RE: Security Vulnerability Question

2021-10-13 Thread George Stanchev
Upgrade to latest? -Original Message- From: Kenaw, Seretseab Sent: Wednesday, October 13, 2021 12:16 PM To: users@tomcat.apache.org Subject: Security Vulnerability Question Hello, Our IT team just notified us with a severe security vulnerability on our web application with the

tcnative windows binaries link needs to be corrected

2021-01-05 Thread George Stanchev
The links and mirrors for the windows binaries at "https://tomcat.apache.org/download-native.cgi" are all messed up. Some point to binaries compiled with openssl-1.1.1g where the holding sites have 1.1.1i and vice versa. For example

RE: Tomcat SSO valve implementation

2020-12-21 Thread George Stanchev
We use spring-security-saml for application-level SP implementation and it works pretty good too. The project is in the process of being rewritten from scratch though with 2.0 in milestone builds. No direct integration with Tomcat though but on application level. George -Original

RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

2020-12-05 Thread George Stanchev
Chris -Original Message- From: Christopher Schultz Sent: Friday, December 04, 2020 1:20 PM To: users@tomcat.apache.org Subject: Re: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? > With the pluggability of Java's crypto interface, I seriously doubt > Oracle is going

RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

2020-12-04 Thread George Stanchev
-Original Message- From: Christopher Schultz Sent: Friday, December 04, 2020 10:58 AM To: users@tomcat.apache.org Subject: Re: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? George, On 12/3/20 21:59, George Stanchev wrote: > Java's FIPS mode is "experimental"

RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

2020-12-03 Thread George Stanchev
-Original Message- From: George Stanchev Sent: Thursday, December 03, 2020 7:59 PM To: Tomcat Users List ; Avik Ray Subject: RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? Java's FIPS mode is an "experimental" feature that was removed in later Java versions. It

RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

2020-12-03 Thread George Stanchev
Java's FIPS mode is an "experimental" feature that was removed in later Java versions. It was never certified (AFAIK). To me the only two viable options are via APR+OpenSSL 1.0.1/FIPS and BCFIPS. We have implemented the latter and have run into issues with RSA keys. First the C# BCPROV doesn't

RE: Bouncy Castle FIPS on RHEL 7.3

2020-12-03 Thread George Stanchev
Hi Amit, Consider changing "securerandom.strongAlgorithms" to "NativePRNGNonBlocking:SUN" in your Java's "lib\security\java.security". The default is "NativePRNGBlocking:SUN" and is really entropy thirsty on startup as it runs its self tests and seeds its PRNG George -Original

RE: jstl jar location

2020-10-21 Thread George Stanchev
Subject: Re: jstl jar location Tue, 20 Oct 2020 at 22:31, George Stanchev : > > > I am hoping someone can shed some light on a question. I did try to search > online and SO but haven't had luck in figuring it out so hopefully it is a > quick answer from the people that know that s

jstl jar location

2020-10-20 Thread George Stanchev
I am hoping someone can shed some light on a question. I did try to search online and SO but haven't had luck in figuring it out so hopefully it is a quick answer from the people that know that stuff. We have an uber-lib folder where we keep shared libraries in our TC85-hosted app. If we put

RE: CVE-2020-1935

2020-07-27 Thread George Stanchev
xy accepts and doesn't accept. For completeness you might want to test how it responds to all bytes from 0x00 to 0xFF in a field name and/or value as well and ensure that it is compliant with RFC 7230. HTH, Mark On 24/07/2020 23:13, George Stanchev wrote: > Chris, > > This is just sil

RE: CVE-2020-1935

2020-07-24 Thread George Stanchev
. Cheers! George -Original Message- From: Christopher Schultz Sent: Friday, July 24, 2020 3:40 PM To: users@tomcat.apache.org Subject: Re: CVE-2020-1935 -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 George, On 7/24/20 15:15, George Stanchev wrote: > The description for this

CVE-2020-1935

2020-07-24 Thread George Stanchev
The description for this CVE is pretty vague (as perhaps necessary) but we have a customer that is trying to assess their risk for this CVE. They are behind a reverse-proxy. Even though the description on Tomcat's security page states that the risk is low it doesn't describe how would a

RE: Tomcat Connector issue

2020-07-02 Thread George Stanchev
To give some closure to the issue, it turned out to be networking related. Still not clear how cleanup of the hosts file on the client machines fixed it but that's what happened. Thanks to all that chimed in earlier. George -Original Message- From: George Stanchev Sent: Monday, June

RE: Tomcat Connector issue

2020-06-29 Thread George Stanchev
this behavior. Interestingly the same is observed under other OSes (Windows Server 2012) procured with their scripts... Any help/ideas are much appreciated George -Original Message- From: George Stanchev Sent: Tuesday, June 23, 2020 10:31 AM To: Tomcat Users List Subject: RE: Tomcat

RE: Tomcat Connector issue

2020-06-23 Thread George Stanchev
::jk_ajp_common.c (799): (worker-local) Header[4] [Content-Length] = [0] This is pretty standard, I can't see anything wrong... -Original Message- From: George Stanchev Sent: Tuesday, June 23, 2020 10:33 AM To: users@tomcat.apache.org Subject: RE: Tomcat Connector issue Thanks all

RE: Tomcat Connector issue

2020-06-23 Thread George Stanchev
, Christopher Schultz wrote: >>> George, >>> >>> On 6/22/20 17:13, George Stanchev wrote: >>>> We are getting HSE_REQ_SEND_RESPONSE_HEADER failed with >>>> error=87 (0x0057) on a 302 redirect proxied by TC connector >>>> 1.2.46. >>

Tomcat Connector issue

2020-06-22 Thread George Stanchev
We are getting HSE_REQ_SEND_RESPONSE_HEADER failed with error=87 (0x0057) on a 302 redirect proxied by TC connector 1.2.46. I can see the 302 response come over from TC and it looks legit. Trace logs below. Anyone else running into a similar error or perhaps some clue as to why this can be

TLS key management

2019-11-11 Thread George Stanchev
Currently, (in most cases) Tomcat creates an in-memory keystore and initializes kmf as follows: KeyManagementFactory.getInstance(algo).init(keystore, kspass). The in-memory keystore has the key, the certificate and the chain and nothing else. This works fine in most cases but we've run into a

building tcnative

2019-11-07 Thread George Stanchev
I am trying to build tcnative on Windows 7 using VS 2017 and it has been nothing but pain so far around the apr and tcnative itself. Any help is appreciated. I did get around the apr issues (which were very similar to what I am about to ask) by compiling via the .sln file. But the nmake route

RE: Client Cert TLS issue

2019-11-01 Thread George Stanchev
Thanks Mark, will do! -Original Message- From: Mark Thomas Sent: Thursday, October 31, 2019 3:04 PM To: Tomcat Users List ; George Stanchev Subject: Re: Client Cert TLS issue On 16/10/2019 18:55, George Stanchev wrote: > And this is not where it hangs. I stepped through the c

RE: tomcat service app

2019-10-30 Thread George Stanchev
My question about the source stays, but I guess I should've RTFM where it states that the wrapper uses # *or* ; as separator and if you want to embed those characters you need to wrap them in single quotes... From: George Stanchev Sent: Wednesday, October 30, 2019 1:33 PM To: Tomcat Users List

tomcat service app

2019-10-30 Thread George Stanchev
I am trying to troubleshoot an issue where when I call tomcat8.exe with following parameters it writes [2] to the registry (newline where the semicolon was) and I am having trouble locating the source code repository for the Windows service app. Can someone point me to it? (Or tell me what I've

RE: Client Cert TLS issue

2019-10-20 Thread George Stanchev
To: users@tomcat.apache.org Subject: Re: Client Cert TLS issue Just a note to say I haven't forgotten this. I hope to look at this this week unless someone beats me to it. Mark On 16/10/2019 17:55, George Stanchev wrote: > > On 15/10/2019 22:15, George Stanchev wrote: >> Hi, >> &g

RE: Client Cert TLS issue

2019-10-16 Thread George Stanchev
56 George, On 10/16/19 12:55, George Stanchev wrote: > > On 15/10/2019 22:15, George Stanchev wrote: >> Hi, >> >> I would need some help with tracking an issue with TC 8.5.47 (windows >> x64, java: azul 1.8.0_222) configured with [1] and tcnative-1.dll. >> When

RE: Client Cert TLS issue

2019-10-16 Thread George Stanchev
On 15/10/2019 22:15, George Stanchev wrote: > Hi, > > I would need some help with tracking an issue with TC 8.5.47 (windows x64, > java: azul 1.8.0_222) configured with [1] and tcnative-1.dll. When a simple > client tries to connect to the server, the server hangs on SSL han

Client Cert TLS issue

2019-10-15 Thread George Stanchev
Hi, I would need some help with tracking an issue with TC 8.5.47 (windows x64, java: azul 1.8.0_222) configured with [1] and tcnative-1.dll. When a simple client tries to connect to the server, the server hangs on SSL handshake until either the client times out on read or the server times out

RE: [OT] TLSv1.3 in TC8.5 + Azul Java 8

2019-08-06 Thread George Stanchev
So it seems to work. For whoever is interested to try, the openjsse comes prebundled with Azul's distro, all you need to do is run with -XX:+UseOpenJSSE command line option. On TC side, I added "TLSv1.3" to "sslEnabledProtocols": sslEnabledProtocols="+TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3" Also not

RE: [OT] TLSv1.3 in TC8.5 + Azul Java 8

2019-08-02 Thread George Stanchev
George, On 8/1/19 16:42, George Stanchev wrote: > As of recently Azul has backported the JSSE from Java 11 into Java > 8 [1] and it is currently offering TLSv1.3 support in its Java 8 > distro [2]. Good for them. It's too bad Oracle is so conservative with its policies. I have Azul o

TLSv1.3 in TC8.5 + Azul Java 8

2019-08-01 Thread George Stanchev
As of recently Azul has backported the JSSE from Java 11 into Java 8 [1] and it is currently offering TLSv1.3 support in its Java 8 distro [2]. Does this help TC with JSSE SSL engine to also offer TLSv1.3 on its SSL listeners? [1] https://github.com/openjsse/openjsse [2]

RE: AW: Outbound SSL?

2019-06-03 Thread George Stanchev
What is your webapp using as HTTP client that handles the SSL? -Original Message- From: James Lampert Sent: Friday, May 31, 2019 3:41 PM To: Tomcat Users List Subject: Re: AW: Outbound SSL? This just keeps getting weirder and weirder. I extracted the actual request >

RE: OS

2019-04-21 Thread George Stanchev
FWIW someone is submitting the same identical question (with only the project name different) in the dozen or so Apache projects I am on mailing list of... Just google "Hello, I am doing an investigation. Does Windows Server 2019 support" and see for yourself It looks like a troll

RE: Tomcat 8.5.39 on maven central

2019-03-21 Thread George Stanchev
Thanks Mark! -Original Message- From: Mark Thomas Sent: Thursday, March 21, 2019 3:13 PM To: users@tomcat.apache.org Subject: Re: Tomcat 8.5.39 on maven central On 21/03/2019 21:00, George Stanchev wrote: > Hi, > > The announcement went out few days ago but 8.5.39 is stil

Tomcat 8.5.39 on maven central

2019-03-21 Thread George Stanchev
Hi, The announcement went out a few days ago but 8.5.39 is still not out there [1]. I know it takes a bit for maven central to pick it up but with the git migration perhaps something got broken? George [1] https://mvnrepository.com/artifact/org.apache.tomcat/tomcat-catalina

Invalid URL characters via AJP

2019-02-06 Thread George Stanchev
In light of recent changes around allowing and subsequent relaxation of the invalid characters handling in TC, I just noticed that TC behind IIS (via JK connector/AJP) happily accepts ";<> etc while the HTTP connector rejects them. Is this how the AJP connector is supposed to work? Is the

NIO vs NIO2

2018-12-23 Thread George Stanchev
Hi, We are currently on the latest TC 8.5.37 but soon will be moving to latest 9. Currently we use NIO connectors. I am having a hard time evaluating the need (if necessary) to switch to NIO2. Can someone point me to a good resource/link where the two connectors are compared and which situations

RE: Number of Web Applications in one Tomcat: THANKS!

2018-10-31 Thread George Stanchev
This is an interesting discussion. Are there any guides to alleviating management work of such deployments? For example, how do you deal with the port mapping? Or logs - do you collect at a common location or let each app log in its corner ? Can you share configuration across instances such as

RE: log4j

2018-05-18 Thread George Stanchev
Depends on what you're asking. If you're asking to use log4j to capture Tomcat logging, then the answer is - you can't but you can use Log4j2 or JULI. If the question is how to use log4j for your apps deployed under Tomcat, then the answer can be found easily... From: Cheltenham, Chris

client cert authentication

2018-05-04 Thread George Stanchev
I guess I am looking for some pointers how to approach a certain scenario from "the right way" of implementing it. Say you have a standard login form with user/pass edits and "Login" and "Smartcard" buttons. The "Login" button does its obvious thing. The "Smartcard" button authenticates the

RE: Security of AJP

2018-02-28 Thread George Stanchev
It is used, for example, if you want to front Tomcat by Apache Web Server or by IIS (among others). In those cases the HTTP processing is done in the front system and if necessary it is proxied to Tomcat via AJP. You take HTTP request from that system, put it in an AJP record and send it over

RE: Using Environment variables instead of Java -D properties for context.xml substitution

2018-01-22 Thread George Stanchev
Can you use catalina.properties? From the docs [1] " All system properties are available including those set using the -D syntax, those automatically made available by the JVM and those configured in the $CATALINA_BASE/conf/catalina.properties file." [1]

RE: building TC 8.5 with checkstyle

2017-12-07 Thread George Stanchev
>On 07/12/17 21:12, Mark Thomas wrote: >> On 07/12/17 20:48, George Stanchev wrote: >>> I am trying to build TC 8.5.24 from source and running into checkstyle >>> validation issues [1]. I looked at >>> https://tomcat.apache.org/tomcat-8.5-doc/building.

building TC 8.5 with checkstyle

2017-12-07 Thread George Stanchev
I am trying to build TC 8.5.24 from source and running into checkstyle validation issues [1]. I looked at https://tomcat.apache.org/tomcat-8.5-doc/building.html and couldn't find anything that suggests that the default target would not build, nor is checkstyle mentioned. It is not a

RE: ISAPI and IIS 10 Logging Issue

2017-10-05 Thread George Stanchev
> Note that also in the course of my investigations, somewhere I found a phrase > to the effect that Microsoft would be discouraging the future use of ISAPI > modules in IIS, and recommends some other architecture instead now. Do you remember where you saw that? Can you provide a link?

RE: Issue with static file in Tomcat 8.5.17

2017-07-20 Thread George Stanchev
>> The problem is related to the new code that handles the case when a >> file is stored in one encoding but served in another. Since changing >> encodings can change the value and number of bytes served (for example >> serving £ in UTF-8 requires two bytes but only one in ISO-8859-1). >>

RE: Issue with static file in Tomcat 8.5.17

2017-07-07 Thread George Stanchev
On 07/07/2017 20:56, George Stanchev wrote: > Sorry, I didn't realize there is a -d option that gives you the full request > and response. Here is the dump: Thanks for the extra information. I can't reproduce this yet. I'm going to hold off on closing the currently running votes until

RE: Issue with static file in Tomcat 8.5.17

2017-07-07 Thread George Stanchev
Sorry, I didn't realize there is a -d option that gives you the full request and response. Here is the dump: c:\>wget -d -S http://hostname:8085/testapp/javascript/jquery-1.8.3.min.js SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc syswgetrc = C:\bin\gnuwin32/etc/wgetrc Setting --server-response

RE: Issue with static file in Tomcat 8.5.17

2017-07-07 Thread George Stanchev
-Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Friday, July 07, 2017 1:05 PM To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: Issue with static file in Tomcat 8.5.17 On 07/07/2017 19:09, George Stanchev wrote: > Hi, .. > Please let

Issue with static file in Tomcat 8.5.17

2017-07-07 Thread George Stanchev
Hi, The current Tomcat 8.5.17 is under vote for release with +1s only. I took the liberty to download the distributable before officially announced and am running into an issue with it. A static file that used to download in 8.5.16 and below now doesn't. Chrome reports: jquery-1.8.3.min.js:1

jk connector + http2

2017-05-25 Thread George Stanchev
Hi, Is an HTTP/2 call to Tomcat proxied via IIS / JK Connector (Tomcat Connector) expected to succeed? George

RE: warning in tomcat logs

2017-05-02 Thread George Stanchev
>> This has been fixed in 8.5.x for 8.5.15 onwards and 9.0.x for 9.0.0.M21 >> onwards. Thanks Mark

RE: warning in tomcat logs

2017-05-02 Thread George Stanchev
-Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Sunday, April 30, 2017 5:02 AM To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: warning in tomcat logs On 29/04/17 15:13, George Stanchev wrote: > TC 8.5.14 and noticed in the logs the followin

warning in tomcat logs

2017-04-29 Thread George Stanchev
TC 8.5.14 and noticed in the logs the following warning: "The truststoreProvider [AnyCert] does not support the certificateVerificationDepth configuration option" In our case, we're using Shib's AnyCert trust manager to accept any client cert on a particular connector as described here [1]. I

RE: Apache Tomcat 7.0.59 - Even if a ws certificate stored in the WSkeystore expires, any webclient request is still accepted by server and not refused

2017-02-07 Thread George Stanchev
Mark, Apologies for top posting. We have our own trust manager that is attached to the connector because we want client certificates to be passed in the application for validation and authentication rather than the connector. If we switch to the OpenSSL/APR based certificate processing, would

log4j in Tomcat 8.5

2017-02-02 Thread George Stanchev
Hi, I am transitioning from Tomcat 7.0 to Tomcat 8.5 and I was wondering what do I need to do to use log4j in 8.5. Reading this bug [1], it states that the support for log4j has been dropped since it is EOLed. Now, there is a comment on this issue from Mark that says that it is applied

RE: NullPointerExceptions from Coyote over SSL

2016-07-27 Thread George Stanchev
Peter, Depending at which slot you plug in BC in the Security context it might or it might not get used depending on the cipher suites used by your SSL connection. JSSE will ask Java for crypto implementation from the list of JCE providers and if your BC is high on the list, it will get used.

RE: sadfasdf

2016-04-19 Thread George Stanchev
It could be someone's kids. I know mine has done similar damage. With tablets and iphones hosting parent's work plus junior's entertainment it could have happened. Let us be gentle :) From: Nick Childs [mailto:nchi...@ramsoft.com] Sent: Tuesday, April 19, 2016 8:55 PM To: Tomcat Users List

RE: Understanding how to controlling what data is written to log4j appenders

2016-03-10 Thread George Stanchev
If you run tomcat via the windows server wrapper, you can "%TOMCAT_EXE%" //US//%TOMCAT_SERVICE_NAME% --StdOutput "%TOMCAT_CONSOLE_LOG%" --StdError "%TOMCAT_CONSOLE_LOG%" Which will redirect the stderr and stdout to the corresponding log files George -Original Message- From: Joleen

RE: AJP protocol auto-switching default

2016-03-10 Thread George Stanchev
-Original Message- From: Rémy Maucherat [mailto:r...@apache.org] Sent: Thursday, March 10, 2016 4:41 PM To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: AJP protocol auto-switching default 2016-03-11 0:38 GMT+01:00 George Stanchev <gstanc...@serena.com>: >

RE: AJP protocol auto-switching default

2016-03-10 Thread George Stanchev
> Perhaps I am overlooking something, but the documentation for AJP [1] > states for "protocol" > > > The standard protocol value for an AJP connector is AJP/1.3 which uses > an auto-switching mechanism to select either a Java based connector or > an APR/native based connector. If the PATH

AJP protocol auto-switching default

2016-03-10 Thread George Stanchev
Perhaps I am overlooking something, but the documentation for AJP [1] states for "protocol" The standard protocol value for an AJP connector is AJP/1.3 which uses an auto-switching mechanism to select either a Java based connector or an APR/native based connector. If the PATH (Windows) or

RE: Windows Authentication

2016-03-04 Thread George Stanchev
It does not look like HTTP Basic. Did you try different browsers? IE, Chrome, FF? Do you get same behavior with all? Is the user logging in member of the domain your IWA is set up to? If you set up a 3rd party IWA provider (such as Waffle), does it act the same on all 3 browsers? There was a

RE: Relative redirects in light of recent changes

2016-02-10 Thread George Stanchev
> > However, with useRelativeRedirects="false" I see > > > > GET http://hostname/myapp?m=n=p > > ==> 302: "http://hostname/login?a=b=d" > > > > The questions I have are 2: First, what happened with the trailing slash > redirect. I vaguely remember discussions around it but I couldn't

RE: Relative redirects in light of recent changes

2016-02-09 Thread George Stanchev
> However, with useRelativeRedirects="false" I see > > GET http://hostname/myapp?m=n=p > ==> 302: "http://hostname/login?a=b=d" > > The questions I have are 2: First, what happened with the trailing slash > redirect. I vaguely remember discussions around it but I couldn't find

RE: Relative redirects in light of recent changes

2016-02-08 Thread George Stanchev
In Tomcat 7.0.67 with no "useRelativeRedirects" set on the context (which defaults it to "true"), I see GET http://hostname/myapp?m=n=p ==> 302: "login?a=b=d" Now, this is expected behavior given the fix for [1] [1] http://bz.apache.org/bugzilla/show_bug.cgi?id=56917 I reread

Relative redirects in light of recent changes

2016-02-08 Thread George Stanchev
Hi, Recent changes to Tomcat altered the behavior of our applications a bit so I've got a couple of questions. The versions in question are 7.0.64 and 7.0.67. I am aware of which is also described in the changelog for 7.0.67. I have a filter that acts on application "/myapp" that does a redirect in

RE: Relative redirects in light of recent changes

2016-02-08 Thread George Stanchev
Hi, Recent changes to Tomcat altered the behavior of our applications a bit so I've got a couple of questions. The versions in question are 7.0.64 and 7.0.67. I am aware of which is also described in the changelog for 7.0.67. I have a filter that acts on application "/myapp" that does a redirect

RE: Unable to find IIS Tomcat Connector 1.2.41 dll

2016-02-03 Thread George Stanchev
You might want to explore this thread: http://marc.info/?l=tomcat-user=145399491702444=2 which also points to this thread http://tomcat.markmail.org/message/lyxmf5zof5csf6bn Regards, George -Original Message- From: McKenzie, Mitch [mailto:mmcken...@markelcorp.com] Sent: Wednesday,

RE: client ssl renegotiation after invalidating session

2016-02-01 Thread George Stanchev
-logout-relogin : http://stackoverflow.com/questions/10229027/how-to-trigger-ssl-rehandshake-on-a-web-browser For the time being I'll just warn the users that they are not being truly logged out until they close all browser windows. 2016-01-29 18:56 GMT+01:00 George Stanchev <gst

RE: client ssl renegotiation after invalidating session

2016-01-29 Thread George Stanchev
-Original Message- From: Gael Abadin [mailto:gael.aba...@imatia.com] Sent: Friday, January 29, 2016 10:33 AM To: Tomcat Users List Subject: client ssl renegotiation after invalidating session I want to invalidate the client ssl cert authentication after the user logs out of my

RE: AW: AW: Suppress or replace WWW-Authorization header

2015-10-28 Thread George Stanchev
On 28.10.2015 17:42, Torsten Rieger wrote: > -Original Message- > From: Aurélien Terrestris [mailto:aterrest...@gmail.com] > Sent: Wednesday, 28 October 2015 16:45 > To: Tomcat Users List > Subject: Re: AW: Suppress or replace WWW-Authorization header >

RE: Tomcat Server and PHP Extensions

2015-10-28 Thread George Stanchev
You need Apache, not Tomcat -Original Message- From: Chris Thompson [mailto:cthomp...@conveyor-dynamics.com] Sent: Wednesday, October 28, 2015 5:20 PM To: users@tomcat.apache.org Subject: Tomcat Server and PHP Extensions Does Tomcat Server support PHP extensions? I am looking at

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-15 Thread George Stanchev
Aurélien, I added good_run.pcap and bad_run.pcap to that dropbox location [1]. I also think this needs to be looked at by MS engineers. I am following up on my support case but really not getting anywhere... George [1] https://www.dropbox.com/sh/az1r3agxx4w8r7e/AACRGedBG3G5oh4-qE9652WNa?dl=0

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-14 Thread George Stanchev
on algorithm and the cryptographic hash function negotiated during the client hello and server hello, and using the secret key that the client sent to the server during the client key exchange. The handshake can be renegotiated at this time. See the next section for details." 2015-10-1

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
of the ClientHello record, not how it is wrapped which happens later when the record is being serialized to the socket... Anyways, thanks to all for the tip but it doesn't make a difference...still bad mac record... George -Original Message- From: George Stanchev [mailto:gstanc

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
/15 12:46 PM, George Stanchev wrote: > One more clarification: on point [6] below I stated that Java is able > to recover with a retry on a cached connection. Unfortunately that is > only valid for higher level classes like HttpUrlConnection which makes > 1 retry on IOException (and o

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
have some movement forward. George [1] http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html -Original Message----- From: George Stanchev [mailto:gstanc...@serena.com] Sent: Tuesday, October 13, 2015 10:26 AM To: Tomcat Users List Subject: RE: [OT] Tomcat 7.0.5

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
d_record_mac -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 George, On 10/13/15 12:35 PM, George Stanchev wrote: > [1] states: " JDK 7-9 enables SSLv2Hello on the server side only. > (Will not send, but will accept SSLv2Hellos)" Interesting. This absolutely makes sense, thoug

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
[OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac George, do you have any network capture that we can see ? 2015-10-13 22:10 GMT+02:00 George Stanchev <gstanc...@serena.com>: > >> It might be doable with OpenSSL s_client or something. Tough to >

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
Aurélien Terrestris <aterrest...@gmail.com>: > George, > > do you have any network capture that we can see ? > > 2015-10-13 22:10 GMT+02:00 George Stanchev <gstanc...@serena.com>: > >> >> It might be doable with OpenSSL s_client or something. Tough to >> r

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
produces the problem, I'll try with JTouch ( jtouch.sourceforge.net ) or write a small client. 2015-10-13 22:22 GMT+02:00 Aurélien Terrestris <aterrest...@gmail.com>: > George, > > do you have any network capture that we can see ? > > 2015-10-13 22:10 GMT+02:00 George Stanchev

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
sourceforge.net ) or write a small client. > > > > > 2015-10-13 22:22 GMT+02:00 Aurélien Terrestris <aterrest...@gmail.com>: > >> George, >> >> do you have any network capture that we can see ? >> >> 2015-10-13 22:10 GMT+02:00 George Stanchev <

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
ut to write a TLS client using a SSLv2Hello, you will call getInstance("TLS") and setEnabledProtocols("SSLv2"). I hope things are more understandable :) 2015-10-13 23:12 GMT+02:00 George Stanchev <gstanc...@serena.com>: > Ok, may be you are ahead of me on t

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
's working. Not making advertisement for my software here, but,.. ;) 2015-10-13 23:20 GMT+02:00 George Stanchev <gstanc...@serena.com>: > Just as a side note, https.protocols is read by HttpsUrlConnection > which feeds it down through setEnabledProtocols() on the SSL socket. "

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-09 Thread George Stanchev
Just for the record, https.protocols is a property used by the HttpsUrlConnection class. If your app is using a client that doesn't rely on the internal Oracle HTTP client, it's better to use " jdk.tls.client.protocols" which is read directly by the socket/SSL classes. Apache Http Client is one

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-09 Thread George Stanchev
-level sockets just throw and that’s it... -Original Message- From: George Stanchev [mailto:gstanc...@serena.com] Sent: Friday, October 09, 2015 10:40 AM To: Tomcat Users List Subject: RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac Just for the record

RE: Demand CLIENT-CERT only on certain pages but demand SSL in all pages

2015-10-06 Thread George Stanchev
Mark, What are the possible issues with renegotiation? We're on NIO connectors, is there anything known? George -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Monday, October 05, 2015 8:32 AM To: Tomcat Users List Subject: Re: Demand CLIENT-CERT only on certain

RE: Tomcat 7.0.55 Not loading truststore or keystore

2015-09-01 Thread George Stanchev
Hi Diarmuid, We have run into a similar issue with client cert SSL. Is your 3rd party web service hosted on Windows/IIS? George -Original Message- From: dmccrthy [mailto:dmccr...@gmail.com] Sent: Tuesday, September 01, 2015 11:07 AM To: Tomcat Users List Subject: Tomcat 7.0.55 Not loading

RE: [OT] Re: Filter behaviour

2015-06-29 Thread George Stanchev
For SOAP, you *MUST* send back 500 or 400 with your SOAP fault back. [1] http://www.w3.org/TR/soap12-part2/#tabresstatereccodes -Original Message- From: Leo Donahue [mailto:donahu...@gmail.com] Sent: Saturday, June 27, 2015 11:45 PM To: Tomcat Users List Subject: [OT] Re: Filter

RE: [OT] Re: Filter behaviour

2015-06-29 Thread George Stanchev
processing error. George [1] http://www.w3.org/TR/2000/NOTE-SOAP-2508/#_Toc478383529 -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Monday, June 29, 2015 8:56 AM To: Tomcat Users List Subject: Re: [OT] Re: Filter behaviour George Stanchev wrote: For SOAP, you

RE: Forcing SSL Renotiation

2015-06-26 Thread George Stanchev
: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Friday, June 26, 2015 10:06 AM To: Tomcat Users List Subject: Re: Forcing SSL Renotiation -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 George, On 6/26/15 10:04 AM, George Stanchev wrote: You didn't specify your Tomcat version

RE: Forcing SSL Renotiation

2015-06-26 Thread George Stanchev
Hi Steffen You didn't specify your Tomcat version. In Tomcat 7 or 8 or 9 we use the following code. Not sure if it will work on 6. For a long time until very recently we were stuck on 5.5 and the attribute below is not available. So I had to write a reflection introspection to drill down to

RE: useServerCipherSuitesOrder in 7.0.62

2015-06-24 Thread George Stanchev
-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, June 24, 2015 8:37 AM To: Tomcat Users List Subject: Re: useServerCipherSuitesOrder in 7.0.62 -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 George, On 6/15/15 10:08 AM, George Stanchev wrote

RE: useServerCipherSuitesOrder in 7.0.62

2015-06-15 Thread George Stanchev
Is there any chance for the OpenSSL-style ciphers to be backported to the 7 release line? -Original Message- From: George Stanchev [mailto:gstanc...@serena.com] Sent: Saturday, June 13, 2015 11:41 AM To: Tomcat Users List Subject: RE: useServerCipherSuitesOrder in 7.0.62 Thanks

RE: useServerCipherSuitesOrder in 7.0.62

2015-06-13 Thread George Stanchev
Subject: Re: useServerCipherSuitesOrder in 7.0.62 2015-06-13 15:36 GMT+03:00 George Stanchev gstanc...@serena.com: Hi, I was looking at [1] and it looks the new attribute is available in 7.0.61 onwards as per Violeta's comment. However I cannot find this new attribute in the HTTP connector

useServerCipherSuitesOrder in 7.0.62

2015-06-13 Thread George Stanchev
Hi, I was looking at [1] and it looks the new attribute is available in 7.0.61 onwards as per Violeta's comment. However I cannot find this new attribute in the HTTP connector documentation [2] nor the changelog [3]. Can someone confirm or deny the availability of this attribute

RE: Problem specifying cipher suites in tomcat6

2015-05-29 Thread George Stanchev
Chris, thanks for sharing this. I've recently run across a similar tool: http://www.bolet.org/TestSSLServer/ That does the same thing as your code but may be a little bit more elaborate. It also has a source code on link. Since you have shared your code, I might as well share this - the more

RE: Problem specifying cipher suites in tomcat6

2015-05-29 Thread George Stanchev
I don't see where he blamed the developers for anything. The poster even admitted it was their fault. I think it is reasonable to warn the OP that any change can result in issue. Even if you're doing everything correctly, there is a chance of running into a new Tomcat issue or a regression or

Tomcat Connectors release

2015-05-14 Thread George Stanchev
Hello, What is the schedule for Connectors release? Is a release scheduled when a critical mass of issues fixed or a major problem is resolved or a regular time-based release? George
