urgent problems with tomcat release 8.5.4

2017-12-21 Thread CYAG (Johnny Chao Yang)
Hello team,


Since Tomcat 8.0 is close to its support deadline, we are going to
upgrade our Tomcat version from 8.0 to 8.5.4. The Apache Tomcat official website
announced that support for 8.5.x will not stop so far, but the support period decides
which Tomcat version is better for us to choose, and it really affects our IT
infrastructure, so could we know approximately how long Apache will keep
supporting Tomcat release 8.5.x?


Your help is very much appreciated, and I look forward to hearing your feedback. :)


Johnny Yang
Middleware & Batch team
E-mail : c...@nnit.com



Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-21 Thread George S.

On 12/21/2017 3:24 PM, Thomas Delaney wrote:

Thank you for the input so far!

I have used both Java versions, jdk1.7.0_79 and jdk1.8.0_152, and still
receive the same result.

When running the openssl s_client command I received this as the cipher and
SSL version:
Protocol  : TLSv1.2
Cipher: DHE-RSA-AES256-GCM-SHA384

I also get a message saying "verify error:num=20:unable to get local
issuer certificate"
"Verify return code: 20 (unable to get local issuer certificate)"


I second Chris Schultz's recommendation that you run the site through 
the SSL Labs testing site and see what it points out. It's going to 
check a lot more things right off the bat and display them in an easier 
format:


https://www.ssllabs.com/ssltest/





On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:



Peter,

On 12/21/17 2:38 AM, l...@kreuser.name wrote:

Hi Thomas,


On 21.12.2017 at 00:56, Thomas Delaney wrote:

Greetings,

I am having trouble regarding google chrome's behavior to Apache
Tomcat's SSL setup. I have been successful getting an ssl website
to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
on google chrome. Mozilla Firefox brings me to my site with no
problem.

When going to https://mydomain.com:8443 I receive a message from
Google Chrome.

Google Chrome Error - This site can’t provide a secure
connection mydomain.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol The client and server don't support a common
SSL protocol version or cipher suite.

When checking Google Chrome's Browser console in the security tab
I receive: Page is not secure Valid certificate secure resources

Here is the following background info I have for the
configuration I gave Apache Tomcat when setting up the 8443
connector

Chrome Version 63.0.3239.108 (Official Build) (64-bit)

Linux OS: SUSE Enterprise 12 sp1

Packages installed:

- OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79

That may be the culprit.

Apparently this (old) version of Java 7 does not provide by default the
modern ciphers that Chrome requires. And the config is using the JSSE
SSL implementation. But as you have TC Native and OpenSSL 1.0.2 you
should switch to OpenSSL.

This probably isn't the problem since Thomas is using the APR
connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
not relevant.


- tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
tomcat-native-1.2.16-src

Server.xml apr connector (Certificates are signed from GoDaddy
and are placed in the conf directory of Apache Tomcat):

  
 

This looks okay to me. If you start Tomcat and then use "openssl
s_client -connect host:port", does openssl connect? It should
report the protocol and cipher suite being used to connect.

If your server is externally-accessible, consider using an external TLS
capabilities scanner such as that from Qualys,
https://www.ssllabs.com/ssltest/

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




--
George S.
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com


Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-21 Thread Jason Hall

- Original Message -
From: Thomas Delaney 
To: Tomcat Users List 
Sent: Thu, 21 Dec 2017 17:24:06 -0500 (EST)
Subject: Re: Apache Tomcat 8.5.24 SSL Configuration

Thank you for the input so far!

I have used both Java versions, jdk1.7.0_79 and jdk1.8.0_152, and still
receive the same result.

When running the openssl s_client command I received this as the cipher and
SSL version:
Protocol  : TLSv1.2
Cipher: DHE-RSA-AES256-GCM-SHA384

I also get a message saying "verify error:num=20:unable to get local
issuer certificate"
"Verify return code: 20 (unable to get local issuer certificate)"

On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Peter,
>
> On 12/21/17 2:38 AM, l...@kreuser.name wrote:
> >
> > Hi Thomas,
> >
> >> On 21.12.2017 at 00:56, Thomas Delaney wrote:
> >>
> >> Greetings,
> >>
> >> I am having trouble regarding google chrome's behavior to Apache
> >> Tomcat's SSL setup. I have been successful getting an ssl website
> >> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
> >> on google chrome. Mozilla Firefox brings me to my site with no
> >> problem.
> >>
> >> When going to https://mydomain.com:8443 I receive a message from
> >> Google Chrome.
> >>
> >> Google Chrome Error - This site can’t provide a secure
> >> connection mydomain.com uses an unsupported protocol.
> >> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> >>
> >> Unsupported protocol The client and server don't support a common
> >> SSL protocol version or cipher suite.
> >>
> >> When checking Google Chrome's Browser console in the security tab
> >> I receive: Page is not secure Valid certificate secure resources
> >>
> >> Here is the following background info I have for the
> >> configuration I gave Apache Tomcat when setting up the 8443
> >> connector
> >>
> >> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
> >>
> >> Linux OS: SUSE Enterprise 12 sp1
> >>
> >> Packages installed:
> >>
> >> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
> >
> > That may be the culprit.
> >
> > Apparently this (old) version of Java 7 does not provide by default the
> > modern ciphers that Chrome requires. And the config is using the JSSE
> > SSL implementation. But as you have TC Native and OpenSSL 1.0.2 you
> > should switch to OpenSSL.
>
> This probably isn't the problem since Thomas is using the APR
> connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
> not relevant.
>
> >> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
> >> tomcat-native-1.2.16-src
> >>
> >> Server.xml apr connector (Certificates are signed from GoDaddy
> >> and are placed in the conf directory of Apache Tomcat):
> >>
> >> <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
> >>            maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="mydomain.com" >
> >>   <SSLHostConfig hostName="mydomain.com" protocols="TLSv1,TLSv1.1,TLSv1.2">
> >>     <Certificate certificateKeyFile="conf/server.key"
> >>                  certificateFile="conf/server.crt"
> >>                  certificateChainFile="conf/CA_server_bundle.crt" type="RSA" />
> >>   </SSLHostConfig>
> >> </Connector>
>
> This looks okay to me. If you start Tomcat and then use "openssl
> s_client -connect host:port", does openssl connect? It should
> report the protocol and cipher suite being used to connect.
>
> If your server is externally-accessible, consider using an external TLS
> capabilities scanner such as that from Qualys,
> https://www.ssllabs.com/ssltest/
>
> -chris

Just a guess, but does the whole chain need to be loaded?


Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-21 Thread Thomas Delaney
Thank you for the input so far!

I have used both Java versions, jdk1.7.0_79 and jdk1.8.0_152, and still
receive the same result.

When running the openssl s_client command I received this as the cipher and
SSL version:
Protocol  : TLSv1.2
Cipher: DHE-RSA-AES256-GCM-SHA384

I also get a message saying "verify error:num=20:unable to get local
issuer certificate"
"Verify return code: 20 (unable to get local issuer certificate)"

On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Peter,
>
> On 12/21/17 2:38 AM, l...@kreuser.name wrote:
> >
> > Hi Thomas,
> >
> >> On 21.12.2017 at 00:56, Thomas Delaney wrote:
> >>
> >> Greetings,
> >>
> >> I am having trouble regarding google chrome's behavior to Apache
> >> Tomcat's SSL setup. I have been successful getting an ssl website
> >> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
> >> on google chrome. Mozilla Firefox brings me to my site with no
> >> problem.
> >>
> >> When going to https://mydomain.com:8443 I receive a message from
> >> Google Chrome.
> >>
> >> Google Chrome Error - This site can’t provide a secure
> >> connection mydomain.com uses an unsupported protocol.
> >> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> >>
> >> Unsupported protocol The client and server don't support a common
> >> SSL protocol version or cipher suite.
> >>
> >> When checking Google Chrome's Browser console in the security tab
> >> I receive: Page is not secure Valid certificate secure resources
> >>
> >> Here is the following background info I have for the
> >> configuration I gave Apache Tomcat when setting up the 8443
> >> connector
> >>
> >> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
> >>
> >> Linux OS: SUSE Enterprise 12 sp1
> >>
> >> Packages installed:
> >>
> >> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
> >
> > That may be the culprit.
> >
> > Apparently this (old) version of Java 7 does not provide by default the
> > modern ciphers that Chrome requires. And the config is using the JSSE
> > SSL implementation. But as you have TC Native and OpenSSL 1.0.2 you
> > should switch to OpenSSL.
>
> This probably isn't the problem since Thomas is using the APR
> connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
> not relevant.
>
> >> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
> >> tomcat-native-1.2.16-src
> >>
> >> Server.xml apr connector (Certificates are signed from GoDaddy
> >> and are placed in the conf directory of Apache Tomcat):
> >>
> >> <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
> >>            maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="mydomain.com" >
> >>   <SSLHostConfig hostName="mydomain.com" protocols="TLSv1,TLSv1.1,TLSv1.2">
> >>     <Certificate certificateKeyFile="conf/server.key"
> >>                  certificateFile="conf/server.crt"
> >>                  certificateChainFile="conf/CA_server_bundle.crt" type="RSA" />
> >>   </SSLHostConfig>
> >> </Connector>
>
> This looks okay to me. If you start Tomcat and then use "openssl
> s_client -connect host:port", does openssl connect? It should
> report the protocol and cipher suite being used to connect.
>
> If your server is externally-accessible, consider using an external TLS
> capabilities scanner such as that from Qualys,
> https://www.ssllabs.com/ssltest/
>
> -chris
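The transcript Thomas posted above (TLSv1.2, DHE-RSA-AES256-GCM-SHA384, verify return code 20) leaves two things to act on even though the thread does not settle why Chrome fails where Firefox and openssl succeed. The script below is an added example by the editor, not code from any poster or from the Tomcat project: it runs the openssl s_client probe Chris suggested (with -servername so the SSLHostConfig named in defaultSSLHostConfigName answers, and -showcerts so every certificate the server sends is printed) and reduces the transcript to a list of findings. A verify code of 20 with a single certificate in the chain means the intermediate in certificateChainFile is not reaching the client, which is what Jason's guess points at; a DHE key exchange is flagged because Chrome removed DHE cipher suites in 2016 while Firefox kept them, so a server that can only negotiate DHE would produce the ERR_SSL_VERSION_OR_CIPHER_MISMATCH split described at the top of the thread. SAMPLE_TRANSCRIPT is constructed to mirror Thomas's output so the script runs offline; host and port are supplied by the caller (mydomain.com:8443 in the thread) and openssl(1) is assumed to be on PATH for a live probe.

```python
"""Summarise an "openssl s_client" handshake and flag what the thread shows.

Added example (editor's code, not from the thread). Assumptions: openssl(1)
is on PATH for a live probe; host and port are supplied by the caller.
"""
import re
import subprocess

# Constructed stand-in for Thomas's transcript: one leaf certificate, no
# intermediate, DHE suite, verify code 20. Not real certificate data.
SAMPLE_TRANSCRIPT = """\
CONNECTED(00000003)
depth=0 CN = mydomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/CN=mydomain.com
   i:/O=GoDaddy.com, Inc./CN=(intermediate CA)
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
"""


def probe(host, port=8443):
    """Run the probe Chris suggested. -servername sends SNI so the
    SSLHostConfig named by defaultSSLHostConfigName answers; -showcerts
    prints every certificate the server sent, not just the leaf."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-showcerts"]
    return subprocess.run(cmd, input="", capture_output=True, text=True).stdout


def summarize(transcript):
    """Pull protocol, cipher, verify code and chain length out of a transcript."""
    def field(pattern):
        m = re.search(pattern, transcript, re.M)
        return m.group(1) if m else None

    code = field(r"^[ \t]*Verify return code:[ \t]*(\d+)")
    return {
        "protocol": field(r"^[ \t]*Protocol[ \t]*:[ \t]*(\S+)"),
        "cipher": field(r"^[ \t]*Cipher[ \t]*:[ \t]*(\S+)"),
        "verify_code": int(code) if code is not None else None,
        # meaningful only for a -showcerts transcript
        "certs_sent": transcript.count("-----BEGIN CERTIFICATE-----"),
    }


def diagnose(summary):
    """Return findings worth acting on; an empty list means nothing to flag."""
    if summary["protocol"] is None:
        return ["no handshake transcript: connection refused or handshake failed"]
    findings = []
    if summary["verify_code"] != 0:
        msg = (f"verify return code {summary['verify_code']}: openssl could not "
               f"build a trusted chain")
        if summary["certs_sent"] <= 1:
            msg += ("; only the leaf was served, so the intermediate in "
                    "certificateChainFile is not reaching clients")
        findings.append(msg)
    cipher = summary["cipher"] or ""
    kx = cipher.split("-")[0]
    if not cipher:
        findings.append("no cipher suite reported")
    elif cipher.startswith("TLS_"):   # TLS 1.3 names: key exchange is always ephemeral (EC)DH
        pass
    elif kx in ("DHE", "EDH"):
        findings.append(f"{cipher} uses finite-field DH; Chrome dropped DHE "
                        f"suites in 2016, so make sure ECDHE suites are offered")
    elif kx != "ECDHE":
        findings.append(f"{cipher} has no forward-secret key exchange")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        text = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 8443)
    else:
        text = SAMPLE_TRANSCRIPT
    result = summarize(text)
    print(result)
    for finding in diagnose(result) or ["nothing to flag"]:
        print(" -", finding)
```

Run it with no arguments to see the verdict on the constructed sample, or with `host port` to probe a live connector. If the live run shows an ECDHE suite and verify code 0 with two or more certificates, the TLS side is fine and the Chrome problem lies elsewhere.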


Re: getting "BindException: permission denied" exception when trying to change port 8080 to 8090

2017-12-21 Thread Coty Sutherland
On Thu, Dec 21, 2017 at 2:45 PM, Alceu R. de Freitas Jr.
 wrote:
>  Hello Christopher,
> I have never seen something like that either. I also searched on Google; all occurrences 
> were with people trying to run Tomcat on privileged ports (<1024).
> Here is a quick test, with port 9090:
>
> [root@localhost ~]# systemctl stop tomcat
> [root@localhost ~]# rm -f /var/log/tomcat/*
> [root@localhost ~]# vi /etc/tomcat/server.xml
> [root@localhost ~]# grep -A 2 'Connector port="9090"' /etc/tomcat/server.xml
> connectionTimeout="2"
>redirectPort="8443" />
> [root@localhost ~]# systemctl start tomcat
> [root@localhost ~]# systemctl status tomcat
> ● tomcat.service - Apache Tomcat Web Application Container
>Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor 
> preset: disabled)
>Active: active (running) since Thu 2017-12-21 17:39:57 -02; 6s ago
>  Main PID: 4385 (java)
>CGroup: /system.slice/tomcat.service
>└─4385 /usr/lib/jvm/jre/bin/java -classpath 
> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-da...
>
> Dec 21 17:40:03 localhost.localdomain server[4385]: Dec 21, 2017 5:40:03 PM 
> org.apache.catalina.startup.HostConfig deployDirectory
> Dec 21 17:40:03 localhost.localdomain server[4385]: INFO: Deployment 
> of web application directory /var/lib/tomcat/webapps/manager has finish… in 
> 498 ms
> Dec 21 17:40:03 localhost.localdomain server[4385]: Dec 21, 2017 5:40:03 PM 
> org.apache.catalina.startup.HostConfig deployDirectory
> Dec 21 17:40:03 localhost.localdomain server[4385]: INFO: Deploying 
> web application directory /var/lib/tomcat/webapps/ROOT
> Dec 21 17:40:03 localhost.localdomain server[4385]: Dec 21, 2017 5:40:03 PM 
> org.apache.catalina.startup.TldConfig execute
> Dec 21 17:40:03 localhost.localdomain server[4385]: INFO: At least one 
> JAR was scanned for TLDs yet contained no TLDs. Enable debug logging …tion 
> time.
> Dec 21 17:40:03 localhost.localdomain server[4385]: Dec 21, 2017 5:40:03 PM 
> org.apache.catalina.startup.HostConfig deployDirectory
> Dec 21 17:40:03 localhost.localdomain server[4385]: INFO: Deployment 
> of web application directory /var/lib/tomcat/webapps/ROOT has finished in 534 
> ms
> Dec 21 17:40:03 localhost.localdomain server[4385]: Dec 21, 2017 5:40:03 PM 
> org.apache.catalina.startup.HostConfig deployDirectory
> Dec 21 17:40:03 localhost.localdomain server[4385]: INFO: Deploying 
> web application directory /var/lib/tomcat/webapps/examples
> Hint: Some lines were ellipsized, use -l to show in full.
> [root@localhost ~]# less /var/log/tomcat/catalina.2017-12-21.log
> SEVERE: Failed to initialize end point associated with ProtocolHandler 
> ["http-bio-9090"]
> java.net.BindException: Permission denied (Bind failed) :9090
> at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:413)
> at 
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:715)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:452)
> at 
> org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
> at 
> org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> at 
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:560)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> at 
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:840)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:642)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:667)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:253)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:427)
> Caused by: java.net.BindException: Permission denied (Bind failed)
> at java.net.PlainSocketImpl.socketBind(Native Method)
> at 
> java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:387)
> at java.net.ServerSocket.bind(ServerSocket.java:375)
> at java.net.ServerSocket.(ServerSocket.java:237)
> at java.net.ServerSocket.(ServerSocket.java:181)
> at 
> org.apache.tomcat.util.net.DefaultServerSocketFactory.createSocket(DefaultServerSocketFactory.java:49)
> at 

Re: getting "BindException: permission denied" exception when trying to change port 8080 to 8090

2017-12-21 Thread Alceu R. de Freitas Jr.
 Hello Christopher,
I have never seen something like that either. I also searched on Google; all occurrences 
were with people trying to run Tomcat on privileged ports (<1024).
Here is a quick test, with port 9090:

[root@localhost ~]# systemctl stop tomcat
[root@localhost ~]# rm -f /var/log/tomcat/*
[root@localhost ~]# vi /etc/tomcat/server.xml 
[root@localhost ~]# grep -A 2 'Connector port="9090"' /etc/tomcat/server.xml 
    
[root@localhost ~]# systemctl start tomcat
[root@localhost ~]# systemctl status tomcat
● tomcat.service - Apache Tomcat Web Application Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor 
preset: disabled)
   Active: active (running) since Thu 2017-12-21 17:39:57 -02; 6s ago
 Main PID: 4385 (java)
   CGroup: /system.slice/tomcat.service
   └─4385 /usr/lib/jvm/jre/bin/java -classpath 
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-da...

Dec 21 17:40:03 localhost.localdomain server[4385]: Dec 21, 2017 5:40:03 PM 
org.apache.catalina.startup.HostConfig deployDirectory
Dec 21 17:40:03 localhost.localdomain server[4385]: INFO: Deployment of 
web application directory /var/lib/tomcat/webapps/manager has finish… in 498 ms
Dec 21 17:40:03 localhost.localdomain server[4385]: Dec 21, 2017 5:40:03 PM 
org.apache.catalina.startup.HostConfig deployDirectory
Dec 21 17:40:03 localhost.localdomain server[4385]: INFO: Deploying web 
application directory /var/lib/tomcat/webapps/ROOT
Dec 21 17:40:03 localhost.localdomain server[4385]: Dec 21, 2017 5:40:03 PM 
org.apache.catalina.startup.TldConfig execute
Dec 21 17:40:03 localhost.localdomain server[4385]: INFO: At least one 
JAR was scanned for TLDs yet contained no TLDs. Enable debug logging …tion time.
Dec 21 17:40:03 localhost.localdomain server[4385]: Dec 21, 2017 5:40:03 PM 
org.apache.catalina.startup.HostConfig deployDirectory
Dec 21 17:40:03 localhost.localdomain server[4385]: INFO: Deployment of 
web application directory /var/lib/tomcat/webapps/ROOT has finished in 534 ms
Dec 21 17:40:03 localhost.localdomain server[4385]: Dec 21, 2017 5:40:03 PM 
org.apache.catalina.startup.HostConfig deployDirectory
Dec 21 17:40:03 localhost.localdomain server[4385]: INFO: Deploying web 
application directory /var/lib/tomcat/webapps/examples
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]# less /var/log/tomcat/catalina.2017-12-21.log
SEVERE: Failed to initialize end point associated with ProtocolHandler 
["http-bio-9090"]
java.net.BindException: Permission denied (Bind failed) :9090
    at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:413)
    at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:715)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:452)
    at 
org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
    at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:560)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:840)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:642)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:667)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:253)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:427)
Caused by: java.net.BindException: Permission denied (Bind failed)
    at java.net.PlainSocketImpl.socketBind(Native Method)
    at 
java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:387)
    at java.net.ServerSocket.bind(ServerSocket.java:375)
    at java.net.ServerSocket.(ServerSocket.java:237)
    at java.net.ServerSocket.(ServerSocket.java:181)
    at 
org.apache.tomcat.util.net.DefaultServerSocketFactory.createSocket(DefaultServerSocketFactory.java:49)
    at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:400)
    ... 17 more
Dec 21, 2017 5:40:00 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-9090]]
org.apache.catalina.LifecycleException: Failed to initialize component 
[Connector[HTTP/1.1-9090]]
    at 
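Alceu's test above shows the same refusal on 9090 as on 8090, from a root-started systemd service, while Jenkins can take 8090 without complaint. One cause worth ruling out on CentOS 7 that nobody in the thread mentions is SELinux port labelling: the CentOS tomcat package runs confined as tomcat_t, and a confined domain may bind only to ports carrying a label its policy grants name_bind on; the kernel answers any other bind with EACCES, which Java surfaces as "BindException: Permission denied" regardless of the port number, while an unconfined process such as Jenkins is not checked. The script below is an added example by the editor, not from the thread or from the Tomcat project. It reads "semanage port -l" to find the label on a port and prints the relabel command; SAMPLE_SEMANAGE_PORTS is a constructed excerpt in the format of CentOS 7 output so the script runs where the SELinux tools are absent, and WEB_PORT_TYPES is an assumption about the stock targeted policy that the live path double-checks with setools' sesearch. Confirm the diagnosis first with "ausearch -m AVC -ts recent", which should show tomcat_t denied name_bind on a tcp_socket.

```python
"""Check whether SELinux port labelling explains a Tomcat bind failure.

Added example (editor's code, not from the thread). Assumptions: CentOS 7
targeted policy, Tomcat confined as tomcat_t, semanage/sesearch present for
the live path; otherwise the constructed sample below is used.
"""
import shutil
import subprocess

# Constructed excerpt in the format of "semanage port -l" on CentOS 7; the
# real listing is much longer. Neither 8090 nor 9090 has a web label.
SAMPLE_SEMANAGE_PORTS = """\
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      61001-65535, 1024-32767
websm_port_t                   tcp      9090
websm_port_t                   udp      9090
"""

# Labels the stock tomcat policy lets tomcat_t name_bind to (assumption;
# domain_may_bind() asks the loaded policy when sesearch is available).
WEB_PORT_TYPES = {"http_port_t", "http_cache_port_t"}


def parse_port_list(text):
    """[(type, proto, lo, hi), ...] from semanage port -l output."""
    rows = []
    for line in text.splitlines():
        fields = line.split(None, 2)
        if len(fields) != 3 or fields[1] not in ("tcp", "udp"):
            continue            # header, blank, or malformed line
        ptype, proto, ports = fields
        for item in ports.split(","):
            lo, _, hi = item.strip().partition("-")
            rows.append((ptype, proto, int(lo), int(hi or lo)))
    return rows


def port_label(rows, port, proto="tcp"):
    """Type that applies to PORT. The narrowest matching entry wins, which
    mirrors the policy putting single-port entries ahead of catch-all ranges
    such as unreserved_port_t. None when no entry covers the port."""
    best = None
    for ptype, p, lo, hi in rows:
        if p == proto and lo <= port <= hi and (best is None or hi - lo < best[1]):
            best = (ptype, hi - lo)
    return best[0] if best else None


def diagnose_bind(rows, port, domain="tomcat_t"):
    """(label, explanation, fix-command-or-None) for a bind on tcp/PORT."""
    label = port_label(rows, port)
    if label in WEB_PORT_TYPES:
        return (label, f"tcp/{port} is {label}; {domain} may bind it, so look "
                       f"elsewhere (ausearch -m AVC -ts recent, effective user, "
                       f"port already in use)", None)
    if label in (None, "unreserved_port_t"):
        return (label, f"tcp/{port} has no web label, so {domain} is refused "
                       f"name_bind with EACCES (\"Permission denied\")",
                f"semanage port -a -t http_port_t -p tcp {port}")
    # a port already owned by another specific type needs -m (modify); -a fails
    return (label, f"tcp/{port} is reserved for {label}, which {domain} may not bind",
            f"semanage port -m -t http_port_t -p tcp {port}")


def live_port_list():
    """Real semanage output when available, else the constructed sample."""
    if shutil.which("semanage"):
        return subprocess.run(["semanage", "port", "-l"], capture_output=True,
                              text=True, check=True).stdout
    return SAMPLE_SEMANAGE_PORTS


def domain_may_bind(domain, label):
    """Ask the loaded policy (setools sesearch) whether DOMAIN holds
    name_bind on LABEL; None when sesearch is not installed."""
    if not shutil.which("sesearch"):
        return None
    out = subprocess.run(["sesearch", "--allow", "-s", domain, "-t", label,
                          "-c", "tcp_socket", "-p", "name_bind"],
                         capture_output=True, text=True).stdout
    return "name_bind" in out


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8090
    rows = parse_port_list(live_port_list())
    label, why, fix = diagnose_bind(rows, port)
    print(why)
    if label and domain_may_bind("tomcat_t", label) is False:
        print(f"policy confirms: tomcat_t has no name_bind on {label}")
    if fix:
        print("fix:", fix, "(then restart tomcat)")
```

With the tools present, run it as root with the port as argument. "-a" adds a new mapping; "-m" is needed when the port already belongs to another specific type (as 9090 does to websm_port_t), because semanage refuses to add a duplicate definition.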

Re: getting "BindException: permission denied" exception when trying to change port 8080 to 8090

2017-12-21 Thread Christopher Schultz

Alceu,

On 12/21/17 1:36 PM, Alceu R. de Freitas Jr. wrote:
> Hello folks, I'm new to this list, and to Tomcat as well. I was
> trying to get Jenkins and Tomcat running on the same VM that I have
> (with CentOS 7), but I'm struggling with a small issue. Since I
> already had Jenkins running on port number 8080, I decided to
> change Tomcat to listen to 8090 by editing /etc/tomcat/server.xml,
> in the following line:  connectionTimeout="2" redirectPort="8443" />
> 
> And the change:  connectionTimeout="2" redirectPort="8443" />
> 
> As soon as I started, I got "BindException: permission denied"
> exception on the catalina log file. If I stop Jenkins daemon and
> change it back to 8080, it works as expected. I even tried to put
> port number "1", but results were the same. I checked out ports
> in use with netstat, firewall configuration... I got nothing. Since
> I was able to change Jenkins to run on 8090, I'm clueless what is
> happening over there. It seems CentOS is happy letting applications
> to bind to 8080 and 8090, so I'm quite curious why things are not
> working with Tomcat...

I've never seen "BindException: permission denied" when the port
number is above 1024. Are you sure it's the connector port (e.g. 8090)
it's complaining about?

When you try your "other applications" test, are you sure you are
running as the same effective user as the Tomcat process?

-chris




Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-21 Thread Christopher Schultz

Peter,

On 12/21/17 2:38 AM, l...@kreuser.name wrote:
> 
> Hi Thomas,
> 
>> On 21.12.2017 at 00:56, Thomas Delaney wrote:
>> 
>> Greetings,
>> 
>> I am having trouble regarding google chrome's behavior to Apache
>> Tomcat's SSL setup. I have been successful getting an ssl website
>> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
>> on google chrome. Mozilla Firefox brings me to my site with no
>> problem.
>> 
>> When going to https://mydomain.com:8443 I receive a message from
>> Google Chrome.
>> 
>> Google Chrome Error - This site can’t provide a secure
>> connection mydomain.com uses an unsupported protocol. 
>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>> 
>> Unsupported protocol The client and server don't support a common
>> SSL protocol version or cipher suite.
>> 
>> When checking Google Chrome's Browser console in the security tab
>> I receive: Page is not secure Valid certificate secure resources
>> 
>> Here is the following background info I have for the
>> configuration I gave Apache Tomcat when setting up the 8443
>> connector
>> 
>> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
>> 
>> Linux OS: SUSE Enterprise 12 sp1
>> 
>> Packages installed:
>> 
>> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
> 
> That may be the culprit.
> 
> Apparently this (old) version of Java 7 does not provide by default the
> modern ciphers that Chrome requires. And the config is using the JSSE
> SSL implementation. But as you have TC Native and OpenSSL 1.0.2 you
> should switch to OpenSSL.

This probably isn't the problem since Thomas is using the APR
connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
not relevant.

>> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
>> tomcat-native-1.2.16-src
>> 
>> Server.xml apr connector (Certificates are signed from GoDaddy
>> and are placed in the conf directory of Apache Tomcat):
>> 
>> <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>            maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="mydomain.com" >
>>   <SSLHostConfig hostName="mydomain.com" protocols="TLSv1,TLSv1.1,TLSv1.2">
>>     <Certificate certificateKeyFile="conf/server.key"
>>                  certificateFile="conf/server.crt"
>>                  certificateChainFile="conf/CA_server_bundle.crt" type="RSA" />
>>   </SSLHostConfig>
>> </Connector>

This looks okay to me. If you start Tomcat and then use "openssl
s_client -connect host:port", does openssl connect? It should
report the protocol and cipher suite being used to connect.

If your server is externally-accessible, consider using an external TLS
capabilities scanner such as that from Qualys,
https://www.ssllabs.com/ssltest/

-chris




getting "BindException: permission denied" exception when trying to change port 8080 to 8090

2017-12-21 Thread Alceu R. de Freitas Jr.
Hello folks,
I'm new to this list, and to Tomcat as well.
I was trying to get Jenkins and Tomcat running on the same VM that I have (with 
CentOS 7), but I'm struggling with a small issue.
Since I already had Jenkins running on port number 8080, I decided to change 
Tomcat to listen to 8090 by editing /etc/tomcat/server.xml, in the following 
line:


And the change:


As soon as I started, I got "BindException: permission denied" exception on the 
catalina log file. If I stop Jenkins daemon and change it back to 8080, it 
works as expected.
I even tried to put port number "1", but results were the same. I checked 
out ports in use with netstat, firewall configuration... I got nothing.
Since I was able to change Jenkins to run on 8090, I'm clueless what is 
happening over there. It seems CentOS is happy letting applications to bind to 
8080 and 8090, so I'm quite curious why things are not working with Tomcat...
Thanks!


RE: internalProxies regex

2017-12-21 Thread Harrie Robins
This makes perfect sense.
I tested my regex, just against wrong engine.

Thanks for pointing me in the right direction

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] 
Sent: 20 December 2017 15:19
To: Tomcat Users List 
Subject: Re: internalProxies regex

2017-12-20 11:37 GMT+03:00 Harrie Robins :
> Hello everyone,
>
>
>
> I have a question about the remoteipvalve in tomcat 8.5:
> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>
>
>
>
> internalProxies
>
> Regular expression that matches the IP addresses of internal proxies. 
> If they appear in the remoteIpHeader value, they will be trusted and 
> will not appear in the proxiesHeader value
>
> RemoteIPInternalProxy
>
> Regular expression (in the syntax supported by java.util.regex)
>
> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
> 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
> 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
> 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
> By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.
>
>
>
> I need to convert some CIDR ranges to regex:
>
>
> My concern is that \d{1,3} will match too many (non-existent) addresses:
>
> 103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|103\.31\.\d[4-7]\.\d[0-9]\d{1,3}
>
>
>
> So I re-wrote it using capture groups. The version below does not function, however, 
> and I assume it is due to the OR (|), which Tomcat will effectively see as a new 
> entry?
> So I tried escaping, but I cannot get it to work:
>
> 103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))

Your assumption that "tomcat will effectively see as a new entry" is wrong.
The string is used as whole to initialize a java.util.regex.Pattern().
Tomcat does not split it.

You may write a simple program / junit test to test how
java.util.regex.Pattern() processes your value. Or you may run Tomcat with a
debugger:

https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario

AFAIK, '\|' in a regular expression will be interpreted as expecting literal 
'|' character in the matched string.  No IP address has this character so none 
will match.



Best regards,
Konstantin Kolinko




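Harrie's question is how to turn CIDR ranges into something internalProxies will accept without \d{1,3} admitting addresses outside the block, and Konstantin's answer is that the whole attribute value is compiled as one java.util.regex.Pattern and checked against each address with matches(). The script below is an added example by the editor, not code from either poster or from Tomcat: it derives an exact per-octet regex from a CIDR (so 103.21.244.0/22 becomes 103\.21\.24[4-7]\. followed by a 0-255 alternation, with nothing left to \d{1,3}) and checks candidate addresses with Python's re.fullmatch, which behaves like Pattern.matcher(ip).matches() for this syntax (\d, character classes, non-capturing groups and alternation are identical in both engines). It also shows why the \| version quoted above can never match. The three CIDRs in SAMPLE_CIDRS are the blocks Harrie's patterns appear to target and are sample input only.

```python
"""Generate an internalProxies regex from CIDR ranges and test it.

Added example (editor's code, not from the thread or from Tomcat). The
output is meant to be pasted into RemoteIpValve's internalProxies, which
compiles it as one java.util.regex.Pattern and checks each address with
matches(); re.fullmatch is the equivalent here.
"""
import re


def _grp(expr):
    """Wrap an alternation so a prefix applies to every branch."""
    return f"(?:{expr})" if "|" in expr else expr


def _digits(lo, hi):
    """Regex for decimal strings of equal length between lo and hi inclusive."""
    if len(lo) == 1:
        if lo == hi:
            return lo
        return r"\d" if (lo, hi) == ("0", "9") else f"[{lo}-{hi}]"
    n = len(lo) - 1
    if lo[0] == hi[0]:                              # shared leading digit
        return lo[0] + _grp(_digits(lo[1:], hi[1:]))
    if lo[1:] == "0" * n and hi[1:] == "9" * n:     # whole blocks, e.g. 100-199
        return _digits(lo[0], hi[0]) + r"\d" * n
    parts = [lo[0] + _grp(_digits(lo[1:], "9" * n))]
    if int(hi[0]) - int(lo[0]) > 1:                 # full blocks in between
        parts.append(_digits(str(int(lo[0]) + 1), str(int(hi[0]) - 1)) + r"\d" * n)
    parts.append(hi[0] + _grp(_digits("0" * n, hi[1:])))
    return "|".join(parts)


def int_range(lo, hi):
    r"""Regex matching the integers lo..hi with no leading zeros, e.g.
    16..31 -> 1[6-9]|2\d|3[0-1]. Split by digit count first so that 9 and
    10 never share a branch."""
    parts = []
    while lo <= hi:
        top = min(hi, 10 ** len(str(lo)) - 1)
        parts.append(_digits(str(lo), str(top)))
        lo = top + 1
    return "|".join(parts)


def cidr_regex(cidr):
    """Exact regex for one IPv4 CIDR block; each octet gets only its own range."""
    net, _, plen = cidr.partition("/")
    plen = int(plen) if plen else 32
    octets = [int(o) for o in net.split(".")]
    if len(octets) != 4 or not 0 <= plen <= 32 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad CIDR: {cidr}")
    parts = []
    for i, octet in enumerate(octets):
        bits = max(0, min(8, plen - 8 * i))          # prefix bits in this octet
        mask = (0xFF << (8 - bits)) & 0xFF
        lo = octet & mask
        parts.append(_grp(int_range(lo, lo | (0xFF ^ mask))))
    return r"\.".join(parts)


def internal_proxies(cidrs):
    """The attribute value: one alternative per block, unescaped '|' between them."""
    return "|".join(cidr_regex(c) for c in cidrs)


def is_internal(pattern, ip):
    """What RemoteIpValve does: Pattern.matcher(ip).matches()."""
    return re.fullmatch(pattern, ip) is not None


# Sample input (constructed): the blocks Harrie's patterns appear to target.
SAMPLE_CIDRS = ["103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22"]

if __name__ == "__main__":
    value = internal_proxies(SAMPLE_CIDRS)
    print('internalProxies="%s"' % value)
    for ip in ("103.21.244.1", "103.21.247.255", "103.21.248.0", "103.31.4.10", "103.31.8.1"):
        print(f"{ip:16} {'internal' if is_internal(value, ip) else 'external'}")
```

Paste the printed value into the internalProxies attribute. The unescaped | between blocks is exactly what is wanted, because the valve compiles the whole string once and never splits it; the escaped \| in the attempt quoted above is a literal bar that no IP address contains.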