On 10/09/2020 21:23, Brian Harris wrote:
> Thanks Christopher.  You just nailed it buddy.  I changed them all to \r\n
> and it got a 200.  I was completely overlooking that as it had never caused
> a problem before.  Something in 8.5.51 would not allow that anymore.

That is the fix for CVE-2020-1935

See http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51

It isn't explicit in the changelog because it is security related and
the change log is public before the release is available.

Mark


>
> On Thu, Sep 10, 2020 at 4:07 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Brian,
> 
> On 9/10/20 13:13, Brian Harris wrote:
>>>> We’re having an issue when upgrading Tomcat from 8.5.50 to 8.5.51.
>>>> Since moving to this version, requests sent to the http port are
>>>> failing with a 400 error code(bad request).  The server.xml is
>>>> configured to redirect the http port to the https port.  This has
>>>> worked for years and did not start failing until the upgrade.
>>>> Below is the connector config and the java class used to send a
>>>> test transaction to the server.
>>>>
>>>> I’ve searched the change log and the only change I can see that
>>>> might cause this is the Bug fix for bug 63966 – Charset of TLS
>>>> message is hard coded to ISO-8859-1.  This bug fix was introduced
>>>> into 8.5.51.  The reason I believe this might be the reason is when
>>>> we would send this request to tomcat 8.5.50 the reply Content-Type
>>>> would look like this:
>>>>
>>>>
>>>>
>>>> Content-Type: text/plain;charset=ISO-8859-1
>>>>
>>>>
>>>>
>>>> With tomcat 8.5.51, I get this:
>>>>
>>>> Content-Type: text/html;charset=utf-8
>>>>
>>>>
>>>>
>>>> Any ideas why I’m getting the 400 error when upgrading to 8.5.51
>>>> and beyond ?
>>>>
>>>>
>>>>
>>>> Connector config:
>>>>
>>>>
>>>>
>>>> <Connector port="5555" protocol="HTTP/1.1"
>>>>            connectionTimeout="20000"
>>>>            redirectPort="7777"
>>>> />
>>>>
>>>> <Connector port="7777" protocol="HTTP/1.1" SSLEnabled="true"
>>>>            scheme="https" secure="true"
>>>>            ciphers="TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
>>>>            clientAuth="false" sslProtocol="TLS"
>>>>            sslEnabledProtocols="TLSv1.2"
>>>>            keyAlias="myKey"
>>>>            keystore="NONE"
>>>>            keystorePass="password"
>>>>            keystoreType="PKCS11"
>>>>            keystoreProvider="myprovider"
>>>>            enableLookups="false"
>>>>            server="server"
>>>> />
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Java class used to send the test transaction:
>>>>
>>>>
>>>>
>>>> package com.testing;
>>>>
>>>> import java.io.*;
>>>> import java.net.*;
>>>> import java.util.Date;
>>>> import java.text.DateFormat;
>>>> import java.text.SimpleDateFormat;
>>>>
>>>> public class RunTestTran {
>>>>
>>>>     public RunTestTran() {
>>>>     }
>>>>
>>>>     public static void main(String[] args) {
>>>>         RunTestTran recordProcessorTest = new RunTestTran();
>>>>         recordProcessorTest.runTran("localhost", 5555, "/requestProcessor/rp");
>>>>     }
>>>>
>>>>     private void runTran(String ip, int port, String appName) {
>>>>         Socket socket = null;
>>>>         PrintWriter out = null;
>>>>         BufferedReader in = null;
>>>>         String dataToSend = "";
>>>>
>>>>         //Create socket connection
>>>>         try {
>>>>             socket = new Socket(ip, port);
>>>>             out = new PrintWriter(socket.getOutputStream(), true);
>>>>             in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
>>>>         } catch (Exception e) {
>>>>             System.out.println("Exception:" + e.toString());
>>>>             System.exit(1);
>>>>         }
>>>>
>>>>         DateFormat dateFormat = new SimpleDateFormat("MMddHHmmsss");
>>>>         //get current date time with Date() to create a 11 digit tran id
>>>>         Date date = new Date();
>>>>         String tranId = dateFormat.format(date);
>>>>         String PRIMER_TRAN = "     V " + tranId + "9999999999000000000JANE DOE         100 Redwood Shores Pkwy             Redwood City CA94065000000000000000  PRIMER TRAN";
>>>>
>>>>         try {
>>>>             dataToSend = URLEncoder.encode("inputRecord", "UTF-8") + "=" + URLEncoder.encode(PRIMER_TRAN, "UTF-8");
>>>>         } catch (Exception e) {
>>>>             System.out.println("Exception caught!" + e.toString());
>>>>         }
>>>>
>>>>         // send message
>>>>         StringBuffer sb = new StringBuffer();
>>>>         sb.append("POST /" + appName + "/wrp HTTP/1.1\r\n");
>>>>         // Try connection close-- see if it does close
>>>>         sb.append("Connection: close\r\n");
>>>>         sb.append("Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword\n");
>>>>         sb.append("Accept-Language: en-us\n");
>>>>         sb.append("Accept-Encoding: gzip, deflate\n");
>>>>         sb.append("User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n");
>>>>         // Authorization
>>>>         sb.append("Authorization: Basic DK34a3RvbWVydGVzddkK7WCx\n");
>>>>         sb.append("Host: " + ip + ":" + port + "\n");
>>>>         sb.append("Content-Length: " + dataToSend.length() + "\r\n");
>>>>         sb.append("Content-Type: application/x-www-form-urlencoded\r\n");
>>>>         sb.append("\r\n");
>>>>         sb.append(dataToSend);
>>>>
>>>>         // Send data
>>>>         String text = sb.toString();
>>>>         out.println(text);
>>>>
>>>>         System.out.println("\nText sent " + text.length() + " bytes:");
>>>>         System.out.println(text + "\n\n");
>>>>
>>>>         try {
>>>>             String gotBack1 = in.readLine();
>>>>             System.out.println("Text received:" + gotBack1);
>>>>             String gotBack = null;
>>>>             while ((gotBack = in.readLine()) != null) {
>>>>                 System.out.println("Text received:" + gotBack);
>>>>                 if ((gotBack.indexOf("TQ!") != -1)) {
>>>>                     break;
>>>>                 }
>>>>             }
>>>>         } catch (Exception e) {
>>>>             System.out.println("Read failed! " + e.toString());
>>>>             System.exit(1);
>>>>         }
>>>>     }
>>>> }
> 
> Half your headers have \n line-terminators rather than \r\n
> line-terminators. Is that intentional? It's certainly not /legal/.
> 
> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>
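A pre-send check for the problem diagnosed in this thread, as an added example that is not code from any of the posters or from Tomcat: it reports which request or header lines end in a bare LF instead of CRLF, the condition the thread says 8.5.51 answers with a 400. The class name, the `bareLfLines` helper, the `/app` path and both sample requests are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class HeaderTerminatorCheck {

    static final String CRLF = "\r\n";

    /** Returns the 1-based numbers of request-line/header lines that end in LF without a preceding CR. */
    static List<Integer> bareLfLines(byte[] request) {
        List<Integer> bad = new ArrayList<>();
        int lineStart = 0;
        int lineNo = 1;
        for (int i = 0; i < request.length; i++) {
            if (request[i] != '\n') {
                continue;
            }
            // The CR only counts if it belongs to the current line.
            boolean hasCr = i > lineStart && request[i - 1] == '\r';
            int contentLen = i - lineStart - (hasCr ? 1 : 0);
            if (!hasCr) {
                bad.add(lineNo);
            }
            if (contentLen == 0) {
                break; // empty line: end of the header section, the body is not checked
            }
            lineStart = i + 1;
            lineNo++;
        }
        return bad;
    }

    public static void main(String[] args) {
        String body = "inputRecord=TEST"; // constructed body
        // Constructed request that mixes terminators the way the client in the thread does.
        String mixed = "POST /app HTTP/1.1\r\n"
                + "Connection: close\r\n"
                + "Accept-Language: en-us\n"
                + "Host: localhost:5555\n"
                + "Content-Length: " + body.length() + "\r\n"
                + "\r\n" + body;
        // The same request with every line of the header section ended by CRLF.
        String fixed = String.join(CRLF,
                "POST /app HTTP/1.1", "Connection: close", "Accept-Language: en-us",
                "Host: localhost:5555", "Content-Length: " + body.length(), "", body);
        System.out.println("mixed: " + bareLfLines(mixed.getBytes(StandardCharsets.ISO_8859_1)));
        System.out.println("fixed: " + bareLfLines(fixed.getBytes(StandardCharsets.ISO_8859_1)));
    }
}
```

Building every header line through a single `CRLF` constant, as the `fixed` request does, keeps a stray `\n` from slipping back in when headers are added later.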

