Re: Operation has timed out
below is the server.xml configuration, as mentioened earlier the issue is related to the cluster configuration, and as per my research i can see that some users are facing the same issue but i didnt found the solution of it On Mon, Feb 6, 2017 at 6:51 PM, André Warnier (tomcat)wrote: > On 06.02.2017 17:45, Fady Haikal wrote: >> >> Hi, >> What is the host OS ? Windows Server 2012 >> What is the Tomcat version ? Apache Tomcat/8.0.30 >> >> Is this problem new ? was this working before ? how long ? Since >> cluster implementation >> > > I still don't know tribes, but then my non-educated guess at this point > would be that there is something wrong in your configuration. > Can you copy/paste it here ? (remove sensible things like passwords, public > IP addresses etc..)(but not to the point of making it uncheckable). > > Then maybe some tribes-specialist can take over ? > > >> >> Is there actually something listening on that address/port ? Tomcat >> cluster >> >> the Port 4000 is listening and there is no disconnection between 2 >> nodes ping and telnet are OK >> >> On Mon, Feb 6, 2017 at 6:42 PM, André Warnier (tomcat) >> wrote: >>> >>> On 06.02.2017 17:24, Fady Haikal wrote: Plz can i get some help here? This issue is still occurring and it's filling the log file in the Production server Regards, Fady >>> >>> >>> >>> Hi. >>> If you want quick answers, you should provide more information. >>> What is the host OS ? >>> What is the Tomcat version ? >>> Is this problem new ? was this working before ? how long ? >>> >>> I do not know tribes at all, but according to the logfile below, it seems >>> that something is trying to "ping" the address 10.114.43.103, port 4000, >>> and >>> never getting a response (or at least not within 3000ms). >>> Is there actually something listening on that address/port ? >>> The "netstat" command (available both on Linux and Windows) can tell you. >>> If there is something listening there, can it respond to whatever is >>> ping-ing it ? >>> (routing, firewall, ..) >>> On Mon, Feb 6, 2017 at 8:52 AM, Fady Haikal wrote: > > > Guys, we are facing the below errors in Tomcat cluster, please advise > > > 06-Feb-2017 01:14:20.718 SEVERE [GroupChannel-Heartbeat-1] > org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat > Unable to send AbstractReplicatedMap.ping message >org.apache.catalina.tribes.ChannelException: Operation has timed > out(3000 ms.).; Faulty members:tcp://{10, 114, 43, 103}:4000; > at > > org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(ParallelNioSender.java:108) > at > > org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessage(PooledParallelSender.java:48) > at > > org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage(ReplicationTransmitter.java:54) > at > > org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelCoordinator.java:82) > at > > org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76) > at > > org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor.sendMessage(MessageDispatchInterceptor.java:81) > at > > org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76) > at > > org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.sendMessage(TcpFailureDetector.java:93) > at > > org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76) > at > > org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:233) > at > > org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:186) > at org.apache.catalina.tribes.group.RpcChannel.send(RpcChannel.java:99) > at > > org.apache.catalina.tribes.tipis.AbstractReplicatedMap.ping(AbstractReplicatedMap.java:267) > at > > org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat(AbstractReplicatedMap.java:885) > at > > org.apache.catalina.tribes.group.GroupChannel.heartbeat(GroupChannel.java:161) > at > > org.apache.catalina.tribes.group.GroupChannel$HeartbeatThread.run(GroupChannel.java:697) > > > 06-Feb-2017 01:20:51.437 SEVERE [NioReceiver] > org.apache.catalina.tribes.transport.nio.NioReceiver.listen
Re: TomcatCon @ ApacheCon
Hi, I've submitted a proposal for Tomcat Clustering. http://events.linuxfoundation.org/cfp/proposals/6216/13474 > -- > Keiichi.Fujino >> >
Re: Operation has timed out
On 06.02.2017 17:45, Fady Haikal wrote: Hi, What is the host OS ? Windows Server 2012 What is the Tomcat version ? Apache Tomcat/8.0.30 Is this problem new ? was this working before ? how long ? Since cluster implementation I still don't know tribes, but then my non-educated guess at this point would be that there is something wrong in your configuration. Can you copy/paste it here ? (remove sensible things like passwords, public IP addresses etc..)(but not to the point of making it uncheckable). Then maybe some tribes-specialist can take over ? Is there actually something listening on that address/port ? Tomcat cluster the Port 4000 is listening and there is no disconnection between 2 nodes ping and telnet are OK On Mon, Feb 6, 2017 at 6:42 PM, André Warnier (tomcat)wrote: On 06.02.2017 17:24, Fady Haikal wrote: Plz can i get some help here? This issue is still occurring and it's filling the log file in the Production server Regards, Fady Hi. If you want quick answers, you should provide more information. What is the host OS ? What is the Tomcat version ? Is this problem new ? was this working before ? how long ? I do not know tribes at all, but according to the logfile below, it seems that something is trying to "ping" the address 10.114.43.103, port 4000, and never getting a response (or at least not within 3000ms). Is there actually something listening on that address/port ? The "netstat" command (available both on Linux and Windows) can tell you. If there is something listening there, can it respond to whatever is ping-ing it ? (routing, firewall, ..) On Mon, Feb 6, 2017 at 8:52 AM, Fady Haikal wrote: Guys, we are facing the below errors in Tomcat cluster, please advise 06-Feb-2017 01:14:20.718 SEVERE [GroupChannel-Heartbeat-1] org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat Unable to send AbstractReplicatedMap.ping message org.apache.catalina.tribes.ChannelException: Operation has timed out(3000 ms.).; Faulty members:tcp://{10, 114, 43, 103}:4000; at org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(ParallelNioSender.java:108) at org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessage(PooledParallelSender.java:48) at org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage(ReplicationTransmitter.java:54) at org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelCoordinator.java:82) at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76) at org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor.sendMessage(MessageDispatchInterceptor.java:81) at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76) at org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.sendMessage(TcpFailureDetector.java:93) at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76) at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:233) at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:186) at org.apache.catalina.tribes.group.RpcChannel.send(RpcChannel.java:99) at org.apache.catalina.tribes.tipis.AbstractReplicatedMap.ping(AbstractReplicatedMap.java:267) at org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat(AbstractReplicatedMap.java:885) at org.apache.catalina.tribes.group.GroupChannel.heartbeat(GroupChannel.java:161) at org.apache.catalina.tribes.group.GroupChannel$HeartbeatThread.run(GroupChannel.java:697) 06-Feb-2017 01:20:51.437 SEVERE [NioReceiver] org.apache.catalina.tribes.transport.nio.NioReceiver.listen Unable to process request in NioReceiver java.io.IOException: A non-blocking socket operation could not be completed immediately at sun.nio.ch.SocketDispatcher.close0(Native Method) at sun.nio.ch.SocketDispatcher.close(Unknown Source) at sun.nio.ch.SocketChannelImpl.kill(Unknown Source) at sun.nio.ch.WindowsSelectorImpl.implDereg(Unknown Source) at sun.nio.ch.SelectorImpl.processDeregisterQueue(Unknown Source) at sun.nio.ch.WindowsSelectorImpl.doSelect(Unknown Source) at sun.nio.ch.SelectorImpl.lockAndDoSelect(Unknown Source) at sun.nio.ch.SelectorImpl.select(Unknown Source) at org.apache.catalina.tribes.transport.nio.NioReceiver.listen(NioReceiver.java:272) at org.apache.catalina.tribes.transport.nio.NioReceiver.run(NioReceiver.java:425) at java.lang.Thread.run(Unknown Source) Regards, Fady - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Operation has timed out
Hi, What is the host OS ? Windows Server 2012 What is the Tomcat version ? Apache Tomcat/8.0.30 Is this problem new ? was this working before ? how long ? Since cluster implementation Is there actually something listening on that address/port ? Tomcat cluster the Port 4000 is listening and there is no disconnection between 2 nodes ping and telnet are OK On Mon, Feb 6, 2017 at 6:42 PM, André Warnier (tomcat)wrote: > On 06.02.2017 17:24, Fady Haikal wrote: >> >> Plz can i get some help here? >> This issue is still occurring and it's filling the log file in the >> Production server >> >> Regards, >> Fady > > > Hi. > If you want quick answers, you should provide more information. > What is the host OS ? > What is the Tomcat version ? > Is this problem new ? was this working before ? how long ? > > I do not know tribes at all, but according to the logfile below, it seems > that something is trying to "ping" the address 10.114.43.103, port 4000, and > never getting a response (or at least not within 3000ms). > Is there actually something listening on that address/port ? > The "netstat" command (available both on Linux and Windows) can tell you. > If there is something listening there, can it respond to whatever is > ping-ing it ? > (routing, firewall, ..) > >> >> On Mon, Feb 6, 2017 at 8:52 AM, Fady Haikal wrote: >>> >>> Guys, we are facing the below errors in Tomcat cluster, please advise >>> >>> >>> 06-Feb-2017 01:14:20.718 SEVERE [GroupChannel-Heartbeat-1] >>> org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat >>> Unable to send AbstractReplicatedMap.ping message >>> org.apache.catalina.tribes.ChannelException: Operation has timed >>> out(3000 ms.).; Faulty members:tcp://{10, 114, 43, 103}:4000; >>> at >>> org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(ParallelNioSender.java:108) >>> at >>> org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessage(PooledParallelSender.java:48) >>> at >>> org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage(ReplicationTransmitter.java:54) >>> at >>> org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelCoordinator.java:82) >>> at >>> org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76) >>> at >>> org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor.sendMessage(MessageDispatchInterceptor.java:81) >>> at >>> org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76) >>> at >>> org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.sendMessage(TcpFailureDetector.java:93) >>> at >>> org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76) >>> at >>> org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:233) >>> at >>> org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:186) >>> at org.apache.catalina.tribes.group.RpcChannel.send(RpcChannel.java:99) >>> at >>> org.apache.catalina.tribes.tipis.AbstractReplicatedMap.ping(AbstractReplicatedMap.java:267) >>> at >>> org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat(AbstractReplicatedMap.java:885) >>> at >>> org.apache.catalina.tribes.group.GroupChannel.heartbeat(GroupChannel.java:161) >>> at >>> org.apache.catalina.tribes.group.GroupChannel$HeartbeatThread.run(GroupChannel.java:697) >>> >>> >>> 06-Feb-2017 01:20:51.437 SEVERE [NioReceiver] >>> org.apache.catalina.tribes.transport.nio.NioReceiver.listen Unable to >>> process request in NioReceiver >>> java.io.IOException: A non-blocking socket operation could not be >>> completed immediately >>> at sun.nio.ch.SocketDispatcher.close0(Native Method) >>> at sun.nio.ch.SocketDispatcher.close(Unknown Source) >>> at sun.nio.ch.SocketChannelImpl.kill(Unknown Source) >>> at sun.nio.ch.WindowsSelectorImpl.implDereg(Unknown Source) >>> at sun.nio.ch.SelectorImpl.processDeregisterQueue(Unknown Source) >>> at sun.nio.ch.WindowsSelectorImpl.doSelect(Unknown Source) >>> at sun.nio.ch.SelectorImpl.lockAndDoSelect(Unknown Source) >>> at sun.nio.ch.SelectorImpl.select(Unknown Source) >>> at >>> org.apache.catalina.tribes.transport.nio.NioReceiver.listen(NioReceiver.java:272) >>> at >>> org.apache.catalina.tribes.transport.nio.NioReceiver.run(NioReceiver.java:425) >>> at java.lang.Thread.run(Unknown Source) >>> >>> Regards, >>> Fady >> >> >> - >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > - To unsubscribe, e-mail:
Re: Operation has timed out
On 06.02.2017 17:24, Fady Haikal wrote: Plz can i get some help here? This issue is still occurring and it's filling the log file in the Production server Regards, Fady Hi. If you want quick answers, you should provide more information. What is the host OS ? What is the Tomcat version ? Is this problem new ? was this working before ? how long ? I do not know tribes at all, but according to the logfile below, it seems that something is trying to "ping" the address 10.114.43.103, port 4000, and never getting a response (or at least not within 3000ms). Is there actually something listening on that address/port ? The "netstat" command (available both on Linux and Windows) can tell you. If there is something listening there, can it respond to whatever is ping-ing it ? (routing, firewall, ..) On Mon, Feb 6, 2017 at 8:52 AM, Fady Haikalwrote: Guys, we are facing the below errors in Tomcat cluster, please advise 06-Feb-2017 01:14:20.718 SEVERE [GroupChannel-Heartbeat-1] org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat Unable to send AbstractReplicatedMap.ping message org.apache.catalina.tribes.ChannelException: Operation has timed out(3000 ms.).; Faulty members:tcp://{10, 114, 43, 103}:4000; at org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(ParallelNioSender.java:108) at org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessage(PooledParallelSender.java:48) at org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage(ReplicationTransmitter.java:54) at org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelCoordinator.java:82) at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76) at org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor.sendMessage(MessageDispatchInterceptor.java:81) at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76) at org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.sendMessage(TcpFailureDetector.java:93) at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76) at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:233) at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:186) at org.apache.catalina.tribes.group.RpcChannel.send(RpcChannel.java:99) at org.apache.catalina.tribes.tipis.AbstractReplicatedMap.ping(AbstractReplicatedMap.java:267) at org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat(AbstractReplicatedMap.java:885) at org.apache.catalina.tribes.group.GroupChannel.heartbeat(GroupChannel.java:161) at org.apache.catalina.tribes.group.GroupChannel$HeartbeatThread.run(GroupChannel.java:697) 06-Feb-2017 01:20:51.437 SEVERE [NioReceiver] org.apache.catalina.tribes.transport.nio.NioReceiver.listen Unable to process request in NioReceiver java.io.IOException: A non-blocking socket operation could not be completed immediately at sun.nio.ch.SocketDispatcher.close0(Native Method) at sun.nio.ch.SocketDispatcher.close(Unknown Source) at sun.nio.ch.SocketChannelImpl.kill(Unknown Source) at sun.nio.ch.WindowsSelectorImpl.implDereg(Unknown Source) at sun.nio.ch.SelectorImpl.processDeregisterQueue(Unknown Source) at sun.nio.ch.WindowsSelectorImpl.doSelect(Unknown Source) at sun.nio.ch.SelectorImpl.lockAndDoSelect(Unknown Source) at sun.nio.ch.SelectorImpl.select(Unknown Source) at org.apache.catalina.tribes.transport.nio.NioReceiver.listen(NioReceiver.java:272) at org.apache.catalina.tribes.transport.nio.NioReceiver.run(NioReceiver.java:425) at java.lang.Thread.run(Unknown Source) Regards, Fady - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Operation has timed out
Plz can i get some help here? This issue is still occurring and it's filling the log file in the Production server Regards, Fady On Mon, Feb 6, 2017 at 8:52 AM, Fady Haikalwrote: > Guys, we are facing the below errors in Tomcat cluster, please advise > > > 06-Feb-2017 01:14:20.718 SEVERE [GroupChannel-Heartbeat-1] > org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat > Unable to send AbstractReplicatedMap.ping message > org.apache.catalina.tribes.ChannelException: Operation has timed > out(3000 ms.).; Faulty members:tcp://{10, 114, 43, 103}:4000; > at > org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(ParallelNioSender.java:108) > at > org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessage(PooledParallelSender.java:48) > at > org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage(ReplicationTransmitter.java:54) > at > org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelCoordinator.java:82) > at > org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76) > at > org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor.sendMessage(MessageDispatchInterceptor.java:81) > at > org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76) > at > org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.sendMessage(TcpFailureDetector.java:93) > at > org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76) > at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:233) > at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:186) > at org.apache.catalina.tribes.group.RpcChannel.send(RpcChannel.java:99) > at > org.apache.catalina.tribes.tipis.AbstractReplicatedMap.ping(AbstractReplicatedMap.java:267) > at > org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat(AbstractReplicatedMap.java:885) > at > org.apache.catalina.tribes.group.GroupChannel.heartbeat(GroupChannel.java:161) > at > org.apache.catalina.tribes.group.GroupChannel$HeartbeatThread.run(GroupChannel.java:697) > > > 06-Feb-2017 01:20:51.437 SEVERE [NioReceiver] > org.apache.catalina.tribes.transport.nio.NioReceiver.listen Unable to > process request in NioReceiver > java.io.IOException: A non-blocking socket operation could not be > completed immediately > at sun.nio.ch.SocketDispatcher.close0(Native Method) > at sun.nio.ch.SocketDispatcher.close(Unknown Source) > at sun.nio.ch.SocketChannelImpl.kill(Unknown Source) > at sun.nio.ch.WindowsSelectorImpl.implDereg(Unknown Source) > at sun.nio.ch.SelectorImpl.processDeregisterQueue(Unknown Source) > at sun.nio.ch.WindowsSelectorImpl.doSelect(Unknown Source) > at sun.nio.ch.SelectorImpl.lockAndDoSelect(Unknown Source) > at sun.nio.ch.SelectorImpl.select(Unknown Source) > at > org.apache.catalina.tribes.transport.nio.NioReceiver.listen(NioReceiver.java:272) > at > org.apache.catalina.tribes.transport.nio.NioReceiver.run(NioReceiver.java:425) > at java.lang.Thread.run(Unknown Source) > > Regards, > Fady - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: TomcatCon @ ApacheCon
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Coty, On 2/6/17 8:36 AM, Coty Sutherland wrote: > OK, I submitted a proposal for the linux packaging talk here > http://events.linuxfoundation.org/cfp/proposals/14925/13455 . I > can't update the Confluence page though. I've updated the page. Thanks, - -chris > On Fri, Feb 3, 2017 at 2:31 PM, Coty Sutherland >wrote: >> Hi Emmanuel, >> >>> If you already have a draft of your presentation you can send >>> it to me and I'll insert a few slides about Debian. >> >> I haven't even started yet :( I need to block out some time to >> submit the abstract and start the presentation soon. If you can >> just give me a few slides on the basic layout of the debian >> distro I can add them to the presentation I create and then send >> it to you to review. If you'd rather add to my presentation >> yourself, I'll just send it over when I start working on it and >> we can go from there. >> >> On Fri, Feb 3, 2017 at 9:44 AM, Emmanuel Bourg >> wrote: >>> Le 1/02/2017 à 20:20, Coty Sutherland a écrit : I'm still planning to submit for the linux packaging talk (though I haven't heard anything else form the other distro maintainers), just haven't done it yet. I suppose I could volunteer for one of the others, I'll check the list. >>> >>> Hi Coty, >>> >>> If you already have a draft of your presentation you can send >>> it to me and I'll insert a few slides about Debian. >>> >>> Emmanuel Bourg >>> >>> >>> - - >>> >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>> For additional commands, e-mail: users-h...@tomcat.apache.org >>> > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJYmIwjAAoJEBzwKT+lPKRYhm8QAMOf04st28AWTzh7mXGZE5SV 7q9qXCU7JdhdIi/BGAhYBby/STdSuEDKmW1C0k8dTsS+R/hfMq+jfnrFJHtLvAvr SlkVj2bROJiU+hHu3rSjKTcrl+npBE6lukA3gYF9xU9OM3TiDhNL0eEadABAKJJY g1XKb1qU470JdOkY52dZNLgITg0JLSGmDmLm+cPZ9ix/dvDoxC2xBFZT7HpRtn0o ZGw2NMqJAR8eZIlNeTR0zd+sgogUoDCUW1+Swa6uD+3brpK6eFRLTvPOY+L9sklp jkqocXwP5/YDqqQlX/COTz4epXu/ZF3PfUqgaVtNlBThJ7tpE6NYtHy8+PgRMXfO ewo4mPQzzqnm3dhz3cRBVua9glFPPmCRGQsB2QYvQyhgmwC4QYkxItmXL+1cN4Z3 +s8FvarrWtvFu9h56T7MSc+N29vLLNp5UvRx4djPP7xGvLPFxM7GvqFd6A2wz/9D Kp7r/4UEFVzZYnDxdFduzT4KcswILsJru2rvYUAAJcyHlSdy0/cEGcofRJeZPORf 2uB7nre48GyZMpqvvt6OkTodiqj8Q+E05W3Ba2P5duhMEnWukItjR95T3x9y03FX ksZcbOQL9Bqgj3rNBDbTYFNnnnZHp2MiaCOErjlMyvhXN4SrUEmMXcGWisuetgSa OUN3Q1JwHzD2iSNPYXMP =mxOR -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 8.5 HTTP/2 connector not supporting GZIP compression
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Konstantin, On 2/4/17 2:43 PM, Konstantin Kolinko wrote: > 2017-02-04 18:55 GMT+03:00 Patrizio Munzi >: >> It looks like tomcat 8.5 HTTP/2 protocol does not support GZIP >> compression. Can anyone confirm or give advise on how to enable >> it? >> >> The following does not work: >> >> > port="8443" connectionTimeout="2" executor="main" >> SSLEnabled="true" scheme="https" secure="true" >> URIEncoding="UTF-8" maxHttpHeaderSize="10240" compression="force" >> SSLCertificateKeyFile="${tomcat.conf.dir}/key.pem" >> SSLCertificateFile="${tomcat.conf.dir}/cert.pem" >> SSLPassword="changeit"> > className="org.apache.coyote.http2.Http2Protocol" /> >> > > When you ask about compression of dynamic content, I think that > you should read about the following well-known issues first, > especially the latter one: > > https://en.wikipedia.org/wiki/CRIME_(security_exploit) > https://en.wikipedia.org/wiki/BREACH_(security_exploit) It's BREACH that's worse. CRIME seems to be focused on using known-plaintext to pick-away at the TLS encryption wrapper. While also a known-plaintext attack, BREACH uses HTTP compression (where the headers are not compressed before being encrypted for transfer) and the compressed content is buried more deeply and is thus (slightly) more difficult to pull off an attack. There are also some mitigations, the first of which is to ensure that your application doesn't have any XSS vulnerabilities (which is usually a big job). The second is to play games with enabling compression only under certain circumstances, but I suspect those circumstances are quite difficult to truly get right, and their validity will diminish over time. - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJYmItEAAoJEBzwKT+lPKRYwq4P/jl57G3sUQDPNE3z3/61mf+r WCdh8+nUmDxfdjuBrV9eJj/7rvM7wElOudT+XvtQ2oNRSO2aPUVkcLuqkDHwg5H5 XCxVqCoj+kLZFxv12WtCWaDpMc54sXDsLF0Mg0jVbnQmuFjA+G0/YCfC7Il4n4nc VoYG69t9rkduDksDc/KDid9qb2WT/fxYXP3XmuVwIjT52QRpaqO+e9UqZBx/nPnR zWqr1IcNJYwMZXI/5LHK9WeItlDGhVK47ziXDQ4JNAk2WistMn6k8kZEVogS63VI 8DxrAN3Ob1u5Z3/1ttEUqH8KdAFvHWNn/2S2zB2hKOfhj0PURd1sxZDjORAwVtXR LjdKsaD/LYQ6Oej58bG+33GT6uGcq6iPXZzOqX186N5kR+D4GK515TKO98GA49Me QClN7YU6iys+Ymf4xSva8/gNdIRYGSuK5hwhqACThGiKB0kc0pgNfeZq7N/OO5Eh jsEIkkjy3kAEhFvBikwwUiMgMCEbbsPxmpnEnkBrID6Or94TInKHeZkHEny/ILQu 2TnMiChNnR2W0sJlPOokEyIwKepxNO5Ue4Wt9lqqoDGvKTqK3K+aZSZJqyPYATEv Tfibkf27qTVT2vvy29B/BUyFomSIk4WfNA/fZrzyw3zatrLddla+5n3yhxK990QL xIJtAtI8pbeeKwCJEKTU =gP7O -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache Tomcat 7.0.59 - Even if a ws certificate stored in the WSkeystore expires, any webclient request is still accepted by server and not refused
On 06/02/17 13:49, Francesco Leone wrote: Dear Sirs, To communicate you a behaviour with Apache Tomcat 7.0.59 Apache Tomcat 7.0.59 is running with: - RHEL6.6 - java jdk 1.8.0.74 - OpenSSL 1.0.2g We have a client - server communication. The Client certificate is produced via keytool and we have same problem highlighted here http://stackoverflow.com/questions/33688020/configuring-apache-tomcat-7-0-to-reject-connections-with-expired-client-certific and http://stackoverflow.com/questions/5206859/java-trustmanager-behavior-on-expired-certificates What we got reading all flow, is that to solve our problem we should implement a new X509TrustManager which creates our original instance in its constructor, implements all methods as calls to the original instance, and adds a call to checkValidity for each certificate in certs[] inside checkServerTrusted. Did we get well ? If yes, it sounds to us as a hole in the security and so a bug in Tomcat, is there any chance to have this behaviour (refuse connection at expired certificates) as standard in later Apache tomcat 7.0.x release ? Any of this community can support us ? This is not a Tomcat bug. If you tell Java to trust a certificate, it will do so and ignore the validity period. I've looked into this in the past and short of implementing your own X509TrustManager I haven't yet found an API Tomcat could use to add an additional check on the trusted cert's validity. A better general solution is to trust the CA(s) issuing the client certificates rather than the client certificates. Then, because the client cert is not in the trust store, Java checks it more thoroughly - including the validity dates. It is also worth looking at using an OpenSSL based TLS connector. From what I recall of my previous testing OpenSSL did check the validity dates of trusted certs. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Apache Tomcat 7.0.59 - Even if a ws certificate stored in the WSkeystore expires, any webclient request is still accepted by server and not refused
Dear Sirs, To communicate you a behaviour with Apache Tomcat 7.0.59 Apache Tomcat 7.0.59 is running with: - RHEL6.6 - java jdk 1.8.0.74 - OpenSSL 1.0.2g We have a client - server communication. The Client certificate is produced via keytool and we have same problem highlighted here http://stackoverflow.com/questions/33688020/configuring-apache-tomcat-7-0-to-reject-connections-with-expired-client-certific and http://stackoverflow.com/questions/5206859/java-trustmanager-behavior-on-expired-certificates What we got reading all flow, is that to solve our problem we should implement a new X509TrustManager which creates our original instance in its constructor, implements all methods as calls to the original instance, and adds a call to checkValidity for each certificate in certs[] inside checkServerTrusted. Did we get well ? If yes, it sounds to us as a hole in the security and so a bug in Tomcat, is there any chance to have this behaviour (refuse connection at expired certificates) as standard in later Apache tomcat 7.0.x release ? Any of this community can support us ? Best Regards Francesco FRANCESCO LEONE Eng. Ericsson francesco.le...@ericsson.com www.ericsson.com Legal entity: TEI, registered office in Pagani. This Communication is Confidential. We only send and receive email on the basis of the terms set out at www.ericsson.com/email_disclaimer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Apache Tomcat 7.0.59 - Even if a ws certificate stored in the WSkeystore expires, any webclient request is still accepted by server and not refused
Dear Sirs, To communicate you a behaviour with Apache Tomcat 7.0.59 Apache Tomcat 7.0.59 is running with: - RHEL6.6 - java jdk 1.8.0.74 - OpenSSL 1.0.2g We have a client - server communication. The Client certificate is produced via keytool and we have same problem highlighted here http://stackoverflow.com/questions/33688020/configuring-apache-tomcat-7-0-to-reject-connections-with-expired-client-certific and http://stackoverflow.com/questions/5206859/java-trustmanager-behavior-on-expired-certificates What we got reading all flow, is that to solve our problem we should implement a new X509TrustManager which creates our original instance in its constructor, implements all methods as calls to the original instance, and adds a call to checkValidity for each certificate in certs[] inside checkServerTrusted. Did we get well ? If yes, it sounds to us as a hole in the security and so a bug in Tomcat, is there any chance to have this behaviour (refuse connection at expired certificates) as standard in later Apache tomcat 7.0.x release ? Any of this community can support us ? Best Regards Francesco FRANCESCO LEONE Eng. Ericsson francesco.le...@ericsson.com www.ericsson.com Legal entity: TEI, registered office in Pagani. This Communication is Confidential. We only send and receive email on the basis of the terms set out at www.ericsson.com/email_disclaimer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: TomcatCon @ ApacheCon
OK, I submitted a proposal for the linux packaging talk here http://events.linuxfoundation.org/cfp/proposals/14925/13455 . I can't update the Confluence page though. On Fri, Feb 3, 2017 at 2:31 PM, Coty Sutherlandwrote: > Hi Emmanuel, > >> If you already have a draft of your presentation you can send it to me >> and I'll insert a few slides about Debian. > > I haven't even started yet :( I need to block out some time to submit > the abstract and start the presentation soon. If you can just give me > a few slides on the basic layout of the debian distro I can add them > to the presentation I create and then send it to you to review. If > you'd rather add to my presentation yourself, I'll just send it over > when I start working on it and we can go from there. > > On Fri, Feb 3, 2017 at 9:44 AM, Emmanuel Bourg wrote: >> Le 1/02/2017 à 20:20, Coty Sutherland a écrit : >>> I'm still planning to submit for the linux packaging talk (though I >>> haven't heard anything else form the other distro maintainers), just >>> haven't done it yet. I suppose I could volunteer for one of the >>> others, I'll check the list. >> >> Hi Coty, >> >> If you already have a draft of your presentation you can send it to me >> and I'll insert a few slides about Debian. >> >> Emmanuel Bourg >> >> >> - >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org