gt;> My question is: Does this removal occur during compile time or runtime?
>
> Runtime. You can even re-enable the vulnerability if you want :)
>
> It's worth repeating what David Weisgerber said in his reply: even if
> the runtime JDK/JRE provides a mitigation of sorts, you ma
Hi,
as far as I read through the details, it is a runtime option of the JRE. So, it
does not need any recompilation.
However, some websites pointed out that if you are using Tomcat you could
bypass the JRE protection.
Best regards,
David
From: Scott,Tim
Sent: Monday, 13 December 2021 09:57
).
-Original Message-
From: David Weisgerber
Sent: Thursday, 17 September 2020 09:29
To: Tomcat Users List
Subject: RE: Truststore in HTTPS Connector does not work with Linux
Hi,
> Ugh. That *does* point toward a bug in Tomcat itself or something odd with
> the JVM.
Yep.
>
Hi,
> Ugh. That *does* point toward a bug in Tomcat itself or something odd with
> the JVM.
Yep.
>> No, we automatically ship the latest 8.5 tomcat version. However for
>> our docker based distribution I was sure that this feature worked at
>> some time (I think I used tomcat 8.0 for this).
Hi Christopher,
> This should be okay, though it is a little unusual to use the same keystore
> for both "keys" and "trusted certs".
> Can you confirm the contents + types of everything in the keystore?
After your approach from the end of your response, I exported the certificate
of main and
process (tomcat) can not access
the truststore file. May I ask you to check permissions and ownership of
the truststore file? You can always add -Djavax.net.debug=all to your
CATALINA_OPTS, it will give you way more information about the issue.
Hope it helps,
Luis
El mar., 8 sept. 202
Hi,
I have some weird problem or bug with the HTTPS Connector. In our product, that
ships with tomcat we want to achieve the following:
There is one keystore where the customer puts its server certificate for HTTPs
as well as (if intended) zero or one certificate for client authentication. The
