Re: Tomcat running against Java 1.7 barfs with Java < 1.7 Jasper error
On 8 April 2016 at 13:12, Mark Thomas wrote:
> On 8 April 2016 12:43:56 BST, Lyallex wrote:
>>On 8 April 2016 at 12:31, Violeta Georgieva wrote:
>>> Hi,
>
> Jasper is configured to default to the minimum Java version required by the
> version of the JSP specification it implements.

Thank you

> Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Appscan Issues
On 08.04.2016 at 15:40, Kikkeri, Amith wrote:
> Thanks... I will be more detailed.
> We don't use Apache HTTPD or nginx. It's just tomcat7. Below is my connector
> configuration.
>
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>clientAuth="false" sslProtocol="TLS"
>keystoreFile=" "
>keystorePass=" "/>

You'll have to explicitly configure the ciphers. That can be done by configuring the connector (https://wiki.apache.org/tomcat/HowTo/SSLCiphers) to use or prohibit one or the other cipher (https://wiki.apache.org/tomcat/Security/Ciphers) - or use one of the links that I've posted in my previous answer.

I'm typically configuring a HTTPS end point in Apache httpd and forward to tomcat. I feel that the documentation for explicit cipher-choice in Apache httpd is a lot better (and more widespread up to date) than for tomcat, but you definitely can correctly configure it in tomcat as well.

I just hope you're not running as root in order to bind to port 443 - in that case you have different (and bigger) problems.

Olaf
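The connector check discussed in this thread, as an added example that is not part of any poster's message: a Python audit of `<Connector>` elements for the two AppScan findings. Both server.xml fragments are constructed (port 8443 and the suite list are assumptions); `ciphers` and `sslEnabledProtocols` are Tomcat 7 JSSE connector attributes.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments. WEAK mirrors the attributes quoted in the
# thread (the port is an assumption); HARDENED is one possible explicit setup.
# Which suites can actually be offered depends on the JVM Tomcat runs on.
WEAK = '''<Server><Service name="Catalina">
  <Connector port="8443" maxThreads="150" SSLEnabled="true" scheme="https"
             secure="true" clientAuth="false" sslProtocol="TLS"/>
</Service></Server>'''

HARDENED = '''<Server><Service name="Catalina">
  <Connector port="8443" maxThreads="150" SSLEnabled="true" scheme="https"
             secure="true" clientAuth="false" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
</Service></Server>'''

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1"}  # the BEAST finding concerns SSLv3/TLS 1.0


def audit_connectors(server_xml):
    """Return (port, finding) tuples for every TLS-enabled <Connector>."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector, nothing to audit
        port = conn.get("port", "?")
        ciphers = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
        protocols = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()}
        if not ciphers:
            findings.append((port, "no ciphers attribute: JVM default suites apply"))
        if not protocols:
            findings.append((port, "no sslEnabledProtocols attribute: JVM default protocols apply"))
        for suite in ciphers:
            if "_RC4_" in suite:
                findings.append((port, "RC4 suite enabled: " + suite))
        legacy = sorted(protocols & LEGACY_PROTOCOLS)
        cbc = [s for s in ciphers if "_CBC_" in s]
        if legacy and (cbc or not ciphers):
            findings.append((port, "CBC suites possible with " + ",".join(legacy)))
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_connectors(xml))
```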
RE: Appscan Issues
Thanks... I will be more detailed.
We don't use Apache HTTPD or nginx. It's just tomcat7. Below is my connector configuration.

Regards,
Amith

-Original Message-
From: Olaf Kock [mailto:tom...@olafkock.de]
Sent: Friday, April 08, 2016 9:29 AM
To: users@tomcat.apache.org
Subject: Re: Appscan Issues

On 08.04.2016 at 15:17, Kikkeri, Amith wrote:
> Hi,
> Appscan was performed on our application and 2 issues were encountered. Could
> anyone please let me know how to resolve these issues? We use tomcat7.
>
> Browser Exploit Against SSL/TLS (a.k.a. BEAST)
> RC4 cipher suites were detected
> (Remove support of SSLv3/TLS1.0 cipher suites with CBC.)

Sure. Remove SSL support.

Seriously: With the level of information that you give, what's the level of detail that you expect back? Are you using tomcat only? Do you front it with Apache httpd? nginx? Any loadbalancer or SSL-Terminator (pardon the use of SSL here)?

If you only have tomcat, what's the configuration of your https connector? Which of the options that are documented in the connector's documentation (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support or http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html among others) do you need help with?

Olaf
Re: Appscan Issues
On 08.04.2016 at 15:17, Kikkeri, Amith wrote:
> Hi,
> Appscan was performed on our application and 2 issues were encountered. Could
> anyone please let me know how to resolve these issues? We use tomcat7.
>
> Browser Exploit Against SSL/TLS (a.k.a. BEAST)
> RC4 cipher suites were detected
> (Remove support of SSLv3/TLS1.0 cipher suites with CBC.)

Sure. Remove SSL support.

Seriously: With the level of information that you give, what's the level of detail that you expect back? Are you using tomcat only? Do you front it with Apache httpd? nginx? Any loadbalancer or SSL-Terminator (pardon the use of SSL here)?

If you only have tomcat, what's the configuration of your https connector? Which of the options that are documented in the connector's documentation (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support or http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html among others) do you need help with?

Olaf
Appscan Issues
Hi,
Appscan was performed on our application and 2 issues were encountered. Could anyone please let me know how to resolve these issues? We use tomcat7.

Browser Exploit Against SSL/TLS (a.k.a. BEAST)
RC4 cipher suites were detected
(Remove support of SSLv3/TLS1.0 cipher suites with CBC.)

Regards,
Amith
Re: Tomcat running against Java 1.7 barfs with Java < 1.7 Jasper error
On 4/8/2016 7:43 AM, Lyallex wrote:
> On 8 April 2016 at 12:31, Violeta Georgieva wrote:
>> Hi,
>>
>> 2016-04-08 14:28 GMT+03:00 Lyallex:
>>> Apache Tomcat 7.0.42 running under jsvc against jdk1.7.0.45
>>> on 64 bit Ubuntu Linux 12.10 built and deployed with Ant in Eclipse
>>> JUNO set to 1.7 compliance
>>>
>>> Please don't moan at me for using JSP scriptlets, I'm just doing some
>>> throwaway prototyping so save the bandwidth. Thank You
>>>
>>> I have been switching on Strings in 1.7 projects for a while now, I
>>> use it in application classes running on the above with no problems at
>>> all.
>>>
>>> This morning I tried switching on Strings in jsp and got the following
>>> compiler error
>>>
>>> org.apache.jasper.JasperException Unable to compile class for JSP
>>> etc etc
>>> Cannot switch on a value of type String for source level below 1.7 ...
>>>
>>> Hmm, interesting
>>>
>>> Configured Jasper to compile against 1.7 and it all worked fine
>>>
>>> It seems a little strange that running Tomcat against 1.7 wouldn't
>>> automatically configure Jasper to compile against 1.7 ... doesn't it?
>>>
>>> Or does it?
>>>
>>> I'm sure there is a good reason, I just can't think of it :-(
>>
>> This behavior is correct. Check this
>> http://tomcat.apache.org/tomcat-7.0-doc/jasper-howto.html
>>
>> compilerSourceVM - What JDK version are the source files compatible with?
>> (Default value: 1.6)
>> compilerTargetVM - What JDK version are the generated files compatible
>> with? (Default value: 1.6)
>>
>> Regards,
>> Violeta
>
> Well I'm sure it is ... but you miss the point entirely I'm afraid
>
> I'll try again
>
> I said
>
> " It seems a little strange that running Tomcat against 1.7 wouldn't
> automatically configure Jasper to compile against 1.7 ... doesn't it"
>
> I'm not sure how you interpret this statement as an assertion that
> the behavior is incorrect.
>
> Once again.
>
> Why is it that when Tomcat is run against Java 1.7 and obviously
> interprets classes written in 1.7 correctly Jasper isn't configured
> to compile at 1.7 compliance level.
>
> It's just a question, I found it interesting.

And the answer, if I interpret Violeta's response correctly, is that it will compile for Java 6 unless you *explicitly* tell it to use something else. It won't know you want to use 7 unless you say so.
Re: Tomcat running against Java 1.7 barfs with Java < 1.7 Jasper error
On 8 April 2016 12:43:56 BST, Lyallex wrote:
>On 8 April 2016 at 12:31, Violeta Georgieva wrote:
>> Hi,
>>
>> 2016-04-08 14:28 GMT+03:00 Lyallex:
>>>
>>> Apache Tomcat 7.0.42 running under jsvc against jdk1.7.0.45
>>> on 64 bit Ubuntu Linux 12.10 built and deployed with Ant in Eclipse
>>> JUNO set to 1.7 compliance
>>>
>>> Please don't moan at me for using JSP scriptlets, I'm just doing some
>>> throwaway prototyping so save the bandwidth. Thank You
>>>
>>> I have been switching on Strings in 1.7 projects for a while now, I
>>> use it in application classes running on the above with no problems at
>>> all.
>>>
>>> This morning I tried switching on Strings in jsp and got the following
>>> compiler error
>>>
>>> org.apache.jasper.JasperException Unable to compile class for JSP
>>> etc etc
>>> Cannot switch on a value of type String for source level below 1.7 ...
>>>
>>> Hmm, interesting
>>>
>>> Configured Jasper to compile against 1.7 and it all worked fine
>>>
>>> It seems a little strange that running Tomcat against 1.7 wouldn't
>>> automatically configure Jasper to compile against 1.7 ... doesn't it?
>>>
>>> Or does it?
>>>
>>> I'm sure there is a good reason, I just can't think of it :-(
>>>
>>
>> This behavior is correct. Check this
>> http://tomcat.apache.org/tomcat-7.0-doc/jasper-howto.html
>>
>> compilerSourceVM - What JDK version are the source files compatible with?
>> (Default value: 1.6)
>> compilerTargetVM - What JDK version are the generated files compatible
>> with? (Default value: 1.6)
>>
>> Regards,
>> Violeta
>
>Well I'm sure it is ... but you miss the point entirely I'm afraid
>
>I'll try again
>
>I said
>
>" It seems a little strange that running Tomcat against 1.7 wouldn't
> automatically configure Jasper to compile against 1.7 ... doesn't it"
>
>I'm not sure how you interpret this statement as an assertion that
>the behavior is incorrect.
>
>Once again.
>
>Why is it that when Tomcat is run against Java 1.7 and obviously
>interprets classes
>written in 1.7 correctly Jasper isn't configured to compile at 1.7
>compliance level.

Jasper is configured to default to the minimum Java version required by the version of the JSP specification it implements.

Mark

>
>It's just a question, I found it interesting.
>
>Is that OK
>
>Lyallex
Re: Tomcat running against Java 1.7 barfs with Java < 1.7 Jasper error
On 8 April 2016 at 12:31, Violeta Georgieva wrote:
> Hi,
>
> 2016-04-08 14:28 GMT+03:00 Lyallex:
>>
>> Apache Tomcat 7.0.42 running under jsvc against jdk1.7.0.45
>> on 64 bit Ubuntu Linux 12.10 built and deployed with Ant in Eclipse
>> JUNO set to 1.7 compliance
>>
>> Please don't moan at me for using JSP scriptlets, I'm just doing some
>> throwaway prototyping so save the bandwidth. Thank You
>>
>> I have been switching on Strings in 1.7 projects for a while now, I
>> use it in application classes running on the above with no problems at
>> all.
>>
>> This morning I tried switching on Strings in jsp and got the following
>> compiler error
>>
>> org.apache.jasper.JasperException Unable to compile class for JSP
>> etc etc
>> Cannot switch on a value of type String for source level below 1.7 ...
>>
>> Hmm, interesting
>>
>> Configured Jasper to compile against 1.7 and it all worked fine
>>
>> It seems a little strange that running Tomcat against 1.7 wouldn't
>> automatically configure Jasper to compile against 1.7 ... doesn't it?
>>
>> Or does it?
>>
>> I'm sure there is a good reason, I just can't think of it :-(
>>
>
> This behavior is correct. Check this
> http://tomcat.apache.org/tomcat-7.0-doc/jasper-howto.html
>
> compilerSourceVM - What JDK version are the source files compatible with?
> (Default value: 1.6)
> compilerTargetVM - What JDK version are the generated files compatible
> with? (Default value: 1.6)
>
> Regards,
> Violeta

Well I'm sure it is ... but you miss the point entirely I'm afraid

I'll try again

I said

" It seems a little strange that running Tomcat against 1.7 wouldn't
 automatically configure Jasper to compile against 1.7 ... doesn't it"

I'm not sure how you interpret this statement as an assertion that
the behavior is incorrect.

Once again.

Why is it that when Tomcat is run against Java 1.7 and obviously
interprets classes
written in 1.7 correctly Jasper isn't configured to compile at 1.7
compliance level.

It's just a question, I found it interesting.

Is that OK

Lyallex

>> Lyallex
Re: Tomcat running against Java 1.7 barfs with Java < 1.7 Jasper error
Hi,

2016-04-08 14:28 GMT+03:00 Lyallex:
>
> Apache Tomcat 7.0.42 running under jsvc against jdk1.7.0.45
> on 64 bit Ubuntu Linux 12.10 built and deployed with Ant in Eclipse
> JUNO set to 1.7 compliance
>
> Please don't moan at me for using JSP scriptlets, I'm just doing some
> throwaway prototyping so save the bandwidth. Thank You
>
> I have been switching on Strings in 1.7 projects for a while now, I
> use it in application classes running on the above with no problems at
> all.
>
> This morning I tried switching on Strings in jsp and got the following
> compiler error
>
> org.apache.jasper.JasperException Unable to compile class for JSP
> etc etc
> Cannot switch on a value of type String for source level below 1.7 ...
>
> Hmm, interesting
>
> Configured Jasper to compile against 1.7 and it all worked fine
>
> It seems a little strange that running Tomcat against 1.7 wouldn't
> automatically configure Jasper to compile against 1.7 ... doesn't it?
>
> Or does it?
>
> I'm sure there is a good reason, I just can't think of it :-(
>

This behavior is correct. Check this
http://tomcat.apache.org/tomcat-7.0-doc/jasper-howto.html

compilerSourceVM - What JDK version are the source files compatible with?
(Default value: 1.6)
compilerTargetVM - What JDK version are the generated files compatible
with? (Default value: 1.6)

Regards,
Violeta

> Lyallex
Tomcat running against Java 1.7 barfs with Java < 1.7 Jasper error
Apache Tomcat 7.0.42 running under jsvc against jdk1.7.0.45
on 64 bit Ubuntu Linux 12.10 built and deployed with Ant in Eclipse
JUNO set to 1.7 compliance

Please don't moan at me for using JSP scriptlets, I'm just doing some
throwaway prototyping so save the bandwidth. Thank You

I have been switching on Strings in 1.7 projects for a while now, I
use it in application classes running on the above with no problems at
all.

This morning I tried switching on Strings in jsp and got the following
compiler error

org.apache.jasper.JasperException Unable to compile class for JSP
etc etc
Cannot switch on a value of type String for source level below 1.7 ...

Hmm, interesting

Configured Jasper to compile against 1.7 and it all worked fine

It seems a little strange that running Tomcat against 1.7 wouldn't
automatically configure Jasper to compile against 1.7 ... doesn't it?

Or does it?

I'm sure there is a good reason, I just can't think of it :-(

Lyallex
Tomcat 8 - enable OCSP Stapling for HTTPS connections
Hi,

I have an Apache Tomcat/8.0.32 instance running on my server. Our Security Department requires me to implement OCSP Stapling on all programs, which communicate over HTTPS on ports exposed to the Internet, one of which being tomcat.

How can I configure OCSP-Stapling on my Tomcat Server? I have searched through the documentation ( https://tomcat.apache.org/tomcat-8.0-doc/config/http.html ), but it seems that there is no OCSP-Stapling at all.

Regards