Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-05 Thread Sanaullah
Most of the people puking here regarding TLSv1.1 and TLSv1.2 support in
Tomcat 7.0.47 are just trying to make themselves look smart.

Hi Mudassir,

By default there is no support for TLSv1.1 or TLSv1.2 in Tomcat 7.0.47. You
have to apply these two patches in order to run TLSv1.1 and TLSv1.2:
https://issues.apache.org/bugzilla/attachment.cgi?id=30150
https://issues.apache.org/bugzilla/attachment.cgi?id=30166

I spent 5 hours testing this. I am using Ubuntu trusty.

Here is my test result:

root@ubuntu:/opt/tomcat-native-1.1.29/jni/native# openssl s_client -connect 127.0.0.1:8443
CONNECTED(0003)
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify error:num=18:self signed certificate
verify return:1
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify return:1
---
Certificate chain
 0 s:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
   i:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
issuer=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---
No client certificate CA names sent
---
SSL handshake has read 828 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDH-ECDSA-AES256-GCM-SHA384
Session-ID: AE5EAC55628B803E4D395AF88A0BBF5536FD0A051E31E6261A92E997B270EA3C
Session-ID-ctx:
Master-Key: 45C7008AD0BD31B57F786226278BF1CD98C6BA464EF529D60E48FC9BFB60E286412BDAB0CB51EAE6763B822E81F32B6A
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 2e 81 a3 90 ff 13 f9 8b-e9 87 1c 56 c4 dc 49 51   ...........V..IQ
0010 - c2 f3 2b f9 61 45 20 d5-a8 50 50 eb f4 1d 41 cf   ..+.aE ..PP...A.
0020 - d7 76 29 03 b5 5b 35 c4-e9 c3 d8 c3 3b 3e 6d c9   .v)..[5.....;>m.
0030 - d7 cb 92 d9 ab ac 54 23-df 39 2d 5a f1 fc 5e 21   ......T#.9-Z..^!
0040 - cb a0 37 ea 66 59 f6 1b-5f b7 91 2a d1 85 d3 ed   ..7.fY.._..*....
0050 - 5d 72 12 8b 5e dd 29 ac-8c 49 f6 07 50 ef ba 16   ]r..^.)..I..P...
0060 - 23 92 f6 63 79 d4 36 23-ba e9 a3 35 79 92 68 e6   #..cy.6#...5y.h.
0070 - 0f c8 15 be ef 95 3c 77-ee 86 d1 85 27 20 e8 8a   ......<w....' ..
0080 - 40 11 a1 d2 8e 8a 68 ab-5e c9 81 3d 72 46 56 d8   @.....h.^..=rFV.
0090 - 84 66 b7 6f 57 ce 0f 05-d0 52 a4 d3 9c 66 de b4   .f.oW....R...f..
00a0 - 85 cb 9f fe 85 16 e2 35-df 46 c2 c8 fc 37 bb 48   .......5.F...7.H

Start Time: 1388926368
Timeout   : 300 (sec)
Verify return code: 18 (self signed certificate)
---
read:errno=0


<!-- server.xml -->

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           SSLProtocol="all"
           clientAuth="false"
           SSLCertificateFile="/home/san/sinful.pem"
           SSLCertificateKeyFile="/home/san/sinful.key" />



How to apply the patches.

1- https://issues.apache.org/bugzilla/attachment.cgi?id=30150 : this patch
is applied to tomcat-native-1.1.29. After patching, compile it using:

cd tomcat-native-1.1.29/jni/native/
./configure --with-java=/usr/lib/jvm/java-1.7.0-openjdk-i386 --with-ssl=yes --with-apr=/usr/bin/apr-1-config
make
cd tomcat-native-1.1.29/jni
ant

Copy the libs and place them in the default lib directory of Ubuntu:
cp tomcat-native-1.1.29/jni/native/.libs/* /usr/lib/i386-linux-gnu/


2- Get the source code of tomcat-7.0.47.
Install JDK 6.

Apply this patch, https://issues.apache.org/bugzilla/attachment.cgi?id=30166,
to tomcat-7.0.47.
Export the JDK 6 path.
Run ant in the source folder. This will download many files and also
compile the code.

There will be some errors related to SSLv2. Comment out that code, as SSLv2
is no longer supported. After the successful build, start the Tomcat server.

Let me know if there are still any errors.
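What a practitioner reads off the s_client transcript above is the negotiated Protocol line (TLSv1.2 here), the cipher (ECDH-ECDSA-AES256-GCM-SHA384 is static ECDH, so the server is authenticated but the session has no forward secrecy), and the Verify return code (18, self-signed, expected for a test certificate). The following Python script is an added example, not code from the thread or from Tomcat: it parses such a transcript and reports those points. The embedded transcript is a constructed excerpt of the output quoted above, and the checks (minimum version, forward-secret name prefixes, weak-token list) are this example's own name-based heuristics, not an OpenSSL API.

```python
"""Triage an `openssl s_client` transcript: which protocol and cipher
were negotiated, whether the cipher gives forward secrecy, and whether
the certificate verified.  Added example; not code from the thread."""
import re

# Constructed sample: an excerpt of the s_client output quoted in the thread.
S_CLIENT_SAMPLE = """\
CONNECTED(00000003)
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify error:num=18:self signed certificate
verify return:1
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDH-ECDSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
"""

PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# OpenSSL suite-name prefixes that imply an ephemeral (forward-secret) exchange;
# TLS_ is the TLS 1.3 naming, where every suite is ephemeral.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")
# Name tokens marking a component unfit for use ("DES" also catches DES-CBC3 / 3DES).
WEAK_TOKENS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH", "SEED", "IDEA")


def parse_s_client(text):
    """Pull the handshake summary fields out of an s_client transcript."""
    def grab(pattern, default=None):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else default

    return {
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)"),
        "verify_code": int(grab(r"^\s*Verify return code:\s*(\d+)", "-1")),
        "verify_text": grab(r"^\s*Verify return code:\s*\d+\s*\((.*)\)", ""),
        "secure_renegotiation": "Secure Renegotiation IS supported" in text,
        "compression": grab(r"^\s*Compression:\s*(\S+)", "NONE"),
    }


def cipher_properties(name):
    """Classify an OpenSSL cipher-suite name by its tokens (heuristic)."""
    if name.startswith("ECDHE-"):
        kx = "ECDHE"
    elif name.startswith(("DHE-", "EDH-")):
        kx = "DHE"
    elif name.startswith("ECDH-"):
        kx = "ECDH (static)"
    elif name.startswith("DH-"):
        kx = "DH (static)"
    elif name.startswith(("ADH-", "AECDH-")):
        kx = "anonymous"
    elif name.startswith("TLS_"):
        kx = "TLS 1.3 (ephemeral)"
    else:
        kx = "RSA (static)"
    tokens = name.replace("_", "-").split("-")
    return {
        "key_exchange": kx,
        "forward_secrecy": name.startswith(FORWARD_SECRET_PREFIXES),
        "aead": "GCM" in tokens or "CHACHA20" in tokens or "CCM" in tokens,
        "weak": [t for t in WEAK_TOKENS if any(t in tok for tok in tokens)],
    }


def assess(text, min_protocol="TLSv1.2"):
    """Return (info, cipher_props, findings); an empty findings list is a pass."""
    info = parse_s_client(text)
    findings = []
    proto = info["protocol"]
    if proto not in PROTOCOL_ORDER:
        findings.append(f"unrecognised protocol line: {proto!r}")
    elif PROTOCOL_ORDER.index(proto) < PROTOCOL_ORDER.index(min_protocol):
        findings.append(f"negotiated {proto}, below the required {min_protocol}")
    props = cipher_properties(info["cipher"] or "")
    if not props["forward_secrecy"]:
        findings.append(f"no forward secrecy: key exchange is {props['key_exchange']}")
    if props["weak"]:
        findings.append("weak cipher components: " + ", ".join(props["weak"]))
    if info["verify_code"] != 0:
        findings.append(f"certificate not verified: {info['verify_text'] or info['verify_code']}")
    if not info["secure_renegotiation"]:
        findings.append("secure renegotiation (RFC 5746) not supported")
    if info["compression"] != "NONE":
        findings.append(f"TLS compression enabled: {info['compression']}")
    return info, props, findings


if __name__ == "__main__":
    _, props, findings = assess(S_CLIENT_SAMPLE)
    print("cipher:", props)
    for finding in findings:
        print("FINDING:", finding)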


Problem configuring SSL

2014-01-05 Thread Alex Kogan
Hi,

I have a strange problem configuring SSL to work with Tomcat.
Environment:
Tomcat 7.0.42
CentOS 5.10
Java 1.7.0_45

It's a new Tomcat installation. All keystore operations were done with
keytool. I imported CA root/intermediate certificate and client
certificate, configured SSL connector in server.xml. I have this same setup
on another server that works fine. Connecting to this server via http works.

1. If I try to connect to this address via https in Chrome I get: This
Webpage is not available. In Firefox: Error code:
ssl_error_no_cypher_overlap

2. I tried connecting from another server via openssl:

#openssl s_client -state -nbio -connect mydomainname:443

CONNECTED(0003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
26180:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:

3. Here's a list of enabled ciphers using SSLInfo:

#java -showversion SSLInfo

java version 1.7.0_45
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)

Default Cipher
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*   SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*   SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
*   SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
*   SSL_RSA_WITH_RC4_128_MD5
*   SSL_RSA_WITH_RC4_128_SHA
*   TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*   TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA256
*   TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
*   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
*   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_NULL_SHA
*   TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
*   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
*   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
*   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_NULL_SHA
*   TLS_ECDHE_RSA_WITH_RC4_128_SHA
*   TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
*   TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
*   TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_NULL_SHA
*   TLS_ECDH_ECDSA_WITH_RC4_128_SHA
*   TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
*   TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
*   TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_NULL_SHA
*   TLS_ECDH_RSA_WITH_RC4_128_SHA
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_NULL_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA
*   TLS_EMPTY_RENEGOTIATION_INFO_SCSV
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_WITH_RC4_128_SHA
*   TLS_RSA_WITH_AES_128_CBC_SHA
*   TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_NULL_SHA256


Any ideas? I already spent one and a half days trying to figure this out.

I would appreciate any ideas.

Thanks, Alex.


Re: Problem configuring SSL

2014-01-05 Thread Christopher Schultz

Alex,

On 1/5/14, 12:30 PM, Alex Kogan wrote:
 I have a strange problem configuring SSL to work with Tomcat. 
 Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45
 
 It's a new Tomcat installation. All keystore operations were done
 with keytool. I imported CA root/intermediate certificate and
 client certificate, configured SSL connector in server.xml. I have
 this same setup on another server that works fine. Connecting to
 this server via http works.
 
 1. If I try to connect this address via https in Chrome I get:
 This Webpage is not available. In Firefox: Error code: 
 ssl_error_no_cypher_overlap

Sounds familiar.

Please post your Connector configuration(s) from your server.xml
file. Remember to remove any sensitive information from the configuration.

Also please post all of the startup messages from Tomcat's
logs/catalina.out file: we need to see the versions of various things
and what components (if any) suffer problems starting up.

 3. Here's a list of enabled ciphers using SSLInfo:
 
 #java -showversion SSLInfo

Nice to see someone is getting some use out of that. ;)

- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Running native JNI calls in parallel from different Tomcat threads

2014-01-05 Thread Jasmeet Chhabra
Hi,
   I have a Tomcat server that receives many web requests in parallel. The
web requests make a native call using JNI to my library. These calls are
long running (400 ms each call). What I have noticed is that even though I
am getting web requests in parallel, the native calls seem to be
serialized. I don't take any locks in the native code that would force
serialization. Is there anything in Tomcat that prevents the same native calls
being called in parallel from separate Tomcat threads?

Thanks,
Jas


Re: Session Replication across common base domain

2014-01-05 Thread Sanket Paranjape

Hi Guys,

Any solution for this??

On 03-01-2014 02:31 PM, Sanket Paranjape wrote:

Hi,

I am using Tomcat 7.0.47 on Windows 7 with JDK 1.7.

I want to achieve session replication on multiple subdomains. If I 
have domains xyz.example.com and abc.example.com, then I would 
like to store the session cookie on example.com and hence be 
able to access the same session on both domains. By default the session 
cookie is set on the whole domain: if I access xyz.example.com then the 
session cookie will be set on this domain.


I went through the documentation for Tomcat 7 and found that in the 
Context element I can add an attribute like sessionCookieDomain. 
I can easily set this attribute to a base domain like .example.com and 
this works like a charm.


But my requirement is slightly different. I have a single Tomcat serving 
multiple domains. They all have different base domains as well. So 
hardcoding would not help me out here.


So I tried the following.

In the docs I found this link, 
http://tomcat.apache.org/tomcat-7.0-doc/config/context.html. It says 
that the className attribute can be set for a Context.
So I wrote my own class MyStandardContext which extends 
org.apache.catalina.core.StandardContext. I overrode the public String 
getSessionCookieDomain() method. I want it to return the base domain of 
the URL so that Tomcat will set the cookie on that domain. 
But to my surprise I do not have access to the request URI. If I could get 
access to this URI somehow then I would be able to extract the base 
domain. It is not possible, is it?


I also tried adding multiple Hosts in conf/server.xml under Engine. 
This loads the context multiple times, which I do not wish.


My question is: is there any way I can get access to the request URI in 
MyStandardContext? Or is there any configuration which forces Tomcat 
to set the cookie on the base domain instead of the full domain?
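The value that decides the cookie scope in the setup described above is the request's Host header (what Tomcat exposes as request.getServerName()), not the URI. Two caveats a practitioner would want before deriving the Domain attribute from it: the Host header is client-controlled, so the derived base domain must be checked against the list of domains the server is actually configured to serve, or a spoofed Host can scope the session cookie wherever the attacker likes; and a cookie with Domain=example.com is sent to every subdomain of example.com, so every subdomain shares the session and one compromised subdomain can read it. The Python below is an added example, not Tomcat code, showing that selection logic with label-boundary matching; SERVED_BASE_DOMAINS is a constructed stand-in for the deployment's own host configuration, and the equivalent in Tomcat would live in a Valve or Filter that sets the cookie.

```python
"""Pick the Domain attribute of a session cookie from the request Host
header, widening it to the base domain only when that base domain is one
this server is configured to serve.  Added example, not Tomcat code."""

# Constructed: the base domains this single Tomcat instance is deployed for.
SERVED_BASE_DOMAINS = ("example.com", "example.org")

_HOST_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-.")


def normalise_host(host):
    """Lower-case the Host value, strip any :port, reject anything odd.
    Returns None for IPv6 literals, empty values or unexpected characters."""
    host = host.strip().lower()
    if not host or host.startswith("["):
        return None
    host = host.split(":", 1)[0].rstrip(".")
    if not host or not set(host) <= _HOST_CHARS:
        return None
    return host


def session_cookie_domain(host, served=SERVED_BASE_DOMAINS):
    """Base domain to put in Domain=, or None for a host-only cookie.

    Matching is on label boundaries, so 'evilexample.com' and
    'example.com.attacker.net' do not match 'example.com'; an unknown or
    attacker-chosen Host therefore never picks the cookie's domain."""
    name = normalise_host(host)
    if name is None:
        return None
    for base in served:
        if name == base or name.endswith("." + base):
            return base
    return None


def set_cookie_header(session_id, host, served=SERVED_BASE_DOMAINS):
    """Build a Set-Cookie value for JSESSIONID with the chosen scope."""
    parts = ["JSESSIONID=" + session_id]
    domain = session_cookie_domain(host, served)
    if domain:
        parts.append("Domain=" + domain)
    parts += ["Path=/", "Secure", "HttpOnly"]
    return "; ".join(parts)


if __name__ == "__main__":
    for h in ("xyz.example.com", "abc.example.com:8443", "example.org",
              "example.com.attacker.net", "evilexample.com", "[::1]:8443"):
        print(f"{h:28} -> {set_cookie_header('0123abcd', h)}")
```

Hosts that are not under a served base domain fall back to a host-only cookie rather than to a guessed "last two labels" domain; that guess is wrong for suffixes such as co.uk and is exactly the kind of derivation a spoofed Host header exploits.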


