Posted to users@tomcat.apache.org by Tim K <ti...@gmail.com> on 2019/01/04 13:23:40 UTC

Re: 9.0.13 encrypted cluster traffic

On Sat, Dec 22, 2018, 11:56 AM Christopher Schultz <
chris@christopherschultz.net wrote:

>
> Tim,
>
> On 12/21/18 08:14, Tim K wrote:
> > On Thu, Dec 20, 2018, 10:11 PM Christopher Schultz <
> > chris@christopherschultz.net wrote:
> >
> > Tim,
> >
> > On 12/20/18 10:18, Tim K wrote:
> >>>>>
> >>>>> I just downloaded and tried 9.0.14 but I'm still getting
> >>>>> the same BadPaddingException upon starting the second
> >>>>> instance.  I confirmed the encryptionKey matches on my two
> >>>>> instances.
> >>>>>
> >>>>
> >>>> Maybe something is wrong with my config?  For this test, I
> >>>> have both Tomcats on the same server using different ports:
> >
> > This is the only thing that matters to the encryption interceptor:
> >
> >>>> <Interceptor
> >>>> className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
> >>>> encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />
> >
> > I'm not sure if the order of encrypt/asyncdispatch interceptors
> > matters much.
> >
> > I copy/pasted your key into the TestEncryptInterceptor unit test
> > and I didn't get any errors. I generated 4 new 32-character
> > (16-byte) keys and tried all of them and didn't get any errors.
> >
> > Oddly, the very first time I copy/pasted it from your email
> > message into the tester it failed with BadPaddingException, but
> > when I re-copied "just in case" it stopped failing. Can you
> > download and build the 9.0.14 source and run that unit test in your
> > environment? Like this:
> >
> > $ ant test -Dtest.entry=org.apache.catalina.tribes.group.interceptors.TestEncryptInterceptor
> >
> > If that works, try copy/pasting your key into the source file of
> > the test -- it's right up at the top, called "encryptionKey128" --
> > then save and re-run the test (ant will recompile it). If that
> > works... then I'm stumped.
> >
> > -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >
> > I grabbed the src from the site and built it successfully, tried
> > the test but it is looking for a message.bin file...
>
> If the file doesn't exist, it skips the test. That's normal.
>
> > I tried just touch'ing that file and the first test fails with a
> > NegativeArraySizeException
>
> Right... because it should contain an encrypted message. A zero-byte
> file won't be decrypted properly.
>
> (BTW this explains why I got a BadPaddingException in that *single*
> test... I forgot that the test decrypts the file left-behind from the
> previous test. This was intentional, to ensure that there wasn't some
> magical state being held within the JVM allowing it to decrypt the
> message.)
>
> > and it deletes the message.bin file and the subsequent 2 tests
> > can't find it.  Is there something special I need to do with that
> > message.bin file to run the junit tests?
> No. The tests are running as expected.
>
> > Also, I tried just using the exact encryptionKey128 you had within
> > the test class and that one didn't work in my config either, same
> > BadPaddingException.
>
> Try running the test twice in a row. From your output, it looks like
> the test runs fine.
>
> Oh, you meant using my cafebabe key in your setup didn't work? Please
> see Keiichi's reply: it seems that the EncryptInterceptor must be
> "outside" of the TcpFailureDetector.
>
> -chris


Moving the encryption interceptor to the first position appears to have
resolved this for me.  Thank you all for the assistance!

Re: 9.0.13 encrypted cluster traffic

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Tim,

On 1/4/19 08:23, Tim K wrote:
> On Sat, Dec 22, 2018, 11:56 AM Christopher Schultz < 
> chris@christopherschultz.net wrote:
> 
> Tim,
> 
> On 12/21/18 08:14, Tim K wrote:
>>>> On Thu, Dec 20, 2018, 10:11 PM Christopher Schultz < 
>>>> chris@christopherschultz.net wrote:
>>>> 
>>>> Tim,
>>>> 
>>>> On 12/20/18 10:18, Tim K wrote:
>>>>>>>> 
>>>>>>>> I just downloaded and tried 9.0.14 but I'm still
>>>>>>>> getting the same BadPaddingException upon starting
>>>>>>>> the second instance.  I confirmed the encryptionKey
>>>>>>>> matches on my two instances.
>>>>>>>> 
>>>>>>> 
>>>>>>> Maybe something is wrong with my config?  For this
>>>>>>> test, I have both Tomcats on the same server using
>>>>>>> different ports:
>>>> 
>>>> This is the only thing that matters to the encryption
>>>> interceptor:
>>>> 
>>>>>>> <Interceptor
>>>>>>> className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
>>>>>>> encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />
>>>> 
>>>> I'm not sure if the order of encrypt/asyncdispatch
>>>> interceptors matters much.
>>>> 
>>>> I copy/pasted your key into the TestEncryptInterceptor unit
>>>> test and I didn't get any errors. I generated 4 new
>>>> 32-character (16-byte) keys and tried all of them and didn't
>>>> get any errors.
>>>> 
>>>> Oddly, the very first time I copy/pasted it from your email 
>>>> message into the tester it failed with BadPaddingException,
>>>> but when I re-copied "just in case" it stopped failing. Can
>>>> you download and build the 9.0.14 source and run that unit
>>>> test in your environment? Like this:
>>>> 
>>>> $ ant test -Dtest.entry=org.apache.catalina.tribes.group.interceptors.TestEncryptInterceptor
>>>> 
>>>> If that works, try copy/pasting your key into the source file
>>>> of the test -- it's right up at the top, called
>>>> "encryptionKey128" -- then save and re-run the test (ant will
>>>> recompile it). If that works... then I'm stumped.
>>>> 
>>>> -chris
>>>> 
>>>> I grabbed the src from the site and built it successfully,
>>>> tried the test but it is looking for a message.bin file...
> 
> If the file doesn't exist, it skips the test. That's normal.
> 
>>>> I tried just touch'ing that file and the first test fails
>>>> with a NegativeArraySizeException
> 
> Right... because it should contain an encrypted message. A
> zero-byte file won't be decrypted properly.
> 
> (BTW this explains why I got a BadPaddingException in that
> *single* test... I forgot that the test decrypts the file
> left-behind from the previous test. This was intentional, to ensure
> that there wasn't some magical state being held within the JVM
> allowing it to decrypt the message.)
> 
>>>> and it deletes the message.bin file and the subsequent 2
>>>> tests can't find it.  Is there something special I need to do
>>>> with that message.bin file to run the junit tests?
> No. The tests are running as expected.
> 
>>>> Also, I tried just using the exact encryptionKey128 you had
>>>> within the test class and that one didn't work in my config
>>>> either, same BadPaddingException.
> 
> Try running the test twice in a row. From your output, it looks
> like the test runs fine.
> 
> Oh, you meant using my cafebabe key in your setup didn't work?
> Please see Keiichi's reply: it seems that the EncryptInterceptor
> must be "outside" of the TcpFailureDetector.
> 
> -chris
> 
> 
> Moving the encryption interceptor to the first position appears to
> have resolved this for me.  Thank you all for the assistance!

Excellent. Thanks for the confirmation.

I was thinking about this the other day and it seems like such an easy
mistake to make with such a bad outcome it would be best to detect the
situation and throw a warning/error. I think that should be possible.

-chris

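Added example (not part of the original messages and not Tomcat code): a Python pre-deployment check of the kind proposed in the last message, which reads a <Channel> fragment from server.xml and reports an EncryptInterceptor that is listed after TcpFailureDetector. It assumes "outside" means listed before TcpFailureDetector, as in the fix reported above, and that AES is the algorithm in use; the function names, sample fragments and key are constructed for illustration.

```python
import hmac
import xml.etree.ElementTree as ET

PKG = "org.apache.catalina.tribes.group.interceptors."
ENCRYPT = PKG + "EncryptInterceptor"
DETECTOR = PKG + "TcpFailureDetector"

# Constructed <Channel> fragments; KEY is a made-up sample, not a real key.
KEY = "00112233445566778899aabbccddeeff"
BROKEN = f"""<Channel>
  <Interceptor className="{DETECTOR}"/>
  <Interceptor className="{PKG}MessageDispatchInterceptor"/>
  <Interceptor className="{ENCRYPT}" encryptionKey="{KEY}"/>
</Channel>"""
FIXED = f"""<Channel>
  <Interceptor className="{ENCRYPT}" encryptionKey="{KEY}"/>
  <Interceptor className="{DETECTOR}"/>
  <Interceptor className="{PKG}MessageDispatchInterceptor"/>
</Channel>"""

def interceptors(channel_xml):
    """Return (className, attributes) per <Interceptor>, in document order."""
    root = ET.fromstring(channel_xml)
    return [(e.get("className", ""), e.attrib) for e in root.iter("Interceptor")]

def check_channel(channel_xml):
    """Return findings for one instance's <Channel> element."""
    chain = interceptors(channel_xml)
    names = [name for name, _ in chain]
    if ENCRYPT not in names:
        return ["no EncryptInterceptor configured"]
    findings = []
    # Assumption: "outside" means listed before TcpFailureDetector.
    if DETECTOR in names and names.index(ENCRYPT) > names.index(DETECTOR):
        findings.append("EncryptInterceptor is listed after TcpFailureDetector")
    key = chain[names.index(ENCRYPT)][1].get("encryptionKey", "")
    try:
        key_len = len(bytes.fromhex(key))
    except ValueError:
        key_len = -1
    if key_len not in (16, 24, 32):  # AES key sizes in bytes (assumes AES)
        findings.append("encryptionKey is not 16, 24 or 32 hex-encoded bytes")
    return findings

def keys_match(channel_a, channel_b):
    """Compare two instances' keys without echoing either value."""
    def key(xml_text):
        return dict(interceptors(xml_text)).get(ENCRYPT, {}).get("encryptionKey", "")
    return hmac.compare_digest(key(channel_a).lower().encode(), key(channel_b).lower().encode())
```

Run check_channel on each instance's <Channel> and keys_match across the pair before starting the second node; the findings never include the key itself.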