Apache Tomcat AJP File Inclusion Vulnerability (unauthenticated check)

2020-03-06 Thread Nitin Kadam
Hello Team,

We received a vulnerability alert from the Security team for "Apache Tomcat AJP
File Inclusion Vulnerability (unauthenticated check)", and for
remediation they suggested updating Tomcat to the latest version.

Can you please help resolve this without upgrading the existing version,
i.e. Tomcat 8.5?


-- 
Regards,
NK


Re: mod_proxy_ajp equivalent for JK_LB_ACTIVATION?

2020-03-06 Thread Rainer Jung

Hi Chris,

no, the status unfortunately is not available as an Apache env var.

mod_proxy_ajp has a builtin provision for automatic env var forwarding: 
all env vars named AJP_SOMETHING will be forwarded as request attribute 
SOMETHING. But I see no easy way of detecting drain mode and setting an 
env var and there seems to be nothing builtin. I remember having added 
the forwarding for the LB activation to mod_jk many years ago but well 
after mod_proxy_ajp was done by Mladen. It seems to be one of the 
missing features in mod_proxy_ajp.


But of course it could be added ...

Regards,

Rainer

On 06.03.2020 at 16:34, Christopher Schultz wrote:


All,

At $work, we use mod_jk for proxying and I'd like to move to
mod_proxy_ajp with an eye toward moving to mod_proxy_http eventually.

We use the JK_LB_ACTIVATION state to perform load-balanced
node-draining[1] for maintenance and I'm trying to find out how to get
mod_proxy to give me its current status.

I don't see anything in the documentation for mod_proxy_balancer or
mod_proxy_ajp.

From the balancer-manager, I can see that there are several items of
status metadata that might be useful:

- worker "draining mode"
- worker "disabled" state
- worker "hot standby" state
- worker "stopped" state

Each worker has a "status" value, which can be any of D/S/I/R/H/E/N
but it also looks like each of those can be set independently. So the
worker can be in "hot standby" + "error" states. Hmm.

Is that state available in an environment variable I can forward-over
to the origin node?

-chris


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: issue faced in tomcat 8.5.51

2020-03-06 Thread Christopher Schultz



On 3/4/20 05:55, Dave Ford wrote:
> On Fri, 2020-02-28 at 13:39 +, Rathore, Rajendra wrote:
>> Caused by: java.lang.IllegalArgumentException: The AJP Connector
>> is configured with secretRequired="true" but the secret attribute
>> is either null or "". This combination is not valid.
>
> Are you talking to this via an apache webserver using
> mod_proxy_ajp? Only, the current stable release of apache (2.4.41)
> doesn't support 'secret' AFAIK.
>
> See
>
> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html
>
> and
>
> https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=53098
>
> Note the above 'bug' in Apache is only 12 years old :-(

It is actually just under 8 years old.

The initial release of Apache httpd 2.4 was on 2012-02-21 and this
enhancement request was filed by Dmitry on 2012-04-18, 2 months later.

The httpd team takes stability VERY seriously and it looks like there
was basically zero interest in applying this patch for the following
(nearly) 8 years.

Most AJP connections are being used as a proxying protocol across
"trusted" networks, and so the whole "secret" thing is just a small
band-aid to keep unauthorized users out.

The "secret" provides about as much security as putting a sign on the
front door of your home which says "please don't come in unless
invited," and then not bothering to put a lock on the door.

If you are considering locking-down your AJP endpoints by requiring a
"secret" then you are probably not really locking-down your AJP
endpoints. You are only pretending to do so.

-chris




mod_proxy_ajp equivalent for JK_LB_ACTIVATION?

2020-03-06 Thread Christopher Schultz

All,

At $work, we use mod_jk for proxying and I'd like to move to
mod_proxy_ajp with an eye toward moving to mod_proxy_http eventually.

We use the JK_LB_ACTIVATION state to perform load-balanced
node-draining[1] for maintenance and I'm trying to find out how to get
mod_proxy to give me its current status.

I don't see anything in the documentation for mod_proxy_balancer or
mod_proxy_ajp.

From the balancer-manager, I can see that there are several items of
status metadata that might be useful:

- worker "draining mode"
- worker "disabled" state
- worker "hot standby" state
- worker "stopped" state

Each worker has a "status" value, which can be any of D/S/I/R/H/E/N
but it also looks like each of those can be set independently. So the
worker can be in "hot standby" + "error" states. Hmm.

Is that state available in an environment variable I can forward-over
to the origin node?

-chris




Re: Tomcat won't use TLSv1.2

2020-03-06 Thread i...@flyingfischer.ch
On 06.03.20 at 15:41, Christopher Schultz wrote:
> Markus,
>
> On 3/5/20 13:44, i...@flyingfischer.ch wrote:
> > Try SSLProtocol="TLSv1.2" (mind the case) instead of
> > sslProtocol="-all +TLSv1.2".
>
> This is correct when using either OpenSSL or JSSE. "sslProtocol" will
> only work for JSSE configuration, and basically only allows a single
> value: "TLS".
>
> It's better to use <SSLHostConfig> where it's always just "protocols".
>
> > Had this issue too. The connector parameters for SSL are a huge
> > mess and have been changed constantly.
>
> Really? Can you give an example? Other than the change from
> <Connector> to <SSLHostConfig>, everything has been pretty stable for
> ... decades.
>
> -chris
>
Well, yes. If I remember correctly this was:

    
    
    

Server is also built with TC native. Always using latest stable version
of TC 8.5. OpenJDK 64-Bit Server VM Zulu13.29+9-CA (build 13.0.2+6-MTS,
mixed mode, sharing).

Chrome could not cope with HTTP2 with this configuration. So I switched
back to HTTP1.1

    
    

TLSv1.2 only started to work after correcting sslProtocol to SSLProtocol.

Best
Markus






Re: [semi-OT] tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-06 Thread Christopher Schultz

Thomas,

On 3/4/20 19:37, Thomas Glanzmann wrote:
>  allowedRequestAttributesPattern=JK_LB_ACTIVATION

Note that JK_LB_ACTIVATION is already in the list of white-listed
attribute names. You should probably not have to set this
configuration attribute.

-chris




Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

2020-03-06 Thread Christopher Schultz

Piyush,

On 3/5/20 14:40, Piyush Kumar Nayak wrote:
> Thanks Mark, Two connector configs works. Any ideas, on why the
> behavior if different for ISAPI and mod_jk modules?

What do your configurations look like for each module?

-chris

> -----Original Message-----
> From: Mark H. Wood
> Sent: Thursday, March 5, 2020 10:28 PM
> To: users@tomcat.apache.org
> Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
>
> On Thu, Mar 05, 2020 at 01:52:57PM +, Piyush Kumar Nayak
> wrote:
>> Is there a way to get Tomcat's AJP connector to bind to both IPv4
>> and IPv6 loopback addresses?
>>
>> By default, it seems that Tomcat binds to the IPv4 loopback. Default
>> connector config:
>>
>> <Connector protocol="AJP/1.3" port="8014" redirectPort="8447"
>>            packetSize="65535" secret="xxx" tomcatAuthentication="false"/>
>>
>> netstat -ano | findstr 8014
>> TCP 127.0.0.1:8014 0.0.0.0:0 LISTENING 8616
>> TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED 8616
>> TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800
>>
>> Introducing the address attribute like so:
>>
>> <Connector protocol="AJP/1.3" address="::1" port="8014" redirectPort="8447"
>>            packetSize="65535" secret="xxx" tomcatAuthentication="false"/>
>>
>> binds it to the IPv6 loopback:
>>
>> TCP [::1]:8014 [::]:0 LISTENING 8616
>> TCP [::1]:8014 [::1]:57522 ESTABLISHED 8616
>> TCP [::1]:57522 [::1]:8014 ESTABLISHED 6564
>>
>> Is there a way to make it bind to both the loopbacks. The problem
>> we are facing is our Tomcat installations can have connector
>> configured with IIS or Apache HTTPD. Apache connector, by default
>> seems to make a socket connection using the address ::1 (IPv6
>> loop back address), whereas IIS connector tries to bind to the
>> IPv4 loopback.
>
> Two things I would try:
>
> 1.  Two connectors, one with address='::1' and the other with
> address='127.0.0.1', both with port='8014'.
>
> 2.  Configure the other end explicitly:  tell HTTPD and IIS which
> address to use, and then configure your AJP Connector to match.
>
> -- Mark H. Wood Lead Technology Analyst
>
> University Library Indiana University - Purdue University
> Indianapolis 755 W. Michigan Street Indianapolis, IN 46202
> 317-274-0749 www.ulib.iupui.edu
>




Re: Tomcat won't use TLSv1.2

2020-03-06 Thread Christopher Schultz

John,

On 3/5/20 13:30, rugman66 . wrote:
> I have both Apache and Tomcat running on the same RHEL. I have
> successfully configured Apache to use OpenSSL TLSv1.2, but I cannot
> get Tomcat to use TLSv1.2. Tomcat for some reason
>
> will only use TLV 1.0, and that is no good. No matter what
> parameter I set in the server.xml sslProtocol directive it won’t
> change. Seems like it’s getting that directive somewhere else but I
> can't locate.
>
>
>
> <Connector port="8443"
>            scheme="https"
>            secure="true"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            SSLEnabled="true"
>            SSLCertificateFile="/auto/englearn-web/ssl_certificate/server.cer"
>            SSLCertificateChainFile="/auto/englearn-web/ssl_certificate/chain.cer"
>            SSLCertificateKeyFile="/auto/englearn-web/ssl_certificate/server.key"
>            SSLCipherSuite="RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW"
>            SSLHonorCipherOrder="true"
>            maxThreads="150"
>            clientAuth="false"
>            sslProtocol="-all +TLSv1.2"

For Tomcat 7, use:

sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2"

For JSSE (if you are using NIO, which you are NOT, but might want to
consider) and, for OpenSSL:

SSLProtocol="TLSv1.2"

Case matters, here.

Note that your version of Java must support TLSv1.2 in order for this
to work. What version of Java are you running?

> OpenSSL 1.0.2d
>
> Tomcat 7.0.39 (I know it’s old, but it's what I have to work with
> at this time)

Are you able to upgrade to a later Tomcat 7.0.x? There are lots of
things fixed between 7.0.39 and 7.0.100.

-chris

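The attribute rules Chris lays out above (sslProtocol is a JSSE-only attribute whose value should stay "TLS", sslEnabledProtocols is what pins the versions on JSSE, and the APR/OpenSSL connector reads SSLProtocol, case-sensitive) are easy to get wrong in exactly the way John did, so here is a small server.xml audit that applies them. It is an added example, not code from the thread or from Tomcat. The sample server.xml inside it is constructed; port 8443 mirrors John's connector, 8444 and 8445 are the two corrected forms Chris gives. The audit treats TLSv1.2 as the one protocol that should be offered because that is what the thread is trying to achieve. Tomcat 8.5 and later would put the protocol list in <SSLHostConfig protocols="..."> instead, which this script does not examine.

```python
"""Audit SSL-enabled <Connector> elements in a Tomcat server.xml for the
protocol-selection mistakes discussed in this thread.

Added example (not from the mailing list or from Tomcat).  Standard
library only: run it against a real server.xml by replacing SAMPLE_SERVER_XML
with open("server.xml").read().
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
TARGET = "TLSv1.2"   # the only protocol version the thread wants offered

# Constructed sample, not a real configuration.  8443 is John's connector
# (OpenSSL engine but the JSSE-only attribute, with httpd-style syntax),
# 8444 is the Tomcat 7 JSSE form Chris suggests, 8445 the OpenSSL form.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               sslProtocol="-all +TLSv1.2"/>
    <Connector port="8444" scheme="https" secure="true" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>
    <Connector port="8445" scheme="https" secure="true" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLProtocol="TLSv1.2"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def audit_tls_connectors(server_xml: str) -> List[Dict]:
    """One finding per SSL-enabled connector.

    'engine' is 'openssl' for the APR connector and 'jsse' for the rest;
    'effective' is the attribute that really governs protocol versions for
    that engine (or its default when unset); 'problems' lists what to fix.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        attrs = conn.attrib
        if attrs.get("SSLEnabled", "false").lower() != "true":
            continue   # plain HTTP or AJP connector: nothing to check here
        engine = "openssl" if attrs.get("protocol") == APR_PROTOCOL else "jsse"
        problems = []
        if engine == "openssl":
            # OpenSSL reads SSLProtocol (upper case); the JSSE attribute is not used.
            effective = attrs.get("SSLProtocol", "all (default)")
            if "sslProtocol" in attrs:
                problems.append(
                    'sslProtocol="%s" is a JSSE attribute and does nothing on the '
                    "APR/OpenSSL connector; use SSLProtocol (case matters)"
                    % attrs["sslProtocol"])
            if effective != TARGET:
                problems.append("SSLProtocol is %r, so %s is not the only "
                                "protocol offered" % (effective, TARGET))
        else:
            # JSSE: leave sslProtocol="TLS" and pin versions with sslEnabledProtocols.
            effective = attrs.get("sslEnabledProtocols", "JVM default")
            if attrs.get("sslProtocol", "TLS") != "TLS":
                problems.append(
                    'sslProtocol="%s": on JSSE this should stay "TLS"; restrict '
                    "versions with sslEnabledProtocols instead" % attrs["sslProtocol"])
            if effective != TARGET:
                problems.append("sslEnabledProtocols is %r, so %s is not the only "
                                "protocol offered" % (effective, TARGET))
        findings.append({"port": attrs.get("port", "?"), "engine": engine,
                         "effective": effective, "problems": problems})
    return findings


if __name__ == "__main__":
    for f in audit_tls_connectors(SAMPLE_SERVER_XML):
        status = "OK " if not f["problems"] else "FIX"
        print("%s port %s (%s, effective=%s)"
              % (status, f["port"], f["engine"], f["effective"]))
        for p in f["problems"]:
            print("    - " + p)
```

On the sample, 8443 gets two problems (the ignored lowercase attribute, and an SSLProtocol default of "all" that still offers TLSv1), while 8444 and 8445 pass. Note that a JSSE connector that passes here can still be limited by the JVM it runs on, which is Merka's point later in the thread.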



Re: Tomcat won't use TLSv1.2

2020-03-06 Thread Christopher Schultz

Markus,

On 3/5/20 13:44, i...@flyingfischer.ch wrote:
> Try SSLProtocol="TLSv1.2" (mind the case) instead of
> sslProtocol="-all +TLSv1.2".

This is correct when using either OpenSSL or JSSE. "sslProtocol" will
only work for JSSE configuration, and basically only allows a single
value: "TLS".

It's better to use <SSLHostConfig> where it's always just "protocols".

> Had this issue too. The connector parameters for SSL are a huge
> mess and have been changed constantly.

Really? Can you give an example? Other than the change from
<Connector> to <SSLHostConfig>, everything has been pretty stable for
... decades.

-chris

> On 05.03.20 at 19:30, rugman66 . wrote:
>> Hello,
>>
>>
>>
>> I have both Apache and Tomcat running on the same RHEL. I have
>> successfully configured Apache to use OpenSSL TLSv1.2, but I
>> cannot get Tomcat to use TLSv1.2. Tomcat for some reason
>>
>> will only use TLV 1.0, and that is no good. No matter what
>> parameter I set in the server.xml sslProtocol directive it won’t
>> change. Seems like it’s getting that directive somewhere else but
>> I can't locate.
>>
>>
>>
>> <Connector port="8443"
>>            scheme="https"
>>            secure="true"
>>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>>            SSLEnabled="true"
>>            SSLCertificateFile="/auto/englearn-web/ssl_certificate/server.cer"
>>            SSLCertificateChainFile="/auto/englearn-web/ssl_certificate/chain.cer"
>>            SSLCertificateKeyFile="/auto/englearn-web/ssl_certificate/server.key"
>>            SSLCipherSuite="RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW"
>>            SSLHonorCipherOrder="true"
>>            maxThreads="150"
>>            clientAuth="false"
>>            sslProtocol="-all +TLSv1.2" />
>>
>>
>>
>> OpenSSL 1.0.2d
>>
>> Tomcat 7.0.39 (I know it’s old, but it's what I have to work with
>> at this time)
>>
>>
>> Thank you for any insight.
>>
>> -John
>>
>
>




Re: tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-06 Thread Mark Thomas
On 06/03/2020 06:46, Thomas Glanzmann wrote:



> the issue seems to be that mod_jk no longer works without a password
> with tomcat7. So you need to set a password on both sides, and then
> everything works again.

This is not the case. Tomcat can be configured so a secret is not required.

> server.xml:
> 
>  secret="verysecure" secretRequired="true"/>
> 
> workers.properties of mod_jk
> 
> worker.tomcat-06.secret=verysecure

That won't work when httpd/mod_jk is on a separate host to Tomcat (as
per the subject of this thread).

> If I do _not_ set a password I'm getting a 403 no matter what I do.

That is a configuration issue. The equivalent Tomcat configuration to
that quoted above that will not require a password is:



Note: With 7.0.100 if you specify a secret, even an empty string, the
client must provide a matching secret irrespective of the setting of
secretRequired.

secretRequired determines if the secret attribute must be set in the
configuration, not whether the client has to provide a secret.

Mark

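Mark's two rules above (a secret attribute, even an empty one, has to be matched by every client; secretRequired only says whether the attribute must be present in server.xml), the 8.5.51 startup error quoted earlier in this digest, Chris's point that the secret is a weak control next to binding the connector to the loopback and firewalling it, the IPv4/IPv6 loopback question, and Nitin's opening question about the "AJP File Inclusion" alert all come down to the same handful of connector attributes. The audit below applies those rules to a server.xml. It is an added example, not code from the thread or from Tomcat. It assumes the defaults of the releases named in the thread (7.0.100, 8.5.51, 9.0.31 and later), where secretRequired defaults to true and an unset address means the loopback; the allowedRequestAttributesPattern check and the sample server.xml are my own additions.

```python
"""Audit AJP <Connector> elements in a Tomcat server.xml against the
secret / secretRequired / address behaviour described in this thread.

Added example (not from the mailing list or from Tomcat).  Standard
library only; replace SAMPLE_SERVER_XML with open("server.xml").read()
to run it against a real file.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost",
            "loopback (default)"}

# Constructed sample, not a real configuration.  Each connector is one of
# the situations discussed in the thread.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <!-- 8009: the 8.5.51 startup failure quoted earlier in the digest -->
  <Connector port="8009" protocol="AJP/1.3" secretRequired="true"/>
  <!-- 8010: secret set, but listening everywhere and accepting any attribute -->
  <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0"
             secret="verysecure" allowedRequestAttributesPattern=".*"/>
  <!-- 8011: no secret at all; acceptable only because it stays on the loopback -->
  <Connector port="8011" protocol="AJP/1.3" secretRequired="false"/>
  <!-- 8012: an empty secret is still a secret the client has to send -->
  <Connector port="8012" protocol="AJP/1.3" secretRequired="false" secret=""/>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""


def is_ajp(protocol: str) -> bool:
    """Both the short form (AJP/1.3) and the class names contain 'Ajp'/'AJP'."""
    return protocol.startswith("AJP/") or "Ajp" in protocol


def pattern_is_wide_open(pattern: str) -> bool:
    """True if allowedRequestAttributesPattern admits an arbitrary attribute name."""
    try:
        return re.fullmatch(pattern, "not_a_real_attribute_name") is not None
    except re.error:
        return False   # Tomcat would reject the pattern itself at startup


def audit_ajp_connectors(server_xml: str) -> List[Dict]:
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        attrs = conn.attrib
        if not is_ajp(attrs.get("protocol", "HTTP/1.1")):
            continue
        # Assumption: defaults of 7.0.100 / 8.5.51 / 9.0.31 and later, where
        # secretRequired is true and an unset address means the loopback.
        secret_required = attrs.get("secretRequired", "true").lower() == "true"
        secret = attrs.get("secret")            # None when the attribute is absent
        address = attrs.get("address", "loopback (default)")
        notes, fatal = [], False

        if secret_required and not secret:
            # The IllegalArgumentException from 8.5.51: this combination is invalid.
            fatal = True
            notes.append("secretRequired is true but secret is missing or empty: "
                         "the connector will refuse to start")
        elif secret is not None:
            # Mark's rule: a configured secret, even "", must be matched by clients.
            shown = "empty string" if secret == "" else "%d chars" % len(secret)
            notes.append("secret is set (%s): every proxy must send a matching "
                         "secret, whatever secretRequired says" % shown)
        else:
            notes.append("no secret: any client that can reach the port is accepted, "
                         "so the address binding and the network are the only controls")

        if address not in LOOPBACK:
            notes.append("bound to %s: reachable from other hosts; only do this for "
                         "a proxy on another machine, and firewall the port" % address)

        pattern = attrs.get("allowedRequestAttributesPattern")
        if pattern is not None and pattern_is_wide_open(pattern):
            notes.append('allowedRequestAttributesPattern="%s" lets the proxy set any '
                         "request attribute; list only the names you need" % pattern)

        findings.append({"port": attrs.get("port", "?"), "address": address,
                         "fatal": fatal, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print("%s AJP port %s on %s"
              % ("FATAL" if f["fatal"] else "check", f["port"], f["address"]))
        for n in f["notes"]:
            print("    - " + n)
```

If nothing in front of Tomcat speaks AJP, the shortest answer to an alert like Nitin's is to delete the connector from server.xml altogether; the audit is for the case where a proxy genuinely needs it. A proxy on another host needs a non-loopback address and therefore the secret plus a firewall rule, which is what the "0.0.0.0" finding is nudging towards.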



RE: Tomcat won't use TLSv1.2

2020-03-06 Thread Phoenix, Merka

> rugman66 . wrote:

>> On 2020-03-05 at 23:10 rugman66 wrote:
> On Thu, Mar 5, 2020 at 10:44 AM i...@flyingfischer.ch
>  wrote:
>> Try SSLProtocol="TLSv1.2" (mind the case) instead of sslProtocol="-all
>> +TLSv1.2".
>>
>> Had this issue too. The connector parameters for SSL are a huge mess and
>> have been changed constantly.
>>
>> Best
>> Markus
>>
>> On 2020-03-05 at 19:30 rugman66 wrote:
>>> Hello,
>>>
>>> I have both Apache and Tomcat running on the same RHEL. I have successfully
>>> configured Apache to use OpenSSL TLSv1.2, but I cannot get Tomcat to use
>>> TLSv1.2. Tomcat for some reason
>>>
>>> will only use TLV 1.0, and that is no good. No matter what parameter I set
>>> in the server.xml sslProtocol directive it won’t change. Seems like it’s
>>> getting that directive somewhere else but I can't locate.
>>>
>>> <Connector port="8443"
>>>            scheme="https"
>>>            secure="true"
>>>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>            SSLEnabled="true"
>>>            SSLCertificateFile="/auto/englearn-web/ssl_certificate/server.cer"
>>>            SSLCertificateChainFile="/auto/englearn-web/ssl_certificate/chain.cer"
>>>            SSLCertificateKeyFile="/auto/englearn-web/ssl_certificate/server.key"
>>>            SSLCipherSuite="RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW"
>>>            SSLHonorCipherOrder="true"
>>>            maxThreads="150"
>>>            clientAuth="false"
>>>            sslProtocol="-all +TLSv1.2" />
>>>
>>>
>>>
>>> OpenSSL 1.0.2d
>>>
>>> Tomcat 7.0.39 (I know it’s old, but it's what I have to work with at this
>>> time)
>>>
>>>
>>> Thank you for any insight.
>>>
>>> -John
>>>
> Sorry, that last reply sent before I was done for some reason.
>
>> Thanks Markus,
>>
>> One final issue. One version of the URL is still using TLS 1.0, and I
>> need to disable or force it to TLS v1.2 and can't find where to do
>> that.
>>
>> https://server.domain.com        (TLSv1.2)
>> https://server.domain.com/foo    (Apache proxy, TLSv1.2)
>> https://server.domain.com:8443   (TLS 1.0)
>>
>> Thanks
>> -John
>>

> These three URLs do use two different connectors: on Port 443 and on Port 
> 8443.
> Make sure you have configured both connectors accordingly.
> Best
> Markus

---
Keep in mind that the Java JVM may need help as well (depending on which 
version of the Java JVM runtime is hosting the Apache Tomcat).

Oracle documentation covers this topic well; see:
https://www.java.com/en/configure_crypto.html

Scroll down to the paragraph "Changing default TLS protocol version for client 
end points : TLS 1.0 to TLS 1.2".

Cheers!

Simba
Engineering