Jon,

On 2/26/20 09:25, jonmcalexan...@wellsfargo.com.INVALID wrote:
> -----Original Message-----
>> From: Mark Thomas <ma...@apache.org>
>> Sent: Wednesday, February 26, 2020 5:19 AM
>> To: users@tomcat.apache.org
>> Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat
>
>> On 26/02/2020 09:00, Mark Thomas wrote:
>> On 25/02/2020 21:47, Ellen Meiselman wrote:
>>> So it turned out that the logs were mostly set at FINE already,
>>> so Johann’s suggestion was already done.
>>>
>>> But I think I now know where the problem lies. Secure IIS
>>> request > to > non-secure AJP.
>>>
>>> I don’t think this was a problem on the other servers before
>>> but the security has probably been tightened, and it just doesn’t
>>> produce an error - it just won’t allow it.
>>>
>>> I have had IIS set to require SSL, but I turned it off to test
>>> and it actually worked all the way through to the simple.html
>>> file. So it’s some sort of policy about downgrading - which seems
>>> quite rational in retrospect.
>>
>> Thanks for the new information.
>>
>> That rules out an issue with the secret settings.
>>
>> I wonder if IIS (or more likely the ISAPI redirector) is adding
>> some unexpected request attributes that is triggering the new
>> protection for CVE-2020-1938. If that is the case, adding the
>> following to your AJP connector in server.xml should get things
>> working for SSL as well:
>>
>> allowedRequestAttributesPattern=".*"
>>
>> Meanwhile, I'll configure my local test environment for IIS with
>> TLS and see what happens.
>
>> Confirmed. That is the issue and
>> allowedRequestAttributesPattern=".*" works around it.
>
>> I need to debug further to find out exactly what the attributes
>> are. I expect we'll add them to the ones Tomcat accepts by
>> default.
>
>> Mark
>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>
> Thanks Mark, So, to be clear, add
>
> allowedRequestAttributesPattern=".*"
>
> to the AJP Connector in server.xml IF you are using IIS as the
> Front-End, using the AJP Plugin and having SSL configured in IIS?

And also if you can convince yourself that nobody is going to make
malicious connections to your AJP port.

It looks like Mark found the set of attributes that need to be added
to the whitelist; if you look at those patches, you can put just those
items into the pattern (e.g.
allowedRequestAttributesPattern="(CLIENT_CERT|..." to be as safe as
possible.

-chris
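To make the two options in this thread concrete, here is an added server.xml fragment (example configuration, not from the thread or from the Tomcat project) showing the ".*" workaround Mark confirmed next to the narrower pattern Chris suggests. It assumes the AJP connector attributes `address`, `secretRequired`, `secret` and `allowedRequestAttributesPattern` of a Tomcat release that carries the CVE-2020-1938 hardening; CLIENT_CERT comes from the thread, while the other attribute names in the alternation are placeholders.

```xml
<!-- Added example, not from the thread: two ways to configure the Tomcat AJP
     connector in server.xml after the CVE-2020-1938 hardening, for the
     IIS + ISAPI redirector + TLS case discussed above.
     allowedRequestAttributesPattern is a regular expression matched against
     the name of each request attribute the redirector forwards over AJP. -->

<!-- Option 1: the workaround from the thread. ".*" accepts every forwarded
     attribute, so it is only acceptable when nothing but IIS can reach the
     AJP port: bind it to loopback (or the IIS host's address) and keep the
     shared secret mandatory. -->
<Connector protocol="AJP/1.3"
           port="8009"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE-WITH-THE-SECRET-CONFIGURED-IN-THE-ISAPI-REDIRECTOR"
           allowedRequestAttributesPattern=".*" />

<!-- Option 2: Chris's narrower variant. Only the attributes IIS actually
     sends are allowed. CLIENT_CERT is the name mentioned in the thread; the
     two ASSUMED_* names are placeholders showing the shape of the
     alternation and must be replaced by the attribute names from the Tomcat
     patches Mark referenced. -->
<Connector protocol="AJP/1.3"
           port="8009"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE-WITH-THE-SECRET-CONFIGURED-IN-THE-ISAPI-REDIRECTOR"
           allowedRequestAttributesPattern="(CLIENT_CERT|ASSUMED_ATTR_1|ASSUMED_ATTR_2)" />
```

If a request from IIS is still refused with option 2, raise the AJP logging to FINE (as Ellen did) to see which attribute name was rejected, and add only that name to the pattern.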
