Re: CONNECTION_CLOSED 200 Error with HTTP/2 Enabled

2019-05-22 Thread Tom Coudyzer
Thanks Mark,

Will have a look to enable debug mode. Probably need to do some
investigation as Tomcat is embedded in the full product and probably some
standard logging configuration is changed.

Tom

On Wed, May 22, 2019 at 5:01 PM Mark Thomas  wrote:

> On 22/05/2019 15:47, Tom Coudyzer wrote:
> > Hi,
> >
> > We wanted to upgrade our application to start using HTTP/2. We added the
> > necessary and we see that the browser is using HTTP/2 in the browsers'
> > development tools.
> >
> > However since we activated it we get random CONNECTION_CLOSED 200 Errors
> in
> > Chrome. It's not always on the same files and sometimes there are more,
> > sometimes there are less, sometimes it works. When we disable HTTP/2
> > (remove the upgradeprotocol tag) everything works fine.
> >
> > We are running Tomcat 9.0.20 (x64) on a Windows Server 2008 R2 server.
> >
> > Did we configure something incorrectly, is this an HTTP/2 issue or should
> > we look at network issues on our end?
> >
> > If you need more information or we need to run something to be able to
> > troubleshoot it better please let me know.
> >
> > Help is much appreciated !
>
> You can try enabling debug logging if the issue is fairly easy to
> reproduce. That might shed some light on what Tomcat is doing and why.
>
> There are also some HTTP/2 fixes due in the next set of releases that
> might help.
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


RE: OCSP with openSSL

2019-05-22 Thread Усманов Азат Анварович
Chris,
[root] ~# openssl version
OpenSSL 1.1.1a  20 Nov 2018
[root] ~# openssl help
Standard commands
asn1parse         ca                ciphers           cms
crl               crl2pkcs7         dgst              dhparam
dsa               dsaparam          ec                ecparam
enc               engine            errstr            gendsa
genpkey           genrsa            help              list
nseq              ocsp              passwd            pkcs12
pkcs7             pkcs8             pkey              pkeyparam
pkeyutl           prime             rand              rehash
req               rsa               rsautl            s_client
s_server          s_time            sess_id           smime
speed             spkac             srp               storeutl
ts                verify            version           x509

Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        gost              md4
md5               mdc2              rmd160            sha1
sha224            sha256            sha3-224          sha3-256
sha3-384          sha3-512          sha384            sha512
sha512-224        sha512-256        shake128          shake256
sm3

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64
bf                bf-cbc            bf-cfb            bf-ecb
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb
cast5-ofb         des               des-cbc           des-cfb
des-ecb           des-ede           des-ede-cbc       des-ede-cfb
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
des-ede3-ofb      des-ofb           des3              desx
idea              idea-cbc          idea-cfb          idea-ecb
idea-ofb          rc2               rc2-40-cbc        rc2-64-cbc
rc2-cbc           rc2-cfb           rc2-ecb           rc2-ofb
rc4               rc4-40            seed              seed-cbc
seed-cfb          seed-ecb          seed-ofb          sm4-cbc
sm4-cfb           sm4-ctr           sm4-ecb           sm4-ofb
zlib

[root] ~# openssl ocsp -help
Usage: ocsp [options]
Valid options are:
 -help                    Display this summary
 -out outfile             Output filename
 -timeout +int            Connection timeout (in seconds) to the OCSP responder
 -url val                 Responder URL
 -host val                TCP/IP hostname:port to connect to
 -port +int               Port to run responder on
 -ignore_err              Ignore error on OCSP request or response and continue running
 -noverify                Don't verify response at all
 -nonce                   Add OCSP nonce to request
 -no_nonce                Don't add OCSP nonce to request
 -resp_no_certs           Don't include any certificates in response
 -resp_key_id             Identify response by signing certificate key ID
 -multi +int              run multiple responder processes
 -no_certs                Don't include any certificates in signed request
 -no_signature_verify     Don't check signature on response
 -no_cert_verify          Don't check signing certificate
 -no_chain                Don't chain verify response
 -no_cert_checks          Don't do additional checks on signing certificate
 -no_explicit             Do not explicitly check the chain, just verify the root
 -trust_other             Don't verify additional certificates
 -no_intern               Don't search certificates contained in response for signer
 -badsig                  Corrupt last byte of loaded OSCP response signature (for test)
 -text                    Print text form of request and response
 -req_text                Print text form of request
 -resp_text               Print text form of response
 -reqin val               File with the DER-encoded request
 -respin val              File with the DER-encoded response
 -signer infile           Certificate to sign OCSP request with
 -VAfile infile           Validator certificates file
 -sign_other infile       Additional certificates to include in signed request
 -verify_other infile     Additional certificates to search for signer
 -CAfile infile           Trusted certificates file
 -CApath infile           Trusted certificates directory
 -no-CAfile               Do not load the default certificates file
 -no-CApath               Do not load certificates from the default certificates directory
 -validity_period ulong   Maximum validity discrepancy in seconds
 -status_age +int 

Re: OCSP with openSSL

2019-05-22 Thread Christopher Schultz

Усманов,

On 5/22/19 07:28, Усманов Азат Анварович wrote:
> Mark,  I installed it  just   by  downloading  tcnative src  tar.gz
> file from tomcat  website and issued  ./configure
> --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79
> -with-ssl=/usr/local/openssl && make && make install && make clean 
> I'm not sure  how to specify any ocsp related configure options
> when building tomcat nativefrom source

What is your OpenSSL version and capabilities?

$ openssl version

$ openssl -help

$ openssl ocsp -help

- -chris

> From: Mark Thomas
> Sent: 22 May 2019 13:41
> To: users@tomcat.apache.org
> Subject: Re: OCSP with openSSL
> 
> On 22/05/2019 11:28, Усманов Азат Анварович wrote:
>> Hi everyone! I have a web app running on tomcat and java 7 using
>> apr for TLS related issues. I'm still unable to have OCSP
>> verification working with tomcat.
> 
> 
> 
>> I have tried running tcpdump on the server but don't see any
>> Comodo related IP addresses in the output when I access the
>> server in question in the browser. At this point I don't know
>> what else to do. If it was java I would just put some
>> System.out.println statements in OCSP SSL related source code and
>> recompile the tomcat source, but since in my case tomcat uses
>> OpenSSL and tomcat native I'm not sure how/where to do that. The
>> only place I found in the TC-native source that mentions OCSP
>> is the sslutils.c source file. I'm not sure when/if it actually
>> gets called in my case. Maybe someone with more C/C++ experience
>> would help me with that. I really want to get to the bottom
>> of this. Any help is appreciated. My tomcat version is 8.5.39, APR
>> based Apache Tomcat Native library [1.2.21] using APR version
>> [1.6.5]. Openssl version is [OpenSSL 1.1.1a 20 Nov 2018]. OS:
>> Linux RHEL 6.6
> 
> How did you build the Tomcat Native library? Was OCSP enabled?
> 
> Mark
> 




Re: Running sudo from a servlet

2019-05-22 Thread Christopher Schultz

Claude,

On 5/21/19 14:20, Claude Brisson wrote:
> (responding to myself)
> 
> The culprit is the option
> 
> NoNewPrivileges=true
> 
> in the file
> /etc/systemd/system/multi-user.target.wants/tomcat8.service
> 
> When changed to false, one must also call 'systemctl daemon-reload'
> and after a tomcat restart, the problem is solved.

I'd seriously consider whether or not you want to actually do this.

It might be better to write a tiny daemon which has elevated
privileges to perform whatever operation you want and have your web
application ping it to do some work, rather than making the whole
Tomcat process able to elevate its privileges.

At least lock down the sudo command so that only that exact necessary
command is possible.

- -chris

> On 21/05/2019 19:52, Claude Brisson wrote:
>> Hi all.
>> 
>> I use tomcat 8.5.39 and java oracle 1.8.0_191 on linux (ubuntu
>> 19.04). Tomcat was installed by apt-get and runs as a service.
>> 
>> If I open a shell as the tomcat8 user, I can launch a Java
>> program which successfully executes a sudo command in a
>> sub-process.
>> 
>> But from a Java servlet, the code fails with this error from the
>> sudo executable:
>> 
>> sudo: effective uid is not 0, is /usr/bin/sudo on a file system 
>> with the 'nosuid' option set or an NFS file system without root 
>> privileges?
>> 
>> which means that somehow, the tomcat process was unable or
>> unwilling to honor the setuid flag of the sudo command.
>> 
>> Is it a special security measure?
>> 
>> If yes, is it set in Tomcat? In the JVM? In Ubuntu's tomcat8
>> service packaging? In systemd config?
>> 
>> And is there any configuration option to relax it?
>> 
>> Thanks,
>> 
>> Claude
>> 
>> 
>> 




Re: ApacheCon agenda?

2019-05-22 Thread Christopher Schultz

Israel,

On 5/20/19 13:46, Israel Timoteo wrote:
> It would be very interesting having a talk where I can experiment 
> (like in a lab) building a configuration for HTTPD as a proxy for
> a Tomcat cluster; something where I can see details for best
> practices on how to calculate the number of clients
> (ThreadsPerChild, MaxRequestWorkers, MaxConnectionsPerChild, etc)
> in apache that matches number of clients in Tomcat (maxThreads,
> maxConnections, acceptCount, etc) and then know how to adjust that
> number when the number of Tomcat instances changes.
> 
> From my experience in past conferences, sessions for HTTPD are 
> normally separated from the ones with Tomcat content; I cannot
> recall attending one where this expertise is shared - maybe there
> was one last year but I had to interrupt my attendance on the first
> day, then I might have missed it.

I've sat through several variations on "how to proxy / load balance
httpd+Tomcat" which cover all the topics you raise above. For example,
see Tomcat's presentations page[1] and search for "prox" (without a
trailing "y", so you find both "proxy" and "proxies"). There is also a
3-part series from Mark in 2015 called "Tomcat Clustering" which
separately covers reverse proxies, load-balancing, and clustering.

We could present updated versions of that material if it would be
helpful to the community.

> However, the intention of my asking is to show my manager the 
> knowledge to be offered on this conference so I can justify
> attending the event.

Understood.

- -chris

[1] http://tomcat.apache.org/presentations.html

>> On May 20, 2019, at 11:56 AM, Christopher Schultz
>>  wrote:
>> 
> Israel,
> 
> On 5/20/19 09:27, Israel Timoteo wrote:
>>> When can we expect to see the ApacheCon agenda published?
> 
> The call-for-papers just ended 7 days ago, so it might be a few
> weeks before we find out.
> 
> Is there a Tomcat-related topic you'd especially like to see 
> presented? We are assembling a concurrent TomcatCon and anything
> we can do to encourage members of this community to attend
> ApacheCon this year, we'll consider.
> 
> -chris




Re: Latest Best Practices for Tomcat Tuning

2019-05-22 Thread Olaf Kock
On 22.05.19 16:36, Louis Zipes wrote:
> Hi Experts,
> I know that if you Google 'Tomcat Tuning' you will get some hits  (ex. 
> https://www.mulesoft.com/tcat/tomcat-performance) but  I would like to see if 
> we can have a discussion of best practices for Tomcat tuning from the group 
> of experts here.  Is there an updated top 10 list or something similar or 
> what people have found have greatly helped their performance.   Note that I 
> have looked through the archives but most of the hits I get date back 10 
> years.
>
> My personal situation is I'm running Tomcat 8.5.x on Windows with a third 
> party application.  Since it is a third party application I feel I can't open 
> up the actual coding itself so I'm left to tune around the margins (ex. 
> Parameters in service.bat, maybe try to switch our odbc.jar to a different 
> one, etc) but maybe I'm wrong.
>
> Basically, is there an updated list of best practices that we can discuss 
> here or is this not the appropriate venue.  I'm looking for a more generic 
> conversation that would benefit all users on this forum and if it helps me 
> personally then of course that is great!
>
> Or is the answer always get the stack dumps and analyze from there.   : )

IMHO the generic answer for tuning problems is always:

(1) Identify the #1 bottleneck
(2) Fix it
(3) Now bottleneck #2 has gotten a promotion: If you still feel the need
to continue tuning, continue at (1)

The bottleneck might be:

# CPU (in which case you might be out of luck with a 3rd party application)
# Memory
# I/O
# Database (a specific case of I/O)
# Network throughput, latency

or anything else, e.g. other backend systems.

Sorry, this is pragmatic, but might not be too helpful. It's the long
form of the consultant's standard answer "it depends".

Olaf





Re: CONNECTION_CLOSED 200 Error with HTTP/2 Enabled

2019-05-22 Thread Mark Thomas
On 22/05/2019 15:47, Tom Coudyzer wrote:
> Hi,
> 
> We wanted to upgrade our application to start using HTTP/2. We added the
> necessary and we see that the browser is using HTTP/2 in the browsers'
> development tools.
> 
> However since we activated it we get random CONNECTION_CLOSED 200 Errors in
> Chrome. It's not always on the same files and sometimes there are more,
> sometimes there are less, sometimes it works. When we disable HTTP/2
> (remove the upgradeprotocol tag) everything works fine.
> 
> We are running Tomcat 9.0.20 (x64) on a Windows Server 2008 R2 server.
> 
> Did we configure something incorrectly, is this an HTTP/2 issue or should
> we look at network issues on our end?
> 
> If you need more information or we need to run something to be able to
> troubleshoot it better please let me know.
> 
> Help is much appreciated !

You can try enabling debug logging if the issue is fairly easy to
reproduce. That might shed some light on what Tomcat is doing and why.

There are also some HTTP/2 fixes due in the next set of releases that
might help.

Mark




Re: Latest Best Practices for Tomcat Tuning

2019-05-22 Thread Mark Thomas
On 22/05/2019 15:36, Louis Zipes wrote:
> Hi Experts,
> I know that if you Google 'Tomcat Tuning' you will get some hits  (ex. 
> https://www.mulesoft.com/tcat/tomcat-performance) but  I would like to see if 
> we can have a discussion of best practices for Tomcat tuning from the group 
> of experts here.  Is there an updated top 10 list or something similar or 
> what people have found have greatly helped their performance.   Note that I 
> have looked through the archives but most of the hits I get date back 10 
> years.
> 
> My personal situation is I'm running Tomcat 8.5.x on Windows with a third 
> party application.  Since it is a third party application I feel I can't open 
> up the actual coding itself so I'm left to tune around the margins (ex. 
> Parameters in service.bat, maybe try to switch our odbc.jar to a different 
> one, etc) but maybe I'm wrong.
> 
> Basically, is there an updated list of best practices that we can discuss 
> here or is this not the appropriate venue.  I'm looking for a more generic 
> conversation that would benefit all users on this forum and if it helps me 
> personally then of course that is great!
> 
> Or is the answer always get the stack dumps and analyze from there.   : )

I'd start with a profiler. Unless the application is doing something
very strange, I'd be surprised if there was much mileage in Tomcat
specific tuning. Most issues are in the app.

Mark




CONNECTION_CLOSED 200 Error with HTTP/2 Enabled

2019-05-22 Thread Tom Coudyzer
Hi,

We wanted to upgrade our application to start using HTTP/2. We added the
necessary and we see that the browser is using HTTP/2 in the browsers'
development tools.

However since we activated it we get random CONNECTION_CLOSED 200 Errors in
Chrome. It's not always on the same files and sometimes there are more,
sometimes there are less, sometimes it works. When we disable HTTP/2
(remove the upgradeprotocol tag) everything works fine.

We are running Tomcat 9.0.20 (x64) on a Windows Server 2008 R2 server.

Did we configure something incorrectly, is this an HTTP/2 issue or should
we look at network issues on our end?

If you need more information or we need to run something to be able to
troubleshoot it better please let me know.

Help is much appreciated !

Regards,
Tom


Latest Best Practices for Tomcat Tuning

2019-05-22 Thread Louis Zipes
Hi Experts,
I know that if you Google 'Tomcat Tuning' you will get some hits  (ex. 
https://www.mulesoft.com/tcat/tomcat-performance) but  I would like to see if 
we can have a discussion of best practices for Tomcat tuning from the group of 
experts here.  Is there an updated top 10 list or something similar or what 
people have found have greatly helped their performance.   Note that I have 
looked through the archives but most of the hits I get date back 10 years.

My personal situation is I'm running Tomcat 8.5.x on Windows with a third party 
application.  Since it is a third party application I feel I can't open up the 
actual coding itself so I'm left to tune around the margins (ex. Parameters in 
service.bat, maybe try to switch our odbc.jar to a different one, etc) but 
maybe I'm wrong.

Basically, is there an updated list of best practices that we can discuss here 
or is this not the appropriate venue.  I'm looking for a more generic 
conversation that would benefit all users on this forum and if it helps me 
personally then of course that is great!

Or is the answer always get the stack dumps and analyze from there.   : )

Thanks in advance



RE: OCSP with openSSL

2019-05-22 Thread Усманов Азат Анварович
Mark, I installed it just by downloading the tcnative src tar.gz file from the
tomcat website
and issued ./configure --with-apr=/usr/local/apr
--with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl && make &&
make install && make clean
I'm not sure how to specify any ocsp related configure options when building
tomcat native from source


From: Mark Thomas
Sent: 22 May 2019 13:41
To: users@tomcat.apache.org
Subject: Re: OCSP with openSSL

On 22/05/2019 11:28, Усманов Азат Анварович wrote:
> Hi everyone! I have a web app running on tomcat and java 7 using apr for TLS 
> related issues. I'm still unable to have OCSP verification working with 
> tomcat.



> I have tried running tcpdump on the server but don't see any Comodo related 
> IP addresses in the output when I access the server in question in the 
> browser.
> At this point I don't know what else to do. If it was java I would just put 
> some System.out.println statements in OCSP SSL related source code and 
> recompile the tomcat source, but since in my case tomcat uses OpenSSL and 
> tomcat native I'm not sure how/where to do that. The only place I found in 
> the TC-native source that mentions OCSP is the sslutils.c source file. I'm not 
> sure when/if it actually gets called in my case. Maybe someone with 
> more C/C++ experience would help me with that. I really want to get to the 
> bottom of this. Any help is appreciated
> my tomcat version is 8.5.39
> APR based Apache Tomcat Native library [1.2.21] using APR version [1.6.5].
> Openssl version is [OpenSSL 1.1.1a 20 Nov 2018]
> OS: Linux RHEL 6.6

How did you build the Tomcat Native library? Was OCSP enabled?

Mark




Re: Usage of Tomcat Logo combined with own logo.

2019-05-22 Thread Mark Thomas
On 21/05/2019 14:31, bernd.sch...@daimler.com wrote:
> Hi,
> 
> We created a library that offers an easy integration in our internal oidc 
> infrastructure.
> It is based on jaspic so it would work on any application server that support 
> it,
> But we want to push the use of open source application server like tomcat
> Instead of closed source application server.
> 
> Therefore we want to advertise with an internal "Java Free and Open Source"
> logo combined with a small tomcat logo inside, is this allowed?
> 
> The logo will be used in the intranet but will also be visible 
> for all suppliers that work for us.
> 
> Thx in advance.

Hi,

Generally, the ASF does permit project logos to be combined with other
logos. There are also restrictions on using ASF logos alongside other logos.

If you can show us an example of what you want to do, the Tomcat PMC can
consider granting an exception.

Thanks,

Mark






Re: OCSP with openSSL

2019-05-22 Thread Mark Thomas
On 22/05/2019 11:28, Усманов Азат Анварович wrote:
> Hi everyone! I have a web app running on tomcat and java 7 using apr for TLS 
> related issues. I'm still unable to have OCSP verification working with 
> tomcat.



> I have tried running tcpdump on the server but don't see any Comodo related 
> IP addresses in the output when I access the server in question in the 
> browser.
> At this point I don't know what else to do. If it was java I would just put 
> some System.out.println statements in OCSP SSL related source code and 
> recompile the tomcat source, but since in my case tomcat uses OpenSSL and 
> tomcat native I'm not sure how/where to do that. The only place I found in 
> the TC-native source that mentions OCSP is the sslutils.c source file. I'm not 
> sure when/if it actually gets called in my case. Maybe someone with 
> more C/C++ experience would help me with that. I really want to get to the 
> bottom of this. Any help is appreciated
> my tomcat version is 8.5.39
> APR based Apache Tomcat Native library [1.2.21] using APR version [1.6.5].
> Openssl version is [OpenSSL 1.1.1a 20 Nov 2018]
> OS: Linux RHEL 6.6

How did you build the Tomcat Native library? Was OCSP enabled?

Mark




OCSP with openSSL

2019-05-22 Thread Усманов Азат Анварович
Hi everyone! I have a web app running on tomcat and java 7 using apr for TLS 
related issues. I'm still unable to have OCSP verification working with tomcat. 
I'm NOT talking about the client-certificate based auth here, just the 
opposite. I want tomcat to present its OCSP status to the client (browser) 
when it connects to the server. Since the options in the OCSP section of the tomcat 
docs talk about client-auth I figured I don't need to add anything on my HTTPS 
connector to get OCSP working. So here is my https connector

our ocsp certificate has ocsp responder address http://ocsp.comodoca.com
I thought that my issues were caused by the fact the server in question 
sits behind a proxy but I just tested ocsp stapling manually via the OpenSSL ocsp 
utility and it is working properly when invoked through the command line

openssl ocsp -no_nonce -issuer issuer.crt -cert /home/idis/STAR_ieml_ru.crt -url http://ocsp.comodoca.com/ -text
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
  Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
  Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Produced At: May 15 19:34:39 2019 GMT
Responses:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
  Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
  Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
Cert Status: good
This Update: May 15 19:34:39 2019 GMT
Next Update: May 22 19:34:39 2019 GMT

Signature Algorithm: sha256WithRSAEncryption
Response verify OK
/home/idis/STAR_ieml_ru.crt: good
This Update: May 15 19:34:39 2019 GMT
Next Update: May 22 19:34:39 2019 GMT
However, when I test the server both manually and via the ssllabs server test, 
ocsp stapling still shows no:

openssl s_client -connect debug.ieml.ru:8443 -tls1_2 -status
CONNECTED(0004)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN 
= COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
OCSP response: no response sent
---
Certificate chain
 0 s:OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.ieml.ru
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = 
COMODO RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = 
COMODO RSA Domain Validation Secure Server CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = 
COMODO RSA Certification Authority
 2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = 
COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust 
External CA Root
---
Server certificate



RE: Configuring log format for console output (catalina.out)

2019-05-22 Thread Jäkel, Guido
Dear Joan,

by use of the common scripts, the file catalina.out will contain the console 
output (stdout/stderr) of the *JVM* process and -- if not configured in another 
way -- of the applications. Therefore, you have to deal with the features of 
output formatting of current JVMs. Or -- as I do -- you might pipe these file 
descriptors through a tiny script that will prepend a timestamp in a format of 
your choice. This has the advantage that it also handles "console" output 
of Java applications, despite the fact that using stdout/stderr instead of a 
java logging mechanism is a very bad style.

If you don't need to process thousands of lines per second, a simple shell 
script may do the job:

while IFS= read -r line; do echo "$(date -Ins) $line"; done

To avoid "double-stamping", you may add a heuristic check of the incoming 
line; please adjust the RegExpr to your needs

# bash's =~ uses POSIX extended regular expressions: [0-9]{4}, not \d\d\d\d
while IFS= read -r line; do [[ ! "$line" =~ ^[0-9]{4} ]] && printf '[%s] ' "$(date -Ins)"; printf '%s\n' "$line"; done


Guido
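An added example of the same catalina.out filter with a stricter double-stamping check (my own code, not the script from the post above): a line only counts as already stamped when it begins with a full yyyy-mm-dd hh:mm:ss timestamp, so lines that merely start with four digits (a byte count, a year inside a message) still get a stamp. TS_CMD is a hypothetical override that lets the clock be fixed for testing.

```shell
#!/bin/sh
# Added example, not the script from the mailing-list post. Filter for
# catalina.out: prepend "[timestamp] " to every line that does not already
# start with an ISO-8601 date-time, so JVM / java.util.logging lines that
# carry their own stamp are not double-stamped.
#
# TS_CMD (hypothetical, for this example) produces the timestamp; it
# defaults to GNU "date -Ins" and can be overridden to make the output
# reproducible in tests.
: "${TS_CMD:=date -Ins}"

# Optional leading "[", then yyyy-mm-dd, a "T" or a space, then hh:mm:ss.
# Fractional seconds and a time zone may follow; they are not required.
STAMP_RE='^\[?[0-9]{4}-[0-9]{2}-[0-9]{2}[T ][0-9]{2}:[0-9]{2}:[0-9]{2}'

# already_stamped LINE -> exit status 0 if LINE begins with a timestamp.
already_stamped() {
    printf '%s\n' "$1" | grep -Eq "$STAMP_RE"
}

# stamp_stream: read stdin line by line, write stamped lines to stdout.
# The "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline,
# which is common when a JVM dies mid-write.
stamp_stream() {
    while IFS= read -r line || [ -n "$line" ]; do
        if already_stamped "$line"; then
            printf '%s\n' "$line"
        else
            printf '[%s] %s\n' "$($TS_CMD)" "$line"
        fi
    done
}

# Typical use in a startup wrapper (not executed here):
#   "$CATALINA_HOME/bin/catalina.sh" run 2>&1 | stamp_stream >> catalina.out
```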