Re: internalProxies regex

2018-01-18 Thread Harrie Robins
Wow that is great as well.

What would the procedure be to get CIDR support into Tomcat?
I'm back from holiday, so I will have some time now. I guess I can start off
with testing the current code.

On 12 January 2018 at 16:36, Mark H. Wood <mw...@iupui.edu> wrote:

> On Fri, Jan 12, 2018 at 12:31:39PM +0100, Harrie Robins wrote:
> > Wow, that will be great. And I think that many people would like this to
> be implemented!
> > I volunteer to test this!
> >
> > Also, with many people fronting their machines with Cloudflare / load
> balancers, I think demand will increase for this.
> > I could just write a valve to replace the mod_cloudflare module that I
> used in Apache (mod_cloudflare is mod_remoteip with predefined settings).
> >
> > Regards,
> >
> > Harrie
> >
> > -Original Message-
> > From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> > Sent: 09 January 2018 00:25
> > To: users@tomcat.apache.org
> > Subject: Re: internalProxies regex
> >
> >
> > Harrie,
> >
> > On 1/5/18 3:47 AM, Harrie Robins wrote:
> > > Our Tomcat application servers are fronted by 1. Cloudflare, and 2. an
> > > Amazon load balancer. In Apache there is mod_remoteip and I can
> > > simply put in the CIDR ranges from https://www.cloudflare.com/ips/, which
> > > will swallow all those IPs and get the correct IP to Tomcat.
> > >
> > > In Tomcat I need
> > > https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
> > >
> > which does not accept CIDR ranges, however.
> >
> > Have a look at this:
> >
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=51953
> >
> > It was never merged into Tomcat, but if it got some additional interest
> and testing, perhaps it could be added.
> >
> > -chris
>
> There's also this:
>
> https://github.com/mwoodiupui/tomcat-extras
>
> --
> Mark H. Wood
> Lead Technology Analyst
>
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> www.ulib.iupui.edu
>
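
For the CIDR-support question in this message, here is an added example, not code from Tomcat, from the Bugzilla 51953 patch or from mwoodiupui/tomcat-extras: a small Java program that derives an internalProxies regex from a list of IPv4 CIDR blocks and then verifies it exhaustively with Pattern.matcher(...).matches(), which is the check RemoteIpValve applies to the peer address. Its input is the two blocks discussed in this thread, 103.21.244.0/22 and 103.22.200.0/22; the class and method names are my own. Because a CIDR block is aligned, each octet is an independent numeric range, so the generator only needs a number-range-to-regex routine per octet (the 0..255 case comes out as the usual [0-9]|[1-9][0-9]|1[0-9][0-9]|2(?:[0-4][0-9]|5[0-5]) alternation). The printed attribute value carries single backslashes and no anchors, ready to paste into server.xml; the doubled backslashes in the Java source are only string-literal escaping.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/** Generates a RemoteIpValve internalProxies regex from IPv4 CIDR blocks and checks it exhaustively. */
public class CidrToInternalProxies {

    static String rep(String s, int n) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < n; i++) sb.append(s);
        return sb.toString();
    }

    /** Wrap in a non-capturing group only when the alternation needs it. */
    static String group(String re) {
        return re.contains("|") ? "(?:" + re + ")" : re;
    }

    /** Regex for lo..hi where both bounds have the same number of decimal digits. */
    static String sameLength(String lo, String hi) {
        if (lo.equals(hi)) return lo;
        if (lo.length() == 1) return "[" + lo + "-" + hi + "]";
        char a = lo.charAt(0), b = hi.charAt(0);
        String loRest = lo.substring(1), hiRest = hi.substring(1);
        String zeros = rep("0", loRest.length()), nines = rep("9", loRest.length());
        if (a == b) return a + group(sameLength(loRest, hiRest));
        // Split into a partial block under the first leading digit, full blocks in the
        // middle, and a partial block under the last leading digit.
        List<String> parts = new ArrayList<>();
        int midLo = a - '0', midHi = b - '0';
        if (!loRest.equals(zeros)) { parts.add(a + group(sameLength(loRest, nines))); midLo++; }
        String high = null;
        if (!hiRest.equals(nines)) { high = b + group(sameLength(zeros, hiRest)); midHi--; }
        if (midLo <= midHi) {
            String lead = midLo == midHi ? String.valueOf(midLo) : "[" + midLo + "-" + midHi + "]";
            parts.add(lead + rep("[0-9]", loRest.length()));
        }
        if (high != null) parts.add(high);
        return String.join("|", parts);
    }

    /** Regex for the integers lo..hi with 0 <= lo <= hi <= 255, split by digit count. */
    static String octetRange(int lo, int hi) {
        int[][] bands = {{0, 9}, {10, 99}, {100, 255}};
        List<String> parts = new ArrayList<>();
        for (int[] band : bands) {
            int l = Math.max(lo, band[0]), h = Math.min(hi, band[1]);
            if (l <= h) parts.add(sameLength(Integer.toString(l), Integer.toString(h)));
        }
        return String.join("|", parts);
    }

    /** Regex matching exactly the dotted-quad addresses of one CIDR block: a block is a
     *  Cartesian product of per-octet ranges, so every octet is handled on its own. */
    static String cidrToRegex(String cidr) {
        String[] parts = cidr.split("/");
        String[] octets = parts[0].split("\\.");
        int prefix = parts.length > 1 ? Integer.parseInt(parts[1]) : 32;
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 4; i++) {
            int fixedBits = Math.max(0, Math.min(8, prefix - 8 * i));
            int mask = (0xFF << (8 - fixedBits)) & 0xFF;
            int lo = Integer.parseInt(octets[i]) & mask;   // normalises a non-network address too
            int hi = lo | (~mask & 0xFF);
            if (i > 0) sb.append("\\.");
            sb.append(group(octetRange(lo, hi)));
        }
        return sb.toString();
    }

    /** The value for the valve's internalProxies attribute (single backslashes, no anchors). */
    static String internalProxies(List<String> cidrs) {
        List<String> alts = new ArrayList<>();
        for (String c : cidrs) alts.add(cidrToRegex(c));
        return String.join("|", alts);
    }

    /** First and last address of the block as unsigned 32-bit values. */
    static long[] bounds(String cidr) {
        String[] parts = cidr.split("/");
        int prefix = parts.length > 1 ? Integer.parseInt(parts[1]) : 32;
        long addr = 0;
        for (String o : parts[0].split("\\.")) addr = (addr << 8) | Integer.parseInt(o);
        long mask = prefix == 0 ? 0 : (0xFFFFFFFFL << (32 - prefix)) & 0xFFFFFFFFL;
        long first = addr & mask;
        return new long[] {first, first | (~mask & 0xFFFFFFFFL)};
    }

    static String dotted(long a) {
        return ((a >> 24) & 0xFF) + "." + ((a >> 16) & 0xFF) + "." + ((a >> 8) & 0xFF) + "." + (a & 0xFF);
    }

    /** Exhaustive check using matches(), as RemoteIpValve does: every address inside the
     *  block matches and the two addresses just outside it do not. */
    static boolean coversExactly(Pattern p, String cidr) {
        long[] b = bounds(cidr);
        for (long a = b[0]; a <= b[1]; a++) {
            if (!p.matcher(dotted(a)).matches()) return false;
        }
        boolean leaksBelow = b[0] > 0 && p.matcher(dotted(b[0] - 1)).matches();
        boolean leaksAbove = b[1] < 0xFFFFFFFFL && p.matcher(dotted(b[1] + 1)).matches();
        return !leaksBelow && !leaksAbove;
    }

    public static void main(String[] args) {
        // The two blocks discussed in this thread (a subset of the published Cloudflare list).
        List<String> cidrs = Arrays.asList("103.21.244.0/22", "103.22.200.0/22");
        for (String c : cidrs) {
            String re = cidrToRegex(c);
            System.out.println(c + " -> " + re + "  exact: " + coversExactly(Pattern.compile(re), c));
        }
        System.out.println("internalProxies=\"" + internalProxies(cidrs) + "\"");
    }
}
```

Running it prints each block's regex with `exact: true` and then the combined attribute value. Regenerate the value whenever the upstream list (the Cloudflare page, or the load balancer's subnets) changes: an internalProxies value that is too wide lets any host in the surplus range forge X-Forwarded-For and appear as an arbitrary client, and one that is too narrow makes the valve distrust the real proxy and report the proxy's own address as the client.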


RE: internalProxies regex

2018-01-12 Thread Harrie Robins
Wow, that will be great. And I think that many people would like this to be
implemented!
I volunteer to test this!

Also, with many people fronting their machines with Cloudflare / load balancers,
I think demand will increase for this.
I could just write a valve to replace the mod_cloudflare module that I used in
Apache (mod_cloudflare is mod_remoteip with predefined settings).

Regards,

Harrie

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 09 January 2018 00:25
To: users@tomcat.apache.org
Subject: Re: internalProxies regex


Harrie,

On 1/5/18 3:47 AM, Harrie Robins wrote:
> Our Tomcat application servers are fronted by 1. Cloudflare, and 2. an
> Amazon load balancer. In Apache there is mod_remoteip and I can
> simply put in the CIDR ranges from https://www.cloudflare.com/ips/, which
> will swallow all those IPs and get the correct IP to Tomcat.
>
> In Tomcat I need
> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>
which does not accept CIDR ranges, however.

Have a look at this:

https://bz.apache.org/bugzilla/show_bug.cgi?id=51953

It was never merged into Tomcat, but if it got some additional interest and 
testing, perhaps it could be added.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org






Re: internalProxies regex

2018-01-08 Thread Harrie Robins
Thanks for the update.

I enabled logging for remoteIpFilter like:

org.apache.catalina.filters.RemoteIpFilter.level = ALL

I do get matches when visiting. Is it also possible to print the list of IPs?
I have no clue how to do that.

Regards,

Harrie

On 5 January 2018 at 16:32, Felix Schumacher <felix.schumac...@internetallee.de> wrote:

On 05.01.2018 at 15:43, Harrie Robins wrote:

All clear.
I apologize, I was in fact not masking the backslashes; I did a wrong
copy-paste from the pattern I was using in my test.

I tested the following 2 patterns:

^103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))


The regex can be "simplified" to

103\.21\.24[4-7]\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))|103\.22\.20[0-3]\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))

or even

103\.(21\.24[4-7]|22\.20[0-3])\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))

But it looks OK if you want to match IPs from 103.21.244.x-103.21.247.x and
103.22.200.x-103.22.203.x.

Have you enabled debug logs for the RemoteIpValve? It should print out the IP
it tries to match.

Regards,
 Felix


Regards,

Harrie



On 5 January 2018 at 14:46, Felix Schumacher <felix.schumac...@internetallee.de> wrote:

On 05.01.2018 at 09:47, Harrie Robins wrote:

Hi Mark,

Our Tomcat application servers are fronted by 1. Cloudflare, and 2. an Amazon
load balancer.
In Apache there is mod_remoteip and I can simply put in the CIDR ranges from
https://www.cloudflare.com/ips/, which will swallow all those IPs and will get
the correct IP to Tomcat.

In Tomcat I need
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
which does not accept CIDR ranges, however. I wrote a regex to match all the
addresses and it works; it's matching way too many addresses however, so I
rewrote the pattern. My new pattern is not functioning however, so I tested
the pattern in a small application.

In my test I made a list of all addresses in this range:
^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

If you configure the valve through the internalProxies attribute, you are
using 'real' strings and don't need to mask the backslashes as you would
have to do with Java strings.

When you look at the documentation, you will find no double backslashes
there.

And regarding the usage of the anchors '^' and '$': they are not needed
either. Tomcat uses match instead of find, and thus they are implicitly
added.

Regards,
  Felix


I matched all these addresses and it works. When I set it in Tomcat, however,
it does not; I have no understanding why not?

Hope you understand what I am trying to do.

thanks





On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote:

On 02/01/18 09:50, Harrie Robins wrote:

I'm still having problems with matching my pattern.

Right now I'm feeding the following to internalProxies:

^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

I created a list of all involved IP addresses and matched those IP
addresses:

java.util.regex.Matcher / java.util.regex.Pattern, please see
https://pastebin.com/Lija7n9k

All addresses from the list I created are matching, just not in tomcat.

What is the value of the remote IP address that is failing to match? You
might want to look at writing a short custom Valve to log that and
insert it into the Pipeline ahead of the RemoteIpValve.

Another option would be to simply remove the RemoteIpValve and write a
simple servlet that logs the remote IP.

Mark

Regards,

Harrie

-Original Message-
From: Harrie Robins [mailto:har...@eyequestion.nl]
Sent: 21 December 2017 09:55
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: RE: internalProxies regex

This makes perfect sense.
I tested my regex, just against wrong engine.

Thanks for pointing me in the right direction

-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: 20 December 2017 15:19
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: internalProxies regex

2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:

Hello everyone,



I have a question about the remoteipvalve in tomcat 8.5

Re: internalProxies regex

2018-01-05 Thread Harrie Robins
All clear.
I apologize, I was in fact not masking the backslashes; I did a wrong
copy-paste from the pattern I was using in my test.

I tested the following 2 patterns:

^103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))

Regards,

Harrie



On 5 January 2018 at 14:46, Felix Schumacher <felix.schumac...@internetallee.de> wrote:

> On 05.01.2018 at 09:47, Harrie Robins wrote:
>
>> Hi Mark,
>>
>> Our Tomcat application servers are fronted by 1. Cloudflare, and 2. an Amazon
>> load balancer.
>> In Apache there is mod_remoteip and I can simply put in the CIDR ranges from
>> https://www.cloudflare.com/ips/, which will swallow all those IPs and will
>> get the correct IP to Tomcat.
>>
>> In Tomcat I need
>> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>> which does not accept CIDR ranges, however. I wrote a regex to match all the
>> addresses and it works; it's matching way too many addresses however, so I
>> rewrote the pattern. My new pattern is not functioning however, so I tested
>> the pattern in a small application.
>>
>> In my test I made a list of all addresses in this range:
>> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>>
>>
>
> If you configure the valve through the internalProxies attribute, you are
> using 'real' strings and don't need to mask the backslashes as you would
> have to do with Java strings.
>
> When you look at the documentation, you will find no double backslashes
> there.
>
> And regarding the usage of the anchors '^' and '$': they are not needed
> either. Tomcat uses match instead of find, and thus they are implicitly
> added.
>
> Regards,
>  Felix
>
>
>> I matched all these addresses and it works. When I set it in Tomcat, however,
>> it does not; I have no understanding why not?
>>
>> Hope you understand what I am trying to do.
>>
>> thanks
>>
>>
>>
>>
>>
>> On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote:
>>
>> On 02/01/18 09:50, Harrie Robins wrote:
>>>
>>>> I'm still having problems with matching my pattern.
>>>>
>>>> Right now I'm feeding the following to internalProxies:
>>>>
>>>> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>>>>
>>>> I created a list of all involved IP addresses and matched those IP
>>>> addresses:
>>>>
>>>> java.util.regex.Matcher / java.util.regex.Pattern, please see
>>>> https://pastebin.com/Lija7n9k
>>>>
>>>
>>>> All addresses from the list I created are matching, just not in tomcat.
>>>>
>>> What is the value of the remote IP address that is failing to match? You
>>> might want to look at writing a short custom Valve to log that and
>>> insert it into the Pipeline ahead of the RemoteIpValve.
>>>
>>> Another option would be to simply remove the RemoteIpValve and write a
>>> simple servlet that logs the remote IP.
>>>
>>> Mark
>>>
>>> Regards,
>>>>
>>>> Harrie
>>>>
>>>> -Original Message-
>>>> From: Harrie Robins [mailto:har...@eyequestion.nl]
>>>> Sent: 21 December 2017 09:55
>>>> To: 'Tomcat Users List' <users@tomcat.apache.org>
>>>> Subject: RE: internalProxies regex
>>>>
>>>> This makes perfect sense.
>>>> I tested my regex, just against wrong engine.
>>>>
>>>> Thanks for pointing me in the right direction
>>>>
>>>> -Original Message-
>>>> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
>>>> Sent: 20 December 2017 15:19
>>>> To: Tomcat Users List <users@tomcat.apache.org>
>>>> Subject: Re: internalProxies regex
>>>>
>>>> 2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:
>>>>
>>>>> Hello everyone,
>>>>>

Re: internalProxies regex

2018-01-05 Thread Harrie Robins
Hi Mark,

Our Tomcat application servers are fronted by 1. Cloudflare, and 2. an Amazon
load balancer.
In Apache there is mod_remoteip and I can simply put in the CIDR ranges from
https://www.cloudflare.com/ips/, which will swallow all those IPs and will get
the correct IP to Tomcat.

In Tomcat I need
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
which does not accept CIDR ranges, however. I wrote a regex to match all the
addresses and it works; it's matching way too many addresses however, so I
rewrote the pattern. My new pattern is not functioning however, so I tested
the pattern in a small application.

In my test I made a list of all addresses in this range:
^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
I matched all these addresses and it works. When I set it in Tomcat, however, it
does not; I have no understanding why not?

Hope you understand what I am trying to do.

thanks





On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote:

> On 02/01/18 09:50, Harrie Robins wrote:
> > I'm still having problems with matching my pattern.
> >
> > Right now I'm feeding the following to internalProxies:
> >
> > ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
> > I created a list of all involved IP addresses and matched those IP
> > addresses:
> >
> > java.util.regex.Matcher / java.util.regex.Pattern, please see
> > https://pastebin.com/Lija7n9k
> >
> > All addresses from the list I created are matching, just not in tomcat.
>
> What is the value of the remote IP address that is failing to match? You
> might want to look at writing a short custom Valve to log that and
> insert it into the Pipeline ahead of the RemoteIpValve.
>
> Another option would be to simply remove the RemoteIpValve and write a
> simple servlet that logs the remote IP.
>
> Mark
>
> >
> > Regards,
> >
> > Harrie
> >
> > -Original Message-
> > From: Harrie Robins [mailto:har...@eyequestion.nl]
> > Sent: 21 December 2017 09:55
> > To: 'Tomcat Users List' <users@tomcat.apache.org>
> > Subject: RE: internalProxies regex
> >
> > This makes perfect sense.
> > I tested my regex, just against wrong engine.
> >
> > Thanks for pointing me in the right direction
> >
> > -Original Message-
> > From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
> > Sent: 20 December 2017 15:19
> > To: Tomcat Users List <users@tomcat.apache.org>
> > Subject: Re: internalProxies regex
> >
> > 2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:
> >> Hello everyone,
> >>
> >>
> >>
> >> I have a question about the remoteipvalve in tomcat 8.5:
> >> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
> >>
> >>
> >>
> >>
> >> internalProxies
> >>
> >> Regular expression that matches the IP addresses of internal proxies.
> >> If they appear in the remoteIpHeader value, they will be trusted and
> >> will not appear in the proxiesHeader value
> >>
> >> RemoteIPInternalProxy
> >>
> >> Regular expression (in the syntax supported by java.util.regex)
> >>
> >> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
> >> 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
> >> 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
> >> 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
> >> By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are
> allowed.
> >>
> >>
> >>
> >> I need to convert some CIDR ranges to regex:
> >>
> >>
> >> My concern is that \d{1,3} will match too many (non-existent) addresses:
> >>
> >> 103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|103\.31\.\d[4-7]\.\d[0-9]\d{1,3}
> >>
> >>
> >>
> >> So I re-wrote it using capture groups; the pattern below does not function however,
> >> and I assume it is due to the OR (|), which Tomcat will effectively see as a
> new entry?
> >> So I tried escaping, but I cannot get it to work:
> >>
> >> 103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\
> >> |5[0-5
> >> ]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0

RE: internalProxies regex

2018-01-02 Thread Harrie Robins
I'm still having problems with matching my pattern.

Right now I'm feeding the following to internalProxies:
 
^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
I created a list of all involved IP addresses and matched those IP addresses:

java.util.regex.Matcher / java.util.regex.Pattern, please see 
https://pastebin.com/Lija7n9k 

All addresses from the list I created are matching, just not in tomcat.

Regards,

Harrie

-Original Message-
From: Harrie Robins [mailto:har...@eyequestion.nl]
Sent: 21 December 2017 09:55
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: RE: internalProxies regex

This makes perfect sense.
I tested my regex, just against wrong engine.

Thanks for pointing me in the right direction

-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: 20 December 2017 15:19
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: internalProxies regex

2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:
> Hello everyone,
>
>
>
> I have a question about the remoteipvalve in tomcat 8.5:
> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>
>
>
>
> internalProxies
>
> Regular expression that matches the IP addresses of internal proxies. 
> If they appear in the remoteIpHeader value, they will be trusted and 
> will not appear in the proxiesHeader value
>
> RemoteIPInternalProxy
>
> Regular expression (in the syntax supported by java.util.regex)
>
> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
> 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
> 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
> 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
> By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.
>
>
>
> I need to convert some CIDR ranges to regex:
>
>
> My concern is that \d{1,3} will match too many (non-existent) addresses:
>
> 103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|103\.31\.\d[4-7]\.\d[0-9]\d{1,3}
>
>
>
> So I re-wrote it using capture groups; the pattern below does not function however,
> and I assume it is due to the OR (|), which Tomcat will effectively see as a new
> entry?
> So I tried escaping, but I cannot get it to work:
>
> 103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))

Your assumption that "Tomcat will effectively see it as a new entry" is wrong.
The string is used as whole to initialize a java.util.regex.Pattern().
Tomcat does not split it.

You may write a simple program / JUnit test to test how
java.util.regex.Pattern() processes your value. Or you may run Tomcat with a
debugger:

https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario

AFAIK, '\|' in a regular expression will be interpreted as expecting literal 
'|' character in the matched string.  No IP address has this character so none 
will match.



Best regards,
Konstantin Kolinko








RE: internalProxies regex

2017-12-21 Thread Harrie Robins
This makes perfect sense.
I tested my regex, just against wrong engine.

Thanks for pointing me in the right direction

-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: 20 December 2017 15:19
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: internalProxies regex

2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:
> Hello everyone,
>
>
>
> I have a question about the remoteipvalve in tomcat 8.5:
> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>
>
>
>
> internalProxies
>
> Regular expression that matches the IP addresses of internal proxies. 
> If they appear in the remoteIpHeader value, they will be trusted and 
> will not appear in the proxiesHeader value
>
> RemoteIPInternalProxy
>
> Regular expression (in the syntax supported by java.util.regex)
>
> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
> 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
> 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
> 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
> By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.
>
>
>
> I need to convert some CIDR ranges to regex:
>
>
> My concern is that \d{1,3} will match too many (non-existent) addresses:
>
> 103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|103\.31\.\d[4-7]\.\d[0-9]\d{1,3}
>
>
>
> So I re-wrote it using capture groups; the pattern below does not function however,
> and I assume it is due to the OR (|), which Tomcat will effectively see as a new
> entry?
> So I tried escaping, but I cannot get it to work:
>
> 103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))

Your assumption that "Tomcat will effectively see it as a new entry" is wrong.
The string is used as whole to initialize a java.util.regex.Pattern().
Tomcat does not split it.

You may write a simple program / JUnit test to test how
java.util.regex.Pattern() processes your value. Or you may run Tomcat with a
debugger:

https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario

AFAIK, '\|' in a regular expression will be interpreted as expecting literal 
'|' character in the matched string.  No IP address has this character so none 
will match.



Best regards,
Konstantin Kolinko






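Konstantin's point about `\|` and Felix's points about doubled backslashes and the anchors, shown in an added example that is not part of the thread: a Java class whose constants are the three broken spellings the thread went through (backslashes doubled as in Java source, the alternation escaped as `\|`, and a pattern that only passes a substring test) next to the correct one. The helper `tomcatWouldTrust` mirrors the valve's own check, `Pattern.compile(internalProxies).matcher(remoteAddr).matches()`; `testerWouldAccept` uses `find()`, which is what makes a pattern "work" in a regex tester yet fail in Tomcat. The address 103.21.245.17 is constructed for the test; the class and method names are mine.

```java
import java.util.regex.Pattern;

/** Ways an internalProxies value that "tests fine" elsewhere can still never match in Tomcat. */
public class InternalProxiesPitfalls {

    // Constructed test address inside 103.21.244.0/22.
    static final String ADDR = "103.21.245.17";
    static final String LAST_OCTET = "[0-9]|[1-9][0-9]|1[0-9][0-9]|2(?:[0-4][0-9]|5[0-5])";

    // What server.xml should carry. The regex text is 103\.21\.24[4-7]\.(...); in Java source
    // every backslash is doubled, and that doubled spelling is what got pasted into server.xml.
    static final String CORRECT = "103\\.21\\.24[4-7]\\.(?:" + LAST_OCTET + ")";

    // The Java-source spelling used as the attribute value: the regex now contains \\. which
    // means "a literal backslash followed by any character", so no real address can match.
    static final String DOUBLED = "103\\\\.21\\\\.24[4-7]\\\\.(?:" + LAST_OCTET + ")";

    // Escaping the alternation: \| is a literal '|' character, which no address contains.
    static final String ESCAPED_PIPE =
            "103\\.21\\.24[4-7]\\.(?:[0-9]\\|[1-9][0-9]\\|1[0-9][0-9]\\|2(?:[0-4][0-9]\\|5[0-5]))";

    // A partial pattern: accepted by find(), which many regex testers use, rejected by matches().
    static final String PARTIAL = "103\\.21\\.24[4-7]";

    /** How RemoteIpValve decides whether the peer is an internal proxy: whole-string matches(). */
    static boolean tomcatWouldTrust(String internalProxies, String remoteAddr) {
        return Pattern.compile(internalProxies).matcher(remoteAddr).matches();
    }

    /** find() only needs a matching substring, so it is the wrong test for this attribute. */
    static boolean testerWouldAccept(String regex, String remoteAddr) {
        return Pattern.compile(regex).matcher(remoteAddr).find();
    }

    public static void main(String[] args) {
        System.out.println("correct, matches()      : " + tomcatWouldTrust(CORRECT, ADDR));
        System.out.println("doubled, matches()      : " + tomcatWouldTrust(DOUBLED, ADDR));
        // What DOUBLED actually asks for: an input that contains literal backslashes.
        System.out.println("doubled, backslash input: " + tomcatWouldTrust(DOUBLED, "103\\.21\\.245\\.17"));
        System.out.println("escaped pipe, matches() : " + tomcatWouldTrust(ESCAPED_PIPE, ADDR));
        System.out.println("partial, find()         : " + testerWouldAccept(PARTIAL, ADDR));
        System.out.println("partial, matches()      : " + tomcatWouldTrust(PARTIAL, ADDR));
    }
}
```

With that address only CORRECT under `matches()` and PARTIAL under `find()` are accepted; DOUBLED accepts only the string with literal backslashes, which shows what it is really asking for. Because the valve uses `matches()`, `^` and `$` add nothing, and a top-level alternation of complete addresses is safe. When a pattern still fails in Tomcat after passing here, set `org.apache.catalina.valves.RemoteIpValve.level = FINE` in logging.properties (the valve's own logger, as Felix suggested; the `RemoteIpFilter` logger only covers the filter): the valve logs the original remote address it tested at debug level, which is also what Mark's custom-valve suggestion would reveal.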

internalProxies regex

2017-12-20 Thread Harrie Robins
Hello everyone,

I have a question about the remoteipvalve in tomcat 8.5:
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html

internalProxies

Regular expression that matches the IP addresses of internal proxies. If
they appear in the remoteIpHeader value, they will be trusted and will not
appear in the proxiesHeader value

RemoteIPInternalProxy

Regular expression (in the syntax supported by java.util.regex)

10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.

I need to convert some CIDR ranges to regex:

My concern is that \d{1,3} will match too many (non-existent) addresses:

103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|103\.31\.\d[4-7]\.\d[0-9]\d{1,3}

So I re-wrote it using capture groups; the pattern below does not function however, and I
assume it is due to the OR (|), which Tomcat will effectively see as a new entry?
So I tried escaping, but I cannot get it to work:

103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))

Any thoughts?

Thanks,

Harrie



Re: Tomcat 7.0.65 + Java 6 Update 121 64-bit - Cipher Suite Names

2016-09-21 Thread Harrie Robins
Please see: https://community.qualys.com/thread/11882
Disable the weak ciphers.

The Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction
Policy is needed when you want to run AES256 (you want this).

Regards,

Harrie

On 21 September 2016 at 12:18, Román Valoria wrote:

> Dear all:
>
> I need to configure Tomcat 7.0.65 with Java 6, both 64-bit.
>
> I have managed to make it work with update 121 in using the SSL protocol
> TLS 1.2.
>
> Now I need to exert some control over the cipher suites used on that
> protocol.
>
> I am unable to come up with the list of supported cipher suite names to
> use.
>
> Both JRE and JDK are in:
>
> https://support.oracle.com/epmos/faces/PatchResultsNDetails?patchId=
> 9553040
>
> I am using both the Java 6 and 7 documentation to come up with the cipher
> suite names:
>
> Java Cryptography Architecture Sun Providers Documentation
>  guides/security/SunProviders.html>
>
>
> Java PKCS#11 Reference Guide
>  guides/security/p11guide.html#ALG>
>
>
> Standard Algorithm Name Documentation
>  guides/security/StandardNames.html#Cipher>
>
>
> Java Cryptography Architecture Oracle Providers Documentation
>  guides/security/SunProviders.html#SunJSSEProvider>
>
>
> As per the above I even tried downloading the Java Cryptography Extension
> for Java 6 from:
>
> Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy
> Files 6
>  embedded-se/downloads/jce-6-download-429243.html>
>
>
> But that is for 32-bit and failed anyway.
>
> Am I missing something?
>
> Thanks and regards.
>

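For Román's question about where the cipher suite names come from, an added example rather than anything from the thread: a Java program, written to compile on Java 6 and later, that asks the JRE itself which suites it supports, drops the weak families Harrie refers to, and prints the rest as the comma-separated value Tomcat 7's connector `ciphers` attribute takes. The WEAK pattern and the ordering (forward-secret ECDHE and DHE suites first) are my choices; the suite names are whatever the JRE reports, so it must be run with the same JRE that starts Tomcat.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

/** Prints the cipher suites the running JRE supports, minus weak families, as a Tomcat ciphers value. */
public class CipherSuiteList {

    // Families to exclude: no encryption or no authentication, export grade, RC4, DES, 3DES, MD5 MACs.
    private static final Pattern WEAK = Pattern.compile("_NULL_|_anon_|_EXPORT|_RC4_|_DES_|3DES|_MD5$");

    static boolean isWeak(String suite) {
        return WEAK.matcher(suite).find();
    }

    /** Lower rank sorts first: ephemeral (EC)DH key exchange gives forward secrecy. */
    static int rank(String suite) {
        if (suite.contains("_ECDHE_")) return 0;
        if (suite.contains("_DHE_")) return 1;
        return 2;
    }

    static List<String> strongSuites(String[] supported) {
        List<String> out = new ArrayList<String>();
        for (String s : supported) {
            if (!isWeak(s)) out.add(s);
        }
        Collections.sort(out, new Comparator<String>() {
            public int compare(String a, String b) {
                int r = rank(a) - rank(b);
                return r != 0 ? r : a.compareTo(b);
            }
        });
        return out;
    }

    static String join(List<String> items) {
        StringBuilder sb = new StringBuilder();
        for (String s : items) {
            if (sb.length() > 0) sb.append(',');
            sb.append(s);
        }
        return sb.toString();
    }

    static boolean hasAes256(List<String> suites) {
        for (String s : suites) {
            if (s.contains("_AES_256_")) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Ask the default SSLContext, i.e. the JSSE provider Tomcat's JSSE connector will use.
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        List<String> strong = strongSuites(supported);
        System.out.println("ciphers=\"" + join(strong) + "\"");
        if (!hasAes256(strong)) {
            System.out.println("No AES-256 suites reported; on older JREs that usually means the"
                    + " unlimited strength policy files are not installed.");
        }
    }
}
```

The supported list is JRE-specific and, on older JREs, policy-specific: a suite named in `ciphers` that the JRE cannot provide is not enabled, so if no `_AES_256_` suite shows up, install the unlimited strength policy files before listing AES-256 suites in the connector.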

HSTS + TLS redirect resulting in error with psi-probe

2016-07-25 Thread Harrie Robins
I have psi-probe version 2.4.0 deployed in our Tomcat webapps, and made the
following changes to my server.xml  + web.xml

*Web.xml (enable hsts):*

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

*Force TLS on our domain:*

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
*Finally, in server xml, redirect port 80 to port 443:*

**


This works fine for our webapps, but when simultaneously using HSTS and the
SSL forward I get the following error in psi-probe:

*You do not have sufficient privileges to access this page. Please use the
navigation bar to choose another area or click the "back" button in your
browser. *

Disabling either HSTS or the HTTPS forward solves this issue, so this has
nothing to do with user roles not being correct. I can't figure out why
this is happening.

Kind regards,

Harrie Robins


RE: Facing issue while configuring SSL

2016-07-12 Thread Harrie Robins
java.lang.Exception: Unable to load certificate key conf/localhost-key.pem 
(error:02001003:system library:fopen:No such process

If I'm correct you are either missing the correct rights to this file or it is not
in the given location.
A second possibility is a missing password for the key file:

SSLPassword="pass"

Regards,

Harrie

-Original Message-
From: Devendra Sengar [mailto:dssen...@gmail.com]
Sent: Tuesday 12 July 2016 10:50
To: users@tomcat.apache.org
Subject: Facing issue while configuring SSL

Hi,

This is regarding the configuration of Tomcat SSL using the APR library on Java 
6.

While starting the server I am getting the below error:

SEVERE: Failed to initialize end point associated with ProtocolHandler 
["http-apr-443"]
java.lang.Exception: Unable to load certificate key conf/localhost-key.pem 
(error:02001003:system library:fopen:No such process)

I am trying to implement SSL using independent libraries for OpenSSL, Tomcat 
Native and Apache Portable Runtime.

I have downloaded precompiled versions of OpenSSL and Tomcat Native (see them 
attached). I have tried compiling the Apache Portable Runtime using Visual 
Studio (find it also attached).

I am running those libraries on either Tomcat 7.0.6 or 7.0.70 64-bit for 
Windows (using the 64-bit distro, not the installer one).

We are restricted by our application to use Oracle Java 6 Update 115 64-bit.

The versions of the libraries I am using are the latest available online, again 
see the binaries attached.

The parameters used in the server.xml file are:

For Tomcat 7.0.6:


For Tomcat 7.0.70



The library files are in the tomcat bin folder as openssl.exe, tcnative-1.dll 
and libapr-1.dll.

tcnative-1.dll:
https://drive.google.com/file/d/0ByilOlQCXOkWQ1ZCckhodHBvQk0/view?usp=sharing
openssl.exe:
https://drive.google.com/file/d/0ByilOlQCXOkWQk9KUUJSb3ZqeW8/view?usp=sharing
libapr-1.dll:
https://drive.google.com/file/d/0ByilOlQCXOkWV09NTi0tNWxhZnM/view?usp=sharing


The same certificates files mentioned in the server.xml file were used and work 
in a brand new Apache web server.

Please let us know your opinion of what can cause those errors?

Can it be because of a APR dll not compiled properly?

Any other idea?

Thanks,
Devendra





RE: Encrypted jdbc

2016-04-11 Thread Harrie Robins
Hi!

From the MariaDB manual:

have_openssl

Description: Before MariaDB 10.0.1, have_openssl was an alias for have_ssl. 
Since MariaDB 10.0.1, comparing have_openssl with have_ssl will indicate 
whether YaSSL or openssl was used. If YaSSL, have_ssl will be ON, but 
have_openssl will be OFF.
Scope: Global
Dynamic: No 

have_ssl

Description: If the server supports SSL connections, will be set to YES, 
otherwise will be set to NO. If set to DISABLED, the server was compiled with 
SSL support, but was not started with SSL support (see the mysqld options). See 
also have_openssl.
Scope: Global
Dynamic: No 

Did you start with SSL support? If not, the path to take is to either get an
SSL-enabled binary or recompile with the SSL option.

Regards,




-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday 8 April 2016 1:26
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Encrypted jdbc


Harrie,

On 4/7/16 4:55 PM, Harrie Robins wrote:
> I found MySQL easy to setup. I suspect MariaDB would be setup similar, 
> here a small example:
> 
> Generate keys / certificate's: 
> http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html
> 
> Import to keystore (for tomcat): 
> https://dev.mysql.com/doc/connector-j/en/connector-j-reference-using-s
sl.html

This was always my problem:

mysql> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
...
+---------------+----------+

Debian + Oracle + OpenSSL = :(

-chris







RE: Encrypted jdbc

2016-04-07 Thread Harrie Robins
I found MySQL easy to set up. I suspect MariaDB would be set up similarly; here a 
small example:

Generate keys / certificates:
http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html

Import to keystore (for tomcat):
https://dev.mysql.com/doc/connector-j/en/connector-j-reference-using-ssl.html

Enable in mysql config:

[mysqld]
ssl-ca=/etc/mysql-ssl/ca-cert.pem
ssl-cert=/etc/mysql-ssl/server-cert.pem
ssl-key=/etc/mysql-ssl/server-key.pem

To enable SSL for JSSE, we need to load the trust store and key store; we can do 
this right in Tomcat's JVM options:

-Djavax.net.ssl.keyStore=path_to_keystore_file
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=path_to_truststore_file
-Djavax.net.ssl.trustStorePassword=password

Or load them through the application:

System.setProperty("javax.net.ssl.keyStore","path_to_keystore_file");
System.setProperty("javax.net.ssl.keyStorePassword","password");
System.setProperty("javax.net.ssl.trustStore","path_to_truststore_file");
System.setProperty("javax.net.ssl.trustStorePassword","password");

Add the following to the JDBC connection string (in context.xml the parameter 
separator is written as &amp;):

connectionURL="jdbc:mysql://example.com:3306/equsers?useSSL=true&amp;requireSSL=true"

And you are done for mysql.

Regards,

Harrie


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Thursday 7 April 2016 22:35
To: Tomcat Users List 
Subject: Re: Encrypted jdbc

Mark,

On 4/7/16 12:30 PM, Mark Eggers wrote:
> OSP,
> 
> On 4/7/2016 8:28 AM, Christopher Schultz wrote:
>> OSP,
>>
>> On 4/7/16 10:08 AM, Linux Support wrote:
>>> Greetings all,
>>>
>>> =
>>> Server number:  8.0.28.0
>>> OS Name:        Linux
>>> OS Version:     2.6.32-573.8.1.el6.x86_64
>>> JVM Version:    1.8.0_66-b17
>>> =
>>>
>>> Back end database is mariadb residing on a another remote linux 
>>> instance. I have downloaded and copied the Mariadb jdbc driver to 
>>> the lib directory of the TC server.
>>>
>>> Can you let me know how to encrypt the database connectivity from 
>>> the TC instance to the DB instance.
>>
>> Just to confirm: you want to encrypt the communication channel 
>> between your application (really the JDBC driver) and the database?
>>
>> -chris
> 
> 
> There appears to be at least two ways of doing this.
> 
> 1. Build an SSH tunnel between your Tomcat server and DB server
> 
> This requires ssh and remote access to the DB server. You'll also want 
> to configure a tunnel to come up when your Tomcat server is restarted 
> and resume if the tunnel disconnects. You'll probably want to use a 
> certificate-based authentication for the SSH tunnel so user names and 
> passwords don't have to be entered.

You can also use stunnel which is slightly simpler and IMO more reliable, since 
stunnel has a daemon which can auto-connect, etc.

> 2. Use SSL at the JDBC level
> 
> MariaDB can be configured to use SSL, and the client can be configured 
> to use a certificate. I've not done this, but it appears that the 
> connection parameters are useSSL=true, requireSSL=true, 
> serverSslCert=certpath. certpath appears to be an absolute file path, 
> a path relative to the current classpath, or a DER-encoded certificate string.
> 
> You may (most probably) have to install JCE for the version of Java 
> that you are using.
> 
> Please note that I've not tried any of this. Hopefully, the above 
> pointers will get you started.

IIRC, *MySQL* is a giant pain in the neck to get going with SSL. I'm not sure 
if MariaDB is any easier.

Your existing Java version should be sufficient to make outgoing SSL 
connections; there's no need to add JCE or anything else, unless you want to 
add the unlimited-strength policy files to allow for ciphers with larger keys.

-chris
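
The connection-string step above is the one most often got wrong (the separator between useSSL and requireSSL is easy to lose when copying between XML and Java, and useSSL=true on its own does not force encryption). As an added example that is not part of this thread, here is a small Python check that parses a jdbc:mysql:// URL the way the driver will see it and reports the problems a reviewer would flag. It goes a little beyond the thread by also understanding the sslMode parameter of newer Connector/J releases; that parameter and the URLs fed to the check are assumptions, not taken from the posts.

```python
from urllib.parse import urlsplit, parse_qs

# sslMode values (newer Connector/J; an assumption beyond this thread) that
# guarantee an encrypted channel. DISABLED and PREFERRED do not.
ENCRYPTING_SSL_MODES = {"REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"}


def check_mysql_jdbc_url(url):
    """Parse a jdbc:mysql:// URL and return its parts plus a list of problems."""
    if not url.startswith("jdbc:mysql://"):
        raise ValueError("expected a jdbc:mysql:// URL")
    # After the 'jdbc:' prefix the remainder is an ordinary URL, so urlsplit
    # handles host, port, database path and query string for us.
    parts = urlsplit(url[len("jdbc:"):])
    problems = []
    params = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        value = values[-1]
        if key.startswith("amp;"):
            # 'useSSL=true&amp;requireSSL=true' copied out of an XML attribute
            # into a Java string: the driver sees a parameter named 'amp;requireSSL'.
            problems.append("literal '&amp;' in the query string: use '&' in Java "
                            "strings and '&amp;' only inside XML attributes")
            key = key[len("amp;"):]
        if "=" in value:
            # 'useSSL=truerequireSSL=true': the '&' between parameters is missing.
            problems.append("parameter %s has value %r: a '&' separator is "
                            "probably missing" % (key, value))
        params[key] = value

    ssl_mode = params.get("sslMode")
    if ssl_mode is not None:
        if ssl_mode.upper() not in ENCRYPTING_SSL_MODES:
            problems.append("sslMode=%s does not guarantee an encrypted connection" % ssl_mode)
    else:
        if params.get("useSSL", "").lower() != "true":
            problems.append("useSSL=true is missing: the connection is not encrypted")
        elif params.get("requireSSL", "").lower() != "true":
            problems.append("requireSSL=true is missing: the driver will still connect "
                            "to a server that offers no SSL")

    return {"host": parts.hostname, "port": parts.port,
            "database": parts.path.lstrip("/"), "params": params,
            "problems": problems}


if __name__ == "__main__":
    # Constructed sample URLs, including the two broken forms discussed above.
    for sample in (
        "jdbc:mysql://example.com:3306/equsers?useSSL=true&requireSSL=true",
        "jdbc:mysql://example.com:3306/equsers?useSSL=truerequireSSL=true",
        "jdbc:mysql://example.com:3306/equsers?useSSL=true&amp;requireSSL=true",
        "jdbc:mysql://example.com:3306/equsers?useSSL=true",
    ):
        report = check_mysql_jdbc_url(sample)
        print(sample, "->", report["problems"] or "OK")
```

The check only looks at what the URL asks for; whether the server actually honours it is a separate question, which is exactly what the `have_ssl` / `have_openssl` variables quoted earlier in the thread answer on the server side.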







RE: HSTS missing from HTTPS server on tomcat 8.0.27

2016-02-08 Thread Harrie Robins
Hello!

Missing HSTS is not a vulnerability; as Mark pointed out, it is a feature.
In your web.xml:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

This will NOT activate HSTS for your application; you will need to add this
mapping as well (edit to needs and add to application):

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

Regards,

Harrie

-Original Message-
From: dku...@ccilindia.co.in [mailto:dku...@ccilindia.co.in] 
Sent: Monday 8 February 2016 15:50
To: 'Tomcat Users List' 
Subject: HSTS missing from HTTPS server on tomcat 8.0.27

Hi,

We are unable to fix the vulnerability of "HSTS missing from HTTPS server" 
on apache tomcat 8.0.27 while running on unix operating system. Below is
the system configuration:

OS Name:      HP-UX
OS Version:   B.11.31
Architecture: IA64N
Java Home:    /opt/java8/jre
JVM Version:  1.8.0.04-hp-ux-b2
JVM Vendor:   Hewlett-Packard Company

We have uncommented the httpHeaderSecurity in the filter tag of conf/web.xml
file, but still the vulnerability exists. We have also tried with apache
tomcat 8.0.30, but in vain.


Any help to fix this vulnerability is appreciated.

Thanks & Regards
Deepak Kumar


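The point of the reply is that a <filter> definition alone does nothing: the filter only runs for requests that a <filter-mapping> routes through it, which is what "uncommented httpHeaderSecurity in conf/web.xml, scanner still complains" usually comes down to. As an added example that is not part of the thread, here is a Python check that reads a web.xml, finds HttpHeaderSecurityFilter, verifies that it is mapped, and reports the effective HSTS settings. The two web.xml documents are constructed inline; the defaults it assumes for init-params that are left out (hstsEnabled=true, hstsMaxAgeSeconds=0, hstsIncludeSubDomains=false) are assumptions taken from the filter's documentation as I recall it and are marked as such in the code.

```python
import xml.etree.ElementTree as ET

HSTS_FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
ONE_YEAR = 31536000

# Constructed sample 1: filter defined AND mapped, as in the reply above.
SAMPLE_WEB_XML_OK = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>
      org.apache.catalina.filters.HttpHeaderSecurityFilter
    </filter-class>
    <init-param>
      <param-name>hstsEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>hstsMaxAgeSeconds</param-name>
      <param-value>31536000</param-value>
    </init-param>
    <init-param>
      <param-name>hstsIncludeSubDomains</param-name>
      <param-value>true</param-value>
    </init-param>
    <async-supported>true</async-supported>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
</web-app>
"""

# Constructed sample 2: the filter is uncommented but nothing maps it
# (the situation described in the question).
SAMPLE_WEB_XML_NO_MAPPING = (
    SAMPLE_WEB_XML_OK[: SAMPLE_WEB_XML_OK.index("<filter-mapping>")] + "</web-app>\n"
)


def _local(tag):
    """Strip the XML namespace so <filter> matches with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    """Trimmed text of the first direct child named `name`, or None."""
    for child in el:
        if _local(child.tag) == name and child.text is not None:
            return child.text.strip()
    return None


def audit_hsts(web_xml):
    """Report whether HttpHeaderSecurityFilter is defined, mapped and set up for HSTS."""
    root = ET.fromstring(web_xml)
    result = {"defined": False, "mapped": False, "hsts_enabled": False,
              "max_age": None, "include_subdomains": False,
              "header": None, "problems": []}
    problems = result["problems"]

    # 1. Is the filter defined at all (i.e. no longer commented out)?
    filter_name, params = None, {}
    for el in root:
        if _local(el.tag) == "filter" and _child_text(el, "filter-class") == HSTS_FILTER_CLASS:
            result["defined"] = True
            filter_name = _child_text(el, "filter-name")
            for ip in el:
                if _local(ip.tag) == "init-param":
                    params[_child_text(ip, "param-name")] = _child_text(ip, "param-value")
            break
    if not result["defined"]:
        problems.append("HttpHeaderSecurityFilter is not defined (still commented out?)")
        return result

    # 2. Is it mapped? A <filter> without a <filter-mapping> never runs.
    for el in root:
        if _local(el.tag) == "filter-mapping" and _child_text(el, "filter-name") == filter_name:
            result["mapped"] = True
            break
    if not result["mapped"]:
        problems.append("no <filter-mapping> for %r: the filter is defined but never runs" % filter_name)

    # 3. Effective HSTS settings. Assumed defaults when an init-param is absent:
    #    hstsEnabled=true, hstsMaxAgeSeconds=0, hstsIncludeSubDomains=false.
    result["hsts_enabled"] = params.get("hstsEnabled", "true").lower() == "true"
    result["include_subdomains"] = params.get("hstsIncludeSubDomains", "false").lower() == "true"
    try:
        result["max_age"] = int(params.get("hstsMaxAgeSeconds", "0"))
    except ValueError:
        problems.append("hstsMaxAgeSeconds is not an integer")
        return result
    if not result["hsts_enabled"]:
        problems.append("hstsEnabled=false: no Strict-Transport-Security header will be sent")
        return result
    if result["max_age"] < ONE_YEAR:
        problems.append("hstsMaxAgeSeconds=%d is below one year (%d)" % (result["max_age"], ONE_YEAR))
    # The header value this configuration asks for.
    result["header"] = "max-age=%d%s" % (
        result["max_age"], ";includeSubDomains" if result["include_subdomains"] else "")
    return result


if __name__ == "__main__":
    for label, doc in (("defined+mapped", SAMPLE_WEB_XML_OK),
                       ("no mapping", SAMPLE_WEB_XML_NO_MAPPING)):
        print(label, audit_hsts(doc))
```

Point it at $CATALINA_BASE/conf/web.xml (or an application's WEB-INF/web.xml) by passing the file contents to audit_hsts. One caveat the check cannot see: the filter only adds the header to requests Tomcat regards as secure (request.isSecure()), so behind a TLS-terminating proxy the Connector needs secure="true" or proxy-header handling such as RemoteIpValve, otherwise a correctly defined and mapped filter still sends nothing.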



Client TLS 1.2 error for APR

2016-01-13 Thread Harrie Robins
Hi!

I'm running Tomcat 7.0.65 with APR connector over port 443. I'm experiencing
trouble with users that connect with IE11 over SSL. Connecting and browsing
works fine, but sometimes a white screen with this error pops up. Once they
disable TLS 1.2 everything works fine:

This page can't be displayed

Turn on TLS 1.0, TLS1.1 and TLS 1.2 in Advanced settings and try connecting
to https://sub.example.com again. If this error persists, contact your site
administrator.

Right now I'm using SHA-2 encryption (we moved from SHA-1) with A+ rating on
SSLLabs, without any errors.

Server.xml configuration. Ciphers following latest intermediate from Mozilla
openssl config:



Does anyone have a pointer about what could be wrong with this
configuration?

Kind regards,

Harrie



RE: Client TLS 1.2 error for APR

2016-01-13 Thread Harrie Robins
Hi Markt,

Sorry, I did not include this since I'm using the standard one in the release (1.1.33).
I know of the more recent releases, but I can't just update (production),
and in the release notes I did not find anything that might help.

Thanks,

Harrie

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Wednesday 13 January 2016 20:59
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Client TLS 1.2 error for APR

On 13/01/2016 18:36, Harrie Robins wrote:
> Hi!
> 
> I'm running Tomcat 7.0.65 with APR connector over port 443.

Tomcat version - tick
Connector config - tick
Tomcat-Native version ... ?

Mark

> I'm experiencing
> trouble with users that connect with IE11 over SSL. Connecting and 
> browsing works fine, but sometimes a white screen with this error pops 
> up. Once they disable TLS 1.2 everything works fine:
> 
> This page can't be displayed
> 
> Turn on TLS 1.0, TLS1.1 and TLS 1.2 in Advanced settings and try 
> connecting to https://sub.example.com again. If this error persists, 
> contact your site administrator.
> 
> Right now I'm using SHA-2 encryption (we moved from SHA-1) with A+ 
> rating on SSLLabs, without any errors.
> 
> Server.xml configuration. Ciphers following latest intermediate from 
> Mozilla openssl config:
> 
> <Connector port="443"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            connectionTimeout="6000"
>            maxThreads="500"
>            maxKeepAliveRequests="-1"
>            acceptCount="200"
>            SSLEnabled="true"
>            scheme="https"
>            secure="true"
>            clientAuth="false"
>            enableLookups="false"
>            SSLCertificateFile="C:\server\ssl\server.crt"
>            SSLCertificateKeyFile="C:\server\ssl\private.key"
>            SSLCACertificateFile="C:\server\ssl\intermediate.crt"
>            SSLPassword="passw"
>            SSLProtocol="all -SSLv2-SSLv3"
>            SSLHonorCipherOrder="true"
>            SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE:!EDH"
> />
> 
> Does anyone have a pointer about what could be wrong with this 
> configuration?
> 
> Kind regards,
> 
> Harrie
> 
> 




