TLS client cert clarification

2019-07-11 Thread Wilmoth, Jon
I was hoping to get some clarification on when to expect client x509 certs in 
http requests where the Tomcat server (v9.x) has been configured to “want” or 
“need” client auth.  
https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet-4_0_FINAL.pdf says:

“If there is an SSL certificate associated with the request, it must be exposed 
by the servlet container to the servlet programmer as an array of objects of 
type java.security.cert.X509Certificate and accessible via a ServletRequest 
attribute of javax.servlet.request.X509Certificate.”

Is this only for the request that initiated the TLS handshake?  Or does this 
mean it will be present on all requests (i.e. requests on a keep-alive 
connection after the initial handshake) while the TLS connection is still open?

Thanks,
Jon
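Whichever way the keep-alive question is answered, an application that relies on the certificate for authorization should re-read the attribute on every request rather than cache a decision from the first one. The following filter is an added example, not code from the thread; it assumes a Servlet 4.0 (javax.servlet) web application on Tomcat 9 where the connector is set to "want" client auth, so requests without a certificate can reach the application and must be rejected there. The filter and attribute name `example.clientSubject` are hypothetical.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (added example): enforces that a client certificate is
 * present on every request, not only on the one that triggered the handshake.
 * With clientAuth="want" Tomcat admits connections without a certificate, so
 * the application has to fail closed itself.
 */
public class RequireClientCertFilter implements Filter {

    // Attribute name mandated by the Servlet specification (quoted in the thread).
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = extractChain(req);
        if (!req.isSecure() || certs == null) {
            // Fail closed: plain HTTP, or no usable certificate attribute on this request.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate required");
            return;
        }
        // certs[0] is the end-entity certificate; any further entries are the
        // chain as presented by the client. Expose the subject to downstream code.
        req.setAttribute("example.clientSubject",
                certs[0].getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    /** Returns the chain from the request attribute, or null if absent or malformed. */
    static X509Certificate[] extractChain(ServletRequest req) {
        Object attr = req.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] certs = (X509Certificate[]) attr;
        return certs.length == 0 ? null : certs;
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Map the filter to the protected paths in web.xml (or with @WebFilter); because the check runs per request, a connection that somehow carries no certificate attribute later in its life is denied rather than silently trusted.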


Re: OCSP Connector on Tomcat 8.5 not working

2019-07-11 Thread Michael Magnuson


Thanks Mark.  I would like to deny access if an unknown response is received.


From: Mark Thomas 
Sent: Thursday, July 11, 2019 12:59 PM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

On 11/07/2019 17:46, Michael Magnuson wrote:
> The OCSP function is working as expected for both "good" and "revoked" 
> responses.  However, I find that it also allows "unknown" responses.  Is the 
> "unknown" response behavior adjustable?

The relevant code is:

else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
   /* TODO: do nothing for time being */

So, not at the moment.

What behaviour would you like to see / do you think there should be?

Mark


>
> Thanks,
> Mike
>
> 
> From: Michael Magnuson 
> Sent: Friday, June 28, 2019 10:38 AM
> To: users@tomcat.apache.org
> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>
>
>
> Mark,  I was able to get this working.  Thank you again for all your help.  
> The fix happened when I concatenated both the intermediate CA certificate and 
> the root CA certificate into a single PEM file, and used it for the 
> caCertificate= attribute.
>
> 
> From: Mark Thomas 
> Sent: Tuesday, June 25, 2019 12:41 PM
> To: users@tomcat.apache.org
> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>
> On 25/06/2019 20:22, Michael Magnuson wrote:
>>
>>
>> Mark, thanks for the further clarification.  With that setup, it prompts for 
>> the smart card PIN and you can select your certificate, but then nothing 
>> happens.  The only way I can get it to successfully open the page is if I 
>> also add the attributes trustStoreFile= and trustStorePass= but still no 
>> OCSP action.
>
> Can you post your current configuration please.
>
> Please also list the certificate(s) in each of the keystores / PEM files.
>
> I'm wondering if the chain from the server to the CA is missing.
>
> Mark
>


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: OCSP Connector on Tomcat 8.5 not working

2019-07-11 Thread Mark Thomas
On 11/07/2019 17:46, Michael Magnuson wrote:
> The OCSP function is working as expected for both "good" and "revoked" 
> responses.  However, I find that it also allows "unknown" responses.  Is the 
> "unknown" response behavior adjustable?

The relevant code is:

else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
   /* TODO: do nothing for time being */

So, not at the moment.

What behaviour would you like to see / do you think there should be?

Mark


> 
> Thanks,
> Mike
> 
> 
> From: Michael Magnuson 
> Sent: Friday, June 28, 2019 10:38 AM
> To: users@tomcat.apache.org
> Subject: Re: OCSP Connector on Tomcat 8.5 not working
> 
> 
> 
> Mark,  I was able to get this working.  Thank you again for all your help.  
> The fix happened when I concatenated both the intermediate CA certificate and 
> the root CA certificate into a single PEM file, and used it for the 
> caCertificate= attribute.
> 
> 
> From: Mark Thomas 
> Sent: Tuesday, June 25, 2019 12:41 PM
> To: users@tomcat.apache.org
> Subject: Re: OCSP Connector on Tomcat 8.5 not working
> 
> On 25/06/2019 20:22, Michael Magnuson wrote:
>>
>>
>> Mark, thanks for the further clarification.  With that setup, it prompts for 
>> the smart card PIN and you can select your certificate, but then nothing 
>> happens.  The only way I can get it to successfully open the page is if I 
>> also add the attributes trustStoreFile= and trustStorePass= but still no 
>> OCSP action.
> 
> Can you post your current configuration please.
> 
> Please also list the certificate(s) in each of the keystores / PEM files.
> 
> I'm wondering if the chain from the server to the CA is missing.
> 
> Mark
> 





Re: Webapp previously stopped with Tomcat Manager started unexpectedly

2019-07-11 Thread Mark Thomas
On 11/07/2019 19:30, Kevin Brake wrote:
> Tomcat 8.5.32, JVM 1.8.0_181-b13, Windows Server 2016 amd64
> 
> We had stopped a webapp via Manager in February. Over July 4th the webapp 
> started and ran for several days before it was discovered.
> There was a windows restart at that time in connection with windows updates. 
> Searching the logs also revealed potential CSRF attacks both on other webapps 
> that were supposed to be running as well as the one which restarted. There 
> was no activity for this webapp restart recorded in the manager log.
> 
> I have searched known tomcat issues, general web, internal logs for the web 
> server.
> 
> We are trying to determine how the webapp could have possibly started. Has 
> anyone heard of an issue where a stopped webapp can change state and run 
> because of an operating system restart?

http://tomcat.apache.org/tomcat-9.0-doc/config/host.html

deployOnStartup

> Could a successful CSRF attack set conditions for the webapp to start either 
> by a windows restart or a direct start?

That would depend on the capabilities of the web applications and what
requests were forged.

Mark




Re: Tomcat 9 & Port 80

2019-07-11 Thread Arbelo, Ralph
Thank you for your reply, André.

Unfortunately, the Tomcat 9 Ubuntu package is only available on Ubuntu 18 and 
19 (at least that I could find). I'm on 16 at the moment (though I did think 
about upgrading) which is why I'm using the binary distribution from 
tomcat.apache.org. 

The good news is I was able to get authbind to work. If anyone is interested in 
the steps I used, please let me know. 

Thanks again,
Ralph



On 7/10/19, 5:29 AM, "André Warnier (tomcat)" wrote:

Hi.
Apologies for breaking conventions of this list and top-posting.

It seems that the issue below is more of a question for the Ubuntu list, 
than Tomcat's.

The standard /etc/init.d/tomcat9 startup script included in the Ubuntu tomcat9 package 
should allow starting tomcat 9 on port 80 without any changes to the tomcat configuration 
or scripts (other than setting the Connector to port 80 in server.xml).
If "it doesn't work", you should consult the Ubuntu user's support list, where you are 
more likely to find appropriate answers.
See here : https://ubuntu.com/support/community-support

At another level : below, you mention trying authbind (which is what the standard Ubuntu 
startup script does), but "I could not get it to work".
Did you check that the settings of authbind are correct, for port 80 ?
See : http://manpages.ubuntu.com/manpages/bionic/man1/authbind.1.html

On 09.07.2019 15:49, Arbelo, Ralph wrote:
> Hello,
>
> I have Tomcat 9.0.21 installed (binary distribution) on an Ubuntu 16.04 
> server. My Java version is OpenJDK 11.0.4. I have the JSVC built and run the 
> daemon.sh script to start and stop Tomcat via a systemd script. Everything 
> works great, but now I need to run it on port 80 & 443. On our old server we 
> have a script we use, but it doesn't work upon startup (due to needing to 
> use sudo to get privileges to bind to port 80). For this new build, I was 
> hoping to streamline the process and have Tomcat start upon boot. I've been 
> doing a lot of Google searching on binding port 80 on Tomcat, but most of what 
> I found was for older versions. Here's what I found:
>
> *   Use iptables to redirect 8080 to 80
> *   Proxy with NGINX or Apache
> *   Use authbind
>
> I'd rather not use iptables to redirect as (from what I understand) you 
> still have to allow direct access to port 8080.
>
> I tried using authbind, but I could not get it to work. All the 
> procedures I found were for older versions of Tomcat, so I don't know if 
> authbind will even work with Tomcat 9.
>
> Finally, my questions:
>
> 1.  Has anyone successfully used authbind with Tomcat 9?
> 2.  Anything I'm missing with getting Tomcat to bind with port 80? 
> Should I just bite the bullet and use an HTTP proxy?
>
> Thank you!
> Ralph
>
> Ralph Arbelo
> Library IT Services - River Campus Libraries
> University of Rochester
> 121B Rush Rhees Library, Rochester, NY 14627
> o: 585.275.3449 - f: 585.275.1032
>
>







Webapp previously stopped with Tomcat Manager started unexpectedly

2019-07-11 Thread Kevin Brake
Tomcat 8.5.32, JVM 1.8.0_181-b13, Windows Server 2016 amd64

We had stopped a webapp via Manager in February. Over July 4th the webapp 
started and ran for several days before it was discovered.
There was a windows restart at that time in connection with windows updates. 
Searching the logs also revealed potential CSRF attacks both on other webapps 
that were supposed to be running as well as the one which restarted. There was 
no activity for this webapp restart recorded in the manager log.

I have searched known tomcat issues, general web, internal logs for the web 
server.

We are trying to determine how the webapp could have possibly started. Has 
anyone heard of an issue where a stopped webapp can change state and run 
because of an operating system restart? Could a successful CSRF attack set 
conditions for the webapp to start either by a windows restart or a direct 
start?





Tomcat version 9.0.22 release

2019-07-11 Thread Kaushal Shriyan
Hi,

Is there a way to find out whether Tomcat version 9.0.22
(https://tomcat.apache.org/download-90.cgi#9.0.22) is a security, enhancement or
bug-fix release relative to Tomcat version 9.0.21?

Any help would be appreciated and I look forward to hearing from you.

Thanks in Advance.

Best Regards,

Kaushal


Re: OCSP Connector on Tomcat 8.5 not working

2019-07-11 Thread Michael Magnuson
The OCSP function is working as expected for both "good" and "revoked" 
responses.  However, I find that it also allows "unknown" responses.  Is the 
"unknown" response behavior adjustable?

Thanks,
Mike


From: Michael Magnuson 
Sent: Friday, June 28, 2019 10:38 AM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working



Mark,  I was able to get this working.  Thank you again for all your help.  The 
fix happened when I concatenated both the intermediate CA certificate and the 
root CA certificate into a single PEM file, and used it for the caCertificate= 
attribute.


From: Mark Thomas 
Sent: Tuesday, June 25, 2019 12:41 PM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

On 25/06/2019 20:22, Michael Magnuson wrote:
>
>
> Mark, thanks for the further clarification.  With that setup, it prompts for 
> the smart card PIN and you can select your certificate, but then nothing 
> happens.  The only way I can get it to successfully open the page is if I 
> also add the attributes trustStoreFile= and trustStorePass= but still no OCSP 
> action.

Can you post your current configuration please.

Please also list the certificate(s) in each of the keystores / PEM files.

I'm wondering if the chain from the server to the CA is missing.

Mark




RE: [EXTERNAL] Re: java.lang.NoClassDefFoundError: Could not initialize class net.sf.ehcache.Element

2019-07-11 Thread Hua, Gary - Saint Louis, MO - Contractor
Paul:

Thanks. I put in the ehcache-3.6.3.jar and the error seemed to be gone.

Gary

-Original Message-
From: Paul Carter-Brown [mailto:paul.carter-br...@jini.guru] 
Sent: Wednesday, July 10, 2019 3:42 PM
To: Tomcat Users List 
Subject: [EXTERNAL] Re: java.lang.NoClassDefFoundError: Could not initialize class net.sf.ehcache.Element

NoClassDefFoundError is not the same as ClassNotFoundException

Typically a NoClassDefFoundError is due to a class failing its static 
initialisation when first loaded by the classloader. Can you check in your logs 
for any prior errors (even at bootup) relating to the class failing to be loaded?

Paul



On Wed, Jul 10, 2019 at 6:42 PM Hua, Gary - Saint Louis, MO - Contractor wrote:

> Tomcat Experts:
>
> I have a web application deployed to our DEV Tomcat server 9.0.13. I am 
> trying to bring all the Hibernate jar files to version Hibernate-3.6.10. 
> The following are the jar files under WEB-INF/lib:
>
> After I started the Tomcat 9.0.13 server,  login as  topsadmin user, our
> Postal TOPS applicat