Thank you Chris for the inputs.

export JAVA_OPTS=-Dorg.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true before 
running the configtest

This seems to help fail the validation if connector initialization fails.

Thanks,
Amit
________________________________
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Sunday, June 22, 2025 3:30 PM
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: SUSPICIOUS Re: Updating configTest to include shutdown port validation

Amit,

On 6/20/25 11:32 AM, Amit Pande wrote:
> Thank you Mark for the feedback.
>
> Reason to ask for shutdown port availability was that configtest already 
> checks that for connector ports. E.g.
>
> SEVERE: Failed to initialize component [Connector["nbhttps-jsse-nio-127.0.0.1-12345"]]
> org.apache.catalina.LifecycleException: Protocol handler initialization failed
>          at org.apache.catalina.connector.Connector.initInternal(Connector.java:1075)
>          at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
>          at org.apache.catalina.core.StandardService.initInternal(StandardService.java:522)
>          at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
>          at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:957)
>          at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
>          at org.apache.catalina.startup.Catalina.load(Catalina.java:712)
>          at org.apache.catalina.startup.Catalina.load(Catalina.java:735)
>          at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)
>          at java.base/java.lang.reflect.Method.invoke(Unknown Source)
>          at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
>          at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:485)
> Caused by: java.net.BindException: Address already in use
>          at java.base/sun.nio.ch.Net.bind0(Native Method)
>          at java.base/sun.nio.ch.Net.bind(Unknown Source)
>          at java.base/sun.nio.ch.ServerSocketChannelImpl.netBind(Unknown Source)
>          at java.base/sun.nio.ch.ServerSocketChannelImpl.bind(Unknown Source)
>          at org.apache.tomcat.util.net.NioEndpoint.initServerSocket(NioEndpoint.java:266)
>          at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:221)
>          at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1399)
>          at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1412)
>          at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:633)
>          at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:82)
>          at org.apache.catalina.connector.Connector.initInternal(Connector.java:1073)
>          ... 11 more
>
> And a follow-up question: even with the SEVERE error like above (or while 
> creating the SSL context due to incorrect store password for instance), the 
> return code is 0. Did I miss anything here?
>
> Jun 20, 2025 10:23:15 AM org.apache.catalina.startup.Catalina load
> INFO: Server initialization in [2457] milliseconds
> [me@mymachine bin]# echo $?
> 0

A single connector failing won't cause the server to fail to start. So
it doesn't cause the configtest to fail, either.

-chris

> ________________________________
> From: Mark Thomas <ma...@apache.org>
> Sent: Friday, June 20, 2025 2:58 AM
> To: users@tomcat.apache.org <users@tomcat.apache.org>
> Subject: Re: Updating configTest to include shutdown port validation
>
> On 20/06/2025 01:18, Amit Pande wrote:
>> Hello,
>>
>> I was testing out the "configtest" option of the catalina.sh/.bat and 
>> observed that it does not do validation for the shutdown port.
>
> There are lots of things it doesn't explicitly test. Why is the shutdown
> port of particular interest?
>
>> https://github.com/apache/tomcat/blob/8bbdabe02c384cf15aa43dafb66a5b42440edac3/java/org/apache/catalina/startup/Bootstrap.java
>>
>>                   case "configtest":
>>                       daemon.load(args);
>>                       if (null == daemon.getServer()) {
>>                           System.exit(1);
>>                       }
>>                       // Can we add the shutdown port validation code here?
>>                       // Check if the port is an integer, check if this port is available for use
>
> The integer check will be performed automatically as part of parsing the
> file. You'll see a warning for non-integer values.
>
> Port availability is a tricky one. Just because the port is available
> now, that is no guarantee it will be available when you start the instance.
>
> Consider the case of three Tomcat instances on a single machine, all
> using the same shutdown port. Run the configtest on each and it passes.
> Try starting them and you get failures.
>
> I'm not convinced there is much value in a port availability test.
>
>>                       // Not 100% sure yet if this is the right place
>>                       validateShutdownPort(daemon.getServer().getPort());
>>                       System.exit(0);
>>                       break;
>>
>> Appreciate feedback on whether this is a good idea to enhance the server.xml 
>> config validation check?
>
> I'm not yet convinced.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
>
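
Added example, not part of the original thread and not Tomcat project code: a deployment gate that applies the two observations above, namely that configtest returned 0 despite a logged SEVERE connector failure, and that setting EXIT_ON_INIT_FAILURE changes this. The function names, return codes and sample log are constructed for illustration, and CATALINA_HOME is assumed to point at the Tomcat installation.

```shell
#!/bin/sh
# Added example, not Tomcat project code. Function names and return codes are
# illustrative; CATALINA_HOME is assumed to point at the Tomcat installation.

# Constructed sample: lines shaped like the run quoted in the thread, which
# logged a SEVERE connector failure and still exited with status 0.
sample_log() {
    cat <<'EOF'
SEVERE: Failed to initialize component [Connector["nbhttps-jsse-nio-127.0.0.1-12345"]]
Caused by: java.net.BindException: Address already in use
INFO: Server initialization in [2457] milliseconds
EOF
}

# Judge one configtest run from its exit code ($1) and its output (stdin).
# Returns 0 = clean, 1 = non-zero exit code, 2 = exit code 0 but SEVERE logged.
check_configtest_result() {
    if [ "$1" -ne 0 ]; then
        return 1
    fi
    # Matches "SEVERE:" at line start (format shown in the thread) or SEVERE
    # as a separate word after a timestamp.
    if grep -Eq '(^|[[:space:]])SEVERE(:|[[:space:]])'; then
        return 2
    fi
    return 0
}

# Run configtest with EXIT_ON_INIT_FAILURE set, then apply the check above so
# that a logged failure is still caught if the exit code stays 0.
run_configtest() {
    log=$(mktemp) || return 3
    JAVA_OPTS="${JAVA_OPTS:-} -Dorg.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true" \
        "$CATALINA_HOME/bin/catalina.sh" configtest >"$log" 2>&1
    rc=$?
    check_configtest_result "$rc" <"$log"
    verdict=$?
    [ "$verdict" -eq 0 ] || cat "$log" >&2
    rm -f "$log"
    return "$verdict"
}
```

Call `run_configtest` from the deployment script and treat any non-zero return as a failed validation. As noted in the thread, a pass says nothing about whether a port will still be free when the instance actually starts.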

