + getSslImplemenationShortName()+ "-nio2");
 } else {
 return ("http-nio2");
 }
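Review bot: getSslImplemenationShortName() on the changed return line is misspelt (the "t" in Implementation is missing); since it is a new protected method, fix the name in AbstractHttp11JsseProtocol and at both call sites now, before subclasses depend on it. There is also a missing space before the second + operator on the same line.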

Modified: 
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java?rev=1737195=1737194=1737195=diff
==
--- tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java 
(original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java 
Thu Mar 31 08:46:22 2016
@@ -76,7 +76,7 @@ public class Http11NioProtocol extends A
 @Override
 protected String getNamePrefix() {
 if (isSSLEnabled()) {
-return ("https-nio");
+return ("https-" + getSslImplemenationShortName()+ "-nio");
 } else {
 return ("http-nio");
 }




svn commit: r1737194 - in /tomcat/tc8.5.x/trunk: ./ java/org/apache/catalina/core/AprLifecycleListener.java java/org/apache/catalina/core/LocalStrings.properties

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 08:41:47 2016
New Revision: 1737194

URL: http://svn.apache.org/viewvc?rev=1737194=rev
Log:
Log key APRListener config values at start

Modified:
tomcat/tc8.5.x/trunk/   (props changed)
tomcat/tc8.5.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
tomcat/tc8.5.x/trunk/java/org/apache/catalina/core/LocalStrings.properties

Propchange: tomcat/tc8.5.x/trunk/
--
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Mar 31 08:41:47 2016
@@ -1 +1 @@
-/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104

Modified: 
tomcat/tc8.5.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java?rev=1737194=1737193=1737194=diff
==
--- 
tomcat/tc8.5.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java 
(original)
+++ 
tomcat/tc8.5.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java 
Thu Mar 31 08:41:47 2016
@@ -253,6 +253,11 @@ public class AprLifecycleListener
 Boolean.valueOf(Library.APR_HAS_SENDFILE),
 Boolean.valueOf(Library.APR_HAS_SO_ACCEPTFILTER),
 Boolean.valueOf(Library.APR_HAS_RANDOM)));
+
+initInfoLogMessages.add(sm.getString("aprListener.config",
+Boolean.valueOf(useAprConnector),
+Boolean.valueOf(useOpenSSL)));
+
 aprAvailable = true;
 }
 

Modified: 
tomcat/tc8.5.x/trunk/java/org/apache/catalina/core/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/core/LocalStrings.properties?rev=1737194=1737193=1737194=diff
==
--- tomcat/tc8.5.x/trunk/java/org/apache/catalina/core/LocalStrings.properties 
(original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/catalina/core/LocalStrings.properties 
Thu Mar 31 08:41:47 2016
@@ -65,6 +65,7 @@ aprListener.sslInit=Failed to initialize
 aprListener.tcnValid=Loaded APR based Apache Tomcat Native library {0} using 
APR version {1}.
 aprListener.flags=APR capabilities: IPv6 [{0}], sendfile [{1}], accept filters 
[{2}], random [{3}].
 aprListener.currentFIPSMode=Current FIPS mode: {0}
+aprListener.config=APR/OpenSSL configuration: useAprConnector [{0}], 
useOpenSSL [{1}]
 aprListener.skipFIPSInitialization=Already in FIPS mode; skipping FIPS 
initialization.
 aprListener.enterAlreadyInFIPSMode=AprLifecycleListener is configured to force 
entering FIPS mode, but library is already in FIPS mode ({0})
 aprListener.requireNotInFIPSMode=AprLifecycleListener is configured to require 
the library to already be in FIPS mode, but it was not in FIPS mode






[Tomcat Wiki] Update of "Security/Ciphers" by markt

2016-03-31 Thread Apache Wiki

The "Security/Ciphers" page has been changed by markt:
https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=9=10

Comment:
Add APR/native results for Tomcat 9

  
  == JSSE (BIO/NIO/NIO2) Results (Default) ==
  
- |||| Java 5 || Java 6 || Java 7 || Java 8 ||
+ || || Java 5 || Java 6 || Java 7 || Java 8 ||
- || Tomcat 6 (JSSE)||   C||   C||   C||   B||
+ || Tomcat 6 (JSSE) ||   C||   C||   C||   B||
- || Tomcat 7 (JSSE)||  N/A   ||   C||   C||   B||
+ || Tomcat 7 (JSSE) ||  N/A   ||   C||   C||   B||
- || Tomcat 8 (JSSE)||  N/A   ||  N/A   ||   C||   B||
+ || Tomcat 8 (JSSE) ||  N/A   ||  N/A   ||   C||   B||
- || Tomcat 9 (JSSE)||  N/A   ||  N/A   ||  N/A   ||   A||
+ || Tomcat 9 (JSSE) ||  N/A   ||  N/A   ||  N/A   ||   A||
- || Tomcat 9 (OpenSSL) ||  N/A   ||  N/A   ||  N/A   ||   A||
+ || Tomcat 9 (JSSE/OpenSSL) ||  N/A   ||  N/A   ||  N/A   ||   A||
+ || Tomcat 9 (APR/OpenSSL)  ||  N/A   ||  N/A   ||  N/A   ||   A||
  
+ 
- Note: Tomcat 9 with JSSE+OpenSSL and JSSE config requires a 1.2.6 tc-native 
release to achieve an A since without it the full certificate chain is not 
presented to the client.
+ Note: Tomcat 9 with JSSE/OpenSSL and JSSE config requires a 1.2.6 tc-native 
release to achieve an A since without it the full certificate chain is not 
presented to the client.
  
  == JSSE (BIO/NIO/NIO2) Results (Improved) ==
  
@@ -56, +58 @@

   * Apache Tomcat 6.0.44-dev, r1664561. This is after the commit that disabled 
SSLv2 and SSLv3.
   * Apache Tomcat 7.0.60-dev, r1664373.
   * Apache Tomcat 8.0.21-dev, r1664594.
-  * Apache Tomcat 9.0.0.M5-dev r1737119
+  * Apache Tomcat 9.0.0.M5-dev, r1737193.
  
  == APR/native ==
  




svn commit: r1737192 - /tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 08:28:55 2016
New Revision: 1737192

URL: http://svn.apache.org/viewvc?rev=1737192=rev
Log:
Remove unused code

Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1737192=1737191=1737192=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java 
Thu Mar 31 08:28:55 2016
@@ -110,11 +110,6 @@ public class OpenSSLContext implements o
 aprPool = Pool.create(0);
 boolean success = false;
 try {
-if 
(SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()) == null) {
-// This is required
-// throw new 
Exception(netSm.getString("endpoint.apr.noSslCertFile"));
-}
-
 // SSL protocol
 int value = SSL.SSL_PROTOCOL_NONE;
 if (sslHostConfig.getProtocols().size() == 0) {
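Review bot: The deleted if at old line 113 had an empty body because its throw was commented out, so removing it changes no behaviour, but it also removes the only trace that a null result from SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()) was once meant to be fatal ("This is required"). If a missing certificate file should still fail fast here, reinstate the check with a live throw; if it is validated elsewhere, say where in the commit log and check whether the endpoint.apr.noSslCertFile message key is still referenced, since "Remove unused code" does not say which case applies.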






[Bug 59253] Read/Write errors

2016-03-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59253

Violeta Georgieva changed:

   What    |Removed |Added
   --------+--------+--------
   Version |8.0.32  |8.0.33




[Bug 59238] WebSocket gets messages after closing

2016-03-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59238

Violeta Georgieva changed:

   What    |Removed |Added
   --------+--------+--------
   Status  |NEW     |NEEDINFO




svn commit: r1737187 - /tomcat/native/trunk/native/src/sslcontext.c

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 07:57:16 2016
New Revision: 1737187

URL: http://svn.apache.org/viewvc?rev=1737187&view=rev
Log:
Fix copy/paste error message
Remove unused code
Review from kkolinko

Modified:
tomcat/native/trunk/native/src/sslcontext.c

Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1737187&r1=1737186&r2=1737187&view=diff
==
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Thu Mar 31 07:57:16 2016
@@ -1126,9 +1126,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
 jsize lengthOfCert;
 unsigned char* cert;
 X509 * certs;
-EVP_PKEY * evp;
 const unsigned char *tmp;
-BIO * bio;
 
 tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
 jboolean rv = JNI_TRUE;
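Review bot: With evp and bio removed, the remaining declaration "X509 * certs;" still has a plural name although it is a single X509 pointer in a method that adds one certificate to the chain. Renaming it to the singular (and giving the byte buffer "unsigned char* cert" a distinct name such as certBytes) would make the later SSL_CTX_add0_chain_cert(c->ctx, certs) call easier to read and would stop the two declarations from being confused.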
@@ -1152,7 +1150,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
 rv = JNI_FALSE;
 } else if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0) {
 ERR_error_string(ERR_get_error(), err);
-tcn_Throw(e, "Error setting certificate (%s)", err);
+tcn_Throw(e, "Error adding certificate to chain (%s)", err);
 rv = JNI_FALSE;
 }
 
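Review bot: On the failure branch of SSL_CTX_add0_chain_cert(c->ctx, certs) the visible lines throw and set rv = JNI_FALSE but never release certs. The add0 form takes ownership of the certificate only when it succeeds, so unless the code after this hunk frees it, a rejected certificate leaks on every failed call. Suggest X509_free(certs) in that branch. The corrected message text matches the call it reports.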






Re: svn commit: r1737154 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml

2016-03-31 Thread Mark Thomas
On 31/03/2016 00:37, Christopher Schultz wrote:
> Chuck,
> 
> On 3/30/16 5:10 PM, Caldarale, Charles R wrote:
>>> From: Christopher Schultz
>>> Subject: RE: svn commit: r1737154 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
>>
>>> Since bufferPtr is the byte array you want to use, you can probably just
>>> use that directly for the call to d2i_x509(). I think the
>>> malloc/memcpy/free is not necessary.
>>
>> Does calling d2i_X509() have the potential to block for any
>> significant length of time?  If so, the byte array would be pinned in
>> the heap for the duration, which may impact GC.
> 
> Good question. I assumed it was a conversion routine (foo2bar) and was
> just going to be converting from byte array to an internal
> representation of the X509 certificate.
> 
> My justification for avoiding the malloc/memcpy/free was to reduce
> memory churn and improve performance, but you're right: if d2i_X509 is
> likely to take any significant amount of time, that outstanding pinned
> array can cause a slowdown in other areas.
> 
> In either case, I believe correctness is maintained so it will all come
> down to performance. I'll have to read about d2i_X509 and maybe read the
> implementation (which is likely to cause nightmares) to see.

I tried - and failed - to find the implementation. Since I have no
better information than the method I copied, I'm going to leave this as
is for now.

Mark





svn commit: r1737184 - /tomcat/native/trunk/native/src/sslcontext.c

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 07:19:00 2016
New Revision: 1737184

URL: http://svn.apache.org/viewvc?rev=1737184&view=rev
Log:
Simplify / remove goto
Review from Chuck

Modified:
tomcat/native/trunk/native/src/sslcontext.c

Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1737184&r1=1737183&r2=1737184&view=diff
==
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Thu Mar 31 07:19:00 2016
@@ -1150,10 +1150,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
 ERR_error_string(ERR_get_error(), err);
 tcn_Throw(e, "Error reading certificate (%s)", err);
 rv = JNI_FALSE;
-goto cleanup;
-}
-
-if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0) {
+} else if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0) {
 ERR_error_string(ERR_get_error(), err);
 tcn_Throw(e, "Error setting certificate (%s)", err);
 rv = JNI_FALSE;
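Review bot: Folding the second check into "} else if (...)" is equivalent to the old "goto cleanup;" only if nothing between the end of this chain and the cleanup label was meant to run on success alone, because a read failure now falls through that code instead of jumping over it; the hunk does not show those lines, so please confirm. The commit also has no hunk removing the label itself, so if this was the only jump to it the label is now unused and should be dropped. Separately, the else-if branch still reports "Error setting certificate (%s)" for a failed SSL_CTX_add0_chain_cert call, which describes a different operation than adding a certificate to the chain.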






Re: svn commit: r1737154 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml

2016-03-31 Thread Mark Thomas
On 30/03/2016 21:43, Mark Thomas wrote:
> On 30/03/2016 21:31, Caldarale, Charles R wrote:
>>> From: Mark Thomas [mailto:ma...@apache.org] 
>>> Subject: Re: svn commit: r1737154 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
>>
>>> The implementation is essentially a copy/paste of setCertificateRaw with
>>> what looked to be the right changes to remove the unnecessary private
>>> key code and to call the right OpenSSL method to set the chain.
>>
>>> It does work - in that SSL Labs sees the full chain - but the code may
>>> well be terrible. I wouldn't be surprised if it leaked memory.
>>
>> I don't see any obvious leaks (although I'm unfamiliar with OpenSSL semantics),
> 
> ACK. Thanks.
> 
>> but using a goto is generally frowned upon.  Better code might be something like this:
> 
> My defence is that I was copying the style of the previous method. If we
> fix one, we should fix both. I'll see what I can do.

It is easy to drop the goto in this method. The previous method not so
much so I did just fix the one.

Mark




svn commit: r1737183 - /tomcat/native/trunk/native/src/sslcontext.c

2016-03-31 Thread markt
Author: markt
Date: Thu Mar 31 07:13:38 2016
New Revision: 1737183

URL: http://svn.apache.org/viewvc?rev=1737183&view=rev
Log:
Add missing stub methods for when OpenSSL is not available
Review from kkolinko

Modified:
tomcat/native/trunk/native/src/sslcontext.c

Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1737183&r1=1737182&r2=1737183&view=diff
==
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Thu Mar 31 07:13:38 2016
@@ -2018,6 +2018,27 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
 return JNI_FALSE;
 }
 
+TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateRaw)(TCN_STDARGS, jlong 
ctx,
+ jbyteArray javaCert, 
jbyteArray javaKey,
+ jint idx)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+UNREFERENCED(javaCert);
+UNREFERENCED(javaKey);
+UNREFERENCED(idx);
+return JNI_FALSE;
+}
+
+TCN_IMPLEMENT_CALL(jboolean, SSLContext, addChainCertificateRaw)(TCN_STDARGS, 
jlong ctx,
+ jbyteArray 
javaCert)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+UNREFERENCED(javaCert);
+return JNI_FALSE;
+}
+
 TCN_IMPLEMENT_CALL(jint, SSLContext, setALPN)(TCN_STDARGS, jlong ctx,
   jbyteArray buf, jint len)
 {
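Review bot: Both new stubs end in a bare "return JNI_FALSE;" with no exception raised, so on a build without OpenSSL a Java caller of setCertificateRaw or addChainCertificateRaw gets false and no reason for it. That matches the stub visible just above, so it is consistent, but for calls that install a certificate, key or chain a silent false is easy to ignore and leaves the context without the expected material. Consider throwing an exception that says OpenSSL support is not compiled in, or at least documenting on the Java side that false can mean "not available".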


