Need to upgrade to Tomcat 5.5.26 in JBoss 4.0.5
Greetings,

We're using JBoss 4.0.5.GA, bundled with Tomcat 5.5.20. Security vulnerabilities were found in Tomcat 5.5 and Tomcat 6.0 and fixed in Tomcat 5.5.26 and 6.0.16, and users are advised to upgrade. The design of Tomcat folders/files in JBoss 4.0.5.GA doesn't match the full (or embedded) Tomcat 5.5.26 installation, so I don't know how to upgrade Tomcat without upgrading JBoss. I looked at JBoss upgrades, but no stable release is available that includes the required Tomcat version. I asked JBoss Support how to upgrade Tomcat without upgrading JBoss, but didn't get a response.

Can Tomcat be upgraded separately from JBoss, or is the upgrade something that JBoss must provide? Can someone point me in the right direction on how to upgrade from Tomcat 5.5.20 to 5.5.26 within JBoss 4.0.5?

Thanks,
Steve
RE: My web application to use SSL (JSSE - RSA)
We switched from JSSE to the APR and OpenSSL about 6 months ago. We converted all existing keys and certs to the format required by OpenSSL. It was not hard. Some people say it can't be done, but they're wrong. After 6 months with OpenSSL, I say it's easier to use than JSSE. We use not only server-side certs, we also require client certificate authentication and perform certificate revocation checking.

-----Original Message-----
From: users-return-225336-STEVEN.J.ADAMUS=saic@tomcat.apache.org [mailto:users-return-225336-STEVEN.J.ADAMUS=saic@tomcat.apache.org] On Behalf Of Pid
Sent: Friday, June 10, 2011 1:37 PM
To: Tomcat Users List
Subject: Re: My web application to use SSL (JSSE - RSA)

On 10/06/2011 21:29, Patrick Flaherty wrote:

Hi,

Is APR/native Connector dramatically faster than Java Nio Blocking Connector or is it marginal?

APR+SSL is a little faster, if I remember correctly, Chris?

I'd love faster SSL but all my keys and certs are java based (keytool). Will APR ever support Java SSL?

No.

I find Java keytool to be reasonably easy to use. Is OpenSSL as easy to use?

Yes.

p

Thanks for any input.
Pat

On Jun 10, 2011, at 3:59 PM, Christopher Schultz wrote:

Charles,

On 6/10/2011 9:25 AM, Charles Van Damme wrote:

    10-jun-2011 15:14:11 org.apache.catalina.core.AprLifecycleListener init
    INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: [...]

FWIW, that's just an INFO message, but if you are going to be using SSL, you might want to go ahead and install the APR library: your performance will improve measurably. Note that Connector configuration for an APR connector using SSL is completely different if you choose to go this route. If you are not going to be using APR, you can disable the APR lifecycle listener because you aren't using it.

    java.security.NoSuchAlgorithmException: RSA SSLContext not available

As Pid points out, it's pretty obvious that RSA is not a valid algorithm in this situation:

    at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
    at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:490)

So, it's an SSL configuration problem. Let's look at your SSL Connector:

    <!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 443 -->
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="443" maxThreads="150"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="C:/Documents and Settings/Papa/.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="RSA" />

So, you have sslProtocol="RSA"... seems like a good place to look. If you check the Connector documentation, you can see that there are only a few recognized protocols you can choose.

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

Note that "protocol" refers to the protocol used for SSL, not for any specific cipher, key exchange strategy, etc. Unfortunately, the Tomcat documentation does not list all the available protocols, nor should it: the protocols available to you are determined by JVM support. The Javadoc for javax.net.ssl.SSLContext.getInstance has a pointer to documentation for standard names (which takes you through several hops to) here:

http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#SSLContext

Those are the valid ssl protocol names you can choose. If you want to use only ciphers that use the RSA algorithm (which is really limiting, IMO), you can look up their names here (after scrolling a bit downward):

http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#jssenames

Just look for stuff like SSL_DH_DSS_blah_blah_blah. Of course, support for a certain algorithm might not be available in your environment. It's best to find out what your JVM supports and use that. I wrote a short bit of code a while back to determine the supported algorithms and the default cipher suite for an SSLSocketFactory. I'll try to dig it up and post it.

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

If you aren't using AJP, then disable the extra connector.

Hoping you are not overwhelmed. Anything else?

You had other errors in the log file. After you get SSL working properly, stop Tomcat, delete all your logs and re-launch it. Anything that looks like an error should be investigated and fixed. Feel free to come back to the list for help on those additional issues: just remember to start a new thread if you do.

-chris

- To unsubscribe, e-mail:
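Chris mentions a bit of code that lists what the JVM actually supports. The class below is an added illustration of that idea, written for this page; it is not Chris's code, nor anything from Tomcat. The class name JsseCapabilities and the helper names are our own. It prints the SSLContext algorithm names registered in the running JVM (the only values that will work in a JSSE connector's sslProtocol attribute, which is why "RSA" fails), then for each one the protocol versions and cipher suites enabled by default versus merely supported, and finally the supported suites whose names contain "_RSA_", which is the list the poster was really after.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocketFactory;

/**
 * Reports what THIS JVM accepts as an SSLContext algorithm (the valid values
 * for a JSSE connector's sslProtocol attribute) and what each one enables.
 * Added example for this page; not Tomcat code.
 */
public class JsseCapabilities {

    /** SSLContext algorithm names registered by the installed providers. */
    public static Set<String> sslContextNames() {
        // getInstance() matches these names case-insensitively. "RSA" is a
        // cipher/key algorithm, not a context algorithm, so it is never here:
        // that is the "RSA SSLContext not available" exception from the log.
        return new TreeSet<String>(Security.getAlgorithms("SSLContext"));
    }

    /** Cipher suites from the given array whose names contain the token (e.g. "_RSA_"). */
    public static List<String> suitesContaining(String[] suites, String token) {
        List<String> out = new ArrayList<String>();
        for (String s : suites) {
            if (s.contains(token)) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, KeyManagementException {
        System.out.println("Valid sslProtocol values on this JVM: " + sslContextNames());

        for (String name : sslContextNames()) {
            SSLContext ctx = SSLContext.getInstance(name);
            // The "Default" context is pre-initialised and rejects init();
            // every other context must be initialised before use.
            if (!name.equalsIgnoreCase("Default")) {
                ctx.init(null, null, null);
            }
            SSLParameters defaults = ctx.getDefaultSSLParameters();
            SSLParameters supported = ctx.getSupportedSSLParameters();
            SSLSocketFactory sf = ctx.getSocketFactory();

            System.out.println();
            System.out.println("== " + name + " ==");
            System.out.println("protocols enabled by default: " + Arrays.toString(defaults.getProtocols()));
            System.out.println("protocols supported         : " + Arrays.toString(supported.getProtocols()));
            System.out.println("default cipher suites       : " + sf.getDefaultCipherSuites().length);
            System.out.println("supported cipher suites     : " + sf.getSupportedCipherSuites().length);
            // The poster's actual question: which suites use RSA key exchange/authentication.
            System.out.println("supported suites with _RSA_ : "
                    + suitesContaining(sf.getSupportedCipherSuites(), "_RSA_"));
        }
    }
}
```

Run it with the same JVM that starts Tomcat (javac JsseCapabilities.java && java JsseCapabilities), since a different JDK on the same box can support a different set. Anything that appears only under "supported" but not "enabled by default" has been turned off by the JVM's security policy and should be left off unless there is a documented reason to re-enable it.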
RE: SSLSession invalidate
Don't assume your SSL session or connection hasn't been invalidated just because you aren't asked to choose a certificate from your browser certs when you log in again. In our system (Tomcat 5.5.33), I know that our HTTP session and Single Sign-on session are invalidated upon logout, and we see similar behavior (no need to select certificate) upon re-login because the browser caches the user's certificate choice (and smart card PIN). Is your session ID the same when you go back in?

If you are using IE and you want to clear the browser cache to select another certificate, go to Tools -> Internet Options, select the Content tab, and click "Clear SSL state".

-----Original Message-----
From: users-return-227483-STEVEN.J.ADAMUS=saic@tomcat.apache.org [mailto:users-return-227483-STEVEN.J.ADAMUS=saic@tomcat.apache.org] On Behalf Of Jürgen Jakobitsch
Sent: Tuesday, September 06, 2011 3:12 PM
To: Tomcat Users List
Subject: Re: SSLSession invalidate

thanks mark,

if i understand you correctly, it is simply NOT possible to invalidate the SSLSession of which i can get the id with request.getAttribute("javax.servlet.request.ssl_session") (it works with this key in 6.0.32)

wkr turnguard

----- Original Message -----
From: Mark Thomas ma...@apache.org
To: Tomcat Users List users@tomcat.apache.org
Sent: Wednesday, September 7, 2011 12:08:29 AM
Subject: Re: SSLSession invalidate

On 06/09/2011 22:42, Jürgen Jakobitsch wrote:

apparently there is one, i can get its id with request.getAttribute("javax.servlet.request.ssl_session")

That is a Tomcat bug, it should be "javax.servlet.request.ssl_session_id".

in tomcat7 there's the possibility to use SSLSessionManager to invalidate SSLSession, so i'm doing a wild guess, that something similar has to be possible with tomcat6 as well.

Your wild guess is wrong. That feature is in Tomcat 7 onwards.

Mark

--
| Jürgen Jakobitsch,
| Software Developer
| Semantic Web Company GmbH
| Mariahilfer Straße 70 / Neubaugasse 1, Top 8
| A - 1070 Wien, Austria
| Mob +43 676 62 12 710
| Fax +43.1.402 12 35 - 22

COMPANY INFORMATION
| http://www.semantic-web.at/

PERSONAL INFORMATION
| web : http://www.turnguard.com
| foaf : http://www.turnguard.com/turnguard
| skype : jakobitsch-punkt
RE: SSL connect to APR fails - bad version
Hi Kobe,

I can see why it looks like the server is sending the message, but I think there's some reference that's being missed. The SSL debug should show Client messages and Server messages. One thing that's certain, the SSLv2 ClientHello is a client message sent by the client. This message is never sent by the server.

On a separate note, the APR is very strict about enforcing TLSv1. When it's configured for TLSv1, it immediately terminates the connection if it receives any SSLv2 ClientHello or SSLv3 ClientHello. If you have a server with an active APR that's accepting the SSLv2 (or SSLv3) ClientHello, then the value of SSLProtocol is "all" (default), SSLv2, SSLv3, or SSLv2+SSLv3.

Regards,
Steve

From: users-return-229208-STEVEN.J.ADAMUS=saic@tomcat.apache.org on behalf of Kobe
Sent: Tue 11/8/2011 10:20 PM
To: users@tomcat.apache.org
Subject: Re: SSL connect to APR fails - bad version

thank you Chris.

I know the server (APR) is sending SSLv2 ClientHello because ssl debugs show it:

    // from ${CATALINA_HOME}/bin/setenv.sh:
    export JAVA_OPTS=... -Djavax.net.debug=ssl
    //...
    # sh ${CATALINA_HOME}/bin/startup.sh

    // from client
    $ openssl s_client -connect server.xxx.net:443 -debug -ssl3

    // from ${CATALINA_HOME}/logs/catalina.out
    ... sending SSLv2 ClientHello

server issues only SSLv2 ClientHello

But same openssl version (FIPS) connects with SSLv3 on another machine. so I am thinking there is openssl misconfig on this server.

many thanks.
/Kobe

Christopher Schultz-2 wrote:

Kobe,

On 11/8/11 2:01 PM, Kobe wrote:

thanks for your help. here is more info on my setup: tomcat version 6.0.29. And tomcat is starting clean; no errors while loading. if I use tls1, I get same error as before (bad version).

when i test with openssl s_client, I check line 293 of s3_pkt.c. it says --

    if ((version >> 8) != SSL3_VERSION_MAJOR) {
        SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
        goto err;
    }

so client is wanting ssl version 3. But i have same error with browser. i do not/cannot find what version browser wants - i think it is 3.

Your web browser likely has SSL 2.0 disabled entirely. You should check which types of SSL/TLS are enabled.

So I am thinking, there is misconfigure on this server. i would like to find why this server respond with SSLv2 ClientHello instead of SSLv3 ClientHello.

Why do you think you are getting an SSLv2 reply?

how do i find this misconfiguration?

Are you using the same version of openssl as the client as you are using within Tomcat? I wonder if the FIPS mode is tripping you up.

-chris

--
View this message in context: http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32808893.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
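The confusion in this thread is about which side produced the "SSLv2 ClientHello" seen in the debug output. A small classifier that looks at the first bytes a peer sends settles it, because the two ClientHello framings are unmistakable: the SSLv2 format starts with a two-byte length whose high bit is set, followed by message type 0x01 and the highest version offered; the SSLv3/TLS format is a handshake record (content type 0x16) whose major version must be 3, which is exactly the s3_pkt.c check Kobe quotes. The class below is an added example for this page, not Tomcat or OpenSSL code; the class name and the sample byte arrays are constructed here rather than taken from the poster's capture.

```java
import java.util.Arrays;

/**
 * Classifies the first bytes a TLS peer sends so a capture or debug log can be
 * read unambiguously: SSLv2-format ClientHello vs. SSLv3/TLS record vs. noise.
 * Added example for this thread; not Tomcat or OpenSSL code.
 */
public class ClientHelloSniffer {

    /** Human-readable name for an SSL/TLS (major, minor) version pair. */
    static String versionName(int major, int minor) {
        if (major == 2) {
            return "SSLv2";
        }
        if (major == 3) {
            switch (minor) {
                case 0: return "SSLv3";
                case 1: return "TLSv1.0";
                case 2: return "TLSv1.1";
                case 3: return "TLSv1.2";
                default: return "SSLv3-family 3." + minor;
            }
        }
        return "unknown " + major + "." + minor;
    }

    /**
     * Describes the record, or returns a string starting with "not a ClientHello"
     * when the bytes match neither framing.
     */
    public static String classify(byte[] first) {
        if (first == null || first.length < 5) {
            return "not a ClientHello: too short";
        }
        int b0 = first[0] & 0xff;

        // SSLv2 framing: 2-byte header with the high bit set, then MSG-CLIENT-HELLO
        // (0x01), then the highest version the client offers. Only clients ever
        // produce this framing; a server never does.
        if ((b0 & 0x80) != 0) {
            int length = ((b0 & 0x7f) << 8) | (first[1] & 0xff);
            if ((first[2] & 0xff) != 0x01) {
                return "not a ClientHello: SSLv2 header but message type 0x"
                        + Integer.toHexString(first[2] & 0xff);
            }
            int major = first[3] & 0xff;
            int minor = first[4] & 0xff;
            return "SSLv2-format ClientHello, length " + length
                    + ", offering up to " + versionName(major, minor);
        }

        // SSLv3/TLS framing: content type 0x16 (handshake), record version, 2-byte
        // length, then handshake type 0x01 (ClientHello). The quoted s3_pkt.c
        // check is precisely "record major version must be 3".
        if (b0 == 0x16) {
            int major = first[1] & 0xff;
            int minor = first[2] & 0xff;
            if (major != 3) {
                return "not a ClientHello: handshake record with bad major version " + major;
            }
            if (first.length < 6 || (first[5] & 0xff) != 0x01) {
                return "SSLv3/TLS handshake record (" + versionName(major, minor)
                        + ") but not a ClientHello";
            }
            return "SSLv3/TLS-format ClientHello, record version " + versionName(major, minor);
        }
        return "not a ClientHello: first byte 0x" + Integer.toHexString(b0);
    }

    public static void main(String[] args) {
        // Constructed sample bytes (not taken from the poster's server).
        byte[] v2Hello  = {(byte) 0x80, 0x2e, 0x01, 0x03, 0x01, 0x00, 0x15};      // SSLv2 framing, offers TLSv1.0
        byte[] tlsHello = {0x16, 0x03, 0x01, 0x00, 0x2f, 0x01, 0x00, 0x00, 0x2b}; // TLS record, ClientHello
        byte[] plain    = "GET / HTTP/1.1\r\n".getBytes();                         // plaintext sent to the TLS port
        for (byte[] sample : Arrays.asList(v2Hello, tlsHello, plain)) {
            System.out.println(classify(sample));
        }
    }
}
```

Feed it the first bytes of each direction from a Wireshark capture (the approach the later threads on this page recommend for APR problems) and the side that emitted the SSLv2-format hello is identified directly, instead of being inferred from a log line. On a connector that is meant to accept only TLSv1, the first sample above is exactly the traffic that should be rejected, so seeing it accepted is the sign that SSLProtocol is still at its permissive default.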
RE: Installing CA cert on SSL enabled webserver
Mike,

Sounds like you installed it perfectly, otherwise no https connection to your web server would be possible. The problem with trust is on the client/browser side. You need to install the 3rd party Root CA cert on your client so your browser will trust your server's certificate.

Regards,
Steve

-----Original Message-----
From: users-return-236875-STEVEN.J.ADAMUS=saic@tomcat.apache.org [mailto:users-return-236875-STEVEN.J.ADAMUS=saic@tomcat.apache.org] On Behalf Of Michael Namaiandeh
Sent: Wednesday, September 26, 2012 11:37 AM
To: users@tomcat.apache.org
Subject: Installing CA cert on SSL enabled webserver

Hi all-

I have a question about Tomcat 7.0.27. I have a webserver that I enabled SSL access for. I have purchased a 3rd party cert. However, I am having trouble installing the cert on the server. Whenever I go to https://myserver.mycompany.com, I receive the "This site is untrusted" message. My question is: How do you install a 3rd party SSL cert on Tomcat 7?

Thanks in advance.
Mike
RE: Installing CA cert on SSL enabled webserver
So, your web server is using a self-signed cert, and not the one you purchased. Installation of your 3rd party cert depends on which HTTPS connector you're using, APR (OpenSSL-based) or the JSSE-based connector. Good documentation on both is out there, but make sure you follow the correct one or you'll get really confused.

-----Original Message-----
From: users-return-236878-STEVEN.J.ADAMUS=saic@tomcat.apache.org [mailto:users-return-236878-STEVEN.J.ADAMUS=saic@tomcat.apache.org] On Behalf Of Michael Namaiandeh
Sent: Wednesday, September 26, 2012 12:38 PM
To: Tomcat Users List
Subject: RE: Installing CA cert on SSL enabled webserver

The browser says the cert is issued by the server itself and it should be issued by the 3rd party CA (in this case, GoDaddy), right?
RE: How to check whether a SSL certificate has been correctly installed
Tom,

Most if not all browsers let you view the certificate that was received from the web server. You won't receive one unless you have an https connection. If you can view it and verify it's the correct one, then it's been installed correctly and the connection is encrypted.

Steve

-----Original Message-----
From: users-return-237053-STEVEN.J.ADAMUS=saic@tomcat.apache.org [mailto:users-return-237053-STEVEN.J.ADAMUS=saic@tomcat.apache.org] On Behalf Of Tom Anthony
Sent: Monday, October 08, 2012 2:36 AM
To: users@tomcat.apache.org
Subject: How to check whether a SSL certificate has been correctly installed

Hi,

I just installed a third party certificate on Tomcat and was wondering whether there was a way to check with confidence that the certificate has been installed correctly on the server and that all communications between client and server are encrypted.

Thanks for your help.
RE: tomcat question
Maxie,

You're probably referring to a DoD or similar security requirement. In the Web Server STIG, Rule ID SV-2236r8 says, "Installation of compilers on production web server is prohibited." The explanation provided is, "The presence of a compiler on a production server facilitates the malicious user's task of creating custom versions of programs and installing Trojan Horses or viruses. For example, the attacker's code can be uploaded and compiled on the server under attack."

There are exceptions to this rule. The same STIG says, "This check does not prohibit the use of the .Net Framework or the Java compiler for Oracle," and "An exception is the Java Development Kit installed in conjunction with a WebSphere service or Java Server Page (JSP)."

You need to push back and tell your Security Auditors that the Java and Jasper compilers are required for Tomcat. Provide any documentation they require.

Steve

-----Original Message-----
From: users-return-237320-STEVEN.J.ADAMUS=saic@tomcat.apache.org [mailto:users-return-237320-STEVEN.J.ADAMUS=saic@tomcat.apache.org] On Behalf Of Wiley, Maxie
Sent: Monday, October 22, 2012 6:18 AM
To: users-subscr...@tomcat.apache.org; users@tomcat.apache.org
Subject: tomcat question

ALL,

Is it possible to remove an installation of a compiler on a production web server (tomcat)? If there is a way to remove the compiler, or is it required in order for the system to function properly? Could you please send me a precise summary of why and any steps that can be taken to mitigate any potential risk associated with the compiler remaining in place. This is for a security issue on my production system.

Thanks for your time and support!
Maxie Wiley III
RE: SSL Session Caching
Nothing is going on. When the smartcard is removed, nothing goes across the wire, so how could Tomcat possibly invalidate the session?

-----Original Message-----
From: users-return-239719-STEVEN.J.ADAMUS=saic@tomcat.apache.org [mailto:users-return-239719-STEVEN.J.ADAMUS=saic@tomcat.apache.org] On Behalf Of Mark Thomas
Sent: Wednesday, February 13, 2013 11:36 AM
To: Tomcat Users List
Subject: Re: SSL Session Caching

On 13/02/2013 18:49, Will Nordmeyer wrote:

I have a scenario right now I need help with. My Tomcat is configured for SSL, client certificate authorization and Certificate Revocation List checking (all outside certificates). We have a scenario (we've found in testing) where we do a transaction in our application, then the user pulls his smart card out (client certificate) and a new user comes up and puts his card in. Tomcat isn't recognizing that a new certificate is in place and is allowing the new user, with the new certificate, to transact without validating his credentials. It appears as if the old session is being utilized still by the client (windows or unix, firefox or IE) and Tomcat. Which seems very odd. I would have expected the new cert would have forced a new SSL session to be created and tomcat to puke at an attempt to submit a transaction on the old session. Any thoughts/advice/guidance?

Use wireshark. If you provide it with your server's private key (should be doable in a test environment) you'll be able to see exactly what is (or isn't) going on.

Mark
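Two threads on this page meet here: the "SSLSession invalidate" exchange, where Mark Thomas confirms that invalidating the TLS session from a web application is possible from Tomcat 7 onwards via SSLSessionManager, and this one, where Steve points out that pulling a smart card sends nothing over the wire, so the only moment the server can act is an explicit logout. The servlet below is an added example of that logout step; it is not code from either thread. It assumes a Tomcat 7 deployment (Servlet 3.0 annotations) and uses the request attribute under which Tomcat 7 exposes its manager, "javax.servlet.request.ssl_session_mgr", together with the corrected id attribute Mark names above. The class name and the /logout path are our own choices.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logout that tears down the HTTP session AND asks Tomcat to drop the TLS
 * session, so the next request must renegotiate and present a client
 * certificate again instead of resuming the cached session.
 * Added example for this page; not code from the thread. Path is our choice.
 */
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Attributes Tomcat 7+ sets on requests that arrived over a TLS connector.
    static final String SSL_SESSION_MGR = "javax.servlet.request.ssl_session_mgr";
    static final String SSL_SESSION_ID  = "javax.servlet.request.ssl_session_id";

    /**
     * Invalidates the TLS session when the container offers a manager.
     * Returns false on Tomcat 6 (attribute absent) or on a non-TLS connector.
     * Reflection on the interface keeps the WAR compiling and deploying without
     * tomcat-coyote on the classpath; with it, a direct cast to
     * org.apache.tomcat.util.net.SSLSessionManager does the same job.
     */
    static boolean invalidateSslSession(HttpServletRequest req) {
        Object mgr = req.getAttribute(SSL_SESSION_MGR);
        if (mgr == null) {
            return false;
        }
        try {
            Class<?> iface = Class.forName("org.apache.tomcat.util.net.SSLSessionManager");
            iface.getMethod("invalidateSession").invoke(mgr);
            return true;
        } catch (Exception e) {
            // ClassNotFound / NoSuchMethod / access problems: treat as "not supported here".
            return false;
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Read the id before invalidating, for the audit line below.
        Object sslId = req.getAttribute(SSL_SESSION_ID);

        HttpSession http = req.getSession(false);
        if (http != null) {
            http.invalidate();
        }
        boolean sslDropped = invalidateSslSession(req);

        resp.setHeader("Cache-Control", "no-store");
        resp.setContentType("text/plain");
        resp.getWriter().println("HTTP session invalidated; TLS session " + sslId
                + (sslDropped ? " invalidated" : " left to the container"));
    }
}
```

Logout is a state-changing action, so it is bound to POST only. Dropping the TLS session does not clear the browser's own certificate and PIN cache that Steve describes, so the user may not be prompted again; what changes is that the server will no longer accept the old session id, and a new handshake, with whatever card is now present, is forced on the next request.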
RE: tomcat apr openssl logging
Jeremy,

I've been down the same road and never found any acceptable logging solution within the APR. Every APR/OpenSSL issue we've had over the last 3 years has been resolved using Wireshark. Wireshark is indispensable.

Steve

-----Original Message-----
From: users-return-241544-STEVEN.J.ADAMUS=saic@tomcat.apache.org [mailto:users-return-241544-STEVEN.J.ADAMUS=saic@tomcat.apache.org] On Behalf Of Jeremy Bowers
Sent: Tuesday, April 30, 2013 10:47 AM
To: users@tomcat.apache.org
Subject: tomcat apr openssl logging

My searches for the answer to this question have so far not turned up a solution. I've found others asking the same question but the only non-answers I've found are to utilize a full apache httpd server or go back to jsse for logging. If this has been answered before, I sincerely apologize, but my search terms haven't found an answer as of yet. I'm hoping someone on here can help:

How do I go about setting up server side logging to gain more detailed information about ssl connections when using tomcat with apache tomcat native, apr, and openssl for https?

Thanks!
-Jeremy