Re: Session Replication across common base domain
Hi Guys, Any solution for this?? On 03-01-2014 02:31 PM, Sanket Paranjape wrote: Hi, I am using Tomcat 7.0.47 on windows 7 with JDK 1.7. I want to achieve session replications on multiple subdomains. If I have a domain as xyz.example.com and abc.example.com, then I would like to store session cookie on "example.com" and hence then I would be able to access same session on both domains. By default session cookie is set on whole domain, if I access xyz.example.com then session cookie will be set on this domain. I went through the documentation for Tomcat 7 and found that in element type I can add attribute like "sessionCookieDomain". I can easily set this attribute to base domain like ".example.com" and this works like charm. But my requirement is slightly different. I have single tomcat serving multiple domains. They all different base domains as well. So hardcoding would not help me out here. So I tried following. In docs I found this link, http://tomcat.apache.org/tomcat-7.0-doc/config/context.html. It says that className attribute can be set for context. So I wrote my own class MyStandardContext which extends org.apache.catalina.core.StandardContext. I overridden public String getSessionCookieDomain() method. I want to return base domain of the URL from this domain so that tomcat will set cookie on this domain. But to my surprise I do not have access to Request URI. If I could get access to this URI somehow then I would be able to extract base domain. It is not possible. is it? I also tried adding multiple hosts in conf/server.xml under . This loads context multiple times, which I do not wish. My question is there any way I can get access to request URI in MyStandardContext? Or is there any configuration which forces tomcat to set cookie on base domain instead full domain? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Running native JNI calls in parallel from different Tomcat threads
Hi, I have a Tomcat server that receives many web requests in parallel. The web requests make a native call using JNI to my library. These calls are long running (400 ms each call). What I have noticed is that even though I am getting web requests in parallel, the native calls seem to be serialized. I don't take any locks in the native code that would force serialization. Is there anything in Tomcat that prevents same native calls being called in parallel from separate Tomcat threads? Thanks, Jas
Re: Problem configuring SSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Alex, On 1/5/14, 12:30 PM, Alex Kogan wrote: > I have a strange problem configuring SSL to work with Tomcat. > Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45 > > It's a new Tomcat installation. All keystore operations were done > with keytool. I imported CA root/intermediate certificate and > client certificate, configured SSL connector in server.xml. I have > this same setup on another server that works fine. Connecting to > this server via http works. > > 1. If I try to connect this address via https in Chrome I get: > "This Webpage is not available." In Firefox: "Error code: > ssl_error_no_cypher_overlap" Sounds familiar. Please post your configuration(s) from your server.xml file. Remember to remove any sensitive information from the configuration. Also please post all of the startup messages from Tomcat's logs/catalina.out file: we need to see the versions of various things and what components (if any) suffer problems starting up. > 3. Here's a list of enabled ciphers using SSLInfo: > > #java -showversion SSLInfo Nice to see someone is getting some use out of that. ;) - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJSycfKAAoJEBzwKT+lPKRYBz0P/jDoaW+t7Zi1dCRp3zz/o1PS JXx0Pa61SkXQN4TgQFSyZ6seO1+IJjh1X1txiS81GOL3HZQCwZ9qbDfjOOKitynZ +d9Ky5R0UGUmG3/479ZFAIGfy8RXwtMJvoCpFo5dRA+ihevOzgzngGNzMdDm2KgC f8ZWIAue+9Hq9o0CBrjDxdYheyOgFbICzvC4YR/s5poxz3BhpGXNQVWyViyJzIo6 bn7uLzSqaGeCtemMJeXgPJ27lNh5SnXRjUfUr9dvGF/QNrXTSYmoDlfgHSuzWCl8 m18VrWdC8a76aQ0YW+0cIlX5TLDuQhBqsuVxNja+0GY2IP5+RBaF5LAsJ9sdTnBE /enlA8vvzYD8jZBGMvCkPAi7ZvG/amI6xw+QlaYeYTDqDfPUrM1ERZItg7l1fjaD SBVKaPCvtHN/IXVTDqDPfPS4v34yR+/MVwOFdiuagh3cRd/wt/WxbFC8jTFsktKB Yc87eh4Bwc24P6Kc74/l2+8LDFzwLGwSEGGm2c2h9fDu6OKbtF23B887ZsveWjyu RTlKcgsv8LzQi7SmnRH4S7A8KdfEv3Fh1rqLDbwzjaidoaHlDa/Rqo6zfBovCkiH 4z/QmVpI6sOh6IoULBxhOeqaubTvAvnErRTPeTSx5XPvJB9FwNHwGRwG6F+F3mV+ VCpWYwQ3I2qGEm5RBvbh =9FS1 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Problem configuring SSL
Hi, I have a strange problem configuring SSL to work with Tomcat. Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45 It's a new Tomcat installation. All keystore operations were done with keytool. I imported CA root/intermediate certificate and client certificate, configured SSL connector in server.xml. I have this same setup on another server that works fine. Connecting to this server via http works. 1. If I try to connect this address via https in Chrome I get: "This Webpage is not available." In Firefox: "Error code: ssl_error_no_cypher_overlap" 2. I tried connecting from another server via openssl: #openssl s_client -state -nbio -connect :443 CONNECTED(0003) turning on non blocking io SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:error in SSLv2/v3 read server hello A write R BLOCK SSL3 alert read:fatal:handshake failure SSL_connect:error in SSLv2/v3 read server hello A 26180:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562: 3. Here's a list of enabled ciphers using SSLInfo: #java -showversion SSLInfo java version "1.7.0_45" Java(TM) SE Runtime Environment (build 1.7.0_45-b18) Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode) Default Cipher SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA * SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA * SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_DES_CBC_SHA SSL_DH_anon_WITH_RC4_128_MD5 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5 * SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_SHA * SSL_RSA_WITH_RC4_128_MD5 * SSL_RSA_WITH_RC4_128_SHA * TLS_DHE_DSS_WITH_AES_128_CBC_SHA * TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 * TLS_DHE_RSA_WITH_AES_128_CBC_SHA * TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DH_anon_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_AES_128_CBC_SHA256 * TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_NULL_SHA * TLS_ECDHE_ECDSA_WITH_RC4_128_SHA * TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_NULL_SHA * TLS_ECDHE_RSA_WITH_RC4_128_SHA * TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA * TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA * TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_NULL_SHA * TLS_ECDH_ECDSA_WITH_RC4_128_SHA * TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA * TLS_ECDH_RSA_WITH_AES_128_CBC_SHA * TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_RSA_WITH_NULL_SHA * TLS_ECDH_RSA_WITH_RC4_128_SHA TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA TLS_ECDH_anon_WITH_AES_128_CBC_SHA TLS_ECDH_anon_WITH_NULL_SHA TLS_ECDH_anon_WITH_RC4_128_SHA * TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA TLS_KRB5_EXPORT_WITH_RC4_40_MD5 TLS_KRB5_EXPORT_WITH_RC4_40_SHA TLS_KRB5_WITH_3DES_EDE_CBC_MD5 TLS_KRB5_WITH_3DES_EDE_CBC_SHA TLS_KRB5_WITH_DES_CBC_MD5 TLS_KRB5_WITH_DES_CBC_SHA TLS_KRB5_WITH_RC4_128_MD5 TLS_KRB5_WITH_RC4_128_SHA * TLS_RSA_WITH_AES_128_CBC_SHA * TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_NULL_SHA256 Any ideas? I already spent one and a half days trying to figure this out. I would appreciate any ideas. Thanks, Alex.
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
most of the people puking here regarding the tlsv1.1 and tlsv1.2 support in tomcat 7.0.47 or just trying them-self to look over smart. Hi Mudassir, By default there is no support for TLSv1.1 or TLSv1.2 in Tomcat 7.0.47. you have to apply these two patches in order to run TLSv1.1 and tlsv1.2 https://issues.apache.org/bugzilla/attachment.cgi?id=30150 https://issues.apache.org/bugzilla/attachment.cgi?id=30166 I spend 5 hours to test this. I am using ubuntu trusty. Here is my test result root@ubuntu:/opt/tomcat-native-1.1.29/jni/native# openssl s_client -connect 127.0.0.1:8443 CONNECTED(0003) depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu verify error:num=18:self signed certificate verify return:1 depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu verify return:1 --- Certificate chain 0 s:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu i:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu --- Server certificate -BEGIN CERTIFICATE- MIIB5zCCAY6gAwIBAgIJAIgQsiTjPbouMAkGByqGSM49BAEwUTELMAkGA1UEBhMC TVgxEzARBgNVBAgMClNvbWUtU3RhdGUxDDAKBgNVBAoMA3VuaTEOMAwGA1UECwwF YWRtaW4xDzANBgNVBAMMBnVidW50dTAeFw0xNDAxMDUwMjE0NDZaFw0yNDAxMDMw MjE0NDZaMFExCzAJBgNVBAYTAk1YMRMwEQYDVQQIDApTb21lLVN0YXRlMQwwCgYD VQQKDAN1bmkxDjAMBgNVBAsMBWFkbWluMQ8wDQYDVQQDDAZ1YnVudHUwWTATBgcq hkjOPQIBBggqhkjOPQMBBwNCAAQMy2uSVwbPg1wPOXrqsnvE7YZZ46k1HzMGlpJg +aPFJOKAbYuMYG6f5PY634Qn6qWBuyeorj8epZBlY1f573Kko1AwTjAdBgNVHQ4E FgQU6k2A1GIkIUw+BkDRJLV+664BKQYwHwYDVR0jBBgwFoAU6k2A1GIkIUw+BkDR JLV+664BKQYwDAYDVR0TBAUwAwEB/zAJBgcqhkjOPQQBA0gAMEUCIQCYpIAwCJ+p X/C2F6Cqa3xU6dpfuFnwqHL4PfQX4Yv+TQIgewShairhIVKvpWicOnuChYY72RjZ EmVg3uQq9XxPfiI= -END CERTIFICATE- subject=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu issuer=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu --- No client certificate CA names sent --- SSL handshake has read 828 bytes and written 445 bytes --- New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384 Server public key is 256 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher: ECDH-ECDSA-AES256-GCM-SHA384 Session-ID: AE5EAC55628B803E4D395AF88A0BBF5536FD0A051E31E6261A92E997B270EA3C Session-ID-ctx: Master-Key: 45C7008AD0BD31B57F786226278BF1CD98C6BA464EF529D60E48FC9BFB60E286412BDAB0CB51EAE6763B822E81F32B6A Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: - 2e 81 a3 90 ff 13 f9 8b-e9 87 1c 56 c4 dc 49 51 ...V..IQ 0010 - c2 f3 2b f9 61 45 20 d5-a8 50 50 eb f4 1d 41 cf ..+.aE ..PP...A. 0020 - d7 76 29 03 b5 5b 35 c4-e9 c3 d8 c3 3b 3e 6d c9 .v)..[5.;>m. 0030 - d7 cb 92 d9 ab ac 54 23-df 39 2d 5a f1 fc 5e 21 ..T#.9-Z..^! 0040 - cb a0 37 ea 66 59 f6 1b-5f b7 91 2a d1 85 d3 ed ..7.fY.._..* 0050 - 5d 72 12 8b 5e dd 29 ac-8c 49 f6 07 50 ef ba 16 ]r..^.)..I..P... 0060 - 23 92 f6 63 79 d4 36 23-ba e9 a3 35 79 92 68 e6 #..cy.6#...5y.h. 0070 - 0f c8 15 be ef 95 3c 77-ee 86 d1 85 27 20 e8 8a .. How To Apply the patches. 1- https://issues.apache.org/bugzilla/attachment.cgi?id=30150 , this patch will be applied to tomcat-native-1.1.29. after the patch compile it using cd tomcat-native-1.1.29/jni/native/ ./configure --with-java=/usr/lib/jvm/java-1.7.0-openjdk-i386 --with-ssl=yes --with-apr=/usr/bin/apr-1-config make cd tomcat-native-1.1.29/jni ant copy the libs and place them to default lib directory of ubuntu cp tomcat-native-1.1.29/jni/native/.libs/* /usr/lib/i386-linux-gnu/ 2- Get the source code of tomcat-7.0.47. install jdk6 apply this patch https://issues.apache.org/bugzilla/attachment.cgi?id=30166 to tomcat-7.0.47. export the jdk6 path. run "ant" in the source folder. this will download many files and also compile the code. there will be some errors related to SSLV2. comment that code. as sslv2 will no more supported. after the successful build start the tomcat server. let me know if there is still any errors. Regards, San On Sun, Jan 5, 2014 at 12:17 PM, Terence M. Bandoian wrote: > On 1/4/2014 3:08 PM, Christopher Schultz wrote: > > Musassir, > > > > On 1/3/14, 5:27 PM, Mudassir Aftab wrote: > > > Again, we have to submit this as a bug.TLS 1.2 is not working > > > in Tomcat > > > > Tomcat 7.0.74 > > Oracle Java 1.7.0_45 > > tcnative 1.1.29 trunk (essentially 1.2.29 > > > > tcnative$ make clean > > tcnative$ ./configure --with-apr=`which apr-config` > > --with-java-home=/usr/local/java-7 --with-ssl > > tcnative$ time make > > [...] > > make[1]: Leaving directory > > `/home/cschultz/projects/tomcat-native-1.1.x/native' > > > > real0m14.790s > > user0m15.300s > > sys0m1.840s > > > > tcnative$ cp -d .libs/* $CATALINA_HOME/bin > > > > tcnative$ cd $CATALINA_BA