Re: Tomcat 7 cannot get ciphers with SHA256 or SHA384
> Documentation aside, none of these cipher-suites are supported in Oracle Java 7.

The AES_CBC ciphers I had there are supported in Java 7. I have already concluded as much regarding the AES_x_GCM. Using Java 8 one has access to these higher GCM ciphers, but only very few obscure browsers support them. Therefore neither AES_256_GCM nor SHA384 can be used yet.

Also, because of the JSSE cipher ordering it will always choose AES_x_CBC over AES_x_GCM if both are in the Connector cipher list. See table "Default Enabled Cipher Suites":
http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider

Same ordering you get from getDefaultCipherSuites():

    import javax.net.ssl.SSLServerSocketFactory;

    SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
    String[] cipherSuites = factory.getDefaultCipherSuites();
    for (String cipher : cipherSuites) {
        if ((cipher.startsWith("TLS_ECDHE") || cipher.startsWith("TLS_DHE"))
                && !cipher.contains("ECDSA") // Need Elliptic Curve certificates for this
                && !cipher.contains("RC4")
                && !cipher.contains("DES")
                && !cipher.contains("DSS")
                && !cipher.contains("NULL")) {
            System.out.println(cipher);
        }
    }

    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

From one of my previous posts, where I listed the available ciphers that Chromium supports, only these can be used:

    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

But Tomcat will never choose a GCM cipher because they are last in the list.
2014-05-26 3:34 GMT+02:00 Tim Whittington <t...@apache.org>:

On 21/05/2014, at 10:21 pm, Sverre Moe <sverre@gmail.com> wrote:

> <snip>
> ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256" />

Documentation aside, none of these cipher-suites are supported in Oracle Java 7.

Oracle Java 7 has no GCM support (AIX does I think, but from memory the cipher suite names are different), and some of the cipher-suites don't exist (see below). GCM was originally targeted for JDK 7 (which is why the cipher suite names and AEAD APIs in the JCE are there), but the implementation didn't show up until JDK 8.

> I have tried running Tomcat with Java 7 and Java 8. Both of these should support CBC_SHA256 and CBC_SHA384, but only Java 8 supports GCM_SHA384. I have downloaded the Java cryptographic extensions policy files for both Java 7 and Java 8.
>
> The only way I get a connection is when I add the following ciphers:
>
>     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
>     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>
> According to the specification all these ciphers are correct names:
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites

This is not true for TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265 or TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256 in Java 7 or 8 (only SHA/SHA384 or AES_128 variants of these are listed in the docs and reported by the JRE). i.e. for whatever reason, SHA384 and SHA are coupled with AES_256, and SHA256 and SHA are coupled with AES_128.

The email trail Christopher linked should help you discover what's available on the system you're running on.

cheers
tim

For the record, these are the ECDHE cipher suites supported in Oracle Java 7, excluding those that use SHA(1):

    Cipher                                    Kx     Au     Enc  Mode  Key  Str    Mac     Size  Unsafe
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   ECDHE  ECDSA  AES  CBC   256  (256)  SHA384  384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384     ECDHE  RSA    AES  CBC   256  (256)  SHA384  384
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   ECDHE  ECDSA  AES  CBC   128  (128)  SHA256  256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256     ECDHE  RSA    AES  CBC   128  (128)  SHA256  256

Oracle Java 8 adds the following ECDHE + GCM cipher suites (again not including SHA(1)) to the list above:

    Cipher                                    Kx     Au     Enc  Mode  Key  Str    Mac     Size  Unsafe
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384   ECDHE  ECDSA  AES  GCM   256  (256)  SHA384  384
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   ECDHE  ECDSA  AES  GCM   128  (128)  SHA256  256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     ECDHE  RSA    AES  GCM   256  (256)  SHA384  384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     ECDHE  RSA
Re: realm, access to Request object
Hello.

> Mark,
>
> On 5/20/14, 4:28 AM, Mark Thomas wrote:
>> On 20/05/2014 09:11, Jan Vávra wrote:
>>> Hello. I am writing my own realm implementation for Tomcat 7.x. In the method Principal authenticate(X509Certificate[] certs) I'd like to read request headers. My authentication would be based on client certificate + custom http request value. Is it possible?
>>
>> In Tomcat, the Authenticator is responsible for gathering the credentials. This often requires interaction with the Request and related objects. The Realm is responsible for validating credentials. Therefore the Realm does not need access to the Request and related objects.
>
> This is something that securityfilter supports using a sub-interface of the Realm (analog) interface that has the ability to access the request directly. It's a bad architecture, but very useful for doing things such as recording login failures and their source IP addresses, etc.
>
> Is there some way that additional information (e.g. source IP address) could be provided to the Realm for things such as this? It's one of the reasons we still use sf instead of Tomcat's built-in realms. (Another is the lack of decent password-checking algorithms, but I'm working on that: https://issues.apache.org/bugzilla/show_bug.cgi?id=56403).

Well, I looked at Chris's SecurityFilter and I'll go the same way. I'll get rid of the realm and write my own simple security filter. We also plan to support OAuth 2.0 authentication, where the auth. header is transferred in the form "Authorization: Bearer x". And in other cases I need to combine client-cert auth with basic auth. In the other project we're also behind an authentication system that sends my Tomcat an X-Authorized-As header. So I have many reasons to access the Request object, and writing the filter seems to me the only way to authenticate web service methods (server side).

Jan.

> Thanks,
> -chris
Re: How to monitor performance of tomcat
Hi,

I increased the Heap/PermGen memory as per the trail mail, but the performance seemed to deteriorate. On the day I increased the memory in the morning, the system hung 3 times in the day, whereas the maximum number of times it had hung before was 2 times in a day. When it hung again the next day, I changed the Heap/PermGen memory settings back and reverted to the old memory values.

The catalina.out showed entries like the ones below when I monitored it twice after the system hung with the new memory values:

    [ 22-May-2014 03:15:40 ] [ TRACE ] [http-30080-56] [ CHECK SESSION ] : Inside doInit Method
    May 22, 2014 3:16:14 PM org.zkoss.zk.ui.impl.UiEngineImpl handleError:1351
    SEVERE: org.zkoss.zk.ui.UiException: org.jboss.remoting.InvocationFailureException: Socket timed out. Waited 30 milliseconds for response while calling on InvokerLocator [socket://bssossapp01.snl.com:4173/?invokerDestructionDelay=5000&timeout=30]; nested exception is:
        java.net.SocketTimeoutException: Read timed out
    org.jboss.remoting.InvocationFailureException: Socket timed out. Waited 30 milliseconds for response while calling on InvokerLocator [socket://bssossapp01.snl.com:4173/?invokerDestructionDelay=5000&timeout=30]; nested exception is:
        java.net.SocketTimeoutException: Read timed out
    java.net.SocketTimeoutException: Read timed out
        at java.net.SocketInputStream.socketRead0(Native Method)

I would be eager to respond in case of any clarification. Requesting a reply to resolve this, as the attempt to resolve it by increasing Heap/PermGen memory has failed. I have worked on this issue a lot and have been trying to interact with the experts on the forum.

Regards

On Wed, May 21, 2014 at 6:01 PM, Randhir Singh <randhir.si...@sterlite.com> wrote:

> Hi,
>
> There is a correction, as the JAVA_OPTS variable is defined in catalina.sh under $CATALINA_HOME/bin and we use $CATALINA_HOME/bin/startup.sh to start Tomcat.
>
> $CATALINA_HOME/bin/startup.sh has code like the below:
>
>     PRGDIR=`dirname "$PRG"`
>     EXECUTABLE=catalina.sh
>
>     # Check that target executable exists
>     if $os400; then
>       # -x will Only work on the os400 if the files are:
>       # 1. owned by the user
>       # 2. owned by the PRIMARY group of the user
>       # this will not work if the user belongs in secondary groups
>       eval
>     else
>       if [ ! -x "$PRGDIR"/"$EXECUTABLE" ]; then
>         echo "Cannot find $PRGDIR/$EXECUTABLE"
>         echo "The file is absent or does not have execute permission"
>         echo "This file is needed to run this program"
>         exit 1
>       fi
>     fi
>
> I had changed catalina.sh in our development environment about a week back and want to implement it in the production environment, but I got this doubt. I feel catalina.sh is invoked by startup.sh but am not sure. I have already taken downtime for production tomorrow, but I got this doubt whether changing
>
>     JAVA_OPTS="$JAVA_OPTS -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Dcwom.bl.ip=127.0.0.1 -Dcwom.bl.port=1399"
>
> to
>
>     JAVA_OPTS="$JAVA_OPTS -Xms2048m -Xmx2048m -XX:MaxPermSize=512m -Dcwom.bl.ip=127.0.0.1 -Dcwom.bl.port=1399"
>
> in catalina.sh would have the effect of increasing the Heap/PermGen memory in Tomcat. I hope my query is clear, as I am quite anxious since I have a downtime scheduled tomorrow. Requesting a reply on priority.
>
> randhir.si...@sterlite.com wrote:
>> Thanks a lot for your detailed reply.
>>
>> The JAVA_OPTS variable in $CATALINA_HOME/bin/startup.sh has the value:
>>
>>     JAVA_OPTS="$JAVA_OPTS -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Dcwom.bl.ip=127.0.0.1 -Dcwom.bl.port=1399"
>>
>> I checked for free space on the VM instance (Red Hat Linux as the OS) on which the Tomcat is hosted, with a total memory of 19 GB, and found that there is around 8 GB free on the server.
>>
>> As per your inputs, I am planning to increase the memory allocation for Heap size and PermGen size to almost double, as below:
>>
>>     JAVA_OPTS="$JAVA_OPTS -Xms2048m -Xmx2048m -XX:MaxPermSize=512m -Dcwom.bl.ip=127.0.0.1 -Dcwom.bl.port=1399"
>>
>> I hope this should avoid the hang-up issues where Tomcat does not seem to respond. I plan to implement this in the UAT environment at first and see how it goes.
>>
>> Regards
>>
>> -----Original Message-----
>> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
>> Sent: Monday, April 28, 2014 7:39 PM
>> To:
RE: Tomcat is down or refused connection
Thanks for the information. Sorry, I missed adding important information. I can see the below message for only 1 or 2 seconds, and it recovered automatically.

    [Tue May 20 06:48:43 2014] [57070:140373099702016] [error] ajp_get_reply::jk_ajp_common.c (2126): (worker1) Tomcat is down or refused connection. No response has been sent to the client (yet)
    [Tue May 20 06:48:43 2014] [56884:140373020112640] [error] ajp_service::jk_ajp_common.c (2643): (worker1) connecting to tomcat failed.

Let me know if you need any other information.

With Regards,
Akshay

From: ext Mark Eggers [its_toas...@yahoo.com]
Sent: Saturday, May 24, 2014 6:22 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat is down or refused connection

> On 5/23/2014 5:34 PM, Terence M. Bandoian wrote:
>> On 5/23/2014 1:22 AM, Ballarpure, Akshay (EXT-Tata Consultancy Ser - IN/Hyderabad) wrote:
>>> Hello,
>>>
>>> Soap request is failing with the below message in our application.
>>>
>>>     2014/05/20 06:48:43 [ERROR] (browse_csl) failed to reach startSearch service, soapRC 502
>>>     2014/05/20 06:48:43 [ERROR] (soap)Error 502 fault: SOAP-ENV:Server [no subcode]
>>>
>>> I am seeing the below messages in Apache's Mod JK log file.
>>>
>>>     [Tue May 20 06:48:43 2014] [57070:140373099702016] [error] ajp_get_reply::jk_ajp_common.c (2126): (worker1) Tomcat is down or refused connection. No response has been sent to the client (yet)
>>>     [Tue May 20 06:48:43 2014] [56884:140373020112640] [error] ajp_service::jk_ajp_common.c (2643): (worker1) connecting to tomcat failed.
>>>
>>> Could you please check and let me know the reason for the above?
>>>
>>> Thanks,
>>> Akshay
>>
>> Sounds like Tomcat is down.
>>
>> -Terence Bandoian
>
> Sounds like your application is broken, or Tomcat is down, or someone unplugged a network cable, or someone changed firewall rules, or . . .
>
> Seriously, you have given us no information. And by no, I mean all of this is missing:
>
> 1. architecture
>    a. Apache HTTPD (I'm guessing yes)
>    b. mod_jk versus mod_proxy_ajp
>    c. intervening firewalls
>    d. number of Tomcats being supported
>    e. load balancing or not
>    f. using Tomcat native or not
> 2. versions - of anything
>    a. Apache HTTPD (or whatever else you're using here)
>    b. Tomcat version - exact, please
>    c. Java version - exact, please
>    d. OS and version - exact please
> 3. Tomcat settings - primarily JVM settings
> 4. Configurations
>    a. server.xml
>    b. workers.properties - if that's what you're using
>    c. Apache HTTPD configuration - if that's what you're using
> 5. Log files - more than what you've provided
>    a. catalina logs (Tomcat logs around the time of the event)
>    b. application logs (around the time of the event)
> 6. What is this application supposed to be doing??
>
> There is more, but this is a good start.
>
> A 502 normally means that servers can't talk to each other. This could mean that Tomcat is down, it could mean that an intervening firewall has dropped connections, it could mean many, many things. Don't know without lots more information.
>
> . . . . it's Friday, welcome to more than my 2 cents
> /mde/
Re: Tomcat 7 cannot get ciphers with SHA256 or SHA384
On 26/05/2014, at 6:58 pm, Sverre Moe <sverre@gmail.com> wrote:

>> Documentation aside, none of these cipher-suites are supported in Oracle Java 7.
>
> The AES_CBC ciphers I had there are supported in Java 7. I have already concluded as much regarding the AES_x_GCM. Using Java 8 one has access to these higher GCM ciphers, but only very few obscure browsers support them. Therefore neither AES_256_GCM nor SHA384 can be used yet.

Latest versions of Firefox and Chrome (and others I suspect) use GCM ciphers (gmail seems to prefer them for example).

> Also, because of the JSSE cipher ordering it will always choose AES_x_CBC over AES_x_GCM if both are in the Connector cipher list. See table "Default Enabled Cipher Suites":
> http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
> Same ordering you get from getDefaultCipherSuites();

You don't have to accept the default ciphers, or ordering. Check the docs for the HTTP connector to see how to configure this.

tim
Re: Tomcat 7 cannot get ciphers with SHA256 or SHA384
> Latest versions of Firefox and Chrome (and others I suspect) use GCM ciphers (gmail seems to prefer them for example).

Yes, but it only supports AES_128_GCM_SHA256. No Chromium support for AES_256_GCM_SHA384. Neither does it support SHA256/SHA384 for AES_X_CBC.

> You don't have to accept the default ciphers, or ordering. Check the docs for the HTTP connector to see how to configure this.

One can if one uses the APR Connector with OpenSSL and sets SSLHonorCipherOrder, but the JSSE Connector does not have such a parameter. I realize I didn't specify that in my original post, but I need to use JSSE since I am running SLES (which has an old version of OpenSSL).

2014-05-26 11:25 GMT+02:00 Tim Whittington <t...@apache.org>:
Re: How to monitor performance of tomcat
Randhir Singh wrote:
> Hi,
>
> I increased the Heap/PermGen memory as per the trail mail, but the performance seemed to deteriorate. On the day I increased the memory in the morning, the system hung 3 times in the day, whereas the maximum number of times it had hung before was 2 times in a day. When it hung again the next day, I changed the Heap/PermGen memory settings back and reverted to the old memory values.
>
> The catalina.out showed entries like the ones below when I monitored it twice after the system hung with the new memory values:
>
>     [ 22-May-2014 03:15:40 ] [ TRACE ] [http-30080-56] [ CHECK SESSION ] : Inside doInit Method
>     May 22, 2014 3:16:14 PM org.zkoss.zk.ui.impl.UiEngineImpl handleError:1351
>     SEVERE: org.zkoss.zk.ui.UiException: org.jboss.remoting.InvocationFailureException: Socket timed out. Waited 30 milliseconds for response while calling on InvokerLocator [socket://bssossapp01.snl.com:4173/?invokerDestructionDelay=5000&timeout=30]; nested exception is:
>         java.net.SocketTimeoutException: Read timed out
>     org.jboss.remoting.InvocationFailureException: Socket timed out. Waited 30 milliseconds for response while calling on InvokerLocator [socket://bssossapp01.snl.com:4173/?invokerDestructionDelay=5000&timeout=30]; nested exception is:
>         java.net.SocketTimeoutException: Read timed out
>     java.net.SocketTimeoutException: Read timed out
>         at java.net.SocketInputStream.socketRead0(Native Method)
>
> I would be eager to respond in case of any clarification. Requesting a reply to resolve this, as the attempt to resolve it by increasing Heap/PermGen memory has failed. I have worked on this issue a lot and have been trying to interact with the experts on the forum.
>
> Regards

Hi.

I am jumping in here in the middle, and have not followed the previous correspondence. (Which is hard anyway, considering that you keep on top-posting.) (And I do not know JBoss at all, so maybe I am misinterpreting all of this.)

But if I go by what you are mentioning above, and despite the apparent subject, it looks to me as follows:

- the application (not part of any Tomcat code per se) is trying to connect to, and read from, some (for Tomcat) external server
- and that external service is not responding within the timeout set for this connection (300,000 ms = 5 minutes)
- thus you see the above exceptions happening

So it is a bit hard from there to figure out what the Tomcat Heap and PermGen sizes (or Tomcat performance, for that matter) have to do with this.

Intuitively, I would tend to think that if you give more memory to Tomcat to play with, then maybe it tries to handle more simultaneous requests, which cause more of these external connections to be opened, all of them ultimately failing because the external server does not respond.

Should you not look at what causes the external server to be slow to respond, first of all?
Re: Tomcat is down or refused connection
Please do not top post.

On 5/26/2014 2:15 AM, Ballarpure, Akshay (EXT-Tata Consultancy Ser - IN/Hyderabad) wrote:
> Thanks for the information. Sorry, I missed adding important information. I can see the below message for only 1 or 2 seconds, and it recovered automatically.
>
>     [Tue May 20 06:48:43 2014] [57070:140373099702016] [error] ajp_get_reply::jk_ajp_common.c (2126): (worker1) Tomcat is down or refused connection. No response has been sent to the client (yet)
>     [Tue May 20 06:48:43 2014] [56884:140373020112640] [error] ajp_service::jk_ajp_common.c (2643): (worker1) connecting to tomcat failed.
>
> Let me know if you need any other information.
>
> With Regards,
> Akshay

I gave you a long list of information that would help people on the list understand your system (by the way, we're all volunteers here, most with other jobs and duties). All of this information should be available for more than 1 or 2 seconds.

I also find it difficult to believe that the logging information is only available for 1 or 2 seconds. It is probably stored somewhere.

Fill out (answer) the 6 questions and their components. Without that, it's doubtful that even meaningful questions concerning what's going on can be asked.

. . . . just my two cents.
/mde/
Re: Tomcat 7 cannot get ciphers with SHA256 or SHA384
Tim,

On 5/25/14, 9:34 PM, Tim Whittington wrote:
> On 21/05/2014, at 10:21 pm, Sverre Moe <sverre@gmail.com> wrote:
>> <snip>
>> ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>>          TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265,
>>          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>>          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256" />
>
> Documentation aside, none of these cipher-suites are supported in Oracle Java 7.

If you run the code I referenced elsewhere in this thread, you'll see that some of the components are available, just not in the combinations you have above:

    $ java -showversion -classpath build/ SSLInfo | grep '\(256\|384\)'
    java version "1.7.0_55"
    Java(TM) SE Runtime Environment (build 1.7.0_55-b13)
    Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed mode)
    Supported SSL Protocols:
      TLSv1 (SunJSSE)
      TLSv1.1 (SunJSSE)
      TLSv1.2 (SunJSSE)
    Default  Cipher Name
       *     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
       *     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
             TLS_DH_anon_WITH_AES_128_CBC_SHA256
       *     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
       *     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
       *     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
       *     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
       *     TLS_RSA_WITH_AES_128_CBC_SHA256
             TLS_RSA_WITH_NULL_SHA256

So, you can get ECDHE_(ECDSA|RSA)_AES, but not with a 256-bit cipher. You can get a 128-bit cipher and a 256-bit hash, but not higher-bit hash functions.

> Oracle Java 7 has no GCM support (AIX does I think, but from memory the cipher suite names are different), and some of the cipher-suites don't exist (see below). GCM was originally targeted for JDK 7 (which is why the cipher suite names and AEAD APIs in the JCE are there), but the implementation didn't show up until JDK 8.

I find no ciphers with 384-bit hashes in Oracle Java 8, but there are 256-bit ones -- at least in the Mac OS X build:

    $ /Library/Java/JavaVirtualMachines/disabled/jdk1.8.0.jdk/Contents/Home/bin/java -showversion -classpath build/ SSLInfo | grep '\(256\|384\)'
    java version "1.8.0-ea"
    Java(TM) SE Runtime Environment (build 1.8.0-ea-b99)
    Java HotSpot(TM) 64-Bit Server VM (build 25.0-b41, mixed mode)
       *     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
       *     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
       *     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
       *     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
             TLS_DH_anon_WITH_AES_128_CBC_SHA256
             TLS_DH_anon_WITH_AES_128_GCM_SHA256
       *     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
       *     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
       *     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
       *     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
       *     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
       *     TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
       *     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
       *     TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
       *     TLS_RSA_WITH_AES_128_CBC_SHA256
       *     TLS_RSA_WITH_AES_128_GCM_SHA256
             TLS_RSA_WITH_NULL_SHA256

So as Tim says, Oracle Java 7 doesn't support this stuff. And neither does Java 8.

If you want higher-grade encryption (and you want it to run faster), consider switching to the OpenSSL-based APR connector: performance is one of the major reasons for using the APR connector, and it's a bit more efficient than the NIO connector and certainly better than the BIO connector.

-chris
Re: Tomcat 7 cannot get ciphers with SHA256 or SHA384
Sverre,

On 5/26/14, 5:42 AM, Sverre Moe wrote:
>> Latest versions of Firefox and Chrome (and others I suspect) use GCM ciphers (gmail seems to prefer them for example).
>
> Yes, but it only supports AES_128_GCM_SHA256. No Chromium support for AES_256_GCM_SHA384. Neither does it support SHA256/SHA384 for AES_X_CBC.
>
>> You don't have to accept the default ciphers, or ordering. Check the docs for the HTTP connector to see how to configure this.
>
> One can if one uses the APR Connector with OpenSSL and sets SSLHonorCipherOrder, but the JSSE Connector does not have such a parameter.

Right: JSSE doesn't support server-preferred cipher ordering, but the cipher order in Java 7 looks reasonable to me:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites

Unfortunately, explicitly setting the server's preferred cipher order requires the use of Java 8:
http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html
(See the final bullet point on that page.)

There's a bug to support this in Bugzilla:
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

Vote for the bug if you want it fixed. ;)

> I realize I didn't specify that in my original post, but I need to use JSSE since I am running SLES (which has an old version of OpenSSL).

How old? 0.9.8 is okay, but has fewer ciphers and does not support TLS 1.2. As a bonus, it never had heartbeat support ;)

-chris
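The two JSSE points made in this thread, that getDefaultCipherSuites() already carries the provider's CBC-before-GCM ordering, and that making the server's own order win needs Java 8, can be put together in code. The following is an added example, not code from the thread or from Tomcat: it intersects an assumed preference list (ECDHE before DHE, GCM before CBC, SHA-2 MACs before SHA-1) with what the running JVM reports as supported, then enables server-side ordering with SSLParameters.setUseCipherSuitesOrder, which exists in Java 8 and later only. The port number 8443 is an assumption, and the socket is opened only to show the parameter plumbing.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Added example (not from the thread): pick a server-side cipher-suite order for
 * JSSE and enforce it. Compiles on Java 8 or later; Java 7 has no
 * setUseCipherSuitesOrder, so there the client's preference decides, which is
 * exactly why a CBC suite wins over GCM on Java 7 even when both are offered.
 */
public class CipherOrderDemo {

    // Assumed preference list: RSA-authenticated suites only (no ECDSA
    // certificate, as in the thread), forward-secret key exchange, AEAD first.
    // AES_256 entries only appear as "supported" once the unlimited-strength
    // JCE policy files mentioned in the thread are installed.
    static final String[] PREFERRED = {
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    };

    /**
     * Intersect the preference list with what the provider supports, keeping
     * OUR order rather than the provider's. getSupportedCipherSuites() is used
     * instead of getDefaultCipherSuites() because the default list already
     * imposes the JSSE ordering (CBC before GCM) that the thread complains about.
     */
    static String[] negotiable(String[] supported, String[] preferred) {
        List<String> have = Arrays.asList(supported);
        List<String> out = new ArrayList<String>();
        for (String suite : preferred) {
            if (have.contains(suite)) {
                out.add(suite);
            }
        }
        return out.toArray(new String[out.size()]);
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory factory = SSLContext.getDefault().getServerSocketFactory();
        String[] chosen = negotiable(factory.getSupportedCipherSuites(), PREFERRED);

        System.out.println("Java " + System.getProperty("java.version") + " can offer "
                + chosen.length + " of " + PREFERRED.length + " preferred suites:");
        for (String suite : chosen) {
            System.out.println("  " + suite);
        }

        // Assumed port 8443. The socket is closed immediately; a real server also
        // needs a keystore holding the RSA certificate or every handshake fails.
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(8443)) {
            SSLParameters params = server.getSSLParameters();
            params.setProtocols(new String[] { "TLSv1.2" });
            params.setCipherSuites(chosen);
            params.setUseCipherSuitesOrder(true); // server order wins (Java 8+)
            server.setSSLParameters(params);
            System.out.println("Server-preferred ordering enabled: "
                    + server.getSSLParameters().getUseCipherSuitesOrder());
        }
    }
}
```

Running it on a Java 7 JVM fails to compile at the setUseCipherSuitesOrder call, which is the same limitation Bugzilla 55988 is about on the Tomcat side.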
Re: Tomcat is down or refused connection
Mark,

On 5/26/14, 10:25 AM, Mark Eggers wrote:
> Please do not top post.
>
> On 5/26/2014 2:15 AM, Ballarpure, Akshay (EXT-Tata Consultancy Ser - IN/Hyderabad) wrote:
>> Thanks for information.. Sorry I missed adding important information. I can see the below message for only 1 or 2 seconds and it got recovered automatically.
>>
>> [Tue May 20 06:48:43 2014] [57070:140373099702016] [error] ajp_get_reply::jk_ajp_common.c (2126): (worker1) Tomcat is down or refused connection. No response has been sent to the client (yet)
>> [Tue May 20 06:48:43 2014] [56884:140373020112640] [error] ajp_service::jk_ajp_common.c (2643): (worker1) connecting to tomcat failed.
>>
>> Let me know if you need any other information.
>>
>> With Regards,
>> Akshay
>
> I gave you a long list of information that would help people on the list understand your system (by the way, we're all volunteers here, most with other jobs and duties). All of this information should be available for more than 1 or 2 seconds.
>
> I also find it difficult to believe that the logging information is only available for 1 or 2 seconds. It is probably stored somewhere.
>
> Fill out (answer) the 6 questions and their components. Without that, it's doubtful that even meaningful questions concerning what's going on can be asked.

Yes, but it's a simple question, Mark. Sheesh: just tell him why his stuff don't work. Open Source means free tech support for unspecified problems, right? Chop chop!

-chris
Re: Regarding i think an intrusion
Well well well. Thank you all so much !!! Since the Struts upgrade I got no intrusion on my servers =) =)

Thank you list for the support, for the time and for helping me with this issue.

Yours,
Leonardo

Regards.-
Leonardo Santagostini
http://ar.linkedin.com/in/santagostini

2014-05-20 12:45 GMT-03:00 Leonardo Santagostini lsantagost...@gmail.com:
> Hello all, again it's me =)
>
> Just so you know, today we deployed our apps using struts 2.3.16.2. So from today I will monitor those servers very closely =)
>
> Thanks all people. I will tell you how things go.
>
> Regards,
> Leonardo
>
> Regards.-
> Leonardo Santagostini
> http://ar.linkedin.com/in/santagostini
>
> 2014-05-07 12:28 GMT-03:00 Leonardo Santagostini lsantagost...@gmail.com:
>> Hello all !
>>
>> Developers are still estimating the effort for upgrading struts. I will let you know how things are going.
>>
>> Thanks all for replying to me.
>>
>> Regards,
>> Leonardo
>>
>> Regards.-
>> Leonardo Santagostini
>> http://ar.linkedin.com/in/santagostini
>>
>> 2014-05-05 15:39 GMT-03:00 Martin Gainty mgai...@hotmail.com:
>>> Subject: Re: Regarding i think an intrusion
>>> From: lsantagost...@gmail.com
>>> To: users@tomcat.apache.org
>>>
>>>> Hello Chris, but this logfile was only one day.
>>>
>>> MG> Ay Caramba!
>>>
>>>> Maybe I had a concept mismatch trying to capture the exact moment when the execution begins. My command was
>>>>
>>>>     while [ true ]; do
>>>>         CUENTO=$(ps -fea | grep wget | grep -v grep | grep -v 127.0.0.1 | wc -l)
>>>>         if [ $CUENTO -gt 0 ] ; then
>>>>             PIDJAVA=$(ps -fea | grep java | grep -v grep | awk '{ print $2 }')
>>>>             echo -e "Se encontro wget corriendo, sacando dump de JVM..."
>>>>             kill -3 $PIDJAVA
>>>>         fi
>>>>         sleep 3
>>>>     done
>>>>
>>>> Maybe too many dumps all together, now I'm trying to get a live capture without luck =( If you know a better method, please let me know it.
>>>>
>>>> Thanks for your effort, kind regards,
>>>> Leonardo
>>>>
>>>> Regards.-
>>>> Leonardo Santagostini
>>>
>>> MG> Tomcat APR cannot use WebSockets with JDK 1.6 ... you need to use JDK 1.7 (now)
>>>
>>> MG> this:
>>>
>>>> "ContainerBackgroundProcessor[StandardEngine[Catalina]]" daemon prio=10 tid=0x52867800 nid=0x2550 waiting on condition [0x4105e000]
>>>>    java.lang.Thread.State: TIMED_WAITING (sleeping)
>>>>         at java.lang.Thread.sleep(Native Method)
>>>>         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1508)
>>>>         at java.lang.Thread.run(Thread.java:662)
>>>
>>> MG> These informational records produce a LOT of noise
>>> MG> log4j.properties
>>> MG> log4j.logger.org.quartz=OFF // (shut up, Quartz)
>>>
>>> MG> that:
>>>
>>>> "ajp-bio-8009-exec-37" daemon prio=10 tid=0x2aaac07fd800 nid=0x2656 runnable [0x46f34000]
>>>>    java.lang.Thread.State: RUNNABLE
>>>>         at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
>>>>         at java.util.regex.Pattern$CharProperty.match(Pattern.java:3345)
>>>>         at java.util.regex.Pattern$Curly.match0(Pattern.java:3770)
>>>>         at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>>         at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>>         at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>>         at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>>         at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>>         at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>>         at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>>         at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>>         at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>>         at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>>         at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>>         at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>>         at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>>         at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>>         at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>>         at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>>         at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>>         at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>>         at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>>         at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>>         at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>>         at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>>         at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>>         at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>>         at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>>         at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>>         at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>>         at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>>         at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>>         at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>>         at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>>         at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>>         at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>>         at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>>         at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>>         at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>>         at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>>         at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>>         at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>>         at
Re: realm, access to Request object
Jan,

On 5/26/14, 2:58 AM, Jan Vávra wrote:
> Hello.
>
>> Mark,
>>
>> On 5/20/14, 4:28 AM, Mark Thomas wrote:
>>> On 20/05/2014 09:11, Jan Vávra wrote:
>>>> Hello.
>>>> I write my own realm implementation for Tomcat 7.x. In the method Principal authenticate(X509Certificate[] certs) I'd like to read request headers. My authentication would be based on client certificate + custom http request value. Is it possible?
>>>
>>> In Tomcat, the Authenticator is responsible for gathering the credentials. This often requires interaction with the Request and related objects. The Realm is responsible for validating credentials. Therefore the Realm does not need access to the Request and related objects.
>>
>> This is something that securityfilter supports using a sub-interface of the Realm (analog) interface that has the ability to access the request directly. It's a bad architecture, but very useful for doing things such as recording login failures and their source IP addresses, etc.
>>
>> Is there some way that additional information (e.g. source IP address) could be provided to the Realm for things such as this? It's one of the reasons we still use sf instead of Tomcat's built-in realms. (Another is the lack of decent password-checking algorithms, but I'm working on that: https://issues.apache.org/bugzilla/show_bug.cgi?id=56403).
>
> Well, I looked at Chris's SecurityFilter and I'll go the same way. I'll get rid of the realm and write my own simple security filter. We also plan to support OAuth 2.0 authentication, where the auth header is transferred in the form "Authorization: Bearer x". And in other cases I need to combine clicert auth with basic auth. In the other project we're also behind an authentication system that sends my Tomcat an X-Authorized-As header. So I have many reasons to access the Request object, and writing the filter seems to me the only way to authenticate web service methods (server side).

You haven't done your homework. Read about CombinedRealm.

I thought someone contributed an OAuth provider at some point, but I can't find that reference, so you might need to do that outside of Tomcat anyway. But since you can use ServletRequest.login(), you can probably make it work as long as the user always uses OAuth to authenticate (which is pretty much the whole point).

But re-writing the whole authentication and authorization system is a big task if all you want to do is add OAuth to the things that Tomcat can already do. You should try to find a way to get ServletRequest.login() to do what you need so that you don't have to write your own URL pattern handler, session management code, etc.

-chris
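As an added illustration of the split Mark describes above (the Authenticator gathers credentials from the Request, the Realm only validates them), here is a custom Tomcat 7 Authenticator valve that collects both the client certificate chain and the X-Authorized-As header Jan mentions, then hands the certificates to the configured Realm. This is example code written for this page, not Tomcat's or Jan's; it assumes the Tomcat 7.0.x org.apache.catalina API (AuthenticatorBase.authenticate(Request, HttpServletResponse, LoginConfig), register(...), Globals.CERTIFICATES_ATTR, ActionCode.REQ_SSL_CERTIFICATE), and the rule that the header must name the identity the certificate proved is a hypothetical policy.

```java
package example; // hypothetical package, not part of Tomcat

import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;

import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Globals;
import org.apache.catalina.Realm;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.coyote.ActionCode;

/**
 * Authenticator (valve) that gathers two credentials per request: the TLS client
 * certificate chain and the X-Authorized-As header. The Realm never sees the
 * Request; it only validates the certificate chain it is handed.
 */
public class CertPlusHeaderAuthenticator extends AuthenticatorBase {

    /** Header name taken from the thread; what it must contain is our hypothetical policy. */
    private static final String HEADER = "X-Authorized-As";
    private static final String AUTH_TYPE = "CLIENT-CERT+HEADER";

    @Override
    public boolean authenticate(Request request, HttpServletResponse response,
                                LoginConfig config) throws IOException {
        // Nothing to do if an earlier valve (or a cached session) already authenticated.
        if (request.getUserPrincipal() != null) {
            return true;
        }

        // 1. Gather: the Authenticator owns the Request, so it reads certificate and header.
        X509Certificate[] certs =
                (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
        if (certs == null || certs.length == 0) {
            // Certificate not requested during the handshake (clientAuth="want"/false):
            // ask the connector to obtain it now, the same way SSLAuthenticator does.
            request.getCoyoteRequest().action(ActionCode.REQ_SSL_CERTIFICATE, null);
            certs = (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
        }
        String claimed = request.getHeader(HEADER);

        if (certs == null || certs.length == 0 || claimed == null || claimed.isEmpty()) {
            // Missing credential: refuse without telling the client which one was missing.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        // 2. Validate: the Realm checks the chain against its trust store / user store.
        Realm realm = context.getRealm();
        Principal principal = realm.authenticate(certs);
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        // 3. Hypothetical policy: the header is only accepted if it names the identity
        //    the certificate already proved, so a forged header alone gains nothing.
        if (!claimed.equals(principal.getName())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }

        // 4. Register so Tomcat's own authorization (security-constraint, roles) applies.
        register(request, response, principal, AUTH_TYPE, principal.getName(), null);
        return true;
    }

    @Override
    protected String getAuthMethod() {
        return AUTH_TYPE;
    }
}
```

With the class on Tomcat's classpath it is wired in as a `<Valve className="example.CertPlusHeaderAuthenticator"/>` in the web application's context.xml, replacing the authenticator Tomcat would otherwise pick from login-config.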
Re: AJP protocol with Apache Tomcat Version 7.0.52
Pradeep,

On 5/23/14, 2:26 PM, pradeepgm wrote:
>> You have a blocking AJP connector (BIO) with maxThreads of 250. Therefore that connector can support a maximum of 250 connections. You have httpd with MaxClients 1536 and - since AJP uses persistent connections - you have httpd trying to create up to 1536 persistent connections. The first 250 attempts will be fine. Attempt 251 is going to fail.
>
> As I mentioned above this is our staging environment. We have 2 apache httpd servers serving 8-10 tomcat applications. This has been running fine for the past 3-4 years with Tomcat 6. We have upgraded one of those 10 applications to Tomcat 7 and now we are facing this Tomcat hung state on that 7.x instance.

That doesn't necessarily mean that the upgrade to Tomcat 7 is to blame. You may not have replicated your production environment properly. These types of systems are very chaotic.

> At a high level, is there any direct relationship between maxThreads in Tomcat and ServerLimit and MaxClients in httpd?

Yes. Yes there is. Hint: it's a mathematical relationship.

> Assume that we configure 250 maxThreads for all those 10 Tomcat instances; what will be the ideal value for ServerLimit and MaxClients? Is it like 250 X 10?

You are asking the question the wrong way. What you need to ask is how many connections you need on the Tomcat side given the number of connections you are trying to support on the httpd side. Remember the following:

1. AJP connections are persistent and have a read-timeout. Re-read Mark's message until you understand this.
2. Each httpd instance has its own set of workers (by whatever name: prefork, worker, event, etc.).
3. Any httpd instance can potentially route a request to a Tomcat instance. The number of httpd instances is significant in the equation.
4. On the Tomcat side, Thread == Connection for BIO, but not for NIO.

The math is easy. You just need to determine the right numbers to use in it and you'll get the number you want.

-chris
Re: CATALINA_PID != real PID
Арсений,

On 5/23/14, 7:24 AM, Арсений Зинченко wrote:
> Hi, Leon. Thanks for the reply. Don't know why - but now it works good :-)

If Tomcat was already running, you might have clobbered your PID file, but not actually successfully launched Tomcat. Since these scripts manage the PID file but can not verify that Tomcat started successfully, bad things can easily happen in these cases.

-chris
Re: Tomcat 7 Cluster with load balancing only needs to run a service periodically
Suhas,

On 5/21/14, 9:46 AM, Suhaas Lang wrote:
> Thanks for your response. No. I am not allowed to use cron :-)
>
> One thing I have been asked to look at is nodes co-ordinating by sending events to each other. But again I am wondering how coordination would take place in case one node goes down. In that case, when it is started again and becomes a part of the cluster, it would try to start services that should run periodically. But its intervals would be out of sync with the rest of the cluster.

Sounds like you need to do some research.

-chris

> Suhaas
>
> On May 20, 2014 9:11 PM, Christopher Schultz ch...@christopherschultz.net wrote:
>> Suhaas,
>>
>> On 5/19/14, 11:40 AM, Suhaas Lang wrote:
>>> The Tomcat cluster is configured as load balancer only. There is no session replication. So in case a Tomcat node on which the user session is running dies, the session is lost.
>>>
>>> We do need to run a service on that cluster periodically. Obviously it cannot run on both servers, but at the same time one has to ensure it has to be run on at least one server after a certain interval.
>>>
>>> What is an elegant solution in this case?
>>
>> Use cron with a non-web-based tool?
>>
>> -chris
Re: Tomcat 7 cannot get ciphers with SHA256 or SHA384
AES GCM mode is not in Java 7, that is right. These higher cipher suites are supported and implemented in Java 8. It is just that none of the major browsers support them.
http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites

Made my own Java code for listing out the default ciphers. It uses the same piece of code as SSLInfo does. As you can see the 256-bit ciphers are there. Java 7 does support the AES 256-bit ciphers, but in CBC mode and not GCM mode.

    SSLServerSocketFactory ssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
    String[] defaultCiphers = ssf.getDefaultCipherSuites();
    for (String cipher : defaultCiphers) {
        // keep only the ephemeral (DHE/ECDHE) suites, drop DSS, RC4 and DES
        if ((cipher.startsWith("TLS_DHE") || cipher.startsWith("TLS_ECDHE"))
                && !cipher.contains("DSS")
                && !cipher.contains("RC4")
                && !cipher.contains("DES")) {
            System.out.println(cipher);
        }
    }

*TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384*
*TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384*
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384*
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
*TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384*
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

2014-05-26 20:09 GMT+02:00 Christopher Schultz ch...@christopherschultz.net:
> Tim,
>
> On 5/25/14, 9:34 PM, Tim Whittington wrote:
>> On 21/05/2014, at 10:21 pm, Sverre Moe sverre@gmail.com wrote:
>>> <snip>
>>> ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>>>          TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265,
>>>          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>>>          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256" />
>>
>> Documentation aside, none of these cipher-suites are supported in Oracle Java 7.
>
> If you run the code I referenced elsewhere in this thread, you'll see that some of the components are available, just not in the combinations you have above:
>
> $ java -showversion -classpath build/ SSLInfo | grep '\(256\|384\)'
> java version "1.7.0_55"
> Java(TM) SE Runtime Environment (build 1.7.0_55-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed mode)
>
> Supported SSL Protocols:
>   TLSv1 (SunJSSE)
>   TLSv1.1 (SunJSSE)
>   TLSv1.2 (SunJSSE)
>
> Default Cipher Name
> *       TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
> *       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>         TLS_DH_anon_WITH_AES_128_CBC_SHA256
> *       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> *       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> *       TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
> *       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
> *       TLS_RSA_WITH_AES_128_CBC_SHA256
>         TLS_RSA_WITH_NULL_SHA256
>
> So, you can get ECDHE_(ECDSA|RSA)_AES, but not with a 256-bit cipher. You can get a 128-bit cipher and a 256-bit hash, but not higher-bit hash functions.
>
>> Oracle Java 7 has no GCM support (AIX does I think, but from memory the cipher suite names are different), and some of the cipher-suites don't exist (see below). GCM was originally targeted for JDK 7 (which is why the cipher suite names and AEAD APIs in the JCE are there) but the implementation didn't show up until JDK 8.
>
> I find no ciphers with 384-bit hashes in Oracle Java 8, but there are 256-bit ones -- at least in the Mac OS X build:
>
> $ /Library/Java/JavaVirtualMachines/disabled/jdk1.8.0.jdk/Contents/Home/bin/java -showversion -classpath build/ SSLInfo | grep '\(256\|384\)'
> java version "1.8.0-ea"
> Java(TM) SE Runtime Environment (build 1.8.0-ea-b99)
> Java HotSpot(TM) 64-Bit Server VM (build 25.0-b41, mixed mode)
> *       TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
> *       TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
> *       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> *       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>         TLS_DH_anon_WITH_AES_128_CBC_SHA256
>         TLS_DH_anon_WITH_AES_128_GCM_SHA256
> *       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> *       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> *       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> *       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> *       TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
> *       TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
> *       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
> *       TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
> *       TLS_RSA_WITH_AES_128_CBC_SHA256
> *       TLS_RSA_WITH_AES_128_GCM_SHA256
>         TLS_RSA_WITH_NULL_SHA256
>
> So as Tim says, Oracle Java 7 doesn't support this stuff. And neither does Java 8. If you want higher-grade encryption (and you want it to run
Re: Tomcat is down or refused connection
Chris,

On 5/26/2014 11:28 AM, Christopher Schultz wrote:
> Mark,
>
> On 5/26/14, 10:25 AM, Mark Eggers wrote:
>> Please do not top post.
>>
>> On 5/26/2014 2:15 AM, Ballarpure, Akshay (EXT-Tata Consultancy Ser - IN/Hyderabad) wrote:
>>> Thanks for information.. Sorry I missed adding important information. I can see the below message for only 1 or 2 seconds and it got recovered automatically.
>>>
>>> [Tue May 20 06:48:43 2014] [57070:140373099702016] [error] ajp_get_reply::jk_ajp_common.c (2126): (worker1) Tomcat is down or refused connection. No response has been sent to the client (yet)
>>> [Tue May 20 06:48:43 2014] [56884:140373020112640] [error] ajp_service::jk_ajp_common.c (2643): (worker1) connecting to tomcat failed.
>>>
>>> Let me know if you need any other information.
>>>
>>> With Regards,
>>> Akshay
>>
>> I gave you a long list of information that would help people on the list understand your system (by the way, we're all volunteers here, most with other jobs and duties). All of this information should be available for more than 1 or 2 seconds.
>>
>> I also find it difficult to believe that the logging information is only available for 1 or 2 seconds. It is probably stored somewhere.
>>
>> Fill out (answer) the 6 questions and their components. Without that, it's doubtful that even meaningful questions concerning what's going on can be asked.
>
> Yes, but it's a simple question, Mark. Sheesh: just tell him why his stuff don't work. Open Source means free tech support for unspecified problems, right? Chop chop!
>
> -chris

Ah, I can do quick (OK, sort of, kind of, maybe).

1. If your Tomcat is down, restart it
2. If your network is down, fix it (this is not a network forum)
3. If your firewall drops connections
   a. tell it to not drop connections (this is not a firewall forum)
   b. send enough traffic so that connections aren't dropped

If you want more (volunteer) help, then I think two things are in order:

1. Provide the information requested (as a start)
2. Be prepared to put in some effort

. . . not quite short, but it'll do.

/mde/
Re: Tomcat 7 Cluster with load balancing only needs to run a service periodically
Yes, Christopher, I know. Any pointers? Any open source libraries that might be worth looking at?

Regards,
Suhaas

On May 26, 2014 2:52 PM, Christopher Schultz ch...@christopherschultz.net wrote:
> Suhas,
>
> On 5/21/14, 9:46 AM, Suhaas Lang wrote:
>> Thanks for your response. No. I am not allowed to use cron :-)
>>
>> One thing I have been asked to look at is nodes co-ordinating by sending events to each other. But again I am wondering how coordination would take place in case one node goes down. In that case, when it is started again and becomes a part of the cluster, it would try to start services that should run periodically. But its intervals would be out of sync with the rest of the cluster.
>
> Sounds like you need to do some research.
>
> -chris
>
>> Suhaas
>>
>> On May 20, 2014 9:11 PM, Christopher Schultz ch...@christopherschultz.net wrote:
>>> Suhaas,
>>>
>>> On 5/19/14, 11:40 AM, Suhaas Lang wrote:
>>>> The Tomcat cluster is configured as load balancer only. There is no session replication. So in case a Tomcat node on which the user session is running dies, the session is lost.
>>>>
>>>> We do need to run a service on that cluster periodically. Obviously it cannot run on both servers, but at the same time one has to ensure it has to be run on at least one server after a certain interval.
>>>>
>>>> What is an elegant solution in this case?
>>>
>>> Use cron with a non-web-based tool?
>>>
>>> -chris
Re: Tomcat 7 cannot get ciphers with SHA256 or SHA384
On 27/05/2014, at 6:09 am, Christopher Schultz ch...@christopherschultz.net wrote:
>
> <snip>
>
> If you run the code I referenced elsewhere in this thread, you'll see that some of the components are available, just not in the combinations you have above:
>
> $ java -showversion -classpath build/ SSLInfo | grep '\(256\|384\)'
> java version "1.7.0_55"
> Java(TM) SE Runtime Environment (build 1.7.0_55-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed mode)
>
> Supported SSL Protocols:
>   TLSv1 (SunJSSE)
>   TLSv1.1 (SunJSSE)
>   TLSv1.2 (SunJSSE)
>
> Default Cipher Name
> *       TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
> *       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>         TLS_DH_anon_WITH_AES_128_CBC_SHA256
> *       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> *       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> *       TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
> *       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
> *       TLS_RSA_WITH_AES_128_CBC_SHA256
>         TLS_RSA_WITH_NULL_SHA256
>
> So, you can get ECDHE_(ECDSA|RSA)_AES, but not with a 256-bit cipher. You can get a 128-bit cipher and a 256-bit hash, but not higher-bit hash functions.
>
>> Oracle Java 7 has no GCM support (AIX does I think, but from memory the cipher suite names are different), and some of the cipher-suites don't exist (see below). GCM was originally targeted for JDK 7 (which is why the cipher suite names and AEAD APIs in the JCE are there) but the implementation didn't show up until JDK 8.
>
> I find no ciphers with 384-bit hashes in Oracle Java 8, but there are 256-bit ones -- at least in the Mac OS X build:

Do you have the unrestricted crypto policy files installed? Without those, 128 bit security ciphers (== 256 bit hashes) are suppressed.

Cipher suites with SHA384 are definitely available on both JDK 7 and JDK 8 on OS X. I'm using the interactive mode of https://github.com/timw/groktls to dump these.

tim
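To check the points raised in this thread on a given JRE, here is a small added Java program (written for this page; not code from the thread, from Tomcat or from groktls): it reports the AES key-size cap imposed by the JCE policy files Tim asks about, lists the forward-secret suites the JRE supports versus enables by default in JSSE's own order, and, on Java 8, applies the server-side cipher order via SSLParameters.setUseCipherSuitesOrder that Chris's enhancements-8 link refers to. The names CipherSuiteCheck, forwardSecretOnly and gcmFirst are my own.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.crypto.Cipher;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Diagnoses the three questions in this thread for the running JRE:
 *  - is the restricted JCE policy capping AES at 128 bits (Tim's question)?
 *  - which forward-secret suites does JSSE support vs. enable by default, in what order?
 *  - can the server impose its own order (Java 8+, SSLParameters.setUseCipherSuitesOrder)?
 */
public class CipherSuiteCheck {

    /** Dropped even when ephemeral: unauthenticated, legacy, DSS-signed or unencrypted suites. */
    private static final String[] EXCLUDE = { "_anon_", "RC4", "DES", "DSS", "NULL", "EXPORT" };

    /** Keep ECDHE/DHE suites minus EXCLUDE, preserving the JRE's own order. */
    static List<String> forwardSecretOnly(String[] suites) {
        List<String> out = new ArrayList<String>();
        for (String s : suites) {
            if (!(s.startsWith("TLS_ECDHE_") || s.startsWith("TLS_DHE_"))) {
                continue;
            }
            boolean excluded = false;
            for (String bad : EXCLUDE) {
                excluded |= s.contains(bad);
            }
            if (!excluded) {
                out.add(s);
            }
        }
        return out;
    }

    /** JSSE's default order lists GCM after CBC; move every GCM suite to the front. */
    static List<String> gcmFirst(List<String> suites) {
        List<String> gcm = new ArrayList<String>();
        List<String> rest = new ArrayList<String>();
        for (String s : suites) {
            (s.contains("_GCM_") ? gcm : rest).add(s);
        }
        gcm.addAll(rest);
        return gcm;
    }

    public static void main(String[] args) throws Exception {
        // With the restricted policy files AES is capped at 128 bits, so no AES_256 suite
        // is enabled; SHA384 only pairs with AES_256 in these suites, so those vanish too.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length allowed by JCE policy: " + maxAes
                + (maxAes < 256 ? "  <- restricted policy: AES_256 / SHA384 suites suppressed" : ""));

        SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        List<String> supported = forwardSecretOnly(factory.getSupportedCipherSuites());
        List<String> enabled = forwardSecretOnly(factory.getDefaultCipherSuites());

        System.out.println("Forward-secret suites enabled by default, in JSSE order:");
        for (String s : enabled) {
            System.out.println("  " + s);
        }
        // Implemented but disabled: what a Connector 'ciphers' attribute could still switch on.
        List<String> disabledOnly = new ArrayList<String>(supported);
        disabledOnly.removeAll(enabled);
        System.out.println("Supported but not enabled by default: " + disabledOnly);

        // Java 8+: the server imposes its own preference instead of following the client's.
        // On Java 7 setUseCipherSuitesOrder does not exist, which is the thread's complaint.
        List<String> preferred = gcmFirst(enabled);
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0);
        try {
            SSLParameters params = server.getSSLParameters();
            params.setCipherSuites(preferred.toArray(new String[preferred.size()]));
            params.setUseCipherSuitesOrder(true);
            server.setSSLParameters(params);
            System.out.println("Server-preferred order now: "
                    + Arrays.asList(server.getEnabledCipherSuites()));
        } finally {
            server.close();
        }
    }
}
```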