Re: Http2UpgradeHandler error

2016-06-22 Thread Andrei Ivanov
On Wed, Jun 22, 2016 at 10:42 PM, Mark Thomas wrote: > On 21/06/2016 17:36, Mark Thomas wrote: >> On 21/06/2016 14:52, Mark Thomas wrote: >>> On 21/06/2016 14:43, Andrei Ivanov wrote: >> >> >> 21-Jun-2016 13:38:41.122 FINE [https-openssl-apr-8443-exec-6]

Re: SSL problems with Tomcat 7.0.69

2016-06-22 Thread James Wiley
Mark, Thanks for the hint! I added the following line to my connector and it did the trick! ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,

Re: Http2UpgradeHandler error

2016-06-22 Thread Mark Thomas
On 21/06/2016 17:36, Mark Thomas wrote: > On 21/06/2016 14:52, Mark Thomas wrote: >> On 21/06/2016 14:43, Andrei Ivanov wrote: > > > >>> 21-Jun-2016 13:38:41.122 FINE [https-openssl-apr-8443-exec-6] >>> org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper.fillReadBuffer >>> An APR general

Re: SSL problems with Tomcat 7.0.69

2016-06-22 Thread Mark Thomas
On 22/06/2016 16:47, James Wiley wrote: > Hi Tomcat Users, > > Has anyone run into any issues supporting SSL using the JSSE Connector when > upgrading from 7.0.68 to 7.0.69? > > I help maintain a web application that uses tomcat7. A recent upgrade from > 7.0.68 to 7.0.69 has caused the

SSL problems with Tomcat 7.0.69

2016-06-22 Thread James Wiley
Hi Tomcat Users, Has anyone run into any issues supporting SSL using the JSSE Connector when upgrading from 7.0.68 to 7.0.69? I help maintain a web application that uses tomcat7. A recent upgrade from 7.0.68 to 7.0.69 has caused the tomcat7 instance to throw an “Error during SSL Handshake”

Re: error during startup after applying changes from CVE-2016-3092

2016-06-22 Thread Lentes, Bernd
- On Jun 22, 2016, at 1:52 PM, Bernd Lentes bernd.len...@helmholtz-muenchen.de wrote: > Hi, > > I changed maxHttpHeaderSize in server.xml following the recommendation in > CVE-2016-3092. > I changed it to 2048 bytes. > >connectionTimeout="2" >

error during startup after applying changes from CVE-2016-3092

2016-06-22 Thread Lentes, Bernd
Hi, I changed maxHttpHeaderSize in server.xml following the recommendation in CVE-2016-3092. I changed it to 2048 bytes.

Re: Webapp with underscore in it's name leads to failed session-cookies

2016-06-22 Thread Mark Thomas
On 22/06/2016 11:29, Mark Thomas wrote: > On 22/06/2016 09:28, Markus Näher wrote: >> In the web console of firefox, I could see that the session cookie was >> set with the path /jsf%5ftest, while other cookies (set by myfaces) were >> correctly set with the path /jsf_test. >> It looks like

Re: Webapp with underscore in it's name leads to failed session-cookies

2016-06-22 Thread Mark Thomas
On 22/06/2016 09:28, Markus Näher wrote: > Hi, > > I'm working on a JSF (myfaces) project that runs on Tomcat. First I > thought it was a myfaces issue, but they told me that the container is > responsible for the session cookie, so now I'm here :-) That is correct. To a point. There are some

[SECURITY][CORRECTION] CVE-2016-3092 Apache Tomcat Denial of Service

2016-06-22 Thread Mark Thomas
Note: This announcement corrects several errors and omissions in the Tomcat aspects of the announcement for CVE-2016-3092 from the Apache Commons project that was recently forwarded to various Apache Tomcat mailing lists. For the sake of clarity, the Tomcat specific corrections are as follows: 1.

Webapp with underscore in it's name leads to failed session-cookies

2016-06-22 Thread Markus Näher
Hi, I'm working on a JSF (myfaces) project that runs on Tomcat. First I thought it was a myfaces issue, but they told me that the container is responsible for the session cookie, so now I'm here :-) I've created a minimal JSF test project and I called it jsf_test. When I open the tomcat

RE: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability

2016-06-22 Thread Chinoy Gupta
Thanks for the info Mark. Regards, Chinoy -----Original Message----- From: Mark Thomas [mailto:ma...@apache.org] Sent: Wednesday, June 22, 2016 11:43 AM To: Tomcat Users List Subject: Re: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability

Re: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability

2016-06-22 Thread Mark Thomas
On 22/06/2016 05:51, Chinoy Gupta wrote: > What about 8.5.x branch? Is that also affected? Yes. 8.5.0 to 8.5.2 are affected. > And I am not able to see this update on Tomcat security page. Any reasons for > that? Oversight. I'll get it added later today unless someone beats me to it. I'll also