[ANN] Apache Tomcat 6.0.41 released

2014-05-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 6.0.41 stable.

Apache Tomcat 6.0.41 is primarily a bug fix release. The
notable changes include:
- Add support for using ecj-P20140317-1600.jar to use Java 8 syntax in
  JSPs
- Update native library to 1.1.30
- Various improvements to XML processing

Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three
bundled with Tomcat native binaries for different CPU architectures.

Downloads:
http://tomcat.apache.org/download-60.cgi

Migration guide from earlier releases:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



[ANN] Apache Tomcat 7.0.54 released

2014-05-25 Thread Violeta Georgieva
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.54.

Apache Tomcat is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Expression Language and Java
WebSocket technologies.

This release contains a number of bug fixes and improvements compared to
version 7.0.53. The notable changes since 7.0.53 include:

- Extend and improve memory leak protection and fix a few leaks that crept
  in during the various refactorings.
- Add additional protection against a failure to correctly recycle the
  request and response objects.
- APR/native library version updated to 1.1.30.


Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note: This version has 4 zip binaries: a generic one and
  three bundled with Tomcat native binaries for Windows operating
  systems running on different CPU architectures.

Note: Use of the JSR-356 Java WebSocket 1.0 implementation requires Java 7.

Note: If you use the APR/native AJP or HTTP connector you *must* upgrade
  to version 1.1.30 or later of the APR/native library.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guides from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

- The Apache Tomcat team


Re: Tomcat 7 cannot get ciphers with SHA256 or SHA384

2014-05-25 Thread Tim Whittington

On 21/05/2014, at 10:21 pm, Sverre Moe sverre@gmail.com wrote:

snip

> ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256
> /

Documentation aside, none of these cipher-suites are supported in Oracle Java 7.
Oracle Java 7 has no GCM support (AIX does I think, but from memory the cipher 
suite names are different), and some of the cipher-suites don’t exist (see 
below).
GCM was originally targeted for JDK 7 (which is why the cipher suite names and 
AEAD APIs in the JCE are there) but the implementation didn’t show up until JDK 
8.

 
> I have tried running Tomcat with Java 7 and Java 8. Both of these should
> support CBC_SHA256 and CBC_SHA384, but only Java 8 supports GCM_SHA384.
> I have downloaded the Java cryptographic extensions policy files for both
> Java 7 and Java 8.
>
> The only way I get a connection is when I add the following ciphers:
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>
> According to the specification all these ciphers are correct names:
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites
 

This is not true for TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265 or 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256 in Java 7 or 8 (only SHA/ SHA384 or 
AES_128 variants of these are listed in the docs and reported by the JRE).

i.e. for whatever reason, SHA384 and SHA are coupled with AES_256, and SHA256 
and SHA are coupled with AES_128.

The email trail Christopher linked should help you discover what’s available on 
the system you’re running on.

cheers
tim

For the record, these are the ECDHE cipher suites supported in Oracle Java 7, 
excluding those that use SHA(1):

Cipher                                   Kx     Au     Enc  Mode  Key  Str    Mac     Size  Unsafe
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  ECDHE  ECDSA  AES  CBC   256  (256)  SHA384  384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    ECDHE  RSA    AES  CBC   256  (256)  SHA384  384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  ECDHE  ECDSA  AES  CBC   128  (128)  SHA256  256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256    ECDHE  RSA    AES  CBC   128  (128)  SHA256  256

Oracle Java 8 adds the following ECDHE + GCM cipher suites (again not including 
SHA(1)) to the list above:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  ECDHE  ECDSA  AES  GCM   256  (256)  SHA384  384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDHE  ECDSA  AES  GCM   128  (128)  SHA256  256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    ECDHE  RSA    AES  GCM   256  (256)  SHA384  384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    ECDHE  RSA    AES  GCM   128  (128)  SHA256  256
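
Added example, not part of the thread and not Tomcat code: a small Java program that compares a connector "ciphers" list with the cipher suites the running JRE's default JSSE provider reports, which is the check the reply above does by hand. The class name CipherCheck and the helper unsupported() are made up for this illustration; the default list is the one quoted in the message.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Added example (not from the thread): checks a Tomcat-style "ciphers" value
// against what the JRE's default SSLContext says it supports and enables.
public class CipherCheck {

    // Returns the configured names the JRE does not report as supported.
    static List<String> unsupported(String ciphersAttr, Set<String> supported) {
        List<String> missing = new ArrayList<String>();
        for (String name : ciphersAttr.split(",")) {
            String n = name.trim();
            if (!n.isEmpty() && !supported.contains(n)) {
                missing.add(n);
            }
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        // Value from the quoted connector configuration, unless one is passed in.
        String configured = args.length > 0 ? args[0]
            : "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
            + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265,"
            + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
            + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256";

        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<String>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<String>(
            Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        System.out.println("JRE: " + System.getProperty("java.version"));
        for (String name : configured.split(",")) {
            String n = name.trim();
            String state = !supported.contains(n) ? "NOT SUPPORTED"
                : enabled.contains(n) ? "supported, enabled by default"
                : "supported, not enabled by default";
            System.out.println(n + " -> " + state);
        }
        List<String> missing = unsupported(configured, supported);
        System.out.println(missing.size() + " configured name(s) unknown to this JRE: " + missing);
    }
}
```

Run it with the same java binary that starts Tomcat, since the reported suites differ between JRE versions and vendors.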
