RE: CVE-2020-1935

2020-07-27 Thread George Stanchev
xy accepts and doesn't accept. For completeness you might want to test how it responds to all bytes from 0x00 to OxFF in a field name and/or value as well and ensure that it is compliant with RFC 7230. HTH, Mark On 24/07/2020 23:13, George Stanchev wrote: > Chris, > > This is just sil

RE: CVE-2020-1935

2020-07-24 Thread George Stanchev
. Cheers! George -Original Message- From: Christopher Schultz Sent: Friday, July 24, 2020 3:40 PM To: users@tomcat.apache.org Subject: Re: CVE-2020-1935 -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 George, On 7/24/20 15:15, George Stanchev wrote: > The description for this

CVE-2020-1935

2020-07-24 Thread George Stanchev
The description for this CVE is pretty vague (as perhaps necessary) but we have a customer that is trying to assess their risk for this CVE. They are behind a reverse-proxy. Even though the description on Tomcat's security page states that the risk is low it doesn't describe how would a

RE: Tomcat Connector issue

2020-07-02 Thread George Stanchev
To give some closure to the issue, it turned out to be networking related. Still not clear how cleanup of the hosts file on the client machines fixed it but that's what happened. Thanks to all that chimed in earlier. George -Original Message- From: George Stanchev Sent: Monday, June

RE: Tomcat Connector issue

2020-06-29 Thread George Stanchev
this behavior. Interestingly the same is observed under othe OSes (Windows Server 2012) procured with their scrips... Any help/ideas is much appreciated George -Original Message- From: George Stanchev Sent: Tuesday, June 23, 2020 10:31 AM To: Tomcat Users List Subject: RE: Tomcat

RE: Tomcat Connector issue

2020-06-23 Thread George Stanchev
::jk_ajp_common.c (799): (worker-local) Header[4] [Content-Length] = [0] This is pretty standard, I can't see anything wrong... -Original Message- From: George Stanchev Sent: Tuesday, June 23, 2020 10:33 AM To: users@tomcat.apache.org Subject: RE: Tomcat Connector issue Thanks all

RE: Tomcat Connector issue

2020-06-23 Thread George Stanchev
, Christopher Schultz wrote: >>> George, >>> >>> On 6/22/20 17:13, George Stanchev wrote: >>>> We are getting HSE_REQ_SEND_RESPONSE_HEADER failed with >>>> error=87 (0x0057) on a 302 redirect proxied by TC connector >>>> 1.2.46. >>

Tomcat Connector issue

2020-06-22 Thread George Stanchev
We are getting HSE_REQ_SEND_RESPONSE_HEADER failed with error=87 (0x0057) on a 302 redirect proxied by TC connector 1.2.46. I can see the 302 response come over from TC and it looks legit. Trace logs below. Anyone else running into a similar error or perhaps some clue as to why this can be

TLS key management

2019-11-11 Thread George Stanchev
Currently, (in most cases) Tomcat creates an in-memory keystore and initializes kmf as follows: KeyManagementFactory.getInstance(algo).init(keystore, kspass). The in-memory keystore has the key, the certificate and the chain and nothing else. This works fine in most cases but we've ran into a

building tcnative

2019-11-07 Thread George Stanchev
I am trying to build tcnative on Windows 7 using VS 2017 and it has been nothing but pain so far around the apr and tcnative itself. Any help is appreciated. I did get around the apr issues (which were very similar to what I am about to ask) by compiling via the .sln file. But the nmake route

RE: Client Cert TLS issue

2019-11-01 Thread George Stanchev
Thanks Mark, will do! -Original Message- From: Mark Thomas Sent: Thursday, October 31, 2019 3:04 PM To: Tomcat Users List ; George Stanchev Subject: Re: Client Cert TLS issue On 16/10/2019 18:55, George Stanchev wrote: > And this is not where it hangs. I stepped through the c

RE: tomcat service app

2019-10-30 Thread George Stanchev
My question about the source stays, but I guess I should've RTFM where it states that the wrapper uses # *or* ; as separator and if you want to embed those character you need to wrap them in single quotes... From: George Stanchev Sent: Wednesday, October 30, 2019 1:33 PM To: Tomcat Users List

tomcat service app

2019-10-30 Thread George Stanchev
I am trying to troubleshoot an issue where when I call tomcat8.exe with following parameters it writes [2] to the registry (newline where the semicolon was) and I am having trouble locating the source code repository for the Windows service app. Can someone point me to it? (Or tell me what I've

RE: Client Cert TLS issue

2019-10-20 Thread George Stanchev
To: users@tomcat.apache.org Subject: Re: Client Cert TLS issue Just a note to say I haven't forgotten this. I hope to look at this this week unless someone beats me to it. Mark On 16/10/2019 17:55, George Stanchev wrote: > > On 15/10/2019 22:15, George Stanchev wrote: >> Hi, >> &g

RE: Client Cert TLS issue

2019-10-16 Thread George Stanchev
56 George, On 10/16/19 12:55, George Stanchev wrote: > > On 15/10/2019 22:15, George Stanchev wrote: >> Hi, >> >> I would need some help with tracking an issue with TC 8.5.47 (windows >> x64, java: azul 1.8.0_222) configured with [1] and tcnative-1.dll. >> When

RE: Client Cert TLS issue

2019-10-16 Thread George Stanchev
On 15/10/2019 22:15, George Stanchev wrote: > Hi, > > I would need some help with tracking an issue with TC 8.5.47 (windows x64, > java: azul 1.8.0_222) configured with [1] and tcnative-1.dll. When a simple > client tries to connect to the server, the server hangs on SSL han

Client Cert TLS issue

2019-10-15 Thread George Stanchev
Hi, I would need some help with tracking an issue with TC 8.5.47 (windows x64, java: azul 1.8.0_222) configured with [1] and tcnative-1.dll. When a simple client tries to connect to the server, the server hangs on SSL handshake until either the client times out on read or the server times out

RE: [OT] TLSv1.3 in TC8.5 + Azul Java 8

2019-08-06 Thread George Stanchev
So it seems to work. For whoever is interested to try, the openjsse comes prebundled with Azul's distro, all you need to do is run with -XX:+UseOpenJSSE command line option. On TC side, I added "TLSv1.3" to "sslEnabledProtocols": sslEnabledProtocols="+TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3" Also not

RE: [OT] TLSv1.3 in TC8.5 + Azul Java 8

2019-08-02 Thread George Stanchev
George, On 8/1/19 16:42, George Stanchev wrote: > As of recently Azul has backported the JSSE from Java 11 into Java > 8 [1] and it is currently offering TLSv1.3 support in its Java 8 > distro [2]. Good for them. It's too bad Oracle is so conservative with its policies. I have Azul o

TLSv1.3 in TC8.5 + Azul Java 8

2019-08-01 Thread George Stanchev
As of recently Azul has backported the JSSE from Java 11 into Java 8 [1] and it is currently offering TLSv1.3 support in its Java 8 distro [2]. Does this help TC with JSSE SSL engine to also offer TLSv1.3 on its SSL listeners? [1] https://github.com/openjsse/openjsse [2]

RE: AW: Outbound SSL?

2019-06-03 Thread George Stanchev
What is your webapp using as HTTP client that handles the SSL? -Original Message- From: James Lampert Sent: Friday, May 31, 2019 3:41 PM To: Tomcat Users List Subject: Re: AW: Outbound SSL? This just keeps getting weirder and weirder. I extracted the actual request >

RE: OS

2019-04-21 Thread George Stanchev
FWIW someone is submitting the same identical question (with only the project name different) in the dozen or so Apache projects I am on mailing list of... Just google "Hello, I am doing an investigation. Does Windows Server 2019 support" and see for yourself It looks like a troll

RE: Tomcat 8.5.39 on maven central

2019-03-21 Thread George Stanchev
Thanks Mark! -Original Message- From: Mark Thomas Sent: Thursday, March 21, 2019 3:13 PM To: users@tomcat.apache.org Subject: Re: Tomcat 8.5.39 on maven central On 21/03/2019 21:00, George Stanchev wrote: > Hi, > > The announcement went out few days ago but 8.5.39 is stil

Tomcat 8.5.39 on maven central

2019-03-21 Thread George Stanchev
Hi, The announcement went out few days ago but 8.5.39 is still not out there [1]. I know it takes a bit for maven central to pick it up but with the git migration perhaps something got broken? George [1] https://mvnrepository.com/artifact/org.apache.tomcat/tomcat-catalina

Invalid URL characters via AJP

2019-02-06 Thread George Stanchev
In light of recent changes around allowing and subsequent relaxation of the invalid characters handling in TC, I just noticed that TC behind IIS (via JK connector/AJP) happily accepts ";<> etc while the HTTP connector rejects them. Is this how the AJP connector it is supposed to work? Is the

NIO vs NIO2

2018-12-23 Thread George Stanchev
Hi, We are currently on the latest TC 8.5.37 but soon will be moving to latest 9. Currently we use NIO connectors. I am having hard time evaluating the need (if necessary) to switch to NIO2. Can someone point me to a good resource/link where the two connectors are compared and which situations

RE: Number of Web Applications in one Tomcat: THANKS!

2018-10-31 Thread George Stanchev
This is an interesting discussion. Are there any guides to alleviating management work of such deployments? For example, how do you deal with the port mapping? Or logs - do you collect at a common location or let each app log in its corner ? Can you share configuration across instances such as

RE: log4j

2018-05-18 Thread George Stanchev
Depends on what you're asking. If you're asking to use log4j to capture Tomcat logging, then the answer is - you can't but you can use Log4j2 or JULI. If the question is how to use log4j for your apps deployed under Tomcat, then answer can be found easily... From: Cheltenham, Chris

client cert authentication

2018-05-04 Thread George Stanchev
I guess I am looking for some pointers how to approach a certain scenario from "the right way" of implementing it. Say you have a standard login form with user/pass edits and "Login" and "Smartcard" buttons. The "Login" button does Its obvious thing. The "Smartcard" button authenticates the

RE: Security of AJP

2018-02-28 Thread George Stanchev
It is used, for example, if you want to front Tomcat by Apache Web Server or by IIS (among others). In those cases the HTTP processing is done in the front system and if necessary it is proxied to Tomcat via AJP. You take HTTP request from that system, put it in an AJP record and send it over

RE: Using Environment variables instead of Java -D properties for context.xml substitution

2018-01-22 Thread George Stanchev
Can you use catalina.properties? From the docs [1] " All system properties are available including those set using the -D syntax, those automatically made available by the JVM and those configured in the $CATALINA_BASE/conf/catalina.properties file." [1]

RE: building TC 8.5 with checkstyle

2017-12-07 Thread George Stanchev
>On 07/12/17 21:12, Mark Thomas wrote: >> On 07/12/17 20:48, George Stanchev wrote: >>> I am trying to build TC 8.5.24 from source and running into checkstyle >>> validation issues [1]. I looked at >>> https://tomcat.apache.org/tomcat-8.5-doc/building.

building TC 8.5 with checkstyle

2017-12-07 Thread George Stanchev
I am trying to build TC 8.5.24 from source and running into checkstyle validation issues [1]. I looked at https://tomcat.apache.org/tomcat-8.5-doc/building.html and couldn't find anything that suggest that the default target would not build, neither checkstyle is mentioned. It is not a

RE: ISAPI and IIS 10 Logging Issue

2017-10-05 Thread George Stanchev
> Note that also in the course of my investigations, somewhere I found a phrase > to the effect that Mirosoft would be discouraging the future use of ISAPI > modules in IIS, and recommends some other architecture instead now. Do you remember where you saw that? Can you provide a link?

RE: Issue with static file in Tomcat 8.5.17

2017-07-20 Thread George Stanchev
>> The problem is related to the new code that handles the case when a >> file is stored in one encoding but served in another. Since changing >> encodings can change the value and number of bytes served (for example >> serving £ in UTF-8 requires two bytes but only one in ISO-8859-1). >>

RE: Issue with static file in Tomcat 8.5.17

2017-07-07 Thread George Stanchev
On 07/07/2017 20:56, George Stanchev wrote: > Sorry, I didn't realize there is a -d option that gives you the full request > and response. Here is the dump: Thanks for the extra information. I can't reproduce this yet. I'm going to hold off on closing the currently running votes until

RE: Issue with static file in Tomcat 8.5.17

2017-07-07 Thread George Stanchev
Sorry, I didn't realize there is a -d option that gives you the full request and response. Here is the dump: c:\>wget -d -S http://hostname:8085/testapp/javascript/jquery-1.8.3.min.js SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc syswgetrc = C:\bin\gnuwin32/etc/wgetrc Setting --server-response

RE: Issue with static file in Tomcat 8.5.17

2017-07-07 Thread George Stanchev
-Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Friday, July 07, 2017 1:05 PM To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: Issue with static file in Tomcat 8.5.17 On 07/07/2017 19:09, George Stanchev wrote: > Hi, .. > Please let

Issue with static file in Tomcat 8.5.17

2017-07-07 Thread George Stanchev
Hi, The current Tomcat 8.5.17 is under vote for release with +1s only. I took the liberty to download the distributable before officially announced and am running into an issue with it. Static file that used to download in 8.5.16 and below now it doesn't. Chrome reports: jquery-1.8.3.min.js:1

jk connector + http2

2017-05-25 Thread George Stanchev
Hi, Is a HTTP/2 call to Tomcat proxied via IIS / JK Connector (Tomcat Connector) expected to succeed? George

RE: warning in tomcat logs

2017-05-02 Thread George Stanchev
>> This has been fixed in 8.5.x for 8.5.15 onwards and 9.0.x for 9.0.0.M21 >> onwards. Thanks Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org

RE: warning in tomcat logs

2017-05-02 Thread George Stanchev
-Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Sunday, April 30, 2017 5:02 AM To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: warning in tomcat logs On 29/04/17 15:13, George Stanchev wrote: > TC 8.5.14 and noticed in the logs the followin

warning in tomcat logs

2017-04-29 Thread George Stanchev
TC 8.5.14 and noticed in the logs the following warning: "The truststoreProvider [AnyCert] does not support the certificateVerificationDepth configuration option" In our case, we're using Shib's AnyCert trust manager to accept any client cert on a particular connector as described here [1]. I

RE: Apache Tomcat 7.0.59 - Even if a ws certificate stored in the WSkeystore expires, any webclient request is still accepted by server and not refused

2017-02-07 Thread George Stanchev
Mark, Apologies for top posting. We have our own trust manager that is attached to the connector because we want client certificates to be passed in the application for validation and authentication rather than the connector. If we switch to the OpenSSL/APR based certificate processing, would

log4j in Tomcat 8.5

2017-02-02 Thread George Stanchev
Hi, I am transitioning from Tomcat 7.0 to Tomcat 8.5 and I was wondering what do I need to do to use log4j in 8.5. Reading this bug [1], it states that the support for the for log4j has been dropped since it is EOLed. Now, there is a comment on this issue from Mark that says that it is applied

RE: NullPointerExceptions from Coyote over SSL

2016-07-27 Thread George Stanchev
Peter, Depending at which slot you plug in BC in the Security context it might or it might not get used depending on the cipher suites used by you SSL connection. JSSE will ask Java for crypto implementation from the list of JCE providers and if your BC is high on the list, it will get used.

RE: sadfasdf

2016-04-19 Thread George Stanchev
It could be someone’s kids. I know mine has done similar damage. With tablets and iphones hosting parent’s work pluce junior’s entertainment it could have happened. Let us be gentle :) From: Nick Childs [mailto:nchi...@ramsoft.com] Sent: Tuesday, April 19, 2016 8:55 PM To: Tomcat Users List

RE: Understanding how to controlling what data is written to log4j appenders

2016-03-10 Thread George Stanchev
If you run tomcat via the windows server wrapper, you can "%TOMCAT_EXE%" //US//%TOMCAT_SERVICE_NAME% --StdOutput "%TOMCAT_CONSOLE_LOG%" --StdError "%TOMCAT_CONSOLE_LOG%" Which will redirect the stderr and stdoout to the corresponding log files George -Original Message- From: Joleen

RE: AJP protocol auto-switching default

2016-03-10 Thread George Stanchev
-Original Message- From: Rémy Maucherat [mailto:r...@apache.org] Sent: Thursday, March 10, 2016 4:41 PM To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: AJP protocol auto-switching default 2016-03-11 0:38 GMT+01:00 George Stanchev <gstanc...@serena.com>: >

RE: AJP protocol auto-switching default

2016-03-10 Thread George Stanchev
> Perhaps I am overlooking something, but the documentation for AJP [1] > states for "protocol" > > > The standard protocol value for an AJP connector is AJP/1.3 which uses > an auto-switching mechanism to select either a Java based connector or > an APR/native based connector. If the PATH

AJP protocol auto-switching default

2016-03-10 Thread George Stanchev
Perhaps I am overlooking something, but the documentation for AJP [1] states for "protocol" The standard protocol value for an AJP connector is AJP/1.3 which uses an auto-switching mechanism to select either a Java based connector or an APR/native based connector. If the PATH (Windows) or

RE: Windows Authentication

2016-03-04 Thread George Stanchev
It does not look like HTTP Basic. Did you try different browsers? IE, Chrome, FF? Do you get same behavior with all? Is the user logging in member of the domain your IWA is set up to? If you set up a 3rd party IWA provider (such as Waffle), does it act the same on all 3 browsers? There was a

RE: Relative redirects in light of recent changes

2016-02-10 Thread George Stanchev
> > However, with useRelativeRedirects="false" I see > > > > GET http://hostname/myapp?m=n=p > > ==> 302: "http://hostname/login?a=b=d; > > > > The questions I have are 2: First, what happened with the trailing slash > redirect. I vaguely remember discussions around it but I couldn't

RE: Relative redirects in light of recent changes

2016-02-09 Thread George Stanchev
> However, with useRelativeRedirects="false" I see > > GET http://hostname/myapp?m=n=p > ==> 302: "http://hostname/login?a=b=d; > > The questions I have are 2: First, what happened with the trailing slash > redirect. I vaguely remember discussions around it but I couldn't find

RE: Relative redirects in light of recent changes

2016-02-08 Thread George Stanchev
In Tomcat 7.0.67 with no "useRelativeRedirects" set on the context (which defaults it to "true"), I see GET http://hostname/myapp?m=n=p ==> 302: "login?a=b=d" Now, this is expected behavior given the fix for [1] [1] http://bz.apache.org/bugzilla/show_bug.cgi?id=56917 I reread

Relative redirects in light of recent changes

2016-02-08 Thread George Stanchev
Hi, Recent changes to Tomcat altered the behavior of our applications a bit so I've got couple of questions. The versions in questions are 7.0.64 and 7.0.67. I am aware of which is also described in the changelog for 7.0.67. I have a filter acts on application "/myapp" that does a redirect in

RE: Relative redirects in light of recent changes

2016-02-08 Thread George Stanchev
Hi, Recent changes to Tomcat altered the behavior of our applications a bit so I've got couple of questions. The versions in questions are 7.0.64 and 7.0.67. I am aware of which is also described in the changelog for 7.0.67. I have a filter acts on application "/myapp" that does a redirect

RE: Unable to find IIS Tomcat Connector 1.2.41 dll

2016-02-03 Thread George Stanchev
You might want to explore this thread: http://marc.info/?l=tomcat-user=145399491702444=2 which also points to this thread http://tomcat.markmail.org/message/lyxmf5zof5csf6bn Regards, George -Original Message- From: McKenzie, Mitch [mailto:mmcken...@markelcorp.com] Sent: Wednesday,

RE: client ssl renegotiation after invalidating session

2016-02-01 Thread George Stanchev
-logout-relogin : http://stackoverflow.com/questions/10229027/how-to-trigger-ssl-rehandshake-on-a-web-browser For the time being I'll just warn the users that they are not being truly logged out until they close all browser windows. 2016-01-29 18:56 GMT+01:00 George Stanchev <gst

RE: client ssl renegotiation after invalidating session

2016-01-29 Thread George Stanchev
-Original Message- From: Gael Abadin [mailto:gael.aba...@imatia.com] Sent: Friday, January 29, 2016 10:33 AM To: Tomcat Users List Subject: client ssl renegotiation after invalidating session I want to invalidate the client ssl cert authentication after the user logs out of my

RE: AW: AW: Suppress or replace WWW-Authorization header

2015-10-28 Thread George Stanchev
On 28.10.2015 17:42, Torsten Rieger wrote: > -Ursprüngliche Nachricht- > Von: Aurélien Terrestris [mailto:aterrest...@gmail.com] > Gesendet: Mittwoch, 28. Oktober 2015 16:45 > An: Tomcat Users List > Betreff: Re: AW: Suppress or replace WWW-Authorization header >

RE: Tomcat Server and PHP Extensions

2015-10-28 Thread George Stanchev
You need Apache, not Tomcat -Original Message- From: Chris Thompson [mailto:cthomp...@conveyor-dynamics.com] Sent: Wednesday, October 28, 2015 5:20 PM To: users@tomcat.apache.org Subject: Tomcat Server and PHP Extensions Does Tomcat Server support PHP extensions? I am looking at

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-15 Thread George Stanchev
Aurélien, I added good_run.pcap and bad_run.pcap to that dropbox location [1]. I also think this needs to be looked at by MS engineers. I am following up on my support case but really not getting anywhere... George [1] https://www.dropbox.com/sh/az1r3agxx4w8r7e/AACRGedBG3G5oh4-qE9652WNa?dl=0

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-14 Thread George Stanchev
on algorithm and the cryptographic hash function negotiated during the client hello and server hello, and using the secret key that the client sent to the server during the client key exchange. The handshake can be renegotiated at this time. See the next section for details." 2015-10-1

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
of the ClientHello record, not how it is wrapped which happens later when the record is being serialized to the socket... Anyways, thanks to all for the tip but it doesn't make a difference...still bad mac record... George -Original Message- From: George Stanchev [mailto:gstanc

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
/15 12:46 PM, George Stanchev wrote: > One more clarification: on point [6] below I stated that Java is able > to recover with a retry on a cached connection. Unfortunately that is > only valid for higher level classes like HttpUrlConnection which makes > 1 retry on IOException (and o

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
have some movement forward. George [1] http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html -Original Message----- From: George Stanchev [mailto:gstanc...@serena.com] Sent: Tuesday, October 13, 2015 10:26 AM To: Tomcat Users List Subject: RE: [OT] Tomcat 7.0.5

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
d_record_mac -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 George, On 10/13/15 12:35 PM, George Stanchev wrote: > [1] states: " JDK 7-9 enables SSLv2Hello on the server side only. > (Will not send, but will accept SSLv2Hellos)" Interesting. This absolutely makes sense, thoug

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
[OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac George, do you have any network capture that we can see ? 2015-10-13 22:10 GMT+02:00 George Stanchev <gstanc...@serena.com>: > >> It might be doable with OpenSSL s_client or something. Tough to >

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
Aurélien Terrestris <aterrest...@gmail.com>: > George, > > do you have any network capture that we can see ? > > 2015-10-13 22:10 GMT+02:00 George Stanchev <gstanc...@serena.com>: > >> >> It might be doable with OpenSSL s_client or something. Tough to >> r

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
produces the problem, I'll try with JTouch ( jtouch.sourceforge.net ) or write a small client. 2015-10-13 22:22 GMT+02:00 Aurélien Terrestris <aterrest...@gmail.com>: > George, > > do you have any network capture that we can see ? > > 2015-10-13 22:10 GMT+02:00 George Stanchev

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
sourceforge.net ) or write a small client. > > > > > 2015-10-13 22:22 GMT+02:00 Aurélien Terrestris <aterrest...@gmail.com>: > >> George, >> >> do you have any network capture that we can see ? >> >> 2015-10-13 22:10 GMT+02:00 George Stanchev <

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
ut to write a TLS client using a SSLv2Hello, you will call getInstance("TLS") and setEnabledProtocols("SSLv2"). I hope things are more understandable :) 2015-10-13 23:12 GMT+02:00 George Stanchev <gstanc...@serena.com>: > Ok, may be you are ahead of me on t

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-13 Thread George Stanchev
's working. Not making advertisement for my software here, but,.. ;) 2015-10-13 23:20 GMT+02:00 George Stanchev <gstanc...@serena.com>: > Just as a side note, https.protocols is read by HttpsUrlConnection > which feeds it down through setEnabledProtocols() on the SSL socket. "

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-09 Thread George Stanchev
Just for the record, https.protocols is a property used by the HttpsUrlConnection class. If your app is using a client that doesn't rely on the internal Oracle HTTP client, it's better to use " jdk.tls.client.protocols" which is read directly by the socket/SSL classes. Apache Http Client is one

RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-10-09 Thread George Stanchev
-level sockets just throw and that’s it... -Original Message- From: George Stanchev [mailto:gstanc...@serena.com] Sent: Friday, October 09, 2015 10:40 AM To: Tomcat Users List Subject: RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac Just for the record

RE: Demand CLIENT-CERT only on certain pages but demand SSL in all pages

2015-10-06 Thread George Stanchev
Mark, What are the possible issues with renegotiation? We're on NIO connectors, is there anything known? George -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Monday, October 05, 2015 8:32 AM To: Tomcat Users List Subject: Re: Demand CLIENT-CERT only on certain

RE: Tomcat 7.0.55 Not loading truststore or keystore

2015-09-01 Thread George Stanchev
Hi Diarmuid, We have run similar issue with client cert SSL. Is your 3rd party web service hosted on Windows/IIS? George -Original Message- From: dmccrthy [mailto:dmccr...@gmail.com] Sent: Tuesday, September 01, 2015 11:07 AM To: Tomcat Users List Subject: Tomcat 7.0.55 Not loading

RE: [OT] Re: Filter behaviour

2015-06-29 Thread George Stanchev
For SOAP, you *MUST* send back 500 or 400 with your SOAP fault back. [1] http://www.w3.org/TR/soap12-part2/#tabresstatereccodes -Original Message- From: Leo Donahue [mailto:donahu...@gmail.com] Sent: Saturday, June 27, 2015 11:45 PM To: Tomcat Users List Subject: [OT] Re: Filter

RE: [OT] Re: Filter behaviour

2015-06-29 Thread George Stanchev
processing error. George [1] http://www.w3.org/TR/2000/NOTE-SOAP-2508/#_Toc478383529 -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Monday, June 29, 2015 8:56 AM To: Tomcat Users List Subject: Re: [OT] Re: Filter behaviour George Stanchev wrote: For SOAP, you

RE: Forcing SSL Renotiation

2015-06-26 Thread George Stanchev
: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Friday, June 26, 2015 10:06 AM To: Tomcat Users List Subject: Re: Forcing SSL Renotiation -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 George, On 6/26/15 10:04 AM, George Stanchev wrote: You didn't specify your Tomcat version

RE: Forcing SSL Renotiation

2015-06-26 Thread George Stanchev
Hi Steffen You didn't specify your Tomcat version. In Tomcat 7 or 8 or 9 we use the following code. Not sure if it will work on 6. For a long time until very recently we were stuck on 5.5 and the attribute below is not available. So I had to write a reflection introspection to drill down to

RE: useServerCipherSuitesOrder in 7.0.62

2015-06-24 Thread George Stanchev
-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, June 24, 2015 8:37 AM To: Tomcat Users List Subject: Re: useServerCipherSuitesOrder in 7.0.62 -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 George, On 6/15/15 10:08 AM, George Stanchev wrote

RE: useServerCipherSuitesOrder in 7.0.62

2015-06-15 Thread George Stanchev
Is there any chance for the OpenSSL-style ciphers to be backported to the 7 release line? -Original Message- From: George Stanchev [mailto:gstanc...@serena.com] Sent: Saturday, June 13, 2015 11:41 AM To: Tomcat Users List Subject: RE: useServerCipherSuitesOrder in 7.0.62 Thanks

RE: useServerCipherSuitesOrder in 7.0.62

2015-06-13 Thread George Stanchev
Subject: Re: useServerCipherSuitesOrder in 7.0.62 2015-06-13 15:36 GMT+03:00 George Stanchev gstanc...@serena.com: Hi, I was looking at [1] and it looks the new attribute is available in 7.0.61 onwards as per Violeta's comment. However I cannot find this new attribute in the HTTP connector

useServerCipherSuitesOrder in 7.0.62

2015-06-13 Thread George Stanchev
Hi, I was looking at [1] and it looks the new attribute is available in 7.0.61 onwards as per Violeta's comment. However I cannot find this new attribute in the HTTP connector documentation [2] nor the changelog [3]. Can someone confirm or deny the availability of this attribute

RE: Problem specifying cipher suites in tomcat6

2015-05-29 Thread George Stanchev
Chris, thanks for sharing this. I've recently ran across a similar tool: http://www.bolet.org/TestSSLServer/ That does the same thing as your code but may be a little bit more elaborate. It also has a source code on link. Since you has shared your code, I might as well share this - the more

RE: Problem specifying cipher suites in tomcat6

2015-05-29 Thread George Stanchev
I don't see where he blamed the developers for anything. The poster even admitted it was their fault. I think it is reasonable to warn the OP that any change can result in issue. Even if you're doing everything correctly, there is a change of running in a new Tomcat issue or a regression or

Tomcat Connectors release

2015-05-14 Thread George Stanchev
Hello, What is the schedule for Connectors release? Is a release scheduled when a critical mass of issues fixed or a major problem is resolved or a regular time-based release? George

Issue with a principal and remote_user

2015-04-17 Thread George Stanchev
I posted this on the dev list but I must have placed it on the wrong list... I am running IIS+jk_connect+Tomcat 7.0.59 but this issue was replicated on Tomcat 5.5.36. We are using a security filter from a 3rd party that is failing to engage while requests are sent over AJP via jk_connect. I was