Tomcat SSL - Where are the missing ciphers ?
When querying a Tomcat 4.01 standalone server with Netcraft's SSL checker (http://www.netcraft.com/sslwhats) only one cipher, 'RC4 with MD5', is listed. A breakpoint in the method SSLServerSocketFactory.initServerSocket() shows that more than 10 ciphers are available and are enabled.

Where are the other ciphers? Does Tomcat ignore them somehow?

BTW, when querying a site like https://www.register.com, Netcraft lists 7 ciphers so the problem does not seem to be with Netcraft.

Thanks, Tal
RE: Tomcat 4.01 SSL - how to reduce the encryption strength
Hi Franco,

When you create the certificate, instead of entering your first/last name, enter the domain of your server (e.g. localhost or www.mysite.com). This is the CN (Common Name) of the certificate.

Note that you will still get a warning about the issuer of the certificate. If you accept the certificate permanently, you will not see the warning in the future.

You may also try using wild card certificates such as '*.mycompany.com' though I think that IE does not support it any more (which requires you to purchase more certificates from Verisign and their other buddies).

Tal

-Original Message-
From: Miao, Franco CAWS:EX [mailto:[EMAIL PROTECTED]]
Sent: Sunday, November 25, 2001 9:35 PM
To: '[EMAIL PROTECTED]'
Cc: Tomcat Users List
Subject: Tomcat 4.01 SSL - how to reduce the encryption strength

Hi there, did you get any message like "The name of the security certificate is invalid or does not match the name of the site" with your self-signed certificate? I have made one for testing, but got that message. Let me know if you didn't get that.

Franco

-Original Message-
From: Tal Dayan [mailto:[EMAIL PROTECTED]]
Sent: Sunday, November 25, 2001 9:25 PM
To: Tomcat Users List
Subject: Tomcat 4.01 SSL - how to reduce the encryption strength

Hello,

We are using Tomcat 4.01 standalone with self signed certificate and all works just great. When we connect from IE, the browser indicates that the encryption is 128 bit long. Is there a way to instruct Tomcat to use a weaker encryption? Our motivation is to reduce the CPU overhead since the data in that specific system is not THAT important.

Thanks, Tal
RE: Tomcat 4.01 SSL - how to reduce the encryption strength
Typically, the browser and the server negotiate for the highest level of encryption available for both. If you reduce it on one side, it will affect both.

The question is how to reduce the cipher list of Tomcat. The source code seems to enable any cipher that is available to it.

Tal

-Original Message-
From: William Tansill [mailto:[EMAIL PROTECTED]]
Sent: Sunday, November 25, 2001 9:46 PM
To: Tomcat Users List
Subject: RE: Tomcat 4.01 SSL - how to reduce the encryption strength

I believe that the cipher strength is built into the browser. If I click Help/About on my copy of IE, it tells me it's using 128 bit encryption, even though I'm not connected to anything.

-Original Message-
From: Tal Dayan [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 26, 2001 0:25 AM
To: Tomcat Users List
Subject: Tomcat 4.01 SSL - how to reduce the encryption strength

Hello,

We are using Tomcat 4.01 standalone with self signed certificate and all works just great. When we connect from IE, the browser indicates that the encryption is 128 bit long. Is there a way to instruct Tomcat to use a weaker encryption? Our motivation is to reduce the CPU overhead since the data in that specific system is not THAT important.

Thanks, Tal
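The cipher list this thread asks about is, in JSSE, a per-socket setting: the handshake can only pick a suite that is both offered by the client and present in the server socket's enabled list. The following is an added example, not code from Tomcat or from the posters; it prints what the JVM supports and enables by default, then narrows the enabled list with setEnabledCipherSuites(). The class name CipherSuiteAudit and the deny-list of name fragments are assumptions made for the illustration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/** Added illustration: inspect and narrow the suites a JSSE server socket may negotiate. */
public class CipherSuiteAudit {

    // Constructed deny-list (an assumption of this example): name fragments of suites with
    // no encryption, no authentication, export-grade keys, or RC4/DES/3DES/MD5.
    private static final String[] WEAK_MARKERS = {
        "_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_", "_3DES_", "_MD5"
    };

    static boolean isWeak(String suite) {
        for (String marker : WEAK_MARKERS) {
            if (suite.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    /** Returns the input suites minus those matching the deny-list, preserving order. */
    static String[] withoutWeak(String[] suites) {
        List<String> kept = new ArrayList<>();
        for (String suite : suites) {
            if (!isWeak(suite)) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws IOException {
        SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();

        // Port 0 = any free port, bound to loopback only; no client ever connects.
        try (SSLServerSocket socket = (SSLServerSocket)
                factory.createServerSocket(0, 1, InetAddress.getLoopbackAddress())) {

            String[] supported = socket.getSupportedCipherSuites();
            String[] enabled = socket.getEnabledCipherSuites();
            System.out.println("supported by this JVM: " + supported.length);
            System.out.println("enabled by default:    " + enabled.length);

            String[] narrowed = withoutWeak(enabled);
            if (narrowed.length == 0) {
                throw new IllegalStateException("deny-list removed every enabled suite");
            }
            // Only suites in this array can be selected during the handshake;
            // the client's offer is intersected with it.
            socket.setEnabledCipherSuites(narrowed);

            for (String suite : enabled) {
                System.out.println((isWeak(suite) ? "dropped  " : "kept     ") + suite);
            }
            System.out.println("now enabled: " + socket.getEnabledCipherSuites().length);
        }
    }
}
```

Comparing the "supported" and "enabled" counts on the JVM that runs the server is also a quick way to check what a breakpoint like the one described earlier in the thread would show.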
Tomcat 4.01 SSL - how to reduce the encryption strength
Hello,

We are using Tomcat 4.01 standalone with self signed certificate and all works just great. When we connect from IE, the browser indicates that the encryption is 128 bit long. Is there a way to instruct Tomcat to use a weaker encryption? Our motivation is to reduce the CPU overhead since the data in that specific system is not THAT important.

Thanks, Tal
Directory Traversal Vulnerability
Hello, I am looking for references to the vulnerability described at http://www.securityfocus.com/vdb/bottom.html?vid=2518 Is it documented in Bugzilla (what bug ID) ? Is it fixed in Tomcat 3.2.3 ? Thanks, Tal
RE: Directory Traversal Vulnerability
Is there a Bugzilla bug ID for it ?

Tal

-Original Message-
From: Larry Isaacs [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 07, 2001 5:01 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Directory Traversal Vulnerability

Given that the document mentions that it is fixed in Tomcat 3.2.2beta2, the fix would also appear in Tomcat 3.2.3. This issue is addressed in the current releases of Tomcat 3.3 and Tomcat 4.0.

Cheers, Larry

-Original Message-
From: Tal Dayan [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 07, 2001 6:15 AM
To: [EMAIL PROTECTED]
Subject: Directory Traversal Vulnerability

Hello,

I am looking for references to the vulnerability described at http://www.securityfocus.com/vdb/bottom.html?vid=2518

Is it documented in Bugzilla (what bug ID) ? Is it fixed in Tomcat 3.2.3 ?

Thanks, Tal
Session timeout during long file upload
Hello,

When we try to upload a long file to a servlet we encounter a problem with the session timeout because of the long time it takes to upload the file over a slow connection (sometimes several hours).

It seems that the problem is in the way the session timeout is specified in the servlet session. It measures time between requests, not just idle time (no activity related to that session).

A possible solution would be to increase the session timeout to several hours but this will also affect the automatic logout of users after a predefined idle time period (by the automatic invalidation of the session).

Is there a way to reset the session timer as if a new request has arrived ? With this option, we could add to the loop that reads the incoming files a periodic call that will reset the session timeout (watchdog).

Thanks, Tal
RE: NT Service Bug Still in JDK 1.3.1
We are using j2sdk-1_3_0_02-win.exe (1.3.0.02 ?) with Alexandria JavaService and it seems to work just fine.

Tal

-Original Message-
From: Mark Quinsland [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 27, 2001 2:11 PM
To: [EMAIL PROTECTED]
Subject: NT Service Bug Still in JDK 1.3.1

Anyone running Tomcat as a service in NT knows that whenever a user logs out of NT, the tomcat service jk_nt_service.exe stops running as well. This worked under JDK 1.2 but not under JDK 1.3. After months of denial, Sun announced that it would be fixed in JDK 1.3.1. However, the problem continues to exist in the Beta version of JDK 1.3.1. Until this is fixed (and stable) I cannot recommend to my clients that they even plan to migrate from ASP.

Mark Quinsland [EMAIL PROTECTED]
NT Service with IBM JVM 1.3 ?
We are running Tomcat 3.21 with IBM JVM 1.3. Is it possible to run it as an NT service or do we have to switch to Sun's JVM to do so ? We tried Alexandria's JavaService but we could not make it work. Thanks, Tal
RE: How to execute a class on startup (Tomcat 3.2.1) ?
How about writing your own startup class that will call the Tomcat startup class ? You may have to change the class in the Tomcat startup files.

Tal

-Original Message-
From: Lu, Spencer [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 16, 2001 4:26 PM
To: [EMAIL PROTECTED]
Subject: How to execute a class on startup (Tomcat 3.2.1) ?

Hi, I'm wondering how I can have Tomcat 3.2.1 execute a class (not a servlet) when it starts up.

Thanks. Spencer
RE: Tomcat monitor/poller/email
Not free but very reasonably priced: http://www.ipsentry.com/

If your server is open to the Intranet, we are using www.netmechanics.com for 10$ a month.

Hope this helps.

Tal

-Original Message-
From: Mark Mynsted [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 13, 2001 3:08 PM
To: [EMAIL PROTECTED]
Subject: Tomcat monitor/poller/email

Has anybody out there set anything up that will email them in the event the Tomcat would crash or not be running? (Or know of free software that can do that.) I am running Tomcat under Windows NT. If so please let me know. (I do not want to re-create the wheel.)

I have NOT had trouble with Tomcat crashing, I simply need to do this for my SLA.
Hanging Tomcat (Standalone) - problem and solution
FYI,

If you are running Tomcat 3.x in standalone mode (that is, no Apache), you may want to take a look at bug #1006: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=1006

It describes a major reliability problem we encountered and how we addressed it with a simple patch.

Tal

Disclaimer: it works for us so far, your miles may vary.
RE: Please, could you comment on this.. Hanging Tomcat (Standalone) - problem and solution
I think the Ajp connector is configured by default to use the PoolTcpConnector connector which uses PoolTcpEndpoint, so the problem may affect Ajp as well. Maybe one of the Tomcat experts on the list can elaborate on this.

Tal

-Original Message-
From: Tagunov Anthony [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 18, 2001 10:50 AM
To: [EMAIL PROTECTED]
Subject: Please, could you comment on this.. Hanging Tomcat (Standalone) - problem and solution

On Sun, 18 Mar 2001 10:08:42 -0800, Tal Dayan wrote:

> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=1006
> This is a severe problem that opens Tomcat stand-alone mode to DoS attacks but more importantly, it makes it incapable of surviving a single busy day on a production system of one of our partners.

Yeah. Looks like you've caught A BIG FAT RAT!!! One of the BIGGEST!!! I'm a person responsible for all java-based-serving on our sites, not very loaded yet.. And looks like _this_ is the problem that has nearly given me _grey_ hair!!! (What I ended up developing is a pinging facility that would find if our nice good Tomcat is _DEAD_ and force-restart it!!!)

> The symptoms are that Tomcat's built-in Web server (standalone mode) accumulates..

Can this happen to Ajp12 connections also? Please, anybody! This is the main question that I'd like to find out: our Tomcat falls dead pretty often (guess what my bosses tell me when our sites stop responding!!!) and we do not know why.. The thing is that although we have built-in Web server set (http connectors) up for all Tomcat instances (we still have 3.2b7..), they are not practically used much (maybe not invoked at all).. They are used via Ajp12. Can this same thing happen in this configuration (with mod_jserv on Apache, Apache running on BSD, Tomcat on Linux RH 6.2)

Most hearty greeting to everyone, sincerely yours, Tagunov Anthony
RE: Changing Port 8080 to 80
If you are talking about Tomcat Standalone mode, you will also have to run it as 'root' (on Unix/Linux) which may be a security issue. If you run it with Apache, Apache is smart enough to switch from 'root' to whatever you specify.

Tal

-Original Message-
From: Boon Yeo [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 16, 2001 12:29 AM
To: [EMAIL PROTECTED]
Subject: Changing Port 8080 to 80

Anyone knows what the consequences are if I were to change from port 8080 to the default port 80?

-B
SimpleTcpConnector, how to use it ?
Hello,

We are trying to use a pool-less Tomcat 3.2.1 on Windows NT but get an exception. The configuration (server.xml) is

    <!-- Normal HTTP -->
    <Connector className="org.apache.tomcat.service.SimpleTcpConnector">
        <Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
        <Parameter name="port" value="80"/>
        <Parameter name="backlog" value="500"/>
    </Connector>

And the exception is

    2001-03-16 07:40:28 - ContextManager: Error reading request, ignored - java.lang.NullPointerException
        at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:191)
        at org.apache.tomcat.service.TcpConnectionThread.run(SimpleTcpEndpoint.java:338)
        at java.lang.Thread.run(Thread.java:498)

We have never used the SimpleTcpConnector before and our goal is to diagnose some Tomcat hangs we encounter. We could not find anything in the Tomcat User Manual about the SimpleTcpConnection so more or less we made up the above configuration ourselves.

Thanks, Tal
RE: Socket write error
Hassan,

1. Are you accessing an image file when the problem happens ?
2. Is the browser IE ?
3. Does the problem disappear in the first reload after clearing your browser cache ?
4. Are you using Tomcat in stand alone mode ?

If you answered YES to all the four questions then the problem is probably due to the lack of support of HTTP Status 304 in Tomcat 3.2 stand alone server. When the browser discovers that the new image is identical to the one it has in the cache it simply aborts the connection and uses the cached value.

The good news is that status 304 is supposed to be supported in Tomcat 4.0.

Tal

-Original Message-
From: HASSAN,ZAID (Non-A-Australia,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 21, 2001 4:19 PM
To: '[EMAIL PROTECTED]'
Subject: Socket write error

Hi Folks,

I am also getting the Socket Write error

    Ctx(): IOException in R:( + /Template/... + null) Connection aborted by peer:socket write error.

Can someone suggest and help here.

Thanks heaps, Zaid
Socket write error solved
Several people mentioned in the past the 'socket write error' that happens when using standalone Tomcat and IE. We also encountered this problem and here are our findings, some of them based on facts and some are assumptions.

Basically, the problem occurs because IE is smarter than Tomcat's built-in web server. If the browser already has a given file in cache, then next time it needs it, it lets Tomcat know that it already has that version of the file (using the HTTP 'if-modified-since' header). Tomcat in turn is expected to check that the file has not been modified and if so, return a 304 status (SC_NOT_MODIFIED). This behavior reduces the traffic and improves the performance.

However, Tomcat's built-in server does not support the 304 status code and simply resends the entire file. When IE starts to get the headers and the file data, it determines that the file has not been changed, drops the connection, and uses the value from the cache. On Tomcat's side, this causes an exception (when it tries to send the next chunk of the file) and an error message.

The error message seems to be displayed by Tomcat only when sending the file from a servlet, and is ignored when Tomcat itself sends a static file.

Fixes

1. It would be nice to have support for 304 code by Tomcat static file server. This will improve the performance.
2. If you send files from your servlet, add support for 304 status code. That is, if the header 'if-modified-since' is found in the request, get its date, compare it to the actual date of the file, if the file has not been changed, send SC_NOT_MODIFIED status.

Tal
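Fix 2 from the post above, written out as an added example (not code from the original post or from Tomcat): a servlet that compares the If-Modified-Since date with the file's timestamp and answers 304 without a body when the cached copy is current. It assumes the javax.servlet API; the class name ConditionalFileServlet and the init-param "filePath" are hypothetical, and the file served is fixed in configuration rather than taken from the request.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added illustration: serves one fixed file and honours If-Modified-Since. */
public class ConditionalFileServlet extends HttpServlet {

    private File file;

    @Override
    public void init() throws ServletException {
        // "filePath" is a hypothetical init-param naming the single file to serve;
        // the path never comes from the request.
        String path = getServletConfig().getInitParameter("filePath");
        if (path == null) {
            throw new ServletException("init-param 'filePath' is required");
        }
        file = new File(path);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!file.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // HTTP dates carry whole seconds, so drop the milliseconds before comparing.
        long lastModified = (file.lastModified() / 1000L) * 1000L;

        long ifModifiedSince;
        try {
            ifModifiedSince = req.getDateHeader("If-Modified-Since"); // -1 when absent
        } catch (IllegalArgumentException e) {
            ifModifiedSince = -1L; // unparseable date: treat the request as unconditional
        }

        if (ifModifiedSince != -1L && lastModified <= ifModifiedSince) {
            // The browser's cached copy is current: status line and headers only, no body.
            resp.setStatus(HttpServletResponse.SC_NOT_MODIFIED);
            return;
        }

        resp.setDateHeader("Last-Modified", lastModified);
        String type = getServletContext().getMimeType(file.getName());
        resp.setContentType(type != null ? type : "application/octet-stream");
        if (file.length() <= Integer.MAX_VALUE) {
            resp.setContentLength((int) file.length());
        }

        try (InputStream in = new FileInputStream(file)) {
            OutputStream out = resp.getOutputStream();
            byte[] buffer = new byte[8192];
            int n;
            while ((n = in.read(buffer)) != -1) {
                out.write(buffer, 0, n);
            }
        }
    }
}
```

Sending Last-Modified on the full response is what lets the browser make the conditional request the next time.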
RE: performance
Take a look at the end of the Volano Report (http://www.volano.com/report.html). It has links to the more useful JVM's.

Tal

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Geoff Lane
Sent: Friday, February 02, 2001 5:45 PM
To: [EMAIL PROTECTED]
Subject: Re: performance

I think it's only for Linux (and AIX) - good reason to switch. :) More info is available at: http://www.alphaworks.ibm.com/tech

Todd Carmichael wrote:

Running Windows 2000 Advanced Server with Sun JDK 1.3 and hotspot. Anyone know where can I find the IBM JDK 1.3 for Windows platforms?

-Original Message-
From: Steve Ruby [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 02, 2001 2:15 PM
To: [EMAIL PROTECTED]
Subject: Re: performance

With tomcat 3.2.1 and IBM JDK1.3 on linux running a PII 400Mhz with 192Megs (physical) I was able to get 650 requests/sec running apache ab like this -n 1 -c 100 against the RequestInfo example servlet. with no un-returned requests.

Which JVM/OS were you running in the tests below?

Todd Carmichael wrote:

My tests, using Microsoft's Web Application Stress (WAS) Tool, had the following results for a simple servlet that all it did was display a single html table:

Weblogic: 490 requests/sec
Tomcat: 540 requests/sec
Resin: 850 requests/sec - produced numerous socket errors (Connection reset by peer). The other servlet engines did not do this.

This was on a Pentium III 600 Mhz with a heap of 128mb. I had 4 WAS (HTTP) clients engaged in the tests. Each client had 50 threads hitting the Web server

The real question being asked is Tomcat suitable for production environments. This is something I really would like to get a feel for from other developers' experiences. I am very interested in using Tomcat for production and the performance seems reasonable enough for me. I am curious about monitoring tools and security issues with open source; that is what our IT department will hammer us on.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 02, 2001 7:56 AM
To: [EMAIL PROTECTED]
Subject: RE: performance

Tomcat does indeed "catch up" if I stop the jmeter client, accessing the application through a browser is much more responsive, but still a little slower than I would hope.

The same test with resin does not show any noticeable degradation in performance. In fact I upped the ante with resin. I started 2 more jmeter clients (configured the same), and still noticed no significant drop in performance when accessing the site through a browser. A few connections were refused, but that is to be expected, with the current configuration.

You may ask, why not just use resin and stop whining :) ... in short while resin does perform it has some problems in how it implements the servlet spec that make me leery of deploying a production app on it.

Once again, any insight would be appreciated.

p.s. Randy, Thanks for the info, I will check into the things that you mentioned. With regards to the fingers, they are hard to come by, but I heard amazon.com is opening a new branch and offering extremely discounted server fingers .. you may want to check there :)

Thanks, Bob

-Original Message-
From: Randy Layman [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 02, 2001 9:30 AM
To: [EMAIL PROTECTED]
Subject: RE: performance

I thought about what the delay probably meant after I sent the message, but the message was already sent by then.

Back to the original problem or the performance

Other people have reported similar problems under "high" load. No one has ever really given a definition of what high is since it depends upon your application, however I would think that 20 concurrent users should be completely supported by Tomcat (our application does it). Two things to note:

1. People who have reported these issues usually say that if the requests stop, Tomcat will eventually catch up
2. You might want to check whether or not it's your application. Try the same test, but request a small static file. This will show you what the best performance you could hope to get.

There were a few messages about a week or two ago about tuning Tomcat, you might want to look at that, although there wasn't much there. Another thing is you might look through the source and see where they initialize the thread pool (probably in PoolTcpConnectors). Upping this size should give you more concurrent users, however it will add more overhead when the server is idle.

While you're running your test, keep an eye on your network bandwidth usage and cpu utilization.
Anybody using OpenSTA ?
Does anybody have any experience with OpenSTA (www.opensta.org) ? This is an open source test/load tool. I played with it an hour or two and it looks very impressive. Tal
Recovering from oversize upload exception ?
Hello,

We are trying to use the O'Reilly servlet package to service requests from a form that is used to upload files. The form contains buttons, checkboxes, radio buttons, and several 'file' fields.

When the request size is larger than the max size we allow, the constructor

    new MultipartParser(req, 10, true, true)

throws an exception, reporting about the size violation.

This is fine but when this happens, we cannot access the values of fields and buttons that were submitted. This significantly reduces our ability to provide the user with a graceful error handling and all we can indicate in the error message is that the total request size was above the limit and any setting of checkboxes and radio buttons is lost.

Are we missing something ? Any idea how to improve the error handling and to recover field values ?

Thanks, Tal

-Original Message-
From: Mike Campbell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 04, 2001 11:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Session Problem

Craig (or anyone),

You might want to turn your thinking inside out on how to handle this problem :-).

I came in on this discussion thread mid-strand, and have a question. Your code snipped on session handling made perfect sense, and really made the session-handling issue finally "click" for me. My question is about timeouts; where is the timeout value set?

Thanks
RE: IllegalStateException: Short Read while trying to do forward()
It seems that the problem is related to package javax.servlet.http.HttpUtils which is deprecated. Are you using HttpUtils.parsePostData() ?

When I added a call to this method to a working servlet (Tomcat 3.2.1), the servlet generated a 'read short' exception when trying to forward the call to the JSP. When I removed the call to the method, the servlet worked again.

I presume the right way to get the parameters is through the request API but I have not tried it yet.

Tal

-Original Message-
From: Jason C Jones [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 19, 2000 9:09 AM
To: [EMAIL PROTECTED]
Subject: IllegalStateException: Short Read while trying to do forward()

I am running 3.2.1 in standalone mode and when I try to do a forward with a RequestDispatcher I get the following error:

    going to /patient.jsp
    res.isCommitted() = false
    res.getBufferSize() = 8192
    2000-12-19 04:53:48 - Ctx( /nativeweb ): Exception in: /nativeweb + /patient.jsp + null) - java.lang.IllegalArgumentException: Short Read
        at javax.servlet.http.HttpUtils.parsePostData(HttpUtils.java:238)
        at org.apache.tomcat.util.RequestUtil.readFormData(RequestUtil.java:101)

Note the two debugging lines above the exception. According to the specs, an IllegalArgumentException is thrown when the response is already committed, which it is not as you can see. Is this a bug?

The servlet in question uses HttpUtil.parsePostData to read the post data and inflate a bean. It then puts the bean into the session object and tries to redirect to a jsp for display.

Anyone have any ideas?

Thanks, Jason

--- Jason C. Jones [EMAIL PROTECTED]