Re: Tomcat running against Java 1.7 barfs with Java < 1.7 Jasper error

2016-04-08 Thread Lyallex
On 8 April 2016 at 13:12, Mark Thomas  wrote:
> On 8 April 2016 12:43:56 BST, Lyallex  wrote:
>>On 8 April 2016 at 12:31, Violeta Georgieva  wrote:
>>> Hi,

>
> Jasper is configured to default to the minimum Java version required by the 
> version of the JSP specification  it implements.

Thank you

> Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Appscan Issues

2016-04-08 Thread Olaf Kock
On 08.04.2016 at 15:40, Kikkeri, Amith wrote:
> Thanks... I will be more detailed.
> We don't use Apache HTTPD or nginx. It's just tomcat7. Below is my connector 
> configuration.
>
>   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>clientAuth="false" sslProtocol="TLS" 
>keystoreFile=" "
>keystorePass=" "/>
You'll have to explicitly configure the ciphers. That can be done by
configuring the connector
(https://wiki.apache.org/tomcat/HowTo/SSLCiphers) to use or prohibit one
or the other cipher (https://wiki.apache.org/tomcat/Security/Ciphers) -
or use one of the links that I've posted in my previous answer.

I'm typically configuring a HTTPS end point in Apache httpd and forward
to tomcat. I feel that the documentation for explicit cipher-choice in
Apache httpd is a lot better (and more widespread up to date) than for
tomcat, but you definitely can correctly configure it in tomcat as well.

I just hope you're not running as root in order to bind to port 443 - in
that case you have different (and bigger) problems.

Olaf
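
An added example, not part of the message above and not Tomcat project code: a small Python audit of a server.xml for the two AppScan findings in this thread (RC4 suites, and CBC suites reachable over SSLv3/TLS 1.0). The server.xml fragment, the port numbers and the `audit_connectors` name are constructed for illustration, and it assumes `ciphers` and `sslEnabledProtocols` hold comma-separated JSSE names.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not the poster's real file): a connector
# with no explicit cipher settings, a restricted one, and a weak explicit one.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"/>
  <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
  <Connector port="7443" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1,TLSv1.2"
             ciphers="SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
</Service></Server>"""

# BEAST targets CBC suites negotiated under SSLv3 or TLS 1.0.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1"}


def split_list(value):
    """Split a comma-separated attribute value into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_connectors(server_xml):
    """Return {port: [findings]} for every connector with SSLEnabled="true"."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        findings = []
        ciphers = split_list(conn.get("ciphers", ""))
        protocols = set(split_list(conn.get("sslEnabledProtocols", "")))
        if not ciphers:
            findings.append("no explicit ciphers: JVM defaults apply")
        if not protocols:
            findings.append("no sslEnabledProtocols: JVM defaults apply")
        legacy = sorted(protocols & LEGACY_PROTOCOLS)
        for name in ciphers:
            if "_RC4_" in name:
                findings.append("RC4 suite: " + name)
            elif "_CBC_" in name and legacy:
                findings.append("CBC suite with %s enabled (BEAST): %s"
                                % ("/".join(legacy), name))
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE).items():
        print(port, findings or "OK")
```

A connector that sets neither attribute is reported because the effective cipher list then depends on the JVM's defaults, which is the situation the scanner found.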




RE: Appscan Issues

2016-04-08 Thread Kikkeri, Amith
Thanks... I will be more detailed.
We don't use Apache HTTPD or nginx. It's just tomcat7. Below is my connector 
configuration.

  



Regards,
Amith



-Original Message-
From: Olaf Kock [mailto:tom...@olafkock.de] 
Sent: Friday, April 08, 2016 9:29 AM
To: users@tomcat.apache.org
Subject: Re: Appscan Issues



On 08.04.2016 at 15:17, Kikkeri, Amith wrote:
> Hi,
> Appscan was performed on our application and 2 issues were encountered. Could 
> anyone please let me know how to resolve these issues ? We use tomcat7.
>
> Browser Exploit Against SSL/TLS (a.k.a. BEAST)
> RC4 cipher suites were detected
> (Remove support of SSLv3/TLS1.0 cipher suites with CBC.)
Sure. Remove SSL support.

Seriously: With the level of information that you give, what's the level of 
detail that you expect back?

Are you using tomcat only? Do you front it with Apache httpd? nginx? Any 
loadbalancer or SSL-Terminator (pardon the use of SSL here)? If you only have 
tomcat, what's the configuration of your https connector? Which of the options 
that are documented in the connector's documentation 
(http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support or 
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html among others) do you 
need help with?

Olaf




Re: Appscan Issues

2016-04-08 Thread Olaf Kock


On 08.04.2016 at 15:17, Kikkeri, Amith wrote:
> Hi,
> Appscan was performed on our application and 2 issues were encountered. Could 
> anyone please let me know how to resolve these issues ? We use tomcat7.
>
> Browser Exploit Against SSL/TLS (a.k.a. BEAST)
> RC4 cipher suites were detected
> (Remove support of SSLv3/TLS1.0 cipher suites with CBC.)
Sure. Remove SSL support.

Seriously: With the level of information that you give, what's the level
of detail that you expect back?

Are you using tomcat only? Do you front it with Apache httpd? nginx? Any
loadbalancer or SSL-Terminator (pardon the use of SSL here)? If you only
have tomcat, what's the configuration of your https connector? Which of
the options that are documented in the connector's documentation
(http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support or
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html among others) do
you need help with?

Olaf




Appscan Issues

2016-04-08 Thread Kikkeri, Amith
Hi,
Appscan was performed on our application and 2 issues were encountered. Could 
anyone please let me know how to resolve these issues ? We use tomcat7.

Browser Exploit Against SSL/TLS (a.k.a. BEAST)
RC4 cipher suites were detected
(Remove support of SSLv3/TLS1.0 cipher suites with CBC.)

Regards,
Amith




Re: Tomcat running against Java 1.7 barfs with Java < 1.7 Jasper error

2016-04-08 Thread David kerber

On 4/8/2016 7:43 AM, Lyallex wrote:

On 8 April 2016 at 12:31, Violeta Georgieva  wrote:

Hi,

2016-04-08 14:28 GMT+03:00 Lyallex :


Apache Tomcat 7.0.42 running under jsvc against jdk1.7.0.45
on 64 bit Ubuntu Linux 12.10 built and deployed with Ant in Eclipse
JUNO set to 1.7 compliance

Please don't moan at me for using JSP scriptlets, I'm just doing some
throwaway prototyping so save the bandwidth. Thank You

I have been switching on Strings in 1.7 projects for a while now, I
use it in application classes running on the above with no problems at
all.

This morning I tried switching on Strings in jsp and got the following
compiler error

org.apache.jasper.JasperException Unable to compile class for JSP
etc etc
Cannot switch on a value of type String for source level below 1.7 ...

Hmm, interesting

Configured Jasper to compile against 1.7 and it all worked fine

It seems a little strange that running Tomcat against 1.7 wouldn't
automatically configure Jasper to compile against 1.7 ... doesn't it ?

Or does it?

I'm sure there is a good reason, I just can't think of it :-(



This behavior is correct. Check this
http://tomcat.apache.org/tomcat-7.0-doc/jasper-howto.html

compilerSourceVM - What JDK version are the source files compatible with?
(Default value: 1.6)
compilerTargetVM - What JDK version are the generated files compatible
with? (Default value: 1.6)

Regards,
Violeta


Well I'm sure it is ... but you miss the point entirely I'm afraid

I'll try again

I said

" It seems a little strange that running Tomcat against 1.7 wouldn't
   automatically configure Jasper to compile against 1.7 ... doesn't it"

I'm not sure how you interpret this statement as an assertion that
the behavior is incorrect.

Once again.

Why is it that when Tomcat is run against Java 1.7 and obviously
interprets classes
written in 1.7 correctly Jasper isn't configured to compile at 1.7
compliance level.

It's just a question, I found it interesting.


And the answer, if I interpret Violeta's response correctly, is that it 
will compile for Java 6 unless you *explicitly* tell it to use something 
else.  It won't know you want to use 7 unless you say so.







Re: Tomcat running against Java 1.7 barfs with Java < 1.7 Jasper error

2016-04-08 Thread Mark Thomas
On 8 April 2016 12:43:56 BST, Lyallex  wrote:
>On 8 April 2016 at 12:31, Violeta Georgieva  wrote:
>> Hi,
>>
>> 2016-04-08 14:28 GMT+03:00 Lyallex :
>>>
>>> Apache Tomcat 7.0.42 running under jsvc against jdk1.7.0.45
>>> on 64 bit Ubuntu Linux 12.10 built and deployed with Ant in Eclipse
>>> JUNO set to 1.7 compliance
>>>
>>> Please don't moan at me for using JSP scriptlets, I'm just doing
>some
>>> throwaway prototyping so save the bandwidth. Thank You
>>>
>>> I have been switching on Strings in 1.7 projects for a while now, I
>>> use it in application classes running on the above with no problems
>at
>>> all.
>>>
>>> This morning I tried switching on Strings in jsp and got the
>following
>>> compiler error
>>>
>>> org.apache.jasper.JasperException Unable to compile class for JSP
>>> etc etc
>>> Cannot switch on a value of type String for source level below 1.7
>...
>>>
>>> Hmm, interesting
>>>
>>> Configured Jasper to compile against 1.7 and it all worked fine
>>>
>>> It seems a little strange that running Tomcat against 1.7 wouldn't
>>> automatically configure Jasper to compile against 1.7 ... doesn't it
>?
>>>
>>> Or does it?
>>>
>>> I'm sure there is a good reason, I just can't think of it :-(
>>>
>>
>> This behavior is correct. Check this
>> http://tomcat.apache.org/tomcat-7.0-doc/jasper-howto.html
>>
>> compilerSourceVM - What JDK version are the source files compatible
>with?
>> (Default value: 1.6)
>> compilerTargetVM - What JDK version are the generated files
>compatible
>> with? (Default value: 1.6)
>>
>> Regards,
>> Violeta
>
>Well I'm sure it is ... but you miss the point entirely I'm afraid
>
>I'll try again
>
>I said
>
>" It seems a little strange that running Tomcat against 1.7 wouldn't
>  automatically configure Jasper to compile against 1.7 ... doesn't it"
>
>I'm not sure how you interpret this statement as an assertion that
>the behavior is incorrect.
>
>Once again.
>
>Why is it that when Tomcat is run against Java 1.7 and obviously
>interprets classes
>written in 1.7 correctly Jasper isn't configured to compile at 1.7
>compliance level.

Jasper is configured to default to the minimum Java version required by the 
version of the JSP specification  it implements.

Mark

>
>It's just a question, I found it interesting.
>
>Is that OK
>
>Lyallex
>
>
>>>
>>
>>> Lyallex
>>>
>>>






Re: Tomcat running against Java 1.7 barfs with Java < 1.7 Jasper error

2016-04-08 Thread Lyallex
On 8 April 2016 at 12:31, Violeta Georgieva  wrote:
> Hi,
>
> 2016-04-08 14:28 GMT+03:00 Lyallex :
>>
>> Apache Tomcat 7.0.42 running under jsvc against jdk1.7.0.45
>> on 64 bit Ubuntu Linux 12.10 built and deployed with Ant in Eclipse
>> JUNO set to 1.7 compliance
>>
>> Please don't moan at me for using JSP scriptlets, I'm just doing some
>> throwaway prototyping so save the bandwidth. Thank You
>>
>> I have been switching on Strings in 1.7 projects for a while now, I
>> use it in application classes running on the above with no problems at
>> all.
>>
>> This morning I tried switching on Strings in jsp and got the following
>> compiler error
>>
>> org.apache.jasper.JasperException Unable to compile class for JSP
>> etc etc
>> Cannot switch on a value of type String for source level below 1.7 ...
>>
>> Hmm, interesting
>>
>> Configured Jasper to compile against 1.7 and it all worked fine
>>
>> It seems a little strange that running Tomcat against 1.7 wouldn't
>> automatically configure Jasper to compile against 1.7 ... doesn't it ?
>>
>> Or does it?
>>
>> I'm sure there is a good reason, I just can't think of it :-(
>>
>
> This behavior is correct. Check this
> http://tomcat.apache.org/tomcat-7.0-doc/jasper-howto.html
>
> compilerSourceVM - What JDK version are the source files compatible with?
> (Default value: 1.6)
> compilerTargetVM - What JDK version are the generated files compatible
> with? (Default value: 1.6)
>
> Regards,
> Violeta

Well I'm sure it is ... but you miss the point entirely I'm afraid

I'll try again

I said

" It seems a little strange that running Tomcat against 1.7 wouldn't
  automatically configure Jasper to compile against 1.7 ... doesn't it"

I'm not sure how you interpret this statement as an assertion that
the behavior is incorrect.

Once again.

Why is it that when Tomcat is run against Java 1.7 and obviously
interprets classes
written in 1.7 correctly Jasper isn't configured to compile at 1.7
compliance level.

It's just a question, I found it interesting.

Is that OK

Lyallex


>>
>
>> Lyallex
>>
>>




Re: Tomcat running against Java 1.7 barfs with Java < 1.7 Jasper error

2016-04-08 Thread Violeta Georgieva
Hi,

2016-04-08 14:28 GMT+03:00 Lyallex :
>
> Apache Tomcat 7.0.42 running under jsvc against jdk1.7.0.45
> on 64 bit Ubuntu Linux 12.10 built and deployed with Ant in Eclipse
> JUNO set to 1.7 compliance
>
> Please don't moan at me for using JSP scriptlets, I'm just doing some
> throwaway prototyping so save the bandwidth. Thank You
>
> I have been switching on Strings in 1.7 projects for a while now, I
> use it in application classes running on the above with no problems at
> all.
>
> This morning I tried switching on Strings in jsp and got the following
> compiler error
>
> org.apache.jasper.JasperException Unable to compile class for JSP
> etc etc
> Cannot switch on a value of type String for source level below 1.7 ...
>
> Hmm, interesting
>
> Configured Jasper to compile against 1.7 and it all worked fine
>
> It seems a little strange that running Tomcat against 1.7 wouldn't
> automatically configure Jasper to compile against 1.7 ... doesn't it ?
>
> Or does it?
>
> I'm sure there is a good reason, I just can't think of it :-(
>

This behavior is correct. Check this
http://tomcat.apache.org/tomcat-7.0-doc/jasper-howto.html

compilerSourceVM - What JDK version are the source files compatible with?
(Default value: 1.6)
compilerTargetVM - What JDK version are the generated files compatible
with? (Default value: 1.6)

Regards,
Violeta

> Lyallex
>
>


Tomcat running against Java 1.7 barfs with Java < 1.7 Jasper error

2016-04-08 Thread Lyallex
Apache Tomcat 7.0.42 running under jsvc against jdk1.7.0.45
on 64 bit Ubuntu Linux 12.10 built and deployed with Ant in Eclipse
JUNO set to 1.7 compliance

Please don't moan at me for using JSP scriptlets, I'm just doing some
throwaway prototyping so save the bandwidth. Thank You

I have been switching on Strings in 1.7 projects for a while now, I
use it in application classes running on the above with no problems at
all.

This morning I tried switching on Strings in jsp and got the following
compiler error

org.apache.jasper.JasperException Unable to compile class for JSP
etc etc
Cannot switch on a value of type String for source level below 1.7 ...

Hmm, interesting

Configured Jasper to compile against 1.7 and it all worked fine

It seems a little strange that running Tomcat against 1.7 wouldn't
automatically configure Jasper to compile against 1.7 ... doesn't it ?

Or does it?

I'm sure there is a good reason, I just can't think of it :-(

Lyallex




Tomcat 8 - enable OCSP Stapling for HTTPS connections

2016-04-08 Thread Altug Tekin
Hi,

I have an Apache Tomcat/8.0.32 instance running on my server.

Our Security Department requires me to implement OCSP Stapling on all
programs, which communicate over HTTPS on ports exposed to the
Internet, one of which being tomcat.

How can I configure OCSP-Stapling on my Tomcat Server?

I have searched through the documentation (
https://tomcat.apache.org/tomcat-8.0-doc/config/http.html ), but it
seems that there is no OCSP-Stapling at all.


Regards
