Re: [VOTE] Release Apache Tomcat 8.0.35
On 12.5.2016 0:34, Mark Thomas wrote:
The proposed 8.0.35 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 8.0.35

Tested .zip distribution on Windows 7 64-bit, Oracle JDK 1.8.0_77 and APR/native 1.2.7:
- Tested TLS connectivity for BIO, NIO, NIO2 and APR connectors. Default configuration gets "A" on SSLLabs test. Great job!
- Tested with several webapps that are in active development.

-Ognjen

- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 8.0.32
On 3.2.2016 10:05, Mark Thomas wrote:
The proposed 8.0.32 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 8.0.32

Tested .zip distribution on Windows 7 64-bit, Oracle JDK 1.8.0_71 and APR/native 1.2.4:
- Tested TLS connectivity for BIO, NIO, NIO2 and APR connectors.
- Crawled most links (except /manager, /host-manager and /examples/async* and alike). No broken links found.
- Smoke tests of BIO, NIO, NIO2 and APR, with and without TLS, all passed.
- Tested with several webapps that are in active development.

-Ognjen
Re: [VOTE] Release Apache Tomcat 8.0.30
On 2.12.2015 0:02, Mark Thomas wrote:
The proposed 8.0.30 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 8.0.30

Tested .zip distribution on Windows 7 64-bit, Oracle JDK 1.8.0_60 and APR/native 1.2.2:
- Tested TLS connectivity for BIO, NIO, NIO2 and APR connectors.
- Crawled most links (except /manager, /host-manager and /examples/async* and alike). No broken links found.
- Smoke tests of BIO, NIO, NIO2 and APR, with and without TLS, all passed.
- Tested with several webapps that are in active development.

-Ognjen
Re: [VOTE] Release Apache Tomcat 9.0.0.M1
Mark,

On 15.11.2015 13:42, Mark Thomas wrote:
* SSLTest also reports that APR/native does not serve full certificate chain; instead, it serves only server certificate. The same APR config serves full chain with Tomcat 8.0.28 + Native 1.2.2, so it seems to be a regression. Not serving full chain might be a problem for some clients -- browsers will probably work, but other clients may fail to establish TLS connection.

Hmm. I'm sure this was working at one point. I'll retest it.

Tomcat 8 docs lists APR Connector attribute "SSLCertificateChainFile" [1]. Tomcat 9 docs, does not list such attribute (neither in "SSL Support - SSLHostConfig", "SSL Support - Certificate" nor "SSL Support - Connector - APR/Native (deprecated)"). I also check the class SSLHostConfigCertificate, and couldn't find a field for the chain.

-Ognjen

[1] http://tomcat.apache.org/tomcat-8.0-doc/config/http.html#SSL_Support_-_APR/Native
Re: [VOTE] Release Apache Tomcat 9.0.0.M1
Mark, Chris,

On 16.11.2015 17:15, Mark Thomas wrote:
Tomcat 8 docs lists APR Connector attribute "SSLCertificateChainFile" [1]. Tomcat 9 docs, does not list such attribute (neither in "SSL Support - SSLHostConfig", "SSL Support - Certificate" nor "SSL Support - Connector - APR/Native (deprecated)"). I also check the class SSLHostConfigCertificate, and couldn't find a field for the chain.

You use the same attribute as for the cert. i.e. you provide the full chain rather than just the cert.

Ok, my initial testing was with the attribute SSLCertificateChainFile, which was deprecated. Now I tried to add chain to server certificate file, but it does not work for me, either. I still get the warning that certificate chain is incomplete.

I tried those two configurations, both of them serve only server cert:

File "cert-with-chain.pem" contains three certificates -- first the server certificate, and then two intermediate certificates. I also tried changing certificate order (first the intermediate certificates, then server cert) but that results with "error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch", so I guess server certificate must be the first one.

-Ognjen
Re: [VOTE] Release Apache Tomcat 9.0.0.M1
Chris,

On 16.11.2015 23:06, Christopher Schultz wrote:
What is your TLS configuration?

Please look at my previous reply on this thread.

* It seems that it is not possible anymore to use attribute "digest" in realms. It would be nice if that is mentioned in release announcement. I guess quite a number of people uses Realms with digest, and they will need to adjust the config before switching to 9.0.0.

"digest" should still work

For me, it doesn't work [1]. It yields:

org.apache.tomcat.util.digester.SetPropertiesRule.begin [SetPropertiesRule]{Context/Realm/Realm} Setting property 'digest' to 'SHA-512' did not find a matching property.

The webapp is started, but I cannot log in. It works fine, however, with nested CredentialHandler [2].

-Ognjen

[1]
[2] className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-512" />
Re: [VOTE] Release Apache Tomcat 9.0.0.M1
Mark,

On 13.11.2015 1:12, Mark Thomas wrote:
The proposed Apache Tomcat 9.0.0.M1 release is now available for voting.

The proposed 9.0.0.M1 release is:
[ ] Broken - do not release
[X] Alpha - go ahead and release as 9.0.0.M1

Tested .zip distribution on Windows 7 64-bit, Oracle JDK 1.8.0_60 and APR/native 1.2.2:
- Tested TLS connectivity for NIO and APR connectors:
  * Thanks to Java 8 parameter (-Djdk.tls.ephemeralDHKeySize=2048) with NIO and Native 1.2.2 with APR, I was able to configure DH key size >= 2048. SSLTest is happy.
  * SSLTest also reports that APR/native does not serve full certificate chain; instead, it serves only server certificate. The same APR config serves full chain with Tomcat 8.0.28 + Native 1.2.2, so it seems to be a regression. Not serving full chain might be a problem for some clients -- browsers will probably work, but other clients may fail to establish TLS connection.
- Crawled most links (except /manager, /host-manager and /examples/async* and alike). No broken links found.
- Smoke tests of NIO and APR, with and without TLS, all passed.
- Tested HTTP/2, Firefox reports that HTTP/2 is active. Smoke test passes.
- Tested with several webapps that are in active development.

Small nuisances:
* It seems that it is not possible anymore to use attribute "digest" in realms. It would be nice if that is mentioned in release announcement. I guess quite a number of people uses Realms with digest, and they will need to adjust the config before switching to 9.0.0.
* Tomcat 9 uses DBCP2, so attribute names for connection pool are different now (e.g. maxActive -> maxTotal). It would be nice to also add that to the announcement.

-Ognjen
Re: [VOTE] Switch 6.0.x from RTC to CTR
On 28.10.2015 23:42, Mark Thomas wrote:
[ ] Continue to use RTC for 6.0.x
[X] Switch 6.0.x to CTR

-Ognjen
Re: [VOTE] Release Apache Tomcat 8.0.24
Mark,

On 1.7.2015 22:56, Mark Thomas wrote:
The proposed 8.0.24 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 8.0.24

Tested .zip distribution on Windows 7 64-bit, Oracle JDK 1.7.0_79 and APR/native 1.1.33:
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO, NIO2 and APR, with and without TLS, all passed.
- Tested with several webapps that are in active development.
- I encountered some minor bugs during testing, and filed them in Bugzilla [1][2][3]. They also existed in previous Tomcat 8 versions.

-Ognjen

[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=58103
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=58104
[3] https://bz.apache.org/bugzilla/show_bug.cgi?id=58105
Re: [VOTE] Release Apache Tomcat 7.0.63
Violeta,

On 30.6.2015 11:01, Violeta Georgieva wrote:
The proposed 7.0.63 release is:
[ ] Broken - do not release
[x] Stable - go ahead and release as 7.0.63 Stable

Tested .zip distribution on Windows 7 64-bit, Oracle JDK 1.7.0_79 and APR/native 1.1.33:
- Tested TLS connectivity for BIO, NIO, and APR connectors.
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed.
- Tested with several webapps that are in active development.

-Ognjen
Re: [RESULT][VOTE] Release Apache Tomcat 8.0.23
Mark,

On 22.5.2015 11:42, Mark Thomas wrote:
Closing the vote now so I have a chance to get the release out before the weekend.

The votes cast were as follows:
Binding: stable: markt, kfujino, remm, jfarcand, kkolinko, schultz, violetagg
Non-binding: stable: fschumacher

The vote therefore passes. I'll start pushing the release out.

Late to the party...

Tested .zip distribution on Windows 7 64-bit, Oracle JDK 1.7.0_79 and APR/native 1.1.33:
- Tested TLS connectivity for BIO, NIO, NIO2 and APR connectors.
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO, NIO2 and APR, with and without TLS, all passed.

The problem with NIO2+TLS that I experienced 8.0.22 is now solved.

-Ognjen
Re: [VOTE] Release Apache Tomcat 6.0.44
On 8.5.2015 16:24, jean-frederic clere wrote:
The proposed 6.0.44 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 6.0.44 Stable

Tested .zip distribution on Windows 7 64-bit, Oracle JDK 1.7.0_79 and APR/native 1.1.33:
- Tested TLS/SSL connectivity for BIO, NIO and APR connectors. Note: APR/native supports only TLS 1.0 by default. I needed to add attribute SSLProtocol to enable TLS 1.1/1.2.
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed.
- Tested with several webapps that are in active development.

-Ognjen
Re: [VOTE] Release Apache Tomcat 8.0.22
On 3.5.2015 19:36, Rémy Maucherat wrote:
2015-05-03 18:28 GMT+02:00 Felix Schumacher felix.schumac...@internetallee.de:
In my test case position() will be either 0 or 341 (complete request). They seem to happen at about the same rate.

r1672626 fixed a loop issue, but oversimplified. So I am going back to the previous code, with an added fix to resolve the loop, and hopefully it will be fine now. Since there's something wrong in both cases, it's not really a regression and I doubt it is worth doing a new build for this.

I repeated my smoke/stress tests against latest 8.0.x/trunk (r1677647), and all connectors pass them, with and without TLS.

I still get NIO2 warnings and APR 20005 errors in the log, as I reported earlier, but everything else seems Ok. They seem to be unrelated to the NIO2+TLS failure I reported with 8.0.22. Same warnings and errors exists with 8.0.21.

I wouldn't say that 8.0.22 is not a regression compared to 8.0.21, as 8.0.21 passes my tests, 8.0.x/trunk also passes them, but 8.0.22 does not pass them.

-Ognjen
Re: [VOTE] Release Apache Tomcat 8.0.22
On 29.4.2015 18:41, Mark Thomas wrote:
The proposed 8.0.22 release is:
[X] Broken - do not release
[ ] Stable - go ahead and release as 8.0.22

Tested .zip distribution on Windows 7 64-bit, Oracle JDK 1.8.0_45 and APR/native 1.1.33:
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO, NIO2 and APR, with and without TLS. Only NIO2+TLS fails.

Connector configuration:

<Connector port="449" protocol="org.apache.coyote.http11.Http11Nio2Protocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="(snip).p12" keyAlias="(snip)" keystoreType="pkcs12" />

I smoke tested with this crawler: https://bz.apache.org/bugzilla/attachment.cgi?id=31184

I get in the logs some of those:

01-May-2015 01:29:59.631 SEVERE [http-apr-83-exec-7] org.apache.coyote.http11.AbstractHttp11Processor.endRequest Error finishing response
 org.apache.tomcat.jni.Error: 20005: An invalid socket was returned
    at org.apache.tomcat.jni.Socket.sendbb(Native Method)
    at org.apache.coyote.http11.InternalAprOutputBuffer.writeToSocket(InternalAprOutputBuffer.java:287)
    at org.apache.coyote.http11.InternalAprOutputBuffer.writeToSocket(InternalAprOutputBuffer.java:244)
    at org.apache.coyote.http11.InternalAprOutputBuffer.flushBuffer(InternalAprOutputBuffer.java:213)
    at org.apache.coyote.http11.AbstractOutputBuffer.endRequest(AbstractOutputBuffer.java:378)
    at org.apache.coyote.http11.AbstractHttp11Processor.endRequest(AbstractHttp11Processor.java:1800)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1143)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2463)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2452)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

And a lot of those:

01-May-2015 01:29:59.625 WARNING [http-nio2-84-exec-6] org.apache.tomcat.util.net.AbstractEndpoint.countDownConnection Incorrect connection count, multiple socket.close called on the same socket.
01-May-2015 01:29:59.627 WARNING [http-nio2-84-exec-4] org.apache.tomcat.util.net.AbstractEndpoint.countDownConnection Incorrect connection count, multiple socket.close called on the same socket.
01-May-2015 01:29:59.627 WARNING [http-nio2-84-exec-1] org.apache.tomcat.util.net.AbstractEndpoint.countDownConnection Incorrect connection count, multiple socket.close called on the same socket.

I probably won't be able to do any more tests before Monday.

-Ognjen
Re: [VOTE] Release Apache Tomcat 7.0.61
On 27.3.2015 13:36, Violeta Georgieva wrote:
The proposed 7.0.61 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 7.0.61 Stable

Tested .zip distribution on Windows 7 64-bit, Oracle JDK 1.7.0_75 and APR/native 1.1.33:
- Tested TLS connectivity for BIO, NIO, and APR connectors.
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed.
- Tested with several webapps that are in active development.

Tested BIO and NIO option useServerCipherSuitesOrder=true:
1. Throws exception with JDK 1.7.0_75, as expected.
2. Works as expected with JDK 1.8.0_40 (gets mark A on SSLTest, instead of A-).

-Ognjen
Re: [VOTE] Release Apache Tomcat 7.0.60
On 26.3.2015 9:31, Violeta Georgieva wrote:
The proposed 7.0.60 release is:
[X] Broken - do not release
[ ] Stable - go ahead and release as 7.0.60 Stable

(non-binding vote)

Tested .zip distribution on Windows 7 64-bit, Oracle JDK 1.8.0_40.

Tested BIO and NIO connector option useServerCipherSuitesOrder=true: Throws exception with JDK 1.8.0_40, and that shouldn't happen:

==
??? 26, 2015 1:46:56 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server version:Apache Tomcat/7.0.60
...
??? 26, 2015 1:46:56 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: JVM Version: 1.8.0_40-b26
...
SEVERE: Failed to initialize end point associated with ProtocolHandler [http-bio-443]
java.lang.UnsupportedOperationException: Java Runtime does not support useServerCipherSuitesOrder. You must use Java 8 or later to use this feature.
-

I'm still investigating why this doesn't work as expected.

-Ognjen
Re: [VOTE] Release Apache Tomcat 7.0.60
On 26.3.2015 14:23, Ognjen Blagojevic wrote:
On 26.3.2015 9:31, Violeta Georgieva wrote:
The proposed 7.0.60 release is:
[X] Broken - do not release
[ ] Stable - go ahead and release as 7.0.60 Stable
...
I'm still investigating why this doesn't work as expected.

It was introduced in 1662994, in method AbstractEndpoint.testServerCipherSuitesOrderSupport (reformatted for clarity):

    if (JreCompat.isJre8Available()) {
        throw new UnsupportedOperationException(
                sm.getString("endpoint.jsse.cannotHonorServerCipherOrder"));
    }

Condition is wrong, it should throw exception only if Jre8 is NOT available:

    if (!JreCompat.isJre8Available()) {
        throw new UnsupportedOperationException(
                sm.getString("endpoint.jsse.cannotHonorServerCipherOrder"));
    }

-Ognjen
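The guard discussed in the message above, as an added example that is not part of the original thread and is not Tomcat's code: it places the inverted and corrected conditions side by side, checks both runtime states, and then applies server cipher order to an SSLEngine. The class and method names are hypothetical; SSLParameters.setUseCipherSuitesOrder is the Java 8 JSSE call assumed to back useServerCipherSuitesOrder.

```java
import java.lang.reflect.Method;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Added illustration; names are hypothetical, not taken from Tomcat.
public class CipherOrderGuardDemo {

    interface Guard {
        void check(boolean jre8Available);
    }

    // Condition as quoted in the message: throws when the feature IS available.
    static final Guard INVERTED = new Guard() {
        public void check(boolean jre8Available) {
            if (jre8Available) {
                throw new UnsupportedOperationException("cannot honor server cipher order");
            }
        }
    };

    // Corrected condition: throws only when the feature is NOT available.
    static final Guard CORRECTED = new Guard() {
        public void check(boolean jre8Available) {
            if (!jre8Available) {
                throw new UnsupportedOperationException("cannot honor server cipher order");
            }
        }
    };

    // True when the guard refuses to continue for the given runtime state.
    static boolean rejects(Guard guard, boolean jre8Available) {
        try {
            guard.check(jre8Available);
            return false;
        } catch (UnsupportedOperationException e) {
            return true;
        }
    }

    // Reflective lookup, so the class also loads on a runtime older than Java 8.
    static Method orderSetter() {
        try {
            return SSLParameters.class.getMethod("setUseCipherSuitesOrder", boolean.class);
        } catch (NoSuchMethodException e) {
            return null;
        }
    }

    // Turns on server cipher preference and returns the value read back from the engine.
    static boolean enableServerOrder(SSLEngine engine) throws Exception {
        Method setter = orderSetter();
        // Fail closed: an unsupported runtime must not look as if the option was applied.
        CORRECTED.check(setter != null);
        SSLParameters params = engine.getSSLParameters();
        setter.invoke(params, Boolean.TRUE);
        engine.setSSLParameters(params);
        Method getter = SSLParameters.class.getMethod("getUseCipherSuitesOrder");
        return ((Boolean) getter.invoke(engine.getSSLParameters())).booleanValue();
    }

    public static void main(String[] args) throws Exception {
        // Both runtime states; the inverted guard gets each of them backwards.
        boolean[] states = {false, true};
        for (boolean available : states) {
            System.out.println("jre8Available=" + available
                    + " inverted rejects=" + rejects(INVERTED, available)
                    + " corrected rejects=" + rejects(CORRECTED, available));
        }
        // Regression check: reject exactly when the runtime lacks the feature.
        if (rejects(CORRECTED, true) || !rejects(CORRECTED, false)) {
            throw new AssertionError("guard condition is inverted");
        }
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false); // cipher preference is a server-side setting
        System.out.println("server cipher order honored: " + enableServerOrder(engine));
    }
}
```

A check over both runtime states like the one in main is what separates the two conditions, since on any single JDK only one branch is ever exercised.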
Re: [VOTE][CANCEL] Release Apache Tomcat 7.0.60
Violeta,

On 26.3.2015 15:43, Violeta Georgieva wrote:
2015-03-26 16:36 GMT+02:00 Ognjen Blagojevic ognjen.d.blagoje...@gmail.com :
Violeta,

On 26.3.2015 14:57, Violeta Georgieva wrote:
I'm canceling the vote in order to pickup the fix for ServerCipherSuitesOrder support.

Could you, please wait until I test if everything is Ok with 7.0.x, before you put 7.0.61 on voting?

OK

Thank you. I found two more bugs that broke cipher suites ordering in 7.0.x. They are described in issue 55988, and the patch 32611 that resolves them is attached to that issue.

-Ognjen
Re: [VOTE][CANCEL] Release Apache Tomcat 7.0.60
Violeta,

On 26.3.2015 14:57, Violeta Georgieva wrote:
I'm canceling the vote in order to pickup the fix for ServerCipherSuitesOrder support.

Could you, please wait until I test if everything is Ok with 7.0.x, before you put 7.0.61 on voting?

-Ognjen
Re: [VOTE] Release Apache Tomcat 8.0.21
On 23.3.2015 15:59, Mark Thomas wrote:
The proposed 8.0.21 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 8.0.21

Tested .zip distribution on Windows 7 64-bit, Oracle JDK 1.7.0_75 and APR/native 1.1.33:
- Tested TLS connectivity for BIO, NIO, NIO2 and APR connectors.
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO, NIO2 and APR, with and without TLS, all passed.
- Tested with several webapps that are in active development.

Tested BIO, NIO and NIO2 option useServerCipherSuitesOrder=true:
1. Throws exception with JDK 1.7.0_75, as expected.
2. Works as expected with JDK 1.8.0_40 (gets mark A on SSLTest, instead of A-).

-Ognjen
Re: [VOTE] Release Apache Tomcat 7.0.59
Violeta,

On 28.1.2015 20:35, Violeta Georgieva wrote:
The proposed 7.0.59 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 7.0.59 Stable

Tested .zip distribution on Windows 7 64-bit and Oracle JDK 1.7.0_75:
- Tested TLS/SSL connectivity for BIO, NIO and APR connectors.
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed.
- Tested with several webapps that are in active development.

-Ognjen
Re: [VOTE] Release Apache Tomcat 8.0.17
Mark,

On 9.1.2015 19:26, Mark Thomas wrote:
The proposed Apache Tomcat 8.0.17 release is now available for voting.
...
The proposed 8.0.17 release is:
[ ] Broken - do not release
[x] Stable - go ahead and release as 8.0.17

Tested .zip distribution on Windows 7 64-bit and Oracle JDK 1.7.0_67:
- Tested TLS/SSL connectivity for BIO, NIO and APR connectors.
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed.
- Tested with several webapps that are in active development.

-Ognjen
Re: [VOTE] Release Apache Tomcat Native 1.1.32
Mark,

On 21.10.2014 11:05, Mark Thomas wrote:
Version 1.1.32 includes the following changes:
- Add support for TLS v1.1 and TLS v1.2
- Windows binaries built with APR 1.5.1 and OpenSSL 1.0.1j

The Apache Tomcat Native (--1.1.31--) 1.1.32 is
[X] Stable, go ahead and release
[ ] Broken because of ...

(non-binding)

Tested with Tomcat 8.0.14 and 8-trunk. 8.0.14 reports, as expected:

An invalid value [TLSv1+TLSv1.1+TLSv1.2] was provided for the SSLProtocol attribute

8-trunk works fine. SSLLabs reports that the server is not vulnerable to POODLE.

-Ognjen
Re: [VOTE] Release Apache Tomcat 7.0.56
Violeta,

On 28.9.2014 14:34, Violeta Georgieva wrote:
The proposed 7.0.56 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 7.0.56 Stable

(non-binding)

Tested .zip distribution on Windows 7 64-bit:
- Tested TLS/SSL connectivity for BIO, NIO and APR connectors.
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed.
- Tested with several webapps that are in active development.

-Ognjen
Re: [VOTE] Release Apache Tomcat 8.0.14
Mark,

On 24.9.2014 23:07, Mark Thomas wrote:
The proposed 8.0.14 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 8.0.14

(non-binding)

Tested .zip distribution on Windows 7 64-bit:
- Tested TLS/SSL connectivity for BIO, NIO and APR connectors.
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed.
- Tested with several webapps that are in active development.
- Tested OpenSSL cypher syntax with BIO connector.

-Ognjen
Re: [VOTE] Release Apache Tomcat 8.0.11
Mark,

On 15.8.2014 22:07, Mark Thomas wrote:
The proposed 8.0.11 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 8.0.11

(non-binding)

Tested .zip distribution on Windows 7 64-bit:
- Tested TLS/SSL connectivity for BIO, NIO and APR connectors.
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed.
- Tested with several webapps that are in active development.

But, I had some problems with testing OpenSSL cypher syntax with BIO connector. Some values for ciphers attribute worked, like

ciphers=EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

but others did not:

ciphers=EECDH+aRSA+SHA384:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

The exception thrown is:

-
20-Aug-2014 09:56:48.568 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler [http-bio-443]
 java.io.IOException
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:467)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:181)
    at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:360)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:730)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:456)
    at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:842)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
Caused by: java.lang.NullPointerException
    at java.util.ArrayList.init(ArrayList.java:164)
    at org.apache.tomcat.util.net.jsse.openssl.OpenSSLCipherConfigurationParser.parse(OpenSSLCipherConfigurationParser.java:636)
    at org.apache.tomcat.util.net.jsse.openssl.OpenSSLCipherConfigurationParser.parseExpression(OpenSSLCipherConfigurationParser.java:668)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getEnableableCiphers(JSSESocketFactory.java:239)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:455)
    ... 19 more
20-Aug-2014 09:56:48.631 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[org.apache.coyote.http11.Http11Protocol-443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[org.apache.coyote.http11.Http11Protocol-443]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:842)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:962)
    at
Re: [VOTE] Release Apache Tomcat 6.0.41
On 19.5.2014 14:58, Mark Thomas wrote:
The proposed 6.0.41 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 6.0.41 Stable

Tested .zip distribution on Windows 7 64-bit and Oracle JDK 1.7.0_51:
- Tested TLS/SSL connectivity for BIO, NIO and APR connectors.
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed.
- Tested with several webapps that are in active development.

-Ognjen
Re: [VOTE] Release Apache Tomcat 7.0.54
On 20.5.2014 12:04, Violeta Georgieva wrote:
The proposed 7.0.54 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 7.0.54 Stable

Tested .zip distribution on Windows 7 64-bit and Oracle JDK 1.7.0_51:
- Tested TLS/SSL connectivity for BIO, NIO and APR connectors.
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed.
- Tested with several webapps that are in active development.

-Ognjen
Re: [VOTE] Release Apache Tomcat 8.0.8
On 16.5.2014 22:55, Mark Thomas wrote:
The proposed 8.0.8 release is:
[ ] Broken - do not release
[ ] Alpha - go ahead and release as 8.0.8 (alpha)
[ ] Beta - go ahead and release as 8.0.8 (beta)
[X] Stable - go ahead and release as 8.0.8 (stable)

(non-binding)

Tested .zip distribution on Windows 7 64-bit:
- Tested TLS/SSL connectivity for BIO, NIO and APR connectors.
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed.
- Tested with several webapps that are in active development.

-Ognjen
Re: Wiki
On 14.4.2014 4:47, Konstantin Kolinko wrote:
2014-04-14 3:03 GMT+04:00 Ognjen Blagojevic ognjen.d.blagoje...@gmail.com:
Hi, Please allow me to edit Tomcat wiki.

OK, but did you create an account there? Your Wiki account name = ?

OgnjenBlagojevic. I used that username on one of the Apache wikis couple of years ago (don't remember which one), but now I realized there is more than one wiki instance, so now I created account with same username also on Tomcat wiki.

-Ognjen
Wiki
Hi,

Please allow me to edit Tomcat wiki.

-Ognjen
Re: [VOTE] Release Apache Tomcat Native 1.1.30
Mladen,

On 10.4.2014 13:50, Mladen Turk wrote:
The Apache Tomcat Native 1.1.30 is
[X] Stable, go ahead and release
[ ] Broken because of ...

(non-binding)

Tested with Tomcat 8.0.5, Oracle Java 1.7.0_51 on Windows 7 64-bit.
- Filippo.io [1] reports it is not vulnerable to Heartbleed bug.
- SSLLabs [2] reports it is not vulnerable to Heartbleed bug.
- SSLLabs reports that Forward secrecy is enabled when proper cipher suites (including EECDH/ECDHE) are enabled.
- Smoke tests of APR, with and without TLS, all passed.

-Ognjen

[1] http://filippo.io/Heartbleed/
[2] https://www.ssllabs.com/ssltes
Re: svn commit: r1585898 - in /tomcat/native/branches/1.1.x: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
On 9.4.2014 9:32, mt...@apache.org wrote:
Log: Apply Ognjen's patch for bz55915

For the record, I am an issue reporter, but patch was provided by Mike Noordermeer.

-Ognjen
Re: [VOTE] Release Apache Tomcat 7.0.53
On 25.3.2014 9:25, Violeta Georgieva wrote:
The proposed Apache Tomcat 7.0.53 release is now available for voting.
It can be obtained from: https://dist.apache.org/repos/dist/dev/tomcat/tomcat-7/v7.0.53/
The Maven staging repo is: https://repository.apache.org/content/repositories/orgapachetomcat-1010/
The svn tag is: http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_53/
The proposed 7.0.53 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 7.0.53 Stable

(non-binding)

Tested .zip distribution on Windows 7 64-bit:
- Tested TLS/SSL connectivity for BIO, NIO and APR connectors.
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed.
- Tested with several webapps that are in active development.

-Ognjen
Re: [VOTE] Release Apache Tomcat 8.0.5
On 24.3.2014 19:47, Mark Thomas wrote:
The proposed Apache Tomcat 8.0.5 release is now available for voting.
The proposed 8.0.5 release is:
[ ] Broken - do not release
[ ] Alpha - go ahead and release as 8.0.5 (alpha)
[ ] Beta - go ahead and release as 8.0.5 (beta)
[X] Stable - go ahead and release as 8.0.5 (stable)

(non-binding)

Tested .zip distribution on Windows 7 64-bit:
- Tested TLS/SSL connectivity for BIO, NIO and APR connectors.
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed.
- Tested with several webapps that are in active development.

-Ognjen
Re: [VOTE] Release Apache Tomcat 7.0.52
Violeta,

On 13.2.2014 9:17, Violeta Georgieva wrote:
The proposed Apache Tomcat 7.0.52 release is now available for voting.
...
The proposed 7.0.52 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 7.0.52 Stable

Tested .zip distribution on Windows 7 64-bit with Oracle JDK 1.7.0_51-64 bit:
- Tested SSL/TLS connectivity for BIO, NIO and APR connectors.
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed.
- Tested with several webapps that are in active development.

-Ognjen
Re: [VOTE] Release Apache Tomcat 8.0.3
Mark,

On 10.2.2014 10:07, Mark Thomas wrote:
In 8.0.1, I needed to add the following configuration to catalina.policy (sensitive parts removed):
    permission java.net.SocketPermission "(dbserver)", "resolve";
    permission java.net.SocketPermission "(dbserver):(port)", "connect,resolve";
<snip/>
Do you have stack traces for the exceptions related to these? What I really want to know is if DBCP 2 is on the code path and if so, what is the stack trace from the entry point to DBCP 2 to this exception. If DBCP 2 is on the code path, it looks like a PA is required somewhere.

Update: for 8.0.3, I am able to remove not only permissions I initially reported, but also the following ones:
    //permission java.util.PropertyPermission "javax.mail.Session.Factory", "read";
    //permission java.net.SocketPermission "(mailserver)", "resolve";
    //permission java.net.SocketPermission "(mailserver):(port)", "connect,resolve";
    //permission java.net.SocketPermission "(dbserver)", "resolve";
    //permission java.net.SocketPermission "(dbserver):(port)", "connect,resolve";

In the meantime, I also added one new permission for 8.0.3:
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.jni";

Therefore, I guess everything is as you expected in 8.0.3?

For clarity, I repeat the list of permissions for 8.0.1, and updated list for 8.0.3.

8.0.1:
grant codeBase "file:${catalina.base}/webapps/(context)/-" {
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.util.PropertyPermission "com.sun.faces.SerializationProvider", "read";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "com.sun.faces.InjectionProvider", "read";
    permission java.io.FilePermission "file:(...)\\WEB-INF\\lib\\(...)!\\META-INF\\-", "read";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.compiler";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.util.PropertyPermission "openjpa.properties", "read";
    permission java.util.PropertyPermission "javax.persistence.properties", "read";
    permission java.util.PropertyPermission "openjpa.slice.properties", "read";
    permission java.util.PropertyPermission "javax.mail.Session.Factory", "read";
    permission java.net.SocketPermission "(mailserver)", "resolve";
    permission java.net.SocketPermission "(mailserver):(port)", "connect,resolve";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.dbcp2";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool2";
    permission java.net.SocketPermission "(dbserver)", "resolve";
    permission java.net.SocketPermission "(dbserver):(port)", "connect,resolve";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool2.impl";
    permission javax.management.MBeanServerPermission "createMBeanServer";
    permission javax.management.MBeanPermission "org.apache.tomcat.dbcp.pool2.impl.GenericObjectPool#-[Catalina:class=javax.sql.DataSource,context=/(context),host=localhost,name=\"(jndiname)\",pool=connections,type=DataSource]", "registerMBean";
};

8.0.3:
grant codeBase "file:${catalina.base}/webapps/(context)/-" {
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.util.PropertyPermission "com.sun.faces.SerializationProvider", "read";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "com.sun.faces.InjectionProvider", "read";
    permission java.io.FilePermission "file:(...)\\WEB-INF\\lib\\(...)!\\META-INF\\-", "read";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.compiler";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.util.PropertyPermission "openjpa.properties", "read";
    permission java.util.PropertyPermission "javax.persistence.properties", "read";
    permission java.util.PropertyPermission "openjpa.slice.properties", "read";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.jni";
};

BTW, my webapp is still not 100% functional with security manager, but I am at least able to access database server using JNDI and DBCP2. Exceptions I get seem to be completely unrelated to DBCP2 (e.g. javax.el.ELException: /(snip).jspx: Property 'contextPath' not found on type org.apache.catalina.connector.RequestFacade).

-Ognjen
Re: [VOTE] Release Apache Tomcat 8.0.3
Mark,

On 9.2.2014 2:36, Ognjen Blagojevic wrote:
I also tried to test my production webapps, which also use DBCP2. However I get a lot of AccessControlExceptions, which I resolved one by one. Now I am stuck with a particularly stubborn FilePermission problem. If I resolve that one, and other following exceptions I will report the results of testing here.

I got one of my production webapps working (for the most part) with security manager in 8.0.1 and 8.0.3.

In 8.0.1, I needed to add the following configuration to catalina.policy (sensitive parts removed):

grant codeBase "file:${catalina.base}/webapps/(context)/-" {
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.util.PropertyPermission "com.sun.faces.SerializationProvider", "read";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "com.sun.faces.InjectionProvider", "read";
    permission java.io.FilePermission "file:(...)\\WEB-INF\\lib\\(...)!\\META-INF\\-", "read";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.compiler";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.util.PropertyPermission "openjpa.properties", "read";
    permission java.util.PropertyPermission "javax.persistence.properties", "read";
    permission java.util.PropertyPermission "openjpa.slice.properties", "read";
    permission java.util.PropertyPermission "javax.mail.Session.Factory", "read";
    permission java.net.SocketPermission "(mailserver)", "resolve";
    permission java.net.SocketPermission "(mailserver):(port)", "connect,resolve";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.dbcp2";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool2";
    permission java.net.SocketPermission "(dbserver)", "resolve";
    permission java.net.SocketPermission "(dbserver):(port)", "connect,resolve";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool2.impl";
    permission javax.management.MBeanServerPermission "createMBeanServer";
    permission javax.management.MBeanPermission "org.apache.tomcat.dbcp.pool2.impl.GenericObjectPool#-[Catalina:class=javax.sql.DataSource,context=/(context),host=localhost,name=\"(jndiname)\",pool=connections,type=DataSource]", "registerMBean";
};

In 8.0.3, I was able to remove the following permissions from the above list:

    // permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.dbcp2";
    // permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool2";
    // permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool2.impl";
    // permission javax.management.MBeanPermission "org.apache.tomcat.dbcp.pool2.impl.GenericObjectPool#-[Catalina:class=javax.sql.DataSource,context=/(context),host=localhost,name=\"(jndiname)\",pool=connections,type=DataSource]", "registerMBean";
    // permission javax.management.MBeanServerPermission "createMBeanServer";

HTH,
Ognjen
Re: [VOTE] Release Apache Tomcat 8.0.3
Mark,

On 8.2.2014 12:19, Mark Thomas wrote:
- Tested with several webapps that are in active development (Linux).
You mentioned in the 8.0.2 vote that some of these used Tomcat's packaged renamed DBCP. I've added support for using that with a security manager in 8.0.3 (with apps not needing extra permissions to connect to the database). It works with my simple database app. Any chance you could try it with your apps and see if I missed any classes that need to be pre-loaded or methods that need PrivilegedActions? I appreciate that enabling the security manager may cause all sorts of things to break but if you can provide any feedback on DBCP and the security manager that would be great.

I can only confirm what you already know.

In order to isolate the problem with 8.0.2 I created a simple webapp that uses JNDI lookup to get data source from DBCP2 pool defined in context.xml. With that simple webapp, when I enable security manager:
1. with 8.0.1, it throws: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.tomcat.dbcp.dbcp2)
2. with 8.0.3, it works OK.

I also tried to test my production webapps, which also use DBCP2. However I get a lot of AccessControlExceptions, which I resolved one by one. Now I am stuck with a particularly stubborn FilePermission problem. If I resolve that one, and other following exceptions I will report the results of testing here.

-Ognjen
Re: [VOTE] Release Apache Tomcat 8.0.3
Mark,

On 7.2.2014 19:16, Mark Thomas wrote:
The proposed Apache Tomcat 8.0.3 release is now available for voting.
...
The proposed 8.0.3 release is:
[ ] Broken - do not release
[ ] Alpha - go ahead and release as 8.0.3 (alpha)
[ ] Beta - go ahead and release as 8.0.3 (beta)
[X] Stable - go ahead and release as 8.0.3 (stable)

Tested .zip distribution on Windows 7 64-bit, and .tar.gz on CentOS 5 64-bit:
- Tested TLS/SSL connectivity for BIO, NIO and APR connectors (Windows).
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs (Windows).
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed (Windows).
- Tested with several webapps that are in active development (Linux).

-Ognjen
Re: support for salted passwords
Chris,

On 6.2.2014 15:28, Christopher Schultz wrote:
3. option 2 with salt
Adding a salt would be trivial given the changes I have proposed. I'd love to enable salting by default when using a hash, but that may be surprising to some users. I suppose the salt could be separated from the salted-hashed-password by some obvious delimiter such as :. See below for the sync problem.

Linux, I think, uses $ as salt separator. I don't know about other implementations. Maybe you could consider using $ as the separator users are accustomed to?

Default salting is relevant only when storing password hash (e.g. changing password), not when validating it, right? Validating part is part of Realm. Realm checks for separator in the password hash. If the separator exists, password is salted. So, default salting and default salt length would be only important when storing password hash. But that is not part of Tomcat's Realm implementation. Or, am I missing something?

4. password-based key derivation functions (e.g. bcrypt, scrypt, pbkdf2)
This would also be trivial given such changes.

Great.

I also think that if the user selects anything other than option 4, Tomcat should log a gentle warning during startup with suggestion that there is a more secure solution for storing passwords.
Well, using a PBKDF is best, but how can Tomcat know if you are using one?

TBH, I have no idea. It is just on my wishlist. At first thought every Realm implementation would need to somehow inform Tomcat what kind of password protection it uses (none, hash, salted hash, pbkdf, unknown), and Tomcat would act accordingly (log a warning message, if needed).

Tomcat already suggests that APR is superior connector, why wouldn't it also suggest what is the best practice for other things like passwords?
There is another problem: the credential-verification system needs to be in sync with whatever system sets the passwords in the first place. For example, nobody uses Tomcat's Realms to actually change the password for their users: they do their own hashing, and write the new password to the database. If those processes are out of sync with each other, everything breaks.

Absolutely.

So, if Tomcat suddenly starts wanting to use salts, you won't get the benefit unless you have your own software actually using the salts.

Well, Tomcat would start to *support* salts, and user must decide whether to use it, and change the way password hashes are stored. That is similar to adding new hash function, for instance.

-Ognjen
Re: [VOTE] Release Apache Tomcat 8.0.2
On 6.2.2014 21:23, Mark Thomas wrote:
- Update to the latest DBCP 2 snapshot
(...)
The proposed 8.0.2 release is:
[X] Broken - do not release
[ ] Alpha - go ahead and release as 8.0.2 (alpha)
[ ] Beta - go ahead and release as 8.0.2 (beta)
[ ] Stable - go ahead and release as 8.0.2 (stable)

(non-binding)

All my webapps that are using DBCP2 are failing when I upgrade from 8.0.1 to 8.0.2.

root cause java.lang.ClassNotFoundException: org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory

It seems that the whole package org.apache.tomcat.dbcp.dbcp2 is missing from lib/tomcat-dbcp.jar shipped with 8.0.2.

-Ognjen
Re: support for salted passwords
On 4.2.2014 21:29, Gabriel E. Sánchez Martínez wrote:
I've been tossing-around some upgrades in my mind for the realm implementations that would allow for better pluggability for things like this. Right now, the only way to implement, say, bcrypt, would be to write your own Realm. That's silly: all you need to do is implement two methods: mutatePassword() and verifyMutatedPassword(). That opens the door for all kinds of things like bcrypt/scrypt/etc. with a trivial pluggable interface.
...
-chris
...
Bravo! I agree on a need for more pluggability. And I believe that out of the box it should offer stronger protection. Ideally hashes designed for password storage, but if not at least it should support salting.

IMO, it would be great if Tomcat could support:
1. plain text passwords
2. hashed passwords using crypto hash functions
3. option 2 with salt
4. password-based key derivation functions (e.g. bcrypt, scrypt, pbkdf2)

I also think that if the user selects anything other than option 4, Tomcat should log a gentle warning during startup with suggestion that there is a more secure solution for storing passwords. Tomcat already suggests that APR is superior connector, why wouldn't it also suggest what is the best practice for other things like passwords?

For option number 4, in order to avoid adding new dependencies to Tomcat, it would be just fine to add step-by-step guide how to enable particular KDF.

At the moment options 1 and 2 are supported. There is already some work done to support options 3 and 4 on this thread, as well as on issues:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53785
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966

I am also willing to contribute some effort to implement those options.

-Ognjen
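The storage options listed in the message above and the `$`-separator detection discussed in the 6.2.2014 reply, sketched as an added example that is not part of the original messages and is not Tomcat code. The class name, the three stored formats and the iteration count are assumptions; the method names mutatePassword() and verifyMutatedPassword() are borrowed from the quoted proposal only as labels.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Locale;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Hypothetical helper, not a Tomcat class. Assumed stored formats:
 *   hex(SHA-256(password))                  option 2, unsalted digest
 *   salt$hex(SHA-256(salt || password))     option 3, salted digest
 *   pbkdf2$iterations$b64(salt)$b64(key)    option 4, PBKDF2-HMAC-SHA256
 */
public class StoredCredentialDemo {
    enum Scheme { DIGEST, SALTED_DIGEST, PBKDF2 }

    static final int ITERATIONS = 100_000; // constructed work factor for the demo
    static final int KEY_BITS = 256;

    /** The separator decides the scheme, as suggested in the thread for the Realm side. */
    static Scheme schemeOf(String stored) {
        if (stored.startsWith("pbkdf2$")) return Scheme.PBKDF2;
        return stored.indexOf('$') >= 0 ? Scheme.SALTED_DIGEST : Scheme.DIGEST;
    }

    /** Storing side: fresh random salt per password, parameters kept with the hash. */
    static String mutatePassword(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return "pbkdf2$" + ITERATIONS + "$" + b64.encodeToString(salt) + "$"
                + b64.encodeToString(pbkdf2(password, salt, ITERATIONS));
    }

    /** Verifying side: recompute with the stored parameters, compare in constant time. */
    static boolean verifyMutatedPassword(char[] password, String stored)
            throws GeneralSecurityException {
        String[] f = stored.split("\\$", -1);
        try {
            switch (schemeOf(stored)) {
                case PBKDF2:
                    if (f.length != 4) return false;
                    byte[] salt = Base64.getDecoder().decode(f[2]);
                    byte[] expected = Base64.getDecoder().decode(f[3]);
                    return MessageDigest.isEqual(expected,
                            pbkdf2(password, salt, Integer.parseInt(f[1])));
                case SALTED_DIGEST:
                    if (f.length != 2) return false;
                    return sameHex(f[1], sha256Hex(f[0], password));
                default:
                    return sameHex(stored, sha256Hex("", password));
            }
        } catch (IllegalArgumentException e) {
            // malformed base64, non-numeric or non-positive iteration count, empty salt
            return false;
        }
    }

    /** The "gentle warning" from the thread: anything short of a KDF gets a message. */
    static String warningFor(String stored) {
        Scheme s = schemeOf(stored);
        return s == Scheme.PBKDF2 ? null
                : "Credential stored as " + s + "; a password-based KDF is more secure";
    }

    static byte[] pbkdf2(char[] password, byte[] salt, int iterations)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipes the spec's internal copy of the password
        }
    }

    static String sha256Hex(String salt, char[] password) throws GeneralSecurityException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt.getBytes(StandardCharsets.UTF_8));
        md.update(new String(password).getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest()) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    static boolean sameHex(String storedHex, String computedHex) {
        return MessageDigest.isEqual(
                storedHex.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII),
                computedHex.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse".toCharArray();        // constructed sample password
        String kdf = mutatePassword(pw);
        String salted = "Xy7q$" + sha256Hex("Xy7q", pw);   // constructed salted-digest record
        String digest = sha256Hex("", pw);                 // constructed unsalted record
        for (String stored : new String[] { kdf, salted, digest }) {
            System.out.println(schemeOf(stored)
                    + " ok=" + verifyMutatedPassword(pw, stored)
                    + " wrong=" + verifyMutatedPassword("guess".toCharArray(), stored)
                    + " warning=" + warningFor(stored));
        }
    }
}
```

Because the iteration count and salt travel with each stored value, the side that writes passwords and the side that verifies them stay in sync as long as both agree on the record format, which is the synchronisation concern raised in the thread.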
Re: svn commit: r1564668 - /tomcat/jk/trunk/native/common/jk_connect.c
Mladen,

On 5.2.2014 14:34, Mladen Turk wrote:
On 02/05/2014 12:42 PM, Rainer Jung wrote:
I think as soon as you are confident, that your IP6 changes are stable we should make the overdue release.
Yep, that's the plan. Definitively this month.

Any chance to include patch for EECDH support [1]?

-Ognjen

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=55915
Re: svn commit: r1564668 - /tomcat/jk/trunk/native/common/jk_connect.c
On 5.2.2014 16:51, Mladen Turk wrote:
On 02/05/2014 03:12 PM, Ognjen Blagojevic wrote:
Mladen,
On 5.2.2014 14:34, Mladen Turk wrote:
On 02/05/2014 12:42 PM, Rainer Jung wrote:
I think as soon as you are confident, that your IP6 changes are stable we should make the overdue release.
Yep, that's the plan. Definitively this month.
Any chance to include patch for EECDH support [1]?
This is about mod_jk, not tomcat native.

Sorry, my mistake.

-Ognjen
Re: [VOTE] Release Apache Tomcat 8.0.1
On 30.1.2014 0:43, Mark Thomas wrote:
The proposed Apache Tomcat 8.0.1 release is now available for voting.
...
The proposed 8.0.1 release is:
[ ] Broken - do not release
[ ] Alpha - go ahead and release as 8.0.1 (alpha)
[ ] Beta - go ahead and release as 8.0.1 (beta)
[X] Stable - go ahead and release as 8.0.1 (stable)

Tested .zip distribution on Windows 7 64-bit, and .tar.gz on CentOS 5 64-bit:
- Tested SSL/TLS connectivity for BIO, NIO and APR connectors (Windows).
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs (Windows).
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed (Windows).
- Tested with several webapps that are in active development (Linux).

-Ognjen
Re: [VOTE] Release Apache Tomcat 6.0.39
On 28.1.2014 0:08, Mark Thomas wrote:
The proposed Apache Tomcat 6.0.39 release candidate is now available for voting.
...
The proposed 6.0.39 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 6.0.39 Stable

Tested .zip distribution on Windows 7 64-bit:
- Tested SSL/TLS connectivity for BIO, NIO and APR connectors.
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed.

-Ognjen
Re: [VOTE] Release Apache Tomcat 6.0.38
On 17.1.2014 21:17, Mark Thomas wrote:
The proposed Apache Tomcat 6.0.38 release candidate is now available for voting.
...
The proposed 6.0.38 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 6.0.38 Stable

Tested .zip distribution on Windows 7 64-bit with Oracle JDK 1.7.0_45:
- Tested SSL/TLS connectivity for BIO, NIO and APR connectors. All good, with one peculiarity: NIO connector is sensitive to whitespace in ciphers attribute. BIO is not.
- Crawled all links (except /manager, /host-manager and /examples/async*). One broken link found in webapps/docs/jasper-howto.html: <a href="ant.apache.org"> should be <a href="http://ant.apache.org">
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed.

-Ognjen
Re: [VOTE] Release Apache Tomcat 7.0.50
Violeta and others,

On 21.12.2013 23:41, Ognjen Blagojevic wrote:
On 21.12.2013 12:30, Violeta Georgieva wrote:
Thanks for the testing. I'm still not convinced to stop the voting based on the frequency (1/5000) of the problem.
Ok. I'm having a hard time creating a reproducible test case. As I test more, the frequency of failures is even lower than I initially reported. Sometimes it takes 5k requests to create a failure, and sometimes even 500k requests is not enough.

I analyzed the issue during past few days, and I have more info. But since no one else reported any problem, I conclude that it might be something very specific to my configuration. Therefore, I am changing my (non-binding) vote to +1.

I created, however, an issue in Bugzilla [1] to keep the record of the problem, and to publish my findings so far.

-Ognjen

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=55976
Re: [VOTE] Release Apache Tomcat 7.0.50
Violeta,

On 21.12.2013 12:30, Violeta Georgieva wrote:
Thanks for the testing. I'm still not convinced to stop the voting based on the frequency (1/5000) of the problem.

Ok. I'm having a hard time creating a reproducible test case. As I test more, the frequency of failures is even lower than I initially reported. Sometimes it takes 5k requests to create a failure, and sometimes even 500k requests is not enough.

If anyone wants to try to reproduce the problem, at the end of this message is a test I use. At the first phase, it crawls all pages starting from Tomcat root at localhost:8080. At the second phase, it starts reading all collected URLs, 500 times in a row. In total, it reads around 140k pages.

If there is an error it will be printed in the console, e.g:

Round: 75 / 500
Round: 76 / 500
ERROR: couldn't open URL: 'http://localhost:82/examples/jsp/jsptoserv/ServletToJsp.java.html
Invalid Http response
Round: 77 / 500
Round: 78 / 500

There are also errors during the first phase (crawling), but they are 404s (e.g. /docs/api/*) or 401s (e.g. /manager/html), and may be ignored.

-Ognjen

package webcrawler;

// Based on: http://cs.nyu.edu/courses/fall02/G22.3033-008/WebCrawler.java

import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.util.Hashtable;
import java.util.Vector;

public class WebCrawler {
    public static final int MAX_PAGES = 2000; // Absolute max pages
    public static final int MAXSIZE = 200; // Max size of file
    public static final boolean DEBUG = false;

    // URLs to be searched
    Vector<URL> newURLs;
    // Known URLs
    Hashtable<URL, Integer> knownURLs;
    String startUrl;

    public static void main(String[] argv) throws Exception {
        WebCrawler wc = new WebCrawler();
        String start = "http://localhost:8080/";
        wc.crawl(start);
        wc.repeat();
    }

    // initializes data structures. argv is the command line arguments.
    public void initialize(String start) {
        URL url;
        knownURLs = new Hashtable<URL, Integer>();
        newURLs = new Vector<URL>();
        try {
            startUrl = start;
            url = new URL(startUrl);
        } catch (MalformedURLException e) {
            System.out.println("Invalid starting URL " + startUrl);
            return;
        }
        knownURLs.put(url, new Integer(1));
        newURLs.addElement(url);
        System.out.println("Starting search: Initial URL " + url.toString());
        System.out.println("Maximum number of pages:" + MAX_PAGES);
    }

    // adds new URL to the queue. Accept only new URL's that end in
    // htm or html. oldURL is the context, newURLString is the link
    // (either an absolute or a relative URL).
    public void addnewurl(URL oldURL, String newUrlString) {
        URL url;
        // Treat a context URL without a trailing slash as a directory
        if (oldURL.toString().matches(".*?/[a-z0-9_-]+")) {
            try {
                oldURL = new URL(oldURL.toString() + "/");
            } catch (MalformedURLException e) {
                throw new RuntimeException(e);
            }
        }
        if (DEBUG)
            System.out.println("URL String " + newUrlString);
        try {
            url = new URL(oldURL, newUrlString);
            if (!knownURLs.containsKey(url) && url.toString().startsWith(startUrl)) {
                knownURLs.put(url, new Integer(1));
                newURLs.addElement(url);
                System.out.println("Found new URL " + url.toString());
            }
        } catch (MalformedURLException e) {
            return;
        }
    }

    // Download contents of URL
    public String getpage(URL url, boolean printMessages) {
        try {
            // try opening the URL
            URLConnection urlConnection = url.openConnection();
            if (printMessages) {
                System.out.println("Downloading " + url.toString());
            }
            if (url.toString().contains("/examples/async/")) {
                System.out.println("skip async url " + url.toString());
                return "";
            }
            urlConnection.setAllowUserInteraction(false);
            InputStream urlStream = url.openStream();
            // search the input stream for links
            // first, read in the entire URL
            byte b[] = new byte[1000];
            int numRead = urlStream.read(b);
            if (numRead == -1) {
                // empty response body: nothing to build a String from
                return "";
            }
            String content = new String(b, 0, numRead);
            while ((numRead != -1) && (content.length() < MAXSIZE)) {
                numRead = urlStream.read(b);
                if (numRead != -1) {
                    String newContent = new String(b, 0, numRead);
                    content += newContent;
                }
            }
            return content;
        } catch (IOException e) {
            System.out.println("ERROR: couldn't open URL: '" + url.toString());
            System.out.println(e.getMessage());
            return "";
        }
    }
Re: [VOTE] Release Apache Tomcat 7.0.50
Violeta,

On 20.12.2013 13:52, Violeta Georgieva wrote:
The proposed 7.0.50 release is:
[X] Broken - do not release
[ ] Stable - go ahead and release as 7.0.50 Stable

My vote is non-binding.

NIO connector fails during smoke tests from time to time (one failed request on every ~5000). I smoke test by repeatedly crawling links on default Tomcat installation in one single thread. I use Windows 7 64-bit, Oracle JDK 1.7.0_40.

These are exceptions I get in the logs:

??? 20, 2013 2:03:13 PM org.apache.coyote.http11.AbstractHttp11Processor endRequest
SEVERE: Error finishing response
java.lang.IllegalArgumentException
    at java.nio.Buffer.position(Buffer.java:236)
    at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:96)
    at sun.nio.ch.IOUtil.write(IOUtil.java:51)
    at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:487)
    at org.apache.tomcat.util.net.SecureNioChannel.flush(SecureNioChannel.java:135)
    at org.apache.tomcat.util.net.SecureNioChannel.write(SecureNioChannel.java:509)
    at org.apache.tomcat.util.net.NioBlockingSelector.write(NioBlockingSelector.java:94)
    at org.apache.tomcat.util.net.NioSelectorPool.write(NioSelectorPool.java:174)
    at org.apache.coyote.http11.InternalNioOutputBuffer.writeToSocket(InternalNioOutputBuffer.java:163)
    at org.apache.coyote.http11.InternalNioOutputBuffer.flushBuffer(InternalNioOutputBuffer.java:242)
    at org.apache.coyote.http11.InternalNioOutputBuffer.endRequest(InternalNioOutputBuffer.java:121)
    at org.apache.coyote.http11.AbstractHttp11Processor.endRequest(AbstractHttp11Processor.java:1746)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1100)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1721)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1679)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:724)
-
??? 20, 2013 2:08:11 PM org.apache.tomcat.util.net.NioEndpoint$PollerEvent run
SEVERE:
java.nio.channels.ClosedChannelException
    at java.nio.channels.spi.AbstractSelectableChannel.register(AbstractSelectableChannel.java:194)
    at org.apache.tomcat.util.net.NioEndpoint$PollerEvent.run(NioEndpoint.java:896)
    at org.apache.tomcat.util.net.NioEndpoint$Poller.events(NioEndpoint.java:1038)
    at org.apache.tomcat.util.net.NioEndpoint$Poller.run(NioEndpoint.java:1194)
    at java.lang.Thread.run(Thread.java:724)
-
??? 20, 2013 2:26:36 PM org.apache.tomcat.util.net.NioEndpoint processSocket
SEVERE: Error allocating socket processor
java.lang.NullPointerException
    at org.apache.tomcat.util.net.NioEndpoint.processSocket(NioEndpoint.java:726)
    at org.apache.tomcat.util.net.NioEndpoint$Poller.processKey(NioEndpoint.java:1257)
    at org.apache.tomcat.util.net.NioEndpoint$Poller.run(NioEndpoint.java:1210)
    at java.lang.Thread.run(Thread.java:724)
-
??? 20, 2013 2:30:38 PM org.apache.tomcat.util.net.NioEndpoint processSocket
SEVERE: Error allocating socket processor
java.lang.NullPointerException
-

These are URLs that caused exceptions:

ERROR: couldn't open URL: http://(snip):82/examples/jsp/chat/
Invalid Http response
ERROR: couldn't open URL: http://(snip):82/examples/jsp/checkbox/check.html
Invalid Http response
ERROR: couldn't open URL: http://(snip):82/examples/websocket-deprecated
Invalid Http response
ERROR: couldn't open URL: http://(snip):82/examples/servlets
Invalid Http response
ERROR: couldn't open URL: http://(snip):82/examples/jsp
Invalid Http response

Only those 5 URLs are repeating, other URLs don't cause exceptions. I see exceptions both over HTTP and HTTPS.

-Ognjen
Re: [VOTE] Release Apache Tomcat 7.0.48
On 9.12.2013 22:21, Violeta Georgieva wrote:
The proposed Apache Tomcat 7.0.48 release is now available for voting.
It can be obtained from: https://dist.apache.org/repos/dist/dev/tomcat/tomcat-7/v7.0.48/
The Maven staging repo is: https://repository.apache.org/content/repositories/orgapachetomcat-030/
The svn tag is: http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_48/
The proposed 7.0.48 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 7.0.48 Stable

Tested .zip distribution on Windows 7 64-bit:
- Tested SSL/TLS connectivity for BIO, NIO and APR connectors.
- Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs.
- Smoke tests of BIO, NIO and APR, with and without TLS, all passed.

-Ognjen
Re: [VOTE] Release Apache Tomcat 7.0.47
On 18.10.2013 13:14, Violeta Georgieva wrote: The proposed Apache Tomcat 7.0.47 release is now available for voting. This release candidate contains JSR-356 Java WebSocket 1.0 implementation. Note that use of this functionality requires Java 7. ... The proposed 7.0.47 release is: [ ] Broken - do not release [X] Stable - go ahead and release as 7.0.47 Stable Tested .zip distribution on Windows 7 64-bit: - Tested SSL/TLS connectivity for BIO, NIO and APR connectors. - Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs. - Smoke tests of BIO, NIO and APR, with and without TLS, all passed. -Ognjen - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 8.0.0-RC5
Mark, On 16.10.2013 20:21, Mark Thomas wrote: The proposed Apache Tomcat 8.0.0 release candidate 5 is now available for voting. ... The proposed 8.0.0-RC5 release is: [ ] Broken - do not release [X] Alpha - go ahead and release as 8.0.0-RC5 alpha Tested .zip distribution on Windows 7 64-bit, and .tar.gz on CentOS 5 64-bit: - Tested SSL/TLS connectivity for BIO, NIO and APR connectors (Windows). - Crawled all links (except /manager, /host-manager and /examples/async*). No broken links found, except links to JavaDocs (Windows). - Smoke tests of BIO, NIO and APR, with and without TLS, all passed (Windows). - Tested with several webapps that are in active development (Linux). -Ognjen - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [Tomcat 8.0.x trunk] APR sendfile problem
Mark, On 13.10.2013 11:42, Mark Thomas wrote: Fixed. Thanks again for the pointers. Thanks, it works as expected: 1. useSendfile=true, issues a warning, and disables sendfile. 2. useSendfile=false or omitting attribute useSendfile, disables sendfile. -Ognjen
Re: [Tomcat 8.0.x trunk] APR sendfile problem
Konstantin, On 12.10.2013 3:52, Konstantin Preißer wrote: I am testing tcnative-1.1.29 RC, with Tomcat 8.0.x trunk (r1531461) on Win7 64-bit. I have HTTPS configured. I can't get any response larger than 50 kB. ... Now, this is interesting: I know that 50 kB limit usually smells like sendfile issue. So I tried to add EITHER useSendfile=true or useSendfile=false to the above configuration, and with either of those attributes the problem is resolved. I also tried this now with trunk (r1531312) and Native 1.1.29 RC on Windows 8 64-bit with Java 1.7.0_40, and can confirm the behavior: With the above configuration for a SSL HTTP APR connector, I cannot receive the contents of /docs/manager-howto.html, whereas it works if I either add useSendfile=true or useSendfile=false. Thank you for verifying. I now re-read the docs, and realized that sendfile is not allowed with HTTPS, so one should always add useSendfile=false to HTTPS APR connector. It is strange that useSendfile=true, and not adding attribute useSendfile at all behaves differently, but this is, IMO, minor issue in interpreting server.xml. Additionally, I regularly got following exceptions and crashes when playing with the Drawboard example (using brush to draw on it, or press F5 so that a binary websocket message with the PNG image is sent to the browser). They happen independent of the presence and value of the sendFile attribute, but they do not happen with a Non-SSL HTTP APR connector. Was sendFile a typo? It should be useSendfile. -Ognjen - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat Native 1.1.29
Mladen, On 10.10.2013 15:18, Mladen Turk wrote: Version 1.1.29 is bug fixing release. The proposed release artefacts can be found at [1], and the build was done using tag [2]. The VOTE will remain open for at least 48 hours. The Apache Tomcat Native 1.1.29 is [X] Stable, go ahead and release [ ] Broken because of ... Tested with Tomcat 8 trunk on Win7 64-bit with Java 1.7.0_40. -Ognjen - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat 8.0.x trunk] APR sendfile problem
Hi,

I am testing tcnative-1.1.29 RC, with Tomcat 8.0.x trunk (r1531461) on Win7 64-bit. I have HTTPS configured. I can't get any response larger than 50 kB. For instance these links did not work for me (Firefox renders blank page):

https://localhost:443/docs/manager-howto.html
https://localhost:443/docs/config/http.html
...

Here is my connector configuration:

    <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
               port="443" maxHttpHeaderSize="8192"
               maxThreads="150"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               SSLEnabled="true"
               SSLCertificateFile="c:\Users\xx\xx.cert"
               SSLCertificateKeyFile="c:\Users\xx\xx.key"
               SSLCertificateChainFile="c:\Users\xx\xx.chain" />

Now, this is interesting: I know that 50 kB limit usually smells like sendfile issue. So I tried to add EITHER useSendfile=true or useSendfile=false to the above configuration, and with either of those attributes the problem is resolved.

-Ognjen
Re: 8.0.x / 7.0.x progress
Mark, On 1.10.2013 20:39, Mark Thomas wrote: Pulling together information from multiple threads: 8.0.x trunk appears to be stable (i.e. no longer crashes) (...) Tomcat 8.0.x trunk (r1528329) + tcnative built by Mladen works for me, as well. -Ognjen - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 7.0.45
Mark, On 1.10.2013 11:18, Mark Thomas wrote: I just tested trunk with r1527733, but unfortunately I still see the same crashes in tcnative-1.dll. Hmm. I can't re-create these any more. Are you sure you are using the latest 8.0.x code? I also still get the crash with r1527985. -Ognjen
Re: [VOTE] Release Apache Tomcat 7.0.45
Violeta,

On 25.9.2013 15:37, Violeta Georgieva wrote: The proposed Apache Tomcat 7.0.45 release is now available for voting. This release candidate contains JSR-356 Java WebSocket 1.0 implementation. Note that use of this functionality requires Java 7.

I have problems when I test Tomcat 7.0.45 with APR (tcnative-1.1.28), using Oracle JDK 1.7.0_40 on Windows 7. I am able to reproduce that on Tomcat 8.0.0-RC3 + tcnative-1.1.28, but NOT on 7.0.42 + tcnative-1.1.28. NIO and BIO connectors work fine on all tested versions of Tomcat. No changes were made to default Tomcat .zip installation.

The problem is that after couple of seconds/minutes after Tomcat startup while I am manually reading (with Firefox) or automatically crawling (with custom Java web crawler) local Tomcat docs, Tomcat crashes.

I will refrain from voting, since I really don't have a lot of experience with APR, so I assume it might be also my local configuration problem. But, since the problem does not exist on 7.0.42, but it does exist on 7.0.45, I find it appropriate to report it on this thread.

Crash report for Tomcat 7.0.45 + tcnative-1.1.28 is at the end of this message.

-Ognjen

#
# A fatal error has been detected by the Java Runtime Environment:
#
# EXCEPTION_ACCESS_VIOLATION (0xc005) at pc=0x000180007e23, pid=3028, tid=3272
#
# JRE version: Java(TM) SE Runtime Environment (7.0_40-b43) (build 1.7.0_40-b43)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (24.0-b56 mixed mode windows-amd64 compressed oops)
# Problematic frame:
# C [tcnative-1.dll+0x7e23]
#
# Failed to write core dump. Minidumps are not enabled by default on client versions of Windows
#
# If you would like to submit a bug report, please visit:
# http://bugreport.sun.com/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
Broken links
Hi, I noticed several broken links in Tomcat 7.0 trunk. 1. On page: http://tomcat.apache.org/tomcat-7.0-doc/proxy-howto.html URL: http://tomcat.apache.org/tomcat-7.0-doc/config/coyote.html 2. On page: http://localhost:8080/docs/ URL: http://localhost:8080/tomcat-7.0-doc/comments.html 3. On page: http://localhost:8080/examples/jsp/jsptoserv/jts.html URL: http://localhost:8080/examples/jsp/jsptoserv/servletToJsp.java.html All of them are visible in default Tomcat installation docs and examples contexts, while the first one is also visible on Tomcat website. Regards, Ognjen - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Broken links
Konstantin, On 26.9.2013 15:00, Konstantin Preißer wrote: I have fixed 1) and 2) in trunk and tc7.0.x. Thank you. When looking at 3) and browsing in SVN history, it seems there never was such a HTML page that contains the source for servletToJsp.java. However, as I'm working on improving the HTML markup, I'm looking if we can get rid of those static HTML pages that duplicate the source code of other files (with adding syntax highlighting using legacy font elements etc.), and use a programmatic solution to generate source code with syntax highlighting instead. Yes, it seems that jts.html was added 26. May 2006, r410080, together with jsptoservlet.jsp, but servletToJsp.java.html was, and still is, missing. ServletToJsp.java was committed so I guess that should be converted to .java.html, somehow. -Ognjen
Re: [VOTE] Release Apache Tomcat 7.0.45
On 26.9.2013 22:54, Konstantin Preißer wrote: I wanted to know if the same crash would be observed in APR/AJP because it's slightly easier for me to enable that and test against it in my environment (which is not win32 but Linux). There's little information in the win32 native backtrace that I can decipher as well as something from a Linux backtrace. The less work I have to do to reproduce the better ;) I now tried Tomcat 7.0.45 with Native 1.1.28 and AJP-APR-Connector, with IIS 8.0 using ISAPI Redirector 1.2.37 on WinSvr 2012 64-bit, and I indeed get the same crashes again - however only, when I add connectionTimeout=2 to the AJP connector in server.xml. Otherwise, it doesn't crash, but for some requests Tomcat never sends a response. It seems the crash happens when Tomcat wants to close the TCP connection after the connection timeout. I now installed httpd-2.4.6-x64-vc11.zip binary from ApacheHaus, and configured mod_ajp_proxy. Everything works ok when I access port 80 (httpd - mod_ajp_proxy - ajp-apr on Tomcat). But, as earlier, when I try port 8080 (http-apr on Tomcat) it crashes after few minutes. I tried with and without connectionTimeout parameter for AJP connector, and it works ok both ways. Which is expected, since response times are really short. -Ognjen - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 7.0.45
Rainer, On 26.9.2013 20:22, Rainer Jung wrote: Any chance you can try current trunk? Mark added more fixes to AprEndpoint after r1523781. It would be great if you could check r1526052 (or later). I agree that the problem should be solved in tcnative, but I just wanted to check if trunk maybe workarounds the problem. No, it does not. 8.0.0-dev r1526792 with tcnative 1.1.18 still crashes. -Ognjen - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat Native 1.1.28
On 9.9.2013 13:31, Mladen Turk wrote: Version 1.1.28 is bug fixing release. The proposed release artefacts can be found at [1], and the build was done using tag [2]. The VOTE will remain open for at least 48 hours. The Apache Tomcat Native 1.1.28 is [X] Stable, go ahead and release [ ] Broken because of ... Tested on Windows 7. Tested HTTP and HTTPS connectors with several different configurations. -Ognjen - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE][RESULT] Release Apache Tomcat 8.0.0-RC1
Mark, On 5.8.2013 22:56, Mark Thomas wrote: The site has been updated with the various parts required for a new major release (security, migration, download, docs, navigation, which version etc.) but I haven't posted the release announcement yet to give the remaining mirrors time to sync up. Great job. BTW, on Tomcat 8 migration guide [1] there is a broken link to resources documentation [2]. I guess, the right URL is: http://tomcat.apache.org/tomcat-8.0-doc/config/resources.html -Ognjen [1] http://tomcat.apache.org/migration-8.html#Web_application_resources [2] http://tomcat.apache.org/tomcat-8-docs/config/resources.html - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 8.0.0-RC1
On 1.8.2013 22:53, Mark Thomas wrote: The proposed Apache Tomcat 8.0.0 release candidate 1 is now available for voting. (...) The proposed 8.0.0-RC1 release is: [ ] Broken - do not release [X] Alpha - go ahead and release as 8.0.0-RC1 alpha Tested .zip distribution on Windows 7 64-bit, and .tar.gz on CentOS 5 64-bit. Tested SSL/TLS connectivity for BIO, NIO and APR connectors. Tested with several webapps that are in active development. -Ognjen - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 7.0.42
On 2.7.2013 11:18, Mark Thomas wrote: The proposed Apache Tomcat 7.0.42 release is now available for voting. It can be obtained from: https://dist.apache.org/repos/dist/dev/tomcat/tomcat-7/v7.0.42/ The Maven staging repo is: https://repository.apache.org/content/repositories/orgapachetomcat-098/ The svn tag is: http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_42/ The proposed 7.0.42 release is: [ ] Broken - do not release [X] Stable - go ahead and release as 7.0.42 Stable Tested .zip distribution on Windows 7 64-bit, and .tar.gz on CentOS 5 64-bit. Tested SSL/TLS connectivity for BIO, NIO and APR connectors. Tested with several webapps that are in active development. -Ognjen - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 7.0.41
Mark, On 6.6.2013 14:06, Mark Thomas wrote: The proposed Apache Tomcat 7.0.41 release is now available for voting. It can be obtained from: https://dist.apache.org/repos/dist/dev/tomcat/tomcat-7/v7.0.41/ The Maven staging repo is: https://repository.apache.org/content/repositories/orgapachetomcat-073/ The svn tag is: http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_41/ The proposed 7.0.41 release is: [ ] Broken - do not release [X] Stable - go ahead and release as 7.0.41 Stable Tested .zip distribution on Windows 7, and .tar.gz on CentOS 5. Tested SSL/TLS connectivity for BIO and NIO. Tested with several webapps that are in active development. -Ognjen - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 7.0.40
On 5.5.2013 12:44, Mark Thomas wrote: The proposed Apache Tomcat 7.0.40 release is now available for voting. It can be obtained from: https://dist.apache.org/repos/dist/dev/tomcat/tomcat-7/v7.0.40/ The Maven staging repo is: https://repository.apache.org/content/repositories/orgapachetomcat-001/ The svn tag is: http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_40/ The proposed 7.0.40 release is: [ ] Broken - do not release [X] Stable - go ahead and release as 7.0.40 Stable Tested with several webapps that are in active development. Tested SSL/TLS connectivity for BIO and NIO. Tested jsvc. -Ognjen - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Tighten up wiki security to reduce spam
[X] +1 Make it so It is nice not to have any obstacles to contribute to wiki, but then again, spam on the wiki really started to be annoying. -Ognjen On 22.4.2013 13:44, Tim Funk wrote: [X] +1 Make it so I'm surprised not to see more discussion ... but it could be due to the word spam in the subject line. So many folks (maybe including me) aren't seeing any of the replies. (or possibly the original vote request so they are unable to reply/vote) -Tim On Fri, Apr 19, 2013 at 10:49 AM, Mark Thomas ma...@apache.org wrote: On 19/04/2013 15:49, Mark Thomas wrote: Should the changes described in [1] be applied to the Tomcat wiki? [X] +1 Make it so [ ] 0 No opinion [ ] -1 I object to this proposed change because... My vote for the record. Mark [1] http://wiki.apache.org/general/OurWikiFarm#per_wiki_access_control_-_tighten_your_wiki_just_a_little.2C_benefit_just_a_lot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: jsvc from tomcat v7.0.39 src build segfaults @ error 4 in libc-2.17.so; jsvc from v7.0.37 is ok.
Darx, On 16.4.2013 3:44, d...@sent.com wrote: i can now reproduce this across any of my boxes. it's acting like a bug, but would appreciate some guidance here re: what i'm seeing and and what additional info would be useful before posting a bug. (...) bug, or something else? It's a bug [1]. Use commons-daemon 1.0.15 or 1.0.13, or patch 1.0.14 yourself [2]. -Ognjen [1] https://issues.apache.org/jira/browse/DAEMON-291 [2] http://www.mail-archive.com/dev@tomcat.apache.org/msg72332.html - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 7.0.39
On 22.3.2013 17:48, Mark Thomas wrote: The proposed Apache Tomcat 7.0.39 release is now available for voting. It can be obtained from: https://dist.apache.org/repos/dist/dev/tomcat/tomcat-7/v7.0.39/ The Maven staging repo is: https://repository.apache.org/content/repositories/orgapachetomcat-015/ The svn tag is: http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_39/ The proposed 7.0.39 release is: [ ] Broken - do not release [ ] Stable - go ahead and release as 7.0.39 Stable I have a problem running jsvc from commons-daemon-1.0.14 on CentOS 5.9 64-bit. I get: Starting tomcat: /etc/init.d/tomcat: line 173: 19336 Segmentation fault $JSVC $JSVC_OPTS -java-home $JAVA_HOME -user $TOMCAT_USER -pidfile $CATALINA_PID -wait 10 -outfile $CATALINA_OUT -errfile 1 -classpath $CLASSPATH $LOGGING_CONFIG $JAVA_OPTS $CATALINA_OPTS -Djava.endorsed.dirs=$JAVA_ENDORSED_DIRS -Dcatalina.base=$CATALINA_BASE -Dcatalina.home=$CATALINA_HOME -Djava.io.tmpdir=$CATALINA_TMP $CATALINA_MAIN Jsvc 1.0.13 works fine. Can anyone verify? 
Here is the build procedure:

[root@(snip) bin]# cat /etc/redhat-release
CentOS release 5.9 (Final)
[root@(snip) bin]# uname -a
Linux (snip) 2.6.18-348.1.1.el5 #1 SMP Tue Jan 22 16:19:19 EST 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@(snip) bin]# su - tomcat
[tomcat@(snip) ~]$ cd /usr/local/tomcat/bin
[tomcat@(snip) bin]$ tar xvfz commons-daemon-native.tar.gz
(was: Re: [VOTE] Release Apache Tomcat 7.0.39)
Mladen, On 25.3.2013 12:36, Mladen Turk wrote: On 03/25/2013 12:09 PM, Ognjen Blagojevic wrote: On 22.3.2013 17:48, Mark Thomas wrote: I have a problem running jsvc from commons-daemon-1.0.14 on CentOS 5.9 64-bit. I get: Starting tomcat: /etc/init.d/tomcat: line 173: 19336 Segmentation fault $JSVC $JSVC_OPTS -java-home $JAVA_HOME -user $TOMCAT_USER -pidfile $CATALINA_PID -wait 10 -outfile $CATALINA_OUT -errfile 1 -classpath $CLASSPATH $LOGGING_CONFIG $JAVA_OPTS $CATALINA_OPTS -Djava.endorsed.dirs=$JAVA_ENDORSED_DIRS -Dcatalina.base=$CATALINA_BASE -Dcatalina.home=$CATALINA_HOME -Djava.io.tmpdir=$CATALINA_TMP $CATALINA_MAIN Jsvc 1.0.13 works fine. Can anyone verify? Try setting LD_LIBRARY_PATH before invoking jsvc. BTW, please open a new thread so that we don't hijack this one. It wasn't my intention to hijack thread, but to point out to possible regression in the Tomcat release candidate. Commons daemon 1.0.13 shipped with official Tomcat 7.0.37 works for me, as it used to work for years. Commons daemon 1.0.14 shipped with Tomcat 7.0.39 does not work for me. For both jsvc 1.0.13 and 1.0.14 I used instructions on official Tomcat website: http://tomcat.apache.org/tomcat-7.0-doc/setup.html#Unix_daemon LD_LIBRARY_PATH is not mentioned in that document. Regards, Ognjen
Re: [VOTE] Release Apache Tomcat 7.0.39
Mladen, On 25.3.2013 15:49, Mladen Turk wrote: On 03/25/2013 03:26 PM, Ognjen Blagojevic wrote: Mladen, It wasn't my intention to hijack thread, but to point out to possible regression in the Tomcat release candidate. Commons daemon 1.0.13 shipped with official Tomcat 7.0.37 works for me, as it used to work for years. Commons daemon 1.0.14 shipped with Tomcat 7.0.39 does not work for me. Fancy to check with following patch http://svn.apache.org/viewvc/commons/proper/daemon/branches/1.0.x/src/native/unix/native/jsvc-unix.c?r1=1460686&r2=1460687&pathrev=1460687&view=patch With that patch jsvc compiles and works as expected. Thank you. -Ognjen
Typo
Hi, http://tomcat.apache.org/tomcat-7.0-doc/config/http.html restrictedUserAgents - The value is a regular expression (using java.util.regex) *matching matching* ... -Ognjen - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Tomcat 6 and Tomcat 7 enables different TLS protocols by default
On 8.3.2013 11:14, Ognjen Blagojevic wrote:

Hi,

As previously discussed on user list [1], HTTPS JSSE Connectors (both BIO and NIO) have different behavior in Tomcat 6 and in Tomcat 7, in terms of enabled TLS/SSL protocols. (I repeat the parts from that thread here.)

Tomcat 6 will by default enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2, while Tomcat 7 will enable SSLv3 and TLSv1. This is counter-intuitive and might introduce problems when upgrading from Tomcat 6 to Tomcat 7.

Reason for this discrepancy is that in Tomcat 6 code, if (undocumented) attribute protocols is omitted, method socket.setEnabledProtocols is not being invoked (JSSESocketFactory, lines 700-702, in tc6.0.x/trunk):

    protected void setEnabledProtocols(SSLServerSocket socket, String []protocols){
        if (protocols != null) {
            socket.setEnabledProtocols(protocols);
        }
    }

Default on Oracle JDK 7 (1.7.0_15), when socket.setEnabledProtocols is not invoked is to enable SSLv2Hello (pseudo protocol), SSLv3, TLSv1, TLSv1.1, TLSv1.2.

In Tomcat 7, when (documented) attribute sslEnabledProtocols is omitted, method socket.setEnabledProtocols will be invoked with default protocols enabled (JSSESocketFactory lines 679-681 and line 727, in tc7.0.x/trunk)

    if ((requestedProtocols == null) || (requestedProtocols.length == 0)) {
        return context.getDefaultSSLParameters().getProtocols();
    }
    ...
    socket.setEnabledProtocols(enabledProtocols);

Now, here is the catch. Oracle JDK 7 method SSLContext.getDefaultSSLParameters().getProtocols() returns SSLv3, TLSv1 as default protocols, but if you create socket without ever calling SSLServerSocket.setEnabledProtocols, then SSLv2Hello (pseudo protocol), SSLv3, TLSv1, TLSv1.1, TLSv1.2 will be enabled.

This bizarre behavior from Oracle JDK 7 combined with slight difference in Tomcat 6 and Tomcat 7 code results in different TLS/SSL protocols being enabled by default.

What do you think, should we do anything about it? We could:

1. Patch Tomcat 6 trunk to call setEnabledProtocols always.
2. Patch Tomcat 7 trunk not to call setEnabledProtocols when protocols are not specified.
3. Document the different behavior, and leave it as-is.

I prefer how Tomcat 6 is interpreting that attribute -- trying to enable best possible TLS protocol versions available. That is what I would expect as a Tomcat user.

-Ognjen

[1] http://www.mail-archive.com/users@tomcat.apache.org/msg104756.html

Bug report: https://issues.apache.org/bugzilla/show_bug.cgi?id=54690.

-Ognjen
Tomcat 6 and Tomcat 7 enables different TLS protocols by default
Hi,

As previously discussed on user list [1], HTTPS JSSE Connectors (both BIO and NIO) have different behavior in Tomcat 6 and in Tomcat 7, in terms of enabled TLS/SSL protocols. (I repeat the parts from that thread here.)

Tomcat 6 will by default enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2, while Tomcat 7 will enable SSLv3 and TLSv1. This is counter-intuitive and might introduce problems when upgrading from Tomcat 6 to Tomcat 7.

Reason for this discrepancy is that in Tomcat 6 code, if (undocumented) attribute protocols is omitted, method socket.setEnabledProtocols is not being invoked (JSSESocketFactory, lines 700-702, in tc6.0.x/trunk):

    protected void setEnabledProtocols(SSLServerSocket socket, String []protocols){
        if (protocols != null) {
            socket.setEnabledProtocols(protocols);
        }
    }

Default on Oracle JDK 7 (1.7.0_15), when socket.setEnabledProtocols is not invoked, is to enable SSLv2Hello (pseudo protocol), SSLv3, TLSv1, TLSv1.1, TLSv1.2.

In Tomcat 7, when (documented) attribute sslEnabledProtocols is omitted, method socket.setEnabledProtocols will be invoked with default protocols enabled (JSSESocketFactory lines 679-681 and line 727, in tc7.0.x/trunk):

    if ((requestedProtocols == null) || (requestedProtocols.length == 0)) {
        return context.getDefaultSSLParameters().getProtocols();
    }
    ...
    socket.setEnabledProtocols(enabledProtocols);

Now, here is the catch. Oracle JDK 7 method SSLContext.getDefaultSSLParameters().getProtocols() returns SSLv3, TLSv1 as default protocols, but if you create socket without ever calling SSLServerSocket.setEnabledProtocols, then SSLv2Hello (pseudo protocol), SSLv3, TLSv1, TLSv1.1, TLSv1.2 will be enabled.

This bizarre behavior from Oracle JDK 7 combined with slight difference in Tomcat 6 and Tomcat 7 code results in different TLS/SSL protocols being enabled by default.

What do you think, should we do anything about it? We could:

1. Patch Tomcat 6 trunk to call setEnabledProtocols always.
2. Patch Tomcat 7 trunk not to call setEnabledProtocols when protocols are not specified.
3. Document the different behavior, and leave it as-is.

I prefer how Tomcat 6 is interpreting that attribute -- trying to enable best possible TLS protocol versions available. That is what I would expect as a Tomcat user.

-Ognjen

[1] http://www.mail-archive.com/users@tomcat.apache.org/msg104756.html
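A way to check the discrepancy described in this message on a given JVM, as an added example that is not part of the original post or of Tomcat's code: it prints the two defaults side by side and then pins an explicit protocol list. The class name and the ALLOWED list are assumptions, and the printed values depend on the JDK version and its security properties.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

public class JsseProtocolDefaults {
    // Hypothetical allow-list for this example; pick the versions your clients need.
    static final List<String> ALLOWED = Arrays.asList("TLSv1.2", "TLSv1.3");

    // Keep only allow-listed protocols that this JVM actually supports.
    static String[] pin(String[] supported) {
        List<String> out = new ArrayList<>();
        for (String p : supported) {
            if (ALLOWED.contains(p)) {
                out.add(p);
            }
        }
        if (out.isEmpty()) {
            throw new IllegalStateException("JVM supports none of " + ALLOWED);
        }
        return out.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // Value the Tomcat 7 code quoted above passes to setEnabledProtocols.
        String[] viaParams = ctx.getDefaultSSLParameters().getProtocols();

        // Tomcat 6 path: the socket is created and setEnabledProtocols is never called.
        try (SSLServerSocket socket =
                (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket()) {
            String[] viaSocket = socket.getEnabledProtocols();
            System.out.println("getDefaultSSLParameters(): " + Arrays.toString(viaParams));
            System.out.println("untouched server socket:   " + Arrays.toString(viaSocket));
            System.out.println("identical: " + Arrays.equals(viaParams, viaSocket));

            // An explicit list removes the dependency on either default.
            socket.setEnabledProtocols(pin(socket.getSupportedProtocols()));
            System.out.println("after pinning:             "
                    + Arrays.toString(socket.getEnabledProtocols()));
        }
    }
}
```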
Re: Disable TLS compression in JSSE
On 23.1.2013 2:13, Tim Whittington wrote:
> As far as I know, JSSE doesn't support compression.
> [1] claims this, but doesn't have a reference, and I can't find anything else useful on the internet, although I recall an analysis of the CRIME attack that claimed the same thing.

I tested a couple of my Tomcat installations, each of them uses JSSE, with this tool:

https://www.ssllabs.com/ssltest/analyze.html

I came to the same conclusion, JSSE probably doesn't support compression at all (or, at least, out-of-the-box).

-Ognjen
JSVC 1.0.11
Hi,

Is it possible to change JSVC version included in Tomcat to 1.0.11? One certain bug in JSVC 1.0.10 (DAEMON-246) makes my Tomcat upgrades unnecessarily complicated.

-Ognjen
Re: JSVC 1.0.11
Mark,

On 20.11.2012 11:30, Mark Thomas wrote:
> On 20/11/2012 10:29, Ognjen Blagojevic wrote:
>> Hi,
>>
>> Is it possible to change JSVC version included in Tomcat to 1.0.11? One certain bug in JSVC 1.0.10 (DAEMON-246) makes my Tomcat upgrades unnecessarily complicated.
>
> That is a question for the users list, not the dev list.

Sorry, maybe I chose the wrong wording. I know it is possible for the users to switch from default JSVC shipped with Tomcat (1.0.10) to some other version (1.0.11), but I am asking if someone of the developers is willing to change default JSVC version shipped with Tomcat to 1.0.11?

Issue DAEMON-246 is breaking JSVC on Redhat/CentOS 64-bit, and Debian 32-bit, which affects, I believe, a significant number of users who start Tomcat using JSVC. Therefore, I propose such a change in Tomcat dependencies.

-Ognjen
Re: JSVC 1.0.11
Konstantin,

On 20.11.2012 11:37, Konstantin Kolinko wrote:
> 1. In what branch of Tomcat ?

7.0.x.

> 2. According to commons.apache.org, the latest released version of commons-daemon is 1.0.10. Until 1.0.11 is released there is no way to bundle it with Tomcat.

D'oh! I didn't check that, sorry.

-Ognjen
Re: Just a slight note
Henri,

On 13.1.2012 12:06, Henri Gomez wrote:
> Do you have link to original article ?

Pid already sent it to the user list:

http://blog.newrelic.com/2012/01/10/infographic-oss-java-wins-in-the-cloud-era/

-Ognjen
Re: next release
Romain,

On 14.12.2011 22:38, Romain Manni-Bucau wrote:
> However we are interested by (at least) one fix in tomcat 7.0.24. Any planned date for this release?

Yes, see:

http://www.mail-archive.com/dev@tomcat.apache.org/msg58230.html

-Ognjen
Bug 51497 -- Use canonical IPv6 text representation in logs
Hi devs,

Is anyone interested to review the patch for bug 51497 (Use canonical IPv6 text representation in logs) [1]?

It modifies IPv6 textual representation to be aligned with usual practice on Linux, Windows, HTTPD, and recommendations from RFC 5952.

Regards,
Ognjen

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=51497
Use canonical IPv6 text representation in logs
Hi,

In AccessLogValve and on other places where IPv6 address is logged or printed, it would be good if Tomcat would use canonical IPv6 format as described in RFC 5952 [1] (especially note section 3.2.2. Logging), e.g:

1. instead of logging 2001:4000:0:5:0:0:0:66, it should log 2001:4000:0:5::66,
2. instead of logging 0:0:0:0:0:0:0:1, it should log ::1.

What do you think about that?

Class Inet6Address method getHostAddress conforms to RFC recommendations, in everything except in zero groups handling. It simply prints full form with all zeroes. In Java API I don't see any method to convert it to canonical form.

I wrote small utility that converts Inet6Address object into canonical representation. Are you interested in such contribution? Should it be contributed directly to Tomcat code, or maybe offered to Jakarta Commons project (Codec or Net component)?

If it is contributed to Jakarta Commons project, would it be a problem to use it in Tomcat, because of new dependency? Net component seems to be quite big (all kind of protocol implementations), while Codec contains only small number of conversion classes, so if it is contributed to commons, is Codec component better choice?

Regards,
Ognjen

[1] http://tools.ietf.org/html/rfc5952
Re: Use canonical IPv6 text representation in logs
Konstantin,

> 1. One should really ask system administrators what they prefer

What would be the right place to do that? User list, maybe? I assume at least some of Tomcat developers are also involved in system administration, so I hope they will state their opinion here.

> (or provide a configuration option).

That is also possibility. What would be good place to configure:

1. AccessLogValve XML parameter?
2. AccessLogValve system property (-D...)
3. Global Tomcat XML parameter?
4. Global Tomcat system property?

> Personally I would prefer the full address, as I think it is easier when all data is visible, and it is easier to search or filter.

I thought that at first, but after looking IPv6 addresses in log files for some time, I changed my mind. Shorter means easier to read, and easier to search... if there are no ambiguities.

> If there are several sequences of zeros, only one of them can be collapsed. This introduces ambiguity when trying to specify a search filter.

Actually, mentioned RFC resolves all ambiguities:

    When there is an alternative choice in the placement of a ::, the longest run of consecutive 16-bit 0 fields MUST be shortened (i.e., the sequence with three consecutive zero fields is shortened in 2001:0:0:1:0:0:0:1). When the length of the consecutive 16-bit 0 fields are equal (i.e., 2001:db8:0:0:1:0:0:1), the first sequence of zero bits MUST be shortened. For example, 2001:db8::1:0:0:1 is correct representation.

> 2. If you want to contribute, please create a bugzilla entry, mark it as an enhancement.

Ok, I created:

https://issues.apache.org/bugzilla/show_bug.cgi?id=51497

> The class may go into org.apache.tomcat.util.net. I would prefer to see some JUnit tests together with the class.

Of course, I have JUnit for all the examples in the RFC.

> 3. Regarding Apache Commons: you can ask on their mailing lists.
> ...
> As thus, your contribution to Tomcat can be independent from Commons.

Ok, let's see first if it works for Tomcat.

-Ognjen
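The zero-run rules quoted from RFC 5952 in this message, worked through as an added example; it is not the utility attached to bug 51497 and not Tomcat code. The class and method names are assumptions, and zone ids and IPv4-mapped addresses are left out.

```java
import java.net.Inet6Address;
import java.net.InetAddress;

public class CanonicalIPv6 {
    // RFC 5952 section 4 text form of the 16 raw address bytes.
    static String canonical(byte[] a) {
        int[] g = new int[8];
        for (int i = 0; i < 8; i++) {
            g[i] = ((a[2 * i] & 0xff) << 8) | (a[2 * i + 1] & 0xff);
        }
        // Find the longest run of zero groups; on a tie the first run wins.
        int bestStart = -1, bestLen = 0;
        for (int i = 0; i < 8; ) {
            if (g[i] != 0) { i++; continue; }
            int j = i;
            while (j < 8 && g[j] == 0) j++;
            if (j - i > bestLen) { bestStart = i; bestLen = j - i; }
            i = j;
        }
        // A single zero group is never shortened to "::".
        if (bestLen < 2) bestStart = -1;

        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 8; ) {
            if (i == bestStart) {
                sb.append("::");
                i += bestLen;
                continue;
            }
            // Separator between groups, unless "::" was just written.
            if (sb.length() > 0 && sb.charAt(sb.length() - 1) != ':') sb.append(':');
            sb.append(Integer.toHexString(g[i]));   // lowercase, no leading zeros
            i++;
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Sample inputs: the addresses used as examples in this thread.
        String[] samples = {"2001:4000:0:5:0:0:0:66", "0:0:0:0:0:0:0:1",
                            "2001:db8:0:0:1:0:0:1", "2001:0:0:1:0:0:0:1"};
        for (String s : samples) {
            // IPv6 literals are parsed locally; no DNS lookup happens here.
            Inet6Address addr = (Inet6Address) InetAddress.getByName(s);
            System.out.println(addr.getHostAddress() + " -> " + canonical(addr.getAddress()));
        }
    }
}
```

For the four samples the right-hand column is 2001:4000:0:5::66, ::1, 2001:db8::1:0:0:1 and 2001:0:0:1::1, so a log filter can match one spelling per address.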
Re: Use canonical IPv6 text representation in logs
On 11.7.2011 20:57, Konstantin Kolinko wrote:
> I wonder how Apache HTTPD server handles IP6 addresses.

Out-of-the-box, without any specific configuration, my httpd 2.2.3 installation on CentOS 5.6, seems to use canonized text representation. Here is the log excerpt, slightly obfuscated:

    2001::0:a::aa - - [11/Jul/2011:22:32:03 +0200] GET /aaa/aaa.css HTTP/1.1 304 - http://aaa.example.com/aaa/aaa.aaa; Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0

So does Linux:

    login as: root
    root@aaa's password:
    Last login: Wed Jul 6 14:17:27 2011 from 2001::0:a::aa
    [root@aaa ~]# host aaa
    aaa.example.com has address 123.12.1.123
    aaa.example.com has IPv6 address 2001::0:aa::aaa

...and Windows XP:

    C:\Documents and Settings\ognjen>netstat -na
    Active Connections
    Proto Local Address Foreign Address State
    (snip)
    TCP [2001::0:a::aa]:2276 [2001::0:aa::aaa]:22 ESTABLISHED 0

>> 2. AccessLogValve system property (-D...)
>> 3. Global Tomcat XML parameter?
>> 4. Global Tomcat system property?
>
> I do not like 2.,3. or 4.

I understand, but then we should add similar parameter to every other filter/valve/logger that could use IPv6 addresses, right?

-Ognjen
Re: Tomcat7.sh example script
Duh. Wrong mailing list.

For the record, I created issues:

https://issues.apache.org/jira/browse/DAEMON-201
https://issues.apache.org/jira/browse/DAEMON-202

-Ognjen

On 28.3.2011 13:10, Ognjen Blagojevic wrote:
> Hi,
>
> Commons-daemon that goes with Tomcat 7.0.11 includes Tomcat7.sh init.d example script. Out-of-the box, that script runs on default JVM, which is for 32-bit Sun Java equal to 'Client' JVM.
>
> I assume that starting tomcat on 'Server' JVM is generally better than 'Client' JVM. What do you think about adding '$JSVC_JVM' into run, start and version actions of that script? Then, user could add e.g.
>
>     export JSVC_JVM='-jvm server'
>
> into setenv.sh to use appropriate JVM, without need to modify the example script.
>
> I also believe that it would be nice to add just one short startup/shutdown message into the same script (e.g. Starting tomcat... [OK]).
>
> What do you think?
>
> -Ognjen
Tomcat7.sh example script
Hi,

Commons-daemon that goes with Tomcat 7.0.11 includes Tomcat7.sh init.d example script. Out-of-the box, that script runs on default JVM, which is for 32-bit Sun Java equal to 'Client' JVM.

I assume that starting tomcat on 'Server' JVM is generally better than 'Client' JVM. What do you think about adding '$JSVC_JVM' into run, start and version actions of that script? Then, user could add e.g.

    export JSVC_JVM='-jvm server'

into setenv.sh to use appropriate JVM, without need to modify the example script.

I also believe that it would be nice to add just one short startup/shutdown message into the same script (e.g. Starting tomcat... [OK]).

What do you think?

-Ognjen
Adding support for Spring security users to guessed user list
Hi developers,

I have one micro request for Tomcat manager application.

Manager application can display active sessions, with the most relevant data for that session (session id, TTL, last accessed time, TTL and so on). Guessed username is one of the columns. AFAICS in the code (SessionUtils.java) username is guessed from the request attributes that are listed in the array USER_TEST_ATTRIBUTES.

Can we add attribute SPRING_SECURITY_LAST_USERNAME to that array, so the users that are using Spring security for authentication may also see the username for the displayed session? (I already tested this, and it works fine.)

If yes, what are next steps? Should I open JIRA and provide patch? Or maybe that is not necessary, since it is a smallest possible modification.

Regards,
Ognjen
Re: Adding support for Spring security users to guessed user list
Mark Thomas wrote:
>> Can we add attribute SPRING_SECURITY_LAST_USERNAME to that array, so the users that are using Spring security for authentication may also see the username for the displayed session? (I already tested this, and it works fine.)
> ...
> I've applied the change to trunk for 7.0.x and proposed the change for 6.0.x.

That was fast. :)

Thank you, Mark.

-Ognjen