On Wed, Nov 21, 2018, 9:48 AM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Tim,
>
> On 11/20/18 13:36, Tim K wrote:
> > On Tue, Nov 20, 2018, 12:19 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> > > Tim,
> > >
> > > On 11/20/18 11:42, Tim K wrote:
> > > > > Ignore the secure port. The code behind that setting was
> > > > > never implemented. We really should remove it.
> > > > >
> > > > > You want:
> > > > >
> > > > > http://tomcat.apache.org/tomcat-9.0-doc/config/cluster-interceptor.html#org.apache.catalina.tribes.group.interceptors.EncryptInterceptor_Attributes
> > > > >
> > > > > Mark
> > > >
> > > > I'm having some trouble getting it working. Can you provide
> > > > an example of the new EncryptInterceptor with an algorithm
> > > > and key?
> > >
> > > Each node in the cluster needs an interceptor configured, like
> > > this:
> > >
> > > <Interceptor
> > > className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
> > > encryptionKey="[the key]" />
> > >
> > > All nodes need the same key. The default algorithm
> > > (AES/CBC/PKCS12Padding) is sufficient.
> > >
> > > To generate a key, just get some random garbage and convert it
> > > into hex, like this:
> > >
> > > $ dd if=/dev/urandom bs=128 count=1 2>/dev/null | md5
> > >
> > > That'll give you a 128-bit key you can use for encryption. You can
> > > also use a 256-bit key if you'd like, or a 192-bit key. For keys
> > > larger than 128 bits (32 bytes), you'll need to use a different
> > > signature algorithm such as sha1 or later.
> > >
> > > I just chose MD5 because it generates the right number of output
> > > characters for a 128-bit key. You can get your random key from
> > > anywhere, including pounding on the keyboard. Remember that the
> > > key must be in hex-encoded binary (so only characters 0-9 and
> > > a-f).
> > >
> > > -chris
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> > I tried this between 2 nodes but it fails with this error on each:
> >
> > dd if=/dev/urandom bs=128 count=1 2>/dev/null | md5sum
> > e0f2cdf931e99fdce0453964294f97f3 -
> >
> > <Interceptor
> > className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
> > encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />
> >
> > 20-Nov-2018 13:31:20.070 SEVERE [Tribes-Task-Receiver[Catalina-Channel]-1] org.apache.catalina.tribes.group.interceptors.EncryptInterceptor.messageReceived Failed to decrypt message
> > javax.crypto.BadPaddingException: Given final block not properly
> > padded. Such issues can arise if a bad key is used during
> > decryption.
>
> Both nodes have the same encryption key, right? The key itself looks
> fine. For example, I dropped that key into the unit test file and it
> worked as expected.
>
> I've been working on a patch yesterday and today that uses random IVs
> instead of re-using them. It really shouldn't change anything about
> the config, etc. but both nodes will require the new code to re-test.
> I've also expanded the unit tests to cover cipher block modes other
> than CBC.
>
> I don't actually have a cluster here for testing, though, so
> everything is being done with the unit tests.
>
> I thought I had reproduced your issue (BadPaddingException) except it
> turned out that the test itself was wrong and the interceptor code was
> correct.
>
> Are you able to build from source? I'm about to commit these changes
> to the trunk (9.0.x), which really shouldn't change anything for you,
> but it might fix some edge case that you are hitting.
>
> -chris

Key is the same on both, yes. I never built from src before.
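An added example in Python, not code from the thread or from Tomcat: it draws a key of one of the three sizes Chris mentions straight from the OS CSPRNG, validates a candidate encryptionKey the way a practitioner would before pasting it into server.xml (hex only, AES-sized), and compares the key across two constructed node configs, since a mismatch is the first thing to rule out behind "Failed to decrypt message". The helper names and the sample <Cluster> fragments are my own assumptions.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# AES key sizes in bits that the interceptor accepts per the thread above.
AES_KEY_BITS = (128, 192, 256)
HEX_RE = re.compile(r"^[0-9a-f]+$")

def generate_tribes_key(bits: int = 128) -> str:
    """Fresh random key as lower-case hex from the OS CSPRNG (no hashing needed)."""
    if bits not in AES_KEY_BITS:
        raise ValueError(f"unsupported AES key size: {bits}")
    return secrets.token_hex(bits // 8)

def check_tribes_key(value: str) -> int:
    """Validate an encryptionKey value; return its size in bits or raise."""
    if not HEX_RE.fullmatch(value):
        # Rejects upper-case hex, whitespace and the trailing " -" that md5sum
        # prints after the digest if its output is pasted verbatim.
        raise ValueError("encryptionKey must contain only 0-9 and a-f")
    bits = len(value) // 2 * 8
    if len(value) % 2 or bits not in AES_KEY_BITS:
        raise ValueError(f"{len(value)} hex digits is not a 128/192/256-bit key")
    return bits

def extract_key(server_xml: str) -> str:
    """Return the EncryptInterceptor key from a <Cluster> fragment of server.xml."""
    for el in ET.fromstring(server_xml).iter("Interceptor"):
        if el.get("className", "").endswith(".EncryptInterceptor"):
            return el.get("encryptionKey", "")
    raise ValueError("no EncryptInterceptor configured")

def cluster_keys_agree(*node_xml: str) -> bool:
    """True when every node carries the same, valid key (the first question
    to answer when one node logs 'Failed to decrypt message')."""
    keys = {extract_key(x) for x in node_xml}
    for k in keys:
        check_tribes_key(k)  # raises with a reason if any node's key is malformed
    return len(keys) == 1

# Constructed sample configs (not from a real deployment); node B has the
# md5sum suffix " -" pasted into the key by mistake.
CLUSTER = ('<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">'
           '<Channel className="org.apache.catalina.tribes.group.GroupChannel">'
           '<Interceptor className="org.apache.catalina.tribes.group.'
           'interceptors.EncryptInterceptor" encryptionKey="{key}"/>'
           '</Channel></Cluster>')
NODE_A = CLUSTER.format(key="e0f2cdf931e99fdce0453964294f97f3")
NODE_B = CLUSTER.format(key="e0f2cdf931e99fdce0453964294f97f3 -")
```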