[ANN] End of life for Apache Tomcat 8.0.x

2017-06-30 Thread Mark Thomas
Resending with correct dates. Apologies for the noise.

The Apache Tomcat team announces that support for Apache Tomcat 8.0.x
will end on 30 June 2018.

This means that after 30 June 2018:
- releases from the 8.0.x branch are highly unlikely
- bugs affecting only the 8.0.x branch will not be addressed
- security vulnerability reports will not be checked against the 8.0.x
  branch

Three months later (i.e. after 30 September 2018)
- the 8.0.x download links will be removed
- the latest 8.0.x release will be removed from the mirror system
- the 8.0.x branch in svn will move from /tomcat/tc8.0.x to
  /tomcat/archive/tc8.0.x
- the links to the 8.0.x documentation will be removed from
  tomcat.apache.org

Note that all 8.0.x releases will always be available from the archive.

It is anticipated that the final 8.0.x release will be made shortly
before 30 June 2018.

The Tomcat team is aware that a number of Linux distributions support
Tomcat 8.0.x and that that support for Tomcat 8.0.x is scheduled to
continue in those distributions beyond June 2018. The Tomcat team will
therefore:
- work with those distributions to address any issues preventing the
  update to 8.5.x from 8.0.x
- where an update to 8.5.x is not possible, the Tomcat team will
  endeavour to provide advice on back-porting security fixes to 8.0.x

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: [ANN] End of life for Apache Tomcat 8.0.x

2017-06-30 Thread Mark Thomas
On 30/06/17 22:47, Bob Hall wrote:
> On Friday, June 30, 2017 2:32 PM, Mark Thomas  wrote:
>
> The Apache Tomcat team announces that support for Apache Tomcat 8.0.x
> will end on 30 June 2018.
>
> This means that after 30 June 2018:
> - releases from the 8.0.x branch are highly unlikely
> - bugs affecting only the 8.0.x branch will not be addressed
> - security vulnerability reports will not be checked against the 8.0.x
>   branch
>
> Three months later (i.e. after 30 September 2017)
> - the 8.0.x download links will be removed
> - the latest 8.0.x release will be removed from the mirror system
> - the 8.0.x branch in svn will move from /tomcat/tc8.0.x to
>   /tomcat/archive/tc8.0.x
> - the links to the 8.0.x documentation will be removed from
>   tomcat.apache.org
>
> Note that all 8.0.x releases will always be available from the archive.
>
> It is anticipated that the final 8.0.x release will be made shortly
> before 30 June 2016.
>
> The Tomcat team is aware that a number of Linux distributions support
> Tomcat 8.0.x and that that support for Tomcat 8.0.x is scheduled to
> continue in those distributions beyond June 2018. The Tomcat team will
> therefore:
> - work with those distributions to address any issues preventing the
>   update to 8.5.x from 8.0.x
> - where an update to 8.5.x is not possible, the Tomcat team will
>   endeavour to provide advice on back-porting security fixes to 8.0.x
>
> ===
> Hi Mark,
> Seems to be something amiss with the year values in this EOL message?

Thanks. Copy and paste error on my part. I'll fix that and resend.
Thanks for the heads up.

Mark




Re: [ANN] End of life for Apache Tomcat 8.0.x

2017-06-30 Thread Bob Hall
On Friday, June 30, 2017 2:32 PM, Mark Thomas  wrote:
 

 
The Apache Tomcat team announces that support for Apache Tomcat 8.0.x
will end on 30 June 2018.

This means that after 30 June 2018:
- releases from the 8.0.x branch are highly unlikely
- bugs affecting only the 8.0.x branch will not be addressed
- security vulnerability reports will not be checked against the 8.0.x
  branch

Three months later (i.e. after 30 September 2017)
- the 8.0.x download links will be removed
- the latest 8.0.x release will be removed from the mirror system
- the 8.0.x branch in svn will move from /tomcat/tc8.0.x to
  /tomcat/archive/tc8.0.x
- the links to the 8.0.x documentation will be removed from
  tomcat.apache.org

Note that all 8.0.x releases will always be available from the archive.

It is anticipated that the final 8.0.x release will be made shortly
before 30 June 2016.

The Tomcat team is aware that a number of Linux distributions support
Tomcat 8.0.x and that that support for Tomcat 8.0.x is scheduled to
continue in those distributions beyond June 2018. The Tomcat team will
therefore:
- work with those distributions to address any issues preventing the
  update to 8.5.x from 8.0.x
- where an update to 8.5.x is not possible, the Tomcat team will
  endeavour to provide advice on back-porting security fixes to 8.0.x

===
Hi Mark,
Seems to be something amiss with the year values in this EOL message?
- Bob


   

[ANN] End of life for Apache Tomcat 8.0.x

2017-06-30 Thread Mark Thomas
The Apache Tomcat team announces that support for Apache Tomcat 8.0.x
will end on 30 June 2018.

This means that after 30 June 2018:
- releases from the 8.0.x branch are highly unlikely
- bugs affecting only the 8.0.x branch will not be addressed
- security vulnerability reports will not be checked against the 8.0.x
  branch

Three months later (i.e. after 30 September 2017)
- the 8.0.x download links will be removed
- the latest 8.0.x release will be removed from the mirror system
- the 8.0.x branch in svn will move from /tomcat/tc8.0.x to
  /tomcat/archive/tc8.0.x
- the links to the 8.0.x documentation will be removed from
  tomcat.apache.org

Note that all 8.0.x releases will always be available from the archive.

It is anticipated that the final 8.0.x release will be made shortly
before 30 June 2016.

The Tomcat team is aware that a number of Linux distributions support
Tomcat 8.0.x and that that support for Tomcat 8.0.x is scheduled to
continue in those distributions beyond June 2018. The Tomcat team will
therefore:
- work with those distributions to address any issues preventing the
  update to 8.5.x from 8.0.x
- where an update to 8.5.x is not possible, the Tomcat team will
  endeavour to provide advice on back-porting security fixes to 8.0.x




Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-06-30 Thread Christopher Schultz
Todd,

On 6/30/17 1:30 PM, Todd wrote:
> Christopher Schultz-2 wrote
>> Yup: if you use iptables (ipchains hasn't been used in ...
>> decades?) to do port-redirection, then you are in fact hitting
>> Tomcat / JVM (essentially) directly.
> 
> Yes - iptables, sorry brain fart.
> 
> 
> Christopher Schultz-2 wrote
>> Can you confirm whether or not you are using the OpenSSL
>> provider?
> 
> How can I verify my provider?
> 
> 
> Christopher Schultz-2 wrote
>> What version of OpenSSL are you using? These cipher suites should
>> have well-known names and numeric identifiers (which is how the
>> TLS handshake works), but it looks like the cipher suite names
>> are somehow being confused.
> 
> OpenSSL 1.0.2g
> 
> 
> Christopher Schultz-2 wrote
>> What happens if you narrow your cipher suite list down to a
>> single cipher? Does ssllabs report just a single available cipher
>> (even if it's not the one you configured)?
>> 
>> - -chris
> 
> Whether I put in a single cipher, literal garbage text, or the list
> that I want - ssllabs reports the same list of ciphers detected as
> I posted above. I also get the same cipher on Chrome that is not in
> the list I'm putting in my configuration as well.

This really sounds like something else is going on.

Are you *sure* that your hostname/IP from the outside world is really
routing to the place you think it is?

- -chris



AW: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-06-30 Thread logo
Todd

>> Peter Kreuser wrote
>>> 
>>> Can you provide a clean configuration that exhibits this behavior?
>>> 
>>> What are you using to test the effective configuration?
>> 
>> Another question: are you sure that you hit the Connector that you
>> configure? Tomcat should be reasonably configured in defaults with a
>> current JDK...
>> 
>> 8443 or the like are not scanned with ssllabs! So it may as well hit an
>> apache on the same machine!
>> 
>> Can you show detail on what ssllabs is complaining about?
>> 
>> Best regards
>> 
>> Peter
> 
> Thank you Peter and Chris.
> 
> I'm utilizing ssllabs to check as well as just going to the site with Chrome
> and looking in developer tools to see the protocol that was selected.
> 
> I understand that 8443 is not a normal port, I'm using ipchains to redirect
> traffic from 443 to 8443.  I believe that traffic is specifically hitting
> this webserver, as changes such as adding SSL or removing TLS 1.0 in the
> configuration file take immediate effect after restarting the Tomcat
> service.
> 
> My current SSLHostConfig looks like this:
> 
>honorCipherOrder="true" 
>ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384, 
> TLS_RSA_WITH_AES_256_CBC_SHA256, 
> TLS_RSA_WITH_AES_256_CBC_SHA, 
> TLS_RSA_WITH_AES_128_GCM_SHA256, 
> TLS_RSA_WITH_AES_128_CBC_SHA256, 
> TLS_RSA_WITH_AES_128_CBC_SHA, 
> TLS_RSA_WITH_3DES_EDE_CBC_SHA, 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"> 
>certificateKeystorePassword="" 
>type="RSA" /> 
>
> 
> But ssllabs reports the following ciphers:
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> 
> None of these ciphers are included in my list, and changes to my cipher list
> have no effect at all on what is displayed by ssllabs.
> 
> I'm stuck, so any ideas or guidance is appreciated, thank you!
> -Todd
> 

Tomcat 8.5.14   
OpenJDK on debian stretch 1.8.0_131 


Using your conf I get the following - which is exactly what you ask for:

A- with:

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH sect571r1 (eq. 15360 bits RSA)   FS   128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH sect571r1 (eq. 15360 bits RSA)   FS   256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK   112

These include the numbers Chris is referring to.

- YIKES, do you need 3DES for IE8? Put that last with honorCipherOrder=true,
  then SSLlabs will not punish you in the ranking.
- the cipher list is not optimal - as you are ranked A- with "The server does
  not support Forward Secrecy with the reference browsers. Grade reduced to A-."
  but we'll work on that later





   

It would be interesting to get more details on the connector and the underlying 
java version. We can see your SSL provider in the Connector... 

BTW I do a NAT port forwarding from 443 to 8443.

Best regards

Peter
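
The comparison this thread keeps coming back to, as an added example that is not part of the original messages: it reads the `ciphers` attribute of an `SSLHostConfig` element and checks it against the suites a scanner reported, so that any suite outside the configured list is flagged as a sign that the scanned listener is not enforcing this configuration. The cipher names are the ones quoted in the thread; the `Connector` wrapper, the function names and the verdict labels are assumptions made for illustration.

```python
"""Added example: compare the cipher suites configured in a Tomcat
<SSLHostConfig> with the suites a scanner reported for the public address."""
import xml.etree.ElementTree as ET

# Constructed server.xml fragment. The ciphers value is the list quoted in the
# thread; the Connector attributes are placeholders, not taken from the thread.
SERVER_XML = """
<Connector port="8443" SSLEnabled="true">
  <SSLHostConfig honorCipherOrder="true"
      ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
               TLS_RSA_WITH_AES_256_CBC_SHA256,
               TLS_RSA_WITH_AES_256_CBC_SHA,
               TLS_RSA_WITH_AES_128_GCM_SHA256,
               TLS_RSA_WITH_AES_128_CBC_SHA256,
               TLS_RSA_WITH_AES_128_CBC_SHA,
               TLS_RSA_WITH_3DES_EDE_CBC_SHA,
               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
               TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
    <Certificate type="RSA" />
  </SSLHostConfig>
</Connector>
"""

# Suites the scanner listed for the public address in Todd's report.
SCAN_PUBLIC = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

# Suites Peter's scan listed when he ran the same ciphers value on 8.5.14.
SCAN_REFERENCE = [
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Name fragments treated as weak here (3DES is the one the scan marks WEAK).
WEAK_MARKERS = ("3DES", "_DES_", "RC4", "NULL", "EXPORT", "MD5")


def configured_ciphers(server_xml):
    """Return the suite names from every SSLHostConfig, in configured order."""
    names = []
    for host in ET.fromstring(server_xml).iter("SSLHostConfig"):
        value = host.get("ciphers", "")
        if ":" in value or "!" in value:
            # OpenSSL-style expression (e.g. HIGH:!aNULL): the TLS library
            # must expand it before suite names can be compared.
            raise ValueError("OpenSSL cipher expression, not a name list")
        names += [n.strip() for n in value.split(",") if n.strip()]
    return names


def is_weak(name):
    return any(marker in name for marker in WEAK_MARKERS)


def has_forward_secrecy(name):
    return name.startswith(("TLS_ECDHE_", "TLS_DHE_"))


def diagnose(configured, observed):
    """Classify a scan result against the configured list."""
    cfg, obs = set(configured), set(observed)
    unexpected = [s for s in observed if s not in cfg]   # offered, not allowed
    missing = [s for s in configured if s not in obs]    # allowed, not offered
    overlap = [s for s in configured if s in obs]
    if unexpected:
        # A listener that enforces the list can never offer these suites:
        # another endpoint answered, or the ciphers value is not applied.
        verdict = "config-not-in-effect"
    elif missing:
        verdict = "subset"   # provider lacks some of the configured suites
    else:
        verdict = "match"
    return {"verdict": verdict, "unexpected": unexpected,
            "missing": missing, "overlap": overlap}


def order_findings(configured):
    """With honorCipherOrder=true, list order is the server's preference."""
    findings = []
    weak = [i for i, n in enumerate(configured) if is_weak(n)]
    strong = [i for i, n in enumerate(configured) if not is_weak(n)]
    if weak and strong and min(weak) < max(strong):
        findings.append("weak-suite-not-last")
    fs = [i for i, n in enumerate(configured) if has_forward_secrecy(n)]
    if not fs:
        findings.append("no-forward-secrecy")
    elif min(fs) > 0:
        findings.append("non-fs-preferred")
    return findings


if __name__ == "__main__":
    cfg = configured_ciphers(SERVER_XML)
    print(diagnose(cfg, SCAN_PUBLIC))
    print(diagnose(cfg, SCAN_REFERENCE)["verdict"], order_findings(cfg))
```
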





Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-06-30 Thread Todd
Christopher Schultz-2 wrote
> Yup: if you use iptables (ipchains hasn't been used in ... decades?) 
> to do port-redirection, then you are in fact hitting Tomcat / JVM 
> (essentially) directly. 

Yes - iptables, sorry brain fart.


Christopher Schultz-2 wrote
> Can you confirm whether or not you are using the OpenSSL provider?

How can I verify my provider?


Christopher Schultz-2 wrote
> What version of OpenSSL are you using? These cipher suites should have
> well-known names and numeric identifiers (which is how the TLS
> handshake works), but it looks like the cipher suite names are somehow
> being confused.

OpenSSL 1.0.2g


Christopher Schultz-2 wrote
> What happens if you narrow your cipher suite list down to a single
> cipher? Does ssllabs report just a single available cipher (even if
> it's not the one you configured)?
> 
> - -chris

Whether I put in a single cipher, literal garbage text, or the list that I
want - ssllabs reports the same list of ciphers detected as I posted above. 
I also get the same cipher on Chrome that is not in the list I'm putting in
my configuration as well.



--
View this message in context: 
http://tomcat.10.x6.nabble.com/8-5-11-8-5-14-using-SSLHostConfig-protocols-and-ciphers-list-ignored-tp5062900p5064960.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: Tomcat 8.5.16 - can't use Java keystore with multiple entries having different keypass for each entry?

2017-06-30 Thread Christopher Schultz
Frank,

On 6/30/17 8:43 AM, Frank Taffelt wrote:
> Hi all,
> 
> while playing with some ssl setups I stumbled upon the following
> behaviour that seems like a bug to me? As long as all key entries in
> a keystore have the same password all is fine. Using entries with
> different passwords, Tomcat doesn't start up.
> 
> For testing: At first create 2 different keystores (same.jks and
> different.jks) having each 2 entries:
> 
> # create 2 entries with same keypass for each entry
> keytool -genkeypair -alias tomcat1 -storepass storepass -keystore same.jks
>   -keyalg RSA -keypass keypass -ext san=dns:tomcat1 -dname CN=tomcat1
> keytool -genkeypair -alias tomcat2 -storepass storepass -keystore same.jks
>   -keyalg RSA -keypass keypass -ext san=dns:tomcat2 -dname CN=tomcat2
>
> # create 2 entries with different keypass for each entry
> keytool -genkeypair -alias tomcat1 -storepass storepass -keystore different.jks
>   -keyalg RSA -keypass tomcat1 -ext san=dns:tomcat1 -dname CN=tomcat1
> keytool -genkeypair -alias tomcat2 -storepass storepass -keystore different.jks
>   -keyalg RSA -keypass tomcat2 -ext san=dns:tomcat2 -dname CN=tomcat2

What is the password for the keystore itself?

> setup a SSL Connector to use that keystore:
> 
>  secure="true" SSLEnabled="true"
>> 
>   ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA" 
> protocols="all">
> 
>   certificateKeystoreFile="different.jks" 
> certificateKeystorePassword="storepass" 
> certificateKeyAlias="tomcat2" certificateKeystoreType="JKS" 
> certificateKeyPassword="tomcat2" type="RSA" />

... and why don't you have the keystore password set, here? Or did you
just use "changeit"?

- -chris



Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-06-30 Thread Christopher Schultz
Todd,

On 6/30/17 10:21 AM, Todd wrote:
> Peter Kreuser wrote
>>> 
>>> Can you provide a clean configuration that exhibits this
>>> behavior?
>>> 
>>> What are you using to test the effective configuration?
>> 
>> Another question: are you sure that you hit the Connector that
>> you configure? Tomcat should be reasonably configured in defaults
>> with a current JDK...
>> 
>> 8443 or the like are not scanned with ssllabs! So it may as well
>> hit an apache on the same machine!
>> 
>> Can you show detail on what ssllabs is complaining about?
>> 
>> Best regards
>> 
>> Peter
> 
> Thank you Peter and Chris.
> 
> I'm utilizing ssllabs to check as well as just going to the site
> with Chrome and looking in developer tools to see the protocol that
> was selected.
> 
> I understand that 8443 is not a normal port, I'm using ipchains to
> redirect traffic from 443 to 8443.  I believe that traffic is
> specifically hitting this webserver, as changes such as adding SSL
> or removing TLS 1.0 in the configuration file take immediate effect
> after restarting the Tomcat service.

Yup: if you use iptables (ipchains hasn't been used in ... decades?)
to do port-redirection, then you are in fact hitting Tomcat / JVM
(essentially) directly.

> My current SSLHostConfig looks like this:
> 
>  honorCipherOrder="true" ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384, 
> TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, 
> TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, 
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">  certificateKeystoreFile="" certificateKeystorePassword="" 
> type="RSA" /> 

So, with that configuration you should get an NIO connector and, if
libtcnative is nearby, you should get the OpenSSL crypto provider.

> But ssllabs reports the following ciphers: 
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> 
> None of these ciphers are included in my list, and changes to my
> cipher list have no effect at all on what is displayed by ssllabs.
> 
> I'm stuck, so any ideas or guidance is appreciated, thank you!

Can you confirm whether or not you are using the OpenSSL provider?

What version of OpenSSL are you using? These cipher suites should have
well-known names and numeric identifiers (which is how the TLS
handshake works), but it looks like the cipher suite names are somehow
being confused.

What happens if you narrow your cipher suite list down to a single
cipher? Does ssllabs report just a single available cipher (even if
it's not the one you configured)?

- -chris



Re: Tomcat managed server

2017-06-30 Thread Subhro Paul

Thanks & Regards
Subhro Paul
Tata Consultancy Services
Cell:- +919051415167
Mailto: subhro.p...@tcs.com
Website: http://www.tcs.com




-Niranjan Babu Bommu  wrote: -
To: Tomcat Users List 
From: Niranjan Babu Bommu 
Date: 06/30/2017 12:08PM
Subject: Re: Tomcat managed server

Hi Subhro,

The Tomcat documentation has all the info you are looking for.

https://tomcat.apache.org/tomcat-7.0-doc/RUNNING.txt
https://tomcat.apache.org/tomcat-8.0-doc/RUNNING.txt

look for "Advanced Configuration - Multiple Tomcat Instances" in that page.

thanks
Niranjan

On Fri, Jun 30, 2017 at 11:18 AM, Subhro Paul  wrote:

> -Christopher Schultz  wrote: -
> To: users@tomcat.apache.org
> From: Christopher Schultz 
> Date: 06/29/2017 12:35PM
> Subject: Re: Tomcat managed server
>
> Subhro,
>
> On 6/29/17 11:57 AM, Subhro Paul wrote:
> > Can you tell me if we can create managed server in tomcat like we
> > can do in Weblogic server?
> >
> > I have Googled that and found information which is about setting
> > up different tomcat instances but not the managed server which we
> > can do in Weblogic.
> For those of us unfamiliar with WebLogic... can you explain what a
> "managed server in Tomcat" is?
>
> - -chris
>
> Hi Chris,
> Managed Server is like instance of a server. Like one single Tomcat
> installation can have multiple instances. Each instance can run separately
> and can have different setup and configuration. You can configure them as a
> cluster as well. But all this instance is linked with single server. But i
> am not sure if Tomcat support that facility.
>
> Thanks,
> Subhro Paul
>
> =-=-=
> Notice: The information contained in this e-mail
> message and/or attachments to it may contain
> confidential or privileged information. If you are
> not the intended recipient, any dissemination, use,
> review, distribution, printing or copying of the
> information contained in this e-mail message
> and/or attachments to it are strictly prohibited. If
> you have received this communication in error,
> please notify us by reply e-mail or telephone and
> immediately and permanently delete the message
> and any attachments. Thank you
>
>
>


-- 
*Thanks*
*Niranjan*


Thanks Niranjan. That information helps me.

Thanks & Regards,
Subhro

Re: Tomcat managed server

2017-06-30 Thread Niranjan Babu Bommu
Hi Subhro,

The Tomcat documentation has all the info you are looking for.

https://tomcat.apache.org/tomcat-7.0-doc/RUNNING.txt
https://tomcat.apache.org/tomcat-8.0-doc/RUNNING.txt

look for "Advanced Configuration - Multiple Tomcat Instances" in that page.

thanks
Niranjan

On Fri, Jun 30, 2017 at 11:18 AM, Subhro Paul  wrote:

> -Christopher Schultz  wrote: -
> To: users@tomcat.apache.org
> From: Christopher Schultz 
> Date: 06/29/2017 12:35PM
> Subject: Re: Tomcat managed server
>
> Subhro,
>
> On 6/29/17 11:57 AM, Subhro Paul wrote:
> > Can you tell me if we can create managed server in tomcat like we
> > can do in Weblogic server?
> >
> > I have Googled that and found information which is about setting
> > up different tomcat instances but not the managed server which we
> > can do in Weblogic.
> For those of us unfamiliar with WebLogic... can you explain what a
> "managed server in Tomcat" is?
>
> - -chris
>
> Hi Chris,
> Managed Server is like instance of a server. Like one single Tomcat
> installation can have multiple instances. Each instance can run separately
> and can have different setup and configuration. You can configure them as a
> cluster as well. But all this instance is linked with single server. But i
> am not sure if Tomcat support that facility.
>
> Thanks,
> Subhro Paul
>
>
>
>


-- 
*Thanks*
*Niranjan*


Re: Tomcat managed server

2017-06-30 Thread Subhro Paul
-Christopher Schultz  wrote: -
To: users@tomcat.apache.org
From: Christopher Schultz 
Date: 06/29/2017 12:35PM
Subject: Re: Tomcat managed server

Subhro,

On 6/29/17 11:57 AM, Subhro Paul wrote:
> Can you tell me if we can create managed server in tomcat like we
> can do in Weblogic server?
> 
> I have Googled that and found information which is about setting
> up different tomcat instances but not the managed server which we
> can do in Weblogic.
For those of us unfamiliar with WebLogic... can you explain what a
"managed server in Tomcat" is?

- -chris

Hi Chris,
Managed Server is like an instance of a server. Like one single Tomcat
installation can have multiple instances. Each instance can run separately and
can have different setup and configuration. You can configure them as a cluster
as well. But all these instances are linked with a single server. But I am not
sure if Tomcat supports that facility.

Thanks,
Subhro Paul





Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-06-30 Thread Todd
Peter Kreuser wrote
>> 
>> Can you provide a clean configuration that exhibits this behavior?
>> 
>> What are you using to test the effective configuration?
> 
> Another question: are you sure that you hit the Connector that you
> configure? Tomcat should be reasonably configured in defaults with a
> current JDK...
> 
> 8443 or the like are not scanned with ssllabs! So it may as well hit an
> apache on the same machine!
> 
> Can you show detail on what ssllabs is complaining about?
> 
> Best regards
> 
> Peter

Thank you Peter and Chris.

I'm utilizing ssllabs to check as well as just going to the site with Chrome
and looking in developer tools to see the protocol that was selected.

I understand that 8443 is not a normal port, I'm using ipchains to redirect
traffic from 443 to 8443.  I believe that traffic is specifically hitting
this webserver, as changes such as adding SSL or removing TLS 1.0 in the
configuration file take immediate effect after restarting the Tomcat
service.

My current SSLHostConfig looks like this:

 
 


But ssllabs reports the following ciphers:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

None of these ciphers are included in my list, and changes to my cipher list
have no effect at all on what is displayed by ssllabs.

I'm stuck, so any ideas or guidance is appreciated, thank you!
-Todd



--
View this message in context: 
http://tomcat.10.x6.nabble.com/8-5-11-8-5-14-using-SSLHostConfig-protocols-and-ciphers-list-ignored-tp5062900p5064952.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




Tomcat 8.5.16 - can't use Java keystore with multiple entries having different keypass for each entry?

2017-06-30 Thread Frank Taffelt
Hi all,

while playing with some ssl setups I stumbled upon the following behaviour that
seems like a bug to me?
As long as all key entries in a keystore have the same password all is fine.
Using entries with different passwords, Tomcat doesn't start up.

For testing:
At first create 2 different keystores (same.jks and different.jks) having each 
2 entries:

# create 2 entries with same keypass for each entry
keytool -genkeypair -alias tomcat1 -storepass storepass  -keystore same.jks  
-keyalg RSA -keypass keypass  -ext san=dns:tomcat1 -dname CN=tomcat1
keytool -genkeypair -alias tomcat2 -storepass storepass  -keystore same.jks  
-keyalg RSA -keypass keypass  -ext san=dns:tomcat2 -dname CN=tomcat2

# create 2 entries with different keypass for each entry
keytool -genkeypair -alias tomcat1 -storepass storepass  -keystore 
different.jks  -keyalg RSA -keypass tomcat1  -ext san=dns:tomcat1 -dname 
CN=tomcat1
keytool -genkeypair -alias tomcat2 -storepass storepass  -keystore 
different.jks  -keyalg RSA -keypass tomcat2  -ext san=dns:tomcat2 -dname 
CN=tomcat2

setup a SSL Connector to use that keystore:












using the config snippet tomcat fails on startup with the following exception:
java.lang.IllegalArgumentException: java.security.UnrecoverableKeyException: Cannot recover key
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146)
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
    at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
    at java.security.KeyStore.getKey(KeyStore.java:1023)
    at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:216)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
    ... 20 more





Re: Change socket timeout in server side

2017-06-30 Thread Christopher Schultz

Ivan,

On 6/29/17 9:32 PM, Yin, Ivan wrote:
> I am using Tomcat7 and have deployed a web server on it.
> 
> Currently the client side is running into the error 
> “*java.net.SocketTimeoutException: Read timed out*” after running 
> the web service for one minute.
> 
> I understand that this can be set in the client side but I would
> like to change this default value in the server side. Is it
> possible?

No.

> I have found a related page as below:
> 
> https://axis.apache.org/axis2/java/core/docs/http-transport.html
> 
> Two timeout instances exist in the transport level, Socket timeout 
> and Connection timeout. These can be configured either at
> deployment or run time. If configuring at deployment time, the user
> has to add the following lines in axis2.xml.
> 
> For Socket timeout:
> 
> some_integer_value
> 
> According to this, I tried to add this line in the axis2.xml file 
> and restart tomcat but it didn’t work. Has anyone done this before
> or is there any way to change it in the server side?
> 
> Any comment would be appreciated.

You can't change client TCP settings from the server.

The two timeouts mentioned there are for two different socket
operations: connection and read-after-the-connection-has-been-made.
There are two timeouts because sometimes your connection to a server
might have to wait in line (called the "backlog") to acquire a
connection, but once connected you think that communication should be
pretty fast. So you can set a connect-timeout of e.g. 60 seconds but
then a socket timeout (read) of maybe 5 seconds.

But the server cannot tell the client "your read timeout should be
30s" -- at least, not as a part of TCP. If you want to do that at the
application layer, you are free to do so. For example, if you were
using HTTP and knew that the response headers would be available to
the client very quickly but that the complete response might take a
long time to generate and send to the client, you might be able to set
a response header like:

  X-Client-Timeout-Hint: 12

Since I'm making this up, I chose ms as the unit, so 12 = 2 minutes.

The client would make the connection, read the headers, and then,
seeing the X-Client-Timeout-Hint header, would change its own socket
timeout setting and then make subsequent reads.

There are no clients I know of that implement anything like this
automatically, so you'd have to customize all your clients.

-chris

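The two timeouts and the application-level hint described in the reply above, as an added Java example that is not part of the original post or of Tomcat or Axis2. The class name, the constants and the 5-minute cap on the hint are assumptions; the local server and its hint value of 10000 ms are constructed for the demonstration.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;

public class TimeoutHintDemo {
    static final String HINT = "X-Client-Timeout-Hint:"; // made-up header from the post
    static final int CONNECT_MS = 60_000;   // connect timeout: time spent waiting in the backlog
    static final int READ_MS = 5_000;       // default socket (read) timeout, SO_TIMEOUT
    static final int MAX_HINT_MS = 300_000; // assumed cap: the server's hint is only advice
    // Hint is in milliseconds, as in the post; missing or invalid values keep the default.
    static int effectiveTimeout(String hint) {
        try {
            int ms = Integer.parseInt(hint == null ? "" : hint.trim());
            return ms <= 0 ? READ_MS : Math.min(ms, MAX_HINT_MS);
        } catch (NumberFormatException e) { return READ_MS; }
    }
    static String fetch(String host, int port) throws IOException {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), CONNECT_MS);
            s.setSoTimeout(READ_MS); // headers are expected quickly
            s.getOutputStream().write("GET / HTTP/1.0\r\n\r\n".getBytes(StandardCharsets.US_ASCII));
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(s.getInputStream(), StandardCharsets.ISO_8859_1));
            String hint = null;
            for (String l; (l = in.readLine()) != null && !l.isEmpty(); )
                if (l.regionMatches(true, 0, HINT, 0, HINT.length())) hint = l.substring(HINT.length());
            s.setSoTimeout(effectiveTimeout(hint)); // governs every read from here on
            StringBuilder body = new StringBuilder();
            for (int c; (c = in.read()) != -1; ) body.append((char) c);
            return body.toString();
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed local server: headers at once, body 6 s later (longer than READ_MS).
        try (ServerSocket srv = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            Thread t = new Thread(() -> {
                try (Socket c = srv.accept()) {
                    c.getInputStream().read(new byte[1024]); // consume the request
                    c.getOutputStream().write(("HTTP/1.0 200 OK\r\n" + HINT + " 10000\r\n\r\n").getBytes(StandardCharsets.US_ASCII));
                    Thread.sleep(6_000);
                    c.getOutputStream().write("done\n".getBytes(StandardCharsets.US_ASCII));
                } catch (Exception e) { throw new RuntimeException(e); }
            });
            t.start();
            System.out.print(fetch("127.0.0.1", srv.getLocalPort()));
            t.join();
        }
    }
}
```

Without the hint the body read would fail with `java.net.SocketTimeoutException: Read timed out` after 5 seconds; clamping the hint keeps a misbehaving server from holding the client's socket open indefinitely.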



Re: RemoteEndpoint.Async sendText blocking

2017-06-30 Thread Christopher Schultz



On 6/29/17 5:22 PM, Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
>> Subject: Re: RemoteEndpoint.Async sendText blocking
> 
>> When the BIO connector is in use, you end up with weird things
>> like this. I would switch to BIO if you want to use async.
> 
> Might want to rephrase that...  Presumably Chris meant "switch to
> NIO".

In fact, I did intend to say NIO. :)

> Note that the BIO connector is removed (yay!) in Tomcat 8.5 and
> above.

Yes, and I think most of the bugs have also finally been worked out.
(*ducks*)

-chris
