Re: What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5
On 02/07/2021 01:10, James H. H. Lampert wrote:
> On 7/1/21 4:55 PM, in response to:
>> I will note, however, that the Tomcat servers in question are *not* configured to listen on any ports other than HTTPS (either 443, 8443, or something else in that vein) and the shutdown port.
> Shawn Heisey wrote:
>> In that case, you don't need h2c, and probably don't want it.
> O. . . . k. That makes sense, so far, but how is it even enabled? Is there some way I could have h2c enabled, with the situation I described (no HTTP at all, not even as a redirect), and not *know* I have it enabled?

With no HTTP configured, there is no way h2c can be enabled. You have to explicitly add an appropriate element to an HTTP connector. You then see a log message on Tomcat start along the lines of:

The ["http-nio-8080"] connector has been configured to support HTTP upgrade to [h2c]

Configuring h2 (the standard encrypted version of HTTP/2) works the same way but you add the to a connector configured for HTTPS. In that case the log message on start looks something like:

The ["https-jsse-nio-8443"] connector has been configured to support negotiation to [h2] via ALPN

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
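The two ways Mark describes to tell whether h2c is on (the element on a connector in server.xml, and the startup log line) can both be checked mechanically. The script below is an added example, not code from the thread or from the Tomcat project. It assumes the standard server.xml shape: HTTP/2 is enabled by an `<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>` child of a `<Connector>`, and a connector is HTTPS when it carries `SSLEnabled="true"` (h2 via ALPN), otherwise the upgrade is cleartext h2c. The server.xml and the catalina.out excerpt are constructed samples; the logger name in the sample log lines is a placeholder, only the message text matches what the thread quotes.

```python
"""Report which Tomcat connectors would offer HTTP/2, and whether as h2 or h2c.

Added example (not Tomcat's own code). Assumes the standard server.xml layout
described in the lead-in; sample inputs below are constructed.
"""
import re
import xml.etree.ElementTree as ET

HTTP2_PROTOCOL = "org.apache.coyote.http2.Http2Protocol"

# Constructed sample server.xml: an HTTPS connector with h2, a plain HTTP
# connector that also carries the UpgradeProtocol element (so h2c is enabled),
# and a plain HTTP connector without it.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    <Connector port="8081" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def http2_connectors(server_xml: str) -> list[dict]:
    """One record per Connector that has the HTTP/2 UpgradeProtocol element.

    'mode' is 'h2' when the connector is TLS (SSLEnabled="true") and 'h2c'
    when it is cleartext. Connectors without the element are not listed.
    """
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        classes = {u.get("className") for u in conn.findall("UpgradeProtocol")}
        if HTTP2_PROTOCOL not in classes:
            continue
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        found.append({"port": conn.get("port"), "mode": "h2" if tls else "h2c"})
    return found


def cleartext_h2_ports(server_xml: str) -> list[str]:
    """Ports whose connector accepts an h2c upgrade; on an HTTPS-only server
    this list should be empty."""
    return [c["port"] for c in http2_connectors(server_xml) if c["mode"] == "h2c"]


# The two startup messages quoted in the thread: the h2c form says
# "HTTP upgrade to [h2c]", the h2 form "negotiation to [h2] via ALPN".
LOG_RE = re.compile(
    r'The \["(?P<connector>[^"]+)"\] connector has been configured to support '
    r'(?:HTTP upgrade to \[(?P<upgrade>h2c)\]|negotiation to \[(?P<alpn>h2)\] via ALPN)'
)


def http2_from_log(log_text: str) -> dict[str, str]:
    """Map connector name -> 'h2' or 'h2c' from Tomcat startup log text."""
    result = {}
    for m in LOG_RE.finditer(log_text):
        result[m.group("connector")] = m.group("upgrade") or m.group("alpn")
    return result


# Constructed catalina.out excerpt. "SampleLogger" is a placeholder; only the
# message text after it is the form quoted in the thread.
SAMPLE_LOG = """\
02-Jul-2021 09:15:01.123 INFO [main] SampleLogger Initializing ProtocolHandler ["https-jsse-nio-8443"]
02-Jul-2021 09:15:01.130 INFO [main] SampleLogger The ["https-jsse-nio-8443"] connector has been configured to support negotiation to [h2] via ALPN
02-Jul-2021 09:15:01.140 INFO [main] SampleLogger Initializing ProtocolHandler ["http-nio-8080"]
02-Jul-2021 09:15:01.142 INFO [main] SampleLogger The ["http-nio-8080"] connector has been configured to support HTTP upgrade to [h2c]
"""

if __name__ == "__main__":
    for c in http2_connectors(SAMPLE_SERVER_XML):
        print(f"server.xml: port {c['port']} -> {c['mode']}")
    for name, mode in http2_from_log(SAMPLE_LOG).items():
        print(f"log: {name} -> {mode}")
    print("cleartext h2c on ports:", cleartext_h2_ports(SAMPLE_SERVER_XML))
```

Run it against a real `conf/server.xml` and `logs/catalina.out` by reading those files into the two functions; a non-empty `cleartext_h2_ports` result on a server that is supposed to be HTTPS-only is the connector to remove, and the log check confirms what the running instance actually configured.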
Re: What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5
On 7/1/2021 6:10 PM, James H. H. Lampert wrote:
> On 7/1/21 4:55 PM, Shawn Heisey wrote:
>> In that case, you don't need h2c, and probably don't want it.
> O. . . . k. That makes sense, so far, but how is it even enabled? Is there some way I could have h2c enabled, with the situation I described (no HTTP at all, not even as a redirect), and not *know* I have it enabled?

I am a lurker on this list. Although I used Tomcat quite a bit in a past job, it's not something I configure these days. All my past Tomcat experience was before HTTP/2 became widespread, so I have no idea how to configure it.

Google has a number of hits that look useful if you search for "tomcat http/2". I don't imagine it's difficult to do. I do know that for full http/2 functionality it's best if you have a Java version newer than Java 8. Java 11 is probably a good choice. Note that if you use Oracle Java, they have changed their licensing, and most people actually are required to pay to use it.

Thanks,
Shawn
Question about directory listing sorting ..
Doesn't seem to work for me on 9.0.41 (it's an older development box). I found these interesting:

Now with patch v3:
1. "s=NA" name=asc
2. "s=ND" name=dsc
3. "s=SA" size=asc
4. "s=SD" size=dsc
5. "s=MA" modify=asc
6. "s=MD" modify=dsc

From here: https://bz.apache.org/bugzilla/show_bug.cgi?id=57287

Before I get too far down the road, I thought I would reach out. Params don't seem to affect listing sort order.
Re: What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5
On 7/1/21 4:55 PM, in response to:
> I will note, however, that the Tomcat servers in question are *not* configured to listen on any ports other than HTTPS (either 443, 8443, or something else in that vein) and the shutdown port.
Shawn Heisey wrote:
> In that case, you don't need h2c, and probably don't want it.

O. . . . k. That makes sense, so far, but how is it even enabled? Is there some way I could have h2c enabled, with the situation I described (no HTTP at all, not even as a redirect), and not *know* I have it enabled?

--
JHHL
Re: What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5
On 7/1/2021 3:24 PM, James H. H. Lampert wrote:
> On 6/21/21 9:42 AM, Christopher Schultz wrote:
>> If you are using h2c, you'll definitely want to 8.5.63 or later, as there is a critical fix there.
> My understanding, based on what I looked up a week and a half ago, is that we're not using h2c, but at the same time, don't think I fully understand what "h2c" is.

h2c means HTTP/2 cleartext -- that is, without the TLS encryption that HTTPS provides.

If Tomcat is reached directly by clients and the traffic doesn't go through a load balancer or proxy, then generally you don't want to enable h2c, you just want to enable h2. Technically h2c isn't in line with the goals of HTTP/2 ... encryption is assumed. But there are situations where it's what you really do want.

With a load balancer or proxy in the mix, things get a little more complicated. I personally would want the backend connection as fast as possible, and all the encryption handled by the front end -- the proxy or load balancer. So my backend connections are h2c, not h2. But I have run into web applications that only work right if the back end connection is encrypted. Up until about a week ago, one such application for me was WordPress. Then I figured out the right config to make WordPress always assume https even if the connections coming into the web server (Apache httpd in this case) were not encrypted ... so I immediately got rid of the double encryption by using h2c on the back end.

A bit of trivia that doesn't affect these answers, but some might want to know: I use haproxy in front of my web services. It's lightning fast, does awesome TLS, and is extremely configurable.

> I will note, however, that the Tomcat servers in question are *not* configured to listen on any ports other than HTTPS (either 443, 8443, or something else in that vein) and the shutdown port.

In that case, you don't need h2c, and probably don't want it.

> Also, I've got somebody complaining about CVE-2021-25329.
> I'm not sure I understand what CVE-2021-25329 is, or what the underlying CVE-2020-9484 is.

I can't tell what those vulnerabilities are about, but I don't think they have anything to do with h2c.

Thanks,
Shawn
Re: OpenSSL issues with Tomcat 9.0 on Corretto
Hello.

On Fri, Jul 2, 2021 at 1:04 AM Pawel Veselov wrote:
>
> Hello.
>
> We've been using Tomcat 9 OpenJDK(8) images for a while, but are now
> trying to switch to Corretto.

I sincerely apologize. I didn't realize that Tomcat images weren't maintained by the Tomcat group. I probably need to take this here: https://github.com/docker-library/tomcat
OpenSSL issues with Tomcat 9.0 on Corretto
Hello.

We've been using Tomcat 9 OpenJDK(8) images for a while, but are now trying to switch to Corretto.

The problem we ran into is that tomcat-native is built with OpenSSL 1.0 libraries. That makes it impossible to use Ed25519 certificates. I don't think it's possible to rectify that at runtime.

Are there any plans to switch to using OpenSSL 1.1 instead? Especially considering that the OpenJDK variant is built with 1.1?

Thank you!

--
With best of best regards
Pawel S. Veselov
What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5
On 6/21/21 9:42 AM, Christopher Schultz wrote:
> If you are using h2c, you'll definitely want to 8.5.63 or later, as there is a critical fix there.

My understanding, based on what I looked up a week and a half ago, is that we're not using h2c, but at the same time, don't think I fully understand what "h2c" is.

I will note, however, that the Tomcat servers in question are *not* configured to listen on any ports other than HTTPS (either 443, 8443, or something else in that vein) and the shutdown port.

Also, I've got somebody complaining about CVE-2021-25329. I'm not sure I understand what CVE-2021-25329 is, or what the underlying CVE-2020-9484 is. And https://nvd.nist.gov/vuln/detail/CVE-2020-9484 doesn't exactly help a whole lot: it talks about "PersistenceManager," and I'm not entirely sure what that even *is.*

--
JHHL
JSESSION ID
Dear All,

We are using tomcat 8.5.35 on Linux. We are getting two session IDs for the same Http request. Similar session ID is marked in yellow.

This is the session ID in startup:
JSESSIONID=FFE8F98C012CDB4461FC8E68C109298E

This is the session ID in dispatcher:
JSESSIONID=7CAFF4519565D00381DF792E375D241C; JSESSIONID=FFE8F98C012CDB4461FC8E68C109298E

Request for any inputs on this.

Thanks
Mohan
Re: Strange error with JSP
Tue, 29 Jun 2021 at 19:35, Christopher Schultz:
>
> Konstantin,
>
> On 6/29/21 10:21, Konstantin Kolinko wrote:
>> Wed, 2 Jun 2021 at 23:16, Christopher Schultz:
> [...]
>> Has the page been compiled once, or its modification time is being
>> checked over and over, or even worse: being recompiled?
>
> Probably not being recompiled. The source JSP has a file-date in 2016
> and the generated .java and .class files also have a date in 2016.

File dates do not matter: Tomcat resets them to match the original file, as that is a way to track the changes. That is why I asked about the file system and its supported time precision.

The time when the java file was generated is shown with a comment, "Generated at: " at the top of the file.

Also note "_jspx_dependants.put(...)" lines in the java file. Those are dependencies whose modification timestamps are checked as well.

>> Are "webapps" and "work" directories on the same kind of file system
>> (with the same supported precision for file modification times)?
>
> Exactly the same filesystem.

Best regards,
Konstantin Kolinko
Re: Possible bug in http2 window size handling in tomcat 9.0.45
On 01/07/2021 08:41, Erik Nilsson wrote:
> Tx.

It looks like there are multiple issues going on here then - in addition to the sendfile issue I already fixed. I'll fix the issue I'm currently seeing and then try again to recreate the issue you are seeing. I'll keep the thread updated with how I get on.

Mark

> On Thu, 1 July 2021 at 09:32, Mark Thomas wrote:
>> On 01/07/2021 07:16, Erik Nilsson wrote:
>>> Hmm I can still get the same exceptions even if I set useAsyncIO="false", but with maxConcurrentStreamExecution="1" it's stable.
>>
>> Can you provide your entire Connector configuration that includes useAsyncIO="false" please?
>>
>> Thanks,
>>
>> Mark
>>
>>> /Erik
>>>
>>> On Wed, 30 June 2021 at 18:41, Mark Thomas wrote:
>>>> On 30/06/2021 16:49, Erik Nilsson wrote:
>>>>> Perfect that you can reproduce this with another webapp. Thankful for your quick response. As I pointed out in the beginning of the conversation we also got this problem behind our f5 loadbalancer. But not with if we connect to Tomcat directly without a loadbalancer.
>>>>
>>>> Yes, this is a Tomcat bug. You should be able to work-around it with:
>>>>
>>>> useAsyncIO="false" on the Connector.
>>>>
>>>> I know where the problem is. I "just" need to figure out the fix.
>>>>
>>>> Mark
Re: Possible bug in http2 window size handling in tomcat 9.0.45
On Thu, 1 July 2021 at 09:32, Mark Thomas wrote:
> On 01/07/2021 07:16, Erik Nilsson wrote:
>> Hmm I can still get the same exceptions even if I set useAsyncIO="false",
>> but with maxConcurrentStreamExecution="1" it's stable.
>
> Can you provide your entire Connector configuration that includes
> useAsyncIO="false" please?
>
> Thanks,
>
> Mark
>
>> /Erik
>>
>> On Wed, 30 June 2021 at 18:41, Mark Thomas wrote:
>>
>>> On 30/06/2021 16:49, Erik Nilsson wrote:
>>>> Perfect that you can reproduce this with another webapp. Thankful for your
>>>> quick response. As I pointed out in the beginning of the conversation we
>>>> also got this problem behind our f5 loadbalancer. But not with if we
>>>> connect to Tomcat directly without a loadbalancer.
>>>
>>> Yes, this is a Tomcat bug. You should be able to work-around it with:
>>>
>>> useAsyncIO="false" on the Connector.
>>>
>>> I know where the problem is. I "just" need to figure out the fix.
>>>
>>> Mark
>
--
Re: Possible bug in http2 window size handling in tomcat 9.0.45
On 01/07/2021 07:16, Erik Nilsson wrote:
> Hmm I can still get the same exceptions even if I set useAsyncIO="false", but with maxConcurrentStreamExecution="1" it's stable.

Can you provide your entire Connector configuration that includes useAsyncIO="false" please?

Thanks,

Mark

> /Erik
>
> On Wed, 30 June 2021 at 18:41, Mark Thomas wrote:
>> On 30/06/2021 16:49, Erik Nilsson wrote:
>>> Perfect that you can reproduce this with another webapp. Thankful for your quick response. As I pointed out in the beginning of the conversation we also got this problem behind our f5 loadbalancer. But not with if we connect to Tomcat directly without a loadbalancer.
>>
>> Yes, this is a Tomcat bug. You should be able to work-around it with:
>>
>> useAsyncIO="false" on the Connector.
>>
>> I know where the problem is. I "just" need to figure out the fix.
>>
>> Mark