Re: Operation has timed out

[Fady Haikal]

below is the server.xml configuration, as mentioened earlier the issue
is related to the cluster configuration, and as per my research i can
see that some users are facing the same issue but i didnt  found the
solution of it






  
  
  
  
  
  
  
  

  
  


  

  
  




















  
  


  

  
  
  

 
  




  



  

  
  

  

  








  

  


On Mon, Feb 6, 2017 at 6:51 PM, André Warnier (tomcat)  wrote:
> On 06.02.2017 17:45, Fady Haikal wrote:
>>
>> Hi,
>> What is the host OS ? Windows Server 2012
>> What is the Tomcat version ? Apache Tomcat/8.0.30
>>
>> Is this problem new ? was this working before ? how long ? Since
>> cluster implementation
>>
>
> I still don't know tribes, but then my non-educated guess at this point
> would be that there is something wrong in your configuration.
> Can you copy/paste it here ? (remove sensible things like passwords, public
> IP addresses etc..)(but not to the point of making it uncheckable).
>
> Then maybe some tribes-specialist can take over ?
>
>
>>
>> Is there actually something listening on that address/port ? Tomcat
>> cluster
>>
>> the Port 4000 is listening and there is no disconnection between 2
>> nodes ping and telnet are OK
>>
>> On Mon, Feb 6, 2017 at 6:42 PM, André Warnier (tomcat) 
>> wrote:
>>>
>>> On 06.02.2017 17:24, Fady Haikal wrote:


 Plz can i get some help here?
 This issue is still occurring and it's filling the log file in the
 Production server

 Regards,
 Fady
>>>
>>>
>>>
>>> Hi.
>>> If you want quick answers, you should provide more information.
>>> What is the host OS ?
>>> What is the Tomcat version ?
>>> Is this problem new ? was this working before ? how long ?
>>>
>>> I do not know tribes at all, but according to the logfile below, it seems
>>> that something is trying to "ping" the address 10.114.43.103, port 4000,
>>> and
>>> never getting a response (or at least not within 3000ms).
>>> Is there actually something listening on that address/port ?
>>> The "netstat" command (available both on Linux and Windows) can tell you.
>>> If there is something listening there, can it respond to whatever is
>>> ping-ing it ?
>>> (routing, firewall, ..)
>>>

 On Mon, Feb 6, 2017 at 8:52 AM, Fady Haikal 
 wrote:
>
>
> Guys, we are facing the below errors in Tomcat cluster, please advise
>
>
> 06-Feb-2017 01:14:20.718 SEVERE [GroupChannel-Heartbeat-1]
> org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat
> Unable to send AbstractReplicatedMap.ping message
>org.apache.catalina.tribes.ChannelException: Operation has timed
> out(3000 ms.).; Faulty members:tcp://{10, 114, 43, 103}:4000;
> at
>
> org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(ParallelNioSender.java:108)
> at
>
> org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessage(PooledParallelSender.java:48)
> at
>
> org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage(ReplicationTransmitter.java:54)
> at
>
> org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelCoordinator.java:82)
> at
>
> org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76)
> at
>
> org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor.sendMessage(MessageDispatchInterceptor.java:81)
> at
>
> org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76)
> at
>
> org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.sendMessage(TcpFailureDetector.java:93)
> at
>
> org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76)
> at
>
> org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:233)
> at
>
> org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:186)
> at org.apache.catalina.tribes.group.RpcChannel.send(RpcChannel.java:99)
> at
>
> org.apache.catalina.tribes.tipis.AbstractReplicatedMap.ping(AbstractReplicatedMap.java:267)
> at
>
> org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat(AbstractReplicatedMap.java:885)
> at
>
> org.apache.catalina.tribes.group.GroupChannel.heartbeat(GroupChannel.java:161)
> at
>
> org.apache.catalina.tribes.group.GroupChannel$HeartbeatThread.run(GroupChannel.java:697)
>
>
> 06-Feb-2017 01:20:51.437 SEVERE [NioReceiver]
> org.apache.catalina.tribes.transport.nio.NioReceiver.listen 

Re: TomcatCon @ ApacheCon

[Keiichi Fujino]

Hi,

I've submitted a proposal for Tomcat Clustering.
http://events.linuxfoundation.org/cfp/proposals/6216/13474



> --
> Keiichi.Fujino
> 
> 
>

Re: Operation has timed out

[tomcat]

On 06.02.2017 17:45, Fady Haikal wrote:

Hi,
What is the host OS ? Windows Server 2012
What is the Tomcat version ? Apache Tomcat/8.0.30

Is this problem new ? was this working before ? how long ? Since
cluster implementation



I still don't know tribes, but then my non-educated guess at this point would be that 
there is something wrong in your configuration.
Can you copy/paste it here ? (remove sensible things like passwords, public IP addresses 
etc..)(but not to the point of making it uncheckable).


Then maybe some tribes-specialist can take over ?



Is there actually something listening on that address/port ? Tomcat cluster

the Port 4000 is listening and there is no disconnection between 2
nodes ping and telnet are OK

On Mon, Feb 6, 2017 at 6:42 PM, André Warnier (tomcat)  wrote:

On 06.02.2017 17:24, Fady Haikal wrote:


Plz can i get some help here?
This issue is still occurring and it's filling the log file in the
Production server

Regards,
Fady



Hi.
If you want quick answers, you should provide more information.
What is the host OS ?
What is the Tomcat version ?
Is this problem new ? was this working before ? how long ?

I do not know tribes at all, but according to the logfile below, it seems
that something is trying to "ping" the address 10.114.43.103, port 4000, and
never getting a response (or at least not within 3000ms).
Is there actually something listening on that address/port ?
The "netstat" command (available both on Linux and Windows) can tell you.
If there is something listening there, can it respond to whatever is
ping-ing it ?
(routing, firewall, ..)



On Mon, Feb 6, 2017 at 8:52 AM, Fady Haikal  wrote:


Guys, we are facing the below errors in Tomcat cluster, please advise


06-Feb-2017 01:14:20.718 SEVERE [GroupChannel-Heartbeat-1]
org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat
Unable to send AbstractReplicatedMap.ping message
   org.apache.catalina.tribes.ChannelException: Operation has timed
out(3000 ms.).; Faulty members:tcp://{10, 114, 43, 103}:4000;
at
org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(ParallelNioSender.java:108)
at
org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessage(PooledParallelSender.java:48)
at
org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage(ReplicationTransmitter.java:54)
at
org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelCoordinator.java:82)
at
org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76)
at
org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor.sendMessage(MessageDispatchInterceptor.java:81)
at
org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76)
at
org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.sendMessage(TcpFailureDetector.java:93)
at
org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76)
at
org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:233)
at
org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:186)
at org.apache.catalina.tribes.group.RpcChannel.send(RpcChannel.java:99)
at
org.apache.catalina.tribes.tipis.AbstractReplicatedMap.ping(AbstractReplicatedMap.java:267)
at
org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat(AbstractReplicatedMap.java:885)
at
org.apache.catalina.tribes.group.GroupChannel.heartbeat(GroupChannel.java:161)
at
org.apache.catalina.tribes.group.GroupChannel$HeartbeatThread.run(GroupChannel.java:697)


06-Feb-2017 01:20:51.437 SEVERE [NioReceiver]
org.apache.catalina.tribes.transport.nio.NioReceiver.listen Unable to
process request in NioReceiver
   java.io.IOException: A non-blocking socket operation could not be
completed immediately
at sun.nio.ch.SocketDispatcher.close0(Native Method)
at sun.nio.ch.SocketDispatcher.close(Unknown Source)
at sun.nio.ch.SocketChannelImpl.kill(Unknown Source)
at sun.nio.ch.WindowsSelectorImpl.implDereg(Unknown Source)
at sun.nio.ch.SelectorImpl.processDeregisterQueue(Unknown Source)
at sun.nio.ch.WindowsSelectorImpl.doSelect(Unknown Source)
at sun.nio.ch.SelectorImpl.lockAndDoSelect(Unknown Source)
at sun.nio.ch.SelectorImpl.select(Unknown Source)
at
org.apache.catalina.tribes.transport.nio.NioReceiver.listen(NioReceiver.java:272)
at
org.apache.catalina.tribes.transport.nio.NioReceiver.run(NioReceiver.java:425)
at java.lang.Thread.run(Unknown Source)

Regards,
Fady



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Operation has timed out

[Fady Haikal]

Hi,
What is the host OS ? Windows Server 2012
What is the Tomcat version ? Apache Tomcat/8.0.30

Is this problem new ? was this working before ? how long ? Since
cluster implementation


Is there actually something listening on that address/port ? Tomcat cluster

the Port 4000 is listening and there is no disconnection between 2
nodes ping and telnet are OK

On Mon, Feb 6, 2017 at 6:42 PM, André Warnier (tomcat)  wrote:
> On 06.02.2017 17:24, Fady Haikal wrote:
>>
>> Plz can i get some help here?
>> This issue is still occurring and it's filling the log file in the
>> Production server
>>
>> Regards,
>> Fady
>
>
> Hi.
> If you want quick answers, you should provide more information.
> What is the host OS ?
> What is the Tomcat version ?
> Is this problem new ? was this working before ? how long ?
>
> I do not know tribes at all, but according to the logfile below, it seems
> that something is trying to "ping" the address 10.114.43.103, port 4000, and
> never getting a response (or at least not within 3000ms).
> Is there actually something listening on that address/port ?
> The "netstat" command (available both on Linux and Windows) can tell you.
> If there is something listening there, can it respond to whatever is
> ping-ing it ?
> (routing, firewall, ..)
>
>>
>> On Mon, Feb 6, 2017 at 8:52 AM, Fady Haikal  wrote:
>>>
>>> Guys, we are facing the below errors in Tomcat cluster, please advise
>>>
>>>
>>> 06-Feb-2017 01:14:20.718 SEVERE [GroupChannel-Heartbeat-1]
>>> org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat
>>> Unable to send AbstractReplicatedMap.ping message
>>>   org.apache.catalina.tribes.ChannelException: Operation has timed
>>> out(3000 ms.).; Faulty members:tcp://{10, 114, 43, 103}:4000;
>>> at
>>> org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(ParallelNioSender.java:108)
>>> at
>>> org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessage(PooledParallelSender.java:48)
>>> at
>>> org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage(ReplicationTransmitter.java:54)
>>> at
>>> org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelCoordinator.java:82)
>>> at
>>> org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76)
>>> at
>>> org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor.sendMessage(MessageDispatchInterceptor.java:81)
>>> at
>>> org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76)
>>> at
>>> org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.sendMessage(TcpFailureDetector.java:93)
>>> at
>>> org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76)
>>> at
>>> org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:233)
>>> at
>>> org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:186)
>>> at org.apache.catalina.tribes.group.RpcChannel.send(RpcChannel.java:99)
>>> at
>>> org.apache.catalina.tribes.tipis.AbstractReplicatedMap.ping(AbstractReplicatedMap.java:267)
>>> at
>>> org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat(AbstractReplicatedMap.java:885)
>>> at
>>> org.apache.catalina.tribes.group.GroupChannel.heartbeat(GroupChannel.java:161)
>>> at
>>> org.apache.catalina.tribes.group.GroupChannel$HeartbeatThread.run(GroupChannel.java:697)
>>>
>>>
>>> 06-Feb-2017 01:20:51.437 SEVERE [NioReceiver]
>>> org.apache.catalina.tribes.transport.nio.NioReceiver.listen Unable to
>>> process request in NioReceiver
>>>   java.io.IOException: A non-blocking socket operation could not be
>>> completed immediately
>>> at sun.nio.ch.SocketDispatcher.close0(Native Method)
>>> at sun.nio.ch.SocketDispatcher.close(Unknown Source)
>>> at sun.nio.ch.SocketChannelImpl.kill(Unknown Source)
>>> at sun.nio.ch.WindowsSelectorImpl.implDereg(Unknown Source)
>>> at sun.nio.ch.SelectorImpl.processDeregisterQueue(Unknown Source)
>>> at sun.nio.ch.WindowsSelectorImpl.doSelect(Unknown Source)
>>> at sun.nio.ch.SelectorImpl.lockAndDoSelect(Unknown Source)
>>> at sun.nio.ch.SelectorImpl.select(Unknown Source)
>>> at
>>> org.apache.catalina.tribes.transport.nio.NioReceiver.listen(NioReceiver.java:272)
>>> at
>>> org.apache.catalina.tribes.transport.nio.NioReceiver.run(NioReceiver.java:425)
>>> at java.lang.Thread.run(Unknown Source)
>>>
>>> Regards,
>>> Fady
>>
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: 

Re: Operation has timed out

[tomcat]

On 06.02.2017 17:24, Fady Haikal wrote:

Plz can i get some help here?
This issue is still occurring and it's filling the log file in the
Production server

Regards,
Fady


Hi.
If you want quick answers, you should provide more information.
What is the host OS ?
What is the Tomcat version ?
Is this problem new ? was this working before ? how long ?

I do not know tribes at all, but according to the logfile below, it seems that something 
is trying to "ping" the address 10.114.43.103, port 4000, and never getting a response (or 
at least not within 3000ms).

Is there actually something listening on that address/port ?
The "netstat" command (available both on Linux and Windows) can tell you.
If there is something listening there, can it respond to whatever is ping-ing 
it ?
(routing, firewall, ..)



On Mon, Feb 6, 2017 at 8:52 AM, Fady Haikal  wrote:

Guys, we are facing the below errors in Tomcat cluster, please advise


06-Feb-2017 01:14:20.718 SEVERE [GroupChannel-Heartbeat-1]
org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat
Unable to send AbstractReplicatedMap.ping message
  org.apache.catalina.tribes.ChannelException: Operation has timed
out(3000 ms.).; Faulty members:tcp://{10, 114, 43, 103}:4000;
at 
org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(ParallelNioSender.java:108)
at 
org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessage(PooledParallelSender.java:48)
at 
org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage(ReplicationTransmitter.java:54)
at 
org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelCoordinator.java:82)
at 
org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76)
at 
org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor.sendMessage(MessageDispatchInterceptor.java:81)
at 
org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76)
at 
org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.sendMessage(TcpFailureDetector.java:93)
at 
org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76)
at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:233)
at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:186)
at org.apache.catalina.tribes.group.RpcChannel.send(RpcChannel.java:99)
at 
org.apache.catalina.tribes.tipis.AbstractReplicatedMap.ping(AbstractReplicatedMap.java:267)
at 
org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat(AbstractReplicatedMap.java:885)
at 
org.apache.catalina.tribes.group.GroupChannel.heartbeat(GroupChannel.java:161)
at 
org.apache.catalina.tribes.group.GroupChannel$HeartbeatThread.run(GroupChannel.java:697)


06-Feb-2017 01:20:51.437 SEVERE [NioReceiver]
org.apache.catalina.tribes.transport.nio.NioReceiver.listen Unable to
process request in NioReceiver
  java.io.IOException: A non-blocking socket operation could not be
completed immediately
at sun.nio.ch.SocketDispatcher.close0(Native Method)
at sun.nio.ch.SocketDispatcher.close(Unknown Source)
at sun.nio.ch.SocketChannelImpl.kill(Unknown Source)
at sun.nio.ch.WindowsSelectorImpl.implDereg(Unknown Source)
at sun.nio.ch.SelectorImpl.processDeregisterQueue(Unknown Source)
at sun.nio.ch.WindowsSelectorImpl.doSelect(Unknown Source)
at sun.nio.ch.SelectorImpl.lockAndDoSelect(Unknown Source)
at sun.nio.ch.SelectorImpl.select(Unknown Source)
at 
org.apache.catalina.tribes.transport.nio.NioReceiver.listen(NioReceiver.java:272)
at 
org.apache.catalina.tribes.transport.nio.NioReceiver.run(NioReceiver.java:425)
at java.lang.Thread.run(Unknown Source)

Regards,
Fady


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Operation has timed out

[Fady Haikal]

Plz can i get some help here?
This issue is still occurring and it's filling the log file in the
Production server

Regards,
Fady

On Mon, Feb 6, 2017 at 8:52 AM, Fady Haikal  wrote:
> Guys, we are facing the below errors in Tomcat cluster, please advise
>
>
> 06-Feb-2017 01:14:20.718 SEVERE [GroupChannel-Heartbeat-1]
> org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat
> Unable to send AbstractReplicatedMap.ping message
>  org.apache.catalina.tribes.ChannelException: Operation has timed
> out(3000 ms.).; Faulty members:tcp://{10, 114, 43, 103}:4000;
> at 
> org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(ParallelNioSender.java:108)
> at 
> org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessage(PooledParallelSender.java:48)
> at 
> org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage(ReplicationTransmitter.java:54)
> at 
> org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelCoordinator.java:82)
> at 
> org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76)
> at 
> org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor.sendMessage(MessageDispatchInterceptor.java:81)
> at 
> org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76)
> at 
> org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.sendMessage(TcpFailureDetector.java:93)
> at 
> org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:76)
> at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:233)
> at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:186)
> at org.apache.catalina.tribes.group.RpcChannel.send(RpcChannel.java:99)
> at 
> org.apache.catalina.tribes.tipis.AbstractReplicatedMap.ping(AbstractReplicatedMap.java:267)
> at 
> org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat(AbstractReplicatedMap.java:885)
> at 
> org.apache.catalina.tribes.group.GroupChannel.heartbeat(GroupChannel.java:161)
> at 
> org.apache.catalina.tribes.group.GroupChannel$HeartbeatThread.run(GroupChannel.java:697)
>
>
> 06-Feb-2017 01:20:51.437 SEVERE [NioReceiver]
> org.apache.catalina.tribes.transport.nio.NioReceiver.listen Unable to
> process request in NioReceiver
>  java.io.IOException: A non-blocking socket operation could not be
> completed immediately
> at sun.nio.ch.SocketDispatcher.close0(Native Method)
> at sun.nio.ch.SocketDispatcher.close(Unknown Source)
> at sun.nio.ch.SocketChannelImpl.kill(Unknown Source)
> at sun.nio.ch.WindowsSelectorImpl.implDereg(Unknown Source)
> at sun.nio.ch.SelectorImpl.processDeregisterQueue(Unknown Source)
> at sun.nio.ch.WindowsSelectorImpl.doSelect(Unknown Source)
> at sun.nio.ch.SelectorImpl.lockAndDoSelect(Unknown Source)
> at sun.nio.ch.SelectorImpl.select(Unknown Source)
> at 
> org.apache.catalina.tribes.transport.nio.NioReceiver.listen(NioReceiver.java:272)
> at 
> org.apache.catalina.tribes.transport.nio.NioReceiver.run(NioReceiver.java:425)
> at java.lang.Thread.run(Unknown Source)
>
> Regards,
> Fady

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: TomcatCon @ ApacheCon

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Coty,

On 2/6/17 8:36 AM, Coty Sutherland wrote:
> OK, I submitted a proposal for the linux packaging talk here 
> http://events.linuxfoundation.org/cfp/proposals/14925/13455 . I
> can't update the Confluence page though.

I've updated the page.

Thanks,
- -chris

> On Fri, Feb 3, 2017 at 2:31 PM, Coty Sutherland
>  wrote:
>> Hi Emmanuel,
>> 
>>> If you already have a draft of your presentation you can send
>>> it to me and I'll insert a few slides about Debian.
>> 
>> I haven't even started yet :( I need to block out some time to
>> submit the abstract and start the presentation soon. If you can
>> just give me a few slides on the basic layout of the debian
>> distro I can add them to the presentation I create and then send
>> it to you to review. If you'd rather add to my presentation
>> yourself, I'll just send it over when I start working on it and
>> we can go from there.
>> 
>> On Fri, Feb 3, 2017 at 9:44 AM, Emmanuel Bourg
>>  wrote:
>>> Le 1/02/2017 à 20:20, Coty Sutherland a écrit :
 I'm still planning to submit for the linux packaging talk
 (though I haven't heard anything else form the other distro
 maintainers), just haven't done it yet. I suppose I could
 volunteer for one of the others, I'll check the list.
>>> 
>>> Hi Coty,
>>> 
>>> If you already have a draft of your presentation you can send
>>> it to me and I'll insert a few slides about Debian.
>>> 
>>> Emmanuel Bourg
>>> 
>>> 
>>> 
- -
>>>
>>> 
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>> 
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYmIwjAAoJEBzwKT+lPKRYhm8QAMOf04st28AWTzh7mXGZE5SV
7q9qXCU7JdhdIi/BGAhYBby/STdSuEDKmW1C0k8dTsS+R/hfMq+jfnrFJHtLvAvr
SlkVj2bROJiU+hHu3rSjKTcrl+npBE6lukA3gYF9xU9OM3TiDhNL0eEadABAKJJY
g1XKb1qU470JdOkY52dZNLgITg0JLSGmDmLm+cPZ9ix/dvDoxC2xBFZT7HpRtn0o
ZGw2NMqJAR8eZIlNeTR0zd+sgogUoDCUW1+Swa6uD+3brpK6eFRLTvPOY+L9sklp
jkqocXwP5/YDqqQlX/COTz4epXu/ZF3PfUqgaVtNlBThJ7tpE6NYtHy8+PgRMXfO
ewo4mPQzzqnm3dhz3cRBVua9glFPPmCRGQsB2QYvQyhgmwC4QYkxItmXL+1cN4Z3
+s8FvarrWtvFu9h56T7MSc+N29vLLNp5UvRx4djPP7xGvLPFxM7GvqFd6A2wz/9D
Kp7r/4UEFVzZYnDxdFduzT4KcswILsJru2rvYUAAJcyHlSdy0/cEGcofRJeZPORf
2uB7nre48GyZMpqvvt6OkTodiqj8Q+E05W3Ba2P5duhMEnWukItjR95T3x9y03FX
ksZcbOQL9Bqgj3rNBDbTYFNnnnZHp2MiaCOErjlMyvhXN4SrUEmMXcGWisuetgSa
OUN3Q1JwHzD2iSNPYXMP
=mxOR
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat 8.5 HTTP/2 connector not supporting GZIP compression

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Konstantin,

On 2/4/17 2:43 PM, Konstantin Kolinko wrote:
> 2017-02-04 18:55 GMT+03:00 Patrizio Munzi
> :
>> It looks like tomcat 8.5 HTTP/2 protocol does not support GZIP
>> compression. Can anyone confirm or give advise on how to enable
>> it?
>> 
>> The following does not work:
>> 
>> > port="8443" connectionTimeout="2" executor="main"
>> SSLEnabled="true" scheme="https" secure="true"
>> URIEncoding="UTF-8" maxHttpHeaderSize="10240" compression="force"
>> SSLCertificateKeyFile="${tomcat.conf.dir}/key.pem"
>> SSLCertificateFile="${tomcat.conf.dir}/cert.pem"
>> SSLPassword="changeit"> > className="org.apache.coyote.http2.Http2Protocol" />
>> 
> 
> When you ask about compression of dynamic content, I think that
> you should read about the following well-known issues first,
> especially the latter one:
> 
> https://en.wikipedia.org/wiki/CRIME_(security_exploit) 
> https://en.wikipedia.org/wiki/BREACH_(security_exploit)

It's BREACH that's worse. CRIME seems to be focused on using
known-plaintext to pick-away at the TLS encryption wrapper. While also
a known-plaintext attack, BREACH uses HTTP compression (where the
headers are not compressed before being encrypted for transfer) and
the compressed content is buried more deeply and is thus (slightly)
more difficult to pull off an attack.

There are also some mitigations, the first of which is to ensure that
your application doesn't have any XSS vulnerabilities (which is
usually a big job). The second is to play games with enabling
compression only under certain circumstances, but I suspect those
circumstances are quite difficult to truly get right, and their
validity will diminish over time.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYmItEAAoJEBzwKT+lPKRYwq4P/jl57G3sUQDPNE3z3/61mf+r
WCdh8+nUmDxfdjuBrV9eJj/7rvM7wElOudT+XvtQ2oNRSO2aPUVkcLuqkDHwg5H5
XCxVqCoj+kLZFxv12WtCWaDpMc54sXDsLF0Mg0jVbnQmuFjA+G0/YCfC7Il4n4nc
VoYG69t9rkduDksDc/KDid9qb2WT/fxYXP3XmuVwIjT52QRpaqO+e9UqZBx/nPnR
zWqr1IcNJYwMZXI/5LHK9WeItlDGhVK47ziXDQ4JNAk2WistMn6k8kZEVogS63VI
8DxrAN3Ob1u5Z3/1ttEUqH8KdAFvHWNn/2S2zB2hKOfhj0PURd1sxZDjORAwVtXR
LjdKsaD/LYQ6Oej58bG+33GT6uGcq6iPXZzOqX186N5kR+D4GK515TKO98GA49Me
QClN7YU6iys+Ymf4xSva8/gNdIRYGSuK5hwhqACThGiKB0kc0pgNfeZq7N/OO5Eh
jsEIkkjy3kAEhFvBikwwUiMgMCEbbsPxmpnEnkBrID6Or94TInKHeZkHEny/ILQu
2TnMiChNnR2W0sJlPOokEyIwKepxNO5Ue4Wt9lqqoDGvKTqK3K+aZSZJqyPYATEv
Tfibkf27qTVT2vvy29B/BUyFomSIk4WfNA/fZrzyw3zatrLddla+5n3yhxK990QL
xIJtAtI8pbeeKwCJEKTU
=gP7O
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Apache Tomcat 7.0.59 - Even if a ws certificate stored in the WSkeystore expires, any webclient request is still accepted by server and not refused

[Mark Thomas]

On 06/02/17 13:49, Francesco Leone wrote:

Dear Sirs, To communicate you a behaviour with Apache Tomcat 7.0.59

Apache Tomcat 7.0.59 is running with: - RHEL6.6 - java jdk 1.8.0.74 -
OpenSSL 1.0.2g

We have a client - server communication. The Client certificate is
produced via keytool  and we have same problem highlighted here

http://stackoverflow.com/questions/33688020/configuring-apache-tomcat-7-0-to-reject-connections-with-expired-client-certific

 and

http://stackoverflow.com/questions/5206859/java-trustmanager-behavior-on-expired-certificates



What we got reading all flow, is that to solve our problem we should
implement a new X509TrustManager which creates our original instance
in its constructor, implements all methods as calls to the original
instance, and adds a call to checkValidity for each certificate in
certs[] inside checkServerTrusted.

Did we get well ? If yes, it sounds to us as a hole in the security
and so a bug in Tomcat, is there any chance to have this behaviour
(refuse connection at expired certificates) as standard in later
Apache tomcat 7.0.x release ? Any of this community can support us ?


This is not a Tomcat bug.

If you tell Java to trust a certificate, it will do so and ignore the 
validity period.


I've looked into this in the past and short of implementing your own 
X509TrustManager I haven't yet found an API Tomcat could use to add an 
additional check on the trusted cert's validity.


A better general solution is to trust the CA(s) issuing the client 
certificates rather than the client certificates. Then, because the 
client cert is not in the trust store, Java checks it more thoroughly - 
including the validity dates.


It is also worth looking at using an OpenSSL based TLS connector. From 
what I recall of my previous testing OpenSSL did check the validity 
dates of trusted certs.


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Apache Tomcat 7.0.59 - Even if a ws certificate stored in the WSkeystore expires, any webclient request is still accepted by server and not refused

[Francesco Leone]

Dear Sirs,
To communicate you a behaviour with Apache Tomcat 7.0.59

Apache Tomcat 7.0.59 is running with:
- RHEL6.6
- java jdk 1.8.0.74
- OpenSSL 1.0.2g

We have a client - server communication. The Client certificate is produced via 
keytool  and we have same problem highlighted here

http://stackoverflow.com/questions/33688020/configuring-apache-tomcat-7-0-to-reject-connections-with-expired-client-certific

and

http://stackoverflow.com/questions/5206859/java-trustmanager-behavior-on-expired-certificates


What we got reading all flow, is that to solve our problem we should implement 
a new X509TrustManager which creates our original instance in its constructor, 
implements all methods as calls to the original instance, and adds a call to 
checkValidity for each certificate in certs[] inside checkServerTrusted.

Did we get well ? If yes, it sounds to us as a hole in the security and so a 
bug in Tomcat, is there any chance to have this behaviour (refuse connection at 
expired certificates) as standard in later Apache tomcat 7.0.x release ?
Any of this community can support us ?

Best Regards
Francesco


FRANCESCO LEONE Eng.
Ericsson
francesco.le...@ericsson.com
www.ericsson.com




Legal entity: TEI, registered office in Pagani. This Communication is 
Confidential. We only send and receive email on the basis of the terms set out 
at www.ericsson.com/email_disclaimer


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Apache Tomcat 7.0.59 - Even if a ws certificate stored in the WSkeystore expires, any webclient request is still accepted by server and not refused

[Francesco Leone]

Dear Sirs,
To communicate you a behaviour with Apache Tomcat 7.0.59

Apache Tomcat 7.0.59 is running with:
- RHEL6.6 
- java jdk 1.8.0.74
- OpenSSL 1.0.2g

We have a client - server communication. The Client certificate is produced via 
keytool  and we have same problem highlighted here

http://stackoverflow.com/questions/33688020/configuring-apache-tomcat-7-0-to-reject-connections-with-expired-client-certific

and

http://stackoverflow.com/questions/5206859/java-trustmanager-behavior-on-expired-certificates


What we got reading all flow, is that to solve our problem we should implement 
a new X509TrustManager which creates our original instance in its constructor, 
implements all methods as calls to the original instance, and adds a call to 
checkValidity for each certificate in certs[] inside checkServerTrusted.

Did we get well ? If yes, it sounds to us as a hole in the security and so a 
bug in Tomcat, is there any chance to have this behaviour (refuse connection at 
expired certificates) as standard in later Apache tomcat 7.0.x release ?
Any of this community can support us ?

Best Regards
Francesco


FRANCESCO LEONE Eng. 
Ericsson
francesco.le...@ericsson.com
www.ericsson.com 




Legal entity: TEI, registered office in Pagani. This Communication is 
Confidential. We only send and receive email on the basis of the terms set out 
at www.ericsson.com/email_disclaimer 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: TomcatCon @ ApacheCon

[Coty Sutherland]

OK, I submitted a proposal for the linux packaging talk here
http://events.linuxfoundation.org/cfp/proposals/14925/13455 . I can't
update the Confluence page though.

On Fri, Feb 3, 2017 at 2:31 PM, Coty Sutherland  wrote:
> Hi Emmanuel,
>
>> If you already have a draft of your presentation you can send it to me
>> and I'll insert a few slides about Debian.
>
> I haven't even started yet :( I need to block out some time to submit
> the abstract and start the presentation soon. If you can just give me
> a few slides on the basic layout of the debian distro I can add them
> to the presentation I create and then send it to you to review. If
> you'd rather add to my presentation yourself, I'll just send it over
> when I start working on it and we can go from there.
>
> On Fri, Feb 3, 2017 at 9:44 AM, Emmanuel Bourg  wrote:
>> Le 1/02/2017 à 20:20, Coty Sutherland a écrit :
>>> I'm still planning to submit for the linux packaging talk (though I
>>> haven't heard anything else form the other distro maintainers), just
>>> haven't done it yet. I suppose I could volunteer for one of the
>>> others, I'll check the list.
>>
>> Hi Coty,
>>
>> If you already have a draft of your presentation you can send it to me
>> and I'll insert a few slides about Debian.
>>
>> Emmanuel Bourg
>>
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org