https://cwiki.apache.org/confluence/display/TOMCAT
Hi, I looked to the page, wondering how to get a "new comer" to the cwiki... That is not documented. What is the process? Create a Apache JIRA user and user it? If yes that should be in the wiki ;-) -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.89
On 5/3/24 22:37, Rémy Maucherat wrote: [X] +1, Stable - go ahead and release as 9.0.89 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.23
On 4/23/24 14:47, Christopher Schultz wrote: Jean-Frederic, On 4/23/24 08:27, jean-frederic clere wrote: On 4/23/24 09:47, Mark Thomas wrote: On 23/04/2024 06:35, jean-frederic clere wrote: On 4/17/24 12:00, Mark Thomas wrote: Build is reproducible. My tests here complain about examples, did I miss something. No idea. You'd need to do a diff to see what didn't match and that will (hopefully) point you towards the root cause. The class files are different... Investigating. I'm holding the VOTE-RESULT email just in case you find something truly weird. I have changed my VM to 22 and the diff are passing now so I think we are good, thanks for releasing. -chris - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.23
On 4/23/24 14:44, Christopher Schultz wrote: Jean-Frederic, On 4/23/24 08:27, jean-frederic clere wrote: On 4/23/24 09:47, Mark Thomas wrote: On 23/04/2024 06:35, jean-frederic clere wrote: On 4/17/24 12:00, Mark Thomas wrote: Build is reproducible. My tests here complain about examples, did I miss something. No idea. You'd need to do a diff to see what didn't match and that will (hopefully) point you towards the root cause. The class files are different... Investigating. Try using "ant verify-release". It will give you suggestions for investigating anything that doesn't match. +++ BUILD FAILED /home/jfclere/TMP/tomcat-native-tests/apache-tomcat-10.1.23-src/build.xml:4363: Release toolchain versions do not match local toolchain: Release Java: 22+36 Local Java: 17.0.9+9 Release Ant: 1.10.14 Local Ant:1.10.12 You may not be able to verify that this build is reproducible. +++ -chris - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.23
On 4/23/24 09:47, Mark Thomas wrote: On 23/04/2024 06:35, jean-frederic clere wrote: On 4/17/24 12:00, Mark Thomas wrote: Build is reproducible. My tests here complain about examples, did I miss something. No idea. You'd need to do a diff to see what didn't match and that will (hopefully) point you towards the root cause. The class files are different... Investigating. Mark TCK tests are still running... - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.23
On 4/16/24 15:11, Christopher Schultz wrote: [X] Stable - go ahead and release as 10.1.23 Tested on fedora39 with tc-native 2.0.7 looks OK, TCK passes. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.23
On 4/17/24 12:00, Mark Thomas wrote: Build is reproducible. My tests here complain about examples, did I miss something. TCK tests are still running... -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.19
On 2/14/24 23:43, Christopher Schultz wrote: [X] Stable - go ahead and release as 10.1.19 Tested on fedora39, build reproduced and TCK passed. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Multiple PRs for 'super tomcat'
On 2/15/24 04:46, Mark Thomas wrote: All, The spate of PRs (nearly) all at the same time, all with (nearly) the same title and all with (nearly) the same apology appear to be linked. I don't know what is going on but I have a very hard time believing that they were all accidental. It looks very much like deliberate, coordinated activity to me. The question is what do we do about it. Do we - ignore it Yes don't feed the trolls. - add a comment to the PR that we view it as abusive and that - any further on the PR will be reported to GitHub as abuse - any further behaviour of this nature from this user will reported to GitHub as abuse - anyone reported to GitHub for abuse *will* be permanently banned from contributing to all ASF repositories - report them (and ban them) for abuse now That is probably the other option. I suspect some training course is using Tomcat to send dummy PRs. As such I'm leaning to the second option as it should send a clear message that such use is not acceptable. Thoughts? It might be the next new kind of spam :-( Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.86
On 2/14/24 09:53, Rémy Maucherat wrote: [X] +1, Stable - go ahead and release as 9.0.86 Tested on fedora 39 with tc-native 1.3.0. Reproducible. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: 6 TCK remaining failing tests
On 1/10/24 09:20, Mark Thomas wrote: On 09/01/2024 18:16, jean-frederic clere wrote: Hi, While testing 10.1.18 I have the remaining failing tests: com/sun/ts/tests/servlet/api/jakarta_servlet_http/cookie/URLClient.java#setMaxAgePositiveTest com/sun/ts/tests/servlet/pluggability/api/jakarta_servlet_http/cookie/URLClient.java#setMaxAgePositiveTest Those 2 are due to the TCK expecting the old netscape date format... somthing like: "EEE, dd-MMM-yy HH:mm:ss z" Does it make sense to tell it is a TCK mistake (and report it) or do we need to resurrect the old LegacyCookieProcessor? See https://github.com/jakartaee/servlet/issues/471 Those tests should be excluded. Are you using 6.0.1 of the TCK? I have retried with 6.0.1 that helps ;-) com/sun/ts/tests/servlet/spec/defaultcontextpath/URLClient.java#getDefaultContextPathTest We know this one won't pass. +1 With 6.0.1 that is the only one failing. com/sun/ts/tests/servlet/spec/security/clientcert/Client.java#clientCertTest com/sun/ts/tests/servlet/spec/security/clientcertanno/Client.java#clientCertTest Those 2 are due to key/cert of the TCK being so old: My JVM version reject them as too small... Raise an issue for that please so they get updated for Servlet 6.1 It seems they are passing with 6.0.1 so we are GOOD! com/sun/ts/tests/signaturetest/servlet/ServletSigTest.java#signatureTest Do we care about this one? Yes. This one should pass although from memory getting the setup right was tricky. If no one complains I will document those as not passing in https://cwiki.apache.org/confluence/display/TOMCAT/Servlet+TCK+6.0 Thanks, Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: 6 TCK remaining failing tests
On 1/10/24 09:20, Mark Thomas wrote: Yes. This one should pass although from memory getting the setup right was tricky. Yes I have found a work-around and it is passing now. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
6 TCK remaining failing tests
Hi, While testing 10.1.18 I have the remaining failing tests: com/sun/ts/tests/servlet/api/jakarta_servlet_http/cookie/URLClient.java#setMaxAgePositiveTest com/sun/ts/tests/servlet/pluggability/api/jakarta_servlet_http/cookie/URLClient.java#setMaxAgePositiveTest Those 2 are due to the TCK expecting the old netscape date format... somthing like: "EEE, dd-MMM-yy HH:mm:ss z" Does it make sense to tell it is a TCK mistake (and report it) or do we need to resurrect the old LegacyCookieProcessor? com/sun/ts/tests/servlet/spec/defaultcontextpath/URLClient.java#getDefaultContextPathTest We know this one won't pass. com/sun/ts/tests/servlet/spec/security/clientcert/Client.java#clientCertTest com/sun/ts/tests/servlet/spec/security/clientcertanno/Client.java#clientCertTest Those 2 are due to key/cert of the TCK being so old: My JVM version reject them as too small... com/sun/ts/tests/signaturetest/servlet/ServletSigTest.java#signatureTest Do we care about this one? If no one complains I will document those as not passing in https://cwiki.apache.org/confluence/display/TOMCAT/Servlet+TCK+6.0 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.85
On 1/5/24 10:25, Rémy Maucherat wrote: [X] +1, Stable - go ahead and release as 9.0.85 Tested on fedora39 with tc-native-1.2.39. and it is reproducible. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.18
On 1/5/24 16:25, Christopher Schultz wrote: [X] Stable - go ahead and release as 10.1.18 A part the: +++ [concat] TEST-org.apache.tomcat.websocket.server.TestAsyncMessagesPerformance.NIO.txt [concat] TEST-org.apache.tomcat.websocket.server.TestAsyncMessagesPerformance.NIO2.txt +++ "messages" All tests are passing on fedora39 with tomcat-native-2.0.6 The release is reproducible. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: TCK servlet TCK 6.0
On 12/22/23 15:20, jean-frederic clere wrote: On 12/22/23 11:21, Mark Thomas wrote: On 22/12/2023 10:01, jean-frederic clere wrote: Yep, is there an "easy" way to configure the CharsetMapperDefault.properties used by the mapper? Add the following to the global web.xml ja Shift_JIS Any idea for this error: +++ 12-22-2023 13:52:50: ERROR: Test case throws exception: Exception occurred:org.apache.commons.httpclient.cookie.MalformedCookieException: Invalid expires attribute: Unparseable date: "Fri, 22 Dec 2023 12:52:52 GMT" +++ The TCK is testing for Fri, 22-Dec-2023 12:52:52 GMT ... Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: TCK servlet TCK 6.0
On 12/22/23 11:21, Mark Thomas wrote: On 22/12/2023 10:01, jean-frederic clere wrote: Yep, is there an "easy" way to configure the CharsetMapperDefault.properties used by the mapper? Add the following to the global web.xml ja Shift_JIS Any idea for this error: +++ 12-22-2023 13:52:50: ERROR: Test case throws exception: Exception occurred:org.apache.commons.httpclient.cookie.MalformedCookieException: Invalid expires attribute: Unparseable date: "Fri, 22 Dec 2023 12:52:52 GMT" +++ Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: TCK servlet TCK 6.0
On 12/22/23 11:21, Mark Thomas wrote: On 22/12/2023 10:01, jean-frederic clere wrote: Yep, is there an "easy" way to configure the CharsetMapperDefault.properties used by the mapper? Add the following to the global web.xml ja Shift_JIS Yes thanks! Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: TCK servlet TCK 6.0
On 12/22/23 10:51, Rémy Maucherat wrote: On Fri, Dec 22, 2023 at 10:41 AM jean-frederic clere wrote: On 12/19/23 18:37, Mark Thomas wrote: On 19/12/2023 13:05, jean-frederic clere wrote: Hi, I have tried to run the TCK against Tomcat-10.1.17 I have 12 failed tests. Before investigating I have questions: Did someone run the servlet TCK recently? Not recently but I have run it. Are some tests expected to fail (well for sure the DefaultContextPathTest and the signatures, but are there others? DefaultContextPathTest should be the only failure. Everything else should pass. Some test are fixed by: +++ diff --git a/java/org/apache/catalina/util/CharsetMapperDefault.properties b/java/org/apache/catalina/util/CharsetMapperDefault.properties index 6f8bf49493..d438bcf71e 100644 --- a/java/org/apache/catalina/util/CharsetMapperDefault.properties +++ b/java/org/apache/catalina/util/CharsetMapperDefault.properties @@ -15,3 +15,4 @@ en=ISO-8859-1 fr=ISO-8859-1 +ja=Shift_JIS +++ It's ok to change the config to run the TCK, but that's about it: https://github.com/apache/tomcat/commit/471c84b89630664e16d80c5557c681b658acabc4 Yep, is there an "easy" way to configure the CharsetMapperDefault.properties used by the mapper? Rémy I have created https://cwiki.apache.org/confluence/display/TOMCAT/Servlet+TCK+6.0 and I am planning to update it ;-) Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: TCK servlet TCK 6.0
On 12/19/23 18:37, Mark Thomas wrote: On 19/12/2023 13:05, jean-frederic clere wrote: Hi, I have tried to run the TCK against Tomcat-10.1.17 I have 12 failed tests. Before investigating I have questions: Did someone run the servlet TCK recently? Not recently but I have run it. Are some tests expected to fail (well for sure the DefaultContextPathTest and the signatures, but are there others? DefaultContextPathTest should be the only failure. Everything else should pass. Some test are fixed by: +++ diff --git a/java/org/apache/catalina/util/CharsetMapperDefault.properties b/java/org/apache/catalina/util/CharsetMapperDefault.properties index 6f8bf49493..d438bcf71e 100644 --- a/java/org/apache/catalina/util/CharsetMapperDefault.properties +++ b/java/org/apache/catalina/util/CharsetMapperDefault.properties @@ -15,3 +15,4 @@ en=ISO-8859-1 fr=ISO-8859-1 +ja=Shift_JIS +++ I have created https://cwiki.apache.org/confluence/display/TOMCAT/Servlet+TCK+6.0 and I am planning to update it ;-) Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: TCK servlet TCK 6.0
On 12/19/23 18:37, Mark Thomas wrote: On 19/12/2023 13:05, jean-frederic clere wrote: Hi, I have tried to run the TCK against Tomcat-10.1.17 I have 12 failed tests. Before investigating I have questions: Did someone run the servlet TCK recently? Not recently but I have run it. Are some tests expected to fail (well for sure the DefaultContextPathTest and the signatures, but are there others? DefaultContextPathTest should be the only failure. Everything else should pass. OK the 2 security tests are failing for me and I know why and not sure what to do, the key/cert are too small (and very old). I will look to the 9 other tests (one seems a date format problem, the others look to be some "Locale" problem, probably related to my environment). I have created https://cwiki.apache.org/confluence/display/TOMCAT/Servlet+TCK+6.0 and I am planning to update it ;-) Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
TCK servlet TCK 6.0
Hi, I have tried to run the TCK against Tomcat-10.1.17 I have 12 failed tests. Before investigating I have questions: Did someone run the servlet TCK recently? Are some tests expected to fail (well for sure the DefaultContextPathTest and the signatures, but are there others? I have created https://cwiki.apache.org/confluence/display/TOMCAT/Servlet+TCK+6.0 and I am planning to update it ;-) -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.17
On 12/8/23 04:17, Christopher Schultz wrote: [X] Stable - go ahead and release as 10.1.17 Tested on fedora 38. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.84
On 12/7/23 20:44, Rémy Maucherat wrote: [X] +1, Stable - go ahead and release as 9.0.84 Tested on fedora fc38 with tc-native 1.2.39. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 11.0.0-M14
On 11/9/23 20:58, Mark Thomas wrote: [X] +1 Alpha - go ahead and release as 11.0.0-M14 Thanks! -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.83
On 11/9/23 23:12, Rémy Maucherat wrote: [X] +1, Stable - go ahead and release as 9.0.83 Tested on fedora38... -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.14
On 10/10/23 00:18, Christopher Schultz wrote: [X] Stable - go ahead and release as 10.1.14 Tested on fedora 37 openjdk 17 with tc-native-2.0.6 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.81
On 10/9/23 23:36, Rémy Maucherat wrote: [X] +1, Stable - go ahead and release as 9.0.81 tested with tc-native-1.2.39 on fedora 38 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.13
On 8/24/23 01:28, Mark Thomas wrote: [X] Stable - go ahead and release as 10.1.13 Tested on fedora 38 with open-ssl-3.0.9, tc-native-2.0.5 and open-jdk 17.0.8 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.80
On 8/24/23 01:29, Mark Thomas wrote: [X] +1, Stable - go ahead and release as 9.0.80 Tested with openjdk version "17.0.8", tc-native 1.2.37 and openssl 3.0.9 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.11
On 7/6/23 16:41, Christopher Schultz wrote: [X] Stable - go ahead and release as 10.1.11 tested with tc-native 2.0.4 on fedora38 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.78
On 7/4/23 15:28, Rémy Maucherat wrote: [X] +1, Stable - go ahead and release as 9.0.78 Tested on fedora 38 with OpenJDK 17 (fc38 build). I had: +++ [concat] Testsuites with failed tests: [concat] TEST-org.apache.tomcat.jni.TestSocketServerAnyLocalAddress.APR.txt [concat] TEST-org.apache.tomcat.jni.TestSocketServerAnyLocalAddress.NIO.txt [concat] TEST-org.apache.tomcat.jni.TestSocketServerAnyLocalAddress.NIO2.txt +++ Due to: +++ [jfclere@fedora NOTES]$ sysctl net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.all.disable_ipv6 = 1 +++ my bad! ;-) -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
tomcat and httpd track before July 13th! Final Reminder: Community Over Code call for presentations closing soon
Hi, Don't forget to submit talks ASAP to: https://communityovercode.org/call-for-presentations/ there is a tomcat and httpd track for us. Cheers Jean-Frederic Forwarded Message Subject: Final Reminder: Community Over Code call for presentations closing soon Date: Wed, 28 Jun 2023 16:09:34 -0400 From: Rich Bowen Reply-To: plann...@apachecon.com Organization: The Apache Software Foundation To: ApacheCon Planners [Note: You're receiving this email because you are subscribed to one or more project dev@ mailing lists at the Apache Software Foundation.] This is your final reminder that the Call for Presentations for Community Over Code (formerly known as ApacheCon) is closing soon - on Thursday, 13 July 2023 at 23:59:59 GMT. https://communityovercode.org/call-for-presentations/ We are looking for talk proposals on all topics related to ASF projects and open source software. The event will be held in Halifax, Nova Scotia, Octiber 7th through 10th. More details about the event may be found on the event website at https://communityovercode.org/ Rich, for the event planners -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.75
On 5/4/23 16:20, Rémy Maucherat wrote: [X] +1, Stable - go ahead and release as 9.0.75 Tested on fedora 37. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.74
On 4/13/23 10:42, Rémy Maucherat wrote: [X] Stable - go ahead and release as 9.0.74 Tested on fedora 37 with native 1.2.26 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.5
On 1/9/23 21:25, Mark Thomas wrote: [X] Stable - go ahead and release as 10.1.5 Tested on fedora 37. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.71
On 1/9/23 23:53, Rémy Maucherat wrote: [X] Stable - go ahead and release as 9.0.71 Tested on fedora 37 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.4
On 12/8/22 20:35, Mark Thomas wrote: Ping. Just a reminder we need one more PMC vote for this release. [X] Stable - go ahead and release as 10.1.4 Tested of fedora36 Jean-Frederic Thanks, Mark On 05/12/2022 17:42, Mark Thomas wrote: The proposed Apache Tomcat 10.1.4 release is now available for voting. The notable changes compared to 10.1.2 are: - Refactor WebappLoader so it only has a runtime dependency on the migration tool for Jakarta EE if configured to use the converter as classes are loaded. - When an HTTP/2 stream was reset, the current active stream count was not reduced. If enough resets occurred on a connection, the current active stream count limit was reached and no new streams could be created on that connection. - Update to Commons Daemon 1.3.3 For full details, see the change log: https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. It can be obtained from: https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.4/ The Maven staging repo is: https://repository.apache.org/content/repositories/orgapachetomcat-1412 The tag is: https://github.com/apache/tomcat/tree/10.1.4 a8e13f8d7e621be9f58af45f5a67e7bf847a8321 The proposed 10.1.4 release is: [ ] Broken - do not release [ ] Stable - go ahead and release as 10.1.4 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.4
On 12/8/22 20:35, Mark Thomas wrote: Ping. Just a reminder we need one more PMC vote for this release. > [X] Stable - go ahead and release as 10.1.4 Tested of fedora36 Jean-Frederic Thanks, Mark On 05/12/2022 17:42, Mark Thomas wrote: The proposed Apache Tomcat 10.1.4 release is now available for voting. The notable changes compared to 10.1.2 are: - Refactor WebappLoader so it only has a runtime dependency on the migration tool for Jakarta EE if configured to use the converter as classes are loaded. - When an HTTP/2 stream was reset, the current active stream count was not reduced. If enough resets occurred on a connection, the current active stream count limit was reached and no new streams could be created on that connection. - Update to Commons Daemon 1.3.3 For full details, see the change log: https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. It can be obtained from: https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.4/ The Maven staging repo is: https://repository.apache.org/content/repositories/orgapachetomcat-1412 The tag is: https://github.com/apache/tomcat/tree/10.1.4 a8e13f8d7e621be9f58af45f5a67e7bf847a8321 The proposed 10.1.4 release is: [ ] Broken - do not release [ ] Stable - go ahead and release as 10.1.4 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.70
On 12/1/22 15:27, Rémy Maucherat wrote: [X] Stable - go ahead and release as 9.0.70 Test on fedora36 with tc-native-1.2.35 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Handling reports from oss-fuzz
On 11/24/22 10:13, Mark Thomas wrote: Hi all, We currently receive reports from oss-fuzz to the Tomcat security list. There is a relatively high volume of reports with a very high false positive rate. To date, we haven't had any valid security issues reported. Concern has been expressed that oss-fuzz is generating excessive noise on the security list. I'd like to propose the following solution, recently adopted by Apache Commons. 1. Create a new, private mailing list: fuzz-testing@tomcat.a.o 2. This new list becomes the primary contact for oss-fuzz issues. 3. security@tomact.a.o remains on the CC but we disable notifications unless the issue is explicitly starred The new process would then be: - issues reported to fuzz-testing@tomact.a.o - interested PMC members subscribe to that list - we triage issues (depending on volume this could become an issue) - false positives are rejected - bugs are fixed - security issues are starred this triggers notification of issue updates to the security list - security issues are handled as per the usual process Thoughts? +1 Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.2
On 11/9/22 18:32, Mark Thomas wrote: [X] Stable - go ahead and release as 10.1.2 Tested on fedora 36. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Apache Tomcat migration tool for Jakarta EE 1.0.5
On 11/2/22 13:43, Mark Thomas wrote: [X] +1: Acceptable. Go ahead and release. Tested on fedora using 9.0.67 examples on 10.1.0 tomcat. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [DISCUSS] EOL date for 8.5.x
On 10/7/22 11:27, Mark Thomas wrote: Based on the above I think EOL for 8.5.x should be either 31 March 2024 +1 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.67
On 9/23/22 14:03, Rémy Maucherat wrote: [X] Stable - go ahead and release as 9.0.67 (stable) Testing on fedora36 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.0
On 9/23/22 11:44, Mark Thomas wrote: [X] Stable - go ahead and release as 10.1.0 (stable) Tested on fedora36 with tc-native 2.0.1 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.66
On 9/22/22 11:21, Rémy Maucherat wrote: [X] Stable - go ahead and release as 9.0.66 (stable) Tested on fedora 36 with tc-native 1.2.35 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.0.23
On 14/07/2022 11:25, Mark Thomas wrote: [X] Stable - go ahead and release as 10.0.23 (stable) Tested on fedora36 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: tcnative crashes during shutdown (TC 10.x unit tests)
On 20/07/2022 00:16, Rainer Jung wrote: Roughly the same pattern I saw for TC 10.0 now also seen for TC 10.1. May be something wrong in apr? Which apr version are you using? Am 18.07.2022 um 12:09 schrieb Rainer Jung: Hi there, this is just an info, at this point probably not a showstopper. The topic is crashes in tcnative 1.2 and 2.0 for TC 10.0 during shutdown after TLS unit tests. Details: I ran the TC unit tests for latest 9.x, 10.x and 10.1.x with tcnative 1.2.35 OpenSSL 1.1.1q, 1.2.35 OpenSSL 3.0.2 and 2.0.1 OpenSSL 3.0.2. I ran the test for a variety of OpenJDK builds (Adoptium, Zulu, Oracle, RedHat) and versions (latest 1.8.0 except for 10.1, 11, 17 and current 19). The platforms where SLES 11, 12 and 15 and RHEL 6, 7 and 8. For RHEL 7 and 8 there were 48 runs, for the other platforms 39 (no RedHat JDK). I only ran about 150 test classes (for NIO and also for NIO2), because I also ran the full unit tests (about 450 classes) for JSSE and didn't want to rerun all tests for time and efficiency reasons. For TC 10 I observed crashes in TLS tests during shutdown: Out of the roughly 250 test runs, 5 produced such a crash. For TC 9 I did not observe a single one. Tests for TC 10.1 are ongoing, until now no crash, but it is a bit early for a final result. I think the crashes are not new. All hapened in the TLS tests in org.apache.tomcat.util.net. The list of crashes I saw for TC 10.0.23: RHEL7 jdk1.8.0 tcnative 1.2.35 OpenSSL 3.0.2 org.apache.tomcat.util.net.TestSsl FAILED (crashed) openjdk version "1.8.0_332-ea" OpenJDK Runtime Environment (build 1.8.0_332-ea-b06) OpenJDK 64-Bit Server VM (build 25.332-b06, mixed mode) double free or corruption (!prev): 0x7f473c19df50 === Backtrace: = /lib64/libc.so.6(+0x7d56d)[0x7f4742aa456d] /.../tcnative-deps/libapr-1.so.0(apr_allocator_destroy+0x1d)[0x7f472871923d] /.../tcnative-deps/libapr-1.so.0(apr_pool_terminate+0x30)[0x7f4728719c10] [0x7f472d018427] RHEL7 jdk17 tcnative 1.2.35 OpenSSL 1.1.1q org.apache.tomcat.util.net.TestCustomSslTrustManager FAILED (crashed) openjdk version "17.0.2" 2022-01-18 OpenJDK Runtime Environment (build 17.0.2+8-86) OpenJDK 64-Bit Server VM (build 17.0.2+8-86, mixed mode, sharing) corrupted double-linked list: 0x7f6bb8001d10 === Backtrace: = /lib64/libc.so.6(+0x7bfc7)[0x7f6bf481dfc7] /lib64/libc.so.6(+0x7d774)[0x7f6bf481f774] /.../tcnative-deps/libapr-1.so.0(apr_allocator_destroy+0x1d)[0x7f6bc543223d] /.../tcnative-deps/libapr-1.so.0(apr_pool_terminate+0x30)[0x7f6bc5432c10] [0x7f6bd572249a] SLES11 oracle_jdk1.8.0 tcnative 2.0.1 OpenSSL 3.0.2 org.apache.tomcat.util.net.TestSsl FAILED (crashed) java version "1.8.0_331" Java(TM) SE Runtime Environment (build 1.8.0_331-b09) Java HotSpot(TM) 64-Bit Server VM (build 25.331-b09, mixed mode) double free or corruption (!prev): 0x7fbf88c1de10 === Backtrace: = /lib64/libc.so.6(+0x75018)[0x7fbf87b35018] /lib64/libc.so.6(cfree+0x6c)[0x7fbf87b39f6c] /.../tcnative-deps/libapr-1.so.0(apr_allocator_destroy+0x1d)[0x7fbf718a5aad] /.../tcnative-deps/libapr-1.so.0(apr_pool_terminate+0x34)[0x7fbf718a66f4] [0x7fbf770264a7] SLES11 jdk11 tcnative 1.2.35 OpenSSL 1.1.1q org.apache.tomcat.util.net.TestSsl FAILED (crashed) openjdk version "11.0.15" 2022-04-19 OpenJDK Runtime Environment 18.9 (build 11.0.15+10) OpenJDK 64-Bit Server VM 18.9 (build 11.0.15+10, mixed mode) double free or corruption (!prev): 0x7f4f6bb93040 === Backtrace: = /lib64/libc.so.6(+0x75018)[0x7f4f6a171018] /lib64/libc.so.6(cfree+0x6c)[0x7f4f6a175f6c] /.../tcnative-deps/libapr-1.so.0(apr_allocator_destroy+0x1d)[0x7f4f49403aad] /.../tcnative-deps/libapr-1.so.0(apr_pool_terminate+0x34)[0x7f4f494046f4] [0x7f4f508b88b0] RHEL 8 Adoptium jdk11 tcnative 1.2.35 OpenSSL 1.1.1q Test org.apache.tomcat.util.net.TestClientCert FAILED (crashed) Since they are rare and happen in various tests and version combinations, it seems the general shutdown behavior w.r.t. the library is not yet perfect. Once the tests for 10.1 complete, I will see, whether I can force the crashes more often by focusing on the TLS tests in org.apache.tomcat.util.net. Best regards, Rainer - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.65
On 14/07/2022 15:17, Rémy Maucherat wrote: [X] Stable - go ahead and release as 9.0.65 (stable) Tested on fedora 36 with tc-native 1.2.35 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.0-M17
On 13/07/2022 23:57, Mark Thomas wrote: [X] Beta - go ahead and release as 10.1.0-M17 (beta) Tested on fedora 36 ;-) -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.0.22
On 02/06/2022 19:11, Mark Thomas wrote: [X] Stable - go ahead and release as 10.0.22 (stable) Tested on fedora35 and rhel6 (with my own openssl/apr on rhel6). Note 10.0.22 not 21!!! -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.0-M16
On 02/06/2022 15:22, Mark Thomas wrote: [X] Beta - go ahead and release as 10.1.0-M16 (beta) Tested on fedora 35. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.64
On 02/06/2022 21:46, Rémy Maucherat wrote: [X] Stable - go ahead and release as 9.0.64 (stable) Tested on fedora35. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.62
On 31/03/2022 16:56, Rémy Maucherat wrote: [X] Stable - go ahead and release as 9.0.62 (stable) -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.61
On 30/03/2022 10:21, Rémy Maucherat wrote: [X] Stable - go ahead and release as 9.0.61 (stable) Tested with tc-native-1.2.32 on fedora35 [jfclere@ovpn-113-163 tomcat-native-tests]$ java --version +++ openjdk 11.0.14.1 2022-02-08 OpenJDK Runtime Environment 18.9 (build 11.0.14.1+1) OpenJDK 64-Bit Server VM 18.9 (build 11.0.14.1+1, mixed mode, sharing) +++ -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.59
On 25/02/2022 18:14, Rainer Jung wrote: Hi Jean-Frederic, Am 25.02.2022 um 17:27 schrieb jean-frederic clere: On 21/02/2022 22:20, Rémy Maucherat wrote: [X] Stable - go ahead and release as 9.0.59 (stable) Tested on fedora fc35 with openjdk version "11.0.14.1" My tests failed with openjdk version "1.8.0_322" test-nio: [junit] Unrecognized option: --add-opens=java.base/java.lang=ALL-UNNAMED [junit] Error: Could not create the Java Virtual Machine. The problem is to compile the tests with java11 and test with java8 I need to fix my tests :-( we had this discussion in another thread. It should suffice to add the following lines to your own build.properties file: opens.javalang=-Dnop opens.javaio=-Dnop opens.sunrmi=-Dnop opens.javautil=-Dnop opens.javautilconcurrent=-Dnop You can add them before building or also just before running the test. They only apply to the unit test runs. The "nop" was chosen as any system property name that is likely not actually being used. It should remind one of a "no-operation". Yes that helps +++ BUILD SUCCESSFUL Total time: 76 minutes 39 seconds DONE: All OK +++ So tested: with openjdk version "1.8.0_322" too. Best regards, Rainer -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.0-M11
On 21/02/2022 19:42, Mark Thomas wrote: [X] Alpha - go ahead and release as 10.1.0-M11 (alpha) Tested on fedora35 with openjdk version "11.0.14.1" 2022-02-08 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.59
On 21/02/2022 22:20, Rémy Maucherat wrote: [X] Stable - go ahead and release as 9.0.59 (stable) Tested on fedora fc35 with openjdk version "11.0.14.1" My tests failed with openjdk version "1.8.0_322" test-nio: [junit] Unrecognized option: --add-opens=java.base/java.lang=ALL-UNNAMED [junit] Error: Could not create the Java Virtual Machine. The problem is to compile the tests with java11 and test with java8 I need to fix my tests :-( -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.0-M10
On 15/01/2022 13:49, Mark Thomas wrote: [X] Alpha - go ahead and release as 10.1.0-M10 (alpha) Tested on fedora34 with openjdk version "11.0.13 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.56
On 06/12/2021 15:19, jean-frederic clere wrote: On 03/12/2021 09:49, Rémy Maucherat wrote: [X] Stable - go ahead and release as 9.0.56 (stable) Tested on fedora33 with openjdk 11.0.13. Same results for adoptium jdk8u302-b08 looks good to me. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.56
On 03/12/2021 09:49, Rémy Maucherat wrote: [X] Stable - go ahead and release as 9.0.56 (stable) Tested on fedora33 with openjdk 11.0.13. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Problems with let's encrypt
On 21/09/2021 15:16, Rainer Jung wrote: Am 21.09.2021 um 14:39 schrieb Christopher Schultz: Jean-Frederic, On 9/21/21 08:17, jean-frederic clere wrote: On 19/09/2021 15:22, Christopher Schultz wrote: Jean-Frederic, On 9/19/21 03:09, jean-frederic clere wrote: Hi, I have some problems with let's encrypt certificates and firefox, basically I get: Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING It looks like tomcat and tomcat-native are missing something with my certificate, the same certificate with with httpd. The work-around is security.ssl.enable_ocsp_must_staple=false in the firefox configuration. Has someone the same problem? I think it is related to +++ Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ +++ and SSLUseStapling On Does your certificate have the Must-Staple extension/feature in it? If the cert has the Must-Staple feature, then the server must provide stapling. Is it a surprise to you that your cert that this extension enabled? I think you have to specifically-request Must-Staple when requesting a cert from LE. May be it is related to that I am using mod_md in Apache httpd and just moved the certificate/key to use the pair in tomcat. And yes I have the Must-Staple in the certicate but I don't know why... If you had mod_md request the cert, I suspect it included "must staple" in the request, since mod_md should be performing the stapling internally. If you copied the cert from that environment into Tomcat, then you will likely have to enable stapling there, in Tomcat, too. -chris Default for MjustStaple in mod_md should be off, but it is configurable: http://httpd.apache.org/docs/2.4/en/mod/mod_md.html#mdmuststaple I have not checked, whether the default changed or whether the must staple of the old certificate that needs renewal comes into play. Correct I have: ServerAdmin jfcl...@gmail.com MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf MDomain jfclere.myddns.me MDMustStaple On So Yes I have MDMustStaple On and SSLUseStapling On in the httpd VirtualHost configuration. Note using MDRenewWindow 60s renew the cert and fix the "problem". If I have time I will looking how to add the SSLUseStapling to tomcat but that is probably not urgent ;-) Regards, Rainer - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Problems with let's encrypt
On 19/09/2021 15:22, Christopher Schultz wrote: Jean-Frederic, On 9/19/21 03:09, jean-frederic clere wrote: Hi, I have some problems with let's encrypt certificates and firefox, basically I get: Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING It looks like tomcat and tomcat-native are missing something with my certificate, the same certificate with with httpd. The work-around is security.ssl.enable_ocsp_must_staple=false in the firefox configuration. Has someone the same problem? I think it is related to +++ Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ +++ and SSLUseStapling On Does your certificate have the Must-Staple extension/feature in it? If the cert has the Must-Staple feature, then the server must provide stapling. Is it a surprise to you that your cert that this extension enabled? I think you have to specifically-request Must-Staple when requesting a cert from LE. May be it is related to that I am using mod_md in Apache httpd and just moved the certificate/key to use the pair in tomcat. And yes I have the Must-Staple in the certicate but I don't know why... -chris - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Problems with let's encrypt
Hi, I have some problems with let's encrypt certificates and firefox, basically I get: Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING It looks like tomcat and tomcat-native are missing something with my certificate, the same certificate with with httpd. The work-around is security.ssl.enable_ocsp_must_staple=false in the firefox configuration. Has someone the same problem? I think it is related to +++ Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ +++ and SSLUseStapling On -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.0-M5
On 10/09/2021 08:10, jean-frederic clere wrote: On 06/09/2021 16:43, Mark Thomas wrote: [X] Alpha - go ahead and release as 10.1.0-M5 (alpha) Tested on fedora34 with adoptopenjdk jdk-11.0.12+7 Still one failure: [concat] Testsuites with failed tests: [concat] TEST-org.apache.tomcat.util.net.TestSsl.NIO2.txt I will have a closer look later. +++ Core was generated by `/usr/lib/jvm/java-11-openjdk-11.0.12.0.7-0.fc34.x86_64/bin/java -Djava.security'. Program terminated with signal SIGABRT, Aborted. #0 0x7f72260932a2 in raise () from /lib64/libc.so.6 [Current thread is 1 (Thread 0x7f722495a640 (LWP 1925219))] (gdb) bt #0 0x7f72260932a2 in raise () from /lib64/libc.so.6 #1 0x7f722607c8a4 in abort () from /lib64/libc.so.6 #2 0x7f72260d5a97 in __libc_message () from /lib64/libc.so.6 #3 0x7f72260dd70c in malloc_printerr () from /lib64/libc.so.6 #4 0x7f72260def9c in _int_free () from /lib64/libc.so.6 #5 0x7f72260e27c8 in free () from /lib64/libc.so.6 #6 0x7f71f002a5cb in apr_allocator_destroy () from /lib64/libapr-1.so.0 #7 0x7f71f0032ea0 in apr_pool_terminate () from /lib64/libapr-1.so.0 #8 0x7f7207fa2a30 in ?? () #9 0x7f7220019000 in ?? () #10 0x7f7224957338 in ?? () #11 0x in ?? () +++ hm no very promising :-( -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.0-M5
On 06/09/2021 16:43, Mark Thomas wrote: [X] Alpha - go ahead and release as 10.1.0-M5 (alpha) Tested on fedora34 with adoptopenjdk jdk-11.0.12+7 Still one failure: [concat] Testsuites with failed tests: [concat] TEST-org.apache.tomcat.util.net.TestSsl.NIO2.txt I will have a closer look later. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.53
On 06/09/2021 21:21, Rémy Maucherat wrote: [X] Stable - go ahead and release as 9.0.53 (stable) Tested on fedora34 with openjdk8. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 8.5.70
On 09/08/2021 22:05, Mark Thomas wrote: [X] Stable - go ahead and release as 8.5.70 On fedora 34, I have the following failures: +++ [concat] Testsuites with failed tests: [concat] TEST-org.apache.catalina.valves.rewrite.TestResolverSSL.NIO.txt [concat] TEST-org.apache.catalina.valves.rewrite.TestResolverSSL.NIO2.txt [concat] TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt [concat] TEST-org.apache.tomcat.util.net.TestClientCert.NIO2.txt [concat] TEST-org.apache.tomcat.util.net.TestClientCertTls13.NIO.txt [concat] TEST-org.apache.tomcat.util.net.TestClientCertTls13.NIO2.txt [concat] TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO.txt [concat] TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO2.txt +++ But that looks like a configuration problem... invalid certificate... -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: openssl-3.0.0 test failures with 9.0.x (I have not checked the other branches)
On 10/08/2021 14:02, jean-frederic clere wrote: Hi, I have the following failure with ant test: [concat] TEST-org.apache.tomcat.util.net.TestSSLHostConfigCompat.APR.txt [concat] TEST-org.apache.tomcat.util.net.TestSSLHostConfigCompat.NIO.txt [concat] TEST-org.apache.tomcat.util.net.TestSSLHostConfigCompat.NIO2.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.APR.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.NIO.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.NIO2.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.APR.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.NIO.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.NIO2.txt The ciphers ones are not new for me on fedora, the TestSSLHostConfigCompat ones look new, is anyone seeing those? I was trying with openssl/"master". For the TestSSLHostConfigCompat it is due to a patch I was planning to commit later. So forget those ones. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: openssl-3.0.0 test failures with 9.0.x (I have not checked the other branches)
On 10/08/2021 14:56, Konstantin Kolinko wrote: вт, 10 авг. 2021 г. в 15:02, jean-frederic clere : Hi, I have the following failure with ant test: [concat] TEST-org.apache.tomcat.util.net.TestSSLHostConfigCompat.APR.txt [concat] TEST-org.apache.tomcat.util.net.TestSSLHostConfigCompat.NIO.txt [concat] TEST-org.apache.tomcat.util.net.TestSSLHostConfigCompat.NIO2.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.APR.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.NIO.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.NIO2.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.APR.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.NIO.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.NIO2.txt The ciphers ones are not new for me on fedora, the TestSSLHostConfigCompat ones look new, is anyone seeing those? I was trying with openssl/"master". Looking at Apache Gump, - tomcat/10.1.x (main) fails to compile Apparently Gunp tries to build it with Java 8 instead of Java 11 Well according to http://vmgump.apache.org/ the VM is for java-8-openjdk, not sure how to get a Java11 VM. - tomcat//10.0.x with APR: http://vmgump.apache.org/tomcat-10.0.x/tomcat-10.0.x-test-apr/index.html Two failing tests: [concat] Testsuites with failed tests: [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.APR.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.APR.txt Content of those log files: The first one: http://vmgump.apache.org/tomcat-10.0.x/tomcat-10.0.x-test-apr/gump_file/TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.APR.txt.html [[[ Testsuite: org.apache.tomcat.util.net.openssl.ciphers.TestCipher Tests run: 3, Failures: 2, Errors: 0, Skipped: 0, Time elapsed: 0.069 sec - Standard Error - /srv/gump/public/workspace/openssl-master/dest-20210810/bin/openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory /srv/gump/public/workspace/openssl-master/dest-20210810/bin/openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory /srv/gump/public/workspace/openssl-master/dest-20210810/bin/openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory - --- [...] Testcase: testOpenSSLCipherAvailability took 0.001 sec FAILED Unavailable cipher suites: [...SKIPPED a list of 160 cipher names...] expected:<0> but was:<160> at org.apache.tomcat.util.net.openssl.ciphers.TestCipher.testOpenSSLCipherAvailability(TestCipher.java:97) ]]] The second one: http://vmgump.apache.org/tomcat-10.0.x/tomcat-10.0.x-test-apr/gump_file/TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.APR.txt.html Clicking on "Complete File" to see the content, it is the same error throughout the file: /srv/gump/public/workspace/openssl-master/dest-20210810/bin/openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory Not sure what is wrong there... it seems we depend on openssl and it looks like we have the right version (building master it seems). Best regards, Konstantin Kolinko - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: openssl-3.0.0 test failures with 9.0.x (I have not checked the other branches)
On 10/08/2021 14:02, jean-frederic clere wrote: Hi, I have the following failure with ant test: [concat] TEST-org.apache.tomcat.util.net.TestSSLHostConfigCompat.APR.txt [concat] TEST-org.apache.tomcat.util.net.TestSSLHostConfigCompat.NIO.txt [concat] TEST-org.apache.tomcat.util.net.TestSSLHostConfigCompat.NIO2.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.APR.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.NIO.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.NIO2.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.APR.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.NIO.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.NIO2.txt The ciphers ones are not new for me on fedora, the TestSSLHostConfigCompat ones look new, is anyone seeing those? I was trying with openssl/"master". (gdb) bt #0 0x7fd7801822a2 in ?? () from /lib64/libc.so.6 #1 0x7fd78016b8a4 in ?? () from /lib64/libc.so.6 #2 0x7fd77f4535ef in os::abort(bool) [clone .cold] () from /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-4.fc34.x86_64/jre/lib/amd64/server/libjvm.so #3 0x7fd77fe16df9 in VMError::report_and_die() () from /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-4.fc34.x86_64/jre/lib/amd64/server/libjvm.so #4 0x7fd77fc007c4 in JVM_handle_linux_signal () from /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-4.fc34.x86_64/jre/lib/amd64/server/libjvm.so #5 0x7fd77fbf387c in signalHandler(int, siginfo_t*, void*) () from /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-4.fc34.x86_64/jre/lib/amd64/server/libjvm.so #6 #7 0x7fd739546c20 in SSL_set_SSL_CTX () from /home/jfclere/OPENSSL/lib64/libssl.so.3 #8 0x7fd7395d112c in ssl_callback_ServerNameIndication (ssl=0x7fd6c0005060, al=, c=0x7fd778830570) at src/sslcontext.c:127 #9 0x7fd739565032 in final_server_name () from /home/jfclere/OPENSSL/lib64/libssl.so.3 #10 0x7fd73956673e in tls_parse_all_extensions () from /home/jfclere/OPENSSL/lib64/libssl.so.3 #11 0x7fd7395831d5 in tls_post_process_client_hello () from /home/jfclere/OPENSSL/lib64/libssl.so.3 #12 0x7fd739570dfd in state_machine.part () from /home/jfclere/OPENSSL/lib64/libssl.so.3 #13 0x7fd73955f79f in ssl3_read_bytes () from /home/jfclere/OPENSSL/lib64/libssl.so.3 #14 0x7fd739533189 in ssl3_read () from /home/jfclere/OPENSSL/lib64/libssl.so.3 #15 0x7fd73953fae5 in SSL_read () from /home/jfclere/OPENSSL/lib64/libssl.so.3 #16 0x7fd769018427 in ?? () #17 0x000720a53170 in ?? () #18 0x in ?? () Looks like a problem in openssl. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
openssl-3.0.0 test failures with 9.0.x (I have not checked the other branches)
Hi, I have the following failure with ant test: [concat] TEST-org.apache.tomcat.util.net.TestSSLHostConfigCompat.APR.txt [concat] TEST-org.apache.tomcat.util.net.TestSSLHostConfigCompat.NIO.txt [concat] TEST-org.apache.tomcat.util.net.TestSSLHostConfigCompat.NIO2.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.APR.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.NIO.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.NIO2.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.APR.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.NIO.txt [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.NIO2.txt The ciphers ones are not new for me on fedora, the TestSSLHostConfigCompat ones look new, is anyone seeing those? I was trying with openssl/"master". -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.0-M4
On 03/08/2021 21:21, Mark Thomas wrote: [X] Alpha - go ahead and release as 10.1.0-M4 (alpha) Tested on fedora34. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.52
On 31/07/2021 06:35, Rémy Maucherat wrote: [ ] Stable - go ahead and release as 9.0.52 (stable) tested on fedora34 with java8 and adoptium jdk8u302-b08 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat
On 13/07/2021 11:03, jean-frederic clere wrote: On 09/07/2021 18:40, Rainer Jung wrote: Hi Jean-Frederic, how do you make sure, that your tests actually land in the correct SSLHost? You are using the same server certificate, so a check on the client side might not be easy. I would find a test more convincing, if the three TLS hosts would use three different certificates and you could check on the TLS client, that it actually gets the right server certificate. Yes I have retested with 3 different certificates localhost gets the localhost certificate and the TLSv1.1 protocol server1 gets the server1 certificate but the TLSv1.1 protocol server2 gets the server2 certificate but the TLSv1.1 protocol... Use nio/nio2 the protocol is the expected one. https://github.com/apache/tomcat-native/pull/10 the fix for it. Best regards, Rainer Am 09.07.2021 um 15:33 schrieb jean-frederic clere: On 09/07/2021 15:15, Christopher Schultz wrote: Jean-Ferderic, On 7/9/21 07:55, jean-frederic clere wrote: On 09/07/2021 12:38, Mark Thomas wrote: On 09/07/2021 11:08, jean-frederic clere wrote: Hi, I think we need the same fix in tomcat or I missed something? If we need it I will work on it next week ;-) To clarify, you mean checking Tomcat can (and implementing if it can't) the ability to configure supported SSL protocols per virtual host. Yes. We should have most of this in SSLHostConfig but I don't recall ever testing this behaviour specifically. Just as a reminder, both elements and .../> are likely to be required as the are configured separately. Quick test and code review seems to show it is not working (I tested the apr connector and 9.0.x). Can you post a sample config? I assume you mean: 1. Define two , configure for TLS a. One attempting to use e.g. only TLSv1 b. One attempting to use e.g. only TLSv1.2 2. Run a protocol-checker against both hosts Result is that host (a) supports not-only TLSv1 and/or host (b) supports not-only TLSv1.2? Yes that is what I am testing, actually Nio and Nio2 are working Apr isn't... The configuration is something like: +++ +++ and I have the 3 corresponding -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat
On 09/07/2021 18:40, Rainer Jung wrote: Hi Jean-Frederic, how do you make sure, that your tests actually land in the correct SSLHost? You are using the same server certificate, so a check on the client side might not be easy. I would find a test more convincing, if the three TLS hosts would use three different certificates and you could check on the TLS client, that it actually gets the right server certificate. Yes I have retested with 3 different certificates localhost gets the localhost certificate and the TLSv1.1 protocol server1 gets the server1 certificate but the TLSv1.1 protocol server2 gets the server2 certificate but the TLSv1.1 protocol... Use nio/nio2 the protocol is the expected one. Best regards, Rainer Am 09.07.2021 um 15:33 schrieb jean-frederic clere: On 09/07/2021 15:15, Christopher Schultz wrote: Jean-Ferderic, On 7/9/21 07:55, jean-frederic clere wrote: On 09/07/2021 12:38, Mark Thomas wrote: On 09/07/2021 11:08, jean-frederic clere wrote: Hi, I think we need the same fix in tomcat or I missed something? If we need it I will work on it next week ;-) To clarify, you mean checking Tomcat can (and implementing if it can't) the ability to configure supported SSL protocols per virtual host. Yes. We should have most of this in SSLHostConfig but I don't recall ever testing this behaviour specifically. Just as a reminder, both elements and .../> are likely to be required as the are configured separately. Quick test and code review seems to show it is not working (I tested the apr connector and 9.0.x). Can you post a sample config? I assume you mean: 1. Define two , configure for TLS a. One attempting to use e.g. only TLSv1 b. One attempting to use e.g. only TLSv1.2 2. Run a protocol-checker against both hosts Result is that host (a) supports not-only TLSv1 and/or host (b) supports not-only TLSv1.2? Yes that is what I am testing, actually Nio and Nio2 are working Apr isn't... The configuration is something like: +++ +++ and I have the 3 corresponding -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat
On 09/07/2021 15:15, Christopher Schultz wrote: Jean-Ferderic, On 7/9/21 07:55, jean-frederic clere wrote: On 09/07/2021 12:38, Mark Thomas wrote: On 09/07/2021 11:08, jean-frederic clere wrote: Hi, I think we need the same fix in tomcat or I missed something? If we need it I will work on it next week ;-) To clarify, you mean checking Tomcat can (and implementing if it can't) the ability to configure supported SSL protocols per virtual host. Yes. We should have most of this in SSLHostConfig but I don't recall ever testing this behaviour specifically. Just as a reminder, both elements and .../> are likely to be required as the are configured separately. Quick test and code review seems to show it is not working (I tested the apr connector and 9.0.x). Can you post a sample config? I assume you mean: 1. Define two , configure for TLS a. One attempting to use e.g. only TLSv1 b. One attempting to use e.g. only TLSv1.2 2. Run a protocol-checker against both hosts Result is that host (a) supports not-only TLSv1 and/or host (b) supports not-only TLSv1.2? Yes that is what I am testing, actually Nio and Nio2 are working Apr isn't... The configuration is something like: +++ +++ and I have the 3 corresponding -chris - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat
On 09/07/2021 12:38, Mark Thomas wrote: On 09/07/2021 11:08, jean-frederic clere wrote: Hi, I think we need the same fix in tomcat or I missed something? If we need it I will work on it next week ;-) To clarify, you mean checking Tomcat can (and implementing if it can't) the ability to configure supported SSL protocols per virtual host. Yes. We should have most of this in SSLHostConfig but I don't recall ever testing this behaviour specifically. Just as a reminder, both elements and are likely to be required as the are configured separately. Quick test and code review seems to show it is not working (I tested the apr connector and 9.0.x). Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat
Hi, I think we need the same fix in tomcat or I missed something? If we need it I will work on it next week ;-) -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: certificateVerification="optionalNoCA" and OCSP validation.
On 29/06/2021 18:22, Mark Thomas wrote: On 29/06/2021 15:19, jean-frederic clere wrote: On 29/06/2021 14:45, Mark Thomas wrote: On 29/06/2021 12:29, jean-frederic clere wrote: Hi, It seems certificateVerification="optionalNoCA" only works if the OCSP is disabled. In Otherwise the OCSP check forces an error because it can't check anything... How to "fix" that? Just document it? or return OK where we test SSL_CVERIFY_OPTIONAL_NO_CA (https://github.com/apache/tomcat-native/blob/main/native/src/sslutils.c#L337)? Hmm. My expectation is that: - certificate provided results in OCSP for that cert and the connection fails if the check fails. certificateVerification="optional" makes the client certificate optional (required by webapps if needed). certificateVerification="optionalNoCA" does the same and additionally should avoid checking the client against the CA. The OCSP checking needs to validate the client certificate against the CA otherwise it will prevent getting the connection, making NoCA like ignored... Got it. In which case I'll change my expectation to optionalNoCA == no OCSP check. We should document this. OK I will fix the code and document it. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.0-M2
On 26/06/2021 00:06, Mark Thomas wrote: [X] Alpha - go ahead and release as 10.1.0-M2 (alpha) Tested on fedora34. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.50
On 28/06/2021 10:56, Rémy Maucherat wrote: [X] Stable - go ahead and release as 9.0.50 (stable) Tested on fedora fc34. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: certificateVerification="optionalNoCA" and OCSP validation.
On 29/06/2021 14:45, Mark Thomas wrote: On 29/06/2021 12:29, jean-frederic clere wrote: Hi, It seems certificateVerification="optionalNoCA" only works if the OCSP is disabled. In Otherwise the OCSP check forces an error because it can't check anything... How to "fix" that? Just document it? or return OK where we test SSL_CVERIFY_OPTIONAL_NO_CA (https://github.com/apache/tomcat-native/blob/main/native/src/sslutils.c#L337)? Hmm. My expectation is that: - certificate provided results in OCSP for that cert and the connection fails if the check fails. certificateVerification="optional" makes the client certificate optional (required by webapps if needed). certificateVerification="optionalNoCA" does the same and additionally should avoid checking the client against the CA. The OCSP checking needs to validate the client certificate against the CA otherwise it will prevent getting the connection, making NoCA like ignored... - no cert, no check I don't know how practical that is. What does OpenSSL do in those circumstances? Or is it up to the application using the OpenSSL library? It is up to the application. Note when using SSLOCSPEnable on, Httpd is behaving like Tomcat, but SSLOCSPEnable default is off. So in Httpd SSLVerifyClient optional_no_ca works by default and certificateVerification="optionalNoCA" doesn't in Tomcat. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
certificateVerification="optionalNoCA" and OCSP validation.
Hi, It seems certificateVerification="optionalNoCA" only works if the OCSP is disabled. In Otherwise the OCSP check forces an error because it can't check anything... How to "fix" that? Just document it? or return OK where we test SSL_CVERIFY_OPTIONAL_NO_CA (https://github.com/apache/tomcat-native/blob/main/native/src/sslutils.c#L337)? -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.48
On 10/06/2021 12:19, Rémy Maucherat wrote: [X] Stable - go ahead and release as 9.0.48 (stable) Tested on fedora 34 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat Native 1.2.30
On 01/06/2021 11:53, Mark Thomas wrote: [X] Stable, go ahead and release Tested with fedora34 and tomcat-10.0.6 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.0.6
On 08/05/2021 18:18, Mark Thomas wrote: [X] Stable - go ahead and release as 10.0.6 (stable) Tested on fedora34. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.46
On 08/05/2021 20:14, Mark Thomas wrote: [X] Stable - go ahead and release as 9.0.46 Tested on fedora34 looks OK. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Apache Tomcat migration tool for Jakarta EE 1.0.0
On 04/05/2021 14:06, Mark Thomas wrote: [X] +1: Acceptable. Go ahead and release. tested with my test war file, works like a charm. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.44
On 04/03/2021 23:22, Mark Thomas wrote: [X] Stable - go ahead and release as 9.0.44 Tested on fedora 33. -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.43
On 28/01/2021 21:48, Mark Thomas wrote: [X] Stable - go ahead and release as 9.0.43 Tested on fedora33 and rhel8.0 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
channelSendOptions default may cause problems
Hi,
While testing the tomcat clustering I have noted that at the start from
time to the attribute replication is failing.
While debugging I have the messages:
+++
05-Jan-2021 10:25:07.046 FINE [Tribes-Task-Receiver[Catalina-Channel]-6]
org.apache.catalina.ha.session.DeltaManager.handleSESSION_DELTA Manager
[localhost#/demo-1.0]: received session delta for unknown session
[596AEB7A68DE2D8F6B9819D4F4F55CDA]
05-Jan-2021 10:25:07.045 FINE [Tribes-Task-Receiver[Catalina-Channel]-5]
org.apache.catalina.ha.session.DeltaManager.messageReceived Manager
[localhost#/demo-1.0]: Received SessionMessage of
type=[SESSION-MODIFIED] from
[org.apache.catalina.tribes.membership.MemberImpl[tcp://{10, 128, 2,
182}:4000,{10, 128, 2, 182},4000, alive=10037, securePort=-1, UDP
Port=-1, id={-87 87 4 -12 89 -46 96 94 12 20 -103 -109 -56 120 -16 74 },
payload={}, command={}, domain={}]]
05-Jan-2021 10:25:07.046 FINE [Tribes-Task-Receiver[Catalina-Channel]-5]
org.apache.catalina.ha.session.DeltaManager.handleSESSION_CREATED
Manager [localhost#/demo-1.0]: received session created message for
session [596AEB7A68DE2D8F6B9819D4F4F55CDA]
+++
It looks like the delta is processed before the session creation and it
is ignored.
When using the channelSendOptions="6" I am NOT getting the "received
session delta for unknown session" and the stuff is working perfectly.
Should we change the default for channelSendOptions to 6? - the actual
value is 8 -
--
Cheers
Jean-Frederic
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Failing Travis CI build and Smoke Test / JDK8 ubuntu-latest
On 05/08/2020 14:35, Martin Grigorov wrote: Hi, On Wed, Aug 5, 2020 at 10:22 AM jean-frederic clere <mailto:jfcl...@gmail.com>> wrote: Hi, The Travis CI build seems to fail on timout regularly should we increase the timeout? Or investigate the problem? Smoke Test / JDK8 ubuntu-latest fails on tls3 tests should we make the test conditional? TravisCI or GitHub Actions ? GitHub Actions. TravisCI is used for non-x86_64 architectures and they are known to run slow because those architectures are experimental on Travis and run on less powerful VMs. So, timeouts happen more often :-/ -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org <mailto:dev-unsubscr...@tomcat.apache.org> For additional commands, e-mail: dev-h...@tomcat.apache.org <mailto:dev-h...@tomcat.apache.org> -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Failing Travis CI build and Smoke Test / JDK8 ubuntu-latest
Hi, The Travis CI build seems to fail on timout regularly should we increase the timeout? Or investigate the problem? Smoke Test / JDK8 ubuntu-latest fails on tls3 tests should we make the test conditional? -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
ApacheCon @home CfP closes in 4 days
Hi folks, The Call for Papers will close in 4 days, don't shy we are looking for topics about how you use Tomcat, so please submit. The conference will take place ONLINE the 29 September to 1 of October. Check: https://acna2020.jamhosted.net/ and remember NO travels you just need a webcam and an internet connection: anyone can try ;-) -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.32
On 06/03/2020 11:12, Mark Thomas wrote: [X] Stable - go ahead and release as 9.0.32 Tested on fedora32 with tc-native-1.2.23 -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.29
On 16/11/2019 19:56, Mark Thomas wrote: The proposed Apache Tomcat 9.0.29 release is now available for voting. The major changes compared to the 9.0.27 release are: - Improvements to Async error handling - Stricter processing of HTTP headers when looking for specific token values - Fix various issues that could lead to modification to a JSP not being reflected in the served page Along with lots of other bug fixes and improvements. For full details, see the changelog: https://ci.apache.org/projects/tomcat/tomcat9/docs/changelog.html It can be obtained from: https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.29/ The Maven staging repo is: https://repository.apache.org/content/repositories/orgapachetomcat-1236/ The tag is: https://github.com/apache/tomcat/tree/9.0.29 The proposed 9.0.29 release is: [ ] Broken - do not release [X] Stable - go ahead and release as 9.0.29 Tested on fedora 31 with jdk8 and tomcat-native-1.2.23 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Tomcat S2I
On 30/07/2019 16:18, Maxime Beck wrote: > Hello everyone, > > Has there been any release of a Source-to-Image Tomcat builder container > by any chance? If not, is there any plan to implement one in the near > future? The idea is to have an operator for tomcat in operatorhub.io that uses S2I. > > Kind regards, > Maxime -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: H2 protocol validation
On 23/07/2019 11:27, Mark Thomas wrote:
> On 23/07/2019 09:40, jean-frederic clere wrote:
>> Hi,
>>
>> I have tried to run summerwind/h2spec (docker (1)) to validate tomcat
>> master (using the apr connector and java8) and I have a bunch of errors.
>>
>> Does someone validate our code against another test suite?
>>
>> (1) https://github.com/summerwind/h2spec
>
> That is the one I have been using.
>
>>From memory, there was one (maybe two?) explainable failures once Tomcat
> was configured appropriately - mainly (only?) turning off server
> initiated pings.
>
> Mark
>
>
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
>
Something like:
+++
index 637e690c65..255883fb93 100644
--- a/java/org/apache/coyote/http2/HPackHuffman.java
+++ b/java/org/apache/coyote/http2/HPackHuffman.java
@@ -380,7 +380,8 @@ public class HPackHuffman {
int treePos = 0;
boolean eosBits = true;
int eosBitCount = 0;
-for (int i = 0; i < length; ++i) {
+int i = 0;
+for (; i < length; ++i) {
byte b = data.get();
int bitPos = 7;
while (bitPos >= 0) {
@@ -406,6 +407,9 @@ public class HPackHuffman {
} else {
target.append((char) ((val >> 16) & LOW_MASK));
treePos = 0;
+if (eosBitCount != 0) {
+throw new HpackException("Oops... JFC");
+}
eosBits = true;
}
}
+++
Seems to make the test suite happy, commments?
--
Cheers
Jean-Frederic
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
