Hi,

For all those of you helping me with the AJP connector
allowedRequestAttributesPattern, I've spent some time carefully sanitizing
2 sets of isapi_redirect.log entries and put them up at the link below.
These logs were generated from exactly two requests (sanitized version
shown).

https://myserver.com/MyExposedApplication/simple.html
and
http://myserver.com/MyExposedApplication/simple.html

In other words SSL, and non-SSL.

I believe these show the request and headers, and hopefully will help with
a discussion of allowed request attributes.

Here's the link:
https://docs.google.com/document/d/1Y4NNrshG_4_sV4hArP2G0xoAzdxjMvivL_0IVJKE5SM/edit?usp=sharing

They'll be up for about 1 day, so please copy the text if you find them
useful.

Ellen
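An added illustration (not part of this thread) of how Tomcat evaluates allowedRequestAttributesPattern against the attribute names such logs reveal: Tomcat requires the whole attribute name to match, ".*" admits every custom attribute a front-end sends (which switches the CVE-2020-1938 attribute filtering off), and an alternation built from the names actually observed is the narrower alternative. The attribute names below are constructed placeholders, since the real ones are not in the thread.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Tomcat applies allowedRequestAttributesPattern to each custom AJP request
# attribute name with Java's Matcher.matches(), so the WHOLE name must match.
# Python's re.fullmatch has the same semantics; re.match (prefix match) would
# make a pattern look more permissive than Tomcat actually treats it.
def is_attribute_allowed(pattern: Optional[str], name: str) -> bool:
    """Return True if Tomcat would accept this custom request attribute."""
    if pattern is None:
        # Attribute not configured (the default): every custom attribute is
        # rejected and the request gets a 403.
        return False
    return re.fullmatch(pattern, name) is not None


def audit_pattern(pattern: Optional[str], names: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split observed attribute names into (allowed, rejected) for a pattern."""
    allowed, rejected = [], []
    for name in names:
        (allowed if is_attribute_allowed(pattern, name) else rejected).append(name)
    return allowed, rejected


# Constructed placeholders standing in for the attribute names one would read
# out of the sanitized isapi_redirect.log entries; the real names are not
# given in this thread.
OBSERVED_FROM_LOG = ["AJP_EXAMPLE_ONE", "AJP_EXAMPLE_TWO"]
SAMPLE_NAMES = OBSERVED_FROM_LOG + ["UNEXPECTED_ATTR"]

WORKAROUND = ".*"                         # accepts any attribute a front-end sends
NARROWED = "|".join(re.escape(n) for n in OBSERVED_FROM_LOG)  # only what was observed

if __name__ == "__main__":
    for label, pattern in (("workaround", WORKAROUND), ("narrowed", NARROWED), ("default", None)):
        allowed, rejected = audit_pattern(pattern, SAMPLE_NAMES)
        print(f"{label:10} allowed={allowed} rejected={rejected}")
```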

On Wed, Feb 26, 2020 at 9:25 AM <jonmcalexan...@wellsfargo.com.invalid>
wrote:

> -----Original Message-----
> > From: Mark Thomas <ma...@apache.org>
> > Sent: Wednesday, February 26, 2020 5:19 AM
> > To: users@tomcat.apache.org
> > Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat
>
> > On 26/02/2020 09:00, Mark Thomas wrote:
> > On 25/02/2020 21:47, Ellen Meiselman wrote:
> >> So it turned out that the logs were mostly set at FINE already, so
> > Johann’s suggestion was already done.
> >>
> >> But I think I now know where the problem lies. Secure IIS request to
> > non-secure AJP.
> >>
> >> I don’t think this was a problem on the other servers before but the
> > security has probably been tightened, and it just doesn’t produce an
> > error - it just won’t allow it.
> >>
> >> I have had IIS set to require SSL, but I turned it off to test and it
> > actually worked all the way through to the simple.html file. So it's
> > some sort of policy about downgrading - which seems quite rational in
> > retrospect.
> >
> > Thanks for the new information.
> >
> > That rules out an issue with the secret settings.
> >
> > I wonder if IIS (or more likely the ISAPI redirector) is adding some
> > unexpected request attributes that are triggering the new protection
> > for CVE-2020-1938. If that is the case, adding the following to your
> > AJP connector in server.xml should get things working for SSL as well:
> >
> > allowedRequestAttributesPattern=".*"
> >
> > Meanwhile, I'll configure my local test environment for IIS with TLS
> > and see what happens.
>
> > Confirmed. That is the issue and allowedRequestAttributesPattern=".*"
> > works around it.
>
> > I need to debug further to find out exactly what the attributes are. I
> expect we'll add them to the ones Tomcat accepts by default.
>
> > Mark
>
>
> Thanks Mark,
> So, to be clear, add
>
> allowedRequestAttributesPattern=".*"
>
> to the AJP Connector in server.xml IF you are using IIS as the Front-End,
> using the AJP Plugin and having SSL configured in IIS?
>
> Thanks,
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Asst Vice President
>
> Middleware Product Engineering
> Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions
>
> Upcoming PTO: 11/8, 11/11, 11/15, 11/22, 11/28, 11/29, 12/2, 12/6, 12/13,
> 12/20 – 12/31
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexan...@wellsfargo.com
>
