Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-20 Thread logo

Hi Thomas,

> On 21.12.2017 at 00:56, Thomas Delaney wrote:
> 
> Greetings,
> 
> I am having trouble regarding Google Chrome's behavior with Apache Tomcat's
> SSL setup. I have been successful getting an SSL website to work with
> Apache HTTP web server, but not Apache Tomcat 8.5.24 on Google Chrome.
> Mozilla Firefox brings me to my site with no problem.
> 
> When going to https://mydomain.com:8443 I receive a message from Google
> Chrome.
> 
> Google Chrome Error -
> This site can’t provide a secure connection
> mydomain.com uses an unsupported protocol.
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> 
> Unsupported protocol
> The client and server don't support a common SSL protocol version or cipher
> suite.
> 
> When checking Google Chrome's browser console in the security tab I
> receive:
> Page is not secure
> Valid certificate
> secure resources
> 
> Here is the background info I have for the configuration I gave
> Apache Tomcat when setting up the 8443 connector:
> 
> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
> 
> Linux OS: SUSE Enterprise 12 sp1
> 
> Packages installed:
> 
> - OpenSSL 1.0.2n  7 Dec 2017
> - jdk version 1.7.0_79

That may be the culprit.

Apparently this (old) version of Java 7 does not provide by default the modern
ciphers that Chrome requires, and the config is using the JSSE SSL
implementation.
But as you have TC Native and OpenSSL 1.0.2, you should switch to OpenSSL.


> - tomcat version -> apache-tomcat-8.5.24
> - apr-1.6.3
> - tomcat-native-1.2.16-src
> 
> Server.xml APR connector (certificates are signed by GoDaddy and are
> placed in the conf directory of Apache Tomcat):
> 
> maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="mydomain.com" >
> protocols="TLSv1,TLSv1.1,TLSv1.2">
> certificateFile="conf/server.crt"
> certificateChainFile="conf/CA_server_bundle.crt"
> type="RSA" />
>
>
> 
> 
My config for openssl is like this:


  


  

  

It contains openssl 1.1 ciphers but that will not matter for your config.

You may search this mailing list's archive for some good posts on available
ciphers.

Hope this helps.

Peter

> hostname displays properly when typing command: hostname -f and/or typing:
> cat /etc/HOSTNAME on the linux server



Apache Tomcat 8.5.24 SSL Configuration

2017-12-20 Thread Thomas Delaney
Greetings,

I am having trouble regarding Google Chrome's behavior with Apache Tomcat's
SSL setup. I have been successful getting an SSL website to work with
Apache HTTP web server, but not Apache Tomcat 8.5.24 on Google Chrome.
Mozilla Firefox brings me to my site with no problem.

When going to https://mydomain.com:8443 I receive a message from Google
Chrome.

Google Chrome Error -
This site can’t provide a secure connection
mydomain.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol
The client and server don't support a common SSL protocol version or cipher
suite.

When checking Google Chrome's browser console in the security tab I
receive:
Page is not secure
Valid certificate
secure resources

Here is the background info I have for the configuration I gave
Apache Tomcat when setting up the 8443 connector:

Chrome Version 63.0.3239.108 (Official Build) (64-bit)

Linux OS: SUSE Enterprise 12 sp1

Packages installed:

- OpenSSL 1.0.2n  7 Dec 2017
- jdk version 1.7.0_79
- tomcat version -> apache-tomcat-8.5.24
- apr-1.6.3
- tomcat-native-1.2.16-src

Server.xml APR connector (certificates are signed by GoDaddy and are
placed in the conf directory of Apache Tomcat):








hostname displays properly when typing command: hostname -f and/or typing:
cat /etc/HOSTNAME on the linux server


tomcat-jdbc PoolExhaustedException message

2017-12-20 Thread Tara Czutno
Hello, my application in production is having intermittent performance
problems.  My app shows db queries are taking too long.  The db team says
the database is running fine.  The network is between us and it has had
problems in the past.


We saw this pool exhausted exception at one point.

Can someone give me some insight into this message? Size is 100, busy is 66;
what are the other 44 connections doing?


Message:

org.apache.tomcat.jdbc.pool.PoolExhaustedException: [qtp334173295-1099]
Timeout: Pool empty. Unable to fetch a connection in 30 seconds, none
available[size:100; busy:66; idle:0; lastwait:3].


Config:




   
   
   
   
   

   
   
   
   
   
   

   
   
   
   

   
   
   
   
   
   
   
   
   
   

   
   
   

   
   
   
   

   
   
   
   
   
   
   
   
   
   
   
   
   



OutOfMemoryError when Uploading Files

2017-12-20 Thread Igal @ Lucee.org

Hello,

I am troubleshooting a servlet which is used to upload files. Small 
files under 25mb are processed properly.  Large files over 50mb are 
processed properly.  Files in the 25mb to 50mb range fail 
with OutOfMemoryError.


Unfortunately I do not get a Stack Trace.  Instead of a Stack Trace I 
only get "Java heap space".


I know that the FileUpload component has a threshold with a default of 
10kb, so that files under 10kb are processed in memory, but files larger 
than that are processed using the disk to preserve memory.  I do not see 
anywhere in the code that the threshold is modified from its default value.


Is there anywhere else in Tomcat that might have a 50mb threshold for IO 
operations?  Specifically in NioEndpoint, since I see this in catalina.out:


Jul 11, 2017 1:23:29 PM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor 
doRun
SEVERE:
java.lang.OutOfMemoryError: Java heap space

Running Tomcat 8.0.23 (and yes, I would love to upgrade it, but this is 
for a large organization and I cannot update it at this time).


Am I correct to assume that the error is logged from
https://github.com/apache/tomcat80/blob/TOMCAT_8_0_23/java/org/apache/tomcat/util/net/NioEndpoint.java#L1563

?

Thank you,

Igal Sapir
Lucee Core Developer
Lucee.org 
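An added example, not Igal's servlet or any Lucee code: a Tomcat servlet on the standard Servlet 3 multipart API that sets the in-memory threshold explicitly to the 10kb default the post mentions, spills larger parts to disk, caps the part size so an oversized upload is rejected before it is buffered, and streams the accepted part to its destination instead of reading it whole. The part name "file", the two directories and the 50mb cap are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.*;
import javax.servlet.ServletException;
import javax.servlet.annotation.*;
import javax.servlet.http.*;

@WebServlet("/upload")
@MultipartConfig(
    fileSizeThreshold = 10 * 1024,        // up to 10kb per part stays in memory; larger parts spill to disk
    maxFileSize = 50L * 1024 * 1024,      // assumed cap; Tomcat rejects bigger parts before they are buffered
    maxRequestSize = 55L * 1024 * 1024,   // cap for the whole multipart body
    location = "/var/tmp/tomcat-uploads") // assumed spill directory, must exist and be writable
public class BoundedUploadServlet extends HttpServlet {

    private static final Path TARGET_DIR = Paths.get("/var/data/uploads"); // assumed final location

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Part part;
        try {
            part = req.getPart("file"); // the multipart body is parsed here, under the limits above
        } catch (IllegalStateException tooLarge) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "upload exceeds limit");
            return;
        }
        if (part == null || part.getSubmittedFileName() == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing 'file' part");
            return;
        }
        // keep only the base name so a client-supplied path cannot leave TARGET_DIR
        String name = Paths.get(part.getSubmittedFileName()).getFileName().toString();
        Path target = TARGET_DIR.resolve(name);
        // stream the part to its final location; the file is never held in the heap as a whole
        try (InputStream in = part.getInputStream()) {
            Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
        } finally {
            part.delete(); // remove the temporary spill file
        }
        resp.setStatus(HttpServletResponse.SC_CREATED);
    }
}
```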



Re: internalProxies regex

2017-12-20 Thread Konstantin Kolinko
2017-12-20 11:37 GMT+03:00 Harrie Robins :
> Hello everyone,
>
>
>
> I have a question about the remoteipvalve in tomcat 8.5:
> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>
>
>
>
> internalProxies
>
> Regular expression that matches the IP addresses of internal proxies. If
> they appear in the remoteIpHeader value, they will be trusted and will not
> appear in the proxiesHeader value
>
> RemoteIPInternalProxy
>
> Regular expression (in the syntax supported by java.util.regex)
>
> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
> 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
> 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
> 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
> By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.
>
>
>
> I need to convert some CIDR ranges to regex:
>
>
> my concern is that \d{1,3} will match too many (non-existent) addresses
>
> 103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|103\.31\.\d[4-7]\.\d[0-9]\d{1,3}
>
>
>
> So I rewrote using capture groups, below does not function however, and I
> assume it is due to OR (|) which tomcat will effectively see as a new entry?
> So I tried escaping, but I cannot get it to work:
>
> 103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))

Your assumption that "tomcat will effectively see as a new entry" is wrong.
The string is used as a whole to initialize a java.util.regex.Pattern().
Tomcat does not split it.

You may write a simple program / junit test to test how
java.util.regex.Pattern() processes your value.  Or you may run Tomcat
with a debugger:

https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario

AFAIK, '\|' in a regular expression will be interpreted as expecting a
literal '|' character in the matched string.  No IP address has this
character, so none will match.



Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
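Following Konstantin's suggestion, an added example (not from the thread and not Tomcat code) of a small Java program that feeds the posted pattern and a corrected one through java.util.regex.Pattern with a whole-string matches() check, which is how RemoteIpValve tests each address. The corrected pattern uses a plain '|' between alternatives and an exact 0-255 last octet; the three /22 ranges it encodes (103.21.244.0/22, 103.22.200.0/22, 103.31.4.0/22) are inferred from the posted pattern, and the sample addresses are constructed.

```java
import java.util.regex.Pattern;

public class InternalProxiesRegexCheck {
    // exact 0-255 octet, tighter than the \d{1,3} used in RemoteIpValve's default internalProxies
    static final String OCTET = "(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";

    // the pattern as posted: every '\|' is a literal pipe, so no IP string can ever match it
    static final Pattern POSTED = Pattern.compile(
        "103\\.21\\.(2(4[4-7]))\\.([0-9]\\|[1-9][0-9]\\|1([0-9][0-9])\\|2([0-4][0-9]\\|5[0-5]))"
        + "|103\\.22\\.(2(0[0-3]))\\.([0-9]\\|[1-9][0-9]\\|1([0-9][0-9])\\|2([0-4][0-9]\\|5[0-5]))");

    // corrected: unescaped '|' between the three ranges (assumed /22s), exact last octet
    static final Pattern CORRECTED = Pattern.compile(
        "103\\.21\\.24[4-7]\\." + OCTET
        + "|103\\.22\\.20[0-3]\\." + OCTET
        + "|103\\.31\\.[4-7]\\." + OCTET);

    /** Whole-string match, the same test RemoteIpValve applies to each address in the header. */
    static boolean isInternalProxy(Pattern internalProxies, String ip) {
        return internalProxies.matcher(ip).matches();
    }

    public static void main(String[] args) {
        // constructed samples: four inside the ranges, then next block, out-of-range octet, RFC1918
        String[] samples = {"103.21.244.1", "103.21.247.255", "103.22.203.9", "103.31.7.100",
                            "103.21.248.1", "103.21.244.256", "10.0.0.1"};
        for (String ip : samples) {
            System.out.printf("%-16s posted=%-5s corrected=%s%n",
                ip, isInternalProxy(POSTED, ip), isInternalProxy(CORRECTED, ip));
        }
    }
}
```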



internalProxies regex

2017-12-20 Thread Harrie Robins
Hello everyone,

 

I have a question about the remoteipvalve in tomcat 8.5:
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html

 


internalProxies

Regular expression that matches the IP addresses of internal proxies. If
they appear in the remoteIpHeader value, they will be trusted and will not
appear in the proxiesHeader value

RemoteIPInternalProxy

Regular expression (in the syntax supported by java.util.regex)

10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
172\.3[0-1]{1}\.\d{1,3}\.\d{1,3} 
By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.

 

I need to convert some CIDR ranges to regex:


my concern is that \d{1,3} will match too many (non-existent) addresses

103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|103\.31\.\d[4-7]\.\d[0-9]\d{1,3}

 

So I rewrote using capture groups, below does not function however, and I
assume it is due to OR (|) which tomcat will effectively see as a new entry?
So I tried escaping, but I cannot get it to work:

103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))

 

Any thoughts?

 

Thanks,

Harrie