[Bug 62343] New: CORS security: reflecting any origin header value when configured to * is dangerous
https://bz.apache.org/bugzilla/show_bug.cgi?id=62343

Bug ID: 62343
Summary: CORS security: reflecting any origin header value when configured to * is dangerous
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: whu...@gmail.com
Target Milestone:

What's the Problem?

When CORS policy is configured to "Origin:*" and "Credentials:true" (default setting), the current Tomcat CORS filter will actively convert it to reflect any Origin header value. This kind of behavior is dangerous and has caused many security problems in the past [1-5].

Why is that?

Current CORS standards (both W3C CORS and the WHATWG fetch standard) have a clear definition for the wildcard '*', which means any domain is allowed. But they also have another important security requirement: "Origin: *" and "Credentials: true" cannot be used at the same time, to avoid overly loose permissions. Currently all browsers follow this requirement and disallow this configuration combination.

If a framework actively converts '*' to reflect any origin header value, it means "Origin: *" and "Credentials: true" can be used at the same time. This behavior leads to the CORS protocol's security design being bypassed, causing many misconfiguration security problems.

How to fix?

Therefore, I suggest that frameworks follow the standard definition of *. When a user configures "Origin:*", frameworks just directly return "Access-control-Allow-Access: *". When a user configures both "Origin:*" and "Credentials: true", frameworks should warn users that this is a misconfiguration, instead of returning any origin header value.

Some similar security issues:
[1] https://github.com/cyu/rack-cors/issues/126
[2] https://nodesecurity.io/advisories/148
[3] https://github.com/yiisoft/yii2/issues/16193

Some related blog posts:
[4] http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
[5] https://ejj.io/misconfigured-cors/

--
You are receiving this mail because: You are the assignee for the bug.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
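The two behaviours contrasted in the report above, as an added Java example that is not part of the original report and is not Tomcat's CorsFilter source. The class and method names and the origins under example are constructed for illustration; browserExposesResponse models the CORS check of the Fetch standard.

```java
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

// Added illustration with hypothetical names; this is not Tomcat's CorsFilter source.
public class CorsWildcardDemo {

    static final String ACAO = "Access-Control-Allow-Origin";
    static final String ACAC = "Access-Control-Allow-Credentials";

    /** Parses a comma-separated origin list; "*" is kept as a literal entry. */
    static Set<String> parseOrigins(String configured) {
        Set<String> out = new LinkedHashSet<>();
        for (String s : configured.split(",")) {
            if (!s.trim().isEmpty()) {
                out.add(s.trim());
            }
        }
        return out;
    }

    /** Behaviour the report describes: "*" plus credentials is turned into
     *  "echo whatever Origin the request carried". */
    static Map<String, String> reflectingFilter(Set<String> allowed, boolean credentials, String origin) {
        Map<String, String> h = new LinkedHashMap<>();
        boolean any = allowed.contains("*");
        if (origin == null || !(any || allowed.contains(origin))) {
            return h; // not a CORS request, or origin not allowed: no CORS headers
        }
        if (credentials) {
            h.put(ACAO, origin); // the wildcard silently becomes a reflection
            h.put(ACAC, "true");
            h.put("Vary", "Origin");
        } else {
            h.put(ACAO, any ? "*" : origin);
        }
        return h;
    }

    /** Behaviour the report asks for: "*" stays a literal "*", and "*" together
     *  with credentials is rejected as a misconfiguration. */
    static Map<String, String> conformingFilter(Set<String> allowed, boolean credentials, String origin) {
        if (allowed.contains("*") && credentials) {
            throw new IllegalArgumentException(
                "allowed origins '*' cannot be combined with credentials support");
        }
        Map<String, String> h = new LinkedHashMap<>();
        if (origin == null) {
            return h;
        }
        if (allowed.contains("*")) {
            h.put(ACAO, "*"); // credentials is false on this path
        } else if (allowed.contains(origin)) {
            h.put(ACAO, origin);
            h.put("Vary", "Origin");
            if (credentials) {
                h.put(ACAC, "true");
            }
        }
        return h;
    }

    /** CORS check as a browser applies it: a credentialed response is exposed to the
     *  page only if the header equals the page's origin exactly and credentials are allowed. */
    static boolean browserExposesResponse(Map<String, String> h, String pageOrigin, boolean withCredentials) {
        String acao = h.get(ACAO);
        if (acao == null) {
            return false;
        }
        if (!withCredentials && acao.equals("*")) {
            return true;
        }
        if (!acao.equals(pageOrigin)) {
            return false; // includes "*" on a credentialed request
        }
        return !withCredentials || "true".equals(h.get(ACAC));
    }

    public static void main(String[] args) {
        String untrusted = "https://untrusted.example"; // constructed sample origin
        Set<String> wildcard = parseOrigins("*");

        Map<String, String> reflected = reflectingFilter(wildcard, true, untrusted);
        System.out.println("reflecting filter, '*' + credentials: " + reflected);
        System.out.println("  browser exposes credentialed response: "
            + browserExposesResponse(reflected, untrusted, true));

        Map<String, String> literal = new LinkedHashMap<>();
        literal.put(ACAO, "*");
        literal.put(ACAC, "true");
        System.out.println("literal '*' + credentials header: browser exposes credentialed response: "
            + browserExposesResponse(literal, untrusted, true));

        try {
            conformingFilter(wildcard, true, untrusted);
        } catch (IllegalArgumentException e) {
            System.out.println("conforming filter, '*' + credentials: rejected: " + e.getMessage());
        }

        Map<String, String> anonymous = conformingFilter(wildcard, false, untrusted);
        System.out.println("conforming filter, '*' without credentials: " + anonymous
            + ", credentialed read exposed: " + browserExposesResponse(anonymous, untrusted, true));

        Set<String> list = parseOrigins("https://app.example, https://admin.example");
        System.out.println("conforming filter, explicit list, listed origin: "
            + conformingFilter(list, true, "https://app.example"));
        System.out.println("conforming filter, explicit list, unlisted origin: "
            + conformingFilter(list, true, untrusted));
    }
}
```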
[GUMP@vmgump-vm3]: Project tomcat-trunk-validate (in module tomcat-trunk) failed
To whom it may engage...

This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org.

Project tomcat-trunk-validate has an issue affecting its community integration. This issue affects 1 projects, and has been outstanding for 19 runs. The current state of this project is 'Failed', with reason 'Build Failed'.

For reference only, the following projects are affected by this:
- tomcat-trunk-validate : Tomcat 9.x, a web server implementing the Java Servlet 4.0, ...

Full details are available at:
http://vmgump-vm3.apache.org/tomcat-trunk/tomcat-trunk-validate/index.html

That said, some information snippets are provided here.

The following annotations (debug/informational/warning/error messages) were provided:
-DEBUG- Dependency on checkstyle exists, no need to add for property checkstyle.jar.
-INFO- Failed with reason build failed

The following work was performed:
http://vmgump-vm3.apache.org/tomcat-trunk/tomcat-trunk-validate/gump_work/build_tomcat-trunk_tomcat-trunk-validate.html
Work Name: build_tomcat-trunk_tomcat-trunk-validate (Type: Build)
Work ended in a state of : Failed
Elapsed: 37 secs
Command Line: /usr/lib/jvm/java-8-oracle/bin/java -Djava.awt.headless=true -Dbuild.sysclasspath=only org.apache.tools.ant.Main -Dgump.merge=/srv/gump/public/gump/work/merge.xml -Dbase.path=/srv/gump/public/workspace/tomcat-trunk/tomcat-build-libs -Dcheckstyle.jar=/srv/gump/public/workspace/checkstyle/target/checkstyle-8.11-SNAPSHOT.jar -Dexecute.validate=true validate
[Working Directory: /srv/gump/public/workspace/tomcat-trunk]

[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-trunk/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:37:1: Disallowed import - org.apache.catalina.tribes.transport.AbstractRxTask. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-trunk/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:38:1: Disallowed import - org.apache.catalina.tribes.transport.ReceiverBase. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-trunk/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:39:1: Disallowed import - org.apache.catalina.tribes.transport.RxTaskPool. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-trunk/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:40:1: Disallowed import - org.apache.catalina.tribes.util.ExceptionUtils. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-trunk/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:41:1: Disallowed import - org.apache.catalina.tribes.util.StringManager. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-trunk/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java:29:1: Disallowed import - org.apache.catalina.tribes.ChannelMessage. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-trunk/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java:30:1: Disallowed import - org.apache.catalina.tribes.ChannelReceiver. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-trunk/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java:31:1: Disallowed import - org.apache.catalina.tribes.RemoteProcessException. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-trunk/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java:32:1: Disallowed import - org.apache.catalina.tribes.UniqueId. [ImportControl]
[checkstyle] [ERROR]
[GUMP@vmgump-vm3]: Project tomcat-tc8.0.x-validate (in module tomcat-8.0.x) failed
To whom it may engage...

This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org.

Project tomcat-tc8.0.x-validate has an issue affecting its community integration. This issue affects 1 projects, and has been outstanding for 19 runs. The current state of this project is 'Failed', with reason 'Build Failed'.

For reference only, the following projects are affected by this:
- tomcat-tc8.0.x-validate : Tomcat 8.x, a web server implementing the Java Servlet 3.1, ...

Full details are available at:
http://vmgump-vm3.apache.org/tomcat-8.0.x/tomcat-tc8.0.x-validate/index.html

That said, some information snippets are provided here.

The following annotations (debug/informational/warning/error messages) were provided:
-DEBUG- Dependency on checkstyle exists, no need to add for property checkstyle.jar.
-INFO- Failed with reason build failed

The following work was performed:
http://vmgump-vm3.apache.org/tomcat-8.0.x/tomcat-tc8.0.x-validate/gump_work/build_tomcat-8.0.x_tomcat-tc8.0.x-validate.html
Work Name: build_tomcat-8.0.x_tomcat-tc8.0.x-validate (Type: Build)
Work ended in a state of : Failed
Elapsed: 43 secs
Command Line: /usr/lib/jvm/java-8-oracle/bin/java -Djava.awt.headless=true -Dbuild.sysclasspath=only org.apache.tools.ant.Main -Dgump.merge=/srv/gump/public/gump/work/merge.xml -Dbase.path=/srv/gump/public/workspace/tomcat-8.0.x/tomcat-build-libs -Dcheckstyle.jar=/srv/gump/public/workspace/checkstyle/target/checkstyle-8.11-SNAPSHOT.jar -Dexecute.validate=true validate
[Working Directory: /srv/gump/public/workspace/tomcat-8.0.x]

[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-8.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:38:1: Disallowed import - org.apache.catalina.tribes.transport.AbstractRxTask. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-8.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:39:1: Disallowed import - org.apache.catalina.tribes.transport.ReceiverBase. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-8.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:40:1: Disallowed import - org.apache.catalina.tribes.transport.RxTaskPool. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-8.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:41:1: Disallowed import - org.apache.catalina.tribes.util.ExceptionUtils. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-8.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:42:1: Disallowed import - org.apache.catalina.tribes.util.StringManager. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-8.0.x/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java:29:1: Disallowed import - org.apache.catalina.tribes.ChannelMessage. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-8.0.x/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java:30:1: Disallowed import - org.apache.catalina.tribes.ChannelReceiver. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-8.0.x/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java:31:1: Disallowed import - org.apache.catalina.tribes.RemoteProcessException. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-8.0.x/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java:32:1: Disallowed import - org.apache.catalina.tribes.UniqueId. [ImportControl]
[checkstyle] [ERROR]
[GUMP@vmgump-vm3]: Project tomcat-tc7.0.x-validate (in module tomcat-7.0.x) failed
To whom it may engage...

This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org.

Project tomcat-tc7.0.x-validate has an issue affecting its community integration. This issue affects 1 projects, and has been outstanding for 19 runs. The current state of this project is 'Failed', with reason 'Build Failed'.

For reference only, the following projects are affected by this:
- tomcat-tc7.0.x-validate : Tomcat 7.x, a web server implementing Java Servlet 3.0, ...

Full details are available at:
http://vmgump-vm3.apache.org/tomcat-7.0.x/tomcat-tc7.0.x-validate/index.html

That said, some information snippets are provided here.

The following annotations (debug/informational/warning/error messages) were provided:
-DEBUG- Dependency on checkstyle exists, no need to add for property checkstyle.jar.
-INFO- Failed with reason build failed

The following work was performed:
http://vmgump-vm3.apache.org/tomcat-7.0.x/tomcat-tc7.0.x-validate/gump_work/build_tomcat-7.0.x_tomcat-tc7.0.x-validate.html
Work Name: build_tomcat-7.0.x_tomcat-tc7.0.x-validate (Type: Build)
Work ended in a state of : Failed
Elapsed: 38 secs
Command Line: /usr/lib/jvm/java-8-oracle/bin/java -Djava.awt.headless=true -Dbuild.sysclasspath=only org.apache.tools.ant.Main -Dgump.merge=/srv/gump/public/gump/work/merge.xml -Dbase.path=/srv/gump/public/workspace/tomcat-7.0.x/tomcat-build-libs -Dcheckstyle.jar=/srv/gump/public/workspace/checkstyle/target/checkstyle-8.11-SNAPSHOT.jar -Dexecute.validate=true validate
[Working Directory: /srv/gump/public/workspace/tomcat-7.0.x]

[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-7.0.x/java/org/apache/catalina/tribes/transport/bio/util/LinkObject.java:23:1: Disallowed import - org.apache.catalina.tribes.group.InterceptorPayload. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-7.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:35:1: Disallowed import - org.apache.catalina.tribes.group.GroupChannel. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-7.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:36:1: Disallowed import - org.apache.catalina.tribes.io.ObjectReader. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-7.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:37:1: Disallowed import - org.apache.catalina.tribes.transport.AbstractRxTask. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-7.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:38:1: Disallowed import - org.apache.catalina.tribes.transport.Constants. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-7.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:39:1: Disallowed import - org.apache.catalina.tribes.transport.ReceiverBase. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-7.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:40:1: Disallowed import - org.apache.catalina.tribes.transport.RxTaskPool. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-7.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:41:1: Disallowed import - org.apache.catalina.tribes.util.StringManager. [ImportControl]
[checkstyle] [ERROR] /srv/gump/public/workspace/tomcat-7.0.x/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java:29:1: Disallowed import - org.apache.catalina.tribes.ChannelMessage. [ImportControl]
[checkstyle] [ERROR]
Re: [Git migration] Old git repositories
On Mon, Apr 30, 2018, 16:48 Mark Thomas wrote:

> The current plan is to merge all of the existing branches into a single
> Git repo. This will be mirrored at GitHub under apache/tomcat. This is
> currently used for the svn mirror for trunk only.
>
> This raises the question what to do with:
> apache/tomcat7
> apache/tomcat8
> apache/tomcat85
>
> I think there are two options:
>
> 1. Retain them but make them read-only
>
> 2. Delete them
>
> Suggestions for other options welcome.
>
> I'm actually leaning towards deleting them. My reasoning is that we
> deleted apache/tomcat55 and apache/tomcat6 when those releases reached
> EOL and no-one complained. As far as I recall, no-one even mentioned the
> deletions on list. Therefore, I'd be happy to delete those mirrors just
> as soon as apache/tomcat was up and running.

I don't see a reason for keeping them so I'm +1 for deleting them.

> Mark
>
> P.S. Don't forget that apache/tomcat will become writeable as part of
> the migration and will sync with gitbox.apache.org in a dual master
> configuration
[Git migration] Old git repositories
The current plan is to merge all of the existing branches into a single Git repo. This will be mirrored at GitHub under apache/tomcat. This is currently used for the svn mirror for trunk only.

This raises the question what to do with:
apache/tomcat7
apache/tomcat8
apache/tomcat85

I think there are two options:

1. Retain them but make them read-only

2. Delete them

Suggestions for other options welcome.

I'm actually leaning towards deleting them. My reasoning is that we deleted apache/tomcat55 and apache/tomcat6 when those releases reached EOL and no-one complained. As far as I recall, no-one even mentioned the deletions on list. Therefore, I'd be happy to delete those mirrors just as soon as apache/tomcat was up and running.

Mark

P.S. Don't forget that apache/tomcat will become writeable as part of the migration and will sync with gitbox.apache.org in a dual master configuration
Re: [Tomcat Wiki] Update of "Security/Ciphers" by markt
On 30/04/18 21:11, Christopher Schultz wrote: > Mark, > > On 4/30/18 1:48 PM, Apache Wiki wrote: >> You have subscribed to a wiki page or wiki category on "Tomcat >> Wiki" for change notification. > >> The "Security/Ciphers" page has been changed by markt: >> https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=20 > v2=21 > >> Comment: Update versions, add Java 9 and update JSSE results > > >> == BIO/NIO/NIO2 with JSSE Results (Default) == > >> - |||| Java 6 || Java 7 || Java 8 || + |||| >> Java 6 || Java 7 || Java 8 || Java 9 || - || Tomcat 7 || C >> || A|| A|| + || Tomcat 7 || C|| B|| A >> || A|| - || Tomcat 8 || N/A || A|| A|| + || >> Tomcat 8 || N/A || B|| A|| A|| - || Tomcat >> 8.5 || N/A || A|| A|| + || Tomcat 8.5 || N/A || >> B|| A|| A|| - || Tomcat 9 || N/A || N/A || >> A|| + || Tomcat 9 || N/A || N/A || A|| A|| > >> Note: These results were obtained using the JCE Unlimited Strength >> Jurisdiction Policy Files > >> - Note: The 6 results are capped at C because Java 6 does not >> support TLS 1.1 or 1.2. + Note: The Java 6 results are capped at C >> because Java 6 does not support TLS 1.1 or 1.2. > > The latest releases (after "update 111") of Java 1.6 to support TLSv1.1. That assumes that you are paying Oracle for extended support. I'm not, so I don't have access to those versions. If someone wants to update the wiki for info for the paid support versions, I've no objections but I'd ask that they be given a separate column so it is clear to folks what they are looking at. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 62334] Filter by remote IP address of request for status worker of ISAPI redirector
https://bz.apache.org/bugzilla/show_bug.cgi?id=62334

Christopher Schultz changed:

What   |Removed |Added
Status |NEW     |NEEDINFO

--- Comment #3 from Christopher Schultz ---
Changing to NEEDINFO, since it's not clear this feature is even necessary.
[Bug 62334] Filter by remote IP address of request for status worker of ISAPI redirector
https://bz.apache.org/bugzilla/show_bug.cgi?id=62334

--- Comment #2 from Marat Abrarov ---
(In reply to Christopher Schultz from comment #1)
> Does IIS not already provide such a facility?

It looks like you are right, and it looks logical for me to handle this stuff at web server side. I am not sure why my colleagues found just workaround with Microsoft URL Rewrite Module for IIS (see original description of this issue) - I just googled for 30 min and found below solution myself:

1. I installed "IP and Domain Restrictions" feature of IIS according to https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/ipsecurity/.

2. Then I configured delegation of this feature according to https://stackoverflow.com/questions/16220819/internal-server-error-with-web-config-ipsecurity

3. Then I changed web.config file located at the root of IIS site - added below lines at the end (ISAPI redirector status worker is mapped to /jkmanager):

4. Then I restarted IIS with below PowerShell commands (not sure if this is needed, maybe just restart of site is sufficient and maybe restart is not needed at all):

   Stop-Service -Name "was" -Force
   Start-Service -Name "w3svc"

This solution works for me. I'll test it sooner with larger number of scenarios (want to ensure that this solution wasn't taken in the past just because it wasn't found at that time and not because of any issues it may have) and will close this issue if no pitfalls / missing features will be found.

Thank you.
Re: [Tomcat Wiki] Update of "Security/Ciphers" by markt
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 4/30/18 1:48 PM, Apache Wiki wrote: > You have subscribed to a wiki page or wiki category on "Tomcat > Wiki" for change notification. > > The "Security/Ciphers" page has been changed by markt: > https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=20 v2=21 > > Comment: Update versions, add Java 9 and update JSSE results > > > == BIO/NIO/NIO2 with JSSE Results (Default) == > > - |||| Java 6 || Java 7 || Java 8 || + |||| > Java 6 || Java 7 || Java 8 || Java 9 || - || Tomcat 7 || C > || A|| A|| + || Tomcat 7 || C|| B|| A > || A|| - || Tomcat 8 || N/A || A|| A|| + || > Tomcat 8 || N/A || B|| A|| A|| - || Tomcat > 8.5 || N/A || A|| A|| + || Tomcat 8.5 || N/A || > B|| A|| A|| - || Tomcat 9 || N/A || N/A || > A|| + || Tomcat 9 || N/A || N/A || A|| A|| > > Note: These results were obtained using the JCE Unlimited Strength > Jurisdiction Policy Files > > - Note: The 6 results are capped at C because Java 6 does not > support TLS 1.1 or 1.2. + Note: The Java 6 results are capped at C > because Java 6 does not support TLS 1.1 or 1.2. The latest releases (after "update 111") of Java 1.6 to support TLSv1.1. If you have an environment handy for testing, could you see what rating you get when TLSv1.2 is available? 
Thanks, -chris
[Tomcat Wiki] Update of "Security/Ciphers" by markt
Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification. The "Security/Ciphers" page has been changed by markt: https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=23=24 Comment: Update OpenSSL table == APR with OpenSSL Results (Default) == - |||| Java 6 || Java 7 || Java 8 || + |||| Java 6 || Java 7 || Java 8 || Java 9 || Java 10 || - || Tomcat 7 || A|| A|| A|| + || Tomcat 7 || A|| A|| A|| A||A|| - || Tomcat 8 || N/A || A|| A|| + || Tomcat 8 || N/A || A|| A|| A||A|| - || Tomcat 8.5 || N/A || A|| A|| + || Tomcat 8.5 || N/A || A|| A|| A||A|| - || Tomcat 9 || N/A || N/A || A|| + || Tomcat 9 || N/A || N/A || A|| A||A|| The OpenSSL cipher configuration used was '''HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA'''. Up-to-date selection of secure cipher suites in OpenSSL format is available at [[https://wiki.mozilla.org/Security/Server_Side_TLS|Mozilla wiki]]. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat Wiki] Update of "Security/Ciphers" by markt
Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification. The "Security/Ciphers" page has been changed by markt: https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=22=23 Comment: Update JSSE+OpenSSL table == NIO/NIO2 with JSSE+OpenSSL Results (Default) == - |||| Java 6 || Java 7 || Java 8 || + |||| Java 6 || Java 7 || Java 8 || Java 9 || Java 10 || - || Tomcat 8.5 || N/A || A|| A|| + || Tomcat 8.5 || N/A || A|| A|| A||A|| - || Tomcat 9 || N/A || N/A || A|| + || Tomcat 9 || N/A || N/A || A|| A||A|| The OpenSSL cipher configuration used was '''HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA'''. Up-to-date selection of secure cipher suites in OpenSSL format is available at [[https://wiki.mozilla.org/Security/Server_Side_TLS|Mozilla wiki]]. - - Note: JSSE+OpenSSL and JSSE config requires a 1.2.6 tc-native release to achieve an A since, without it, the full certificate chain is not presented to the client. == APR with OpenSSL Results (Default) == - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat Wiki] Update of "Security/Ciphers" by markt
Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification. The "Security/Ciphers" page has been changed by markt: https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=21=22 Comment: Add Java 10 for JSSE == BIO/NIO/NIO2 with JSSE Results (Default) == - |||| Java 6 || Java 7 || Java 8 || Java 9 || + |||| Java 6 || Java 7 || Java 8 || Java 9 || Java 10 || - || Tomcat 7 || C|| B|| A|| A|| + || Tomcat 7 || C|| B|| A|| A||A|| - || Tomcat 8 || N/A || B|| A|| A|| + || Tomcat 8 || N/A || B|| A|| A||A|| - || Tomcat 8.5 || N/A || B|| A|| A|| + || Tomcat 8.5 || N/A || B|| A|| A||A|| - || Tomcat 9 || N/A || N/A || A|| A|| + || Tomcat 9 || N/A || N/A || A|| A||A|| Note: These results were obtained using the JCE Unlimited Strength Jurisdiction Policy Files - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat Wiki] Update of "Security/Ciphers" by markt
Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification. The "Security/Ciphers" page has been changed by markt: https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=20=21 Comment: Update versions, add Java 9 and update JSSE results == BIO/NIO/NIO2 with JSSE Results (Default) == - |||| Java 6 || Java 7 || Java 8 || + |||| Java 6 || Java 7 || Java 8 || Java 9 || - || Tomcat 7 || C|| A|| A|| + || Tomcat 7 || C|| B|| A|| A|| - || Tomcat 8 || N/A || A|| A|| + || Tomcat 8 || N/A || B|| A|| A|| - || Tomcat 8.5 || N/A || A|| A|| + || Tomcat 8.5 || N/A || B|| A|| A|| - || Tomcat 9 || N/A || N/A || A|| + || Tomcat 9 || N/A || N/A || A|| A|| Note: These results were obtained using the JCE Unlimited Strength Jurisdiction Policy Files - Note: The 6 results are capped at C because Java 6 does not support TLS 1.1 or 1.2. + Note: The Java 6 results are capped at C because Java 6 does not support TLS 1.1 or 1.2. + + Note: The Java 7 results are capped at B because Java 7 does not support AEAD ciphers. The equivalent OpenSSL cipher configurations used to obtain the above results are: || Java 6 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!DHE || || Java 7 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!DHE || || Java 8 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA || + || Java 9 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA || Note: kRSA ciphers are not excluded in Java 6 since they are likely to be the only ones left @@ -51, +54 @@ The results above were generated with: * Java 6, 64-bit, update 45 * Java 7, 64-bit, update 80 - * Java 8, 64-bit, update 77 + * Java 8, 64-bit, update 172 + * Java 9, 9.0.4 - * Apache Tomcat 7.0.69-dev, r1737253. + * Apache Tomcat 7.0.88-dev, r1737253. - * Apache Tomcat 8.0.34-dev, r1737224. + * Apache Tomcat 8.0.53-dev, r1737224. - * Apache Tomcat 8.5.1-dev, r1737241. + * Apache Tomcat 8.5.32-dev, r1737241. - * Apache Tomcat 9.0.0.M5-dev, r1737193. 
+ * Apache Tomcat 9.0.9-dev, r1737193. - * tc-native 1.2.5 + * tc-native 1.2.16 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
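Review bot: In the "The results above were generated with" hunk (@@ -51, +54 @@), the four Apache Tomcat lines change the version (7.0.69-dev to 7.0.88-dev, 8.0.34-dev to 8.0.53-dev, 8.5.1-dev to 8.5.32-dev, 9.0.0.M5-dev to 9.0.9-dev) but keep the previous svn revisions r1737253, r1737224, r1737241 and r1737193, so the list no longer identifies the builds that produced the new ratings. Update each revision to the one that was actually built and tested, or drop the revision from the line if it was not recorded.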
buildbot success in on tomcat-trunk
The Buildbot has detected a restored build on builder tomcat-trunk while building . Full details are available at:
https://ci.apache.org/builders/tomcat-trunk/builds/3228

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: silvanus_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' triggered this build
Build Source Stamp: [branch tomcat/trunk] 1830595
Blamelist: csutherl,remm

Build succeeded!

Sincerely,
-The Buildbot
[Bug 62334] Filter by remote IP address of request for status worker of ISAPI redirector
https://bz.apache.org/bugzilla/show_bug.cgi?id=62334

Christopher Schultz changed:

           What    |Removed |Added
                 OS|        |All

--- Comment #1 from Christopher Schultz ---
Does IIS not already provide such a facility?

For example, in Apache httpd, this kind of thing can be done easily with this configuration:

  Order allow,deny
  Allow from 127.0.0.1
  Deny from all
svn commit: r1830595 - in /tomcat/trunk: java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java webapps/docs/changelog.xml
Author: remm Date: Mon Apr 30 16:00:59 2018 New Revision: 1830595 URL: http://svn.apache.org/viewvc?rev=1830595=rev Log: Revert r1830592 due to unexpected CI failure. Modified: tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java?rev=1830595=1830594=1830595=diff == --- tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java (original) +++ tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java Mon Apr 30 16:00:59 2018 @@ -20,10 +20,7 @@ import java.io.EOFException; import java.io.IOException; import java.net.SocketTimeoutException; import java.nio.ByteBuffer; -import java.nio.channels.CompletionHandler; -import java.nio.channels.InterruptedByTimeoutException; import java.util.concurrent.RejectedExecutionException; -import java.util.concurrent.TimeUnit; import javax.websocket.SendHandler; import javax.websocket.SendResult; @@ -31,10 +28,6 @@ import javax.websocket.SendResult; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.apache.tomcat.util.net.SocketWrapperBase; -import org.apache.tomcat.util.net.SocketWrapperBase.BlockingMode; -import org.apache.tomcat.util.net.SocketWrapperBase.CompletionCheck; -import org.apache.tomcat.util.net.SocketWrapperBase.CompletionHandlerCall; -import org.apache.tomcat.util.net.SocketWrapperBase.CompletionState; import org.apache.tomcat.util.res.StringManager; import org.apache.tomcat.websocket.Transformation; import org.apache.tomcat.websocket.WsRemoteEndpointImplBase; 
@@ -72,92 +65,16 @@ public class WsRemoteEndpointImplServer @Override protected void doWrite(SendHandler handler, long blockingWriteTimeoutExpiry, ByteBuffer... buffers) { -if (socketWrapper.hasAsyncIO()) { -final boolean block = (blockingWriteTimeoutExpiry != -1); -long timeout = -1; -if (block) { -timeout = blockingWriteTimeoutExpiry - System.currentTimeMillis(); -if (timeout <= 0) { -SendResult sr = new SendResult(new SocketTimeoutException()); -handler.onResult(sr); -return; -} -} else { -this.handler = handler; -if (timeout > 0) { -// Register with timeout thread -timeoutExpiry = timeout + System.currentTimeMillis(); -wsWriteTimeout.register(this); -} -timeout = getSendTimeout(); -} -socketWrapper.write(block ? BlockingMode.BLOCK : BlockingMode.SEMI_BLOCK, timeout, -TimeUnit.MILLISECONDS, null, -new CompletionCheck() { -@Override -public CompletionHandlerCall callHandler(CompletionState state, ByteBuffer[] buffers, -int offset, int length) { -for (int i = 0; i < length; i++) { -if (buffers[offset + i].remaining() > 0) { -return CompletionHandlerCall.CONTINUE; -} -} -return CompletionHandlerCall.DONE; -} -}, -new CompletionHandler() { -@Override -public void completed(Long result, Void attachment) { -if (block) { -long timeout = blockingWriteTimeoutExpiry - System.currentTimeMillis(); -if (timeout <= 0) { -failed(new SocketTimeoutException(), null); -} else { -handler.onResult(SENDRESULT_OK); -} -} else { - wsWriteTimeout.unregister(WsRemoteEndpointImplServer.this); -clearHandler(null, true); -if (close) { -close(); -} -} -} -@Override -public void failed(Throwable exc, Void attachment) { -if (exc instanceof InterruptedByTimeoutException) { -exc = new SocketTimeoutException(); -
svn commit: r1830594 - /tomcat/trunk/webapps/docs/changelog.xml
Author: csutherl Date: Mon Apr 30 15:59:11 2018 New Revision: 1830594 URL: http://svn.apache.org/viewvc?rev=1830594=rev Log: Fix typo Modified: tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1830594=1830593=1830594=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Mon Apr 30 15:59:11 2018 @@ -116,7 +116,7 @@ attribute allowMultipleLeadingForwardSlashInPath. (markt) -Improve handing of overflow in the UTF-8 decoder with supplementary +Improve handling of overflow in the UTF-8 decoder with supplementary characters. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
buildbot failure in on tomcat-trunk
The Buildbot has detected a new failure on builder tomcat-trunk while building . Full details are available at: https://ci.apache.org/builders/tomcat-trunk/builds/3227 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: silvanus_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' triggered this build Build Source Stamp: [branch tomcat/trunk] 1830592 Blamelist: remm BUILD FAILED: failed compile_1 Sincerely, -The Buildbot
svn commit: r1830592 - in /tomcat/trunk: java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java webapps/docs/changelog.xml
Author: remm Date: Mon Apr 30 15:28:26 2018 New Revision: 1830592 URL: http://svn.apache.org/viewvc?rev=1830592=rev Log: Add async IO API use in websockets writes. Although I doubt there's an actual benefit at the moment, the change is small and it still improves testing of the API as the usage is different from HTTP/2. Tested with the testsuite, the examples and Autobahn. Modified: tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java?rev=1830592=1830591=1830592=diff == --- tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java (original) +++ tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java Mon Apr 30 15:28:26 2018 @@ -20,7 +20,10 @@ import java.io.EOFException; import java.io.IOException; import java.net.SocketTimeoutException; import java.nio.ByteBuffer; +import java.nio.channels.CompletionHandler; +import java.nio.channels.InterruptedByTimeoutException; import java.util.concurrent.RejectedExecutionException; +import java.util.concurrent.TimeUnit; import javax.websocket.SendHandler; import javax.websocket.SendResult; 
@@ -28,6 +31,10 @@ import javax.websocket.SendResult; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.apache.tomcat.util.net.SocketWrapperBase; +import org.apache.tomcat.util.net.SocketWrapperBase.BlockingMode; +import org.apache.tomcat.util.net.SocketWrapperBase.CompletionCheck; +import org.apache.tomcat.util.net.SocketWrapperBase.CompletionHandlerCall; +import org.apache.tomcat.util.net.SocketWrapperBase.CompletionState; import org.apache.tomcat.util.res.StringManager; import org.apache.tomcat.websocket.Transformation; import org.apache.tomcat.websocket.WsRemoteEndpointImplBase; 
@@ -62,20 +69,95 @@ public class WsRemoteEndpointImplServer return false; } - @Override protected void doWrite(SendHandler handler, long blockingWriteTimeoutExpiry, ByteBuffer... buffers) { -if (blockingWriteTimeoutExpiry == -1) { -this.handler = handler; -this.buffers = buffers; -// This is definitely the same thread that triggered the write so a -// dispatch will be required. -onWritePossible(true); +if (socketWrapper.hasAsyncIO()) { +final boolean block = (blockingWriteTimeoutExpiry != -1); +long timeout = -1; +if (block) { +timeout = blockingWriteTimeoutExpiry - System.currentTimeMillis(); +if (timeout <= 0) { +SendResult sr = new SendResult(new SocketTimeoutException()); +handler.onResult(sr); +return; +} +} else { +this.handler = handler; +if (timeout > 0) { +// Register with timeout thread +timeoutExpiry = timeout + System.currentTimeMillis(); +wsWriteTimeout.register(this); +} +timeout = getSendTimeout(); +} +socketWrapper.write(block ? BlockingMode.BLOCK : BlockingMode.SEMI_BLOCK, timeout, +TimeUnit.MILLISECONDS, null, +new CompletionCheck() { +@Override +public CompletionHandlerCall callHandler(CompletionState state, ByteBuffer[] buffers, +int offset, int length) { +for (int i = 0; i < length; i++) { +if (buffers[offset + i].remaining() > 0) { +return CompletionHandlerCall.CONTINUE; +} +} +return CompletionHandlerCall.DONE; +} +}, +new CompletionHandler() { +@Override +public void completed(Long result, Void attachment) { +if (block) { +long timeout = blockingWriteTimeoutExpiry - System.currentTimeMillis(); +if (timeout <= 0) { +failed(new SocketTimeoutException(), null); +} else { +handler.onResult(SENDRESULT_OK); +} +} else { + wsWriteTimeout.unregister(WsRemoteEndpointImplServer.this); +
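Review bot: In the non-blocking branch of doWrite(), the timeout registration can never run: timeout is still -1 when "if (timeout > 0)" is evaluated, and "timeout = getSendTimeout();" is only assigned after that check, so wsWriteTimeout.register(this) is dead code while completed() still calls wsWriteTimeout.unregister(WsRemoteEndpointImplServer.this). Move the getSendTimeout() assignment above the check so the write is actually registered with the timeout thread. Separately, in completed() the blocking path calls failed(new SocketTimeoutException(), null) when the deadline has passed even though the write itself finished; consider whether a completed write should be reported as SENDRESULT_OK there.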
[Tomcat Wiki] Update of "Security/Ciphers" by markt
Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification. The "Security/Ciphers" page has been changed by markt: https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=19=20 Comment: Remove references to Java 5 and Tomcat 6 == BIO/NIO/NIO2 with JSSE Results (Default) == - |||| Java 5 || Java 6 || Java 7 || Java 8 || + |||| Java 6 || Java 7 || Java 8 || - || Tomcat 6 || C|| C|| A|| A|| - || Tomcat 7 || N/A || C|| A|| A|| + || Tomcat 7 || C|| A|| A|| - || Tomcat 8 || N/A || N/A || A|| A|| + || Tomcat 8 || N/A || A|| A|| - || Tomcat 8.5 || N/A || N/A || A|| A|| + || Tomcat 8.5 || N/A || A|| A|| - || Tomcat 9 || N/A || N/A || N/A || A|| + || Tomcat 9 || N/A || N/A || A|| Note: These results were obtained using the JCE Unlimited Strength Jurisdiction Policy Files - Note: The Java 5 and 6 results are capped at C because neither Java 5 nor 6 support TLS 1.1 or 1.2. + Note: The 6 results are capped at C because Java 6 does not support TLS 1.1 or 1.2. The equivalent OpenSSL cipher configurations used to obtain the above results are: - || Java 5 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!DHE || || Java 6 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!DHE || || Java 7 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!DHE || || Java 8 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA || - Note: kRSA ciphers are not excluded in Java 6 and earlier since they are likely to be the only ones left + Note: kRSA ciphers are not excluded in Java 6 since they are likely to be the only ones left Note: In Java 7 and earlier DHE ciphers use insecure DH keys with no means to configure longer keys which is why DHE ciphers are excluded in those Java versions. 
== NIO/NIO2 with JSSE+OpenSSL Results (Default) == - |||| Java 5 || Java 6 || Java 7 || Java 8 || + |||| Java 6 || Java 7 || Java 8 || - || Tomcat 8.5 || N/A || N/A || A|| A|| + || Tomcat 8.5 || N/A || A|| A|| - || Tomcat 9 || N/A || N/A || N/A || A|| + || Tomcat 9 || N/A || N/A || A|| The OpenSSL cipher configuration used was '''HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA'''. Up-to-date selection of secure cipher suites in OpenSSL format is available at [[https://wiki.mozilla.org/Security/Server_Side_TLS|Mozilla wiki]]. @@ -40, +38 @@ == APR with OpenSSL Results (Default) == - |||| Java 5 || Java 6 || Java 7 || Java 8 || + |||| Java 6 || Java 7 || Java 8 || - || Tomcat 6 || A|| A|| A|| A|| - || Tomcat 7 || N/A || A|| A|| A|| + || Tomcat 7 || A|| A|| A|| - || Tomcat 8 || N/A || N/A || A|| A|| + || Tomcat 8 || N/A || A|| A|| - || Tomcat 8.5 || N/A || N/A || A|| A|| + || Tomcat 8.5 || N/A || A|| A|| - || Tomcat 9 || N/A || N/A || N/A || A|| + || Tomcat 9 || N/A || N/A || A|| The OpenSSL cipher configuration used was '''HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA'''. Up-to-date selection of secure cipher suites in OpenSSL format is available at [[https://wiki.mozilla.org/Security/Server_Side_TLS|Mozilla wiki]]. == Environment == The results above were generated with: - * Java 5, 64-bit, update 22 * Java 6, 64-bit, update 45 * Java 7, 64-bit, update 80 * Java 8, 64-bit, update 77 - * Apache Tomcat 6.0.46-dev, r1737284. * Apache Tomcat 7.0.69-dev, r1737253. * Apache Tomcat 8.0.34-dev, r1737224. * Apache Tomcat 8.5.1-dev, r1737241. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
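Review bot: The rewritten note under the first results table now reads "The 6 results are capped at C", which lost the word "Java" when the Java 5 reference was removed. It should read "The Java 6 results are capped at C because Java 6 does not support TLS 1.1 or 1.2."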
Re: [VOTE] Release Apache Tomcat 9.0.8
On Fri, Apr 27, 2018 at 10:03 PM Mark Thomas wrote:

> The proposed Apache Tomcat 9.0.8 release is now available for voting.
>
> The major changes compared to the 9.0.7 release are:
>
> - Implement configuration options to work-around specification
>   non-compliant user agents (including all the major browsers) that do
>   not correctly %nn encode URI paths and query strings as required by
>   RFC 7230 and RFC 3986
>
> - Enable the CrawlerSessionManagerValve to correctly handle bots that
>   crawl multiple hosts and/or web applications when the Valve is
>   configured on a Host or an Engine.
>
> - Add support for annotation scanning of classes built with Java 11 EA
>
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> http://svn.apache.org/repos/asf/tomcat/trunk/webapps/docs/changelog.xml
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.8/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1180/
> The svn tag is:
> http://svn.apache.org/repos/asf/tomcat/tags/TOMCAT_9_0_8/
>
> The proposed 9.0.8 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 9.0.8
>

Rémy
Re: svn commit: r1830548 - /tomcat/trunk/webapps/docs/changelog.xml
On 30/04/18 12:17, r...@apache.org wrote: > Author: remm > Date: Mon Apr 30 11:17:26 2018 > New Revision: 1830548 > > URL: http://svn.apache.org/viewvc?rev=1830548=rev > Log: > Changelog format. Tx. Mark > > Modified: > tomcat/trunk/webapps/docs/changelog.xml > > Modified: tomcat/trunk/webapps/docs/changelog.xml > URL: > http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1830548=1830547=1830548=diff > == > --- tomcat/trunk/webapps/docs/changelog.xml (original) > +++ tomcat/trunk/webapps/docs/changelog.xml Mon Apr 30 11:17:26 2018 > @@ -45,13 +45,15 @@ >issues do not "pop up" wrt. others). > --> > > - > + > > + >Correct a regression in the error page handling that prevented error > pages >from issuing redirects or taking other action that required the > response >status code to be changed. (markt) > + > > - > + > > > > > > > - > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1830556 - /tomcat/trunk/webapps/docs/changelog.xml
Author: markt Date: Mon Apr 30 12:13:32 2018 New Revision: 1830556 URL: http://svn.apache.org/viewvc?rev=1830556=rev Log: Fix indent Modified: tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1830556=1830555=1830556=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Mon Apr 30 12:13:32 2018 @@ -48,9 +48,9 @@ - Correct a regression in the error page handling that prevented error pages - from issuing redirects or taking other action that required the response - status code to be changed. (markt) +Correct a regression in the error page handling that prevented error +pages from issuing redirects or taking other action that required the +response status code to be changed. (markt) Consistent exception propagation for NIO2 SSL close. (remm) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1830555 - /tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java
Author: markt Date: Mon Apr 30 12:12:31 2018 New Revision: 1830555 URL: http://svn.apache.org/viewvc?rev=1830555=rev Log: Remove unnecessary code Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java?rev=1830555=1830554=1830555=diff == --- tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java Mon Apr 30 12:12:31 2018 @@ -571,7 +571,6 @@ public class Http11Processor extends Abs } MessageBytes protocolMB = request.protocol(); if (protocolMB.equals(Constants.HTTP_11)) { -http11 = true; protocolMB.setString(Constants.HTTP_11); } else if (protocolMB.equals(Constants.HTTP_10)) { http11 = false; - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
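Review bot: With "http11 = true;" removed from the HTTP/1.1 branch, the only assignment left in the visible context is "http11 = false;" in the HTTP/1.0 branch, so correctness now depends on the field being reset to true for every request before this point is reached. The log message only says "Remove unnecessary code"; please state where that reset happens, or add a comment at this branch, because a processor reused after an HTTP/1.0 request would otherwise handle the next HTTP/1.1 request with http11 still false.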
svn commit: r1830549 - in /tomcat/trunk: java/org/apache/tomcat/util/net/SecureNio2Channel.java webapps/docs/changelog.xml
Author: remm Date: Mon Apr 30 11:19:57 2018 New Revision: 1830549 URL: http://svn.apache.org/viewvc?rev=1830549=rev Log: Sometimes Future write will cause an ISE with NIO2 (timeout or cancel on a channel). Not a very good idea IMO. Make things more consistent with SSL close. Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java?rev=1830549=1830548=1830549=diff == --- tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java Mon Apr 30 11:19:57 2018 
@@ -146,30 +146,41 @@ public class SecureNio2Channel extends N private class FutureFlush implements Future { private Future integer; +private Exception e = null; protected FutureFlush() { -integer = sc.write(netOutBuffer); +try { +integer = sc.write(netOutBuffer); +} catch (IllegalStateException e) { +this.e = e; +} } @Override public boolean cancel(boolean mayInterruptIfRunning) { -return integer.cancel(mayInterruptIfRunning); +return (e != null) ? true : integer.cancel(mayInterruptIfRunning); } @Override public boolean isCancelled() { -return integer.isCancelled(); +return (e != null) ? true : integer.isCancelled(); } @Override public boolean isDone() { -return integer.isDone(); +return (e != null) ? true : integer.isDone(); } @Override public Boolean get() throws InterruptedException, ExecutionException { +if (e != null) { +throw new ExecutionException(e); +} return Boolean.valueOf(integer.get().intValue() >= 0); } @Override public Boolean get(long timeout, TimeUnit unit) throws InterruptedException, ExecutionException, TimeoutException { +if (e != null) { +throw new ExecutionException(e); +} return Boolean.valueOf(integer.get(timeout, unit).intValue() >= 0); } } Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1830549=1830548=1830549=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Mon Apr 30 11:19:57 2018 @@ -52,6 +52,9 @@ from issuing redirects or taking other action that required the response status code to be changed. (markt) + +Consistent exception propagation for NIO2 SSL close. (remm) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
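Review bot: FutureFlush now reports a failed write as a cancelled one: when sc.write(netOutBuffer) throws IllegalStateException, cancel() and isCancelled() return true, yet get() throws ExecutionException. Under the java.util.concurrent.Future contract a task that ended with an exception is done but not cancelled, and a caller that sees isCancelled() return true expects get() to throw CancellationException. Suggest returning false from cancel() and isCancelled() when e != null and keeping isDone() true, so the failure is only surfaced through get(). Minor: the catch parameter e shadows the new field e, so "this.e = e;" is easy to misread; renaming one of them would help.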
svn commit: r1830548 - /tomcat/trunk/webapps/docs/changelog.xml
Author: remm Date: Mon Apr 30 11:17:26 2018 New Revision: 1830548 URL: http://svn.apache.org/viewvc?rev=1830548=rev Log: Changelog format. Modified: tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1830548=1830547=1830548=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Mon Apr 30 11:17:26 2018 @@ -45,13 +45,15 @@ issues do not "pop up" wrt. others). --> - + + Correct a regression in the error page handling that prevented error pages from issuing redirects or taking other action that required the response status code to be changed. (markt) + - + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1830547 - in /tomcat/trunk: java/org/apache/coyote/Response.java java/org/apache/coyote/http11/Http11InputBuffer.java webapps/docs/changelog.xml
Author: markt Date: Mon Apr 30 10:57:27 2018 New Revision: 1830547 URL: http://svn.apache.org/viewvc?rev=1830547=rev Log: Correct a regression in the error page handling that prevented error pages from issuing redirects or taking other action that required the response status code to be changed. Modified: tomcat/trunk/java/org/apache/coyote/Response.java tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/coyote/Response.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/Response.java?rev=1830547=1830546=1830547=diff == --- tomcat/trunk/java/org/apache/coyote/Response.java (original) +++ tomcat/trunk/java/org/apache/coyote/Response.java Mon Apr 30 10:57:27 2018 @@ -227,10 +227,6 @@ public final class Response { * @param status The status value to set */ public void setStatus(int status) { -if (this.status > 399) { -// Don't overwrite first recorded error status -return; -} this.status = status; } Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java?rev=1830547=1830546=1830547=diff == --- tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java Mon Apr 30 10:57:27 2018 @@ -409,6 +409,8 @@ public class Http11InputBuffer implement pos - parsingRequestLineStart); } else if (!HttpParser.isToken(chr)) { byteBuffer.position(byteBuffer.position() - 1); +// Avoid unknown protocol triggering an additional error +request.protocol().setString(Constants.HTTP_11); throw new IllegalArgumentException(sm.getString("iib.invalidmethod")); } } 
@@ -459,9 +461,13 @@ public class Http11InputBuffer implement } else if (chr == Constants.QUESTION && parsingRequestLineQPos == -1) { parsingRequestLineQPos = pos; } else if (parsingRequestLineQPos != -1 && !httpParser.isQueryRelaxed(chr)) { +// Avoid unknown protocol triggering an additional error +request.protocol().setString(Constants.HTTP_11); // %nn decoding will be checked at the point of decoding throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget")); } else if (httpParser.isNotRequestTargetRelaxed(chr)) { +// Avoid unknown protocol triggering an additional error +request.protocol().setString(Constants.HTTP_11); // This is a general check that aims to catch problems early // Detailed checking of each part of the request target will // happen in Http11Processor#prepareRequest() Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1830547=1830546=1830547=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Mon Apr 30 10:57:27 2018 @@ -45,6 +45,13 @@ issues do not "pop up" wrt. others). --> + + + Correct a regression in the error page handling that prevented error pages + from issuing redirects or taking other action that required the response + status code to be changed. (markt) + + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
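Review bot: Removing the "if (this.status > 399)" guard from Response.setStatus() means nothing stops a later call from replacing an error status that was already recorded, and the change then compensates by repeating "request.protocol().setString(Constants.HTTP_11);" in front of three separate throws in Http11InputBuffer. Any other exit from request-line parsing that leaves the protocol unset is not covered by those three sites; setting the protocol once where the IllegalArgumentException is handled, or through a small helper, would be less fragile than per-throw copies. The list of modified files contains no test, and a regression fix of this kind would benefit from one in which an error page issues a redirect.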
Re: [VOTE] Release Apache Tomcat 8.5.31
On 27/04/18 21:47, Mark Thomas wrote:

> The proposed 8.5.31 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.31

Unit tests pass for NIO, NIO2 and APR/native on Windows, Linux and OSX.

Mark
Re: [VOTE] Release Apache Tomcat 9.0.8
On 27/04/18 21:03, Mark Thomas wrote:

> The proposed 9.0.8 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 9.0.8

Unit tests pass for NIO, NIO2 and APR/native on Windows, Linux and OSX.

Mark
Re: svn commit: r1830251 - in /tomcat/tc8.0.x/trunk: ./ java/org/apache/tomcat/util/http/parser/HttpParser.java res/maven/mvn-pub.xml test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java we
On 29/04/18 23:14, Violeta Georgieva wrote:
> On Sun, 29 Apr 2018 at 17:10, Violeta Georgieva wrote:
>> On Sun, 29 Apr 2018 at 6:54, Mark Thomas wrote:
>>> On 28/04/18 17:50, Violeta Georgieva wrote:
>>>> Is this file really part of that change?
>>>
>>> No. I think it got caught up with that commit by mistake. I don't think
>>> it does any harm though.
>>>
>>
>> Only for the release ;) Sorry.
> If you don’t mind I’ll revert this file to its previous version. Wdyt?

No objection.

Looking at the diff, there are rather more changes between 8.0.x and 8.5.x than I was expecting. Another option would be to update 8.0.x with all the changes from 8.5.x and 9.0.x (and the same for 7.0.x). I'd be happy to do that if folks are agreeable.

Mark
[ANN] TomcatCon Schedules Announced
All,

I am delighted to announce the schedules are now available for:

TomcatCon Berlin 13-14 June, 2018:
http://apachecon.com/euroadshow18/tomcat-schedule.html

TomcatCon Montréal 24-25 September, 2018:
http://apachecon.dukecon.org/acna/2018/#/schedule/2018-09-24

Full details, including registration links are available on the Tomcat website:
http://tomcat.apache.org/conference.html

See you there!

Mark
svn commit: r1830536 - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
Author: markt Date: Mon Apr 30 08:01:55 2018 New Revision: 1830536 URL: http://svn.apache.org/viewvc?rev=1830536=rev Log: Add EU Roadshow and NA to website Modified: tomcat/site/trunk/docs/bugreport.html tomcat/site/trunk/docs/ci.html tomcat/site/trunk/docs/conference.html tomcat/site/trunk/docs/contact.html tomcat/site/trunk/docs/download-70.html tomcat/site/trunk/docs/download-80.html tomcat/site/trunk/docs/download-90.html tomcat/site/trunk/docs/download-connectors.html tomcat/site/trunk/docs/download-native.html tomcat/site/trunk/docs/download-taglibs.html tomcat/site/trunk/docs/findhelp.html tomcat/site/trunk/docs/getinvolved.html tomcat/site/trunk/docs/heritage.html tomcat/site/trunk/docs/index.html tomcat/site/trunk/docs/irc.html tomcat/site/trunk/docs/legal.html tomcat/site/trunk/docs/lists.html tomcat/site/trunk/docs/maven-plugin.html tomcat/site/trunk/docs/migration-6.html tomcat/site/trunk/docs/migration-7.html tomcat/site/trunk/docs/migration-8.html tomcat/site/trunk/docs/migration-85.html tomcat/site/trunk/docs/migration-9.html tomcat/site/trunk/docs/migration.html tomcat/site/trunk/docs/oldnews-2010.html tomcat/site/trunk/docs/oldnews-2011.html tomcat/site/trunk/docs/oldnews-2012.html tomcat/site/trunk/docs/oldnews-2013.html tomcat/site/trunk/docs/oldnews-2014.html tomcat/site/trunk/docs/oldnews-2015.html tomcat/site/trunk/docs/oldnews-2016.html tomcat/site/trunk/docs/oldnews-2017.html tomcat/site/trunk/docs/oldnews.html tomcat/site/trunk/docs/presentations.html tomcat/site/trunk/docs/resources.html tomcat/site/trunk/docs/security-3.html tomcat/site/trunk/docs/security-4.html tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/docs/security-9.html tomcat/site/trunk/docs/security-impact.html tomcat/site/trunk/docs/security-jk.html tomcat/site/trunk/docs/security-native.html tomcat/site/trunk/docs/security-taglibs.html 
tomcat/site/trunk/docs/security.html tomcat/site/trunk/docs/svn.html tomcat/site/trunk/docs/taglibs.html tomcat/site/trunk/docs/tomcat-55-eol.html tomcat/site/trunk/docs/tomcat-60-eol.html tomcat/site/trunk/docs/tomcat-80-eol.html tomcat/site/trunk/docs/tools.html tomcat/site/trunk/docs/whichversion.html tomcat/site/trunk/docs/whoweare.html tomcat/site/trunk/xdocs/conference.xml tomcat/site/trunk/xdocs/stylesheets/project.xml Modified: tomcat/site/trunk/docs/bugreport.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/bugreport.html?rev=1830536=1830535=1830536=diff == --- tomcat/site/trunk/docs/bugreport.html (original) +++ tomcat/site/trunk/docs/bugreport.html Mon Apr 30 08:01:55 2018 @@ -51,6 +51,14 @@ +TomcatCon + + +EU North America + + + + Download Modified: tomcat/site/trunk/docs/ci.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/ci.html?rev=1830536=1830535=1830536=diff == --- tomcat/site/trunk/docs/ci.html (original) +++ tomcat/site/trunk/docs/ci.html Mon Apr 30 08:01:55 2018 @@ -50,6 +50,14 @@ +TomcatCon + + +EU North America + + + + Download Modified: tomcat/site/trunk/docs/conference.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/conference.html?rev=1830536=1830535=1830536=diff == --- tomcat/site/trunk/docs/conference.html (original) +++ tomcat/site/trunk/docs/conference.html Mon Apr 30 08:01:55 2018 @@ -50,6 +50,14 @@ +TomcatCon + + +EU North America + + + + Download @@ -205,16 +213,35 @@ Content -TomcatCon Training: Tomcat for Administrators +TomcatCon + + + +TomcatCon is the place for all users of Tomcat to expand their Tomcat + knowledge in areas such as networking, security, performance and deployment. + It also offers an opportunity to discuss the current Tomcat roadmap and + help inform future development. + + + +Quick Navigation + + + +TomcatCon Berlin TomcatCon Montreal + + + +TomcatCon Berlin -When +When -Tuesday, 10 April 2018 +June 13 to 14, 2018. 
@@ -222,11 +249,16 @@ -Where +Where -Hotel Novotel Manchester Centre | 21 Dickinson Street | M1 4LX Manchester | United Kingdom + +http://apachecon.com/euroadshow18/venue.html;>KulturBrauerei, + Berlin, Germany, as part of the + http://apachecon.com/euroadshow18/index.html;>ApacheCon EU + Roadshow and alongside https://foss-backstage.de/;>FOSS + Backstage. @@ -234,23 +266,18 @@ -What +What -This training course is aimed at system administrators who are not very - familiar with Apache