Thank you sir!
Jon McAlexander
Asst Vice President, Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Wednesday, February 26, 2020 11:18 AM
To: users@tomcat.apache.org
Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

Jon,

On 2/26/20 09:25, jonmcalexan...@wellsfargo.com.INVALID wrote:
> -----Original Message-----
>> From: Mark Thomas <ma...@apache.org>
>> Sent: Wednesday, February 26, 2020 5:19 AM
>> To: users@tomcat.apache.org
>> Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat
>>
>> On 26/02/2020 09:00, Mark Thomas wrote:
>>> On 25/02/2020 21:47, Ellen Meiselman wrote:
>>>> So it turned out that the logs were mostly set at FINE already, so
>>>> Johann's suggestion was already done.
>>>>
>>>> But I think I now know where the problem lies. Secure IIS request to
>>>> non-secure AJP.
>>>>
>>>> I don't think this was a problem on the other servers before, but the
>>>> security has probably been tightened, and it just doesn't produce an
>>>> error - it just won't allow it.
>>>> I have had IIS set to require SSL, but I turned it off to test and it
>>>> actually worked all the way through to the simple.html file. So it's
>>>> some sort of policy about downgrading - which seems quite rational in
>>>> retrospect.
>>>
>>> Thanks for the new information.
>>>
>>> That rules out an issue with the secret settings.
>>>
>>> I wonder if IIS (or more likely the ISAPI redirector) is adding some
>>> unexpected request attributes that are triggering the new protection
>>> for CVE-2020-1938. If that is the case, adding the following to your
>>> AJP connector in server.xml should get things working for SSL as well:
>>>
>>> allowedRequestAttributesPattern=".*"
>>>
>>> Meanwhile, I'll configure my local test environment for IIS with TLS
>>> and see what happens.
>>
>> Confirmed. That is the issue and allowedRequestAttributesPattern=".*"
>> works around it.
>>
>> I need to debug further to find out exactly what the attributes are. I
>> expect we'll add them to the ones Tomcat accepts by default.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>
> Thanks Mark,
>
> So, to be clear, add
>
> allowedRequestAttributesPattern=".*"
>
> to the AJP Connector in server.xml IF you are using IIS as the
> Front-End, using the AJP Plugin and having SSL configured in IIS?

And also if you can convince yourself that nobody is going to make
malicious connections to your AJP port.

It looks like Mark found the set of attributes that need to be added to
the whitelist; if you look at those patches, you can put just those
items into the pattern (e.g. allowedRequestAttributesPattern="(CLIENT_CERT|...")
to be as safe as possible.
-chris
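The reply above recommends narrowing allowedRequestAttributesPattern to the attributes the ISAPI redirector actually sends rather than leaving the ".*" workaround in place, and only doing even that when nothing hostile can reach the AJP port. The following Python script is an added example, not code from this thread or from the Tomcat project: it audits the AJP <Connector> elements in a server.xml for the settings involved (secretRequired, secret, address, allowedRequestAttributesPattern, all of which are documented Tomcat connector attributes) and mirrors the accept/reject decision Tomcat makes for a request attribute it does not handle itself. Both server.xml fragments, the secret value, and the names inside the narrow pattern (CLIENT_CERT, CERT_SUBJECT) are constructed placeholders; the real allow-list for the redirector should be taken from the Tomcat patch the reply refers to.

```python
"""Audit Tomcat AJP <Connector> settings for the CVE-2020-1938 hardening.

Added example for this thread; not code from Tomcat or from any poster.
The connector attribute names (protocol, address, secretRequired, secret,
allowedRequestAttributesPattern) are the ones documented for Tomcat's AJP
connector; the findings, the sample server.xml fragments and the names in
the narrow pattern are this example's own.
"""
import re
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

# Constructed fragment: the blanket workaround from the thread, on a
# connector that is also reachable from any host and has no shared secret.
WORKAROUND_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="0.0.0.0" secretRequired="false"
               allowedRequestAttributesPattern=".*" />
  </Service>
</Server>"""

# Constructed fragment: the same connector bound to loopback, with a shared
# secret and an explicit allow-list. CLIENT_CERT and CERT_SUBJECT are
# placeholders (assumption); take the real list from the Tomcat patch.
HARDENED_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secretRequired="true"
               secret="replace-with-a-long-random-secret"
               allowedRequestAttributesPattern="(CLIENT_CERT|CERT_SUBJECT)" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# An attribute name no legitimate front end needs to forward; public
# CVE-2020-1938 write-ups describe it being injected over AJP. Used here
# only as a probe against the configured pattern.
PROBE_ATTRIBUTE = "javax.servlet.include.request_uri"


def attribute_decision(name: str, pattern: Optional[str]) -> str:
    """Decision for an AJP request attribute that Tomcat does not handle
    itself: accepted only when the whole name matches the configured
    pattern (Java Matcher.matches semantics, hence re.fullmatch), otherwise
    the request is rejected. With no pattern set nothing arbitrary passes."""
    if pattern is not None and re.fullmatch(pattern, name):
        return "accept"
    return "reject"


def ajp_connectors(server_xml: str) -> List[ET.Element]:
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]


def audit_connector(conn: ET.Element) -> List[str]:
    findings: List[str] = []
    if conn.get("secretRequired", "true").lower() == "false":
        findings.append("secretRequired=false: anything that reaches the "
                        "port may speak AJP without a shared secret")
    elif not conn.get("secret"):
        findings.append("secretRequired=true but no secret set: the "
                        "connector will not start until one is configured")
    address = conn.get("address")
    if address is None:
        findings.append("address not set: the default depends on the Tomcat "
                        "version; bind explicitly to the front end's address")
    elif address not in LOOPBACK:
        findings.append(f"address={address}: reachable from other hosts "
                        "unless the port is firewalled")
    pattern = conn.get("allowedRequestAttributesPattern")
    if pattern is not None and attribute_decision(PROBE_ATTRIBUTE, pattern) == "accept":
        findings.append(f"allowedRequestAttributesPattern={pattern!r} admits "
                        f"arbitrary attributes such as {PROBE_ATTRIBUTE}")
    return findings


def audit(server_xml: str) -> Dict[str, List[str]]:
    """Findings for every AJP connector in the file, keyed by port."""
    return {c.get("port", "?"): audit_connector(c)
            for c in ajp_connectors(server_xml)}


if __name__ == "__main__":
    for label, xml in (("workaround", WORKAROUND_XML), ("hardened", HARDENED_XML)):
        for port, findings in audit(xml).items():
            print(f"[{label}] AJP connector on port {port}: "
                  f"{len(findings)} finding(s)")
            for finding in findings:
                print("  -", finding)
```

Run against a real server.xml by passing its contents to audit(); the workaround fragment produces three findings (no secret, bound to all interfaces, pattern admits anything), the hardened one none. The probe check is the useful part: a pattern is only as narrow as the names it refuses, so test it with an attribute you never want a client to set rather than only with the ones the redirector needs.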