Discouraging Rogue Users In Tomcat
Hello,

I have recently developed code for Tomcat 8.5 that defends against black-hats probing Tomcat and the website apps for vulnerabilities. This coding effort started a year ago, and the latest code has been running successfully on Tomcat 8.5.49 (Linux server) for about 3 months. I feel that Tomcat is less vulnerable now and I would be rather uncomfortable running a production system without this new feature.

I am happy to provide design details and donate this code to Apache, but I am unsure of your process to introduce new Tomcat features for review by your dev team, and to submit code.

Let me know if you have questions.

Thanks.
Alan Basche

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: First impressions from OpenSSL 3.0.0 and TC 10.0.0-M7 plus tcnative 1.2.24
Chris,

On 03.08.20 at 18:26, Christopher Schultz wrote:
> Rainer,
>
> On 8/3/20 07:03, Rainer Jung wrote:
> > Hi Chris, hi all,
> >
> > I ran build and tests for TC 10.0.0-M7 plus tcnative 1.2.24 and
> > compared them between OpenSSL 3.0.0alpha5 and 1.1.1g plus patches.
> > APR was always 1.7.0.
>
> Thanks for trying this out. What is "OpenSSL 1.1.1 + patches?" Which
> patches are you applying?
>
> > - build warnings for tcnative using OpenSSL 3.0.0alpha5:
> >
> > src/ssl.c:422:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:424:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:425:13: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:426:13: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:806:13: warning: 'ENGINE_register_all_complete' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:809:13: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:815:21: warning: 'ENGINE_ctrl' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:817:17: warning: 'ENGINE_set_default' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:822:17: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:422: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
> > src/ssl.c:424: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
> > src/ssl.c:425: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
> > src/ssl.c:426: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)
> > src/ssl.c:806: warning: 'ENGINE_register_all_complete' is deprecated (declared at /path/to/include/openssl/engine.h:407)
> > src/ssl.c:809: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
> > src/ssl.c:815: warning: 'ENGINE_ctrl' is deprecated (declared at /path/to/include/openssl/engine.h:419)
> > src/ssl.c:817: warning: 'ENGINE_set_default' is deprecated (declared at /path/to/include/openssl/engine.h:652)
> > src/ssl.c:822: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)
>
> I spot-checked ENGINE_ctrl_cmd_string and I can't seem to find any
> indication of what replacement exists for this function. It seems that
> a huge number of functions have been deprecated in 3.0.x with very
> little explanation for how to update client code to be 3.0-compliant.

Have you seen the design document for 3.0?
https://www.openssl.org/docs/OpenSSL300Design.html#the-engine-api

Looks like they want to explain later how to upgrade old code.

Felix
Re: First impressions from OpenSSL 3.0.0 and TC 10.0.0-M7 plus tcnative 1.2.24
Hi Chris, hi all,

I can't currently analyze the observed few failures that also happen in 1.1.1 due to time constraints.

The patches for 1.1.1 I mentioned are just that I typically use a slightly newer version than the released one, because OpenSSL often accumulates quite a few patches before doing a release. Not saying this is good to do, it's just what is most easily available to me. In the case here it was 1.1.1g plus everything that was committed to the 1.1.1 branch until 2020-07-11. There's nothing specifically needed for tcnative.

I think the concept of ENGINE was mostly replaced by providers in OpenSSL 3.0.0. I haven't checked the details, but some info is available here
https://wiki.openssl.org/index.php/OpenSSL_3.0
and here
https://www.openssl.org/docs/OpenSSL300Design.html

I mostly wanted to provide a short notice that currently it seems we can support 3.0.0 once it gets a GA release with only very little effort, hopefully with our code as-is.

Best regards,

Rainer

On 03.08.2020 at 18:26, Christopher Schultz wrote:
> Rainer,
>
> On 8/3/20 07:03, Rainer Jung wrote:
> > Hi Chris, hi all,
> >
> > I ran build and tests for TC 10.0.0-M7 plus tcnative 1.2.24 and
> > compared them between OpenSSL 3.0.0alpha5 and 1.1.1g plus patches.
> > APR was always 1.7.0.
>
> Thanks for trying this out. What is "OpenSSL 1.1.1 + patches?" Which
> patches are you applying?
>
> > - build warnings for tcnative using OpenSSL 3.0.0alpha5:
> >
> > src/ssl.c:422:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:424:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:425:13: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:426:13: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:806:13: warning: 'ENGINE_register_all_complete' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:809:13: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:815:21: warning: 'ENGINE_ctrl' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:817:17: warning: 'ENGINE_set_default' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:822:17: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:422: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
> > src/ssl.c:424: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
> > src/ssl.c:425: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
> > src/ssl.c:426: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)
> > src/ssl.c:806: warning: 'ENGINE_register_all_complete' is deprecated (declared at /path/to/include/openssl/engine.h:407)
> > src/ssl.c:809: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
> > src/ssl.c:815: warning: 'ENGINE_ctrl' is deprecated (declared at /path/to/include/openssl/engine.h:419)
> > src/ssl.c:817: warning: 'ENGINE_set_default' is deprecated (declared at /path/to/include/openssl/engine.h:652)
> > src/ssl.c:822: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)
>
> I spot-checked ENGINE_ctrl_cmd_string and I can't seem to find any
> indication of what replacement exists for this function. It seems that
> a huge number of functions have been deprecated in 3.0.x with very
> little explanation for how to update client code to be 3.0-compliant.
>
> > - test results:
> >
> > Only tested NIO and NIO2 connectors (couldn't easily do it for APR
> > for local reasons independent of OpenSSL).
> >
> > The tests have been run on RedHat Enterprise Linux 8 using the
> > following JVMs:
> >
> > - OpenJDK 1.8.0_262-b10
> > - OpenJDK 11.0.8+10
> > - OpenJDK 14.0.2+12-46
> > - OpenJDK 15-ea+31-1502
> > - Adopt OpenJDK 1.8.0_262-b10
> > - Adopt OpenJDK 11.0.8+10
> > - Adopt OpenJDK 14.0.2+12
> > - RedHat OpenJDK 1.8.0_201-b09
> > - RedHat OpenJDK 11.0.2+7-LTS
> > - Azul Zulu 1.8.0_262-b18
> > - Azul Zulu 11.0.8+10-LTS
> > - Azul 14.0.2+12
> >
> > All tests succeeded with the following exceptions. These do not
> > differ between OpenSSL 1.1.1g plus patches and 3.0.0alpha5:
> >
> > - zulu JDK 1.8.0
> >
> > 2 errors for NIO and NIO2 in
> > org.apache.tomcat.util.net.TestClientCertTls13:
> >
> > Testcase: testClientCertPost took 2.327 sec
> > Caused an ERROR
> > Received fatal alert: protocol_version
> > javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
> >     at sun.security.ssl.Alert.createSSLException(Alert.java:131)
> >     at sun.security.ssl.Alert.createSSLException(Alert.java:117)
> >     at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
> >     at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
> >     at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
> >     at sun.security.ssl.SSLTransport.decode(SSLTransport.java:156)
> >     at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1197)
> >     at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1106)
Re: First impressions from OpenSSL 3.0.0 and TC 10.0.0-M7 plus tcnative 1.2.24
Rainer,

On 8/3/20 07:03, Rainer Jung wrote:
> Hi Chris, hi all,
>
> I ran build and tests for TC 10.0.0-M7 plus tcnative 1.2.24 and
> compared them between OpenSSL 3.0.0alpha5 and 1.1.1g plus patches.
> APR was always 1.7.0.

Thanks for trying this out. What is "OpenSSL 1.1.1 + patches?" Which
patches are you applying?

> - build warnings for tcnative using OpenSSL 3.0.0alpha5:
>
> src/ssl.c:422:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:424:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:425:13: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:426:13: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:806:13: warning: 'ENGINE_register_all_complete' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:809:13: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:815:21: warning: 'ENGINE_ctrl' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:817:17: warning: 'ENGINE_set_default' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:822:17: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:422: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
> src/ssl.c:424: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
> src/ssl.c:425: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
> src/ssl.c:426: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)
> src/ssl.c:806: warning: 'ENGINE_register_all_complete' is deprecated (declared at /path/to/include/openssl/engine.h:407)
> src/ssl.c:809: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
> src/ssl.c:815: warning: 'ENGINE_ctrl' is deprecated (declared at /path/to/include/openssl/engine.h:419)
> src/ssl.c:817: warning: 'ENGINE_set_default' is deprecated (declared at /path/to/include/openssl/engine.h:652)
> src/ssl.c:822: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)

I spot-checked ENGINE_ctrl_cmd_string and I can't seem to find any
indication of what replacement exists for this function. It seems that
a huge number of functions have been deprecated in 3.0.x with very
little explanation for how to update client code to be 3.0-compliant.

> - test results:
>
> Only tested NIO and NIO2 connectors (couldn't easily do it for APR
> for local reasons independent of OpenSSL).
>
> The tests have been run on RedHat Enterprise Linux 8 using the
> following JVMs:
>
> - OpenJDK 1.8.0_262-b10
> - OpenJDK 11.0.8+10
> - OpenJDK 14.0.2+12-46
> - OpenJDK 15-ea+31-1502
> - Adopt OpenJDK 1.8.0_262-b10
> - Adopt OpenJDK 11.0.8+10
> - Adopt OpenJDK 14.0.2+12
> - RedHat OpenJDK 1.8.0_201-b09
> - RedHat OpenJDK 11.0.2+7-LTS
> - Azul Zulu 1.8.0_262-b18
> - Azul Zulu 11.0.8+10-LTS
> - Azul 14.0.2+12
>
> All tests succeeded with the following exceptions. These do not
> differ between OpenSSL 1.1.1g plus patches and 3.0.0alpha5:
>
> - zulu JDK 1.8.0
>
> 2 errors for NIO and NIO2 in
> org.apache.tomcat.util.net.TestClientCertTls13:
>
> Testcase: testClientCertPost took 2.327 sec
> Caused an ERROR
> Received fatal alert: protocol_version
> javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
>     at sun.security.ssl.Alert.createSSLException(Alert.java:131)
>     at sun.security.ssl.Alert.createSSLException(Alert.java:117)
>     at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
>     at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
>     at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
>     at sun.security.ssl.SSLTransport.decode(SSLTransport.java:156)
>     at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1197)
>     at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1106)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:398)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:370)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
>     at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:789)
>     at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:755)
>     at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:729)
>     at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertPost(TestClientCertTls13.java:61)

Interesting.

> Testcase: testClientCertGet took 0.169 sec
> Caused an ERROR
> Received fatal alert: p
First impressions from OpenSSL 3.0.0 and TC 10.0.0-M7 plus tcnative 1.2.24
Hi Chris, hi all,

I ran build and tests for TC 10.0.0-M7 plus tcnative 1.2.24 and compared them between OpenSSL 3.0.0alpha5 and 1.1.1g plus patches. APR was always 1.7.0.

- build warnings for tcnative using OpenSSL 3.0.0alpha5:

src/ssl.c:422:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
src/ssl.c:424:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
src/ssl.c:425:13: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
src/ssl.c:426:13: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
src/ssl.c:806:13: warning: 'ENGINE_register_all_complete' is deprecated [-Wdeprecated-declarations]
src/ssl.c:809:13: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
src/ssl.c:815:21: warning: 'ENGINE_ctrl' is deprecated [-Wdeprecated-declarations]
src/ssl.c:817:17: warning: 'ENGINE_set_default' is deprecated [-Wdeprecated-declarations]
src/ssl.c:822:17: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
src/ssl.c:422: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
src/ssl.c:424: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
src/ssl.c:425: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
src/ssl.c:426: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)
src/ssl.c:806: warning: 'ENGINE_register_all_complete' is deprecated (declared at /path/to/include/openssl/engine.h:407)
src/ssl.c:809: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
src/ssl.c:815: warning: 'ENGINE_ctrl' is deprecated (declared at /path/to/include/openssl/engine.h:419)
src/ssl.c:817: warning: 'ENGINE_set_default' is deprecated (declared at /path/to/include/openssl/engine.h:652)
src/ssl.c:822: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)

- test results:

Only tested NIO and NIO2 connectors (couldn't easily do it for APR for local reasons independent of OpenSSL).

The tests have been run on RedHat Enterprise Linux 8 using the following JVMs:

- OpenJDK 1.8.0_262-b10
- OpenJDK 11.0.8+10
- OpenJDK 14.0.2+12-46
- OpenJDK 15-ea+31-1502
- Adopt OpenJDK 1.8.0_262-b10
- Adopt OpenJDK 11.0.8+10
- Adopt OpenJDK 14.0.2+12
- RedHat OpenJDK 1.8.0_201-b09
- RedHat OpenJDK 11.0.2+7-LTS
- Azul Zulu 1.8.0_262-b18
- Azul Zulu 11.0.8+10-LTS
- Azul 14.0.2+12

All tests succeeded with the following exceptions. These do not differ between OpenSSL 1.1.1g plus patches and 3.0.0alpha5:

- zulu JDK 1.8.0

2 errors for NIO and NIO2 in org.apache.tomcat.util.net.TestClientCertTls13:

Testcase: testClientCertPost took 2.327 sec
Caused an ERROR
Received fatal alert: protocol_version
javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
    at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:156)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1197)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1106)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:398)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:370)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
    at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:789)
    at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:755)
    at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:729)
    at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertPost(TestClientCertTls13.java:61)

Testcase: testClientCertGet took 0.169 sec
Caused an ERROR
Received fatal alert: protocol_version
javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
    at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
    at sun.security.ssl.SS
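The JSSE wording "Received fatal alert: protocol_version" means the alert was received from the peer, so in the failures above it is the Tomcat server side that rejected the handshake; alert code 70 is what a server sends when none of the versions the client offered is one it accepts (RFC 8446 section 4.2.1 for the selection rule, section 6.2 for the alert). The program below is an added example, not Tomcat's test code or anything from this thread: it decodes such an alert record from constructed bytes and models the server-side version selection, including the case of a server restricted to TLSv1.3 facing a client whose ClientHello carries no supported_versions extension. That a server limited to TLSv1.3 is what TestClientCertTls13 configures is an assumption suggested by the test's name, not something the report states.

```c
/*
 * Added example, not Tomcat or tcnative code: what the JSSE message
 * "Received fatal alert: protocol_version" is on the wire, and when a
 * TLS 1.3 server sends it (RFC 8446, sections 4.2.1 and 6.2).
 * Pure C99, no OpenSSL needed:  cc -Wall -o tlsalert tlsalert.c && ./tlsalert
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS_RT_ALERT                0x15  /* record content type: alert */
#define TLS_ALERT_LEVEL_FATAL       2
#define TLS_ALERT_PROTOCOL_VERSION  70
#define TLS1_2_VERSION              0x0303
#define TLS1_3_VERSION              0x0304

struct tls_alert {
    uint16_t record_version;  /* legacy_record_version from the record header */
    uint8_t level;            /* 1 = warning, 2 = fatal */
    uint8_t description;      /* AlertDescription code */
};

/* Parse one TLS record carrying an Alert: type(1) version(2) length(2)
 * followed by the 2-byte alert body. Returns 1 and fills *out for a
 * well-formed alert record, 0 otherwise (wrong type, bad length, truncated). */
int decode_alert_record(const uint8_t *rec, size_t len, struct tls_alert *out)
{
    if (rec == NULL || out == NULL || len < 5 || rec[0] != TLS_RT_ALERT)
        return 0;
    uint16_t body_len = (uint16_t)((rec[3] << 8) | rec[4]);
    if (body_len != 2 || len != 5 + (size_t)body_len)
        return 0;
    out->record_version = (uint16_t)((rec[1] << 8) | rec[2]);
    out->level = rec[5];
    out->description = rec[6];
    return 1;
}

/* Names for the alert codes that show up most often in handshake failures. */
const char *alert_name(uint8_t description)
{
    switch (description) {
    case 40:  return "handshake_failure";
    case 42:  return "bad_certificate";
    case 48:  return "unknown_ca";
    case 70:  return "protocol_version";
    case 80:  return "internal_error";
    case 116: return "certificate_required";
    default:  return "unknown";
    }
}

/* Server-side version selection as in RFC 8446 section 4.2.1.
 * client_versions/n: the ClientHello supported_versions list; n == 0 means
 * the extension is absent (a client without TLS 1.3 support), so only
 * legacy_version counts and TLS 1.3 can never be chosen.
 * server_versions/m: the versions the server is configured to accept.
 * Returns the negotiated version, or 0 when there is none, which is the
 * case in which the server answers with a fatal protocol_version alert. */
uint16_t select_server_version(uint16_t legacy_version,
                               const uint16_t *client_versions, size_t n,
                               const uint16_t *server_versions, size_t m)
{
    uint16_t best = 0;
    size_t i, j;
    if (n > 0) {
        /* Extension present: legacy_version is ignored and only a version the
         * client listed may be chosen; take the highest one both sides share. */
        for (i = 0; i < n; i++)
            for (j = 0; j < m; j++)
                if (client_versions[i] == server_versions[j] && client_versions[i] > best)
                    best = client_versions[i];
        return best;
    }
    /* No extension: highest enabled pre-1.3 version not above legacy_version. */
    for (j = 0; j < m; j++)
        if (server_versions[j] < TLS1_3_VERSION && server_versions[j] <= legacy_version
            && server_versions[j] > best)
            best = server_versions[j];
    return best;
}

int main(void)
{
    /* Constructed sample: the 7 bytes a server sends for a fatal protocol_version alert. */
    const uint8_t sample[] = { 0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x46 };
    struct tls_alert a;
    if (decode_alert_record(sample, sizeof sample, &a))
        printf("alert: level=%u (%s) description=%u (%s)\n", a.level,
               a.level == TLS_ALERT_LEVEL_FATAL ? "fatal" : "warning",
               a.description, alert_name(a.description));

    /* A server restricted to TLSv1.3 against a client that advertises TLS 1.3
     * and against one whose ClientHello has no supported_versions extension. */
    const uint16_t server_tls13_only[] = { TLS1_3_VERSION };
    const uint16_t client_modern[] = { TLS1_3_VERSION, TLS1_2_VERSION };
    printf("client with TLS 1.3: 0x%04x\n",
           select_server_version(TLS1_2_VERSION, client_modern, 2, server_tls13_only, 1));
    printf("client without supported_versions: 0x%04x (0 = protocol_version alert)\n",
           select_server_version(TLS1_2_VERSION, NULL, 0, server_tls13_only, 1));
    return 0;
}
```

The practical check this suggests for the Zulu 1.8.0 failures is to look at what the client actually offers: a JDK 8 build whose JSSE does not enable TLSv1.3 sends a ClientHello with legacy_version 0x0303 and no supported_versions entry for 0x0304, and a TLSv1.3-only server has nothing to pick, independent of whether OpenSSL 1.1.1 or 3.0 sits behind the connector. Running the test with -Djavax.net.debug=ssl:handshake on the client JVM shows the offered versions directly.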
svn commit: r1880531 - in /tomcat/site/trunk: docs/whoweare.html xdocs/whoweare.xml
Author: remm Date: Mon Aug 3 09:19:16 2020 New Revision: 1880531 URL: http://svn.apache.org/viewvc?rev=1880531&view=rev Log: Fix Rajiv's first name. Modified: tomcat/site/trunk/docs/whoweare.html tomcat/site/trunk/xdocs/whoweare.xml Modified: tomcat/site/trunk/docs/whoweare.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/whoweare.html?rev=1880531&r1=1880530&r2=1880531&view=diff == --- tomcat/site/trunk/docs/whoweare.html (original) +++ tomcat/site/trunk/docs/whoweare.html Mon Aug 3 09:19:16 2020 @@ -177,7 +177,7 @@ Emeritus is defined in the Apache gl Gal Shachor (shachor at apache.org), Hans Bergsten (bergsten at apache.org), James Todd (gonzo at apache.org), -Rain Mordani (mode at apache.org), +Rajiv Mordani (mode at apache.org), Hans Granqvist (har at apache.org), Ian P. Springer (ishp at apache.org), Arun Jamwal (arun at apache.org), Modified: tomcat/site/trunk/xdocs/whoweare.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/whoweare.xml?rev=1880531&r1=1880530&r2=1880531&view=diff == --- tomcat/site/trunk/xdocs/whoweare.xml (original) +++ tomcat/site/trunk/xdocs/whoweare.xml Mon Aug 3 09:19:16 2020 @@ -194,7 +194,7 @@ Emeritus is defined in the Apache gl Gal Shachor (shachor at apache.org), Hans Bergsten (bergsten at apache.org), James Todd (gonzo at apache.org), -Rain Mordani (mode at apache.org), +Rajiv Mordani (mode at apache.org), Hans Granqvist (har at apache.org), Ian P. Springer (ishp at apache.org), Arun Jamwal (arun at apache.org), - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
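Review bot: the one-line correction (Rain Mordani to Rajiv Mordani) is applied identically to the xdocs/whoweare.xml source and to the rendered docs/whoweare.html, so the source and the generated page stay in sync; nothing else changes in either hunk, and the address `mode at apache.org` on the corrected line is left as it was.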