jsvc - non root - log as root

2020-06-26 Thread Jürgen Weber
Hi, when you run tomcat with jsvc and have jsvc drop privileges to a different user, stdout and stderr log files are still created with root as owner. Can you make jsvc create them as the -user ? weberjn@beo:~/apache-tomcat-9.0.36/logs$ ll total 20 -rw--- 1 weberjn weberjn 4630 Jun 26 08:28

Re: Connection Closure due to Fatal Stream with HTTP2

2020-06-26 Thread Chirag Dewan
Thanks Mark. *What is the typical response size for one of these requests? * It's basically a dummy response JSON of ~300bytes. I expect 2300bytes of response in my production use case, but the purpose here was to isolate as many things as possible. Hence a dummy response. *How long does a

Re: Connection Closure due to Fatal Stream with HTTP2

2020-06-26 Thread Mark Thomas
Hi, Thanks for the additional information. The GC roots were particularly informative. Those RequestInfo objects are associated with HTTP/1.1 requests, not HTTP/2 requests. Some further questions to try and track down what is going on: - Are you using h2c or h2 in your test? - Do you see the

Re: Question around catalina.policy change back with 9.0.33, etc.

2020-06-26 Thread Mark Thomas
On 26/06/2020 00:15, jonmcalexan...@wellsfargo.com.INVALID wrote: > I have a developer that is asking WHY the following policies were set to read > only. The Change Log doesn't illuminate why. > > // The cookie code needs these. > permission java.util.PropertyPermission >

Re: Tomcat 9.0.36 - JDK 13/14

2020-06-26 Thread Mark Thomas
On 26/06/2020 05:45, Kiran Badi wrote: > Hi All, > > I wanted to check if tomcat 9.0.36 supports open jdk 13/14. Supported Java versions are listed at: http://tomcat.apache.org/whichversion.html "Java 8 and later" includes Java 13 and Java 14. > I created a simple spring boot war file and

Re: Connection Closure due to Fatal Stream with HTTP2

2020-06-26 Thread Chirag Dewan
Absolutely Mark. Shouldn't take long. On Fri, 26 Jun, 2020, 4:16 pm Mark Thomas, wrote: > Aha! > > h2c could be the significant factor here. Let me take a look. > > Are you in a position to test against a dev build if the need arises? > > Mark > > > On 26/06/2020 11:30, Chirag Dewan wrote: > >

Re: CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service

2020-06-26 Thread Mark Thomas
On 26/06/2020 13:35, Kasteleijn, Wilco wrote: > Hello, we would like to know if this vulnerability is only applicable for > usage of the coyote http connector? It only applies when using the HTTP/2 protocol. That is only available with an HTTP connector. > We are using Tomcat 8.5.55 in

Re: Connection Closure due to Fatal Stream with HTTP2

2020-06-26 Thread Mark Thomas
On 26/06/2020 12:48, Mark Thomas wrote: > On 26/06/2020 12:45, Chirag Dewan wrote: >> Absolutely Mark. Shouldn't take long. > > Great. I think I have found a potential root cause. If I am right, NIO > will show the same issues NIO2 did. > > I should have a test build for you shortly. Try this:

How to encrypt db password in tomcat context.xml

2020-06-26 Thread FANG YAP
Hi Tomcat, I would like to know how to encrypt and decrypt the database password in context.xml when the application is running which also allow me to change the db password for the purpose of security. Database driver is Oracle JDK: 1.8.0_251 Tomcat Version: 8.5.55 Appreciate ya help. Rgs,

Re: jsvc - non root - log as root

2020-06-26 Thread Mark Thomas
On 26/06/2020 08:21, Jürgen Weber wrote: > Hi, > > when you run tomcat with jsvc and have jsvc drop privileges to a > different user, stdout and stderr log files are still created with > root as owner. > Can you make jsvc create them as the -user ? I'm no C expert but my reading of

Re: Connection Closure due to Fatal Stream with HTTP2

2020-06-26 Thread Chirag Dewan
Hey Mark, *Are you using h2c or h2 in your test?* We are using h2c *Do you see the same issue if you switch to the NIO connector? Note performance differences between NIO and NIO2 are very small.* I haven't tried with NIO honestly. Can quickly execute and check. Will update the results. *How

Re: Connection Closure due to Fatal Stream with HTTP2

2020-06-26 Thread Mark Thomas
Aha! h2c could be the significant factor here. Let me take a look. Are you in a position to test against a dev build if the need arises? Mark On 26/06/2020 11:30, Chirag Dewan wrote: > Hey Mark, > > *Are you using h2c or h2 in your test?* > We are using h2c > > > *Do you see the same issue

Re: Connection Closure due to Fatal Stream with HTTP2

2020-06-26 Thread Mark Thomas
On 26/06/2020 12:45, Chirag Dewan wrote: > Absolutely Mark. Shouldn't take long. Great. I think I have found a potential root cause. If I am right, NIO will show the same issues NIO2 did. I should have a test build for you shortly. Mark > > On Fri, 26 Jun, 2020, 4:16 pm Mark Thomas, wrote:

CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service

2020-06-26 Thread Kasteleijn, Wilco
Hello, we would like to know if this vulnerability is only applicable for usage of the coyote http connector? We are using Tomcat 8.5.55 in combination with an Apache HTTPD proxy setup that is connected via the AJP connector. Are we also affected in that case? Regards, Wilco.

Re: How to encrypt db password in tomcat context.xml

2020-06-26 Thread Olaf Kock
On 26.06.20 15:05, FANG YAP wrote: > Hi Tomcat, > > I would like to know how to encrypt and decrypt the database password in > context.xml when the application is running which also allow me to change > the db password for the purpose of security.

Re: Tomcat 9.0.36 - JDK 13/14

2020-06-26 Thread Kiran Badi
We fixed the issue, Mark. Actually tomcat was running on JDK 1.8 and applications were built using JDK 13/14. So when they were deployed to tomcat running with 1.8, they were giving 404. Now the plan is to explore and upgrade tomcat to at least jdk 13. It would have been nice really to have at least

Re: jsvc - non root - log as root

2020-06-26 Thread Christopher Schultz
Mark and Jürgen, On 6/26/20 06:23, Mark Thomas wrote: > On 26/06/2020 08:21, Jürgen Weber wrote: >> Hi, >> >> when you run tomcat with jsvc and have jsvc drop privileges to a >> different user, stdout and stderr log files are still created >> with

Re: SSL error

2020-06-26 Thread calder
On Fri, Jun 26, 2020, 10:37 Beard, Shawn M. wrote: > We are running tomcat-7.0.52(old I know) and java 1.7.0_80. > yea, BOTH are very old. When the app makes calls to an external webservice. It keeps throwing this > error: > > javax.net.ssl.SSLException : javax.net.ssl.SSLException: >

RE: SSL error [EXTERNAL]

2020-06-26 Thread John.E.Gregg
Shawn, -Original Message- From: Beard, Shawn M. Sent: Friday, June 26, 2020 11:57 AM To: Tomcat Users List Subject: RE: SSL error [EXTERNAL] The code is calling a new webservice. It has godaddy as its ca signer. It was getting the error before I added those java options. Those java

RE: SSL error [EXTERNAL]

2020-06-26 Thread Beard, Shawn M.
I was able to resolve this. I used keytool to create a new keystore/trust store, then imported the previous truststore that had all the CA certs in it. That seemed to work. So even though the previous truststore had the certs in it and was not empty, it must have had some kind of linking

RE: SSL error [EXTERNAL]

2020-06-26 Thread Beard, Shawn M.
The code is calling a new webservice. It has godaddy as its ca signer. It was getting the error before I added those java options. Those java options were my attempt to resolve it. I've also tried adding the godaddy ca certs to java's cacert file without those java options. Same result. Shawn

RE: Question around catalina.policy change back with 9.0.33, etc.

2020-06-26 Thread jonmcalexander
Thank you so much Mark!!!

SSL error

2020-06-26 Thread Beard, Shawn M.
We are running tomcat-7.0.52(old I know) and java 1.7.0_80. When the app makes calls to an external webservice, it keeps throwing this error: javax.net.ssl.SSLException : javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: