Re: OT: hsts in Tomcat 9.0.73
Jon,

On 4/25/23 13:26, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Here is the code for the HSTS part of the Filter:
>
> // HSTS
> if (hstsEnabled && request.isSecure()) {
>     httpResponse.setHeader(HSTS_HEADER_NAME, hstsHeaderValue);
> }

I was wondering if maybe secure="true" wasn't there, but you have it. :hmm:

What's the name of the application artifact? Like the WAR file or WAR directory in webapps/?

Are you deploying it multiple times -- say, from both auto-deployment *and also* with a <Context> in conf/server.xml?

Your copy/paste of web.xml has a bunch of leading - symbols before each element, e.g.:

- httpHeaderSecurity

Is that just an artifact from the XML editor/viewer you are using?

I can see these headers which should also be coming from the HttpHeaderSecurityFilter:

X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1

(Although the documentation suggests that the value for X-XSS-Protection should be "1; mode=block" and it isn't in the above header value.)

Are you able to change the configuration and/or add some code/config?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
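The filter code Jon quoted sets Strict-Transport-Security only when request.isSecure() is true, so the connector has to terminate TLS itself, carry secure="true", or sit behind a RemoteIpValve that honours X-Forwarded-Proto; the other three headers are emitted regardless, which is exactly the pattern curl showed. The Python script below is an added example, not code from the thread or from Tomcat: it parses a captured `curl -sSIk https://host:8443/` dump and reports which of the HttpHeaderSecurityFilter headers are missing or weaker than expected. The two dumps are constructed to mirror the thread's symptoms, and the one-year minimum max-age is an assumed policy, not a Tomcat default.

```python
"""Check a captured HTTP response-header dump for the headers Tomcat's
HttpHeaderSecurityFilter is expected to add (HSTS, X-Frame-Options,
X-Content-Type-Options, X-XSS-Protection).

Added example, not Tomcat code. The sample dumps are constructed to look
like `curl -sSIk https://host:8443/` output; the one-year minimum max-age
is an assumed policy rather than a Tomcat default.
"""
import re

ONE_YEAR = 31_536_000  # seconds; assumed minimum max-age for HSTS


def parse_headers(raw: str) -> dict:
    """Turn a raw `curl -I` dump into a dict keyed by lower-cased header name.
    The status line is skipped; a repeated header keeps its last value."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value: str) -> dict:
    """Split an HSTS value into its directives (RFC 6797 section 6.1).
    Directive names are case-insensitive; Tomcat joins them with ';' and no space."""
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_security_headers(raw: str) -> list:
    """Return a list of findings; an empty list means every header checked out."""
    h = parse_headers(raw)
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: Strict-Transport-Security not sent (filter disabled, "
                        "not mapped to this URL, or request.isSecure() was false)")
    else:
        d = parse_hsts(hsts)
        if not re.fullmatch(r"\d+", d.get("max-age", "")):
            findings.append(f"HSTS invalid: max-age missing or not an integer in {hsts!r}")
        elif int(d["max-age"]) < ONE_YEAR:
            findings.append(f"HSTS weak: max-age={d['max-age']} is below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS note: includeSubDomains not set")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")
    if h.get("x-xss-protection") == "1":
        findings.append("X-XSS-Protection is '1'; the filter emits '1; mode=block' when enabled")
    return findings


# Constructed dump matching what the thread reports: the other three filter
# headers are present but HSTS is not, and X-XSS-Protection is just "1".
FAILING_DUMP = """\
HTTP/1.1 200 
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
Content-Type: text/html;charset=UTF-8
"""

# Constructed dump from a connector/filter pair that is configured correctly.
PASSING_DUMP = """\
HTTP/1.1 200 
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
"""

if __name__ == "__main__":
    for name, dump in (("failing", FAILING_DUMP), ("passing", PASSING_DUMP)):
        print(name, check_security_headers(dump) or "OK")
```

Run it against a real dump with `curl -sSIk https://host:8443/ > headers.txt` and feed the file's contents to check_security_headers(); if HSTS is the only header missing while the other three are present, the filter is running and the missing piece is almost always request.isSecure().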
Re: OT: hsts in Tomcat 9.0.73
Olaf,

On 4/22/23 03:13, Olaf Kock wrote:
> On 22.04.23 at 00:48, jonmcalexan...@wellsfargo.com.INVALID wrote:
>> Thanks Peter, I still do not see the hsts header. I'm wondering if this is causing it.
>>
>> SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
>>
>> I don't know why it's complaining as the certificate for Tomcat is not a self-signed certificate.
>
> That's a good guess: Anything self-signed is a problem for HSTS

No it's not.

> (though only curl might see it as that, depending on the root certificate store it uses compared to your browser). However, somehow I'd expect the server to be ignorant to the level of trust that the client has and send the header anyway.

The server should send the header. The client should report that the header was sent. There is no "self-signed silently removes HTTP response headers" or anything like that.

> Another aspect to dig into is the explicit nonstandard port number. I didn't fully parse the RFC for it, but there are several statements on explicit, implicit ports and how they're mapped.

The Filter has no idea what port is being used, nor does it care.

-chris
Re: OT: hsts in Tomcat 9.0.73
Jon,

On 4/25/23 11:33, jonmcalexan...@wellsfargo.com.INVALID wrote:
> There is a ROOT application which is part of the overall app and not the default Tomcat one. How should this be added to those web.xml files?

If you deploy your own webapp as ROOT then you should place that HSTS configuration in ROOT/WEB-INF/web.xml and nowhere else.

-chris
RE: OT: hsts in Tomcat 9.0.73
Christopher,

Here is the SSL connector:

Thanks!

Jon McAlexander
Senior Infrastructure Engineer
RE: [External] Re: Tomcat Native 1.2.30 -- Windows 2016 TLSv1.3 support?
Ok -- makes sense.

Thank you,
Vincent
RE: OT: hsts in Tomcat 9.0.73
Christopher,

There is a ROOT application which is part of the overall app and not the default Tomcat one. How should this be added to those web.xml files?

I'm working on getting the connector.

Thanks,

Jon McAlexander
Senior Infrastructure Engineer
Re: OT: hsts in Tomcat 9.0.73
Jon,

On 4/25/23 10:31, jonmcalexan...@wellsfargo.com.INVALID wrote:
> It's the Server level web.xml in conf

So it applies to all web applications.

I would recommend that you change that configuration to:

1. Be present in your own web application's WEB-INF/web.xml file and
2. Deploy a ROOT application which has only a few things in it and
3. Be present in webapps/ROOT/WEB-INF/web.xml

Having a missing ROOT application can cause a few weird things to happen. Having the ROOT means that you can always return e.g. a 404 response even if there is no application deployed on /foo just in case. (This may have changed in the past few years; it used to be that a request for /foo would return 400 or something similar instead of 404.)

It also means that your Tomcat installation doesn't have to be re-customized any time you upgrade it: just deploy your dummy-ROOT and your own application and you are all good.

What does your <Connector> look like for port 8443?

-chris
RE: OT: hsts in Tomcat 9.0.73
Hi Christopher,

It's the Server level web.xml in conf, and no, the file is all lowercase. Welcome to the wonderful world of Qualys. :-)

Thank you,

Jon McAlexander
Senior Infrastructure Engineer
Re: Tomcat Native 1.2.30 -- Windows 2016 TLSv1.3 support?
Vincent,

On 4/25/23 05:14, Mark Thomas wrote:
> On 24/04/2023 20:15, Ragosta, Vincent wrote:
>> Hello all,
>>
>> We have an application packaged with Tomcat Native 1.2.30, which, per the following, the Windows binaries were built using OpenSSL 1.1.1k:
>>
>> https://www.mail-archive.com/dev@tomcat.apache.org/msg152993.html
>>
>> However, per Microsoft, Windows 2016 does not support TLSv1.3:
>>
>> https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
>>
>> Do Tomcat Native or OpenSSL depend upon support for TLSv1.3 in the underlying OS?
>
> No.

:)

To be more specific, OpenSSL *is an implementation of SSL/TLS and the underlying cryptographic primitives*. The whole point is that it is not dependent upon whatever the operating system supports.

-chris
Re: java.lang.InternalError: Unexpected CryptoAPI failure generating seed
Thomas,

On 4/21/23 15:04, Thomas Worster wrote:
> That document is mostly about a corrupted install in Weblogic, but after that, it suggests making sure you are using the urandom (non-blocking) random number generator.

This is Tomcat's Standard(Session)Manager generating a session identifier. It should be using a "fast" PRNG and not the potentially-slow one. Specifically, it uses SHA1PRNG by default.

There was a recent change to specifically request the SecureRandom seed before handing control over to the application, but I believe that is unrelated to the problem being experienced, here.

> If you're using the blocking RNG, it would explain why the issue is not easily repeatable.
>
> -Djava.security.egd=file:/dev/./urandom

This hasn't been required since like Java 1.7. Also, Tomcat's code uses alternate configuration mechanisms and the value of java.security.egd should not affect it.

> I can't recall if the format of that string is the same in Windows, but it should be similar.

It doesn't matter.

-chris

> On Fri, Apr 21, 2023 at 2:15 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
>> Harri,
>>
>> On 4/21/23 04:39, Harri Pesonen wrote:
>>> No, I think that I have seen this only once now, but of course it might have happened more than once. Googling says that other people have seen this as well, but very randomly. Apparently the problem happens in a Windows function, but the JNI call does not tell the reason for the failure. This happened in AWS cloud, perhaps the server was busy or something. Or there is some kind of bug in the JDK. Probably this would need a JDK developer to look at.
>>>
>>> There might be a solution here: https://support.oracle.com/knowledge/Middleware/1492450_1.html#FIX
>>>
>>> But I can't see it. 😊
>>
>> I can't see it, either; I'm not an Oracle customer.
>>
>> If this is rare, and Tomcat can't really do anything about it, I would say "monitor your servers and restart them if necessary." Sorry... it doesn't look like we really have any other choices, here.
>>
>> -chris
>>
>>> -----Original Message-----
>>> From: Christopher Schultz
>>> Sent: Thursday, 20 April 2023 19:35
>>> To: users@tomcat.apache.org
>>> Subject: Re: java.lang.InternalError: Unexpected CryptoAPI failure generating seed
>>>
>>> Harri,
>>>
>>> On 4/18/23 07:43, Harri Pesonen wrote:
>>>> Hello, we have:
>>>>
>>>> Tomcat/8.5.83
>>>> Windows Server 2016
>>>> java.version=11.0.12
>>>> java.vendor=Azul Systems, Inc.
>>>> sun.arch.data.model=64
>>>>
>>>> Sometimes Tomcat fails to start our application because of this error:
>>>>
>>>> 06:45:58.230 ERR> (Catalina-startStop-1) (org.apache.catalina.startup.HostConfig#deployDescriptors) Error waiting for multi-thread deployment of deployment descriptors to complete
>>>> java.util.concurrent.ExecutionException: java.lang.InternalError: Unexpected CryptoAPI failure generating seed
>>>>     at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
>>>>     at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
>>>>     at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:594)
>>>>     at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:472)
>>>>     at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1610)
>>>>     at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:318)
>>>>     at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
>>>>     at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
>>>>     at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
>>>>     at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:962)
>>>>     at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:833)
>>>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>>>     at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1427)
>>>>     at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1417)
>>>>     at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
>>>>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>>>>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>>>>     at java.base/java.lang.Thread.run(Thread.java:829)
>>>> Caused by: java.lang.InternalError: Unexpected CryptoAPI failure generating seed
>>>>     at java.base/sun.security.provider.NativeSeedGenerator.getSeedBytes(NativeSeedGenerator.java:62)
Re: OT: hsts in Tomcat 9.0.73
Jon,

On 4/25/23 10:15, Christopher Schultz wrote:
> Jon,
>
> On 4/20/23 16:39, jonmcalexan...@wellsfargo.com.INVALID wrote:
>> Hello again.
>>
>> I have another app team that is getting hit with a QID 11827 stating that the HSTS security header is missing. We have reviewed the web.xml and the appropriate section and filter are present. hstsEnabled is set to true. Performing a curl against the site does NOT show the HSTS STRICT header.
>>
>> WEB.XML
>
> Which web.xml? And is the filename really capitalized?

Oh, and also, what does your <Connector> look like for port 8443?

-chris
Re: OT: hsts in Tomcat 9.0.73
Jon,

On 4/20/23 16:39, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Hello again.
>
> I have another app team that is getting hit with a QID 11827 stating that the HSTS security header is missing. We have reviewed the web.xml and the appropriate section and filter are present. hstsEnabled is set to true. Performing a curl against the site does NOT show the HSTS STRICT header.
>
> WEB.XML

Which web.xml? And is the filename really capitalized?

-chris
Re: [OT] MySQL Connection settings
Kevin,

On 4/21/23 14:19, Kevin Huntly wrote:
> in general. something all purpose to get started with
>
> On Fri, Apr 21, 2023, 14:17 Christopher Schultz <ch...@christopherschultz.net> wrote:
>> Kevin,
>>
>> On 4/21/23 09:35, Kevin Huntly wrote:
>>> I'm not a DBA nor do I pretend to be, so I'm asking what everyone's thoughts are on MySQL connection string settings? What are the best options to use, what options are absolutely required, etc?
>>
>> Just ... in general? Or do you have a specific use-case?

Uhh... I would recommend getting the host, port, and database correct, otherwise you'll be disappointed. Everything after that is pretty much up to you.

Are you using clustering or a multi-primary setup? Are you using a db load-balancer (e.g. haproxy or similar)? What does your code expect when datetime values are all zeros? Do you care about security? You should. I recommend encrypting all connections, regardless of the network configuration.

At $work, we have collected a bunch of settings over the years that we have been required to set. Some of them may no longer be necessary, but they are all things we've tripped over.

There is nothing the driver can do to significantly improve performance of the database other than:

1. Configuring how prepared statements are done: client-side or server-side. Server-side prepared statements were broken for a good long time, but all the references to Oracle's documentation I had for that issue have disappeared online :(

2. Provide pooling, which really should be handled by your application (or Tomcat in the case of a web application).

-chris
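Chris's answer above lists what actually matters in a Connector/J URL: host, port and database being right, encrypted connections, what happens to all-zero datetimes, and client- versus server-side prepared statements. The Python script below is an added example, not part of the thread or of Connector/J: it parses a jdbc:mysql:// URL, audits it against those points plus three properties that widen the attack surface when switched on, and rewrites it. The property names are Connector/J 8.0 names (sslMode, zeroDateTimeBehavior, useServerPrepStmts, allowPublicKeyRetrieval, allowLoadLocalInfile, allowMultiQueries); which settings count as required is an assumed policy, and the sample URL is constructed.

```python
"""Audit a MySQL Connector/J JDBC URL for the settings the thread calls out
and rewrite it with the settings this policy treats as required.

Added example, not from the thread or from Connector/J. The property names
are Connector/J 8.0 names; the verdicts are an assumed policy, not MySQL's
defaults, and the sample URL is constructed.
"""
from urllib.parse import urlsplit, parse_qsl, urlencode

# Connector/J 8.0 sslMode values, weakest to strongest.
SSL_MODES = ["DISABLED", "PREFERRED", "REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"]

# Properties that widen the attack surface when switched on; assumed policy is "never".
RISKY_FLAGS = {
    "allowPublicKeyRetrieval": "client accepts an unauthenticated server RSA key when TLS is off",
    "allowLoadLocalInfile": "server can make the client upload local files",
    "allowMultiQueries": "stacked statements turn any injection into arbitrary SQL",
}


def parse_jdbc_mysql(url: str) -> tuple:
    """Split 'jdbc:mysql://host[:port]/db?k=v...' into (host, port, db, params).
    Raises ValueError for anything that is not a single-host jdbc:mysql URL."""
    if not url.startswith("jdbc:mysql://"):
        raise ValueError("not a jdbc:mysql:// URL")
    parts = urlsplit(url[len("jdbc:"):])
    if not parts.hostname:
        raise ValueError("no host in URL")
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return parts.hostname, parts.port or 3306, parts.path.lstrip("/"), params


def audit_mysql_url(url: str) -> list:
    """Return findings for the URL, transport problems first; [] means clean."""
    _host, _port, db, p = parse_jdbc_mysql(url)
    findings = []

    # Transport: sslMode (8.0) or the legacy useSSL/verifyServerCertificate pair.
    mode = p.get("sslMode", "").upper()
    if mode:
        if mode not in SSL_MODES or SSL_MODES.index(mode) < SSL_MODES.index("VERIFY_CA"):
            findings.append(f"sslMode={mode}: TLS without certificate verification")
    elif p.get("useSSL", "").lower() == "false":
        findings.append("useSSL=false: connection is unencrypted")
    elif p.get("verifyServerCertificate", "").lower() != "true":
        findings.append("no sslMode and verifyServerCertificate!=true: server identity unchecked")

    for flag, why in RISKY_FLAGS.items():
        if p.get(flag, "").lower() == "true":
            findings.append(f"{flag}=true: {why}")

    if not db:
        findings.append("no database name in the URL path")

    # Behavioural settings Chris asks about: make the choice explicit.
    if "zeroDateTimeBehavior" not in p:
        findings.append("zeroDateTimeBehavior unset: all-zero DATETIME values throw (EXCEPTION)")
    if "useServerPrepStmts" not in p:
        findings.append("useServerPrepStmts unset: client-side prepared statements (the default)")
    return findings


def harden_mysql_url(url: str) -> str:
    """Rewrite the URL so that audit_mysql_url() has nothing left to say."""
    host, port, db, p = parse_jdbc_mysql(url)
    for legacy in ("useSSL", "requireSSL", "verifyServerCertificate"):
        p.pop(legacy, None)
    p["sslMode"] = "VERIFY_IDENTITY"             # encrypt and check the server name
    for flag in RISKY_FLAGS:
        p.pop(flag, None)
    p.setdefault("zeroDateTimeBehavior", "CONVERT_TO_NULL")
    p.setdefault("useServerPrepStmts", "false")  # explicit, not silently the default
    return f"jdbc:mysql://{host}:{port}/{db}?{urlencode(p)}"


# Constructed "all-purpose" URL of the kind that gets copied from tutorials.
WEAK_URL = "jdbc:mysql://db.example.internal:3306/app?useSSL=false&allowMultiQueries=true"

if __name__ == "__main__":
    for finding in audit_mysql_url(WEAK_URL):
        print("-", finding)
    print(harden_mysql_url(WEAK_URL))
```

VERIFY_IDENTITY needs the server certificate's name to match the host in the URL and a trust store the driver can reach (trustCertificateKeyStoreUrl or the JVM default), which is the part that usually takes longer than editing the URL.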
Re: Tomcat VAPT Closure
On 25/04/2023 12:18, PRATIK HUMNABADKAR wrote:
> Hi,
>
> We tried below suggestion but still receiving below errors. Please guide.

Try reading the log messages.

> server.xml
>
> 25-Apr-2023 16:08:46.067 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]
> 25-Apr-2023 16:08:46.349 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11AprProtocol-9090]]
> org.apache.catalina.LifecycleException: The configured protocol [org.apache.coyote.http11.Http11AprProtocol] requires the APR/native library which is not available
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1031)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1042)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)

Pick a different Connector implementation (I suggest NIO unless you have a good reason to pick something different) or, if you have a good reason for using the APR/Native connector, install the Tomcat Native library for your platform.

Mark
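Mark's suggestion is to move the connector off Http11AprProtocol unless libtcnative is actually installed. The same startup log (quoted in full in the message below) also carries a digester WARNING that SSLPassword could not be set on <Certificate>: in Tomcat 9 that attribute does not exist, so the password is ignored and the key cannot be unlocked even once the protocol is fixed. The Python script below is an added example, not Tomcat code: it applies both checks to a server.xml and emits the corrected document. The sample server.xml and the placeholder password are constructed; the attribute mapping (certificateKeyPassword for a PEM key file, certificateKeystorePassword for a keystore) follows the Tomcat 9 SSLHostConfig/Certificate reference, and a NIO connector reads PEM files through Tomcat's JSSE implementation without any native library.

```python
"""Check a Tomcat 9 server.xml for the two problems visible in the log above:
a connector on Http11AprProtocol when tcnative is absent, and an SSLPassword
attribute on <Certificate>, which Tomcat 9 does not have (the digester logs a
WARNING and drops it, so the key password never reaches the connector).

Added example, not Tomcat code. The sample server.xml is constructed and the
password is a placeholder. Tomcat 9 <Certificate> password attributes:
certificateKeyPassword (PEM key file) or certificateKeystorePassword (keystore).
"""
import xml.etree.ElementTree as ET

APR = "org.apache.coyote.http11.Http11AprProtocol"
NIO = "org.apache.coyote.http11.Http11NioProtocol"


def _password_attr(cert) -> str:
    """Pick the password attribute that matches the key material declared
    on the <Certificate> element: keystore vs. PEM key file."""
    return ("certificateKeystorePassword" if "certificateKeystoreFile" in cert.attrib
            else "certificateKeyPassword")


def audit_server_xml(xml_text: str) -> list:
    """Return one finding per problem; [] means both checks passed."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("protocol") == APR:
            findings.append(
                f"Connector {port}: {APR} needs libtcnative on java.library.path; "
                f"use {NIO} unless the native library is installed")
        for cert in conn.iter("Certificate"):
            if "SSLPassword" in cert.attrib:
                findings.append(
                    f"Connector {port}: SSLPassword is not a <Certificate> attribute "
                    f"(the digester warns and ignores it); use {_password_attr(cert)}")
    return findings


def fix_server_xml(xml_text: str) -> str:
    """Apply both fixes and return the rewritten XML as a string."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("protocol") == APR:
            conn.set("protocol", NIO)
        for cert in conn.iter("Certificate"):
            password = cert.attrib.pop("SSLPassword", None)
            if password is not None:
                cert.set(_password_attr(cert), password)
    return ET.tostring(root, encoding="unicode")


# Constructed server.xml reproducing the two mistakes from the thread's log.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9090" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true">
      <SSLHostConfig>
        <Certificate certificateKeyFile="conf/server.key"
                     certificateFile="conf/server.crt"
                     SSLPassword="placeholder-not-a-real-password"/>
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print("-", finding)
    print(fix_server_xml(SAMPLE_SERVER_XML))
```

After the rewrite, the "failed to set property [SSLPassword]" WARNING disappears from catalina.out, which is the quickest confirmation that the connector is now actually receiving the key password; keeping that password out of a world-readable server.xml is the next item.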
RE: Tomcat VAPT Closure
Hi,

We tried the suggestion below but are still receiving the errors below. Please guide.

Server.xml

Tomcat error log:

[root@AfCrdrulEgUATApp logs]# tail -f catalina.out
at org.apache.catalina.startup.Catalina.parseServerXml(Catalina.java:617)
at org.apache.catalina.startup.Catalina.load(Catalina.java:709)
at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
25-Apr-2023 16:04:17.563 SEVERE [main] org.apache.catalina.startup.Catalina.start Cannot start server, server instance is not configured
25-Apr-2023 16:08:46.025 WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [SSLPassword] to [123456789]
25-Apr-2023 16:08:46.063 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/9.0.62
25-Apr-2023 16:08:46.063 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Mar 31 2022 14:34:15 UTC
25-Apr-2023 16:08:46.063 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.62.0
25-Apr-2023 16:08:46.063 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux
25-Apr-2023 16:08:46.063 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 3.10.0-862.el7.x86_64
25-Apr-2023 16:08:46.064 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
25-Apr-2023 16:08:46.064 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-2.b14.el7.x86_64/jre
25-Apr-2023 16:08:46.064 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 1.8.0_161-b14
25-Apr-2023 16:08:46.064 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Oracle Corporation
25-Apr-2023 16:08:46.064 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /home/ajayv/Actico/Actico-Rules/6.8.3/dev-server/apache-tomcat-9.0.62
25-Apr-2023 16:08:46.064 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /home/ajayv/Actico/Actico-Rules/6.8.3/dev-server/apache-tomcat-9.0.62
25-Apr-2023 16:08:46.065 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/home/ajayv/Actico/Actico-Rules/6.8.3/dev-server/apache-tomcat-9.0.62/conf/logging.properties
25-Apr-2023 16:08:46.065 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
25-Apr-2023 16:08:46.065 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dvisualrules.executionserver.home=/home/ajayv/Actico/Actico-Rules/6.8.3/server
25-Apr-2023 16:08:46.065 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
25-Apr-2023 16:08:46.065 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
25-Apr-2023 16:08:46.065 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
25-Apr-2023 16:08:46.065 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
25-Apr-2023 16:08:46.065 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/home/ajayv/Actico/Actico-Rules/6.8.3/dev-server/apache-tomcat-9.0.62
25-Apr-2023 16:08:46.065 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/home/ajayv/Actico/Actico-Rules/6.8.3/dev-server/apache-tomcat-9.0.62
25-Apr-2023 16:08:46.065 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/home/ajayv/
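The WARNING in the log above, "failed to set property [SSLPassword]", is Tomcat's Digester reporting that SSLPassword is not an attribute it can set on a <Certificate> element, so the key password in that attribute is never applied; in Tomcat 9 the private-key password on <Certificate> is certificateKeyPassword. A small lint that catches this before startup, as an added example that is not code from this thread or from Tomcat: it assumes the Tomcat 9 <Certificate> attribute names listed in the block and the legacy Connector-level names it maps from, and it runs on a constructed server.xml fragment modeled on the one quoted in this thread, with placeholder paths and password.

```python
"""Lint a Tomcat 9 server.xml for <Certificate> attributes the Digester
cannot set, and rename legacy Connector-level names to their
<Certificate> equivalents.  Added example, not Tomcat's own tooling."""
import xml.etree.ElementTree as ET

# Attributes Tomcat 9 accepts on <Certificate> inside <SSLHostConfig>
# (assumed list, taken from the Tomcat 9 SSL configuration reference).
CERTIFICATE_ATTRS = {
    "certificateFile", "certificateKeyFile", "certificateChainFile",
    "certificateKeyPassword", "certificateKeystoreFile",
    "certificateKeystorePassword", "certificateKeystoreProvider",
    "certificateKeystoreType", "certificateKeyAlias", "type",
}

# Pre-8.5 APR <Connector> attribute names that are often carried over to
# <Certificate>, where SetPropertiesRule rejects them (assumed mapping).
LEGACY_RENAMES = {
    "SSLPassword": "certificateKeyPassword",
    "SSLCertificateFile": "certificateFile",
    "SSLCertificateKeyFile": "certificateKeyFile",
    "SSLCertificateChainFile": "certificateChainFile",
}


def find_certificate_problems(xml_text):
    """Return [(attribute, message)] for every <Certificate> attribute that
    Tomcat 9 would log a 'failed to set property' warning for."""
    root = ET.fromstring(xml_text)
    problems = []
    for cert in root.iter("Certificate"):
        for name in cert.attrib:
            if name in CERTIFICATE_ATTRS:
                continue
            if name in LEGACY_RENAMES:
                msg = ("legacy Connector attribute; on <Certificate> use "
                       + LEGACY_RENAMES[name])
            else:
                msg = "unknown <Certificate> attribute"
            problems.append((name, msg))
    return problems


def rename_legacy_attrs(xml_text):
    """Return the XML with legacy names on <Certificate> renamed in place;
    all other elements and attributes are left untouched."""
    root = ET.fromstring(xml_text)
    for cert in root.iter("Certificate"):
        for old, new in LEGACY_RENAMES.items():
            if old in cert.attrib:
                cert.set(new, cert.attrib.pop(old))
    return ET.tostring(root, encoding="unicode")


# Constructed fragment modeled on the posted server.xml; paths and the key
# password are placeholders, not values from the thread.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateFile="/etc/tomcat/certs/server.crt"
                     certificateKeyFile="/etc/tomcat/certs/server.key"
                     SSLPassword="PLACEHOLDER-KEY-PASSWORD"
                     certificateChainFile="/etc/tomcat/certs/chain.crt" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for attr, msg in find_certificate_problems(SAMPLE_SERVER_XML):
        print(f"<Certificate> attribute {attr}: {msg}")
    fixed = rename_legacy_attrs(SAMPLE_SERVER_XML)
    print("after rename, remaining problems:",
          find_certificate_problems(fixed))
```

Run it against your own conf/server.xml by reading the file into `find_certificate_problems`; an empty result means every <Certificate> attribute is one the Digester will set, which removes that WARNING as a cause of the "server instance is not configured" failure and lets you look at whatever else the parse reports.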
Re: Tomcat Native 1.2.30 -- Windows 2016 TLSv1.3 support?
On 24/04/2023 20:15, Ragosta, Vincent wrote:
> Hello all,
>
> We have an application packaged with Tomcat Native 1.2.30, which, per the following, the Windows binaries were built using OpenSSL 1.1.1k:
> https://www.mail-archive.com/dev@tomcat.apache.org/msg152993.html
>
> However, per Microsoft, Windows 2016 does not support TLSv1.3:
> https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
>
> Do Tomcat Native or OpenSSL depend upon support for TLSv1.3 in the underlying OS?

No.

Mark
RE: Tomcat VAPT Closure
Hi Mark,

We tried the 2 suggestions below but are still receiving errors. Can we get into a quick Teams call where I can share my screen to resolve this?

Regards,
Pratik

-Original Message-
From: Mark Eggers
Sent: 25 April 2023 11:08
To: users@tomcat.apache.org
Subject: Re: Tomcat VAPT Closure

Pratik,

On 4/24/2023 10:20 PM, PRATIK HUMNABADKAR wrote:
> Hi,
>
> Server.xml
>
> SSLEngine="on" />
>
> className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
> className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
>
> type="org.apache.catalina.UserDatabase"
> description="User database that can be updated and saved"
> factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
> pathname="conf/tomcat-users.xml" />
>
> connectionTimeout="2"
> redirectPort="8443" />
>
> SSLProtocol="TLSv1.2" protocol="org.apache.coyote.http11.Http11AprProtocol"
>
> certificateFile="/root/visualrules/bajaj_af_cert/ServerCertificate.crt"
> certificateKeyFile="/root/visualrules/bajaj_af_cert/bflaf.key"
> SSLPassword="123456789"
> certificateChainFile="/root/visualrules/bajaj_af_cert/Root.crt" />
>
> resourceName="UserDatabase"/>
>
> unpackWARs="true" autoDeploy="true">
>
> directory="logs"
> prefix="localhost_access_log" suffix=".txt"
> pattern="%h %l %u %t "%r" %s %b" />
>
> Error Log Tomcat:
>
> 21-Apr-2023 16:29:45.545 SEVERE [main] org.apache.catalina.startup.Catalina.start Cannot start server, server instance is not configured
> 21-Apr-2023 16:37:07.450 WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [SSLPassword] to [123456789]
> 21-Apr-2023 16:37:07.454 SEVERE [main] org.apache.tomcat.util.digester.Digester.endElement End event threw exception
> java.lang.reflect.InvocationTargetException
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:469)
> at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:143)
> at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:1046)
> at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609)
> at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1782)
> at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2967)
> at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:602)
> at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:505)
> at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:842)
> at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:771)
> at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
> at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
> at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
> at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1535)
> at org.apache.catalina.startup.Catalina.parseServerXml(Catalina.java:617)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:709)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
> at sun.reflect.NativeMethodAccessorI