Re: I don't understand a recent change released in Tomcat 7.0.70

2016-06-23 Thread Lyallex
On 23 June 2016 at 19:43, Mark Thomas  wrote:
> On 23/06/2016 17:56, Lyallex wrote:
>> I'm trying to understand why a recent change in 7.0.70 has been done
>> the way it has.
>> The change makes absolutely no sense to me and I need to ask the
>> implementer why in the name of sanity he did what he did.
>> I'm talking to you markt whoever you are :-)
>>
>> Where should I ask the question? dev list?
>>
>> I couldn't care less how much shouting ensues, I just need to get some sleep.
>
> How about you cut the attitude and just ask your question?

OK, I will.

To give this some context, and with the greatest respect to a dedicated
committer, none of what follows is intended as criticism; it's just that
I think the current solution to 59399 needs rethinking.

My commercial site has been up for years, there are links dating back
years that refer to the old http scheme.
I have no control over this, now, whenever I get a hit from an 'old'
link I need to force the switch to https, lots of sites have this
problem and need a solution, it has nothing whatsoever to do with
databases in any way shape or form.

So,

https://bz.apache.org/bugzilla/show_bug.cgi?id=59399

What has the status code returned when switching from http -> https
got to do with a Realm?

http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html


"A Realm is a "database" of usernames and passwords that identify
valid users of a web application .. "


Or: What has the status code returned when switching from http ->
https got to do with a database of usernames and passwords?

https://tomcat.apache.org/tomcat-7.0-doc/config/realm.html

JDBCDatabaseRealm

attribute: transportGuaranteeRedirectStatus


The HTTP status code to use when the container needs to issue an HTTP
redirect to meet the requirements of a configured transport guarantee.
The provided status code is not validated. If not specified, the
default value of 302 is used.


 I just don't get why this is here

furthermore
https://bz.apache.org/bugzilla/show_bug.cgi?id=59399


Mark Thomas 2016-06-15 11:12:11 UTC

This has been implemented as a new option in the Realm and will has
implemented in:
- 9.0.x for 9.0.0.M9 onwards
- 8.5.x for 8.5.4 onwards
- 8.0.x for 8.0.37 onwards
- 7.0.x for 7.0.70 onwards


Which Realm(s)? only JDBCDatabaseRealm has the attribute but your
comment seems to imply that all Realms
have it (transportGuaranteeRedirectStatus)

In which case surely it should be a common attribute and (I'm guessing
here) the functionality be included in the base class for Realm

What happens if I don't use JDBCDatabaseRealm, does that mean I can't
configure the switchover status code.
What happens if I write my own Realm?

In the 'good old days' it was common practice to only switch to https
during or after signing in to an application, networks were slow and
encryption takes time, now networks are faster and the overhead isn't
such an issue. Entire sites now use the https scheme, I know mine
does. I can see a situation where, because the mighty Google says it
must be so, even an entirely static site with no database and no
manager will be served up under https. How is such a site supposed to
implement https?

FYI I have it in black and white, from a Google webmaster forum
responder that, in the event of a tie between two pages in a ranking
calculation, the https scheme would produce a ranking signal that
would elevate the https page above the non https page in the resulting
rankings.

Once again this is not intended as criticism of a dedicated and
prolific committer

With respect
Lyallex








>
> If you are ever unsure where to ask, use the users list.
>
> Mark
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>




RE: How to patch Apache Tomcat in AIX

2016-06-23 Thread Satyamurthy, Hariprasad
Thanks Ben,

Please let me know if Apache HTTP does not support patching as well.

Regards,
Hariprasad Satyamurty
Global Infrastructure Services | Manulife Asia
Email : hariprasad_satyamur...@manulife.com

-Original Message-
From: Ben Stringer [mailto:b...@burbong.com]
Sent: Friday, June 24, 2016 12:32 PM
To: Tomcat Users List 
Subject: RE: How to patch Apache Tomcat in AIX

On Fri, June 24, 2016 2:00 pm, Satyamurthy, Hariprasad wrote:
> Hi All,
>
> We have multiple vulnerabilities in our environment ( AIX ) which are
> related to Apache, Apache Tomcat and Apache HTTP.
>
> Please let me know if there is a link to documentation which we can
> use to patch these vulnerabilities.

Hi Hariprasad,

This list is for Apache Tomcat. For Apache HTTPD, refer to that product's 
support list.

Apache Tomcat doesn't support patching. You need to install a newer version of
Apache Tomcat that resolves the issues you have listed, and migrate your apps
to that version.

This page may be useful to identify which Tomcat versions resolve the issues 
you are concerned about. Aim to install the most recent version if you can.

http://tomcat.apache.org/security.html

Cheers, Ben


>
> AIX OS version : 6100-09-05-1524
>
> Note:
>
> These vulnerabilities are identified in a single server. So, please
> let me know if installing a highest version of the patch can resolve
> all the vulnerabilities or suggest alternatives for the same.
>
> Any help would be appreciated.
>
> Vulnerability details:
>
>
> Vendor ID
>
> Impacted issue
>
> Apache Tomcat
>
> Apache Tomcat Arbitrary File Upload Vulnerability
>
> Apache 2.2.15
>
> Apache HTTP Server Prior to 2.2.15 Multiple Vulnerabilities
>
> Apache httpd 2.2.22
>
> Apache HTTP Server Multiple Denial of Service Vulnerabilities
>
> Apache
>
> Apache HTTP Server multiple vulnerabilities
>
> Apache
>
> Apache HTTP Server Prior to 2.2.23 Multiple Vulnerabilities
>
> Apache HTTP Server 2.2 Vulnerabilities
>
> Apache HTTP Server mod_deflate Denial of Service Vulnerability
>
> Apache httpd 2.2 Vulnerabilities,Apache httpd 2.4 Vulnerabilities
>
> Apache Prior to 2.4.4 and 2.2.24 Multiple Vulnerabilities
>
> Apache Tomcat
>
> Apache Tomcat Information Disclosure and Denial of Service
> Vulnerability
>
> Tomcat 6.0,Tomcat 7.0,Tomcat 8.0
>
> Apache Tomcat Multiple Vulnerabilities
>
> Tomcat 6.0,Tomcat 7.0,Tomcat 8.0
>
> Apache Tomcat Multiple Vulnerabilities
>
> Apache SVN
>
> Apache Commons FileUpload Content Type Denial of Service Vulnerability
>
> Tomcat 7.0.40
>
> Apache Tomcat AsyncListener Method RuntimeException Vulnerability
>
> Apache 2.2.25
>
> Apache HTTP Server Prior to 2.2.25 Multiple Vulnerabilities
>
> Tomcat 7.0.28,Tomcat 6.0.36
>
> Apache Tomcat Denial of Service Vulnerabilities
>
> Tomcat 6.0.36,Tomcat 7.0.32
>
> Apache Tomcat CSRF Prevention Filter Bypass
>
> Tomcat 7.0.30,Tomcat 6.0.37
>
> Apache Tomcat Chunked Transfer Encoding Denial of Service
> Vulnerability
>
> Tomcat 6.0.37,Tomcat 7.0.33
>
> Apache Tomcat FormAuthenticator Session Hijacking Weakness
>
> Apache2.2.19,Apache HTTP Server 2.0 Vulnerabilities
>
> Apache HTTP Server APR "apr_fnmatch()" Denial of Service
> Vulnerability
>
> Apache Revision
> 772997,RHSA-2009-1075

RE: How to patch Apache Tomcat in AIX

2016-06-23 Thread Ben Stringer
On Fri, June 24, 2016 2:00 pm, Satyamurthy, Hariprasad wrote:
> Hi All,
>
> We have multiple vulnerabilities in our environment ( AIX ) which are
> related to Apache, Apache Tomcat and Apache HTTP.
>
> Please let me know if there is a link to documentation which we can use to
> patch these vulnerabilities.

Hi Hariprasad,

This list is for Apache Tomcat. For Apache HTTPD, refer to that product's
support list.

Apache Tomcat doesn't support patching. You need to install a newer version
of Apache Tomcat that resolves the issues you have listed, and migrate
your apps to that version.

This page may be useful to identify which Tomcat versions resolve the
issues you are concerned about. Aim to install the most recent version if
you can.

http://tomcat.apache.org/security.html

Cheers, Ben


>
> AIX OS version : 6100-09-05-1524
>
> Note:
>
> These vulnerabilities are identified in a single server. So, please let me
> know if installing a highest version of the patch can resolve all the
> vulnerabilities or suggest alternatives for the same.
>
> Any help would be appreciated.
>
> Vulnerability details:
>
>
> Vendor ID
>
> Impacted issue
>
> Apache Tomcat
>
> Apache Tomcat Arbitrary File Upload Vulnerability
>
> Apache 2.2.15
>
> Apache HTTP Server Prior to 2.2.15 Multiple Vulnerabilities
>
> Apache httpd 2.2.22
>
> Apache HTTP Server Multiple Denial of Service Vulnerabilities
>
> Apache
>
> Apache HTTP Server multiple vulnerabilities
>
> Apache
>
> Apache HTTP Server Prior to 2.2.23 Multiple Vulnerabilities
>
> Apache HTTP Server 2.2 Vulnerabilities
>
> Apache HTTP Server mod_deflate Denial of Service Vulnerability
>
> Apache httpd 2.2 Vulnerabilities,Apache httpd 2.4 Vulnerabilities
>
> Apache Prior to 2.4.4 and 2.2.24 Multiple Vulnerabilities
>
> Apache Tomcat
>
> Apache Tomcat Information Disclosure and Denial of Service Vulnerability
>
> Tomcat 6.0,Tomcat 7.0,Tomcat 8.0
>
> Apache Tomcat Multiple Vulnerabilities
>
> Tomcat 6.0,Tomcat 7.0,Tomcat 8.0
>
> Apache Tomcat Multiple Vulnerabilities
>
> Apache SVN
>
> Apache Commons FileUpload Content Type Denial of Service Vulnerability
>
> Tomcat 7.0.40
>
> Apache Tomcat AsyncListener Method RuntimeException Vulnerability
>
> Apache 2.2.25
>
> Apache HTTP Server Prior to 2.2.25 Multiple Vulnerabilities
>
> Tomcat 7.0.28,Tomcat 6.0.36
>
> Apache Tomcat Denial of Service Vulnerabilities
>
> Tomcat 6.0.36,Tomcat 7.0.32
>
> Apache Tomcat CSRF Prevention Filter Bypass
>
> Tomcat 7.0.30,Tomcat 6.0.37
>
> Apache Tomcat Chunked Transfer Encoding Denial of Service Vulnerability
>
> Tomcat 6.0.37,Tomcat 7.0.33
>
> Apache Tomcat FormAuthenticator Session Hijacking Weakness
>
> Apache2.2.19,Apache HTTP Server 2.0 Vulnerabilities
>
> Apache HTTP Server APR "apr_fnmatch()" Denial of Service
> Vulnerability
>
> Apache Revision
> 772997,RHSA-2009-1075

RE: How to patch Apache Tomcat in AIX

2016-06-23 Thread Satyamurthy, Hariprasad
Hi All,

We have multiple vulnerabilities in our environment ( AIX ) which are related 
to Apache, Apache Tomcat and Apache HTTP.

Please let me know if there is a link to documentation which we can use to 
patch these vulnerabilities.

AIX OS version : 6100-09-05-1524

Note:

These vulnerabilities are identified in a single server. So, please let me know 
if installing a highest version of the patch can resolve all the 
vulnerabilities or suggest alternatives for the same.

Any help would be appreciated.

Vulnerability details:


Vendor ID

Impacted issue

Apache Tomcat

Apache Tomcat Arbitrary File Upload Vulnerability

Apache 2.2.15

Apache HTTP Server Prior to 2.2.15 Multiple Vulnerabilities

Apache httpd 2.2.22

Apache HTTP Server Multiple Denial of Service Vulnerabilities

Apache

Apache HTTP Server multiple vulnerabilities

Apache

Apache HTTP Server Prior to 2.2.23 Multiple Vulnerabilities

Apache HTTP Server 2.2 Vulnerabilities

Apache HTTP Server mod_deflate Denial of Service Vulnerability

Apache httpd 2.2 Vulnerabilities,Apache httpd 2.4 Vulnerabilities

Apache Prior to 2.4.4 and 2.2.24 Multiple Vulnerabilities

Apache Tomcat

Apache Tomcat Information Disclosure and Denial of Service Vulnerability

Tomcat 6.0,Tomcat 7.0,Tomcat 8.0

Apache Tomcat Multiple Vulnerabilities

Tomcat 6.0,Tomcat 7.0,Tomcat 8.0

Apache Tomcat Multiple Vulnerabilities

Apache SVN

Apache Commons FileUpload Content Type Denial of Service Vulnerability

Tomcat 7.0.40

Apache Tomcat AsyncListener Method RuntimeException Vulnerability

Apache 2.2.25

Apache HTTP Server Prior to 2.2.25 Multiple Vulnerabilities

Tomcat 7.0.28,Tomcat 6.0.36

Apache Tomcat Denial of Service Vulnerabilities

Tomcat 6.0.36,Tomcat 7.0.32

Apache Tomcat CSRF Prevention Filter Bypass

Tomcat 7.0.30,Tomcat 6.0.37

Apache Tomcat Chunked Transfer Encoding Denial of Service Vulnerability

Tomcat 6.0.37,Tomcat 7.0.33

Apache Tomcat FormAuthenticator Session Hijacking Weakness

Apache2.2.19,Apache HTTP Server 2.0 Vulnerabilities

Apache HTTP Server APR "apr_fnmatch()" Denial of Service 
Vulnerability

Apache Revision 
772997,RHSA-2009-1075

Apache HTTP Server AllowOverride Options Security 
Bypass

Re: Fail secure state

2016-06-23 Thread tomcat

On 23.06.2016 21:43, Jason Ricles wrote:
> Fail-secure is a condition achieved by the application server in order
> to ensure that in the event of an operational failure, the system does
> not enter into an unsecure state where intended security properties no
> longer hold

Just to make sure : you do know that tomcat is a computer program, right ?

> On Thu, Jun 23, 2016 at 3:33 PM, Mark Thomas  wrote:
>> On 23/06/2016 20:21, Jason Ricles wrote:
>>> Does tomcat have a secure state if system initialization fails,
>>> shutdown fails, or aborts fail?
>>
>> Define "secure state", "system initialization", "fails", "shutdown" and
>> "aborts" and we might be able to help you.
>>
>> Mark





Re: Fail secure state

2016-06-23 Thread Jason Ricles
Fail-secure is a condition achieved by the application server in order
to ensure that in the event of an operational failure, the system does
not enter into an unsecure state where intended security properties no
longer hold

On Thu, Jun 23, 2016 at 3:33 PM, Mark Thomas  wrote:
> On 23/06/2016 20:21, Jason Ricles wrote:
>> Does tomcat have a secure state if system initialization fails,
>> shutdown fails, or aborts fail?
>
> Define "secure state", "system initialization", "fails", "shutdown" and
> "aborts" and we might be able to help you.
>
> Mark
>
>
>




Re: Fail secure state

2016-06-23 Thread Mark Thomas
On 23/06/2016 20:21, Jason Ricles wrote:
> Does tomcat have a secure state if system initialization fails,
> shutdown fails, or aborts fail?

Define "secure state", "system initialization", "fails", "shutdown" and
"aborts" and we might be able to help you.

Mark





Fail secure state

2016-06-23 Thread Jason Ricles
Does tomcat have a secure state if system initialization fails,
shutdown fails, or aborts fail?




Re: I don't understand a recent change released in Tomcat 7.0.70

2016-06-23 Thread Mark Thomas
On 23/06/2016 17:56, Lyallex wrote:
> I'm trying to understand why a recent change in 7.0.70 has been done
> the way it has.
> The change makes absolutely no sense to me and I need to ask the
> implementer why in the name of sanity he did what he did.
> I'm talking to you markt whoever you are :-)
> 
> Where should I ask the question? dev list?
> 
> I couldn't care less how much shouting ensues, I just need to get some sleep.

How about you cut the attitude and just ask your question?

If you are ever unsure where to ask, use the users list.

Mark





I don't understand a recent change released in Tomcat 7.0.70

2016-06-23 Thread Lyallex
I'm trying to understand why a recent change in 7.0.70 has been done
the way it has.
The change makes absolutely no sense to me and I need to ask the
implementer why in the name of sanity he did what he did.
I'm talking to you markt whoever you are :-)

Where should I ask the question? dev list?

I couldn't care less how much shouting ensues, I just need to get some sleep.

Thanks
Lyallex




Re: Incorrect request processing times in server status

2016-06-23 Thread Mohit Chawla
Hey Mark,

Thanks for your reply. The problem is, this happens only for some requests,
not all. For eg., for the manager/status call, it shows the request time
correctly.

Thanks,
Mohit

On Thu, Jun 23, 2016 at 1:12 PM, Mark Thomas  wrote:

> On 23/06/2016 12:11, Mohit Chawla wrote:
> > Hi,
> >
> > Can someone suggest if this should be opened as a bug instead ?
>
> Not a bug. Probably just an unstable system clock.
>
> Mark
>
>
> >
> > Thanks,
> > Mohit
> >
> > On Tue, Jun 21, 2016 at 11:06 AM, Mohit Chawla <
> > mohit.chawla.bin...@gmail.com> wrote:
> >
> >> Hello list,
> >>
> >> On a new tomcat installation I am noticing extremely high values for
> >> request processing times being reported by the server status page. Even if
> >> I restart tomcat and start sending requests again, the request processing
> >> time again shows extremely high values for a few requests. I have tested
> >> this with tomcat 7.0.26 and 7.0.52 on Ubuntu 14.04.
> >>
> >> For example,
> >>
> >> K  1466499689496 ms  ?  ?  10.128.3.236  10.128.3.236  ?  ?
> >>
> >> In reality that request came into the system only a few milliseconds ago.
> >>
> >> Can someone suggest what could be done here ?
> >>
> >> Thanks,
> >>
> >> Mohit
> >>
> >
>
>
>
>


Re: Http2UpgradeHandler error

2016-06-23 Thread Mark Thomas
On 23/06/2016 13:07, Andrei Ivanov wrote:
> On Thu, Jun 23, 2016 at 2:52 PM, Mark Thomas  wrote:
>> On 22/06/2016 21:28, Andrei Ivanov wrote:
>>> Yes, I can test.
>>> 64-bit please.
>>
>> Thanks.
>>
>> It turned out not to be quite as simple as just a tc-native update.
>> You'll need this dll:
>> http://home.apache.org/~markt/dev/tc-native-debug/tcnative-1.dll
>>
>> and these class files:
>> http://home.apache.org/~markt/dev/tc-native-debug/tomcat-8.5.3-patch.zip
>>
>> The dll should replace the tc-native DLL you are currently using.
>>
>> The class files patch the 8.5.3 release. They might work with other
>> versions but if they don't work it won't be pretty. The class files
>> should be unpacked from the zip placed in this directory:
>> $CATALINA_BASE/lib/org/apache/tomcat/util/net
>>
>>
>> Hopefully, everything should now just work when you use TLS. If it
>> doesn't there will be some debug messages written to stdout by tc-native
>> that should give me an idea of what is going wrong.
>>
>> Finally, I need to point out the obvious.
>> The files above are not an official Apache release and are provided
>> solely for debugging this issue only. You use these files at your own risk.
>>
>> Thanks for the offer to help,
>>
>> Mark
>>
> 
> I ran the test, Tomcat doesn't log any more errors, Firefox seems happy :-)
> 
> Tried with Chrome 51.0.2704.103 m, it also seems happy, showing h2
> and/or spdy as protocol when loading various resources of the app.
> 
> Tried MS Edge, but that seems to use HTTP 1.1 for some reason.

Excellent. Thanks for testing this so quickly. The fix will be in the
next releases.

Mark





Re: Http2UpgradeHandler error

2016-06-23 Thread Andrei Ivanov
On Thu, Jun 23, 2016 at 2:52 PM, Mark Thomas  wrote:
> On 22/06/2016 21:28, Andrei Ivanov wrote:
>> Yes, I can test.
>> 64-bit please.
>
> Thanks.
>
> It turned out not to be quite as simple as just a tc-native update.
> You'll need this dll:
> http://home.apache.org/~markt/dev/tc-native-debug/tcnative-1.dll
>
> and these class files:
> http://home.apache.org/~markt/dev/tc-native-debug/tomcat-8.5.3-patch.zip
>
> The dll should replace the tc-native DLL you are currently using.
>
> The class files patch the 8.5.3 release. They might work with other
> versions but if they don't work it won't be pretty. The class files
> should be unpacked from the zip placed in this directory:
> $CATALINA_BASE/lib/org/apache/tomcat/util/net
>
>
> Hopefully, everything should now just work when you use TLS. If it
> doesn't there will be some debug messages written to stdout by tc-native
> that should give me an idea of what is going wrong.
>
> Finally, I need to point out the obvious.
> The files above are not an official Apache release and are provided
> solely for debugging this issue only. You use these files at your own risk.
>
> Thanks for the offer to help,
>
> Mark
>

I ran the test, Tomcat doesn't log any more errors, Firefox seems happy :-)

Tried with Chrome 51.0.2704.103 m, it also seems happy, showing h2
and/or spdy as protocol when loading various resources of the app.

Tried MS Edge, but that seems to use HTTP 1.1 for some reason.

Thank you.




Re: Passing client certificate through Nginx to Tomcat SSL Valve

2016-06-23 Thread Mark Thomas
On 23/06/2016 12:51, Lucas Ventura Carro wrote:


> And here comes the incompatibility: Nginx replaces new lines with tab
> characters, but the valve only tries to change white spaces.
> Shouldn't the SSL Valve be smarter and try to replace one or multiple
> whitespaces (the regex '\s+')? Or at least shouldn't the delimiter
> character be configurable?

Smarter sounds good to me. Why not try and write a patch for this?

On a related topic, I wonder how tolerant
CertificateFactory.generateCertificate() is since that will have an
impact on exactly how smart the SSLValve needs to be.

Mark





Re: Http2UpgradeHandler error

2016-06-23 Thread Mark Thomas
On 22/06/2016 21:28, Andrei Ivanov wrote:
> Yes, I can test.
> 64-bit please.

Thanks.

It turned out not to be quite as simple as just a tc-native update.
You'll need this dll:
http://home.apache.org/~markt/dev/tc-native-debug/tcnative-1.dll

and these class files:
http://home.apache.org/~markt/dev/tc-native-debug/tomcat-8.5.3-patch.zip

The dll should replace the tc-native DLL you are currently using.

The class files patch the 8.5.3 release. They might work with other
versions but if they don't work it won't be pretty. The class files
should be unpacked from the zip placed in this directory:
$CATALINA_BASE/lib/org/apache/tomcat/util/net


Hopefully, everything should now just work when you use TLS. If it
doesn't there will be some debug messages written to stdout by tc-native
that should give me an idea of what is going wrong.

Finally, I need to point out the obvious.
The files above are not an official Apache release and are provided
solely for debugging this issue only. You use these files at your own risk.

Thanks for the offer to help,

Mark





Passing client certificate through Nginx to Tomcat SSL Valve

2016-06-23 Thread Lucas Ventura Carro
I have a webapp which reads an X.509 client certificate from the standard
servlet request attribute:
ServletRequest.getAttribute("javax.servlet.request.X509Certificate").
When Tomcat is the HTTPS endpoint, it works like a charm.
But when there is an Nginx as the HTTPS endpoint, and Tomcat is configured
with HTTP, the certificate (of course) won't be at the attribute unless:
  - Configured Nginx to send it through a header, using its variable
'$ssl_client_cert' [1]
  - Added to Tomcat the SSL Valve [2] (same header as before).

But as a certificate in PEM format, it will contain new lines, and an HTTP
header can't be multilined (header-folding is deprecated [3]).

And here comes the incompatibility: Nginx replaces new lines with tab
characters, but the valve only tries to change white spaces.
Shouldn't the SSL Valve be smarter and try to replace one or multiple
whitespaces (the regex '\s+')? Or at least shouldn't the delimiter
character be configurable?

Thanks!

  [1]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables
  [2]:
https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/SSLValve.html
  [3]: https://tools.ietf.org/html/rfc7230#section-3.2.4
--
Lucas
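
The delimiter-tolerant normalization asked about in the message above, as an added Java example; it is not Tomcat's SSLValve code and not code from this thread. The class and method names are hypothetical, and the sample certificate body is constructed filler, not a real certificate.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

/** Hypothetical helper (not part of Tomcat): rebuilds a PEM certificate from a header value. */
public class PemHeaderNormalizer {
    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";

    /**
     * Accepts a PEM certificate whose line breaks were replaced by a proxy
     * with tabs, spaces or any run of whitespace, and returns canonical PEM.
     */
    static String normalize(String headerValue) {
        if (headerValue == null) {
            throw new IllegalArgumentException("certificate header is missing");
        }
        String v = headerValue.trim();
        if (v.length() <= BEGIN.length() + END.length()
                || !v.startsWith(BEGIN) || !v.endsWith(END)) {
            throw new IllegalArgumentException("header is not a single PEM certificate");
        }
        // Cut the markers off first: "BEGIN CERTIFICATE" itself contains a
        // space, so whitespace must only be rewritten inside the body.
        String base64 = v.substring(BEGIN.length(), v.length() - END.length())
                .replaceAll("\\s+", "");
        // Reject anything that is not base64 before it reaches the parser.
        if (!base64.matches("[A-Za-z0-9+/]+={0,2}")) {
            throw new IllegalArgumentException("unexpected characters in certificate body");
        }
        // Re-wrap at 64 characters per line, the usual PEM layout.
        StringBuilder pem = new StringBuilder(BEGIN).append('\n');
        for (int i = 0; i < base64.length(); i += 64) {
            pem.append(base64, i, Math.min(i + 64, base64.length())).append('\n');
        }
        return pem.append(END).append('\n').toString();
    }

    /** Parses normalized PEM text with the JDK's X.509 CertificateFactory. */
    static X509Certificate parse(String pem) throws CertificateException {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        return (X509Certificate) factory.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    public static void main(String[] args) throws CertificateException {
        if (args.length > 0) {
            // A real header value (for example Nginx's $ssl_client_cert) passed as argument.
            X509Certificate cert = parse(normalize(args[0]));
            System.out.println("subject: " + cert.getSubjectX500Principal());
            return;
        }
        // Constructed sample: base64 of filler bytes, used only to exercise
        // normalize(); it is not a certificate and is never handed to parse().
        byte[] filler = new byte[96];
        for (int i = 0; i < filler.length; i++) {
            filler[i] = (byte) (i * 7);
        }
        String body = Base64.getEncoder().encodeToString(filler); // 128 chars, no padding
        String line1 = body.substring(0, 64);
        String line2 = body.substring(64);
        String expected = BEGIN + "\n" + line1 + "\n" + line2 + "\n" + END + "\n";

        // Tab (what Nginx sends), single space, newline, and a mixed run.
        String[] delimiters = {"\t", " ", "\n", " \t "};
        for (String d : delimiters) {
            String header = BEGIN + d + line1 + d + line2 + d + END;
            if (!normalize(header).equals(expected)) {
                throw new IllegalStateException("normalization differs for delimiter");
            }
            String shown = d.replace("\t", "\\t").replace("\n", "\\n");
            System.out.println("delimiter \"" + shown + "\" -> canonical PEM");
        }
    }
}
```

Run without arguments it checks the four delimiter variants against the same canonical output; run with a real header value as the first argument it also parses the certificate and prints its subject.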


Re: Incorrect request processing times in server status

2016-06-23 Thread Mark Thomas
On 23/06/2016 12:11, Mohit Chawla wrote:
> Hi,
> 
> Can someone suggest if this should be opened as a bug instead ?

Not a bug. Probably just an unstable system clock.

Mark


> 
> Thanks,
> Mohit
> 
> On Tue, Jun 21, 2016 at 11:06 AM, Mohit Chawla <
> mohit.chawla.bin...@gmail.com> wrote:
> 
>> Hello list,
>>
>> On a new tomcat installation I am noticing extremely high values for
>> request processing times being reported by the server status page. Even if
>> I restart tomcat and start sending requests again, the request processing
>> time again shows extremely high values for a few requests. I have tested
>> this with tomcat 7.0.26 and 7.0.52 on Ubuntu 14.04.
>>
>> For example,
>>
>> K  1466499689496 ms  ?  ?  10.128.3.236  10.128.3.236  ?  ?
>>
>> In reality that request came into the system only a few milliseconds ago.
>>
>> Can someone suggest what could be done here ?
>>
>> Thanks,
>>
>> Mohit
>>
> 





Re: Incorrect request processing times in server status

2016-06-23 Thread Mohit Chawla
Hi,

Can someone suggest if this should be opened as a bug instead ?

Thanks,
Mohit

On Tue, Jun 21, 2016 at 11:06 AM, Mohit Chawla <
mohit.chawla.bin...@gmail.com> wrote:

> Hello list,
>
> On a new tomcat installation I am noticing extremely high values for
> request processing times being reported by the server status page. Even if
> I restart tomcat and start sending requests again, the request processing
> time again shows extremely high values for a few requests. I have tested
> this with tomcat 7.0.26 and 7.0.52 on Ubuntu 14.04.
>
> For example,
>
> K  1466499689496 ms  ?  ?  10.128.3.236  10.128.3.236  ?  ?
>
> In reality that request came into the system only a few milliseconds ago.
>
> Can someone suggest what could be done here ?
>
> Thanks,
>
> Mohit
>


Re: sequence of loading jars

2016-06-23 Thread Mark Thomas
On 23/06/2016 11:25, Venkata Reddy P wrote:
> Hi,
> 
> Sometimes I have to deploy the one special jar using on top of existing jar 
> classes for debugging.

Classes always override JARs in Tomcat so unpack the debug classes to
WEB-INF/classes or CATALINA_BASE/lib as appropriate and restart.

Mark

> 
> Thanks
> 
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org] 
> Sent: Thursday, June 23, 2016 3:51 PM
> To: Tomcat Users List
> Subject: Re: sequence of loading jars
> 
> On 23/06/2016 10:59, Venkata Reddy P wrote:
>> Hi,
>>
>> I am using the tomcat8.0.33, is there a way to control the order of 
>> loading the jars from particular folder using class loaders 
>> (common,shared,server)?
> 
> Yes, but why do you want to do that?
> 
>> I would also like to know if there is a way to control the sequence of 
>> loading the jars using "java.ext.dirs" system property?
> 
> That is outside of Tomcat's control. You'll need to look at the docs for your 
> JVM to see how that works.
> 
> Mark
> 
> 
> 
> 





Re: Getting current_statement_cache in tomcat jdbc connection pool

2016-06-23 Thread Mark Thomas
On 23/06/2016 11:06, Manisha Sapiah wrote:
> Hi ,
> 
> Is there any way to get current_statement_cache in tomcat jdbc connection 
> pool.

No, given that there is no such field or variable to be found anywhere
in the current 9.0.x code.

Mark





RE: sequence of loading jars

2016-06-23 Thread Venkata Reddy P
Hi,

Sometimes I have to deploy the one special jar using on top of existing jar 
classes for debugging.

Thanks

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Thursday, June 23, 2016 3:51 PM
To: Tomcat Users List
Subject: Re: sequence of loading jars

On 23/06/2016 10:59, Venkata Reddy P wrote:
> Hi,
> 
> I am using the tomcat8.0.33, is there a way to control the order of 
> loading the jars from particular folder using class loaders 
> (common,shared,server)?

Yes, but why do you want to do that?

> I would also like to know if there is a way to control the sequence of 
> loading the jars using "java.ext.dirs" system property?

That is outside of Tomcat's control. You'll need to look at the docs for your 
JVM to see how that works.

Mark






Re: sequence of loading jars

2016-06-23 Thread Mark Thomas
On 23/06/2016 10:59, Venkata Reddy P wrote:
> Hi,
> 
> I am using the tomcat8.0.33, is there a way to control the order of
> loading the jars from particular folder using class loaders
> (common,shared,server)?

Yes, but why do you want to do that?

> I would also like to know if there is a way to control the sequence
> of loading the jars using "java.ext.dirs" system property?

That is outside of Tomcat's control. You'll need to look at the docs for
your JVM to see how that works.

Mark




Getting current_statement_cache in tomcat jdbc connection pool

2016-06-23 Thread Manisha Sapiah
Hi ,

Is there any way to get current_statement_cache in tomcat jdbc connection pool.

Many Thanks in advance.



sequence of loading jars

2016-06-23 Thread Venkata Reddy P
Hi,

I am using the tomcat8.0.33, is there a way to control the order of loading the 
jars from particular folder using class loaders (common,shared,server)?

I would also like to know if there is a way to control the sequence of loading 
the jars using "java.ext.dirs" system property?

Many Thanks in advance.


want to know about how to post comment

2016-06-23 Thread Manisha Sapiah