Re: Strange crash-on-takeoff, Tomcat 7.0.104
James,

On 11/18/2020 5:06 PM, James H. H. Lampert wrote:
> Ladies and Gentlemen:
>
> The same customer installation that required 104 (but with the 103 catalina.sh, to avoid Bug 64501) back in June is now demanding an update to 106 because of the CVE-2020-13935 vulnerability.
>
> Two questions:
>
> 1. Is the problem from June fixed in 106?
> 2. Does 106 take care of CVE-2020-13935?
>
> --
> JHHL

http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
http://tomcat.apache.org/security-7.html

. . . just my two cents
/mde/
Re: Strange crash-on-takeoff, Tomcat 7.0.104
Ladies and Gentlemen:

The same customer installation that required 104 (but with the 103 catalina.sh, to avoid Bug 64501) back in June is now demanding an update to 106 because of the CVE-2020-13935 vulnerability.

Two questions:

1. Is the problem from June fixed in 106?
2. Does 106 take care of CVE-2020-13935?

--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 8.5 TLS cipher strings
On Wed, Nov 18, 2020 at 04:45:05PM +, Mark Thomas wrote:
> On 18/11/2020 03:07, Baron Fujimoto wrote:
>> On Mon, Nov 16, 2020 at 09:47:03AM +, Mark Thomas wrote:
>>> Have you tried adding ":-AES:+AESGCM" to the cipher string you are already using?
>>
>> I hadn't (did I miss where these were documented somewhere?). However it seems like once I add "":-AES", tomcat fails to start with the following error:
>
> Sorry, wrong information on my part.
>
> Try appending: ":-AES:AESGCM"
>
> See https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
>
> Tomcat aims to support the same set of options as the latest stable OpenSSL release and to return the same set of ciphers for the same input.
>
> Note that due to different defaults in different versions of OpenSSL as well as support for ciphers being added/removed in some versions we only aim to replicate the behaviour of the latest stable OpenSSL release (currently 1.1.1h).

Mahalo, that did the trick!

--
UH Information Technology Services : Identity & Access Mgmt, Middleware
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
how to configure per-host logging with rsyslogd
Hello,

I'm running tomcat9 on Debian 10 (systemd). The logging appears to go through rsyslog.d and there is a /etc/rsyslog.d/tomcat9.conf that seems to govern the location of the logs:

    :programname, startswith, "tomcat9" {
      /var/log/tomcat9/catalina.out;TomcatFormat
      stop
    }

My setup is that I have multiple virtual hosts running (i.e. different sites), and I would like the messages for the different WAR files/hosts to end up in different log files (e.g. example.com.out , site.com.out). How do I do this?

Things that I've tried:

1. Modifying /etc/rsyslog.d/tomcat9.conf and introducing templates with %HOSTNAME% template, which just ends up with the name of the machine, rather than the website.
2. Modifying /etc/tomcat9/logging.properties; this seems to be overridden by /etc/rsyslog.d/tomcat9.conf.

Thanks for your help,
Jerry
Re: tomcat 8.5 TLS cipher strings
On 18/11/2020 03:07, Baron Fujimoto wrote:
> On Mon, Nov 16, 2020 at 09:47:03AM +, Mark Thomas wrote:
>> Have you tried adding ":-AES:+AESGCM" to the cipher string you are already using?
>
> I hadn't (did I miss where these were documented somewhere?). However it seems like once I add "":-AES", tomcat fails to start with the following error:

Sorry, wrong information on my part.

Try appending: ":-AES:AESGCM"

See https://www.openssl.org/docs/man1.1.1/man1/ciphers.html

Tomcat aims to support the same set of options as the latest stable OpenSSL release and to return the same set of ciphers for the same input.

Note that due to different defaults in different versions of OpenSSL as well as support for ciphers being added/removed in some versions we only aim to replicate the behaviour of the latest stable OpenSSL release (currently 1.1.1h).

Mark
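The two suffixes discussed in this thread behave differently because, in OpenSSL's cipher-string syntax, a leading "+" only moves suites already in the list to the end, while a bare keyword appends matching suites. The following added example (not from the thread) expands both through OpenSSL via Python's ssl module; the base string "HIGH:!aNULL" is an assumption, since the poster's actual string is not shown, and the result reflects the local OpenSSL build rather than Tomcat's own parser.

```python
import ssl

# Assumed starting string; the poster's real cipher string is not in the thread.
BASE = "HIGH:!aNULL"

def expand(cipher_string):
    """Return the TLS 1.2-and-earlier suite names OpenSSL selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite is selected
    # TLS 1.3 suites are configured separately and are not affected by this string.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def aes_modes(names):
    """Split AES suites into (GCM, non-GCM such as CBC or CCM)."""
    aes = [n for n in names if "AES" in n]
    return [n for n in aes if "GCM" in n], [n for n in aes if "GCM" not in n]

def compare():
    """Expand the base string alone and with each suffix from the thread."""
    results = {}
    for label, suffix in (("base", ""),
                          ("plus", ":-AES:+AESGCM"),    # first suggestion
                          ("append", ":-AES:AESGCM")):  # corrected suggestion
        names = expand(BASE + suffix)
        gcm, other = aes_modes(names)
        results[label] = {"total": len(names), "aes_gcm": gcm, "aes_other": other}
    return results

if __name__ == "__main__":
    for label, r in compare().items():
        print(f"{label:7} total={r['total']:3} "
              f"aes_gcm={len(r['aes_gcm']):2} aes_other={len(r['aes_other']):2}")
```

With ":-AES:+AESGCM" no AES suite remains at all; with ":-AES:AESGCM" only the GCM ones come back.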
Re: Weirdest Tomcat Behavior Ever?
On 18/11/2020 15:41, Eric Robinson wrote:
>> -Original Message-
>> From: Mark Thomas
>> Sent: Wednesday, November 18, 2020 3:03 AM
>> To: users@tomcat.apache.org
>> Subject: Re: Weirdest Tomcat Behavior Ever?
>>
>> On 13/11/2020 23:46, Mark Thomas wrote:
>>> Eric sent me a copy of the strace (thanks Eric) and while it is consistent with what has already been observed, it didn't provide any new information on the socket / file descriptor being closed.
>>>
>>> I'd like to suggest running again with the following:
>>>
>>> sudo strace -r -f -e trace=network,desc -p
>>>
>>> That should log the file descriptor being closed (and other fd activity). There are a couple of things we might be able to do with this:
>>>
>>> - we'll be able to determine if the socket is closed on the same or a different thread
>>> - we might be able to correlate the time of closure with other logs (seems unlikely as we have this from Wireshark but you never know)
>>> - the class before the close might be enlightening
>>
>> Hi Eric,
>>
>> I looked at the updated logs this morning. I don't see any additional logging for file descriptors in the strace output.
>>
>> I wonder if you need a slightly different command on your platform?
>>
>> I'd expect to see entries like this:
>>
>> [pid 8062] 0.70 openat(AT_FDCWD, "/home/mark/repos/asf-tomcat-master/output/build/webapps/ROOT/bg-nav.png", O_RDONLY) = 57
>> [pid 8062] 0.27 fstat(57,
>> [pid 8062] 0.05 <... fstat resumed>{st_mode=S_IFREG|0664, st_size=1401, ...}) = 0
>> [pid 8062] 0.43 read(57,
>> [pid 8062] 0.33 <... read resumed>"\211PNG\r\n\32\n\0\0\0\rIHDR\0\0\0\n\0\0\0002\10\6\0\0\0e\33J"..., 1401) = 1401
>> [pid 8062] 0.13 close(57
>>
>> showing file access although what I really want to see are the calls to close the sockets (like the last two in the sequence below from a test where I used telnet to perform an HTTP/1.0 request)
>>
>> pid 8069] 0.124099 <... accept resumed>{sa_family=AF_INET6, sin6_port=htons(52656), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, ":::127.0.0.1", &sin6_addr), sin6_scope_id=0}, [28]) = 50
>> ...
>> [pid 8063] 0.000216 read(50,
>> [pid 8063] 0.58 <... read resumed>"GET / HTTP/1.0\r\n", 8192) = 16
>> [pid 8063] 0.29 read(50,
>> [pid 8063] 0.30 <... read resumed>0x7f4f6c000e70, 8192) = -1 EAGAIN (Resource temporarily unavailable)
>> [pid 8064] 0.001061 read(50, "Host: a\r\n", 8192) = 9
>> [pid 8064] 0.000239 read(50, 0x7f4f6e70, 8192) = -1 EAGAIN (Resource temporarily unavailable)
>> [pid 8062] 0.000214 read(50, "\r\n", 8192) = 2
>> [pid 8062] 0.007897 write(50, "HTTP/1.1 200 \r\nContent-Type: tex"..., 8192) = 8192
>> [pid 8062] 0.000353 write(50, ">Tomcat Native\n "..., 3079) = 3079
>> [pid 8062] 0.002071 getsockopt(50, SOL_SOCKET, SO_LINGER, {l_onoff=0, l_linger=0}, [8]) = 0
>> [pid 8062] 0.000102 shutdown(50, SHUT_WR) = 0
>> [pid 8068] 0.000342 close(50) = 0
>>
>> It is probably worth running a couple of quick tests to figure out the correct form of the strace command on your platform and then retesting.
>>
>> Mark
>>
>
> Entirely my fault. I'm new to strace, so I didn't know what to expect. I have now read the strace man page and I'm more up to speed. I tested it and we're now capturing file descriptor operations. The next batch of logs will be better.

No worries. This strace stuff is new to me as well. I shouldn't have assumed what worked on my Ubuntu desktop was going to work the same way on your CentOS server.

I am very curious as to what we are going to see in these logs.

Cheers,

Mark
RE: Weirdest Tomcat Behavior Ever?
> -Original Message-
> From: Mark Thomas
> Sent: Wednesday, November 18, 2020 3:03 AM
> To: users@tomcat.apache.org
> Subject: Re: Weirdest Tomcat Behavior Ever?
>
> On 13/11/2020 23:46, Mark Thomas wrote:
> > Eric sent me a copy of the strace (thanks Eric) and while it is consistent with what has already been observed, it didn't provide any new information on the socket / file descriptor being closed.
> >
> > I'd like to suggest running again with the following:
> >
> > sudo strace -r -f -e trace=network,desc -p
> >
> > That should log the file descriptor being closed (and other fd activity). There are a couple of things we might be able to do with this:
> >
> > - we'll be able to determine if the socket is closed on the same or a different thread
> > - we might be able to correlate the time of closure with other logs (seems unlikely as we have this from Wireshark but you never know)
> > - the class before the close might be enlightening
>
> Hi Eric,
>
> I looked at the updated logs this morning. I don't see any additional logging for file descriptors in the strace output.
>
> I wonder if you need a slightly different command on your platform?
>
> I'd expect to see entries like this:
>
> [pid 8062] 0.70 openat(AT_FDCWD, "/home/mark/repos/asf-tomcat-master/output/build/webapps/ROOT/bg-nav.png", O_RDONLY) = 57
> [pid 8062] 0.27 fstat(57,
> [pid 8062] 0.05 <... fstat resumed>{st_mode=S_IFREG|0664, st_size=1401, ...}) = 0
> [pid 8062] 0.43 read(57,
> [pid 8062] 0.33 <... read resumed>"\211PNG\r\n\32\n\0\0\0\rIHDR\0\0\0\n\0\0\0002\10\6\0\0\0e\33J"..., 1401) = 1401
> [pid 8062] 0.13 close(57
>
> showing file access although what I really want to see are the calls to close the sockets (like the last two in the sequence below from a test where I used telnet to perform an HTTP/1.0 request)
>
> pid 8069] 0.124099 <... accept resumed>{sa_family=AF_INET6, sin6_port=htons(52656), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, ":::127.0.0.1", &sin6_addr), sin6_scope_id=0}, [28]) = 50
> ...
> [pid 8063] 0.000216 read(50,
> [pid 8063] 0.58 <... read resumed>"GET / HTTP/1.0\r\n", 8192) = 16
> [pid 8063] 0.29 read(50,
> [pid 8063] 0.30 <... read resumed>0x7f4f6c000e70, 8192) = -1 EAGAIN (Resource temporarily unavailable)
> [pid 8064] 0.001061 read(50, "Host: a\r\n", 8192) = 9
> [pid 8064] 0.000239 read(50, 0x7f4f6e70, 8192) = -1 EAGAIN (Resource temporarily unavailable)
> [pid 8062] 0.000214 read(50, "\r\n", 8192) = 2
> [pid 8062] 0.007897 write(50, "HTTP/1.1 200 \r\nContent-Type: tex"..., 8192) = 8192
> [pid 8062] 0.000353 write(50, ">Tomcat Native\n "..., 3079) = 3079
> [pid 8062] 0.002071 getsockopt(50, SOL_SOCKET, SO_LINGER, {l_onoff=0, l_linger=0}, [8]) = 0
> [pid 8062] 0.000102 shutdown(50, SHUT_WR) = 0
> [pid 8068] 0.000342 close(50) = 0
>
> It is probably worth running a couple of quick tests to figure out the correct form of the strace command on your platform and then retesting.
>
> Mark
>

Entirely my fault. I'm new to strace, so I didn't know what to expect. I have now read the strace man page and I'm more up to speed. I tested it and we're now capturing file descriptor operations. The next batch of logs will be better.

-Eric
[ANN] Apache Tomcat 8.5.60 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.60.

Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and Java Authentication Service Provider Interface for Containers technologies.

Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from the 9.0.x branch. The notable changes since 8.5.59 include:

- Statistics are now available (via JMX) for HTTP/2, WebSocket and HTTP/1.1 upgraded connections
- Stability improvements for HTTP/2
- Improvements to error handling in the connection pool used by the JNDI Realm

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-8.5-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 7.x and 8.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 9.0.40 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.40.

Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies.

Apache Tomcat 9.0.40 is a bugfix and feature release. The notable changes compared to 9.0.39 include:

- Statistics are now available (via JMX) for HTTP/2, WebSocket and HTTP/1.1 upgraded connections
- Stability improvements for HTTP/2
- Stability improvements for the NIO connector

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-9.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 10.0.0-M10 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.0-M9.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is under development to aid this process.

Apache Tomcat 10.0.0-M10 is a milestone release of the 10.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 10.0.x so that they may provide feedback. The notable changes compared to 10.0.0-M9 include:

- Statistics are now available (via JMX) for HTTP/2, WebSocket and HTTP/1.1 upgraded connections
- Stability improvements for HTTP/2
- Stability improvements for the NIO connector

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
Re: Weirdest Tomcat Behavior Ever?
On 13/11/2020 23:46, Mark Thomas wrote:
> Eric sent me a copy of the strace (thanks Eric) and while it is consistent with what has already been observed, it didn't provide any new information on the socket / file descriptor being closed.
>
> I'd like to suggest running again with the following:
>
> sudo strace -r -f -e trace=network,desc -p
>
> That should log the file descriptor being closed (and other fd activity). There are a couple of things we might be able to do with this:
>
> - we'll be able to determine if the socket is closed on the same or a different thread
> - we might be able to correlate the time of closure with other logs (seems unlikely as we have this from Wireshark but you never know)
> - the class before the close might be enlightening

Hi Eric,

I looked at the updated logs this morning. I don't see any additional logging for file descriptors in the strace output.

I wonder if you need a slightly different command on your platform?

I'd expect to see entries like this:

[pid 8062] 0.70 openat(AT_FDCWD, "/home/mark/repos/asf-tomcat-master/output/build/webapps/ROOT/bg-nav.png", O_RDONLY) = 57
[pid 8062] 0.27 fstat(57,
[pid 8062] 0.05 <... fstat resumed>{st_mode=S_IFREG|0664, st_size=1401, ...}) = 0
[pid 8062] 0.43 read(57,
[pid 8062] 0.33 <... read resumed>"\211PNG\r\n\32\n\0\0\0\rIHDR\0\0\0\n\0\0\0002\10\6\0\0\0e\33J"..., 1401) = 1401
[pid 8062] 0.13 close(57

showing file access although what I really want to see are the calls to close the sockets (like the last two in the sequence below from a test where I used telnet to perform an HTTP/1.0 request)

pid 8069] 0.124099 <... accept resumed>{sa_family=AF_INET6, sin6_port=htons(52656), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, ":::127.0.0.1", &sin6_addr), sin6_scope_id=0}, [28]) = 50
...
[pid 8063] 0.000216 read(50,
[pid 8063] 0.58 <... read resumed>"GET / HTTP/1.0\r\n", 8192) = 16
[pid 8063] 0.29 read(50,
[pid 8063] 0.30 <... read resumed>0x7f4f6c000e70, 8192) = -1 EAGAIN (Resource temporarily unavailable)
[pid 8064] 0.001061 read(50, "Host: a\r\n", 8192) = 9
[pid 8064] 0.000239 read(50, 0x7f4f6e70, 8192) = -1 EAGAIN (Resource temporarily unavailable)
[pid 8062] 0.000214 read(50, "\r\n", 8192) = 2
[pid 8062] 0.007897 write(50, "HTTP/1.1 200 \r\nContent-Type: tex"..., 8192) = 8192
[pid 8062] 0.000353 write(50, ">Tomcat Native\n "..., 3079) = 3079
[pid 8062] 0.002071 getsockopt(50, SOL_SOCKET, SO_LINGER, {l_onoff=0, l_linger=0}, [8]) = 0
[pid 8062] 0.000102 shutdown(50, SHUT_WR) = 0
[pid 8068] 0.000342 close(50) = 0

It is probably worth running a couple of quick tests to figure out the correct form of the strace command on your platform and then retesting.

Mark
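Once the capture contains file descriptor activity, the question raised in this thread (which thread accepted a socket, which thread closed it, and what call came just before the close) can be answered mechanically. The following is an added example, not code from the thread: it parses "strace -f -r" style lines, pairs unfinished and resumed calls per thread, and also reports close() calls that failed. The sample lines and all names in the code are constructed for illustration.

```python
import re

# Constructed sample, modelled on the strace -r -f lines quoted in the thread.
SAMPLE = r'''
[pid  8069]     0.124099 <... accept resumed>{sa_family=AF_INET6, sin6_port=htons(52656)}, [28]) = 50
[pid  8063]     0.000216 read(50,  <unfinished ...>
[pid  8063]     0.000058 <... read resumed>"GET / HTTP/1.0\r\n", 8192) = 16
[pid  8062]     0.007897 write(50, "HTTP/1.1 200 \r\n"..., 8192) = 8192
[pid  8062]     0.000102 shutdown(50, SHUT_WR) = 0
[pid  8068]     0.000342 close(50)          = 0
[pid  8064]     0.000120 close(50)          = -1 EBADF (Bad file descriptor)
'''

LINE = re.compile(r'^\[pid\s+(\d+)\]\s+[\d.]+\s+(.*)$')
CALL = re.compile(r'^(\w+)\((\d+)[,)]')          # syscall whose first argument is an fd
RESUMED = re.compile(r'^<\.\.\. (\w+) resumed>')
RET = re.compile(r' = (-?\d+)(?!\w)')

def trace_sockets(text):
    """Return (closed connections, failed close() calls) from strace -f output."""
    pending, live, done, bad_closes = {}, {}, [], []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, rest = int(m.group(1)), m.group(2)
        resumed, call = RESUMED.match(rest), CALL.match(rest)
        if resumed:    # second half of a split call: the fd was remembered per thread
            name, fd = resumed.group(1), pending.pop(pid, None)
        elif call:
            name, fd = call.group(1), int(call.group(2))
        else:
            continue
        if "<unfinished" in rest:
            pending[pid] = fd
            continue
        rets = RET.findall(rest)
        if not rets:
            continue
        ret = int(rets[-1])
        if name in ("accept", "accept4"):
            if ret >= 0:   # the return value, not the first argument, is the new socket
                live[ret] = {"fd": ret, "accepted_by": pid, "calls": []}
        elif fd is None:
            continue
        elif name == "close" and ret != 0:
            bad_closes.append((pid, fd))   # e.g. EBADF: the fd was already closed
        elif name == "close" and fd in live:
            conn = live.pop(fd)
            conn["closed_by"] = pid
            conn["before_close"] = conn["calls"][-1] if conn["calls"] else None
            done.append(conn)
        elif fd in live:
            live[fd]["calls"].append((pid, name))
    return done, bad_closes

if __name__ == "__main__":
    closed, bad = trace_sockets(SAMPLE)
    for c in closed:
        print(c["fd"], "accepted by", c["accepted_by"], "closed by", c["closed_by"], "after", c["before_close"])
    print("failed closes:", bad)
```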