Off-loading heavy process

[Rob Sargent]

My apologies if this is too vague to warrant consideration.

In the recent past I managed a naked port, a Selector, a 
ThreadPoolExecutor and friends (and it worked well enough...) but a dear 
and knowledgeable friend suggested embedding tomcat and using http.[3]


I have that working, one request at a time.

Now to get to "production level":   I have two distinct types of 
requests which might be problematic:  one is rather large[1] and the 
other rather prolific[2].  Both types are handled by the same servlet.  
The data structure is identical, just much less in case[2].


Is it advisable, practical to (re)establish a ThreadPoolExecutor, queue 
etc as a tomcat accessible "Resource" with JDNI lookup, and have my 
servlet pass the work off to the Executor's queue?


Any pointers appreciated,

rjs


   [1] Comprised of a data block which occasionally has exceeded java
   max array length,  gzipped streams helped a lot.  There are few of
   these requests (22 per project).  They last days and can "collide"
   in terms of when they finish, though by and large they naturally
   spread themselves out.

   [2] Given infinite EC2 capacity there would be tens of thousands of
   jobs started at once.  Realistic AWS capacity constraints limit this
   to hundreds of instances from a queue of thousands.  The duration of
   any instance varies from hours to days.  But the payload is simple,
   under 5K bytes.

   [3] I'm not entirely confident the original implementation handled
   all "requests" properly.

Re: TLS on Tomcat: Using ECC and RSA certificates together -- invalid intermediate certificate in chain

[Robert Turner]

Actually, one incorrect statement in my previous response. testssl.sh
didn't report the details of the certificate chain, only that it was
broken. I used https://ssllabs.com/ssltest/analyze.html as well, and it
reported the specific details of the certificate chain (and that the chain
was also broken).

Sorry about that.

Robert



On Wed, Dec 9, 2020 at 9:22 PM Robert Turner  wrote:

> Thanks Chris for replying.
>
> I'm pretty sure I'm using the APR connector. Without double-checking how
> things are configured... the startup logs show:
>
> 09-Dec-2020 21:05:25.689 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache
> Tomcat Native library [1.2.24] using APR version [1.7.0].
> 09-Dec-2020 21:05:25.689 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
> capabilities: IPv6 [true], sendfile [true], accept filters [false], random
> [true].
> 09-Dec-2020 21:05:25.689 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
> configuration: useAprConnector [false], useOpenSSL [true]
> 09-Dec-2020 21:05:25.704 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
> successfully initialized [OpenSSL 1.1.1g  21 Apr 2020]
>
> On your ECC/RSA separately question: yes, each one works fine by itself.
>
> I'm not sure what testssl.sh does specifically to verify the chains for
> each certificate. I haven't dug into its source yet, but it reports that
> the chain for my RSA certificate has the wrong intermediate (and shows the
> intermediate for the ECC certificate). So, with minimal examination, to me
> it suggests that Tomcat/OpenSSL is not exposing the correct intermediate
> certificate when presenting the RSA certificate chain for validation by the
> client.
>
>
> I may be able to request the re-issue, but I'm running with fairly
> inexpensive certificates, so it might be a bit more of a challenge to get
> done, but I could try -- that was going to be my "last resort" approach.
>
> I'm not clear on it either -- I'm not sure it's a requirement per say from
> what I can tell, but maybe just a limitation of the implementation. But I
> haven't done enough research (yet) into how TLS negotiation works, or the
> implementation of OpenSSL to offer a non-speculative conclusion. I was
> sort-of hoping to avoid a 2 or 3 day diversion to learn enough about it all.
>
> I had been planning on trying the combined certificates in single files to
> see if it worked (As it was the only idea that I had based on looking at
> the code and how it "saved" the certificates for use), and just kicked it
> off the changes while typing this up. (time to check the results)
>
> With the combined certificates (in order) in the main certificate file,
> both certificates now get reported by testssl.sh as:
>Chain of trust   NOT ok (chain incomplete)
>
> And when I connect using "openssl s_client -connect :", I see
> only the initial certificate in the server response, where normally I would
> see the chain listed out up to the root CA.
>
> So unfortunately, it looks like that doesn't quite work properly either.
>
> Robert
>
> On Wed, Dec 9, 2020 at 8:38 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Robert,
>>
>> On 12/9/20 17:54, Robert Turner wrote:
>> > I am trying to configure Tomcat 9.0.37 (or later if I need to) to use
>> both
>> > an RSA and an ECC certificate for the same host.
>> >
>> > Platform is Windows 2008 R2, with the Tomcat Native 1.2.24 library
>> > installed.
>>
>> Do you know if you are using the APR connector or the NIO(2) connector?
>>
>> > My configuration is roughly as follows:
>> >
>> >
>> >  > >honorCipherOrder="true"
>> >ciphers=""
>> >hostName="*.blahblah.com">
>> >  > certificateKeyFile="conf/blahblah_com_priv.key"
>> >   certificateFile="conf/blahblah_com.crt"
>> >
>> >   certificateChainFile="conf/blahblah_com.intermediate.crt"
>> >   type="RSA"
>> > />
>> >  > > certificateKeyFile="conf/blahblah_com_com-ECC.private.key"
>> >   certificateFile="conf/blahblah_com-ECC.pem"
>> >
>> >   certificateChainFile="conf/blahblah_com-ECC.intermediate.pem"
>> >   type="EC"
>> > />
>> >  
>> >
>> >
>> > The only change I've made was to add the additional Certificate element
>> for
>> > the ECC certificate (so I believe everything else about our
>> configuration
>> > is all good.
>> >
>> > When I run "testssh.sh" against the host, I end up with a failed
>> > certificate chain for the RSA certificate. The ECC certificate is all
>> fine
>> > though, and before adding the ECC certificate, the RSA certificate was
>> fine.
>>
>> Hmm. So if you specify either RSA or EC alone, with the certificate
>> chain, all is well (aside from the fact that you can only use one of the
>> two certs)?
>>
>> What does testssh.sh do?
>>
>> > 

Re: TLS on Tomcat: Using ECC and RSA certificates together -- invalid intermediate certificate in chain

[Robert Turner]

Thanks Chris for replying.

I'm pretty sure I'm using the APR connector. Without double-checking how
things are configured... the startup logs show:

09-Dec-2020 21:05:25.689 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache
Tomcat Native library [1.2.24] using APR version [1.7.0].
09-Dec-2020 21:05:25.689 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
capabilities: IPv6 [true], sendfile [true], accept filters [false], random
[true].
09-Dec-2020 21:05:25.689 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
configuration: useAprConnector [false], useOpenSSL [true]
09-Dec-2020 21:05:25.704 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
successfully initialized [OpenSSL 1.1.1g  21 Apr 2020]

On your ECC/RSA separately question: yes, each one works fine by itself.

I'm not sure what testssl.sh does specifically to verify the chains for
each certificate. I haven't dug into its source yet, but it reports that
the chain for my RSA certificate has the wrong intermediate (and shows the
intermediate for the ECC certificate). So, with minimal examination, to me
it suggests that Tomcat/OpenSSL is not exposing the correct intermediate
certificate when presenting the RSA certificate chain for validation by the
client.


I may be able to request the re-issue, but I'm running with fairly
inexpensive certificates, so it might be a bit more of a challenge to get
done, but I could try -- that was going to be my "last resort" approach.

I'm not clear on it either -- I'm not sure it's a requirement per say from
what I can tell, but maybe just a limitation of the implementation. But I
haven't done enough research (yet) into how TLS negotiation works, or the
implementation of OpenSSL to offer a non-speculative conclusion. I was
sort-of hoping to avoid a 2 or 3 day diversion to learn enough about it all.

I had been planning on trying the combined certificates in single files to
see if it worked (As it was the only idea that I had based on looking at
the code and how it "saved" the certificates for use), and just kicked it
off the changes while typing this up. (time to check the results)

With the combined certificates (in order) in the main certificate file,
both certificates now get reported by testssl.sh as:
   Chain of trust   NOT ok (chain incomplete)

And when I connect using "openssl s_client -connect :", I see
only the initial certificate in the server response, where normally I would
see the chain listed out up to the root CA.

So unfortunately, it looks like that doesn't quite work properly either.

Robert

On Wed, Dec 9, 2020 at 8:38 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Robert,
>
> On 12/9/20 17:54, Robert Turner wrote:
> > I am trying to configure Tomcat 9.0.37 (or later if I need to) to use
> both
> > an RSA and an ECC certificate for the same host.
> >
> > Platform is Windows 2008 R2, with the Tomcat Native 1.2.24 library
> > installed.
>
> Do you know if you are using the APR connector or the NIO(2) connector?
>
> > My configuration is roughly as follows:
> >
> >
> >   >honorCipherOrder="true"
> >ciphers=""
> >hostName="*.blahblah.com">
> >   >   certificateFile="conf/blahblah_com.crt"
> >
> >   certificateChainFile="conf/blahblah_com.intermediate.crt"
> >   type="RSA"
> > />
> >   > certificateKeyFile="conf/blahblah_com_com-ECC.private.key"
> >   certificateFile="conf/blahblah_com-ECC.pem"
> >
> >   certificateChainFile="conf/blahblah_com-ECC.intermediate.pem"
> >   type="EC"
> > />
> >  
> >
> >
> > The only change I've made was to add the additional Certificate element
> for
> > the ECC certificate (so I believe everything else about our configuration
> > is all good.
> >
> > When I run "testssh.sh" against the host, I end up with a failed
> > certificate chain for the RSA certificate. The ECC certificate is all
> fine
> > though, and before adding the ECC certificate, the RSA certificate was
> fine.
>
> Hmm. So if you specify either RSA or EC alone, with the certificate
> chain, all is well (aside from the fact that you can only use one of the
> two certs)?
>
> What does testssh.sh do?
>
> > I've dug into the documentation and found this statement with reference
> to
> > the certificateChainFile parameter:
> >
> > "Note that when using more than one certificate for different types, they
> > all must use the same certificate chain"
> >
> > So I checked the Git repo, and that was added with a commit comment that
> > references the Apache HTTP configuration which states something slightly
> > differently:
> >
> > "But be careful: Providing the certificate chain works only if you are
> > using a single RSA or DSA based server certificate. If you are using a
> > coupled RSA+DSA 

Re: TLS on Tomcat: Using ECC and RSA certificates together -- invalid intermediate certificate in chain

[Christopher Schultz]

Robert,

On 12/9/20 17:54, Robert Turner wrote:

I am trying to configure Tomcat 9.0.37 (or later if I need to) to use both
an RSA and an ECC certificate for the same host.

Platform is Windows 2008 R2, with the Tomcat Native 1.2.24 library
installed.


Do you know if you are using the APR connector or the NIO(2) connector?


My configuration is roughly as follows:


 
 
 
 


The only change I've made was to add the additional Certificate element for
the ECC certificate (so I believe everything else about our configuration
is all good.

When I run "testssh.sh" against the host, I end up with a failed
certificate chain for the RSA certificate. The ECC certificate is all fine
though, and before adding the ECC certificate, the RSA certificate was fine.


Hmm. So if you specify either RSA or EC alone, with the certificate 
chain, all is well (aside from the fact that you can only use one of the 
two certs)?


What does testssh.sh do?


I've dug into the documentation and found this statement with reference to
the certificateChainFile parameter:

"Note that when using more than one certificate for different types, they
all must use the same certificate chain"

So I checked the Git repo, and that was added with a commit comment that
references the Apache HTTP configuration which states something slightly
differently:

"But be careful: Providing the certificate chain works only if you are
using a single RSA or DSA based server certificate. If you are using a
coupled RSA+DSA certificate pair, this will work only if actually both
certificates use the same certificate chain. Else the browsers will be
confused in this situation."

The two statements suggest slightly different things. However the second
doesn't suggest that ECC and RSA cannot be combined with different chains.

Is there any way to have two different certificate chains for the ECC and
RSA certificates and get it working with Tomcat/OpenSSL? (as we don't have
certificates with the same chains as our provider seems to use different
intermediate CAs for ECC versus RSA).


Yeah... it's possible for a CA to use a single cert to sign both EC and 
RSA keys, but yours appears to use different ones. Any chance you can 
request a re-issue of one of your certificates using the other type of 
signing certificate? You will almost certainly have to call and request 
this from your CA.


I don't know why the two certs have to have the same chain when you use 
SSLCertificateChainFile. Oh, I think it's because there isn't a way to 
say in httpd which certificate which chain goes with, so there can be 
only one (effective) directive for that.


What happens if you pack everything into (each of) your certificateFile 
and don't use certificateChainFile *at all*?


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

TLS on Tomcat: Using ECC and RSA certificates together -- invalid intermediate certificate in chain

[Robert Turner]

I am trying to configure Tomcat 9.0.37 (or later if I need to) to use both
an RSA and an ECC certificate for the same host.

Platform is Windows 2008 R2, with the Tomcat Native 1.2.24 library
installed.

My configuration is roughly as follows:








The only change I've made was to add the additional Certificate element for
the ECC certificate (so I believe everything else about our configuration
is all good.

When I run "testssh.sh" against the host, I end up with a failed
certificate chain for the RSA certificate. The ECC certificate is all fine
though, and before adding the ECC certificate, the RSA certificate was fine.

I've dug into the documentation and found this statement with reference to
the certificateChainFile parameter:

"Note that when using more than one certificate for different types, they
all must use the same certificate chain"

So I checked the Git repo, and that was added with a commit comment that
references the Apache HTTP configuration which states something slightly
differently:

"But be careful: Providing the certificate chain works only if you are
using a single RSA or DSA based server certificate. If you are using a
coupled RSA+DSA certificate pair, this will work only if actually both
certificates use the same certificate chain. Else the browsers will be
confused in this situation."

The two statements suggest slightly different things. However the second
doesn't suggest that ECC and RSA cannot be combined with different chains.

Is there any way to have two different certificate chains for the ECC and
RSA certificates and get it working with Tomcat/OpenSSL? (as we don't have
certificates with the same chains as our provider seems to use different
intermediate CAs for ECC versus RSA).


Thanks for any suggestions anyone can provide,

Robert

[ANN] Apache Tomcat 8.5.61 available

[Mark Thomas]

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.5.61.

Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and Java Authentication Service Provider Interface for
Containers technologies.

Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled
forward from the 9.0.x branch. The notable changes since 8.5.60 include:

- Align the behaviour of ServletContext.getRealPath(String path) with
  the recent clarification from the Servlet specification project. If
  the path parameter does not start with / then Tomcat processes the
  call as if / is appended to the beginning of the provided path.

- Fix a potential file descriptor leak when WebSocket connections are
  attempted and fail. Patch provided by Maurizio Adami.

- Ensure that the LoadBalancerDrainingValve uses the correct setting
  for the secure attribute for any session cookies it creates. Based on
  a pull request by Andreas Kurth.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-8.5-doc/changelog.html


Downloads:
http://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 7.x and 8.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

[Amit Pande]

Thank you George for letting us know on 
-Dorg.bouncycastle.rsa.allow_multi_use=true" JVM option. Will explore this 
further and update the document 
(https://github.com/amitlpande/tomcat-9-fips/blob/master/README.md) 
appropriately. 

Albeit reluctantly, we have given in to use BCFIPS (over PKCS12) for our key 
stores as it is the only format meeting our FIPS requirements.

Thanks,
Amit

-Original Message-
From: George Stanchev  
Sent: Saturday, December 5, 2020 11:17 AM
To: Tomcat Users List 
Subject: RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Chris

-Original Message-
From: Christopher Schultz 
Sent: Friday, December 04, 2020 1:20 PM
To: users@tomcat.apache.org
Subject: Re: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?



> With the pluggability of Java's crypto interface, I seriously doubt 
> Oracle is going to certify a JCE module in the future, esp. with free 
> 3rd party solutions such as BCFIPS.

Is BC actually certified? It seems unlikely to me that a group of volunteers 
from Australia are going to bother to go through that module-certification 
process.

GS: While the project is open sourced they had a company (Crypto Workshop) that 
earned a living through paid support and consulting. They were recently 
acquired 
(https://www.prnewswire.com/news-releases/primekey-acquires-crypto-workshop-300988188.html).
 And yes they are certified 
(https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2768)
 and currently working on the next certification, expected out next year.




> I found it non-trivial and the toolsets to be very specific, and even 
> after following all instructions from several wikis and web pages I 
> kept running into issues resulting in overall failure.

Yes, the build process for OpenSSL is horrible. I have no idea why they decided 
to use Perl as their build system. On Windows? I have only tried to build the 
OpenSSL binary, not the FIPS-compliant module. Having done it on Linux (where 
it's "easy") I can say I'm glad I'm not responsible for doing it on Windows.

GS: Sadly, OpenSSL and the FIPS module built just fine. I forgot the details 
but it was the ARP or the tcnative itself that failed me. There is also a bug 
in OpenSSL or tomcat's glue code that if cacerts contain more than a certain 
number of certificates to fail the handshake with timeout 
(http://tomcat.10.x6.nabble.com/Client-Cert-TLS-issue-td5090609.html)

> Also, keep in mind that OpenSSL 1.0.1 is EOLed and the FIPS module is 
> only available for that version line. OpenSSL still produces security 
> fixes to paid support subscribers (we are) but they are not available 
> for the general public. OpenSSL 3.0 will have a refreshed re-certified 
> FIPS module but it is not due until later next year, so for now 
> general public is left hanging with the last public version of 
> 1.0.1+FIPS.

:(

This is why we can't have nice things.



> The workaround could be to use a different password based key 
> derivation function - PBKDF2. However, there is nothing in the PKCS12 
> spec that allows to encode another algorithm OID in MacData. In 
> essence, you cannot use any other algorithm other than the one defined 
> in spec which is not FIPS compliant.

And something which is ironically FIPS-compliant is to use a PEM file with no 
protection whatsoever.

GS: Well, the keys in the PEM files are still encrypted but you're right no 
protection of the overall container like in BCFKS or PKCS12

George

B CB  [  
X  ܚX KK[XZ[
 \ \  ][  X  ܚX P X ]
 \X K ܙ B  ܈Y][ۘ[  [X[  K[XZ[
 \ \  Z[ X ]
 \X K ܙ B 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Updates to POEditor.com

[Woonsan Ko]

Nice! So we can edit in POEditor without worrying about any escaping
issue then. That's great.

Cheers,

Woonsan

On Tue, Dec 8, 2020 at 4:49 AM Mark Thomas  wrote:
>
> All,
>
> As you are probably aware, the Apache Tomcat project uses POEditor.com
> to manage the i18n translations used by the project.
>
> The POEditor team have implemented a change that means it is no longer
> necessary for us to escape single quotes when using them in translated
> strings. The appropriate escaping is now added automatically when the
> strings are exported. The current translations have been updated to
> reflect this.
>
> We have seen an immediate benefit of this change. I am currently in the
> middle of re-exporting the translations from POEditor.coma and importing
> them into the Tomcat source code to confirm that POEDitor's automatic
> update didn't break anything. So far I have found no errors and a
> handful of instances where we were not escaping correctly that have been
> automatically corrected.
>
> Remember, anyone can create a POEditor.com account and start helping
> with the translations.
>
> https://poeditor.com/projects/view?id=221603
>
> Thanks,
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: [EXTERNAL] Re: Bouncy Castle FIPS on RHEL 7.3

[Amit Pande]

Thank you Stefan, Chris for the inputs.

As I understood from our security experts, there is no moving away from 
/dev/random (anything else isn't (strongly) FIPS compliant) for us.

Thanks,
Amit

-Original Message-
From: Christopher Schultz  
Sent: Wednesday, December 2, 2020 10:29 AM
To: users@tomcat.apache.org
Subject: Re: [EXTERNAL] Re: Bouncy Castle FIPS on RHEL 7.3

Stefan,

On 11/30/20 19:17, Stefan Mayr wrote:
> Hi,
> 
> Am 30.11.2020 um 17:09 schrieb Amit Pande:
>> I guess I will have to investigate the RHEL 7.3 entropy issue separately 
>> (possibly as hobby project) and look for other options to make progress.
>>
>> I still find it odd that something related to randomness (entropy 
>> generation) is so consistent (the slowness is equally slow or more on 
>> multiple RHEL 7.3 systems I have, maybe I need to look for machines from 
>> different data center or a physical 7.3 server).
>>
>> And yes, the 10 year certificate validity is just for testing 
>> purposes. 
>>
>> Thank you for your inputs. Indeed helpful in evaluating our choices.
>>
>> Thanks,
>> Amit
> 
> you might have a look at rng-tools (rngd) or haveged to boost your 
> entropy pool.
> 
> We use haveged in a VMware virtualized environment and this reduces a 
> plain tomcat startup from multiple minutes to just a few secondes.
> 
> I think Red Hat preferes rngd but there should be some articles on 
> access.redhat.com to help you depending on the used hypervisor.

I would think long and hard about whether or not you want to use any of these 
tools. There are already ways to get "a lot of entropy really quickly" from the 
Linux kernel; specifically, /dev/urandom.

The whole point of both /dev/random and /dev/urandom existing side by side is 
so that the application can pick whether it wants "high quality entropy" (by 
using /dev/random) or "good enough randomness" (by using /dev/urandom).

Tools like haveged and rngd basically make /dev/random behave like /dev/urandom 
so the application can never have "high quality entropy" 
even when it asks for it.

Have a look at this discussion on security.stackexchange to get you started 
down the path to paranoia:

https://security.stackexchange.com/questions/34523

My question has always been "if these things are both safe and a good idea, why 
does the Linux kernel not implement them directly?" There must be a reason why 
the kernel devs have decided not to "speed up" 
/dev/random using the techniques used by both haveged and rngd. Maybe their 
argument is essentially "you can always just use haveged/rngd" but my guess is 
there is a more fundamental reason for not adopting these techniques directly 
in the kernel.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[ANN] Apache Tomcat 9.0.41 available

[Mark Thomas]

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.41.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.41 is a bugfix and feature release. The notable
changes compared to 9.0.40 include:

- Align the behaviour of ServletContext.getRealPath(String path) with
  the recent clarification from the Servlet specification project. If
  the path parameter does not start with / then Tomcat processes the
  call as if / is appended to the beginning of the provided path.

- Fix a potential file descriptor leak when WebSocket connections are
  attempted and fail. Patch provided by Maurizio Adami.

- Ensure that the LoadBalancerDrainingValve uses the correct setting
  for the secure attribute for any session cookies it creates. Based on
  a pull request by Andreas Kurth.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-9.0-doc/changelog.html


Downloads:
http://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[ANN] Apache Tomcat 10.0.0 (beta) available

[Mark Thomas]

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.0.0 (beta).

Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move
from Java EE to Jakarta EE as part of the transfer of Java EE to the
Eclipse Foundation, the primary package for all implemented APIs has
changed from javax.* to jakarta.*. This will almost certainly require
code changes to enable applications to migrate from Tomcat 9 and earlier
to Tomcat 10 and later. A migration tool is under development to aid
this process.

Apache Tomcat 10.0.0 (beta) is a beta release of the 10.0.x
branch. The notable changes compared to 10.0.0-M10 include:

- The Jakarta EE specifications are now final. Tomcat passes the TCKs
  apart from a number of expected failures that don't impact
  specification compliance.

- The APR/Native AJP and HTTP connectors have been deprecated.
  Tomcat Native will continue to be used to support OpenSSL use with NIO
  and NIO2.

- Align the behaviour of ServletContext.getRealPath(String path) with
  the recent clarification from the Servlet specification project. If
  the path parameter does not start with / then Tomcat processes the
  call as if / is appended to the beginning of the provided path.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org