You'll want to set the protocols, ciphers, and honorCipherOrder attributes
on either the Connector or the SSLHostConfig objects in your server.xml
file to restrict the TLS/SSL protocols and ciphers available, to avoid
using weak ones.
See the documentation here for details:
I am trying to configure Tomcat 9.0.37 (or later if I need to) to use both
an RSA and an ECC certificate for the same host.
Platform is Windows 2008 R2, with the Tomcat Native 1.2.24 library
installed.
My configuration is roughly as follows:
The
y either.
Robert
On Wed, Dec 9, 2020 at 8:38 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
> Robert,
>
> On 12/9/20 17:54, Robert Turner wrote:
> > I am trying to configure Tomcat 9.0.37 (or later if I need to) to use
> both
> > an RSA and an ECC cer
broken).
Sorry about that.
Robert
On Wed, Dec 9, 2020 at 9:22 PM Robert Turner wrote:
> Thanks Chris for replying.
>
> I'm pretty sure I'm using the APR connector. Without double-checking how
> things are configured... the startup logs show:
>
> 09-Dec-2020 21:05
:56 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
> Robert,
>
> On 12/9/20 21:31, Robert Turner wrote:
> > Actually, one incorrect statement in my previous response. testssl.sh
> > didn't report the details of the certificate chain, only that it w
I would check permissions on the folders/files. The account running the
Windows service may not have permissions to execute the programs or maybe
access the directories. That's the first thing I would check. (Also check
Event Viewer for any related messages.)
On Fri, Jan 15, 2021 at 8:24 AM Igor
Have a look at https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html
. The documentation includes the recommendations made by your internal
security team, along with others.
You may also want to upgrade to 8.5.61 or 9.0.41 to pick up the latest
security updates for Tomcat. (latest versions
diate the findings or still we need to delete these files as
> suggested.
>
> Also, is this upgrade straightforward, or do we need to perform the same
> with any specific steps? Please suggest.
>
> I am from a Windows Administrator background and hence facing these
> challenges
It's saying port 80 is already in use. Make sure another process (like IIS)
isn't using the port already, or change your configuration to a different
port.
You can use 'netstat' (with options) to determine which process is using
the port already.
On Tue., Mar. 16, 2021, 07:36 , wrote:
> Dear
Your more recent exception log didn't include the "caused by" exception --
which is the actual failure details. Double-check that and make sure it's
the same issue.
Also, use netstat to confirm you aren't using the ports already. Changing
it may just find another conflict (although less likely).
If you look at the stack trace, it tells you what the problem is:
Caused by: java.lang.IllegalArgumentException: No SSLHostConfig
element was found with the hostName [_default_] to match the
defaultSSLHostConfigName for the connector [https-openssl-nio-8443]
So it no longer looks like you are
). As far as I can tell it's free to use as it's an MIT-style License.
And at least, one can get at the code and "fix" things if needed.
On Tue, Mar 16, 2021 at 4:19 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
> Robert,
>
> On 3/16/21 14:33, Rober
I suggest you have a read here:
https://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support
The documentation covers the details you need to correctly configure Tomcat
and SSL and links to a related page about SSL configuration.
Notice the line:
Each secure connector must define at
Chris,
I'm not sure if it will do what you want, but when sourcing Java-based SAML
libraries for our use as an SP, I too found that most of the libraries were
much larger and more complicated than I thought necessary. We went with the
(limited but simple to use) OneLogin libraries for our use
Have you tried enabling heap dumps on OOM exceptions (
https://docs.oracle.com/javase/8/docs/technotes/guides/troubleshoot/clopts001.html
; HeapDumpOnOutOfMemoryError) and then looking at the heap dump? It should
help you identify where the allocated heap is going to, and give you some
ideas of
> that the web application would be included in the container in production.
>
> If you do continue to use this approach in development, keep in mind that:
> - you may see issues like the original EL issue you reported
> - security testing may report false positives
>
> HTH,
>
>
On Thu, Mar 3, 2022 at 1:10 PM Berneburg, Cris J. - US
wrote:
> > Running Tomcat in a container via Docker Desktop on a Windows host
> > with the web application served from a location on the host mounted
> > /bound to the container is insecure.
>
> So the app resides on the "host" OS file
M Rob Sargent wrote:
>
>
> On 2/7/22 14:50, Robert Turner wrote:
> > All
> >
> > I'm hoping that someone can point me in the right direction as this issue
> > has been baffling me all day, and I'm starting to run out of ideas of
> what
> > to look at next.
All
I'm hoping that someone can point me in the right direction as this issue
has been baffling me all day, and I'm starting to run out of ideas of what
to look at next.
The logic below is working without issue until I move our test environment
into a Docker container. I'm using the same Tomcat
(build 11.0.13+8-LTS, mixed
mode)
JDK on Windows is:
openjdk 11.0.14 2022-01-18 LTS
OpenJDK Runtime Environment Corretto-11.0.14.9.1 (build 11.0.14+9-LTS)
OpenJDK 64-Bit Server VM Corretto-11.0.14.9.1 (build 11.0.14+9-LTS, mixed
mode)
JDK on Docker with AWS Linux 2 is:
openjdk 11.0.14 2022-01
a trivial application reproduction, along with docker layout,
and see if anyone else can reproduce... (assuming anyone else has time to
do that of course...)
Anyone got any suggestions of what to look into next?
On Mon, Feb 7, 2022 at 5:05 PM Rob Sargent wrote:
>
>
> On 2/7/22 14:50, Robert Tu
containing a class name will be
resolved against the static members of the class.
So, as to why it is different between the two environments, maybe it's as
Rob S suggested (a classpath issue of some sort) -- I will continue looking
in this direction
On Mon, Feb 7, 2022 at 5:07 PM Robert Turner
Neil,
I'm not actually trying to have the class loaded. I want it to return
"null" in the EL evaluation as though the attribute is missing.
The "problem" is that I'm seeing a different behaviour in one environment
than another, and it's proving difficult to track down why.
I'm still working on
ntext.setAttribute("failing", failing);
%>
Hello World!
field1=${failing.field1}
$ cat src/main/java/com/example/rt/Failing.java
package com.example.rt;
public class Failing {
private final String field1 = "field1_value";
public String getField1() {
return field1;
}
}
ng failing = null;
pageContext.setAttribute("failing", failing);
%>
Hello World!
field1=${failing.field1}
On Mon, Feb 7, 2022 at 10:14 PM Robert Turner wrote:
> So back to a divide and conquer approach I think.
>
> I just created a trivial "example" [1] and
led.
>
> - Which AMI you used to create the AWS instance. I'm using the AWS free
>tier so I used a t2.micro instance with
>amzn2-ami-kernel-5.10-hvm-2.0.20220121.0-x86_64-gp2
>
> Thanks,
>
> Mark
>
>
> On 08/02/2022 13:24, Robert Turner wrote:
> >
a debugger up on the Expression Resolvers, you will at least narrow it down
quickly...)
On Tue, Feb 8, 2022 at 7:55 AM Robert Turner wrote:
> Thanks Mark. Much appreciated.
>
> On Tue., Feb. 8, 2022, 04:06 Mark Thomas, wrote:
>
>> Robert,
>>
>> Thank yo
t in the expect
page being displayed (and no exception).
Robert
On Tue, Feb 8, 2022 at 9:39 AM Robert Turner wrote:
> Mark,
>
> Thanks for the quick follow up.
>
> Based on your comments I have some ideas on what it might be, and I should
> be able to narrow that down furth
expect consistent
> behaviour across platforms irrespective of the case sensitivity of the
> file system in use.
>
> I'm going to use your test case to investigate this further. I'll report
> back here with my findings - hopefully later today.
>
> Mark
>
>
> On 08/02/2022
; Just a note:
>
> On 2/8/2022 8:32 AM, Rob Sargent wrote:
> >
> >
> > On 2/8/22 08:11, Robert Turner wrote:
> >> Okay. Yep, my most recent suspicion was correct -- it's related to the
> >> Docker bind to a local folder containing the webapps. As such, I belie
I think you need to use an ARM-based JVM -- IIRC, you will need Corretto
JDK 18 I think, otherwise it will be running in emulation.
On Tue, Apr 5, 2022 at 1:56 PM Paquin, Brian wrote:
> After compiling Tomcat Native (that comes with Tomcat 9.0.62, version
> 1.2.32) on a (ARM) M1 Mac (with
with server
> version in responses), though the remediation listed here is from looong
> time ago, when there was no ErrorReportValve to purge the version info.
>
> So the CIS Tomcat 8(!) Guide is pretty outdated! Probably in more than
> this spot...
>
> Peter
>
> > Am 05.09.20
While I think I know the answer to my question, I wanted to double-check
with the group to confirm.
I have been asked to perform the CIS Apache Tomcat 8 Benchmark (v1.1.0) on
our production Tomcat installation, and I am looking through the questions
/ information extraction requests, and I
e of
> options as set out in the Tomcat 8.5 security guide. That guide also
> provides the correct way to override the version number (if you really
> need to) without editing the JAR contents. In short, you can simply
> override the individual file by placing at the right place in the fi
You can try adding:
-XX:+HeapDumpOnOutOfMemoryError
-XX:HeapDumpPath=C:\HeapDump\java_pid.hprof
to the Java options (in "Configure Tomcat") to capture heap dumps on out of
memory errors (adjust path to suit your configuration)
Robert
On Wed, Aug 23, 2023 at 1:03 PM Daniel Savard
wrote:
> Hi
My 2 cents:
I think that it would be a very strange change to make to a generic product
and a "sample" configuration file. If Tomcat was packaged in a
distribution, that might be a more reasonable suggestion. I don't think
Tomcat is insecure because of this; binding to addresses/ports is a key
You can run an aarch64 version of the Java runtime (various distributions
exist) and run Tomcat on that -- it works well. No specific version of
Tomcat is required as it is a Java package.
On Mon, Jan 16, 2023 at 3:38 PM m...@cvkimball.com
wrote:
>
> I'd like to run Tomcat on one of the new Apple
I believe the default certificate alias used by Tomcat is "tomcat". I think
you are creating your keystore with the alias "root".
(see https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html for docs on
Tomcat SSL configuration -- adjust for the version you are running)
On Mon, Mar 20, 2023 at
helpful than I...sorry.
On Mon, Mar 20, 2023 at 9:14 PM Robert Turner wrote:
> I believe the default certificate alias used by Tomcat is "tomcat". I
> think you are creating your keystore with the alias "root".
>
> (see https://tomcat.apache.org/tomcat-9.0-doc/ssl
What about the standard / provided Tomcat Manager application?
https://tomcat.apache.org/tomcat-9.0-doc/manager-howto.html
On Fri, Jul 7, 2023 at 9:26 AM Graham Leggett
wrote:
> Hi all,
>
> Is there an application out there that will provide, at / (or a path of
> your choosing), a list of
of Java I should use?
>
> Thanks,
>
> Lance
>
> -Original Message-
> From: Robert Turner
> Sent: Tuesday, November 21, 2023 2:36 PM
> To: Tomcat Users List
> Subject: Re: Issue Migrating servlets to 10.1
>
> Tomcat 10.x and higher require Jakarta namesp
Tomcat 10.x and higher require Jakarta namespace versions of the Servlet
specifications.
Tomcat 9.x is the last Tomcat to support javax.servlet namespaces.
Refer to the Which Version page for Tomcat for details:
https://tomcat.apache.org/whichversion.html
On Tue, Nov 21, 2023 at 3:30 PM Campbell,
Chris,
I think maybe Mark answered a similar question a while back indicating the
only supported method within the Servlet API was custom session tracking. I
could be remembering incorrectly. That's what we do however, because
without "snooping" into the Tomcat internals, I don't think there was
We receive the sessionWillPassivate and sessionDidActivate callbacks on
startup. Odd that you are not. That's how we achieve the same.
On Thu, Mar 21, 2024 at 3:25 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
> All,
>
> After having written a solution using JMX to do something
r a way to query the sessions from the app, but as we
know, that's not part of the current Servlet specification, or any
extensions Tomcat currently provides.
Robert
On Thu, Mar 21, 2024 at 3:31 PM Robert Turner wrote:
> We receive the sessionWillPassivate and sessionDidActivate callbacks on
>
It's also possible you may need to support the "Range" HTTP header for
fetching parts of the audio file for playback. IIRC, we had to do that to
support the HTML 5 audio control properly.
On Mon, Mar 11, 2024 at 9:15 AM Joey Cochran wrote:
> Thanks for replying!!
>
> Yes audio files are
AFAIK, there is nothing in Tomcat for SMTP. This would be part of the
application you are running typically. It's possible (but not guaranteed)
that the web application is using the standard Java libraries for SMTP, and
as such, you may (but again not guaranteed) be able to configure some of
the
>
> I had issues in the past connecting to a mail server using TLS and solved them
> by upgrading the web application library from mail-1.4.jar to
> javax.mail-1.6.2.jar
>
> Il 11/03/2024 17:
On Fri, Mar 22, 2024 at 9:28 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:
> Robert,
>
> On 3/21/24 15:31, Robert Turner wrote:
> > We receive the sessionWillPassivate and sessionDidActivate callbacks
> > on startup. Odd that you are not. That's how we
istopherschultz.net> wrote:
> All,
>
> On 3/22/24 09:59, Christopher Schultz wrote:
> > All,
> >
> > On 3/22/24 09:33, Robert Turner wrote:
> >> On Fri, Mar 22, 2024 at 9:28 AM Christopher Schultz <
> >> ch...@christopherschultz.net> wrote:
>