RE: Tomcat 7 SSL Session ID
Vincent

RST always terminates a TCP connection. The question is really why was it *sent.* The usual reason is writing to a connection that has already been closed by the peer. Is there an incoming close_notify higher up in the SSL log? I suppose not, otherwise an SSLException would have been thrown.

Re loss of the SSL session, I suppose it is plausible that SSL discards it on security grounds because of the broken connection.

EJP

_

From: Vincent Goelen [mailto:goel...@gmail.com]
Sent: Wednesday, 5 December 2012 9:19 PM
To: Esmond Pitt
Subject: Re: Tomcat 7 SSL Session ID

http-bio-8443-exec-21, READ: TLSv1 Application Data, length = 32
http-bio-8443-exec-21, READ: TLSv1 Application Data, length = 432
http-bio-8443-exec-20, WRITE: TLSv1 Application Data, length = 32
http-bio-8443-exec-20, WRITE: TLSv1 Application Data, length = 976
http-bio-8443-exec-20, handling exception: java.net.SocketException: Broken pipe
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
http-bio-8443-exec-20, SEND TLSv1 ALERT: fatal, description = unexpected_message
http-bio-8443-exec-20, WRITE: TLSv1 Alert, length = 32
http-bio-8443-exec-20, Exception sending alert: java.net.SocketException: Broken pipe
http-bio-8443-exec-20, called closeSocket()
http-bio-8443-exec-20, called close()
http-bio-8443-exec-20, called closeInternal(true)

This is what I get in the SSL debug logs. It seems to happen when the TCP connection is closed while the application data is being sent. I think this is a security thing to prevent SSL truncation attacks, which sounds quite normal to me.

The issue is, why does my TCP connection close there:
http://users.telenet.be/goelenv/Schermafbeelding%202012-12-04%20om%2015.09.56.png

The screenshot above is one from where things go wrong when I analyse the traffic; the TCP RST is one from the connection that was used by the previous request. But why can that RST packet terminate the current active TCP connection?

2012/12/5 Esmond Pitt

Yes but he *already has* an SSL session which he states is being invalidated. To the limited extent to which I could make sense of your incomprehensible post, it appears to be 100% irrelevant.

-Original Message-
From: Martin Gainty [mailto:mgai...@hotmail.com]
Sent: Wednesday, 5 December 2012 11:27 AM
To: Tomcat Users List; goel...@gmail.com
Subject: RE: Tomcat 7 SSL Session ID

yes but he needs to achieve a reliable connection between himself and the SSLServer (at least until key negotiation has completed)

broken pipe(s) are a bear to debug but you have a few tools available to you:

netstat SSLServerIP -- if you see ANY intervening nodes hanging more than 4 sec drop from arp cache generally by arp -d ServerIP

assuming your ServerIP is 157.55.85.212 and the physical address of the network you want to connect to is 00-aa-00-62-c6-09 (check with net-admin for the physical-address or eth-addr to use)

> arp -s 157.55.85.212 00-aa-00-62-c6-09
Adds a static entry.

> arp -a
Displays the arp table.

route print will display the routes between you and the SSLServer
if you don't see a route referencing the server you may want to add in your own route with
route add DESTINATION MASK Mask METRIC NoOfHops Interface InterfaceNumber
check with net-admin
DESTINATION is generally the dotted.quad.of.SSLServer
check with net-admin generally Mask =255.255.255.0 will do
check with net admin about which Interface to use..avoid 127.0.0.1 (unless testing locally)
check with net admin on NoOfHops param ..generally the lower the better

use curl (command line url) to check the validity of the certificate, keys and passwords
curl -1 --cacert [file] --key PrivateKey.jks --pass PrivateKeyPass --key-type PEM --pubkey PublicKey.jks
-1 says use TLSv1
check the type of key most keys start out as PEM
PEM key ends with .PEM extension ...DER key with .DER...
ENG key ends with .ENG
http://curl.haxx.se/docs/sslcerts.html

once you've been able to achieve a Key Exchange you will have a valid SSL Connection..remember binaries have lower CPU so test with a reliable binary first then start debugging your code (i assume you added your CA cert into your local truststore)

enough pollution?
Martin

__
Disclaimer and confidentiality notice
This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorised forwarding or copying is not permitted. This message serves only to exchange information and has no legally binding effect. Because e-mails are easily manipulated, we cannot accept liability for their content.

> From: esmond.p...@bigpond.com
> To: goel...@gmail.com; users@tomcat.apache.org
> Subject: RE: Tomcat 7 SSL Session ID
> Date: Wed, 5 Dec 2012 09:57:38 +1100
>
> Broken pipes don't invalidate the SSL session. They just break the TCP
> conn
Re: [OT] Recognizing certificate removal (SmartCard)
Caldarale, Charles R wrote:
>> From: André Warnier [mailto:a...@ice-sa.com]
>> Subject: Re: [OT] Recognizing certificate removal (SmartCard)
>>
>> Too late (at least in the US); you just made it public...
>> Shuks. Ok then, I'll have to be satisfied with the glory.
>
> The US patent law has changed (but may not go into effect until next year; not sure about the timing) so that credit is given to first-to-file, rather than first-to-invent, regardless of public disclosure. So, you may still have time...

I'll probably need a more complete description, possibly even working code. And I'm not so confident in my Java skills. Any volunteer for helping and sharing in the glory, and maybe even the bucks then ?

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [OT] Recognizing certificate removal (SmartCard)
> From: André Warnier [mailto:a...@ice-sa.com]
> Subject: Re: [OT] Recognizing certificate removal (SmartCard)
>
> Too late (at least in the US); you just made it public...
> Shuks. Ok then, I'll have to be satisfied with the glory.

The US patent law has changed (but may not go into effect until next year; not sure about the timing) so that credit is given to first-to-file, rather than first-to-invent, regardless of public disclosure. So, you may still have time...

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: [OT] Recognizing certificate removal (SmartCard)
David kerber wrote:
> On 12/5/2012 4:18 PM, André Warnier wrote:
>> David kerber wrote:
>>> On 12/5/2012 1:35 PM, André Warnier wrote:
>>>> ...
>>>> (*) Come to think of it, it would be rather universal as a solution, and not so complex to set up. I may have to patent this idea...
>>>
>>> Too late (at least in the US); you just made it public...
>>
>> Shuks. Ok then, I'll have to be satisfied with the glory.
>
> You could always try a European patent; I'm not sure what their patent rules are... :-D

When you consider that Amazon could patent the 1-click, and Apple a black screen with round corners, I'm not sure that there are any rules, anywhere.
Re: [OT] Recognizing certificate removal (SmartCard)
On 12/5/2012 4:18 PM, André Warnier wrote:
> David kerber wrote:
>> On 12/5/2012 1:35 PM, André Warnier wrote:
>>> ...
>>> (*) Come to think of it, it would be rather universal as a solution, and not so complex to set up. I may have to patent this idea...
>>
>> Too late (at least in the US); you just made it public...
>
> Shuks. Ok then, I'll have to be satisfied with the glory.

You could always try a European patent; I'm not sure what their patent rules are... :-D
Re: [OT] Recognizing certificate removal (SmartCard)
David kerber wrote:
> On 12/5/2012 1:35 PM, André Warnier wrote:
>> ...
>> (*) Come to think of it, it would be rather universal as a solution, and not so complex to set up. I may have to patent this idea...
>
> Too late (at least in the US); you just made it public...

Shuks. Ok then, I'll have to be satisfied with the glory.
Re: [OT] Recognizing certificate removal (SmartCard)
On 12/5/2012 1:35 PM, André Warnier wrote:
> ...
> (*) Come to think of it, it would be rather universal as a solution, and not so complex to set up. I may have to patent this idea...

Too late (at least in the US); you just made it public...
Re: [OT] Recognizing certificate removal (SmartCard)
Will Nordmeyer wrote:
...
> Oddly enough, yes, it is a valid use case. We have specific scenarios where there are common use PCs that have a generic ID logged in,

As far as I remember the classics, that in itself is already a flaw with regard to security, no ?

> but they use their CAC and the browser to access the web application.

Presumably, your application is not the only one running on these workstations. So any other application must have similar issues. How do they resolve it ?

Assuming that there are many client workstations, and assuming that you cannot control what's installed on them, then one way I can think of - but it is quite heavy - is to have every single one of your pages contain a Java applet running at all times, which checks the presence of the card and does something drastic (or doesn't do something vital) in case the card isn't there, and which causes the server to drop the session.
(I mention the "doesn't do" bit, to avoid the user simply disabling Java in the browser.)

One way I could imagine this would be to have the applet establish its own connection to the server (maybe on a different port), and send a regular ping to another application on the server which would keep track of valid sessions. Should the ping no longer come, this application would somehow tell the main one to abort the session.

It all sounds a bit complicated, but maybe in a very security-conscious environment, this would be sellable ? (*)

Note that for the browser-based Java applet to gain access to the local card-reader, some special security settings may be required too.

(*) Come to think of it, it would be rather universal as a solution, and not so complex to set up. I may have to patent this idea...
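A server-side sketch of the heartbeat design André describes above, added here as an example (it is not code from the thread or from Tomcat): the client pings while the card is present, and a reaper drops any session whose heartbeat has gone stale. The session ids, the 10-second silence limit and the invalidation callback are assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Consumer;

/**
 * Tracks the last heartbeat per session and invalidates sessions that fall
 * silent. The heartbeat endpoint must authenticate the caller exactly like
 * any other request of that session (same session cookie, same client-cert
 * TLS connection), otherwise a third party could keep someone else's
 * session alive by pinging on their behalf.
 */
public final class CardPresenceRegistry {
    private final Map<String, Instant> lastSeen = new ConcurrentHashMap<>();
    private final Duration maxSilence;
    private final Consumer<String> invalidator; // e.g. HttpSession::invalidate in a container

    public CardPresenceRegistry(Duration maxSilence, Consumer<String> invalidator) {
        this.maxSilence = maxSilence;
        this.invalidator = invalidator;
    }

    /** Called when the session is created: fail closed, a session that never pings is stale. */
    public void register(String sessionId, Instant now) {
        heartbeat(sessionId, now);
    }

    /** Called by the heartbeat endpoint while the card is still in the reader. */
    public void heartbeat(String sessionId, Instant now) {
        lastSeen.put(sessionId, now);
    }

    /** Called on normal logout so the reaper does not invalidate twice. */
    public void forget(String sessionId) {
        lastSeen.remove(sessionId);
    }

    /** Sweep from a scheduled executor; returns the ids that were invalidated. */
    public List<String> reap(Instant now) {
        List<String> dropped = new ArrayList<>();
        for (Map.Entry<String, Instant> e : lastSeen.entrySet()) {
            if (Duration.between(e.getValue(), now).compareTo(maxSilence) > 0
                    // conditional remove: a heartbeat that raced us wins
                    && lastSeen.remove(e.getKey(), e.getValue())) {
                invalidator.accept(e.getKey());
                dropped.add(e.getKey());
            }
        }
        return dropped;
    }

    public static void main(String[] args) {
        List<String> invalidated = new ArrayList<>();
        CardPresenceRegistry reg =
                new CardPresenceRegistry(Duration.ofSeconds(10), invalidated::add);

        // Constructed timeline: two sessions start at t0, only sessB keeps pinging.
        Instant t0 = Instant.parse("2012-12-05T13:35:00Z");
        reg.register("sessA", t0);
        reg.register("sessB", t0);
        reg.heartbeat("sessB", t0.plusSeconds(8));

        // At t0+15s sessA has been silent for 15s (over the limit), sessB for 7s.
        List<String> reaped = reg.reap(t0.plusSeconds(15));
        System.out.println("reaped: " + reaped + ", invalidated: " + invalidated);
    }
}
```

The reaper only bounds the window between card removal and session loss to roughly the ping interval plus the silence limit; the client still has to be trusted to stop pinging when the card is gone.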
Re: Apache issue
What is the memory use when it dies? How much CPU is being used by Tomcat? You probably have a fault in the application.

On 6/12/12 2:05 AM, "vicky" wrote:

>Is there anything in the error log? Access log? ===> No errors/exception in logs
>What applications are you running on it? > basic customer data entry application deployed on Tomcat
>What version is it? ==> Apache 2.2
>What OS are you on? ==> Linux Redhat 5
>
> From: Darryl Lewis
>To: Tomcat Users List
>Sent: Wednesday, 5 December 2012 7:35 PM
>Subject: Re: Apache issue
>
>Is there anything in the error log? Access log?
>What applications are you running on it?
>What version is it?
>What OS are you on?
>
>On 6/12/12 12:25 AM, "vicky007aggar...@yahoo.co.in" wrote:
>
>>Hello Guys,
>>
>>My apache instance after some time becomes unresponsive & to restore it I need to restart it. Weird thing is that no exception/error is coming in logs.
>>
>>Can you please suggest what all things I can check for my apache.
>>
>>Is there any JVM related things which I need to check.
>>
>>Please suggest what all basic troubleshooting I can do
>>
>>Thanks in advance
>>Vicky
Re: [OT] Tomcat7.0-Setting property 'threadPriority' did not find a matching property
Konstantin,

On 12/5/12 12:17 AM, Konstantin Kolinko wrote:
> 2012/12/3 Caldarale, Charles R :
>>> From: Weixiang [mailto:kurt.weixi...@huawei.com]
>>> Subject: Tomcat7.0-Setting property 'threadPriority' did not find a matching property
>>
>>> I config in my server.xml for a HTTP Connector named "MGMT":
>>
>>> threadPriority="java.lang.Thread#Thread.MAX_PRIORITY"
>>
>> The documentation may give the impression that you can set the value of the threadPriority attribute to a string referring to some static field, but that is not actually the case. You must supply a numeric value here, which will normally be 10 for the maximum. You can write a simple Java program to display the values of Thread.MIN_PRIORITY and Thread.MAX_PRIORITY, and choose a number within that range.
>>
>> class ThreadPriority {
>>     public static void main(String args[]) throws Exception {
>>         // the middle argument is NORM_PRIORITY, not MIN_PRIORITY a second time
>>         System.out.format("thread priorities: MIN %d, NORM %d, MAX %d%n",
>>                 Thread.MIN_PRIORITY, Thread.NORM_PRIORITY, Thread.MAX_PRIORITY);
>>     }
>> }
>>
>> The JDK 7 Javadoc includes a description for the priority values, but it doesn't appear to be completely accurate:
>> http://docs.oracle.com/javase/7/docs/api/constant-values.html#java.lang.Thread.MAX_PRIORITY
>
> The MIN/NORM/MAX_PRIORITY constants in the Thread class are "final static" and thus they are evaluated and inlined at compile time and cannot differ between systems.

Yeah, I was surprised long ago to find that javac converts foreign static final primitives into local constants in the class file's constant pool. That means that, once compiled, a client class has the values from compile-time, and if the defining class is changed to have a different value and the client class isn't recompiled, they will be out of sync. So much for what feels like dynamic linking.

A bunch of years ago, I started monkeying around with the JVM, compiler, disassembler (jad) and a bytecode assembler (I have forgotten which one... or maybe I wrote one). I found that you could prevent the compiler from inlining constants from other classes by using this technique:

public static int SOME_CONSTANT;
static {
    SOME_CONSTANT = 4;
}

In that case, references to SomeClass.SOME_CONSTANT in another class are fetched at runtime using a getfield operation, rather than loading from the local class's constant pool.

I also found out that the JVM allows you to throw any kind of reference type, not just exceptions (kinda like C++). I can't remember if I was able to catch any of those types, though.

I hope this information is interesting to someone. I expect that Chuck already knows all of this.

-chris
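The two access patterns discussed above, as an added example (not code from the thread): a compile-time constant that javac bakes into the reading class next to a static field assigned in a static initializer that is fetched at run time, plus the numeric thread priorities the Connector attribute expects. The class and field names are assumptions; save the two classes as separate files so they can be recompiled independently.

```java
// ---- Constants.java ----
public class Constants {
    // Compile-time constant (JLS 15.28): javac copies the literal 4 into
    // every class that reads Constants.INLINED (bytecode "bipush 4"), so a
    // reading class keeps the old value until it is itself recompiled.
    public static final int INLINED = 4;

    // Assigned in a static initializer, so NOT a compile-time constant: a
    // reading class emits "getstatic Constants.NOT_INLINED" and sees the
    // value of whichever Constants.class is on the classpath at run time.
    public static int NOT_INLINED;
    static {
        NOT_INLINED = 4;
    }
}

// ---- Client.java ----
public class Client {
    public static void main(String[] args) {
        System.out.println("INLINED     = " + Constants.INLINED);
        System.out.println("NOT_INLINED = " + Constants.NOT_INLINED);

        // Thread.MIN/NORM/MAX_PRIORITY are static final as well, so they are
        // inlined the same way; server.xml needs the number itself, e.g.
        // threadPriority="10" for MAX_PRIORITY, never a class#field string.
        System.out.format("thread priorities: MIN %d, NORM %d, MAX %d%n",
                Thread.MIN_PRIORITY, Thread.NORM_PRIORITY, Thread.MAX_PRIORITY);
    }
}

// Reproduction of the stale-constant effect:
//   javac Constants.java Client.java && java Client
//   then change both 4s in Constants.java to 5 and recompile ONLY Constants:
//   javac Constants.java && java Client
// Client now reports the old value for INLINED (the copy in Client.class) and
// the new value for NOT_INLINED. "javap -c Client" shows bipush for INLINED
// and getstatic for NOT_INLINED.
```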
Re: Apache issue
Vicky,

On 12/5/12 10:35 AM, vicky wrote:
> Is there anything in the error log? Access log? ===> No errors/exception in logs
> What applications are you running on it? > basic customer data entry application deployed on Tomcat
> What version is it? ==> Apache 2.2
> What OS are you on? ==> Linux Redhat 5

Are you running Apache Tomcat at all? If so, tell us what version and then take some thread dumps to find out what Tomcat is (not) doing:
http://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F

-chris
Re: Recognizing certificate removal (SmartCard)
Will,

On 12/5/12 7:33 AM, Will Nordmeyer wrote:
> On Tue, Dec 4, 2012 at 3:07 PM, Christopher Schultz wrote:
>> Will,
>>
>> On 12/4/12 2:47 PM, Will Nordmeyer wrote:
>>> Thanks for the quick response and the thoughts. A 5 minute timeout wouldn't be acceptable in our environment - theory being, if user A pulls his smart card out (but didn't log out of the app), and user B goes up to the machine within 5 minutes, he may have access to someone else's account in the application. So I was really hoping there was some way to trigger the session to expire.
>>
>> The only thing I can think of would be to have the web browser complicit in the deal: if the browser can be configured to expire the SSL session when the card is removed, then that is really the only solution that will be truly secure.
>
> That's a potential, but there are quite a few clients so I'm not sure we can impact the clients... interesting scenario we've got.
>
>>> I'll keep looking, or suggest to my dev team that they write a little app that queries the card regularly and as soon as the card can't be found, logs out.
>>
>> Is it a valid use case to have the computer itself logged-in when the card is removed? For instance, if you configured the machine to auto-lock when the card was removed, then you might be able to do other things, too (like kill the browser, which should kill the SSL session).
>
> Oddly enough, yes, it is a valid use case. We have specific scenarios where there are common use PCs that have a generic ID logged in, but they use their CAC and the browser to access the web application.

Okay, good to know. Well, the OS can certainly detect when the CAC has been removed. I think it's time to talk to some of the desktop IT folks to see what your options are. This is something that is going to have to be solved on the client side, not the server side.

Now, if the CAC is definitely required in order to establish an SSL connection (can you confirm that? It's kind of important for my whole line of thinking, here), you could simply set the SSL session timeout to something typically considered foolishly low (like 1 second). That will significantly impact performance (every request will require a new SSL key negotiation), but should ultimately fulfill your requirement: the only way for a CAC to be removed yet still allow a post-withdraw request would be if the new and old users were face-to-face (discounting the usual edge-cases that crop-up on this list occasionally, like unlikely quantum phenomena, interference from Time Lords, etc.).

It cannot, of course, prevent any physical attack (or mistake) on the client side such as one user taking another's CAC or a user forgetting to remove the card from the slot before leaving a terminal. You can fix those vectors with robust cables attaching the CAC to the user's pelvic bone, which I hear will be implemented starting in 2013.

-chris
Re: Recognizing certificate removal (SmartCard)
André,

On 12/5/12 3:12 AM, André Warnier wrote:
> Other than that, and without any pretense at offering a "solution" to the present issue, maybe this is the point where one needs to step back and ask oneself if this is really a problem of the application.

You're right: this is not a problem of the "application" (at least, not the web application itself). Unfortunately, it's an operation requirement which means it must be solved *somewhere*. At this point, we're way off-topic where Tomcat is concerned. ;)

> If the environment is such that it is a concern that one might login using a card, then remove the card and walk away, leaving the workstation logged-in and a session open with some security-conscious application, for someone else to use at will, then maybe this is not a problem of the application at the other end, but a problem with the environment ? What for example if that same person walks away while leaving their card in the reader ?

Court martial. :)

-chris
Re: [OT] Tomcat 7 SSL Session ID
André,

On 12/5/12 2:49 AM, André Warnier wrote:
> Esmond Pitt wrote:
>> Broken pipes don't invalidate the SSL session. They just break the TCP connection. The SSL session persists, across multiple TCP connections, until it is specifically invalidated by someone: for example, timed out by the SSLSessionContext.
>>
> Ah. That would explain some other (totally unrelated) phenomenon which I had noticed and which puzzled me. I didn't know that. Thanks for the info.

Yes. SSL sessions are essentially an optimization because SSL key exchange and setup are fairly expensive (it uses asymmetric, public-key encryption which is slow). Once the session is established, a symmetric encryption key is used and the client and server generally refer to the session id for a period of time. At some interval, the session is re-negotiated, ostensibly to improve security (to limit the lifetime of the encryption keys), though there have been some vulnerabilities identified in recent years (you have probably heard the phrase "unsafe renegotiation") with this mechanism.

When the session times out (or is explicitly destroyed... I don't know the specific mechanism for accomplishing this as the client is not guaranteed to ever return for more data), everything must be renegotiated from scratch and a new session is created.

Again, this has absolutely nothing to do with HttpSession, nor does it really have anything to do with HTTP at all -- that just happens to be the protocol tunneled through TLS in this case.

The fact that the OP is playing around with keepalive timeouts really shouldn't have any bearing on what's going on, here: Tomcat's documentation says that the default SSL session timeout is 24 hours. That means that, 24 hours after a client makes a single SSL connection, Tomcat will expire the session. I don't know that a client can specifically ask the server to expire an SSL session. So, something weird is definitely going on.

I can't yet figure out if this is a Tomcat bug, a configuration snafu, or a complete misunderstanding of SSL sessions on the OP's part. Honestly, I was hoping that after extracting more information from the OP, someone with more low-level knowledge of JSSE and/or OpenSSL (Filip or Konstantin, probably) would chime in with some more useful thoughts.

The "description" section on Wikipedia is definitely worth the read:
http://en.wikipedia.org/wiki/Transport_Layer_Security

-chris
Re: Apache issue
Is there anything in the error log? Access log? ===> No errors/exception in logs
What applications are you running on it? > basic customer data entry application deployed on Tomcat
What version is it? ==> Apache 2.2
What OS are you on? ==> Linux Redhat 5

From: Darryl Lewis
To: Tomcat Users List
Sent: Wednesday, 5 December 2012 7:35 PM
Subject: Re: Apache issue

Is there anything in the error log? Access log?
What applications are you running on it?
What version is it?
What OS are you on?

On 6/12/12 12:25 AM, "vicky007aggar...@yahoo.co.in" wrote:

>Hello Guys,
>
>My apache instance after some time becomes unresponsive & to restore it I need to restart it. Weird thing is that no exception/error is coming in logs.
>
>Can you please suggest what all things I can check for my apache.
>
>Is there any JVM related things which I need to check.
>
>Please suggest what all basic troubleshooting I can do
>
>Thanks in advance
>Vicky
Re: Apache issue
Is there anything in the error log? Access log?
What applications are you running on it?
What version is it?
What OS are you on?

On 6/12/12 12:25 AM, "vicky007aggar...@yahoo.co.in" wrote:

>Hello Guys,
>
>My apache instance after some time becomes unresponsive & to restore it I need to restart it. Weird thing is that no exception/error is coming in logs.
>
>Can you please suggest what all things I can check for my apache.
>
>Is there any JVM related things which I need to check.
>
>Please suggest what all basic troubleshooting I can do
>
>Thanks in advance
>Vicky
Re: Apache issue
Hello Vicky,

What are your configs and h/w specs ? Make sure you have enough memory?

Regards,
Mohammad Tariq

On Wed, Dec 5, 2012 at 7:25 PM, wrote:
> Hello Guys,
>
> My apache instance after some time becomes unresponsive & to restore it I need to restart it. Weird thing is that no exception/error is coming in logs.
>
> Can you please suggest what all things I can check for my apache.
>
> Is there any JVM related things which I need to check.
>
> Please suggest what all basic troubleshooting I can do
>
> Thanks in advance
> Vicky
Apache issue
Hello Guys,

My apache instance after some time becomes unresponsive & to restore it I need to restart it. Weird thing is that no exception/error is coming in logs.

Can you please suggest what all things I can check for my apache.

Is there any JVM related things which I need to check.

Please suggest what all basic troubleshooting I can do

Thanks in advance
Vicky
Re: Recognizing certificate removal (SmartCard)
On Tue, Dec 4, 2012 at 3:07 PM, Christopher Schultz wrote:
> Will,
>
> On 12/4/12 2:47 PM, Will Nordmeyer wrote:
>> Thanks for the quick response and the thoughts. A 5 minute timeout wouldn't be acceptable in our environment - theory being, if user A pulls his smart card out (but didn't log out of the app), and user B goes up to the machine within 5 minutes, he may have access to someone else's account in the application. So I was really hoping there was some way to trigger the session to expire.
>
> The only thing I can think of would be to have the web browser complicit in the deal: if the browser can be configured to expire the SSL session when the card is removed, then that is really the only solution that will be truly secure.

That's a potential, but there are quite a few clients so I'm not sure we can impact the clients... interesting scenario we've got.

>> I'll keep looking, or suggest to my dev team that they write a little app that queries the card regularly and as soon as the card can't be found, logs out.
>
> Is it a valid use case to have the computer itself logged-in when the card is removed? For instance, if you configured the machine to auto-lock when the card was removed, then you might be able to do other things, too (like kill the browser, which should kill the SSL session).

Oddly enough, yes, it is a valid use case. We have specific scenarios where there are common use PCs that have a generic ID logged in, but they use their CAC and the browser to access the web application.

> -chris
Re: Data sources definitions are lost in memory
Hi Konstantin,

> 1. This NullPointerException happens when an application starts up?
> (Do the apps perform the lookup once and cache the result, or they perform multiple lookups?)

No, it happens after the application starts up. The applications perform multiple lookups.

> 2. What is seen in JNDI context depends on the current classloader (Thread.getContextClassLoader()).
> Does the issue happen in a request processing thread, or somewhere else?

Request processing thread.

> 3. Does it affect specific web applications, or it is more random?

When it happens, it affects all datasources (global and application-specific) of all applications.

> 4. Anything interesting in the logs and in catalina.out? E.g. OutOfMemoryError.

No, but we're still looking for some lead.

> 5. What connector implementations are you using? Bio, Nio, APR?

APR.

The last time that this issue happened was on 11/22.

Thanks,
Robert

On Tue, Dec 4, 2012 at 6:01 PM, Konstantin Kolinko wrote:
> 2012/11/28 Robert Anderson :
>> Hi,
>>
>> We've some data sources defined in server.xml as following:
>>
>> ...
>>     type="javax.sql.DataSource" removeAbandoned="true"
>>     removeAbandonedTimeout="300"
>>     maxActive="400" maxIdle="30"
>>     maxWait="1"
>>     validationQuery="select 1 from dual"
>>     testOnBorrow="true"
>>     username="" password=""
>>     driverClassName="com.intersys.jdbc.CacheDriver"
>>     url="jdbc:Cache://server:1972/DB"/>
>> ...
>>
>> conf/context.xml
>>
>> ...
>>
>> Everything has worked normally for many months... until now.
>>
>> At least once a day, since 11/21, web applications throw NullPointerException because they cannot find JNDI data sources. The Data sources tab in psi-probe (http://code.google.com/p/psi-probe/) says that there aren't JNDI data sources in the server. We are thinking that some application may have added some jar or class in the classpath that is causing the problem.
>>
>> After restart, without changes in conf files, everything goes back to normal.
>>
>> Any idea?
>>
>> Environment:
>>
>> java version "1.6.0_35"
>> Java(TM) SE Runtime Environment (build 1.6.0_35-b10)
>> Java HotSpot(TM) 64-Bit Server VM (build 20.10-b01, mixed mode)
>>
>> Server version: Apache Tomcat/6.0.32
>> Server built: February 2 2011 2003
>> Server number: 6.0.32.0
>> OS Name: Linux
>> OS Version: 2.6.18-194.17.1.el5
>> Architecture: amd64
>> JVM Version: 1.6.0_35-b10
>> JVM Vendor: Sun Microsystems Inc.
>
> 1. This NullPointerException happens when an application starts up?
> (Do the apps perform the lookup once and cache the result, or they perform multiple lookups?)
>
> 2. What is seen in JNDI context depends on the current classloader (Thread.getContextClassLoader()).
> Does the issue happen in a request processing thread, or somewhere else?
>
> 3. Does it affect specific web applications, or it is more random?
>
> 4. Anything interesting in the logs and in catalina.out? E.g. OutOfMemoryError.
>
> 5. What connector implementations are you using? Bio, Nio, APR?
>
> Best regards,
> Konstantin Kolinko
RE: Tomcat 7 SSL Session ID
Yes but he *already has* an SSL session which he states is being invalidated. To the limited extent to which I could make sense of your incomprehensible post, it appears to be 100% irrelevant.

-----Original Message-----
From: Martin Gainty [mailto:mgai...@hotmail.com]
Sent: Wednesday, 5 December 2012 11:27 AM
To: Tomcat Users List; goel...@gmail.com
Subject: RE: Tomcat 7 SSL Session ID

yes but he needs to achieve a reliable connection between himself and the SSLServer (at least until key negotiation has completed)
broken pipe(s) are a bear to debug but you have a few tools available to you:

netstat SSLServerIP -- if you see ANY intervening nodes hanging more than 4 sec drop from arp cache generally by arp -d ServerIP

assuming your ServerIP is 157.55.85.212 and the physical address of the network you want to connect to is 00-aa-00-62-c6-09 (check with net-admin for the physical-address or eth-addr to use)
> arp -s 157.55.85.212 00-aa-00-62-c6-09
Adds a static entry.
> arp -a
Displays the arp table.

route print will display the routes between you and the SSLServer
if you don't see a route referencing the server you may want to add in your own route with
route add DESTINATION MASK Mask METRIC NoOfHops Interface InterfaceNumber
(check with net-admin)
DESTINATION is generally the dotted.quad.of.SSLServer (check with net-admin)
generally Mask =255.255.255.0 will do (check with net admin)
about which Interface to use..avoid 127.0.0.1 (unless testing locally)
check with net admin on NoOfHops param ..generally the lower the better

use curl (command line url) to check the validity of the certificate, keys and passwords
curl -1 --cacert [file] --key PrivateKey.jks --pass PrivateKeyPass --key-type PEM --pubkey PublicKey.jks
-1 says use TLSv1
check the type of key; most keys start out as PEM
PEM key ends with .PEM extension ...DER key with .DER...
ENG key ends with .ENG
http://curl.haxx.se/docs/sslcerts.html

once you've been able to achieve a Key Exchange you will have a valid SSL Connection..remember binaries have lower CPU so test with a reliable binary first then start debugging your code
(i assume you added your CA cert into your local truststore)

enough pollution?
Martin

______
Disclaimer and confidentiality notice
This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorized forwarding or copying is not permitted. This message serves solely for the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept liability for their content.

> From: esmond.p...@bigpond.com
> To: goel...@gmail.com; users@tomcat.apache.org
> Subject: RE: Tomcat 7 SSL Session ID
> Date: Wed, 5 Dec 2012 09:57:38 +1100
>
> Broken pipes don't invalidate the SSL session. They just break the TCP
> connection. The SSL session persists, across multiple TCP connections,
> until it is specifically invalidated by someone: for example, timed
> out by the SSLSessionContext.
>
> EJP
>
> _____
>
> From: Vincent Goelen [mailto:goel...@gmail.com]
> Sent: Wednesday, 5 December 2012 1:15 AM
> To: Tomcat Users List
> Subject: Re: Tomcat 7 SSL Session ID
>
> Hey,
>
> thanks for the help!
>
> To be clear, I do not want a 0ms timeout... I'm doing research about
> how "usable" the SSL session tracking option is for session management...
> With the standard settings it seems very unstable to me, when sending
> a lot of parallel requests I get a broken socket error invalidating the
> ssl session and making the session with this id disappear. In this
> case it would seem to me that it's easy to create Denial of Service
> attacks by just sending a lot of requests so the user loses his session.
>
> By playing with the timeouts I found out this problem doesn't occur
> when I set the timeout to 0, just by playing with the settings.
> Perhaps because this disables the possibility of too many parallel
> connections? I can't find the reason for this in the Tomcat or SSL specs...
>
> I've added a screenshot of a capture where things go wrong without
> setting a keepAlive.. So I send a lot of requests to the server, the
> first clientHello (pck 38943) and the following packets everything
> goes ok, when the application data is being sent I get a tcp rst from
> port 54195 (this is the connection that was used for the transactions
> before the current one) ... At this moment my session gets invalidated
> making the next SSL handshake a full one with new ID (pckt 40361, ...)
>
> 2012/11/29 Christopher Schultz
>
> Vincent,
>
> On 11/28/12 3:14 AM, Vincent Goelen wrote:
> > When the keepAliveTimeout is not set to "0" I can see in the SSL
> > debug logs the SSL session gets invalidated after some reques
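The failure mode Vincent describes (the SSL session being invalidated when the socket breaks while application data is written) shows up in JSSE debug output as a Broken pipe exception on a worker thread followed by an Invalidated line, whereas a timeout-driven invalidation has no such exception nearby. As an added example, not code from this thread, the Python below classifies each invalidation in such a log by whether a socket error preceded it; the sample lines are constructed, and the two-line proximity window is an assumed heuristic.

```python
import re

# JSSE debug output (-Djavax.net.debug=ssl): exceptions carry the worker
# thread name, "%% Invalidated:" lines do not, so causes are inferred by order.
EXC_RE = re.compile(r"^(?P<thread>\S+), handling exception: (?P<exc>.+)$")
INV_RE = re.compile(r"^%% Invalidated:\s*\[(?P<session>[^,\]]+)")
SOCKET_ERRORS = ("Broken pipe", "Connection reset")

# Constructed sample modeled on that format (not a capture from the thread):
# Session-1 dies right after a Broken pipe on exec-20, Session-2 does not.
SAMPLE_LOG = """\
http-bio-8443-exec-20, WRITE: TLSv1 Application Data, length = 976
http-bio-8443-exec-20, handling exception: java.net.SocketException: Broken pipe
%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
http-bio-8443-exec-20, SEND TLSv1 ALERT:  fatal, description = unexpected_message
http-bio-8443-exec-20, called closeSocket()
http-bio-8443-exec-22, READ: TLSv1 Handshake, length = 123
%% Invalidated:  [Session-2, TLS_RSA_WITH_AES_256_CBC_SHA]
http-bio-8443-exec-22, called closeSocket()
"""

def classify_invalidations(lines, window=2):
    """Map session id -> (cause, thread). cause is "socket-error" when a
    Broken pipe / Connection reset was logged at most `window` lines earlier
    (assumed heuristic: JSSE logs the invalidation right after the failed
    write), else "other" (timeout, explicit invalidate(), ...)."""
    results = {}
    last_error = None  # (line index, thread) of the most recent socket error
    for idx, raw in enumerate(lines):
        line = raw.strip()
        m = EXC_RE.match(line)
        if m:
            if any(err in m.group("exc") for err in SOCKET_ERRORS):
                last_error = (idx, m.group("thread"))
            continue
        m = INV_RE.match(line)
        if m:
            near = last_error is not None and idx - last_error[0] <= window
            results[m.group("session")] = (
                ("socket-error", last_error[1]) if near else ("other", None))
    return results

def count_causes(log_text):
    """How many invalidations followed a socket error vs. not."""
    counts = {"socket-error": 0, "other": 0}
    for cause, _ in classify_invalidations(log_text.splitlines()).values():
        counts[cause] += 1
    return counts
```

A high "socket-error" count under load is the symptom discussed here; a count dominated by "other" points at the SSLSessionContext timeout instead.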
Re: Running Tomcat under jsvc - logging problems
On 4 December 2012 21:18, Konstantin Kolinko wrote:
> 2012/12/5 Lyallex :
> > On 4 December 2012 19:41, Konstantin Kolinko wrote:
> >
> >> 2012/12/4 Lyallex :
> >> > On 4 December 2012 18:50, Konstantin Kolinko wrote:
>
> [snip]
>
> Moreover, I think it should run just fine with an older jsvc.

OK, thanks for your assistance, it seems fairly obvious then that there is some aspect of the logging config that I've missed. I've never really got my head around logging. It's a bit like a washing machine: I don't know or care how it works, it just does. I suppose I'll have to start reading ... I've just got so many more interesting things to be getting on with.

Ho Hum

Thanks again
Lyallex
Re: Suggestion for improving Tomcat startup performance...
On 05/12/2012 01:05, Tony Anecito wrote:
> Also, if there is some other email group I should be using for technical
> questions about use of Tomcat please let me know.

No, this is it.

p

--
[key:62590808]
Re: Recognizing certificate removal (SmartCard)
Christopher Schultz wrote:
> Will,
>
> On 12/4/12 2:47 PM, Will Nordmeyer wrote:
> > Thanks for the quick response and the thoughts. A 5 minute timeout wouldn't be acceptable in our environment - theory being, if user A pulls his smart card out (but didn't log out of the app), and user B goes up to the machine within 5 minutes, he may have access to someone else's account in the application. So I was really hoping there was some way to trigger the session to expire.
>
> The only thing I can think of would be to have the web browser complicit in the deal: if the browser can be configured to expire the SSL session when the card is removed, then that is really the only solution that will be truly secure.
>
> > I'll keep looking, or suggest to my dev team that they write a little app that queries the card regularly and as soon as the card can't be found, logs out.
>
> Is it a valid use case to have the computer itself logged-in when the card is removed? For instance, if you configured the machine to auto-lock when the card was removed, then you might be able to do other things, too (like kill the browser, which should kill the SSL session).

Sorry for barging in where I know little myself.

In the thread "Tomcat 7 SSL Session ID", a recent post by EJP may have a bearing on this discussion, maybe.

Other than that, and without any pretense at offering a "solution" to the present issue, maybe this is the point where one needs to step back and ask oneself if this is really a problem of the application. If the environment is such that it is a concern that one might login using a card, then remove the card and walk away, leaving the workstation logged-in and a session open with some security-conscious application, for someone else to use at will, then maybe this is not a problem of the application at the other end, but a problem with the environment? What for example if that same person walks away while leaving their card in the reader?