Re: Tomcat 9 http2 upload failed with big file.

2019-12-03 Thread Mark Thomas
On 03/12/2019 07:14, Arief Hasani wrote:
> On 01/12/2019 17:03, Arief Hasani wrote:
>>> Hi,
>>> Strangely I can not upload big file (~20Mb) when using http2 using curl
>>> with unexpected EOF error, whereas the upload was successful when forcing
>>> curl to use http1.1 protocol so I assume code and configuration should be
>>> correct. I am using tomcat 9.0.29
> 
>> Which version of curl? 
>> I recommend you read through this issue:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=63948
>> Mark

> Hi Mark,
> That does it, thanks. So how does disabling those three
> configurations affect the mitigation of the vulnerabilities explained in
> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

Tomcat wasn't (and isn't) vulnerable to any of those vulnerabilities.

Tomcat handled those (spec compliant but effectively malicious) requests
in broadly the same amount of time using broadly the same CPU and
broadly the same memory as normal requests. There was one of the attacks
where Tomcat used noticeably more CPU but it wasn't excessive compared
to what could be used by legitimate requests. Hence, no DoS.

We added the overhead protection options more from a "Well, we can
detect this behaviour, the behaviour is clearly malicious, so let's do
something about it" point of view. An unexpected side-effect was that it
identified a few clients that were sending lots of little HTTP/2 frames
which is generally inefficient.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
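
One way to check whether a client is among those "sending lots of little HTTP/2 frames", as an added example that is not part of the thread and is not Tomcat's own overhead accounting: it parses the 9-byte frame headers defined in RFC 7540 from a cleartext or decrypted frame stream and counts small, non-final DATA frames per stream. The 1024-byte cut-off, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct
from collections import Counter

FRAME_HEADER_LEN = 9                   # RFC 7540 section 4.1
TYPE_DATA, FLAG_END_STREAM = 0x0, 0x1  # RFC 7540 section 6.1
SMALL_PAYLOAD = 1024                   # assumed cut-off, not a Tomcat default


def parse_frames(buf):
    """Yield (length, type, flags, stream_id) for each complete frame in buf."""
    pos = 0
    while pos + FRAME_HEADER_LEN <= len(buf):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, pos)
        length = (hi << 16) | lo               # 24-bit payload length
        end = pos + FRAME_HEADER_LEN + length
        if end > len(buf):
            break                              # truncated capture: drop partial frame
        yield length, ftype, flags, sid & 0x7FFFFFFF  # mask the reserved bit
        pos = end


def small_data_report(buf, small=SMALL_PAYLOAD):
    """Map stream id -> (DATA frames seen, small non-final DATA frames)."""
    total, tiny = Counter(), Counter()
    for length, ftype, flags, sid in parse_frames(buf):
        if ftype != TYPE_DATA:
            continue                           # HEADERS, WINDOW_UPDATE, ... are skipped
        total[sid] += 1
        if length < small and not flags & FLAG_END_STREAM:
            tiny[sid] += 1
    return {sid: (total[sid], tiny[sid]) for sid in total}


def frame(ftype, flags, sid, payload):
    """Build one frame; used only to construct the sample input below."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, sid) + payload


# Constructed sample: stream 1 uploads in 100-byte chunks, stream 3 in 16 KiB chunks.
SAMPLE = b"".join(
    [frame(TYPE_DATA, 0, 1, b"a" * 100) for _ in range(20)]
    + [frame(TYPE_DATA, FLAG_END_STREAM, 1, b"a" * 100)]
    + [frame(0x8, 0, 0, b"\x00\x00\x40\x00")]  # WINDOW_UPDATE on the connection
    + [frame(TYPE_DATA, 0, 3, b"b" * 16384) for _ in range(3)]
    + [frame(TYPE_DATA, FLAG_END_STREAM, 3, b"")]
)
if __name__ == "__main__":
    print(small_data_report(SAMPLE))
```

A stream where nearly every DATA frame is small and non-final, like stream 1 in the sample, is the pattern worth fixing on the client side before relaxing server-side protections.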



Re: Tomcat 9 http2 upload failed with big file.

2019-12-02 Thread Arief Hasani
On 01/12/2019 17:03, Arief Hasani wrote:
>> Hi,
>> Strangely I can not upload big file (~20Mb) when using http2 using curl
>> with unexpected EOF error, whereas the upload was successful when forcing
>> curl to use http1.1 protocol so I assume code and configuration should be
>> correct. I am using tomcat 9.0.29

> Which version of curl? 
> I recommend you read through this issue:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=63948
> Mark

Hi Mark,
That does it, thanks. So how does disabling those three
configurations affect the mitigation of the vulnerabilities explained in
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

Cheers

Sorry, was unable to reply to original thread, somehow it was not
delivered to my inbox

Re: Tomcat 9 http2 upload failed with big file.

2019-12-01 Thread Mark Thomas
On 01/12/2019 17:03, Arief Hasani wrote:
> Hi,
> Strangely I can not upload big file (~20Mb) when using http2 using curl with
> unexpected EOF error, whereas the upload was successful when forcing curl to
> use http1.1 protocol so I assume code and configuration should be correct.
> I am using tomcat 9.0.29

Which version of curl?

I recommend you read through this issue:
https://bz.apache.org/bugzilla/show_bug.cgi?id=63948

Mark


Tomcat 9 http2 upload failed with big file.

2019-12-01 Thread Arief Hasani
Hi,
Strangely I can not upload big file (~20Mb) when using http2 using curl with
unexpected EOF error, whereas the upload was successful when forcing curl to
use http1.1 protocol so I assume code and configuration should be correct.
I am using tomcat 9.0.29

Kind regards
Hasani