Re: OutOfMemoryError: PermGen space

2016-07-14 Thread Román Valoria
Cris:

Couple of things here.

First, with any Java 6 Update 45 and above you can use the Java Visual VM to
monitor in real time the memory utilization of the Java virtual machine.
This will show you both the Heap and Perm Gen memory graphs. You can find
this tool in the bin directory of any JDK.

Second, you can issue some Java parameters to actually enlarge the PermGen
memory allocation upon startup. Please refer to your Java version's
documentation on Oracle and look up the -XX parameters.

You can start by enlarging your PermGen space and then monitoring the
behavior in the Visual VM; if you consistently run out of memory, then you
may have a leak.

Of course you would be constrained by the fact of running a 32-bit or
64-bit Tomcat / Java environment.


On Fri, Jul 15, 2016 at 2:26 AM, Berneburg, Cris J. - US <
cberneb...@caci.com> wrote:

> Hi Folks
>
> I got this error from the Tomcat Web Application Manager after having
> stopped and started one of the applications multiple times.  (This was
> after repeatedly deploying the application manually to attempt to find a
> bug that I could not reproduce in my IDE.)  Once the error occurred, the
> server was extremely sluggish to respond even to remote desktop mouse and
> keyboard events.
>
> FYI, I deploy the app by stopping it on the Tomcat web manager, deleting
> almost everything out of the app folder using file manager, copying the new
> files and folders in, then starting the app from the Tomcat manager.
>
> Here's the error:
>
> FAIL - Application at context path /someapp could not be started
> FAIL - Encountered exception java.lang.OutOfMemoryError: PermGen space
>
> Is this likely due to a memory leak in my application?  Or does it have
> something to do with me doing so many repeated deployments?  Or perhaps
> simply from restarting the app so many times?  I might try an experiment to
> see how many times I can stop/start the app before the error next occurs.
>
> OS: Win Server 2012 R2
> Java: 1.6.0_24  (oops, need to upgrade that now)
> Tomcat: 6.0.37  (hmm... will need to upgrade soon-ish)
>
> --
> Cris Berneburg, Lead Software Engineer, CACI
>
>


Re: Tomcat FREAK Issue

2016-07-14 Thread uzair rashid
Hello Chris,

We are using Tomcat version: 6.0.36.0

JRE 1.6.0

Do you think I need to change the settings to the following:

Really look forward to your expertise on this.


Thank you





On Thu, Jul 14, 2016 at 7:07 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Uzair,
>
> On 7/14/16 10:12 AM, uzair rashid wrote:
> > Running Tomcat 6.x
>
> Which one exactly?
>
> > and every week during vulnerability scans we are having the
> > following results:
> >
> > Vulnerability References:
> >
> > SSL/TLS Server Factoring RSA Export Keys (FREAK) vulnerability
> >
> > Impact: Exploitation allows an attacker to bypass security
> > restrictions on the targeted host. Solution: Disable RSA_EXPORT
> > cipher suites. Do not use temporary RSA key multiple times
> > Result: #table cols=2 Public key source key size Public key in
> > certificate 2048(bits) Temporary RSA key 512(bits)
> >
> > [snip]
> >
> > 
> >  > SSLEnabled="true" minSpareThreads="25" enableLookups="false"
> > disableUploadTimeout="true" acceptCount="100" scheme="https"
> > secure="true" clientAuth="false" sslProtocol="TLS"
> > sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> > ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_
> 128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES
> _256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SH
> A,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
> >
> >
> SSLCipherSuite="!EXPORT"
>
> Are you using tcnative+APR+OpenSSL or JSSE? "ciphers" is for JSSE and
> SSLCipherSuite is for tcnative+APR+OpenSSL. In either case you should be
> good.
>
> What version of Java are you using?
>
> - -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


Re: Facing issue while configuring SSL

2016-07-14 Thread Román Valoria
Dear all:

The issue was solved once the full path to the certificates was used; it
had been compounded by several factors.

The SSL certificate was created using the wrong FQDN, which meant that the
hostname to IP address resolution done by the browser was failing. The
telnet command was done using the wrong FQDN, while openssl was using
localhost. On top of that, since the FQDN to IP resolution was not working,
Devendra had created a host alias in the local hosts file, which further
complicated troubleshooting.

After removing all aliasing from the local hosts file, and doing an nslookup
from another machine in the network using the short host name, I managed to
obtain the FQDN and the IP address.

Then, when connecting from another machine with either, we got the
certificate warning (as the SSL certificate CN does not match the real
FQDN).

This was also further complicated by the server.xml APR parameter
SSLVerifyClient, which was set to optional and thus I was getting a pop-up
window to choose a certificate upon connection from a browser.

So after we changed the SSLVerifyClient to none, and once we have re-issued
the SSL certificate with the correct FQDN, we should be fine.

The certificate is still being generated, but I am sure this will
definitively fix the issue.

Thanks for your support.

Bottom line, the error message was correct all along; we were simply
configuring the SSL certificate parameters in server.xml with a relative
path and we should have used an absolute path.

On Thu, Jul 14, 2016 at 8:22 PM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Devendra,
>
> On 14.7.2016 10:38, Devendra Sengar wrote:
>
>> But the Tomcat server starts without any error, though I am not able to
>> open the Tomcat home page; it gives an error like:
>> This site can’t be reached
>> The webpage at *https://:8443/* might be temporarily down or it
>> may have moved permanently to a new web address.
>>
>> If I telnet the server then it is not able to connect, but if I use openssl
>> s_client -connect it shows the certificate information.
>> Any suggestion?
>>
>
> The symptoms you are describing are very strange. It is unlikely that
> telnetting to the HTTPS port (which basically just opens a TCP connection)
> won't work, while connecting with openssl (which opens a TCP connection AND
> starts the HTTPS handshake) does work.
>
> Could you test one more time, and send us the exact commands you used and
> the exact output you got. Also, send us the Tomcat log messages so we could
> verify the HTTPS APR connector port.
>
> -Ognjen
>
>
>
>


Re: Tomcat FREAK Issue

2016-07-14 Thread Christopher Schultz

Uzair,

On 7/14/16 10:12 AM, uzair rashid wrote:
> Running Tomcat 6.x

Which one exactly?

> and every week during vulnerability scans we are having the
> following results:
> 
> Vulnerability References:
> 
> SSL/TLS Server Factoring RSA Export Keys (FREAK) vulnerability
> 
> Impact: Exploitation allows an attacker to bypass security
> restrictions on the targeted host. Solution: Disable RSA_EXPORT
> cipher suites. Do not use temporary RSA key multiple times
> Result: #table cols=2 Public key source key size Public key in
> certificate 2048(bits) Temporary RSA key 512(bits)
> 
> [snip]
> 
>  
>  SSLEnabled="true" minSpareThreads="25" enableLookups="false" 
> disableUploadTimeout="true" acceptCount="100" scheme="https" 
> secure="true" clientAuth="false" sslProtocol="TLS" 
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" 
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_
128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES
_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SH
A,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
>
> 
SSLCipherSuite="!EXPORT"

Are you using tcnative+APR+OpenSSL or JSSE? "ciphers" is for JSSE and
SSLCipherSuite is for tcnative+APR+OpenSSL. In either case you should be
good.

What version of Java are you using?

- -chris



Re: How do I start and stop just the tomcat admin application from a command line?

2016-07-14 Thread Christopher Schultz

Paul,

On 7/14/16 12:43 PM, Paul Roubekas wrote:
> How do I start and stop just the tomcat admin application from a
> command line?  I had someone try to guess the password to my
> Tomee-Plume server last night. Thankfully I changed the default
> password and the hacker only tried twice.

Note that there is no default password in current Tomcat versions.

> I want to be able to keep the admin application closed most of the
> time. On the rare occasion that I need access to the tomcat admin
> console I would like to start it up only for a brief period of time
> and then stop it.  Internet searches showed me how to stop other 
> applications using the tomcat admin application.  I want to stop
> just the Tomcat admin application not the whole server.

$ rm -rf webapps/manager

Or, if you want to be able to put it back:

$ mv webapps/manager .

That's if you have autodeployment enabled. If you don't, you'll have
to use the manager to undeploy itself. Then you're stuck, because you
can't re-deploy it.

A better solution might be to use the RemoteAddrValve to restrict
access to the manager application to a select IP range. The default
configuration for it (shipped disabled) in the
manager/META-INF/context.xml restricts access to localhost, but it can
easily be extended to your own local subnet e.g.
"192\.168\.\d+\.\d+|10\.0\.\d+\.\d+", etc.

- -chris



Re: question on Java / Tomcat / GC

2016-07-14 Thread Christopher Schultz

David,

On 7/14/16 5:37 PM, David Kerber wrote:
> On 7/14/2016 1:41 PM, André Warnier (tomcat) wrote:
>> Hi Java GC gurus.
>> 
>> I am coming for a bit of expert advice, not for a problem.
>> 
>> At some customer site, some applications appear to react
>> somewhat slowly sometimes, although these are not very heavy
>> applications, and traffic on the site is also not very high.
>> 
>> Among several other things I'm looking at, wondering if this might
>> have something to do with Java/Tomcat running out of memory, and
>> perhaps doing excessive GC's, I set up GC logging. Below I am
>> pasting that small Java GC log. This is running tomcat 6 still,
>> the java versions and tomcat JVM relevant switches are shown in
>> the log. I am starting the tomcat JVM with "-Xms1024M -Xmx1024M",
>> and no other non-default settings regarding memory management or
>> GC type.
>> 
>> I take it that in the log below, the first number on the left is
>> a timestamp in "seconds , thousandths of a second".
> 
> What version of java are you running under?  Since you're running a
> very old Tomcat version, you might be running an old java too, and
> Java itself has had some significant performance improvements over
> the years.

Good news! I have obtained Pid's crystal ball. It says:

Java HotSpot(TM) 64-Bit Server VM (25.51-b03) for linux-amd64 JRE
(1.8.0_51-b16), built on Jun  8 2015 19:28:07 by "java_re" with gcc
4.3.0 20080428 (Red Hat 4.3.0-8)

(Note that the first time I asked it, it said "Ask Again Later". This
was the second response.)

But unfortunately, I am bound by the same rules as Pid was: we only
get to use it once every decade. So I guess maybe it was a waste this
time.

- -chris



Re: SSL/TLS and ciphers vulnerability

2016-07-14 Thread Christopher Schultz

Mark,

On 7/14/16 4:14 PM, Mark Thomas wrote:
> On 14/07/2016 19:36, uzair rashid wrote:
>> Jeffrey,
>> 
>> Working for a corporation that has strict ssl and security
>> requirements.. There is no way to use the tools you suggested,
>> since the tomcat URLs are not exposed.
> 
> That doesn't stop you setting up a stand-alone test instance using
> the same settings (with a different cert if you are especially
> paranoid) and checking those settings using the excellent ssllabs.
> 
> Keeping your Tomcat and JVM versions up to date will also help.
> The Tomcat team periodically reviews Tomcat's default TLS
> configuration and adjusts it accordingly. For details of the most
> recent review see: https://wiki.apache.org/tomcat/Security/Ciphers

A few thoughts:

1. Since Tomcat can take OpenSSL-style cipher suites configuration, is
there a way to ask Tomcat to take an OpenSSL 'ciphers' specification
and have it emit the JSSE equivalent? I know Tomcat does this
internally, but can it dump the configuration for debugging purposes?

2. The OpenSSL cipher specs on the "Ciphers" page above only include
"HIGH" ciphers, which is appropriate for today's safety, but they don't
prioritize them in any particular way. This may be the default for
OpenSSL, but I typically prioritize ECDHE and ECDH ciphers before the
other ones in the HIGH category.

3. There's usually no reason to include the "PSK" (pre-shared key)
ciphers in your server's cipher spec, so I always disable those as well.

4. It's fairly important to enable "server-order" cipher suite
selection, so that the server's preferences are used over the client's
preferences, in case you have a lay client who would choose a trivial
cipher if it were available. This is, for example, how older versions
of MSIE behave: they REALLY prefer to use cipher suites using RC4 even
if higher-grade ones are available. Of course, you should really
disable cipher suites you aren't willing to use, but sometimes you
just HAVE to include some really bad ciphers in the list in order to
support super-old clients.

5. Many people don't know about the "Unlimited Strength Policy Files".
I've been thinking that we might want to issue an INFO message at
startup if TLS/JSSE is in use and the "Unlimited Strength Policy
Files" aren't available. This may encourage more people to install
them. Unfortunately, I don't know of a way to install those files
without modifying the JRE being used to launch the JVM. If anyone
knows how they can be installed just for one application (Tomcat), it
would be nice to provide a guide for how to do that.

6. Qualys has a tool called ssllabs-scan available on GitHub:
https://github.com/ssllabs/ssllabs-scan/

I haven't read through the code yet, but I suspect it's a copy of the
whole scanner and doesn't "phone home" (except maybe to grab the
latest configuration and scoring rules). This may make it possible to
scan some of those internal servers that aren't facing the public
Internet (and therefore can't be scanned directly using ssllabs'
web-based tool). It may also speed up the scanning of a site, since
their web-based tool is throttled to avoid using it as a DOS tool.

The existence of the ssllabs-scan tool means it's also possible to
set up automated periodic scanning of your own site(s). If you expect
to get an "A" rating and one day you aren't "A" quality any more, you
should get an alarm without having to remember to manually run the
web-based tool when you get around to doing it.

Have fun. Be safe.

- -chris
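Points 2 to 4 above are about how an OpenSSL-style cipher spec (the syntax Tomcat accepts) expands and orders its suites. The Python below is an added example, not code from the message or from Tomcat: it hands two constructed specs to the OpenSSL linked into Python's ssl module and reports whether PSK suites are gone and whether ECDHE suites lead the list. The spec strings, the helper names (expand_spec, audit) and the property names in the result are assumptions of this example; the concrete suite names depend on the OpenSSL build, the properties checked do not.

```python
import ssl
from typing import Dict, List

# Two constructed OpenSSL-style cipher specs. PLAIN_HIGH is the "HIGH only"
# approach; TUNED adds the adjustments from the message: ECDHE suites first and
# PSK suites removed. Anonymous and null suites are excluded in both.
PLAIN_HIGH = "HIGH:!aNULL:!eNULL"
TUNED = "ECDHE+HIGH:HIGH:!PSK:!aNULL:!eNULL"


def expand_spec(spec: str) -> List[str]:
    """Expand an OpenSSL cipher spec into the ordered TLS<=1.2 suite names.

    Uses the OpenSSL linked into Python's ssl module, so the concrete list
    depends on that build. TLS 1.3 suites (named TLS_*) are not governed by
    the spec on OpenSSL 1.1.1+ and are filtered out. OP_CIPHER_SERVER_PREFERENCE
    is the OpenSSL-side equivalent of server-order selection (point 4).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def audit(spec: str) -> Dict[str, object]:
    """Properties an operator wants to confirm about the expanded list."""
    names = expand_spec(spec)
    # index of the first suite that is not ECDHE; everything before it is ECDHE
    first_other = next((i for i, n in enumerate(names) if not n.startswith("ECDHE-")), len(names))
    return {
        "count": len(names),
        "has_psk": any("PSK" in n for n in names),
        "has_null_or_anon": any("NULL" in n or n.startswith(("ADH", "AECDH")) for n in names),
        # True when no ECDHE suite appears after a non-ECDHE one
        "ecdhe_first": not any(n.startswith("ECDHE-") for n in names[first_other:]),
        "leading_ecdhe": first_other,
        "first": names[:3],
    }


if __name__ == "__main__":
    for label, spec in (("HIGH only", PLAIN_HIGH), ("tuned", TUNED)):
        print(label, audit(spec))
```

This shows the OpenSSL side only: a tcnative/APR connector uses its own OpenSSL, and a JSSE connector translates the spec to JSSE names internally (point 1), so the final list on a given Tomcat can differ. On the JSSE side the server-order knob is the connector's useServerCipherSuitesOrder attribute.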



Re: java

2016-07-14 Thread Christopher Schultz

Ambica,

On 7/14/16 4:31 PM, Sanka, Ambica wrote:
> Is anyone facing issues with security from jdk1.8.0_51 onwards?
> We wrote a Valve in tomcat that connects to our ldap and gets user
> roles and groups. We connect ldap through ssl certificate. Our ldap
> ssl Certificate is working  fine till jdk1.8.0_45. From jdk1.8.0_51
> , our applications are failing with below error
> 
> SEVERE: Naming Exception occured 
> javax.naming.ServiceUnavailableException: ldap.atpco.net:636;
> socket closed; remaining name
> 
> I also posted this question in java community. But no response.

Can you post the full stack trace? It also looks like the full error
message is being truncated: "remaining name" looks like it's incomplete.

- -chris



Re: A complex issue concerning the application lifecycle, MBeans and Spring

2016-07-14 Thread Guido Jäkel
On 14.07.2016 22:09, Mark Thomas wrote:
> On 14/07/2016 21:14, Mark Thomas wrote:
>> On 14/07/2016 09:26, Jäkel, Guido wrote:
> 
> 
> 
>>> So maybe there should be a special code path in case of an ongoing 
>>> initialization on the top like the 'if(unloading)' clause. The note states, 
>>> that one can't decide if a Servlet implements SingleThreadModel until 
>>> loading. So maybe on startup this must be answered in a "conservative way" 
>>> (if possible) or thrown back with an exception. If this will lead to an 
>>> overall exception for the MBean request, this might be "the right thing", 
>>> because at least one of the returned information can't be answered yet at 
>>> this moment (during initialization of the servlet).
>>
>> 
>>
>> Something along those lines, yes.
> 
> Fixed in svn for:
> 9.0.0.M10 onwards
> 8.5.5 onwards
> 8.0.37 onwards
> 7.0.71 onwards

Dear Mark,

thank you a lot for giving your time and knowledge to follow and confirm my 
thoughts on this complex and inscrutable issue and fixing it at the core within 
a day!

I took a look at  http://svn.apache.org/viewvc?view=revision=1752739  
and found that you picked up my suggestion of "a conservative way to answer 
the question about isSingleThreadModel()". I was about to use the term 
"three-state", but I just forgot that in Java one may code this in this 
elegant way.

I'm already on a short holiday until Monday, but I can start to verify it right 
then. Because I'm using Gentoo Linux, I might bump the ebuild to this version 
within minutes, if an official source tarball is already available then. Or I 
may apply it as a patch to the 8.0.32 because it's just a few lines.

I'll give feedback ASAP. Our home-brewed "Multi-Tomcat Monitoring Scoreboard" 
is an excellent stress test ;)

greetings

Guido







Re: question on Java / Tomcat / GC

2016-07-14 Thread David Kerber

On 7/14/2016 1:41 PM, André Warnier (tomcat) wrote:
> Hi Java GC gurus.
>
> I am coming for a bit of expert advice, not for a problem.
>
> At some customer site, some applications appear to react somewhat
> slowly sometimes, although these are not very heavy applications, and
> traffic on the site is also not very high.
>
> Among several other things I'm looking at, wondering if this might have
> something to do with Java/Tomcat running out of memory, and perhaps
> doing excessive GC's, I set up GC logging.
>
> Below I am pasting that small Java GC log.
> This is running tomcat 6 still, the java versions and tomcat JVM
> relevant switches are shown in the log.
> I am starting the tomcat JVM with "-Xms1024M -Xmx1024M", and no other
> non-default settings regarding memory management or GC type.
>
> I take it that in the log below, the first number on the left is a
> timestamp in "seconds , thousandths of a second".

What version of java are you running under?  Since you're running a very 
old Tomcat version, you might be running an old java too, and Java 
itself has had some significant performance improvements over the years.







Re: SSL inconsistency

2016-07-14 Thread Mark Thomas
On 14/07/2016 15:09, i...@flyingfischer.ch wrote:
> While testing locally the new 8.5 branch, I did experience some
> inconsistency with self-signed SSL certs. I did manage to resolve them
> by installing Tomcat-Native library / APR, but maybe it is still worth
> reporting in regard of the different behaviour for the same cert,
> between Tomcat versions and configurations.
> 
> I didn't want to file a bug, since this very likely is a configuration
> and/or self-signed cert problem.
> 
> Thanks for considering.
> 
> Markus
> 
> Tomcat 8, works fine.
> Tomcat 8.5  error => Alias name tomcat does not identify a key entry
> 
> URIEncoding="UTF-8"
>clientAuth="false"
>keystoreType="PKCS12"
>keystoreFile="[path-to]/localhost.p12"
>keystorePass="tomcat"
>maxThreads="150"
>port="8443"
>protocol="HTTP/1.1"
>scheme="https"
>secure="true"
>sslProtocol="TLS"/>
> 
> ---
> 
> Tomcat 8.5, same cert, starts fine but throws on first SSL invocation:
> 
> java.lang.IllegalArgumentException: Invalid character found in method
> name. HTTP method names must be tokens
> 
>  sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>port="8443"
>URIEncoding="UTF-8"
>clientAuth="false"
>keystoreType="PKCS12"
>keystoreFile="[path-to]/localhost.p12"
>keystorePass="tomcat"
>maxThreads="150"
>scheme="https"
>secure="true"
>sslProtocol="TLS" />

Entirely expected. You haven't set SSLEnabled="true" so the connector is
expecting HTTP, not HTTPS.

> Tomcat 8.5, new cert
> Tomcat-Native / APR disabled
> 
> Failed to initialize end point associated with ProtocolHandler
> ["https-jsse-nio-8443"]
> java.security.KeyStoreException: Cannot store non-PrivateKeys
> 
> Same cert works with Tomcat-Native / APR enabled
> 
>  protocol="org.apache.coyote.http11.Http11NioProtocol"
>maxThreads="150" secure="true" scheme="https"
> SSLEnabled="true" defaultSSLHostConfigName="localhost">
> 
>   certificateFile="[path-to]/localhost.crt"
>  type="RSA" />
> 
> 

You don't say which 8.5.x version. While I can't repeat this exact
error, I can create a similar problem with 8.5.4 where PEM files (i.e. the
standard OpenSSL format) do not work with a JSSE connector.

I've fixed this issue for 8.5.5.


> Also works with protocol="org.apache.coyote.http11.Http11AprProtocol"
> with Tomcat-Native / APR enabled

That appears to confirm that it was the PEM -> JSSE conversion that was
broken, since that conversion is not required for APR/native.

Mark
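Mark's explanation here (a connector with scheme="https"/secure="true" but no SSLEnabled="true" speaks plain HTTP, which is why a TLS client gets "Invalid character found in method name") and the FREAK thread above (an RSA_EXPORT suite still present in the cipher list) are both mistakes that can be caught by reading server.xml. The Python below is an added example, not from either message or from Tomcat: it lints a constructed server.xml fragment for both problems. The 8443 connector copies the attributes Markus posted; the 8444, 8445 and 8080 connectors, the export suite on 8445, the marker list and the function name lint_connectors are constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed server.xml fragment. 8443 mirrors the connector posted in the
# thread (no SSLEnabled); 8444 is the same connector corrected; 8445 carries a
# JSSE cipher list that still names an RSA_EXPORT suite; 8080 is plain HTTP.
SAMPLE_SERVER_XML = """\
<Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
             keystoreType="PKCS12" keystoreFile="[path-to]/localhost.p12"
             keystorePass="tomcat" clientAuth="false" sslProtocol="TLS"/>
  <Connector port="8444" protocol="HTTP/1.1" scheme="https" secure="true"
             SSLEnabled="true"
             keystoreType="PKCS12" keystoreFile="[path-to]/localhost.p12"
             keystorePass="tomcat" clientAuth="false" sslProtocol="TLS"/>
  <Connector port="8445" protocol="HTTP/1.1" scheme="https" secure="true"
             SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service>
"""

# Substrings that identify export-grade, null, RC4, single-DES and anonymous
# suites in JSSE's TLS_*/SSL_* naming scheme ("_DES_" does not hit 3DES).
WEAK_SUITE_MARKERS = ("_EXPORT_", "_NULL_", "_RC4_", "_DES_", "_anon_")


def lint_connectors(server_xml: str) -> Dict[str, List[str]]:
    """Return {port: [finding, ...]} for every <Connector> in the fragment."""
    findings: Dict[str, List[str]] = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        problems: List[str] = []
        looks_https = conn.get("scheme") == "https" or conn.get("secure") == "true"
        ssl_enabled = conn.get("SSLEnabled", "false").lower() == "true"
        if looks_https and not ssl_enabled:
            # scheme/secure only label the request; without SSLEnabled the
            # connector speaks plain HTTP and a TLS ClientHello is parsed as
            # an HTTP request line, hence "Invalid character found in method name".
            problems.append('HTTPS intended but SSLEnabled="true" is missing')
        if ssl_enabled:
            suites = [s.strip() for s in conn.get("ciphers", "").split(",") if s.strip()]
            for suite in suites:
                if any(marker in suite for marker in WEAK_SUITE_MARKERS):
                    problems.append(f"weak cipher suite configured: {suite}")
        findings[port] = problems
    return findings


if __name__ == "__main__":
    for port, problems in lint_connectors(SAMPLE_SERVER_XML).items():
        print(port, problems or "ok")
```

The cipher check only reads the JSSE-style `ciphers` attribute; an APR/tcnative connector configures the same thing through `SSLCipherSuite` in OpenSSL syntax, where the remedy from the FREAK thread is the `!EXPORT` exclusion rather than a list to inspect suite by suite.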




java

2016-07-14 Thread Sanka, Ambica
Hi,

Is anyone facing issues with security from jdk1.8.0_51 onwards? We wrote a 
Valve in Tomcat that connects to our LDAP and gets user roles and groups. We 
connect to LDAP through an SSL certificate. Our LDAP SSL certificate is working 
fine up to jdk1.8.0_45. From jdk1.8.0_51 on, our applications are failing with 
the below error:

SEVERE: Naming Exception occuredjavax.naming.ServiceUnavailableException: 
ldap.atpco.net:636; socket closed; remaining name

I also posted this question in the Java community, but got no response.

Any help is appreciated.

Thanks in advance,

Ambica.



Re: SSL/TLS and ciphers vulnerability

2016-07-14 Thread Mark Thomas
On 14/07/2016 19:36, uzair rashid wrote:
> Jeffrey,
> 
> Working for a corporation that has strict ssl and security requirements..
> There is no way to use the tools you suggested, since the tomcat URLs are
> not exposed.

That doesn't stop you setting up a stand-alone test instance using the
same settings (with a different cert if you are especially paranoid) and
checking those settings using the excellent ssllabs.

Keeping your Tomcat and JVM versions up to date will also help. The
Tomcat team periodically reviews Tomcat's default TLS configuration and
adjusts it accordingly.
For details of the most recent review see:
https://wiki.apache.org/tomcat/Security/Ciphers

Mark

> 
> On Thu, Jul 14, 2016 at 8:41 AM, Jeffrey Janner > wrote:
> 
>> Hi folks,
>>
>> I've been off the list for a bit, getting ducks in a row here and
>> everything.
>> I noticed a number of posts about SSL & TLS security settings lately and I
>> wanted to point out that maintaining your SSL configurations is an on-going
>> process.
>> New exploits are discovered and released quite often, and often the fault
>> lies with a cipher and not necessarily an overall SSL/TLS protocol.
>> So using a cipher list like "all except RC4" is probably not sufficient
>> anymore.
>> And what is secure may depend completely on the SSL/TLS software you use,
>> be it OpenSSL or Java's built in SSL libraries.
>> For example, with OpenSSL, you should be using 1.0.1t or higher, and even
>> then only TLS1.2 with a handful of ciphers.
>> I'm not sure what the recommended options for java's libraries are at the
>> moment.
>> A really good, free tool is Qualys' SSL Labs server test tool located at:
>> https://www.ssllabs.com/ssltest/
>> Run that against your implementation and follow its recommendations.
>>
>> Of course, at the end of the day, it will be up to you and your firm to
>> decide what risks you are willing to take with your SSL communications and
>> whether or not you need to support insecure browsers, i.e. browsers that
>> cannot negotiate up to the most secure protocol and ciphers.
>>
>> Jeffrey Janner
>> p.s. Qualys also has a test suite for the browsers that you use.
>>
>>
> 





Re: A complex issue concerning the application lifecycle, MBeans and Spring

2016-07-14 Thread Mark Thomas
On 14/07/2016 21:14, Mark Thomas wrote:
> On 14/07/2016 09:26, Jäkel, Guido wrote:



>> So maybe there should be a special code path in case of an ongoing 
>> initialization on the top like the 'if(unloading)' clause. The note states, 
>> that one can't decide if a Servlet implements SingleThreadModel until 
>> loading. So maybe on startup this must be answered in a "conservative way" 
>> (if possible) or thrown back with an exception. If this will lead to an 
>> overall exception for the MBean request, this might be "the right thing", 
>> because at least one of the returned information can't be answered yet at 
>> this moment (during initialization of the servlet).
> 
> 
> 
> Something along those lines, yes.

Fixed in svn for:
9.0.0.M10 onwards
8.5.5 onwards
8.0.37 onwards
7.0.71 onwards

Mark




Re: question on Java / Tomcat / GC

2016-07-14 Thread Leon Rosenberg
On Thu, Jul 14, 2016 at 9:15 PM, Anthony Biacco  wrote:

> On Thu, Jul 14, 2016 at 11:41 AM, André Warnier (tomcat) 
> wrote:
>
> >
> Well, I'm not a GC expert by any stretch of the imagination, but I think
> with your PrintGC options the "GC (System.gc())" and the "Full GC
> (System.gc())" are the same GC.
> Since they're consistent at every hour, the application may be calling the
> System.gc
> You may want to check the code if you have access to it.
>
> -Tony
>

If you don't have access to the code you could just disable the gc
(recommended anyway):

-XX:+DisableExplicitGC

Since the app is running in tomcat6 it must be old, and a lot has been
happening with the gc since tomcat6 time.

Btw, you may want to add -XX:+PrintGCDetails for more insights into spaces.

Also shouldn't -XX:+UseParallelGC be default since 1.7?


regards

leon


Re: A complex issue concerning the application lifecycle, MBeans and Spring

2016-07-14 Thread Mark Thomas
On 14/07/2016 09:26, Jäkel, Guido wrote:
> Hi Mark,
> 
> OK - as a newbie I read this from the stack trace: ...
> 
>> 20160713-161427.340 ERROR [catalina-exec-64] [] [[/]] 
>> StandardWrapper.Throwable
>> [...]
>>at 
>> org.springframework.web.servlet.HttpServletBean.init(HttpServletBean.java:136)
>>at javax.servlet.GenericServlet.init(Unknown Source)
>>at org.apache.catalina.core.StandardWrapper.initServlet(Unknown 
>> Source)
>>at org.apache.catalina.core.StandardWrapper.loadServlet(Unknown 
>> Source)
>>at org.apache.catalina.core.StandardWrapper.allocate(Unknown Source)
>> 2)at 
>> org.apache.catalina.core.StandardWrapper.isSingleThreadModel(Unknown Source)
>>at sun.reflect.GeneratedMethodAccessor178.invoke(Unknown Source)
>>at 
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>at java.lang.reflect.Method.invoke(Method.java:497)
>> 1)at org.apache.tomcat.util.modeler.BaseModelMBean.getAttribute(Unknown 
>> Source)
>>at 
>> com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getAttribute(DefaultMBeanServerInterceptor.java:647)
>>at 
>> com.sun.jmx.mbeanserver.JmxMBeanServer.getAttribute(JmxMBeanServer.java:678)
>>at org.apache.catalina.mbeans.MBeanDumper.dumpBeans(Unknown Source)
>  [...]
> 
> It seems to me that "all reading is passive" doesn't hold because the call to 
> getAttribute() at 1) will invoke the MBean and this leads to the call of 
> isSingleThreadModel at 2) -- I don't see why at the moment.

Your analysis is spot on. I only reviewed the StandardContext
attributes. I didn't look at StandardWrapper.



> So maybe there should be a special code path in case of an ongoing 
> initialization on the top like the 'if(unloading)' clause. The note states, 
> that one can't decide if a Servlet implements SingleThreadModel until 
> loading. So maybe on startup this must be answered in a "conservative way" 
> (if possible) or thrown back with an exception. If this will lead to an 
> overall exception for the MBean request, this might be "the right thing", 
> because at least one of the returned information can't be answered yet at 
> this moment (during initialization of the servlet).



Something along those lines, yes.

Mark




Re: question on Java / Tomcat / GC

2016-07-14 Thread Mark Thomas
On 14/07/2016 20:15, Anthony Biacco wrote:



> Since they're consistent at every hour, the application may be calling the
> System.gc

That sounds like this bug:
https://bz.apache.org/bugzilla/show_bug.cgi?id=53267

Mark
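Tony's observation above (explicit full GCs exactly once an hour), Leon's suggestion of -XX:+DisableExplicitGC and Mark's pointer to bug 53267 all rest on something you can confirm from the GC log first. The Python below is an added example, not code from this thread: it parses constructed HotSpot GC log lines in the format André describes (leading timestamp in seconds since JVM start, as printed by -XX:+PrintGC -XX:+PrintGCTimeStamps), picks out the explicit full collections, and reports whether their spacing is hourly and how much pause time they cost. The log lines, their numbers and the helper names (explicit_full_gcs, intervals, looks_periodic, analyse) are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed GC log lines: three explicit full collections arrive one hour
# apart between ordinary young collections. The sizes and pauses are invented.
SAMPLE_GC_LOG = """\
1800.412: [GC (Allocation Failure)  279M->94M(1024M), 0.0312345 secs]
3600.101: [Full GC (System.gc())  512M->120M(1024M), 0.8523410 secs]
5400.877: [GC (Allocation Failure)  301M->101M(1024M), 0.0298765 secs]
7200.301: [Full GC (System.gc())  530M->122M(1024M), 0.9012340 secs]
9000.050: [GC (Allocation Failure)  295M->99M(1024M), 0.0301234 secs]
10800.201: [Full GC (System.gc())  525M->121M(1024M), 0.8876540 secs]
"""

# Java 8 prints the cause as "(System.gc())"; Java 6/7 print "(System)".
EXPLICIT_CAUSES = ("(System.gc())", "(System)")
# timestamp, collection kind and the pause at the end of the line
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+): \[(?P<kind>Full GC|GC) .*?, (?P<pause>\d+\.\d+) secs\]")


def explicit_full_gcs(log_text: str) -> List[Tuple[float, float]]:
    """(timestamp, pause_seconds) for every explicit full collection."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("kind") != "Full GC":
            continue
        if any(cause in line for cause in EXPLICIT_CAUSES):
            events.append((float(m.group("ts")), float(m.group("pause"))))
    return events


def intervals(timestamps: List[float]) -> List[float]:
    """Seconds between consecutive timestamps."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def looks_periodic(gaps: List[float], period: float = 3600.0, tolerance: float = 60.0) -> bool:
    """True when there are at least two gaps and all sit within tolerance of period."""
    return len(gaps) >= 2 and all(abs(g - period) <= tolerance for g in gaps)


def analyse(log_text: str) -> Dict[str, object]:
    """Summary: how many explicit full GCs, whether hourly, and their total pause."""
    events = explicit_full_gcs(log_text)
    gaps = intervals([ts for ts, _ in events])
    return {
        "explicit_full_gcs": len(events),
        "hourly": looks_periodic(gaps),
        "total_pause_secs": round(sum(pause for _, pause in events), 6),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_GC_LOG))
```

An exactly hourly cadence is characteristic of the JVM's RMI distributed garbage collector, whose default interval is one hour. -XX:+DisableExplicitGC, as suggested above, turns every System.gc() call into a no-op, so after adding it the same analysis should report zero explicit full collections; if pauses from ordinary collections remain a problem, the -XX:+PrintGCDetails output Leon mentions is the next thing to look at.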





Re: OutOfMemoryError: PermGen space

2016-07-14 Thread Mark Thomas
On 14/07/2016 20:26, Berneburg, Cris J. - US wrote:
> Hi Folks
> 
> I got this error from the Tomcat Web Application Manager after having stopped 
> and started one of the applications multiple times.  (This was after 
> repeatedly deploying the application manually to attempt to find a bug that I 
> could not reproduce in my IDE.)  Once the error occurred, the server was 
> extremely sluggish to respond even to remote desktop mouse and keyboard 
> events.
> 
> FYI, I deploy the app by stopping it on the Tomcat web manager, deleting 
> almost everything out of the app folder using file manager, copying the new 
> files and folders in, then starting the app from the Tomcat manager.
> 
> Here's the error:
> 
> FAIL - Application at context path /someapp could not be started
> FAIL - Encountered exception java.lang.OutOfMemoryError: PermGen space
> 
> Is this likely due to a memory leak in my application?

Yes.

>  Or does it have something to do with me doing so many repeated deployments?

Also yes.

>  Or perhaps simply from restarting the app so many times?

Stop/start has the same effect as redeploy in this case.

>  I might try an experiment to see how many times I can stop/start the app 
> before the error next occurs.
> 
> OS: Win Server 2012 R2
> Java: 1.6.0_24  (oops, need to upgrade that now)
> Tomcat: 6.0.37  (hmm... will need to upgrade soon-ish)

Indeed. Some upgrades are certainly in order. Not least because some of
the potential sources of memory leaks are JVM bugs that are fixed in the
latest Java 8 releases.

This is probably a useful read:
http://people.apache.org/~markt/presentations/2010-11-04-Memory-Leaks-60mins.pdf

Despite the age, it is still very relevant today.

Mark





Re: [ANN] Apache Tomcat 8.5.4 available

2016-07-14 Thread Mark Thomas
On 14/07/2016 11:40, Johan Compagner wrote:
>>
>>
>> This is the first stable release of the 8.5.x branch. Tomcat 8.x users
>> should now use 8.5.x releases in preference to 8.0.x releases.
>>
>>
> I thought 8.5.3 was the first stable release ;)

Yep. My bad. Copy/paste error trying to do stuff too quickly and not
checking carefully enough.

Mark




OutOfMemoryError: PermGen space

2016-07-14 Thread Berneburg, Cris J. - US
Hi Folks

I got this error from the Tomcat Web Application Manager after having stopped 
and started one of the applications multiple times.  (This was after repeatedly 
deploying the application manually to attempt to find a bug that I could not 
reproduce in my IDE.)  Once the error occurred, the server was extremely 
sluggish to respond even to remote desktop mouse and keyboard events.

FYI, I deploy the app by stopping it on the Tomcat web manager, deleting almost 
everything out of the app folder using file manager, copying the new files and 
folders in, then starting the app from the Tomcat manager.

Here's the error:

FAIL - Application at context path /someapp could not be started
FAIL - Encountered exception java.lang.OutOfMemoryError: PermGen space

Is this likely due to a memory leak in my application?  Or does it have 
something to do with me doing so many repeated deployments?  Or perhaps simply 
from restarting the app so many times?  I might try an experiment to see how 
many times I can stop/start the app before the error next occurs.

OS: Win Server 2012 R2
Java: 1.6.0_24  (oops, need to upgrade that now)
Tomcat: 6.0.37  (hmm... will need to upgrade soon-ish)

--
Cris Berneburg, Lead Software Engineer, CACI



Re: question on Java / Tomcat / GC

2016-07-14 Thread Anthony Biacco
On Thu, Jul 14, 2016 at 11:41 AM, André Warnier (tomcat) wrote:

> Hi Java GC gurus.
>
> I am coming for a bit of expert advice, not for a problem.
>
> At some customer site, some applications appear to react somewhat slowly
> sometimes, although these are not very heavy applications, and traffic on
> the site is also not very high.
>
> Among several other things I'm looking at, wondering if this might have
> something to do with Java/Tomcat running out of memory, and perhaps doing
> excessive GC's, I set up GC logging.
> Below I am pasting that small Java GC log.
> This is running tomcat 6 still, the java versions and tomcat JVM relevant
> switches are shown in the log.
> I am starting the tomcat JVM with "-Xms1024M -Xmx1024M", and no other
> non-default settings regarding memory management or GC type.
>
> I take it that in the log below, the first number on the left is a
> timestamp in "seconds , thousandths of a second".
>
> Based on what I am seeing below, it does not appear that this Tomcat would
> be at any time running short of Heap space, does it ?
> The most it seems to be using below, is 153579K, when it has 1024M to play
> with.
> Neither does it seem to be doing excessive GC either, since these logged
> GC's are separated by several thousands of seconds.
>
> But what does puzzle me a bit, is that each time it runs a "minor GC", it
> seems to follow this almost immediately (within 1-2 ms) with a "full GC".
>
>
Well, I'm not a GC expert by any stretch of the imagination, but I think
with your PrintGC options the "GC (System.gc())" and the "Full GC
(System.gc())" are the same GC.
Since they're consistent at every hour, the application may be calling
System.gc().
You may want to check the code if you have access to it.

-Tony


ApacheCon Europe call for papers open

2016-07-14 Thread Rich Bowen
Dear Apache Enthusiast,

As you are no doubt already aware, we will be holding ApacheCon in
Seville, Spain, the week of November 14th, 2016. The call for papers
(CFP) for this event is now open, and will remain open until
September 9th.

The event is divided into two parts, each with its own CFP. The first
part of the event, called Apache Big Data, focuses on Big Data
projects and related technologies.

Website: http://events.linuxfoundation.org/events/apache-big-data-europe
CFP:
http://events.linuxfoundation.org/events/apache-big-data-europe/program/cfp

The second part, called ApacheCon Europe, focuses on the Apache
Software Foundation as a whole, covering all projects, community
issues, governance, and so on.

Website: http://events.linuxfoundation.org/events/apachecon-europe
CFP: http://events.linuxfoundation.org/events/apachecon-europe/program/cfp

ApacheCon is the official conference of the Apache Software
Foundation, and is the best place to meet members of your project and
other ASF projects, and strengthen your project's community.

If your organization is interested in sponsoring ApacheCon, contact me
at e...@apache.org  ApacheCon is a great place to find the brightest
developers in the world, and experts on a huge range of technologies.

I hope to see you in Seville!




Re: Apache server as forward and reverse proxy

2016-07-14 Thread Anthony Biacco
On Thu, Jul 14, 2016 at 3:21 AM, Mohanavelu Subramanian wrote:

> Hi All,
>
> I know this group is for tomcat related queries.
> I have some query related to apache server, if someone have an idea about
> this, I request you to please share.
>
>
You should ask your questions on the apache users mailing list then.


-Tony


Re: SSL/TLS and ciphers vulnerability

2016-07-14 Thread uzair rashid
Jeffrey,

Working for a corporation that has strict SSL and security requirements,
there is no way to use the tools you suggested, since the Tomcat URLs are
not exposed.

On Thu, Jul 14, 2016 at 8:41 AM, Jeffrey Janner wrote:

> Hi folks,
>
> I've been off the list for a bit, getting ducks in a row here and
> everything.
> I noticed a number of posts about SSL & TLS security settings lately and I
> wanted to point out that maintaining your SSL configurations is an on-going
> process.
> New exploits are discovered and released quite often, and often the fault
> lies with a cipher and not necessarily an overall SSL/TLS protocol.
> So using a cipher list like "all except RC4" is probably not sufficient
> anymore.
> And what is secure may depend completely on the SSL/TLS software you use,
> be it OpenSSL or Java's built in SSL libraries.
> For example, with OpenSSL, you should be using 1.0.1t or higher, and even
> then only TLS1.2 with a handful of ciphers.
> I'm not sure what the recommended options for java's libraries are at the
> moment.
> A really good, free tool is Qualys' SSL Labs server test tool located at:
> https://www.ssllabs.com/ssltest/
> Run that against your implementation and follow its recommendations.
>
> Of course, at the end of the day, it will be up to you and your firm to
> decide what risks you are willing to take with your SSL communications and
> whether or not you need to support insecure browsers, i.e. browsers that
> cannot negotiate up to the most secure protocol and ciphers.
>
> Jeffrey Janner
> p.s. Qualys also has a test suite for the browsers that you use.
>
>


question on Java / Tomcat / GC

2016-07-14 Thread tomcat

Hi Java GC gurus.

I am coming for a bit of expert advice, not for a problem.

At some customer site, some applications appear to react somewhat slowly sometimes, 
although these are not very heavy applications, and traffic on the site is also not very high.


Among several other things I'm looking at, wondering if this might have something to do 
with Java/Tomcat running out of memory, and perhaps doing excessive GC's, I set up GC logging.

Below I am pasting that small Java GC log.
This is running tomcat 6 still, the java versions and tomcat JVM relevant switches are 
shown in the log.
I am starting the tomcat JVM with "-Xms1024M -Xmx1024M", and no other non-default settings 
regarding memory management or GC type.


I take it that in the log below, the first number on the left is a timestamp in "seconds , 
thousandths of a second".


Based on what I am seeing below, it does not appear that this Tomcat would be at any time 
running short of Heap space, does it ?

The most it seems to be using below, is 153579K, when it has 1024M to play with.
Neither does it seem to be doing excessive GC either, since these logged GC's are 
separated by several thousands of seconds.


But what does puzzle me a bit, is that each time it runs a "minor GC", it seems to follow 
this almost immediately (within 1-2 ms) with a "full GC".


Is this normal, expected behaviour ?
And if not, what could be the cause ?
(and, should I worry about it ?)

Should I be looking at something else than the Heap ?

-- begin log file --
Java HotSpot(TM) 64-Bit Server VM (25.51-b03) for linux-amd64 JRE (1.8.0_51-b16), built on 
Jun  8 2015 19:28:07 by "java_re" with gcc 4.3.0 20080428 (Red Hat 4.3.0-8)

Memory: 4k page, physical 12198284k(871340k free), swap 8088572k(7962988k free)
CommandLine flags: -XX:InitialHeapSize=1073741824 -XX:MaxHeapSize=1073741824 -XX:+PrintGC 
-XX:+PrintGCTimeStamps -XX:+UseCompressedClassPointers -XX:+UseCompressedOops 
-XX:+UseParallelGC

0,465: [GC (System.gc())  26214K->3880K(1005056K), 0,0065929 secs]
0,472: [Full GC (System.gc())  3880K->3679K(1005056K), 0,0156589 secs]
3600,493: [GC (System.gc())  98060K->17186K(1005056K), 0,0158018 secs]
3600,509: [Full GC (System.gc())  17186K->14349K(1005056K), 0,0463734 secs]
7200,555: [GC (System.gc())  35320K->14389K(1005056K), 0,0026610 secs]
7200,558: [Full GC (System.gc())  14389K->8712K(1005056K), 0,0336780 secs]
10800,592: [GC (System.gc())  13957K->8744K(1005056K), 0,0013067 secs]
10800,594: [Full GC (System.gc())  8744K->8713K(1005056K), 0,0202595 secs]
14400,615: [GC (System.gc())  13956K->8745K(1005056K), 0,0011526 secs]
14400,616: [Full GC (System.gc())  8745K->8713K(1005056K), 0,0225167 secs]
18000,639: [GC (System.gc())  13956K->8777K(1005056K), 0,0011825 secs]
18000,640: [Full GC (System.gc())  8777K->8719K(1005056K), 0,0204080 secs]
21600,661: [GC (System.gc())  13962K->8751K(1005056K), 0,0014680 secs]
21600,662: [Full GC (System.gc())  8751K->8719K(1005056K), 0,0231917 secs]
25200,686: [GC (System.gc())  13962K->8751K(1005056K), 0,0013049 secs]
25200,687: [Full GC (System.gc())  8751K->8719K(1005056K), 0,0178894 secs]
28800,706: [GC (System.gc())  13962K->8751K(1005056K), 0,0009395 secs]
28800,707: [Full GC (System.gc())  8751K->8730K(1005056K), 0,0177490 secs]
32400,725: [GC (System.gc())  13973K->8762K(1005056K), 0,0012018 secs]
32400,726: [Full GC (System.gc())  8762K->8730K(1005056K), 0,0199877 secs]
36000,747: [GC (System.gc())  13973K->8762K(1005056K), 0,0045768 secs]
36000,751: [Full GC (System.gc())  8762K->8731K(1005056K), 0,0205136 secs]
39600,772: [GC (System.gc())  82213K->11405K(1005056K), 0,0035769 secs]
39600,776: [Full GC (System.gc())  11405K->11098K(1005056K), 0,0436870 secs]
43200,820: [GC (System.gc())  153579K->12647K(1005056K), 0,0053538 secs]
43200,826: [Full GC (System.gc())  12647K->11921K(1005056K), 0,0494967 secs]
46800,876: [GC (System.gc())  80022K->13513K(1005056K), 0,0029589 secs]
46800,879: [Full GC (System.gc())  13513K->12697K(1005056K), 0,0395771 secs]
50400,919: [GC (System.gc())  103251K->13825K(1005056K), 0,0030939 secs]
50400,922: [Full GC (System.gc())  13825K->12641K(1005056K), 0,0341599 secs]
54000,957: [GC (System.gc())  86842K->13305K(1005056K), 0,0018964 secs]
54000,959: [Full GC (System.gc())  13305K->12999K(1005056K), 0,0329190 secs]
57600,992: [GC (System.gc())  72900K->13583K(1005056K), 0,0024302 secs]
57600,995: [Full GC (System.gc())  13583K->13142K(1005056K), 0,0327378 secs]
-- end logfile --
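Tony's reading of this log earlier in the archive (under ParallelGC one System.gc() call is printed as a young GC line immediately followed by a Full GC line) can be checked mechanically rather than by eye. The analyser below is an added example, not code from either message: it parses lines in the PrintGC/PrintGCTimeStamps format above, accepting the comma decimal separator, counts explicit collections once per call, reports whether they recur at a fixed interval, and compares peak heap use with the committed size. The sample lines are constructed in the same format as the log.

```python
import re
import statistics
from dataclasses import dataclass

# One HotSpot line from -XX:+PrintGC -XX:+PrintGCTimeStamps, e.g.
#   3600,509: [Full GC (System.gc())  17186K->14349K(1005056K), 0,0463734 secs]
# The decimal separator is locale dependent, so ',' and '.' are both accepted.
GC_LINE = re.compile(
    r"^(?P<ts>\d+[.,]\d+): \[(?P<full>Full )?GC \((?P<cause>.+?)\)\s+"
    r"(?P<before>\d+)K->(?P<after>\d+)K\((?P<total>\d+)K\), "
    r"(?P<secs>\d+[.,]\d+) secs\]"
)


def _num(s):
    return float(s.replace(",", "."))


@dataclass
class GcEvent:
    ts: float       # seconds since JVM start
    full: bool      # True for "Full GC", False for a young collection
    cause: str      # "System.gc()", "Allocation Failure", ...
    before_k: int   # heap used before the collection, in KB
    after_k: int    # heap used after it
    total_k: int    # committed heap
    pause_s: float


def parse_gc_log(text):
    """Parse every PrintGC line; header lines (Memory:, CommandLine flags:) are skipped."""
    events = []
    for line in text.splitlines():
        m = GC_LINE.match(line.strip())
        if m:
            events.append(GcEvent(
                ts=_num(m["ts"]), full=m["full"] is not None, cause=m["cause"],
                before_k=int(m["before"]), after_k=int(m["after"]),
                total_k=int(m["total"]), pause_s=_num(m["secs"])))
    return events


def explicit_full_gc_times(events):
    """Timestamps of Full GCs caused by System.gc(), one per call.

    With -XX:+UseParallelGC (and the default -XX:+ScavengeBeforeFullGC) one
    System.gc() call is logged as a young GC line immediately followed by a
    Full GC line, so only the Full GC line is counted here."""
    return [e.ts for e in events if e.full and e.cause == "System.gc()"]


def detect_periodic_explicit_gc(events, tolerance_s=5.0):
    """Return the recurring interval in whole seconds if every gap between
    explicit Full GCs agrees to within tolerance_s, else None."""
    times = explicit_full_gc_times(events)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or max(gaps) - min(gaps) > tolerance_s:
        return None
    return round(statistics.mean(gaps))


def heap_pressure(events):
    """(peak used before any GC, committed heap) in KB; a peak far below the
    committed size says heap size is not what is slowing the server."""
    return (max(e.before_k for e in events), max(e.total_k for e in events))


# Constructed sample in the same format as the log in the post: three hourly
# System.gc() pairs plus one ordinary young collection.
SAMPLE_LOG = """\
CommandLine flags: -XX:+PrintGC -XX:+PrintGCTimeStamps -XX:+UseParallelGC
0,465: [GC (System.gc())  26214K->3880K(1005056K), 0,0065929 secs]
0,472: [Full GC (System.gc())  3880K->3679K(1005056K), 0,0156589 secs]
1234,000: [GC (Allocation Failure)  300000K->20000K(1005056K), 0,0100000 secs]
3600,493: [GC (System.gc())  98060K->17186K(1005056K), 0,0158018 secs]
3600,509: [Full GC (System.gc())  17186K->14349K(1005056K), 0,0463734 secs]
7200,555: [GC (System.gc())  35320K->14389K(1005056K), 0,0026610 secs]
7200,558: [Full GC (System.gc())  14389K->8712K(1005056K), 0,0336780 secs]
"""

if __name__ == "__main__":
    evs = parse_gc_log(SAMPLE_LOG)
    peak, total = heap_pressure(evs)
    print(f"{len(evs)} collections, peak {peak}K used of {total}K committed")
    period = detect_periodic_explicit_gc(evs)
    if period:
        print(f"explicit System.gc() recurs every ~{period}s: find the caller")
```

Run it over the real log file instead of SAMPLE_LOG to get the same two numbers for the customer system.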




How do I start and stop just the tomcat admin application from a command line?

2016-07-14 Thread Paul Roubekas
How do I start and stop just the tomcat admin application from a command
line?  I had someone try to guess the password to my Tomee-Plume server
last night. Thankfully I changed the default password and the hacker
only tried twice.  I want to be able to keep the admin application
closed most of the time. On the rare occasion that I need access to the
tomcat admin console I would like to start it up only for a brief period
of time and then stop it.  Internet searches showed me how to stop other
applications using the tomcat admin application.  I want to stop just
the Tomcat admin application not the whole server. 






Re: [OT] mod-jk + ssl: requests are not forward to tomcat correctly

2016-07-14 Thread Anthony Biacco
On Wed, Jul 13, 2016 at 8:44 AM, André Warnier (tomcat) wrote:

> On 13.07.2016 16:34, Anthony Biacco wrote:
>
>> On Mon, Jul 11, 2016 at 5:39 PM, Wayne Li wrote:
>>
>> Probably the quickest : download these files, install them on your

>>> server, and change the above links.
>>> Like : create a sub-directory "/js" of your webapp, and install them
>>> there.
>>> Then change the above links to : href="js/jquery.mobile-1.4.5.min.css"
>>>
>>> Yes. It works. Thanks.
>>>
>>> It is okay for now. but, if I do not want host these files, what should I
>>> do? Can you point a direction for me please?
>>>
>>>
>>
>> If you must not host these files, use CDNjs, i.e.
>> https://cdnjs.com/libraries/jquery-mobile
>>
>>
> But then Rainer's previous point would still be valid.
>
>
>
Yes, of course. Doesn't change that fact.


-Tony


SSL/TLS and ciphers vulnerability

2016-07-14 Thread Jeffrey Janner
Hi folks,

I've been off the list for a bit, getting ducks in a row here and everything.
I noticed a number of posts about SSL & TLS security settings lately and I 
wanted to point out that maintaining your SSL configurations is an on-going 
process.
New exploits are discovered and released quite often, and often the fault lies 
with a cipher and not necessarily an overall SSL/TLS protocol.
So using a cipher list like "all except RC4" is probably not sufficient anymore.
And what is secure may depend completely on the SSL/TLS software you use, be it 
OpenSSL or Java's built in SSL libraries.
For example, with OpenSSL, you should be using 1.0.1t or higher, and even then 
only TLS1.2 with a handful of ciphers.
I'm not sure what the recommended options for java's libraries are at the 
moment.
A really good, free tool is Qualys' SSL Labs server test tool located at: 
https://www.ssllabs.com/ssltest/
Run that against your implementation and follow its recommendations.

Of course, at the end of the day, it will be up to you and your firm to decide 
what risks you are willing to take with your SSL communications and whether or 
not you need to support insecure browsers, i.e. browsers that cannot negotiate 
up to the most secure protocol and ciphers.

Jeffrey Janner
p.s. Qualys also has a test suite for the browsers that you use.



Re: Need help setting up SSL on Tomcat 8

2016-07-14 Thread Sean Son
On Thu, Jul 14, 2016 at 8:15 AM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Sean,
>
> On 13.7.2016 21:56, Sean Son wrote:
>
>> Thank you for your answer guys. Is there anywhere in the Tomcat config
>> files that I would need to specify the DNS name?  Like in Apache we
>> would specify the DNS name in a Virtualhost.
>>
>
> Take a look at context xml, attribute "name" in Host element [1], and
> attribute "defaultHost" in Engine element [2].
>
> -Ognjen
>
> ps. Please, write your answers below the quotes, that is standard on
> Tomcat mailing lists.
>
> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html
> [2] http://tomcat.apache.org/tomcat-8.0-doc/config/engine.html
>
>
>
>
Thanks for the links, and sorry, bad habit of mine, lol. Today I will set up
a DNS record for the server and test out the SSL. I will let you all know
what I see.

Thanks!


Tomcat FREAK Issue

2016-07-14 Thread uzair rashid
Hello Experts:

Running Tomcat 6.x and every week during vulnerability scans we are having
the following results:



Vulnerability References:

SSL/TLS Server Factoring RSA Export Keys (FREAK) vulnerability

Impact: Exploitation allows an attacker to bypass security restrictions
on the targeted host.
Solution: Disable RSA_EXPORT cipher suites. Do not use a temporary RSA key
multiple times.
Result:
  Public key source           Key size
  Public key in certificate   2048 (bits)
  Temporary RSA key           512 (bits)



Could someone please help?

Server.xml:



SSL inconsistency

2016-07-14 Thread i...@flyingfischer.ch
While testing locally the new 8.5 branch, I did experience some 
inconsistency with self-signed SSL certs. I did manage to resolve them 
by installing the Tomcat-Native library / APR, but maybe it is still worth 
reporting with regard to the different behaviour for the same cert 
between Tomcat versions and configurations.


I didn't want to file a bug, since this very likely is a configuration 
and/or self-signed cert problem.


Thanks for considering.

Markus

Tomcat 8, works fine.
Tomcat 8.5  error => Alias name tomcat does not identify a key entry



---

Tomcat 8.5, same cert, starts fine but throws on first SSL invocation:

java.lang.IllegalArgumentException: Invalid character found in method 
name. HTTP method names must be tokens




---

Tomcat 8.5, new cert
Tomcat-Native / APR disabled

Failed to initialize end point associated with ProtocolHandler 
["https-jsse-nio-8443"]

java.security.KeyStoreException: Cannot store non-PrivateKeys

Same cert works with Tomcat-Native / APR enabled

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" secure="true" scheme="https"
           SSLEnabled="true" defaultSSLHostConfigName="localhost">






Also works with protocol="org.apache.coyote.http11.Http11AprProtocol" 
with Tomcat-Native / APR enabled






Re: Facing issue while configuring SSL

2016-07-14 Thread Ognjen Blagojevic

Devendra,

On 14.7.2016 10:38, Devendra Sengar wrote:

> But although the Tomcat server starts without any error, I am not able to
> open the Tomcat home page; it gives an error like:
> This site can’t be reached
> The webpage at *https://:8443/* might be temporarily down or it
> may have moved permanently to a new web address.
>
> If I telnet to the server it is not able to connect, but if I use openssl
> s_client -connect it shows the certificate information.
> Any suggestion?


The symptoms you are describing are very strange. It is unlikely that 
telnetting to the HTTPS port (which basically just opens a TCP connection) 
won't work, while connecting with openssl (which opens a TCP connection 
AND starts the HTTPS handshake) does work.


Could you test one more time, and send us the exact commands you used and 
the exact output you got. Also, send us the Tomcat log messages so we can 
verify the HTTPS APR connector port.


-Ognjen




Re: Need help setting up SSL on Tomcat 8

2016-07-14 Thread Ognjen Blagojevic

Sean,

On 13.7.2016 21:56, Sean Son wrote:

> Thank you for your answer guys. Is there anywhere in the Tomcat config
> files that I would need to specify the DNS name?  Like in Apache we
> would specify the DNS name in a Virtualhost.


Take a look at context xml, attribute "name" in Host element [1], and 
attribute "defaultHost" in Engine element [2].


-Ognjen

ps. Please, write your answers below the quotes, that is standard on 
Tomcat mailing lists.


[1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html
[2] http://tomcat.apache.org/tomcat-8.0-doc/config/engine.html




Re: Facing issue while configuring SSL

2016-07-14 Thread Daniel Savard
2016-07-14 4:38 GMT-04:00 Devendra Sengar :

> If I give the full path of the certificate, like c:/tomcat/conf/, then it
> takes the file, and the error I was getting, "SEVERE: Failed to initialize
> end point associated with ProtocolHandler ["http-apr-443"]", is gone.
>
> But although the Tomcat server starts without any error, I am not able to
> open the Tomcat home page; it gives an error like:
> This site can’t be reached
> The webpage at *https://:8443/* might be temporarily down or it
> may have moved permanently to a new web address.
>
> If I telnet to the server it is not able to connect, but if I use openssl
> s_client -connect it shows the certificate information.
> Any suggestion?
>
>
>
Yes, specify the path as ${catalina.base}/conf/ since your file
seems to be in the conf directory of your Tomcat instance. I'm not sure
about the C: in the pathname. However, ${catalina.base}/conf/ is
portable and enables you to move your instance into another directory
without having to modify all the configuration files.

-
Daniel Savard


Re: [ANN] Apache Tomcat 8.5.4 available

2016-07-14 Thread Johan Compagner
>
>
> This is the first stable release of the 8.5.x branch. Tomcat 8.x users
> should now use 8.5.x releases in preference to 8.0.x releases.
>
>
I thought 8.5.3 was the first stable release ;)


Apache server as forward and reverse proxy

2016-07-14 Thread Mohanavelu Subramanian
Hi All,

I know this group is for Tomcat related queries.
I have a query related to the Apache server; if someone has an idea about
this, I request you to please share.

I want to configure Apache to act as both a forward and a reverse proxy.

The official doc says "Apache can be configured in both a forward and
reverse proxy mode."

But there is also another statement: "In a typical reverse proxy
configuration, this option ProxyRequests Directive should be set to Off."

Could you please confirm whether Apache can be configured to act as both a
forward and a reverse proxy?
If possible, can you please share the configuration for the same.

Thanks in Advance.

Best Regards,
Mohan


Re: Facing issue while configuring SSL

2016-07-14 Thread Devendra Sengar
If I give the full path of the certificate, like c:/tomcat/conf/, then it
takes the file, and the error I was getting, "SEVERE: Failed to initialize
end point associated with ProtocolHandler ["http-apr-443"]", is gone.

But although the Tomcat server starts without any error, I am not able to
open the Tomcat home page; it gives an error like:
This site can’t be reached
The webpage at *https://:8443/* might be temporarily down or it
may have moved permanently to a new web address.

If I telnet to the server it is not able to connect, but if I use openssl
s_client -connect it shows the certificate information.
Any suggestion?

Thanks,
Devendra

On Wed, Jul 13, 2016 at 1:54 PM, André Warnier (tomcat) wrote:

> On 13.07.2016 07:02, Devendra Sengar wrote:
>
>> File is there and permission is also fine and having proper openssl.cnf.
>>
>> Any other view?
>>
>
> Really "shooting in the dark" here, since I am neither a Windows nor an
> SSL specialist :
> The error message mentions "no such process".  Assuming (and that may be a
> naive assumption) that the error message reflects the reality, could it not
> be that the handling of these SSL keys/certificates under Windows requires
> some background Windows "cryptographic service" to be active, and that it
> is not ?
> (or some DLL to be found somewhere, where it isn't)
>
>
>
>> Thanks,
>> Devendra
>>
>> On Tue, Jul 12, 2016 at 9:10 PM, André Warnier (tomcat) wrote:
>>
>> On 12.07.2016 16:33, Harrie Robins wrote:
>>>
>>>> java.lang.Exception: Unable to load certificate key
>>>> conf/localhost-key.pem (error:02001003:system library:fopen:No such
>>>> process
>>>>
>>>> If I'm correct you are either missing correct rights to this file or it
>>>> is not in the given location.
>>>> A second possibility is missing password for key file.
>>>>
>>>
>>> Alternatively, searching Google for error:02001003, there are a number of
>>> hits there which point to the same kind of message, most of which seem to
>>> be for Windows and OpenSSL, and most of which mention the need for a
>>> proper "openssl.cnf" in the proper location.
>>> This may or may not be relevant to your problem.
>>>
>>>
>>>> SSLPassword="pass"
>>>>
>>>> Regards,
>>>>
>>>> Harrie
>>>>
>>>> -Original Message-
>>>> From: Devendra Sengar [mailto:dssen...@gmail.com]
>>>> Sent: dinsdag 12 juli 2016 10:50
>>>> To: users@tomcat.apache.org
>>>> Subject: Facing issue while configuring SSL
>>>>
>>>> Hi,
>>>>
>>>> This is regarding the configuration of Tomcat SSL using the APR library
>>>> on Java 6.
>>>>
>>>> While starting the server I am getting the below error:
>>>>
>>>> SEVERE: Failed to initialize end point associated with ProtocolHandler
>>>> ["http-apr-443"]
>>>> java.lang.Exception: Unable to load certificate key
>>>> conf/localhost-key.pem (error:02001003:system library:fopen:No such
>>>> process)
>>>>
>>>> I am trying to implement SSL using independent libraries for OpenSSL,
>>>> Tomcat Native and Apache Portable Runtime.
>>>>
>>>> I have downloaded precompiled versions of OpenSSL and Tomcat Native (see
>>>> them attached). I have tried compiling the Apache Portable Runtime using
>>>> Visual Studio (find it also attached).
>>>>
>>>> I am running those libraries on either Tomcat 7.0.6 or 7.0.70 64-bit for
>>>> Windows (using the 64-bit distro, not the installer one).
>>>>
>>>> We are restricted by our application to use Oracle Java 6 Update 115
>>>> 64-bit.
>>>>
>>>> The versions of the libraries I am using are the latest available
>>>> online, again see the binaries attached.
>>>>
>>>> The parameters used in the server.xml file are:
>>>>
>>>> For Tomcat 7.0.6:
>>>> <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>     port="443" maxThreads="200"
>>>>     scheme="https" secure="true" SSLEnabled="true"
>>>>     SSLCertificateFile="conf/localhost-cert.pem"
>>>>     SSLCertificateKeyFile="conf/localhost-key.pem"
>>>>     SSLCertificateChainFile="conf/ca.crt"
>>>>     SSLVerifyClient="optional" SSLProtocol="TLSv1"
>>>>     SSLCipherSuite="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"/>
>>>>
>>>> For Tomcat 7.0.70:
>>>> <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>     port="443" maxThreads="200"
>>>>     scheme="https" secure="true" SSLEnabled="true"
>>>>     SSLCertificateFile="conf/localhost-cert.pem"
>>>>     SSLCertificateKeyFile="conf/localhost-key.pem"
>>>>     SSLCertificateChainFile="conf/ca.crt"
>>>>     SSLVerifyClient="optional" SSLProtocol="TLSv1_2"
>>>>     SSLCipherSuite="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"/>
>>>>
>>>> The library files are in the tomcat bin folder as openssl.exe,
>>>> tcnative-1.dll and libapr-1.dll.
>>>>
>>>> tcnative-1.dll:
>>>> https://drive.google.com/file/d/0ByilOlQCXOkWQ1ZCckhodHBvQk0/view?usp=sharing
>>>> openssl.exe:
>>>> https://drive.google.com/file/d/0ByilOlQCXOkWQk9KUUJSb3ZqeW8/view?usp=sharing
>>>> libapr-1.dll:
>>>>
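The FREAK scan finding earlier in the archive (RSA_EXPORT suites, a 512-bit temporary RSA key) and the APR connector attributes quoted in this thread can both be checked offline from server.xml before a scanner or SSL Labs gets to the host. The checker below is an added example, not code from either thread or from Tomcat: it walks every SSLEnabled Connector, checks whether an APR connector's OpenSSL-style SSLCipherSuite explicitly excludes EXPORT suites and whether SSLProtocol still admits SSLv2/SSLv3, and for JSSE connectors looks for export suite names in ciphers. The server.xml it reads is constructed; the hardened cipher string on port 443 is the one Devendra posted.

```python
import xml.etree.ElementTree as ET

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"

# Constructed server.xml (not from the thread). Port 443 carries the cipher
# string Devendra posted; 8443 and 8444 are deliberately weak for the demo.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="conf/localhost-cert.pem"
               SSLCertificateKeyFile="conf/localhost-key.pem"
               SSLProtocol="all" SSLCipherSuite="ALL:!aNULL"/>
    <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="conf/localhost-cert.pem"
               SSLCertificateKeyFile="conf/localhost-key.pem"
               SSLProtocol="TLSv1_2"
               SSLCipherSuite="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"/>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" secure="true" SSLEnabled="true"
               sslProtocol="TLS"
               ciphers="SSL_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def audit_connector(conn):
    """Return a list of findings (strings) for one SSLEnabled Connector."""
    findings = []
    if conn.get("protocol") == APR_PROTOCOL:
        # APR/OpenSSL connector: SSLCipherSuite uses OpenSSL cipher-string
        # syntax, so an explicit !EXPORT (or !EXP) token is the clearest way
        # to rule out the 512-bit RSA_EXPORT suites the FREAK finding is about.
        tokens = conn.get("SSLCipherSuite", "").split(":")
        if "!EXPORT" not in tokens and "!EXP" not in tokens:
            findings.append("SSLCipherSuite does not explicitly exclude EXPORT "
                            "suites; confirm the expansion with 'openssl ciphers -v'")
        # Tomcat's APR default for SSLProtocol is "all".
        proto = conn.get("SSLProtocol", "all")
        if proto == "all" or "SSLv2" in proto or "SSLv3" in proto:
            findings.append(f"SSLProtocol={proto!r} may still allow SSLv2/SSLv3; "
                            "restrict it to TLSv1_2")
    else:
        # JSSE connector (BIO/NIO): 'ciphers' is a comma-separated list of
        # Java cipher suite names; export suites carry _EXPORT_ in the name.
        ciphers = conn.get("ciphers")
        if ciphers is None:
            findings.append("no explicit 'ciphers' list: the JVM default applies, "
                            "set one explicitly")
        else:
            weak = [c.strip() for c in ciphers.split(",") if "_EXPORT_" in c]
            if weak:
                findings.append("EXPORT cipher suites enabled: " + ", ".join(weak))
    return findings


def audit_server_xml(text):
    """Map each SSLEnabled Connector's port to its findings ([] means clean)."""
    root = ET.fromstring(text)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector: no TLS settings to audit
        report[conn.get("port")] = audit_connector(conn)
    return report


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(f"Connector port {port}: " + ("OK" if not findings else ""))
        for finding in findings:
            print("  -", finding)
```

A cipher string without !EXPORT is reported as "confirm", not as broken, because HIGH alone already excludes export-grade suites; the openssl ciphers -v expansion is the authoritative answer.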

RE: A complex issue concerning the application lifecycle, MBeans and Spring

2016-07-14 Thread Jäkel , Guido
Hi Mark,

OK - as a newbie I read this from the stack trace: ...

> 20160713-161427.340 ERROR [catalina-exec-64] [] [[/]] StandardWrapper.Throwable
> [...]
> at org.springframework.web.servlet.HttpServletBean.init(HttpServletBean.java:136)
> at javax.servlet.GenericServlet.init(Unknown Source)
> at org.apache.catalina.core.StandardWrapper.initServlet(Unknown Source)
> at org.apache.catalina.core.StandardWrapper.loadServlet(Unknown Source)
> at org.apache.catalina.core.StandardWrapper.allocate(Unknown Source)
> 2) at org.apache.catalina.core.StandardWrapper.isSingleThreadModel(Unknown Source)
> at sun.reflect.GeneratedMethodAccessor178.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:497)
> 1) at org.apache.tomcat.util.modeler.BaseModelMBean.getAttribute(Unknown Source)
> at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getAttribute(DefaultMBeanServerInterceptor.java:647)
> at com.sun.jmx.mbeanserver.JmxMBeanServer.getAttribute(JmxMBeanServer.java:678)
> at org.apache.catalina.mbeans.MBeanDumper.dumpBeans(Unknown Source)
> [...]

It seems to me that "all reading is passive" doesn't hold, because the call to 
getAttribute() at 1) will invoke the MBean and this leads to the call of 
isSingleThreadModel at 2) -- I don't see why at the moment.

But about 2) I take a look at the sources at github:


    public boolean isSingleThreadModel() {

        // Short-cuts
        // If singleThreadModel is true, must have already checked this
        // If instance != null, must have already loaded
        if (singleThreadModel || instance != null) {
            return singleThreadModel;
        }

        // The logic to determine this safely is more complex than one might
        // expect. allocate() already has the necessary logic so re-use it.
        // Make sure the Servlet is loaded with the right class loader
        ClassLoader oldCL = null;
        try {
            oldCL = ((Context) getParent()).bind(false, null);
--->        Servlet s = allocate();
            deallocate(s);
        } catch (Throwable t) {
            ExceptionUtils.handleThrowable(t);
        } finally {
            ((Context) getParent()).unbind(false, oldCL);
        }
        return singleThreadModel;
    }


And this will load (and initialize) the servlet because some conditions are 
fulfilled: it is sure that  singleThreadModel == false  and  instance == null  
because we are called from isSingleThreadModel.

So maybe there should be a special code path in case of an ongoing 
initialization at the top, like the 'if(unloading)' clause. The note states 
that one can't decide if a Servlet implements SingleThreadModel until loading. 
So maybe on startup this must be answered in a "conservative way" (if possible) 
or thrown back with an exception. If this will lead to an overall exception for 
the MBean request, this might be "the right thing", because at least one piece 
of the returned information can't be answered yet at this moment (during 
initialization of the servlet).


    @Override
    public Servlet allocate() throws ServletException {

        // If we are currently unloading this servlet, throw an exception
        if (unloading) {
            throw new ServletException(sm.getString("standardWrapper.unloading", getName()));
        }

        boolean newInstance = false;

        // If not SingleThreadedModel, return the same instance every time
        if (!singleThreadModel) {
            // Load and initialize our instance if necessary
--->        if (instance == null || !instanceInitialized) {
                synchronized (this) {
                    if (instance == null) {
                        try {
                            if (log.isDebugEnabled()) {
                                log.debug("Allocating non-STM instance");
                            }

                            // Note: We don't know if the Servlet implements
                            // SingleThreadModel until we have loaded it.
                            instance = loadServlet();
        [...]


By the way: the only occurrence where  instanceInitialized  is set to true is 
*after* a call to the core servlet.init in initServlet. Therefore its semantics 
are not "initialization is started and in progress" but "initialization is 
completed", and IMHO therefore one can't take it as an indicator for the fact 
that it should be done. But I can't overview whether the  synchronized(this)  will 
close this gap. 



Greetings

Guido