Posted to users@tomcat.apache.org by Ramon Pfeiffer <ra...@uni-tuebingen.de> on 2015/05/28 18:29:19 UTC

Problem specifying cipher suites in tomcat6

Hi all,

I'm currently trying to specify a list of cipher suites to be used by my 
connector in Tomcat 6.0.24. However, when testing the connector with 
ssllabs.com, a bunch of ciphers I didn't specify show up.

Here is the connector config:

<Connector
      port="443"
      protocol="HTTP/1.1"
      enableLookups="false"
      SSLEnabled="true"
      scheme="https"
      secure="true"
      clientAuth="false"
      keystoreFile="{omitted}"
      sslProtocols = "TLSv1,TLSv1.1,TLSv1.2"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
/>

Just for the sake of the argument, I specified only a single suite.

This is what ssllabs gives me as list of possible ciphers:

TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Obviously, this is not what I specified. When configuring
ciphers="ALL"
the result  Anybody can shed some light on what I did wrong?

Thanks for any help.

Best regards
Ramon Pfeiffer

-- 
--
Universität Tübingen
Zentrum für Datenverarbeitung

E-Mail: ramon.pfeiffer@uni-tuebingen.de
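
Added example (not part of the original post and not Tomcat code): a Python check that compares the connector's `ciphers` attribute with the suite list a scan reports, and labels each suite the connector did not ask for. The connector and scan output are copied from the post above as embedded sample input; the function names and weakness labels are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Sample input copied from the post (keystoreFile is the post's own placeholder).
CONNECTOR_XML = """<Connector
      port="443"
      protocol="HTTP/1.1"
      enableLookups="false"
      SSLEnabled="true"
      scheme="https"
      secure="true"
      clientAuth="false"
      keystoreFile="{omitted}"
      sslProtocols = "TLSv1,TLSv1.1,TLSv1.2"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
/>"""

# Suites the scan listed, copied from the post.
SCAN_OUTPUT = """\
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
"""


def configured_suites(connector_xml):
    """Return the suites named in the Connector's comma-separated ciphers attribute."""
    connector = ET.fromstring(connector_xml)
    return [s.strip() for s in connector.get("ciphers", "").split(",") if s.strip()]


def split_suite(name):
    """Split TLS_<kx>_WITH_<cipher>_<hash> into its parts, or None if it does not fit."""
    if "_WITH_" not in name:
        return None
    body = name.split("_", 1)[1]            # drop the TLS_ / SSL_ prefix
    kx, _, rest = body.partition("_WITH_")
    cipher, _, digest = rest.rpartition("_")
    return kx, cipher, digest


def weaknesses(name):
    """Label well-known weak components of one suite (labels are this example's own)."""
    parts = split_suite(name)
    if parts is None:
        return ["unparsed name"]
    kx, cipher, digest = parts
    found = []
    if "DHE" not in kx:                     # matches neither DHE nor ECDHE
        found.append("no forward secrecy")
    if cipher.startswith("RC4"):
        found.append("RC4")
    if cipher.startswith("3DES"):
        found.append("3DES")
    if digest == "MD5":
        found.append("MD5 MAC")
    return found


def audit(connector_xml, scan_output):
    """Compare what the connector asks for with what the scan saw on the wire."""
    wanted = configured_suites(connector_xml)
    offered = [line.strip() for line in scan_output.splitlines() if line.strip()]
    return {
        # configured, but never seen by the scanner
        "missing": [s for s in wanted if s not in offered],
        # seen by the scanner, but not configured
        "unexpected": {s: weaknesses(s) for s in offered if s not in wanted},
        # True only when the server offers exactly the configured set
        "honoured": bool(wanted) and set(wanted) == set(offered),
    }


if __name__ == "__main__":
    report = audit(CONNECTOR_XML, SCAN_OUTPUT)
    print("ciphers attribute honoured:", report["honoured"])
    for suite in report["missing"]:
        print("configured but not offered:", suite)
    for suite, flags in report["unexpected"].items():
        print("offered but not configured:", suite, ", ".join(flags))
```

For the input in the post, the only configured suite is absent from the scan and all twelve reported suites are unconfigured, which is the mismatch the question describes.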




RE: Problem specifying cipher suites in tomcat6

Posted by Jeffrey Janner <Je...@PolyDyne.com>.
> -----Original Message-----
> From: Ramon Pfeiffer [mailto:ramon.pfeiffer@uni-tuebingen.de]
> Sent: Friday, May 29, 2015 2:33 AM
> To: users@tomcat.apache.org
> Subject: Re: Problem specifying cipher suites in tomcat6
> 
> Am 28.05.2015 um 18:56 schrieb Caldarale, Charles R:
> >> From: Ramon Pfeiffer [mailto:ramon.pfeiffer@uni-tuebingen.de]
> >> Subject: Problem specifying cipher suites in tomcat6
> >
> >> I'm currently trying to specify a list of cipher suites to be used by
> my
> >> connector in Tomcat 6.0.24.
> >
> >> Anybody can shed some light on what I did wrong?
> >
> > Using a version of Tomcat that's more than five years old is the first
> thing - there have been many, many security fixes since then, including
> some related to the ciphers attribute.  You also need to tell us the JVM
> version, the platform you're running on, and whether or not APR is in
> use for this <Connector> (it's in the logs).
> 
> Sadly, it's a system I inherited last year and now have the pleasure to
> work with. I can't update Tomcat for I don't know what will break.
> 
> Anyway, I'm working on a RHEL6 system. A java -version yields
> # java -version
> java version "1.7.0_79"
> OpenJDK Runtime Environment (rhel-2.5.5.3.el6_6-x86_64 u79-b14)
> OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)
> 
> APR is not installed.
> 
> Thanks,
> Ramon
You should be able to upgrade to the latest version of Tomcat 7 with little to no problem. 
Get the latest release from the tomcat website, not the Red Hat RPM and you can install it in parallel with your existing Tomcat, so you can switch back quickly if you do experience a problem related to the upgrade.
You will need to migrate your server.xml file and possibly your context.xml files as well, though unlikely in the latter case.
I know that a lot depends on how tightly integrated your app is with tomcat, but I made the migration with almost no difficulty years ago.
Jeff 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Problem specifying cipher suites in tomcat6

Posted by George Stanchev <Gs...@serena.com>.
Chris, thanks for sharing this. I've recently run across a similar tool:

http://www.bolet.org/TestSSLServer/

That does the same thing as your code but may be a little bit more elaborate. It also has source code at the link. Since you have shared your code, I might as well share this - the more the better.

George

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Friday, May 29, 2015 3:32 PM
To: Tomcat Users List
Subject: Re: Problem specifying cipher suites in tomcat6

Ramon,

On 5/29/15 4:42 PM, Ramon Pfeiffer wrote:
> On 29.05.2015 21:12, Christopher Schultz wrote:
>> Ramon,
>> 
>> On 5/29/15 3:32 AM, Ramon Pfeiffer wrote:
>>> Am 28.05.2015 um 18:56 schrieb Caldarale, Charles R:
>>>>> From: Ramon Pfeiffer
>>>>> [mailto:ramon.pfeiffer@uni-tuebingen.de] Subject: Problem 
>>>>> specifying cipher suites in tomcat6
>>>> 
>>>>> I'm currently trying to specify a list of cipher suites to be used 
>>>>> by my connector in Tomcat 6.0.24.
>>>> 
>>>>> Anybody can shed some light on what I did wrong?
>>>> 
>>>> Using a version of Tomcat that's more than five years old is the 
>>>> first thing - there have been many, many security fixes since then, 
>>>> including some related to the ciphers attribute.
>>>> You also need to tell us the JVM version, the platform you're 
>>>> running on, and whether or not APR is in use for this <Connector> 
>>>> (it's in the logs).
>> 
>>> Sadly, it's a system I inherited last year and now have the pleasure 
>>> to work with. I can't update Tomcat for I don't know what will 
>>> break.
>> 
>> If you can't upgrade it, you are better-off shutting-down the 
>> service, because there are security vulnerabilities in there.
>> 
>> So, ask your boss which is worse: shuttering the project, or getting 
>> a new version of Tomcat into a testing environment?
> 
> Shutting it down is not an option. So I guess next week will be... 
> interesting.
> 
> The important thing is this: Will the connector work in this 
> configuration after I updated Tomcat? Or is the issue completely 
> unrelated? Where are the ciphers shown by ssllabs taken from? Is the 
> cipher attribute ignored?

Lots of things have been fixed/added in more recent versions of Tomcat 6.0.x. Please give a quick test against Tomcat 6.0.latest: you don't even need to deploy your own web application on it; just configure it for SSL and hit the default web application (the Tomcat documentation), or the examples, or whatever.

SSLLabs picks the ciphers it wants to check for; usually a group of "good" ciphers to make sure that you can support the latest-and-greatest ciphers, plus a bunch of them that are known to be broken (like most SSL-only ones).

This tool may help you test, because it's a whole lot faster than SSLLabs' tests:
http://markmail.org/message/tz4z44nfjl7sy2lj

- -chris


Re: Problem specifying cipher suites in tomcat6

Posted by Konstantin Kolinko <kn...@gmail.com>.
2015-06-01 11:17 GMT+03:00 Ramon Pfeiffer <ra...@uni-tuebingen.de>:
> Am 29.05.2015 um 23:31 schrieb Christopher Schultz:
>>
>> Lots of things have been fixed/added in more recent versions of Tomcat
>> 6.0.x. Please give a quick test against Tomcat 6.0.latest: you don't
>> even need to deploy your own web application on it; just configure it
>> for SSL and hit the default web application (the Tomcat
>> documentation), or the examples, or whatever.
>>
>
> Apparently, I need to correct myself a bit. Tomcat6 is installed via the
> RHEL repositories, the latest version offered by RHEL is 6.0.24:
> # yum list tomcat6.x86_64
> tomcat6.x86_64          6.0.24-83.el6_6
>
> So it seems as if the latest version of tomcat6 is installed already, giving
> me the cipher suite headaches nonetheless.

It is in the FAQ:
https://wiki.apache.org/tomcat/FAQ/Linux_Unix#Q5

[q] Moreover, some of those packages are notably outdated. [/q]

If you need documentation for 6.0.24, see "webapps/docs" web
application in your copy of Tomcat 6.0.24. That is unless your vendor
has bundled it. Official downloads from tomcat.apache.org include the
documentation.

The online documentation is for the current version (6.0.44).

Best regards,
Konstantin Kolinko



Re: Problem specifying cipher suites in tomcat6

Posted by Ramon Pfeiffer <ra...@uni-tuebingen.de>.
Am 29.05.2015 um 23:31 schrieb Christopher Schultz:
>
> Ramon,
>
> On 5/29/15 4:42 PM, Ramon Pfeiffer wrote:
>> On 29.05.2015 21:12, Christopher Schultz wrote:
>>> Ramon,
>>>
>>> On 5/29/15 3:32 AM, Ramon Pfeiffer wrote:
>>>> Am 28.05.2015 um 18:56 schrieb Caldarale, Charles R:
>>>>>> From: Ramon Pfeiffer
>>>>>> [mailto:ramon.pfeiffer@uni-tuebingen.de] Subject: Problem
>>>>>> specifying cipher suites in tomcat6
>>>>>
>>>>>> I'm currently trying to specify a list of cipher suites to
>>>>>> be used by my connector in Tomcat 6.0.24.
>>>>>
>>>>>> Anybody can shed some light on what I did wrong?
>>>>>
>>>>> Using a version of Tomcat that's more than five years old is
>>>>> the first thing - there have been many, many security fixes
>>>>> since then, including some related to the ciphers attribute.
>>>>> You also need to tell us the JVM version, the platform you're
>>>>> running on, and whether or not APR is in use for this
>>>>> <Connector> (it's in the logs).
>>>
>>>> Sadly, it's a system I inherited last year and now have the
>>>> pleasure to work with. I can't update Tomcat for I don't know
>>>> what will break.
>>>
>>> If you can't upgrade it, you are better-off shutting-down the
>>> service, because there are security vulnerabilities in there.
>>>
>>> So, ask your boss which is worse: shuttering the project, or
>>> getting a new version of Tomcat into a testing environment?
>>
>> Shutting it down is not an option. So I guess next week will be...
>> interesting.
>>
>> The important thing is this: Will the connector work in this
>> configuration after I updated Tomcat? Or is the issue completely
>> unrelated? Where are the ciphers shown by ssllabs taken from? Is
>> the cipher attribute ignored?
>
> Lots of things have been fixed/added in more recent versions of Tomcat
> 6.0.x. Please give a quick test against Tomcat 6.0.latest: you don't
> even need to deploy your own web application on it; just configure it
> for SSL and hit the default web application (the Tomcat
> documentation), or the examples, or whatever.
>

Apparently, I need to correct myself a bit. Tomcat6 is installed via the 
RHEL repositories, the latest version offered by RHEL is 6.0.24:
# yum list tomcat6.x86_64
tomcat6.x86_64		6.0.24-83.el6_6

So it seems as if the latest version of tomcat6 is installed already, 
giving me the cipher suite headaches nonetheless.

Any further ideas?

Thanks,
Ramon


Re: Problem specifying cipher suites in tomcat6

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Ramon,

On 5/29/15 4:42 PM, Ramon Pfeiffer wrote:
> On 29.05.2015 21:12, Christopher Schultz wrote:
>> Ramon,
>> 
>> On 5/29/15 3:32 AM, Ramon Pfeiffer wrote:
>>> Am 28.05.2015 um 18:56 schrieb Caldarale, Charles R:
>>>>> From: Ramon Pfeiffer
>>>>> [mailto:ramon.pfeiffer@uni-tuebingen.de] Subject: Problem
>>>>> specifying cipher suites in tomcat6
>>>> 
>>>>> I'm currently trying to specify a list of cipher suites to
>>>>> be used by my connector in Tomcat 6.0.24.
>>>> 
>>>>> Anybody can shed some light on what I did wrong?
>>>> 
>>>> Using a version of Tomcat that's more than five years old is
>>>> the first thing - there have been many, many security fixes
>>>> since then, including some related to the ciphers attribute.
>>>> You also need to tell us the JVM version, the platform you're
>>>> running on, and whether or not APR is in use for this
>>>> <Connector> (it's in the logs).
>> 
>>> Sadly, it's a system I inherited last year and now have the 
>>> pleasure to work with. I can't update Tomcat for I don't know
>>> what will break.
>> 
>> If you can't upgrade it, you are better-off shutting-down the
>> service, because there are security vulnerabilities in there.
>> 
>> So, ask your boss which is worse: shuttering the project, or
>> getting a new version of Tomcat into a testing environment?
> 
> Shutting it down is not an option. So I guess next week will be... 
> interesting.
> 
> The important thing is this: Will the connector work in this 
> configuration after I updated Tomcat? Or is the issue completely 
> unrelated? Where are the ciphers shown by ssllabs taken from? Is
> the cipher attribute ignored?

Lots of things have been fixed/added in more recent versions of Tomcat
6.0.x. Please give a quick test against Tomcat 6.0.latest: you don't
even need to deploy your own web application on it; just configure it
for SSL and hit the default web application (the Tomcat
documentation), or the examples, or whatever.

SSLLabs picks the ciphers it wants to check for; usually a group of
"good" ciphers to make sure that you can support the
latest-and-greatest ciphers, plus a bunch of them that are known to be
broken (like most SSL-only ones).

This tool may help you test, because it's a whole lot faster than
SSLLabs' tests:
http://markmail.org/message/tz4z44nfjl7sy2lj

- -chris


Re: Problem specifying cipher suites in tomcat6

Posted by Ramon Pfeiffer <ra...@uni-tuebingen.de>.
On 29.05.2015 21:12, Christopher Schultz wrote:
> Ramon,
> 
> On 5/29/15 3:32 AM, Ramon Pfeiffer wrote:
>> Am 28.05.2015 um 18:56 schrieb Caldarale, Charles R:
>>>> From: Ramon Pfeiffer [mailto:ramon.pfeiffer@uni-tuebingen.de] 
>>>> Subject: Problem specifying cipher suites in tomcat6
>>>
>>>> I'm currently trying to specify a list of cipher suites to be
>>>> used by my connector in Tomcat 6.0.24.
>>>
>>>> Anybody can shed some light on what I did wrong?
>>>
>>> Using a version of Tomcat that's more than five years old is the
>>> first thing - there have been many, many security fixes since
>>> then, including some related to the ciphers attribute.  You also
>>> need to tell us the JVM version, the platform you're running on,
>>> and whether or not APR is in use for this <Connector> (it's in
>>> the logs).
> 
>> Sadly, it's a system I inherited last year and now have the
>> pleasure to work with. I can't update Tomcat for I don't know what
>> will break.
> 
> If you can't upgrade it, you are better-off shutting-down the service,
> because there are security vulnerabilities in there.
> 
> So, ask your boss which is worse: shuttering the project, or getting a
> new version of Tomcat into a testing environment?

Shutting it down is not an option. So I guess next week will be...
interesting.

The important thing is this: Will the connector work in this
configuration after I updated Tomcat? Or is the issue completely
unrelated? Where are the ciphers shown by ssllabs taken from? Is the
cipher attribute ignored?

Thanks so far for all your responses (and corresponding warnings)!

Ramon


Re: Problem specifying cipher suites in tomcat6

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Ramon,

On 5/29/15 3:32 AM, Ramon Pfeiffer wrote:
> Am 28.05.2015 um 18:56 schrieb Caldarale, Charles R:
>>> From: Ramon Pfeiffer [mailto:ramon.pfeiffer@uni-tuebingen.de] 
>>> Subject: Problem specifying cipher suites in tomcat6
>> 
>>> I'm currently trying to specify a list of cipher suites to be
>>> used by my connector in Tomcat 6.0.24.
>> 
>>> Anybody can shed some light on what I did wrong?
>> 
>> Using a version of Tomcat that's more than five years old is the
>> first thing - there have been many, many security fixes since
>> then, including some related to the ciphers attribute.  You also
>> need to tell us the JVM version, the platform you're running on,
>> and whether or not APR is in use for this <Connector> (it's in
>> the logs).
> 
> Sadly, it's a system I inherited last year and now have the
> pleasure to work with. I can't update Tomcat for I don't know what
> will break.

If you can't upgrade it, you are better-off shutting-down the service,
because there are security vulnerabilities in there.

So, ask your boss which is worse: shuttering the project, or getting a
new version of Tomcat into a testing environment?

> Anyway, I'm working on a RHEL6 system. A java -version yields #
> java -version java version "1.7.0_79" OpenJDK Runtime Environment
> (rhel-2.5.5.3.el6_6-x86_64 u79-b14) OpenJDK 64-Bit Server VM (build
> 24.79-b02, mixed mode)

So, no problem keeping the JVM up-to-date. You must have a testing
process for that, right? Just use the same testing process after
upgrading Tomcat. Once you're up-to-date on Tomcat 6.0.x, go ahead and
try again with Tomcat 8.0.x.

- -chris


Re: Problem specifying cipher suites in tomcat6

Posted by Sean Dawson <se...@gmail.com>.
On Fri, May 29, 2015 at 3:30 PM, George Stanchev <Gs...@serena.com>
wrote:

> I don't see where he blamed the developers for anything. The poster even
> admitted it was their fault. I think it is reasonable to warn the OP that
> any change can result in an issue. Even if you're doing everything correctly,
> there is a chance of running into a new Tomcat issue or a regression or what
> not.
>
> We as developers know that corner cases that have a 1% chance of happening
> occur 50% of the time ;-)
>
> Any application server upgrade should be tested before being deployed...
>
> My 2c
>
> George
>
>
Thanks George.  There was also the change to unpack WAR files by default to
the webapps folder (or something along those lines) and the bug related to
certain cases of not being able to turn that back off... "A known issue
with FastDataInputStream  (57173). See the changelog."

Not intending to be antagonistic - just trying to give fair warning to OP.

-----Original Message-----
> From: André Warnier [mailto:aw@ice-sa.com]
> Sent: Friday, May 29, 2015 12:12 PM
> To: Tomcat Users List
> Subject: Re: Problem specifying cipher suites in tomcat6
>
> Sean Dawson wrote:
> > I had significant problems trying to uncover a change in tomcat7 that
> > broke our app when upgrading from 42 to 57, for a couple weeks over
> > Christmas holidays.
> >
> > Turns out it was something we shouldn't have been doing -
>
> you mean, apart from top-posting here ?
>
> but it was
> > definitely a change in tomcat (51 or so) that resulted in the issue(s).
> >
> > Just something to keep in mind.
> >
>
> Well yes, but in all truth, if you were doing something which you should
> not have been doing - and bonus points for admitting it - then you cannot
> really blame the tomcat developers for making a change which broke it, even
> over Christmas, can you ?
>
> On the contrary, you should be grateful : the fact that the change pointed
> out the bad thing in your code, may have prevented the later advent of a
> nuclear war.  That would have been even less fun over Christmas.
>
> As a concession, maybe George's post below could have been prefixed with
> "If your code is well-behaved, .."
>
>
> >
> > On Fri, May 29, 2015 at 11:43 AM, George Sexton <ge...@mhsoftware.com>
> > wrote:
> >
> >>
> >> On 5/29/2015 5:16 AM, David kerber wrote:
> >>
> >>> On 5/29/2015 3:32 AM, Ramon Pfeiffer wrote:
> >>>
> >>>> Sadly, it's a system I inherited last year and now have the pleasure
> to
> >>>> work with. I can't update Tomcat for I don't know what will break.
> >>>>
> >>> There's a fair chance that you can update to the latest version of TC 6
> >>> without anything breaking, but of course that's not guaranteed.
> >>>
> >> I can think of very few instances where a change in Tomcat broke my app.
> >> The only one I can really remember was a change that I initiated :)
> >>
> >>
> >> --
> >> George Sexton
> >> *MH Software, Inc.*
> >> Voice: 303 438 9585
> >> http://www.mhsoftware.com
> >>
> >
>
>
>
>

RE: Problem specifying cipher suites in tomcat6

Posted by George Stanchev <Gs...@serena.com>.
I don't see where he blamed the developers for anything. The poster even admitted it was their fault. I think it is reasonable to warn the OP that any change can result in an issue. Even if you're doing everything correctly, there is a chance of running into a new Tomcat issue or a regression or what not.

We as developers know that corner cases that have a 1% chance of happening occur 50% of the time ;-)

Any application server upgrade should be tested before being deployed...

My 2c

George

-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com] 
Sent: Friday, May 29, 2015 12:12 PM
To: Tomcat Users List
Subject: Re: Problem specifying cipher suites in tomcat6

Sean Dawson wrote:
> I had significant problems trying to uncover a change in tomcat7 that 
> broke our app when upgrading from 42 to 57, for a couple weeks over 
> Christmas holidays.
> 
> Turns out it was something we shouldn't have been doing -

you mean, apart from top-posting here ?

but it was
> definitely a change in tomcat (51 or so) that resulted in the issue(s).
> 
> Just something to keep in mind.
> 

Well yes, but in all truth, if you were doing something which you should not have been doing - and bonus points for admitting it - then you cannot really blame the tomcat developers for making a change which broke it, even over Christmas, can you ?

On the contrary, you should be grateful : the fact that the change pointed out the bad thing in your code, may have prevented the later advent of a nuclear war.  That would have been even less fun over Christmas.

As a concession, maybe George's post below could have been prefixed with "If your code is well-behaved, .."


> 
> On Fri, May 29, 2015 at 11:43 AM, George Sexton <ge...@mhsoftware.com>
> wrote:
> 
>>
>> On 5/29/2015 5:16 AM, David kerber wrote:
>>
>>> On 5/29/2015 3:32 AM, Ramon Pfeiffer wrote:
>>>
>>>> Sadly, it's a system I inherited last year and now have the pleasure to
>>>> work with. I can't update Tomcat for I don't know what will break.
>>>>
>>> There's a fair chance that you can update to the latest version of TC 6
>>> without anything breaking, but of course that's not guaranteed.
>>>
>> I can think of very few instances where a change in Tomcat broke my app.
>> The only one I can really remember was a change that I initiated :)
>>
>>
>> --
>> George Sexton
>> *MH Software, Inc.*
>> Voice: 303 438 9585
>> http://www.mhsoftware.com
>>
> 




Re: Problem specifying cipher suites in tomcat6

Posted by André Warnier <aw...@ice-sa.com>.
Sean Dawson wrote:
> I had significant problems trying to uncover a change in tomcat7 that broke
> our app when upgrading from 42 to 57, for a couple weeks over Christmas
> holidays.
> 
> Turns out it was something we shouldn't have been doing - 

you mean, apart from top-posting here ?

but it was
> definitely a change in tomcat (51 or so) that resulted in the issue(s).
> 
> Just something to keep in mind.
> 

Well yes, but in all truth, if you were doing something which you should not have been 
doing - and bonus points for admitting it - then you cannot really blame the tomcat 
developers for making a change which broke it, even over Christmas, can you ?

On the contrary, you should be grateful : the fact that the change pointed out the bad 
thing in your code, may have prevented the later advent of a nuclear war.  That would have 
been even less fun over Christmas.

As a concession, maybe George's post below could have been prefixed with "If your code is 
well-behaved, .."


> 
> On Fri, May 29, 2015 at 11:43 AM, George Sexton <ge...@mhsoftware.com>
> wrote:
> 
>>
>> On 5/29/2015 5:16 AM, David kerber wrote:
>>
>>> On 5/29/2015 3:32 AM, Ramon Pfeiffer wrote:
>>>
>>>> Sadly, it's a system I inherited last year and now have the pleasure to
>>>> work with. I can't update Tomcat for I don't know what will break.
>>>>
>>> There's a fair chance that you can update to the latest version of TC 6
>>> without anything breaking, but of course that's not guaranteed.
>>>
>> I can think of very few instances where a change in Tomcat broke my app.
>> The only one I can really remember was a change that I initiated :)
>>
>>
>> --
>> George Sexton
>> *MH Software, Inc.*
>> Voice: 303 438 9585
>> http://www.mhsoftware.com
>>
> 




Re: Problem specifying cipher suites in tomcat6

Posted by Sean Dawson <se...@gmail.com>.
I had significant problems trying to uncover a change in tomcat7 that broke
our app when upgrading from 42 to 57, for a couple weeks over Christmas
holidays.

Turns out it was something we shouldn't have been doing - but it was
definitely a change in tomcat (51 or so) that resulted in the issue(s).

Just something to keep in mind.


On Fri, May 29, 2015 at 11:43 AM, George Sexton <ge...@mhsoftware.com>
wrote:

>
>
> On 5/29/2015 5:16 AM, David kerber wrote:
>
>> On 5/29/2015 3:32 AM, Ramon Pfeiffer wrote:
>>
>>>
>>> Sadly, it's a system I inherited last year and now have the pleasure to
>>> work with. I can't update Tomcat for I don't know what will break.
>>>
>>
>> There's a fair chance that you can update to the latest version of TC 6
>> without anything breaking, but of course that's not guaranteed.
>>
>
> I can think of very few instances where a change in Tomcat broke my app.
> The only one I can really remember was a change that I initiated :)
>
>
> --
> George Sexton
> *MH Software, Inc.*
> Voice: 303 438 9585
> http://www.mhsoftware.com
>

Re: Problem specifying cipher suites in tomcat6

Posted by George Sexton <ge...@mhsoftware.com>.

On 5/29/2015 5:16 AM, David kerber wrote:
> On 5/29/2015 3:32 AM, Ramon Pfeiffer wrote:
>>
>> Sadly, it's a system I inherited last year and now have the pleasure to
>> work with. I can't update Tomcat for I don't know what will break.
>
> There's a fair chance that you can update to the latest version of TC 
> 6 without anything breaking, but of course that's not guaranteed.

I can think of very few instances where a change in Tomcat broke my app. 
The only one I can really remember was a change that I initiated :)


-- 
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com

Re: Problem specifying cipher suites in tomcat6

Posted by David kerber <dc...@verizon.net>.
On 5/29/2015 3:32 AM, Ramon Pfeiffer wrote:
> Am 28.05.2015 um 18:56 schrieb Caldarale, Charles R:
>>> From: Ramon Pfeiffer [mailto:ramon.pfeiffer@uni-tuebingen.de]
>>> Subject: Problem specifying cipher suites in tomcat6
>>
>>> I'm currently trying to specify a list of cipher suites to be used by my
>>> connector in Tomcat 6.0.24.
>>
>>> Anybody can shed some light on what I did wrong?
>>
>> Using a version of Tomcat that's more than five years old is the first
>> thing - there have been many, many security fixes since then,
>> including some related to the ciphers attribute.  You also need to
>> tell us the JVM version, the platform you're running on, and whether
>> or not APR is in use for this <Connector> (it's in the logs).
>
> Sadly, it's a system I inherited last year and now have the pleasure to
> work with. I can't update Tomcat for I don't know what will break.

There's a fair chance that you can update to the latest version of TC 6 
without anything breaking, but of course that's not guaranteed.


>
> Anyway, I'm working on a RHEL6 system. A java -version yields
> # java -version
> java version "1.7.0_79"
> OpenJDK Runtime Environment (rhel-2.5.5.3.el6_6-x86_64 u79-b14)
> OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)

The fact that you're on a recent Java version will help a lot.


>
> APR is not installed.
>
> Thanks,
> Ramon
>




Re: Problem specifying cipher suites in tomcat6

Posted by Ramon Pfeiffer <ra...@uni-tuebingen.de>.
Am 28.05.2015 um 18:56 schrieb Caldarale, Charles R:
>> From: Ramon Pfeiffer [mailto:ramon.pfeiffer@uni-tuebingen.de]
>> Subject: Problem specifying cipher suites in tomcat6
>
>> I'm currently trying to specify a list of cipher suites to be used by my
>> connector in Tomcat 6.0.24.
>
>> Anybody can shed some light on what I did wrong?
>
> Using a version of Tomcat that's more than five years old is the first thing - there have been many, many security fixes since then, including some related to the ciphers attribute.  You also need to tell us the JVM version, the platform you're running on, and whether or not APR is in use for this <Connector> (it's in the logs).

Sadly, it's a system I inherited last year and now have the pleasure to 
work with. I can't update Tomcat for I don't know what will break.

Anyway, I'm working on a RHEL6 system. A java -version yields
# java -version
java version "1.7.0_79"
OpenJDK Runtime Environment (rhel-2.5.5.3.el6_6-x86_64 u79-b14)
OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)

APR is not installed.

Thanks,
Ramon


RE: Problem specifying cipher suites in tomcat6

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Ramon Pfeiffer [mailto:ramon.pfeiffer@uni-tuebingen.de] 
> Subject: Problem specifying cipher suites in tomcat6

> I'm currently trying to specify a list of cipher suites to be used by my 
> connector in Tomcat 6.0.24.

> Anybody can shed some light on what I did wrong?

Using a version of Tomcat that's more than five years old is the first thing - there have been many, many security fixes since then, including some related to the ciphers attribute.  You also need to tell us the JVM version, the platform you're running on, and whether or not APR is in use for this <Connector> (it's in the logs).

 - Chuck

