RE: [OT] Oracle Java 11 discussion?
Chris

cjb> large bureaucracy [...] I would not be
cjb> surprised if there is a policy against dev kits and IDE's on
cjb> production servers for security sake. Tomcat (whisper: with built-in
cjb> compiler) is approved, but is the JDK allowed? Guess I can ask.
cjb> Yeah, it's potentially a "distinction without a difference".

cs> Hard and fast rule: no compilers. [...] It's a checkbox security
cs> "feature" that is all of meaningless, ineffective, and inconvenient.

Yeah, I was thinking similar things from inference.

cs> These days, most servers have all the code you'd already ever need
cs> to "compile" and run an exploit even if there were no compiler there.
cs> All you need is a nice, vulnerable pre-existing binary.

That's kinda scary. I suppose the attitude is that as long as there are security updates still being published, that conforms to policy and is therefore OK. Actually, what else can be done once any software has been released into the wild?

mt> I'd plan to stick to the LTS releases.

cjb> Meh, not my call. Whatever the Powers That Be decide for the
cjb> production environment, I'll probably match that in dev.

cs> They will decide to stick with Java 8, even though it's EOL. The
cs> decision will be made because (a) "there are some incompatibilities
cs> with Java 11 which are hairy to untangle" and (b) "Java 8 hasn't
cs> caused a breach, yet, so we'll probably be fine".

Interesting theory... Care to make a friendly wager on that, say lunch and/or a beer? Wait, do you have some sort of inside info? Wager rescinded! ;-)

My question would be how long after the 2019 EOL will Java 8 still be approved for use, be it official policy or unofficial inertia. Well, at least until the next major vulnerability is discovered and then everyone scrambles to cover their behinds and upgrade Java.

cs> I'm having trouble convincing a partner vendor to move from
cs> Java *6* up to Java 8.

*facepalm* "Ha ha" (said the guy who is still in the process of upgrading from TC 6.0 to 8.5).

--
Cris Berneburg
CACI Lead Software Engineer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [OT] Oracle Java 11 discussion?
Hey Chris

cjb> RAMBLE: Too bad there can't be an Apache OpenJRE umbrella project,
cjb> with specific Apache OpenJRE [version X] sub-projects, that maintain
cjb> JRE [version X]'s indefinitely. One source (Apache) for all the
cjb> different JRE's for the Java community at large, rather than depending
cjb> on a bunch of different companies.

cs> I know it's not exactly what you meant, but...
cs> http://harmony.apache.org/
cs> You could always resurrect that project :)

Actually, that does sound like what I was thinking. However, Harmony being dead since 2011 means that there hasn't been much demand for it. I wonder if Oracle's new policies for Java 11 will foster a resurgence of interest in keeping older Java versions alive, or perhaps one version in particular... "Java 8 Forever!" I dunno, it kinda has the same ring to it as "Windows XP Forever!"

--
Cris Berneburg
CACI Lead Software Engineer
RE: [OT] Oracle Java 11 discussion?
Thanks Igal

is> p.s. So happy to see that you finally moved from Tomcat 6 to 8.5.
is> Perhaps you can share that experience in a separate thread and let
is> others know if you ran into any major problems during that process.

Will do. So far we've only run into 3 minor issues.

--
Cris Berneburg
CACI Lead Software Engineer
Re: Tomcat embedded with Apache Solr
On 10/18/2018 8:55 AM, Christopher Schultz wrote:

Actually, my goal was to convince the Solr team that switching from Jetty to Tomcat was (a) possible and (b) possibly attractive.

Over on lucene-dev, I had said that I removed jetty from solr's ivy config and found only two classes with errors in eclipse. Turns out this was because I hadn't removed jetty from the *lucene* ivy config, so most of the jetty jars were actually still referenced in the eclipse build path.

When I remove jetty from ALL ivy configs, there are 335 compile errors, across many more classes. Some of those are on the Lucene side, where I have less concern. The part of Lucene that utilizes Jetty is not used in Solr.

As I expected, a lot of the errors are in test code, but some of them are in code that's not for tests.

If you really want to see us switch to Tomcat, we'll need help fixing those errors ... switching the code over to generic APIs (servlet and native Java) where possible, and to Tomcat where necessary. I would not expect the Tomcat community to actually do the work -- just provide expert guidance. Although if anyone was interested in volunteering, I wouldn't turn away the help!

Thanks,
Shawn
Re: Request for a technical review
Hi all!

Just wanted to give you an update. I am working to get things for this series wrapped up by the first week of November. Hopefully, that still gives everyone enough time to review and leave any feedback.

Mallory

On Fri, Oct 12, 2018 at 3:37 PM Mallory Mooney wrote:
> Igal, it will be available publicly once published! I don't have an
> official publish date yet but can share that when it becomes more concrete.
>
> And no PRs yet, Chris! It's still in the less cool GDoc stage of the
> review process. :)
>
> On Fri, Oct 12, 2018 at 1:36 PM Igal Sapir wrote:
>
>> On 10/12/2018 11:23 AM, Christopher Schultz wrote:
>> > Mallory,
>> >
>> > On 10/12/18 13:23, Mallory Mooney wrote:
>> >> I definitely appreciate everyone's willingness to help out!
>> >>
>> >> Here is the link to the GDoc:
>> >> https://docs.google.com/document/d/1fudlXj055nnPd-1lUoAXIS2ge8qNI56_jgUhHgKczFE/edit?usp=sharing
>> >> Requesting access will still be needed, but I can grant that ASAP.
>> >> I want to make sure I can attribute comments/suggestions to
>> >> specific people, so I know who to thank, and who to follow up with
>> >> if I need more clarification on a specific comment. Plus, it makes
>> >> the IT department happy.
>> > What, no GitHub PRs? ;)
>>
>> +1
>>
>> Is that going to be publicly available or is it a
>> proprietary/private/commercial guide?
>>
>> Igal
>>
>> > -chris
>> >
>> >> On Thu, Oct 11, 2018 at 9:53 AM Christopher Schultz <
>> >> ch...@christopherschultz.net> wrote:
>> >>
>> >> Mark,
>> >>
>> >> On 10/10/18 6:00 PM, Mark Thomas wrote:
>> > On 10/10/18 17:44, Mallory Mooney wrote:
>> >> Hi all,
>> >>
>> >> I work for Datadog and am writing a guide about monitoring
>> >> Tomcat (with or without Datadog). I'd love to get some
>> >> feedback on the technical content. The project maintainers
>> >> we reached out to recommended we post a request here.
>> >>
>> >> Would anyone be up for that? I can send the post link to
>> >> someone directly.
>> >>
>> >> Appreciate your help and time!
>> > Why not post the link here so the community can review the
>> > document?
>> >> +1
>> >>
>> >> There are many active community members who have an interest in
>> >> monitoring. I'm sure you'll get lots of feedback.
>> >>
>> >> -chris
>
> --
> Mallory Mooney
> Technical Content Writer

--
Mallory Mooney
Technical Content Writer
Re: OCSP stapling in tomcat 7 with APR
Hi! Turns out to be a proxy issue, because once I modify the openssl ocsp command to include my proxy 192.168.1.6 and port I get the correct response:

openssl ocsp -no_nonce -header Host=ocsp.comodoca.com -issuer issuer.crt -cert /home/idis/STAR_ieml_ru.crt -CAfile issuer.crt -host 192.168.1.6:3131 -path http://ocsp.comodoca.com/ -text

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
          Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
          Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
    Produced At: Oct 14 07:35:10 2018 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
      Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
      Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
    Cert Status: good
    This Update: Oct 14 07:35:10 2018 GMT
    Next Update: Oct 21 07:35:10 2018 GMT

    Signature Algorithm: sha256WithRSAEncryption
         28:c0:93:7d:9b:4d:96:16:37:f4:1f:fc:ca:8c:32:b1:bb:22:
         be:d8:33:14:9b:e9:75:18:b2:a5:20:77:ef:f9:6c:48:1c:72:
         8f:db:87:4a:30:50:04:72:9d:75:0f:ce:09:82:b7:56:bf:aa:
         62:fe:50:b7:10:96:82:b6:53:0f:a0:c8:b1:49:bf:0e:88:19:
         bf:41:64:21:8f:8f:9a:f3:1a:e5:3b:36:d0:96:7e:01:89:c4:
         a2:c3:19:3c:fa:fa:e7:ad:df:4e:76:37:32:72:ba:95:23:4e:
         c6:09:c8:a6:a1:28:63:5f:e6:6a:62:55:e3:a2:a8:29:47:4b:
         70:a2:6b:e3:07:0a:a0:b2:28:79:61:24:f8:ab:9a:ff:bf:b6:
         ff:2b:ca:0e:f1:a8:cc:2a:ae:a5:4a:90:40:14:64:b1:ca:10:
         ca:44:a3:f9:00:af:d7:55:0b:5b:0e:0f:d9:8b:3a:c9:a2:41:
         4e:e5:23:23:9a:36:dc:28:c3:a8:4d:1c:08:c7:64:87:a5:0c:
         d7:08:57:a8:62:85:73:d5:f7:14:a2:c7:07:e9:57:e9:e1:1a:
         21:d0:d9:56:62:06:0f:05:bc:19:b7:c8:63:5a:a8:97:28:f3:
         1b:5b:30:3c:d6:31:ec:f5:cb:cd:f8:7e:61:cd:2b:ea:19:1c:
         17:8c:a4:9a
Response verify OK
/home/idis/STAR_ieml_ru.crt: good
	This Update: Oct 14 07:35:10 2018 GMT
	Next Update: Oct 21 07:35:10 2018 GMT

Now the question is how to tell Tomcat to use a proxy when making OCSP requests. I have tried putting proxyName and proxyPort in the Connector definition; that didn't do anything for OCSP support (SSL Labs still says no for OCSP). Any suggestions?

From: Mark Thomas
Sent: 17 October 2018 18:43:39
To: Tomcat Users List
Subject: Re: OCSP stapling in tomcat 7 with APR

On 17/10/18 15:02, Усманов Азат Анварович wrote:
> Unfortunately, I still got the same issue with the slash
> openssl ocsp -issuer /home/idis/authorities.crt -cert
> /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com/
> OCSP Request Data:
>     Version: 1 (0x0)
>     Requestor List:
>         Certificate ID:
>           Hash Algorithm: sha1
>           Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
>           Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
>           Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
>     Request Extensions:
>         OCSP Nonce:
>             0410A42C073C3EA560D427D719BA3A8EC5FB
> Error querying OCSP responder
> 139868527687424:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301

That is http so you could use Wireshark or similar to do a network trace and see exactly what is going on there.

Mark

>
> From: Rainer Jung
> Sent: 17 October 2018 16:41:27
> To: Tomcat Users List; Усманов Азат Анварович
> Subject: Re: OCSP stapling in tomcat 7 with APR
>
> Redirect when accessing http://ocsp.comodoca.com could simply be a
> trailing slash redirect (Location: http://ocsp.comodoca.com/). You
> better use http://ocsp.comodoca.com/ (note the slash at the end of the URL).
>
> Regards,
>
> Rainer
>
> On 17.10.2018 at 15:09, Усманов Азат Анварович wrote:
>> SSLLabs test still shows "OCSP stapling no" even with the latest version
>> openssl
>>
>> I've tried to test it manually and got an error
>>
>> openssl ocsp -issuer /home/idis/authorities.crt -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com
>> OCSP Request Data:
>>     Version: 1 (0x0)
>>     Requestor List:
>>         Certificate ID:
>>           Hash Algorithm: sha1
>>           Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
>>           Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
>>           Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
>>     Request
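As an added example, not code from this thread or from Tomcat or OpenSSL, here is a small Python checker that parses the text output of `openssl ocsp -text` quoted above and decides whether the response is one a server could safely staple: the responder must have answered, the signature must have verified, the status must be `good`, and the current time must fall inside the thisUpdate/nextUpdate window. The two sample outputs are constructed from the responses shown in the thread (the successful reply fetched through the proxy, and the HTTP 301 failure); `OcspCheck`, `evaluate_ocsp_text()` and `utc()` are names of this example only.

```python
"""Added example (not code from this thread): parse `openssl ocsp -text`
output and decide whether the response is fit to staple.

The sample outputs below are constructed from the two responses quoted
in the thread: the successful one fetched via the proxy and the HTTP 301
failure.  OcspCheck, evaluate_ocsp_text() and utc() are this example's
own names, not an OpenSSL or Tomcat API.
"""
import re
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample: successful response, abbreviated from the thread.
GOOD_OUTPUT = """\
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Oct 14 07:35:10 2018 GMT
    Responses:
    Certificate ID:
      Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
    Cert Status: good
    This Update: Oct 14 07:35:10 2018 GMT
    Next Update: Oct 21 07:35:10 2018 GMT
Response verify OK
/home/idis/STAR_ieml_ru.crt: good
\tThis Update: Oct 14 07:35:10 2018 GMT
\tNext Update: Oct 21 07:35:10 2018 GMT
"""

# Constructed sample: the failure seen when the responder redirects (301).
ERROR_OUTPUT = """\
OCSP Request Data:
    Version: 1 (0x0)
Error querying OCSP responder
139868527687424:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301
"""

OCSP_TIME_FMT = "%b %d %H:%M:%S %Y GMT"   # e.g. "Oct 14 07:35:10 2018 GMT"


@dataclass
class OcspCheck:
    ok: bool                      # True only if verified, "good" and current
    reason: str                   # one-line explanation for a log or alert
    cert_status: Optional[str] = None
    this_update: Optional[datetime] = None
    next_update: Optional[datetime] = None
    http_code: Optional[int] = None


def utc(*args):
    """Build a UTC datetime, e.g. utc(2018, 10, 15)."""
    return datetime(*args, tzinfo=timezone.utc)


def _field(text, name):
    """First 'Name: value' line in the output, or None."""
    m = re.search(r"^\s*" + re.escape(name) + r":\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None


def _parse_time(value):
    if value is None:
        return None
    # openssl pads single-digit days with a space ("Oct  4"); collapse it.
    value = " ".join(value.split())
    return datetime.strptime(value, OCSP_TIME_FMT).replace(tzinfo=timezone.utc)


def evaluate_ocsp_text(text, now, skew=timedelta(minutes=5)):
    """Classify one `openssl ocsp -text` run as seen at time `now`."""
    err = re.search(r"Error querying OCSP responder.*?Code=(\d+)", text, re.S)
    if err:
        code = int(err.group(1))
        return OcspCheck(False, f"responder returned HTTP {code}; no response to staple",
                         http_code=code)
    if "Error querying OCSP responder" in text:
        return OcspCheck(False, "responder unreachable; no response to staple")

    status = _field(text, "OCSP Response Status")
    if status is None or not status.startswith("successful"):
        return OcspCheck(False, f"response status is {status!r}, not successful")

    cert_status = _field(text, "Cert Status")
    this_update = _parse_time(_field(text, "This Update"))
    next_update = _parse_time(_field(text, "Next Update"))
    result = OcspCheck(False, "", cert_status, this_update, next_update)

    if "Response verify OK" not in text:
        result.reason = "responder signature did not verify; do not staple"
    elif cert_status != "good":
        result.reason = f"certificate status is {cert_status}; do not staple"
    elif this_update is not None and this_update > now + skew:
        result.reason = "thisUpdate is in the future; check clock or response"
    elif next_update is not None and now > next_update:
        result.reason = f"response is stale (nextUpdate {next_update:%Y-%m-%d %H:%M} UTC)"
    else:
        result.ok = True
        result.reason = "verified, good and current"
    return result


if __name__ == "__main__":
    # Usage: openssl ocsp ... -text 2>&1 | python ocsp_check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else GOOD_OUTPUT
    check = evaluate_ocsp_text(text, datetime.now(timezone.utc))
    print("OK" if check.ok else "NOT OK", "-", check.reason)
```

Piping a real `openssl ocsp ... -text 2>&1` run into the script gives a single OK / NOT OK line with the reason, which is a convenient thing to run from cron against the responder (through the proxy, as in the command above) so that an expired or unreachable response is noticed before a scanner reports "OCSP stapling no".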