Re: mod-jk (1.2.37) crashes Apache 2 (2.4.7) occasionally with a buffer overflow on Ubuntu 14.04 x64

2016-07-05 Thread Christopher Schultz

Michael,

On 7/5/16 11:31 AM, Michael Diener wrote:
> Alright, I did my homework this time and worked with a self
> compiled version of mod_jk (1.2.41). Still the same error is
> happening. I traced the buffer overflow down to line 291 in
> jk_connect.c (nb_connect):
> 
> 280>    do {
> 281>        rc = connect(sd, (const struct sockaddr *)&addr->sa.sin, addr->salen);
> 282>    } while (rc == -1 && errno == EINTR);
> 283>
> 284>    if ((rc == -1) && (errno == EINPROGRESS || errno == EALREADY)
> 285>        && (timeout > 0)) {
> 286>        fd_set wfdset;
> 287>        struct timeval tv;
> 288>        socklen_t rclen = (socklen_t)sizeof(rc);
> 289>
> 290>        FD_ZERO(&wfdset);
> *291>       FD_SET(sd, &wfdset);*
> 292>        tv.tv_sec = timeout / 1000;
> 293>        tv.tv_usec = (timeout % 1000) * 1000;
> 294>        rc = select(sd + 1, NULL, &wfdset, NULL, &tv);
> 
> 
> From what I understand a buffer overflow would only happen for
> FD_SET if the fd_set gets over 1024 descriptors. I made sure that
> my ulimit for open files is set and applied large enough, so that's
> not it.

There's nothing magic about the ulimit. An fd_set should size
appropriately for your OS. On my Linux system, FD_SETSIZE happens to
be set to 1024. Reading through the byzantine labyrinth of includes,
it appears that FD_SET has zero boundary-checking, so it's therefore
possible that overflow will occur.

> I tried to switch FD_SET to poll and it seems to work now also for
> sd > 1024:
> 
> struct pollfd pfd_read;
> pfd_read.fd = sd;
> pfd_read.events = POLLOUT;
> rc = poll(&pfd_read, 1, timeout);
> 
> As C/C++ is not my preferred language and I understand the
> internals for mod_jk not well enough for a change like this, I have
> a few questions:
> 
> 1. Is it normal/expected for nb_connect() to evaluate the IF in
> line 284 to TRUE? I wonder if this might be the real cause for my
> problems in the first place.
> 
> 2. In line 305 of the original jk_connect.c there is a FD_ISSET
> inside an IF. Is there an equivalent operation for poll or is the
> whole IF unnecessary then?

IMHO poll() is superior to select() but unfortunately somewhat less
portable (and also requires a bit more maintenance). It means being
able to handle more than some arbitrary limit of fds (1024 in my case).

I'm unsure if the goal for tcnative is to get away from more
dependencies on APR, but presumably APR has a portable-poll() function
of some kind?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
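
The poll() counterpart of the FD_ISSET check asked about in question 2, together with the missing FD_SET bounds check described in the reply, as an added example that is not part of the original messages and not mod_jk code. The names fd_fits_fd_set and wait_connect are hypothetical, and reading SO_ERROR after the wait is an assumption about how the connect result is collected.

```c
/* Added example, not mod_jk code: poll()-based wait for a non-blocking connect(). */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* FD_SET() sets bit `fd` in a fixed FD_SETSIZE-bit array with no bounds
 * check; code that must keep select() has to reject larger descriptors. */
int fd_fits_fd_set(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Hypothetical helper: 0 once the connect on `sd` has completed, otherwise
 * -1 with errno set (ETIMEDOUT on timeout). */
int wait_connect(int sd, int timeout_ms)
{
    struct pollfd pfd = { .fd = sd, .events = POLLOUT, .revents = 0 };
    int rc, err = 0;
    socklen_t len = (socklen_t)sizeof(err);

    do {
        rc = poll(&pfd, 1, timeout_ms);
    } while (rc == -1 && errno == EINTR);
    if (rc == -1) return -1;
    if (rc == 0) { errno = ETIMEDOUT; return -1; }
    if (pfd.revents & POLLNVAL) { errno = EBADF; return -1; }
    /* pfd.revents replaces FD_ISSET(). POLLERR/POLLHUP also wake poll(),
     * so read SO_ERROR for the real outcome of the connect. */
    if (getsockopt(sd, SOL_SOCKET, SO_ERROR, &err, &len) == -1) return -1;
    if (err != 0 || !(pfd.revents & POLLOUT)) {
        errno = err ? err : ENOTCONN;
        return -1;
    }
    return 0;
}

int main(void)
{
    int sv[2];  /* constructed input: an already-connected socket pair */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return 1;
    int hi = fcntl(sv[0], F_DUPFD, FD_SETSIZE);  /* fd number >= FD_SETSIZE */
    if (hi == -1) hi = sv[0];  /* RLIMIT_NOFILE too low: use the small fd */
    printf("fd=%d fits=%d rc=%d\n", hi, fd_fits_fd_set(hi), wait_connect(hi, 100));
    return 0;
}
```

The descriptor limit set with ulimit only decides whether numbers at or above FD_SETSIZE can be handed out; it does not enlarge fd_set, which is why raising it makes the select() path more likely to overflow rather than less.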



Re: mod-jk (1.2.37) crashes Apache 2 (2.4.7) occasionally with a buffer overflow on Ubuntu 14.04 x64

2016-07-05 Thread Michael Diener
Alright, I did my homework this time and worked with a self compiled
version of mod_jk (1.2.41). Still the same error is happening. I traced the
buffer overflow down to line 291 in jk_connect.c (nb_connect):

280>    do {
281>        rc = connect(sd, (const struct sockaddr *)&addr->sa.sin, addr->salen);
282>    } while (rc == -1 && errno == EINTR);
283>
284>    if ((rc == -1) && (errno == EINPROGRESS || errno == EALREADY)
285>        && (timeout > 0)) {
286>        fd_set wfdset;
287>        struct timeval tv;
288>        socklen_t rclen = (socklen_t)sizeof(rc);
289>
290>        FD_ZERO(&wfdset);
*291>       FD_SET(sd, &wfdset);*
292>        tv.tv_sec = timeout / 1000;
293>        tv.tv_usec = (timeout % 1000) * 1000;
294>        rc = select(sd + 1, NULL, &wfdset, NULL, &tv);


From what I understand a buffer overflow would only happen for FD_SET if
the fd_set gets over 1024 descriptors. I made sure that my ulimit for open
files is set and applied large enough, so that's not it.

I tried to switch FD_SET to poll and it seems to work now also for sd >
1024:

struct pollfd pfd_read;
pfd_read.fd = sd;
pfd_read.events = POLLOUT;
rc = poll(&pfd_read, 1, timeout);

As C/C++ is not my preferred language and I understand the internals for
mod_jk not well enough for a change like this, I have a few questions:

1. Is it normal/expected for nb_connect() to evaluate the IF in line 284 to
TRUE? I wonder if this might be the real cause for my problems in the first
place.

2. In line 305 of the original jk_connect.c there is a FD_ISSET inside an
IF. Is there an equivalent operation for poll or is the whole IF
unnecessary then?

Thanks,
Michael


On 30 June 2016 at 12:16, Michael Diener  wrote:

> Thank you Rainer!
>
> On 29 June 2016 at 14:50, Rainer Jung  wrote:
>
>> Can you reproduce? Does it also happen on a test system?
>
>
> It only happens on a live system and I'm not able to reproduce it.
>
>
>
>> Latest we provide in the project is 1.2.41. It is pretty easy to compile
>> yourself and would be an interesting check to see, whether it is just an
>> old already fixed problem.
>
>
>
> You are right, I will test and get back.
>
>
> Best regards,
> Michael



Re: Need help setting up SSL on Tomcat 8

2016-07-05 Thread Sean Son
On Fri, Jul 1, 2016 at 6:14 PM, Daniel Savard wrote:

> 2016-07-01 16:08 GMT-04:00 Christopher Schultz <
> ch...@christopherschultz.net
> >:
>
> >
> > >
> > > Thank you for the reply.  How would I go about specifying the alias
> > > of the certificate?
> >
> > You may have to re-import it, but I've had bad experiences with Java
> > keystores so ALWAYS keep a backup in case you host something.
> >
> > The first item in your keystore certainly looks like a certificate to
> > me. It's the *second* item that is a private key.
> >
> > What if you add these attributes to your connector:
> >
> > keyAlias="root"
> >
> > ?
> >
> > If that doesn't work, try using a tool like Portecle to try to adjust
> > some things (like the "aliases"). It's much better and safer than
> > using keytool IMO. Remember ALWAYS KEEP A BACKUP!
> >
> >
> Chris,
>
> in a keystore, the entry with the certificate created using the private key
> from that keystore is a single entry identified as PrivateKey. If you have
> a single certificate created from a private key in that keystore you will
> have only one entry, not two and it will be labeled as private key.
>
> In fact, it can be checked using the -v option to print details about each
> entry. This should be enough to identify without ambiguity which entry is
> what. This is what I recommend to do in order to understand what really is
> in the keystore. I doubt the alias root with the first entry in the
> keystore is actually the certificate needed here.
>
> Sean,
>
> print the details and you will have the alias and Common Name clearly
> identified on the output in a verbose format. Use the -v option to the
> keytool command for this. No need to post everything here if you are
> unsure.
>
> -
> Daniel Savard
>



Hello Daniel and all

Here is the output.. the full output

http://pastebin.com/AQckw6ig


Re: Suggestions for deploying context.xml for different environments?

2016-07-05 Thread Paul Roubekas
Will the context.xml file meet your requirement?

http://javabeat.net/tomcat-jndi/



On 7/4/2016 10:42 AM, Philip Hachey wrote:
> Hello.  I am seeking some advice for the best ways to deploy Java web
> applications to different Tomcat environments.
>
> In particular, my application requires that a JNDI resource be defined
> for a database, where the database server address and credentials will
> vary depending on the environment the application is deployed to.
>
> * Tomcat: 8.0.36
> * OS: varies depending on the environment deployed to
>
> If I include in the WAR file, a META-INF/context.xml that includes the
> Resource element, Tomcat will use that to create the file:
> $CATALINA_HOME/conf/engine/host/my-application.xml
>
> The context file my-application.xml can then be modified so that the
> Resource settings are appropriate for the environment.
>
> However, if, for any reason, the application is undeployed and then
> re-deployed, my-application.xml will be recreated with the settings as
> they originally appeared in the WAR file.
>
> The options that seem evident to me are:
>
> 1) Create a different WAR file for each environment.  This strikes me
> as a bit onerous.
>
> 2) Use environment variables in my-application.xml such as:
> url="${databaseurl}" and then define those environment variables using
> the Environment element in the GlobalNamingResources of Tomcat's
> server.xml.
>
> Regarding #2, would it be possible to instead use a properties file to
> define the variables?  I assume adding entries to catalina.properties
> would work, but is it possible to define a properties file separate
> from catalina.properties which deals more with system properties
> rather than application properties?
>
> I haven't been able to find a documented standard methodology for
> Tomcat deployments to different environments, but I'm certain there
> must be some common and elegant ways of doing this.  I'm interested in
> hearing what others have done.
>
> Thank you,
> Philip
>




Re: need latest tomcat stable versions

2016-07-05 Thread Violeta Georgieva
Hi

2016-07-05 13:30 GMT+03:00 Vijay Kumar :
>
> Hi Team,
>
> We have a product in production for which we are using Tomcat as the web server.
>
> Now we want to upgrade Tomcat to the latest version where we have
> identified below two versions as the latest one.
>
> Tomcat 8.0.36
> Tomcat 8.5.3
>
> Could you please update whether these are stable enough to use or please
> suggest which one is the stable one to use in Production.
>

Check the links below:
http://tomcat.apache.org/whichversion.html
http://wiki.apache.org/tomcat/TomcatVersions

Regards,
Violeta

>
> Thanks,
> Vijay G


need latest tomcat stable versions

2016-07-05 Thread Vijay Kumar
Hi Team,

We have a product in production for which we are using Tomcat as the web server.

Now we want to upgrade Tomcat to the latest version where we have
identified below two versions as the latest one.

Tomcat 8.0.36
Tomcat 8.5.3

Could you please update whether these are stable enough to use or please
suggest which one is the stable one to use in Production.


Thanks,
Vijay G


Re: Suggestions for deploying context.xml for different environments?

2016-07-05 Thread Christoph Nenning
> Hello.  I am seeking some advice for the best ways to deploy Java web 
> applications to different Tomcat environments.
> 
> In particular, my application requires that a JNDI resource be defined 
> for a database, where the database server address and credentials will 
> vary depending on the environment the application is deployed to.
> 
> * Tomcat: 8.0.36
> * OS: varies depending on the environment deployed to
> 
> If I include in the WAR file, a META-INF/context.xml that includes the 
> Resource element, Tomcat will use that to create the file:
> $CATALINA_HOME/conf/engine/host/my-application.xml
> 
> The context file my-application.xml can then be modified so that the 
> Resource settings are appropriate for the environment.
> 
> However, if, for any reason, the application is undeployed and then 
> re-deployed, my-application.xml will be recreated with the settings as 
> they originally appeared in the WAR file.
> 
> The options that seem evident to me are:
> 
> 1) Create a different WAR file for each environment.  This strikes me as
> a bit onerous.
> 
> 2) Use environment variables in my-application.xml such as:
> url="${databaseurl}" and then define those environment variables using
> the Environment element in the GlobalNamingResources of Tomcat's
> server.xml.
> 
> Regarding #2, would it be possible to instead use a properties file to
> define the variables?  I assume adding entries to catalina.properties
> would work, but is it possible to define a properties file separate from
> catalina.properties which deals more with system properties rather than
> application properties?
> 

We set such system properties in setenv.sh, e.g.:

JAVA_OPTS="$JAVA_OPTS -Ddatabase.password=$DATABASE_PASSWORD"


The environment variable $DATABASE_PASSWORD is used because we wrap our 
applications along with tomcat and jvm in docker images. Operations 
specify environment specific parameters (as database passwords) when they 
launch the docker container with -e switch, e.g.:

docker run -d -e DATABASE_PASSWORD=secret .


Due to docker we don't need context.xml files inside WARs. Instead we have 
application specific tomcat config files in our source trees. Our build 
process includes them in the docker image as top level tomcat config. As 
we build application specific images there is just one app per image and 
thus per tomcat instance.


Of course that is linux only.


regards,
Christoph



> I haven't been able to find a documented standard methodology for Tomcat
> deployments to different environments, but I'm certain there must be
> some common and elegant ways of doing this.  I'm interested in hearing
> what others have done.
> 
> Thank you,
> Philip
> 








Re: Introduction

2016-07-05 Thread Mark Thomas
On 05/07/2016 06:10, Lahiru Wijewardana wrote:
> Hi all,
> 
> I am a 3rd year undergraduate student of the Department of Computer
> Engineering, University of Peradeniya, Sri Lanka. I am interested in open
> source contribution. I picked Tomcat 8 as my new project.
> 
> I have installed Tomcat and used it. I installed ant 1.9.7 and cloned the
> project from the svn repository according to the Building Tomcat page. Now I
> am stuck with building. The downloaded lib is giving an error, ecj-4.5.jar
> can't compile, and when I try to develop it with Eclipse, Eclipse says it
> can't read the ecj-4.5.jar file.

Please provide the exact error message.

It sounds like ecj-4.5.jar is corrupted. Try deleting it and running the
build again. If that doesn't work, you can replace it with an
ecj-4.5.jar from a Tomcat release distribution.

Mark

