Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2015/11/13 01:12:51 UTC

[VOTE] Release Apache Tomcat 9.0.0.M1

The proposed Apache Tomcat 9.0.0.M1 release is now available for voting.

This is the first milestone release for the 9.0.x branch. It should be
noted that, as a milestone release:
- Servlet 4.0 is not finalised
- The EGs have not started work on JSP 2.4, EL 3.1 or WebSocket 1.2/2.0

The major changes compared to the 8.0.x branch are:
- Requires Java 8
- BIO, Comet and Windows Itanium support have been removed
- Support for TLS virtual hosting, ALPN, HTTP/2 and OpenSSL with
  NIO/NIO2 has been added
- Lots of internal refactoring to support the above changes

For full details, see the changelog:
http://svn.us.apache.org/repos/asf/tomcat/trunk/webapps/docs/changelog.xml

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.0.M1/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1054/
The svn tag is:
http://svn.apache.org/repos/asf/tomcattags/TOMCAT_9_0_0_M1/

The proposed 9.0.0.M1 release is:
[ ] Broken - do not release
[ ] Alpha - go ahead and release as 9.0.0.M1

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: [VOTE] Release Apache Tomcat 9.0.0.M1

Posted by Mark Thomas <ma...@apache.org>.
On 13/11/2015 10:26, Rémy Maucherat wrote:
> 2015-11-13 1:12 GMT+01:00 Mark Thomas <ma...@apache.org>:
> 
>> The proposed Apache Tomcat 9.0.0.M1 release is now available for voting.
>>
>> This is the first milestone release for the 9.0.x branch. It should be
>> noted that, as a milestone release:
>> - Servlet 4.0 is not finalised
>> - The EGs have not started work on JSP 2.4, EL 3.1 or WebSocket 1.2/2.0
>>
>> The major changes compared to the 8.0.x branch are:
>> - Requires Java 8
>> - BIO, Comet and Windows Itanium support have been removed
>> - Support for TLS virtual hosting, ALPN, HTTP/2 and OpenSSL with
>>   NIO/NIO2 has been added
>> - Lots of internal refactoring to support the above changes
>>
>> For full details, see the changelog:
>> http://svn.us.apache.org/repos/asf/tomcat/trunk/webapps/docs/changelog.xml
>>
>> It can be obtained from:
>> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.0.M1/
>> The Maven staging repo is:
>> https://repository.apache.org/content/repositories/orgapachetomcat-1054/
>> The svn tag is:
>> http://svn.apache.org/repos/asf/tomcattags/TOMCAT_9_0_0_M1/
>>
>> The proposed 9.0.0.M1 release is:
>> [ ] Broken - do not release
>> [X] Alpha - go ahead and release as 9.0.0.M1
>>
>> It looks like a very nice first build to release.
> 
> OTOH testing HTTP/2 at all is a bit difficult (ok, not just "a bit"), so
> maybe there will not be that much feedback on it. The requirements are:
> new native

Yes, but provided on Windows and should be a simple build on Linux

> bleeding edge OpenSSL,

As new native. Getting a new OpenSSL build could be a bit harder
depending on the Linux distro.

> config in server.xml to add the protocol handler,

That I can fix by adding HTTP/2 to the example.

> valid per host certificate (no comment ...),

No different to the 8.0.x requirements. You can do more but you don't
have to.

> secure cipher suite

Should be negotiated by default (now we honour client cipher order)

> for the https connector. So if you're looking at a first webinar topic,
> "Beginner HTTP/2 in Tomcat" would be nice.

Agreed. When you look at it, it is lots of fairly simple things but I
agree that that would make a good topic for a Webinar, maybe even the
first one.

Mark



Re: [VOTE] Release Apache Tomcat 9.0.0.M1

Posted by Rémy Maucherat <re...@apache.org>.
2015-11-13 1:12 GMT+01:00 Mark Thomas <ma...@apache.org>:

> The proposed Apache Tomcat 9.0.0.M1 release is now available for voting.
>
> This is the first milestone release for the 9.0.x branch. It should be
> noted that, as a milestone release:
> - Servlet 4.0 is not finalised
> - The EGs have not started work on JSP 2.4, EL 3.1 or WebSocket 1.2/2.0
>
> The major changes compared to the 8.0.x branch are:
> - Requires Java 8
> - BIO, Comet and Windows Itanium support have been removed
> - Support for TLS virtual hosting, ALPN, HTTP/2 and OpenSSL with
>   NIO/NIO2 has been added
> - Lots of internal refactoring to support the above changes
>
> For full details, see the changelog:
> http://svn.us.apache.org/repos/asf/tomcat/trunk/webapps/docs/changelog.xml
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.0.M1/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1054/
> The svn tag is:
> http://svn.apache.org/repos/asf/tomcattags/TOMCAT_9_0_0_M1/
>
> The proposed 9.0.0.M1 release is:
> [ ] Broken - do not release
> [X] Alpha - go ahead and release as 9.0.0.M1
>
> It looks like a very nice first build to release.

OTOH testing HTTP/2 at all is a bit difficult (ok, not just "a bit"), so
maybe there will not be that much feedback on it. The requirements are: new
native, bleeding edge OpenSSL, config in server.xml to add the protocol
handler, valid per host certificate (no comment ...), secure cipher suite
for the https connector. So if you're looking at a first webinar topic,
"Beginner HTTP/2 in Tomcat" would be nice.

Rémy

Re: [VOTE] Release Apache Tomcat 9.0.0.M1

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 11/12/15 7:12 PM, Mark Thomas wrote:
> The proposed Apache Tomcat 9.0.0.M1 release is now available for voting.
> 
> This is the first milestone release for the 9.0.x branch. It should be
> noted that, as a milestone release:
> - Servlet 4.0 is not finalised
> - The EGs have not started work on JSP 2.4, EL 3.1 or WebSocket 1.2/2.0
> 
> The major changes compared to the 8.0.x branch are:
> - Requires Java 8
> - BIO, Comet and Windows Itanium support have been removed
> - Support for TLS virtual hosting, ALPN, HTTP/2 and OpenSSL with
>   NIO/NIO2 has been added
> - Lots of internal refactoring to support the above changes
> 
> For full details, see the changelog:
> http://svn.us.apache.org/repos/asf/tomcat/trunk/webapps/docs/changelog.xml
> 
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.0.M1/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1054/
> The svn tag is:
> http://svn.apache.org/repos/asf/tomcattags/TOMCAT_9_0_0_M1/
> 
> The proposed 9.0.0.M1 release is:
> [ ] Broken - do not release
> [X] Alpha - go ahead and release as 9.0.0.M1

Only tested the build/unit tests so far: builds on Linux.

Interesting to note that tcnative 1.2.x "requires" OpenSSL 1.0.2 - and
says so during "configure", but does not fail to configure/build/run. Is
1.0.2 truly a requirement? If so, the build probably ought to break.

* Environment
*  Java (build):     java version "1.8.0_60" Java(TM) SE Runtime Environment (build 1.8.0_60-b27) Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)
*  Java (test):     java version "1.8.0_60" Java(TM) SE Runtime Environment (build 1.8.0_60-b27) Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)
*  OS:       Linux 2.6.32-312-ec2 x86_64
*  cc:       cc (Debian 4.7.2-5) 4.7.2
*  make:     GNU Make 3.81
*  OpenSSL:  OpenSSL 1.0.1e 11 Feb 2013
*  APR:      1.4.6
*
* Valid MD5 signature for apache-tomcat-9.0.0.M1.zip
* Valid GPG signature for apache-tomcat-9.0.0.M1.zip
* Valid MD5 signature for apache-tomcat-9.0.0.M1.tar.gz
* Valid GPG signature for apache-tomcat-9.0.0.M1.tar.gz
* Valid MD5 signature for apache-tomcat-9.0.0.M1.exe
* Valid GPG signature for apache-tomcat-9.0.0.M1.exe
* Valid MD5 signature for apache-tomcat-9.0.0.M1-src.zip
* Valid GPG signature for apache-tomcat-9.0.0.M1-src.zip
* Valid MD5 signature for apache-tomcat-9.0.0.M1-src.tar.gz
* Valid GPG signature for apache-tomcat-9.0.0.M1-src.tar.gz
*
* Binary Zip and tarball: Same
* Source Zip and tarball: Same
*
* Building dependencies returned: 0
* tcnative builds cleanly
* Tomcat builds cleanly
*
* Tests that failed:
* org.apache.catalina.session.TestStandardSessionIntegration.APR.txt
* org.apache.catalina.session.TestStandardSessionIntegration.NIO.txt
* org.apache.catalina.session.TestStandardSessionIntegration.NIO2.txt
* org.apache.catalina.tribes.group.TestGroupChannelMemberArrival.APR.txt
* org.apache.catalina.tribes.group.TestGroupChannelMemberArrival.NIO.txt
* org.apache.catalina.tribes.group.TestGroupChannelMemberArrival.NIO2.txt
* org.apache.catalina.tribes.group.TestGroupChannelSenderConnections.APR.txt
* org.apache.catalina.tribes.group.TestGroupChannelSenderConnections.NIO.txt
* org.apache.catalina.tribes.group.TestGroupChannelSenderConnections.NIO2.txt
* org.apache.catalina.tribes.group.TestGroupChannelStartStop.APR.txt
* org.apache.catalina.tribes.group.TestGroupChannelStartStop.NIO.txt
* org.apache.catalina.tribes.group.TestGroupChannelStartStop.NIO2.txt
* org.apache.catalina.tribes.group.interceptors.TestNonBlockingCoordinator.APR.txt
* org.apache.catalina.tribes.group.interceptors.TestNonBlockingCoordinator.NIO.txt
* org.apache.catalina.tribes.group.interceptors.TestNonBlockingCoordinator.NIO2.txt
* org.apache.catalina.tribes.group.interceptors.TestOrderInterceptor.APR.txt
* org.apache.catalina.tribes.group.interceptors.TestOrderInterceptor.NIO.txt
* org.apache.catalina.tribes.group.interceptors.TestOrderInterceptor.NIO2.txt
* org.apache.catalina.tribes.group.interceptors.TestTcpFailureDetector.APR.txt
* org.apache.catalina.tribes.group.interceptors.TestTcpFailureDetector.NIO.txt
* org.apache.catalina.tribes.group.interceptors.TestTcpFailureDetector.NIO2.txt
* org.apache.tomcat.util.http.TestMimeHeadersIntegration.NIO2.txt
* org.apache.tomcat.util.net.openssl.ciphers.TestCipher.APR.txt
* org.apache.tomcat.util.net.openssl.ciphers.TestCipher.NIO.txt
* org.apache.tomcat.util.net.openssl.ciphers.TestCipher.NIO2.txt
* org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.APR.txt
* org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.NIO.txt
* org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.NIO2.txt

The tribes stuff always fails for me. The OpenSSL ciphers tests are
almost certainly due to version mismatch/configuration mismatch. Session
tests fail because some of those tests require clustering (which I
maintain should be split-out into separate tests, to make it clear why
they are failing).

Thanks,
-chris



Re: [VOTE][RESULT] Release Apache Tomcat 9.0.0.M1

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 11/17/15 3:44 PM, Mark Thomas wrote:
> On 17/11/2015 20:34, Christopher Schultz wrote:
>> Mark,
>>
>> On 11/17/15 3:24 PM, Mark Thomas wrote:
>>> The votes cast were as follows:
>>>
>>> Binding:
>>> +1: remm, markt, mgrigorov
>>
>> Also +1 : schultz, not that it really matters.
> 
> Sorry. Not sure how I missed that.

I was pretty late in responding.

-chris



Re: [VOTE][RESULT] Release Apache Tomcat 9.0.0.M1

Posted by Mark Thomas <ma...@apache.org>.
On 17/11/2015 20:34, Christopher Schultz wrote:
> Mark,
> 
> On 11/17/15 3:24 PM, Mark Thomas wrote:
>> The votes cast were as follows:
>>
>> Binding:
>> +1: remm, markt, mgrigorov
> 
> Also +1 : schultz, not that it really matters.

Sorry. Not sure how I missed that.

Mark

> 
>> Non-binding:
>> +1: ognjen
>>
>> The vote therefore passes. 9.0.0.M1 will be released with an alpha label
>>
>> Thanks to everyone for the testing.
> 
> Thanks for rolling the release!
> 
> -chris
> 
> 




Re: [VOTE][RESULT] Release Apache Tomcat 9.0.0.M1

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 11/17/15 3:24 PM, Mark Thomas wrote:
> The votes cast were as follows:
> 
> Binding:
> +1: remm, markt, mgrigorov

Also +1 : schultz, not that it really matters.

> Non-binding:
> +1: ognjen
> 
> The vote therefore passes. 9.0.0.M1 will be released with an alpha label
> 
> Thanks to everyone for the testing.

Thanks for rolling the release!

-chris



Re: [VOTE][RESULT] Release Apache Tomcat 9.0.0.M1

Posted by Mark Thomas <ma...@apache.org>.
The votes cast were as follows:

Binding:
+1: remm, markt, mgrigorov

Non-binding:
+1: ognjen

The vote therefore passes. 9.0.0.M1 will be released with an alpha label

Thanks to everyone for the testing.

Mark


On 13/11/2015 00:12, Mark Thomas wrote:
> The proposed Apache Tomcat 9.0.0.M1 release is now available for voting.
> 
> This is the first milestone release for the 9.0.x branch. It should be
> noted that, as a milestone release:
> - Servlet 4.0 is not finalised
> - The EGs have not started work on JSP 2.4, EL 3.1 or WebSocket 1.2/2.0
> 
> The major changes compared to the 8.0.x branch are:
> - Requires Java 8
> - BIO, Comet and Windows Itanium support have been removed
> - Support for TLS virtual hosting, ALPN, HTTP/2 and OpenSSL with
>   NIO/NIO2 has been added
> - Lots of internal refactoring to support the above changes
> 
> For full details, see the changelog:
> http://svn.us.apache.org/repos/asf/tomcat/trunk/webapps/docs/changelog.xml
> 
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.0.M1/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1054/
> The svn tag is:
> http://svn.apache.org/repos/asf/tomcattags/TOMCAT_9_0_0_M1/
> 
> The proposed 9.0.0.M1 release is:
> [ ] Broken - do not release
> [ ] Alpha - go ahead and release as 9.0.0.M1
> 
> 




Re: [VOTE] Release Apache Tomcat 9.0.0.M1

Posted by Mark Thomas <ma...@apache.org>.
On 16/11/2015 22:51, Ognjen Blagojevic wrote:
> Mark,
> Chris,
> 
> On 16.11.2015 17:15, Mark Thomas wrote:
>>> Tomcat 8 docs lists APR Connector attribute "SSLCertificateChainFile"
>>> [1]. Tomcat 9 docs, does not list such attribute (neither in "SSL
>>> Support - SSLHostConfig", "SSL Support - Certificate" nor "SSL Support -
>>> Connector - APR/Native (deprecated)"). I also check the class
>>> SSLHostConfigCertificate, and couldn't find a field for the chain.
>>
>> You use the same attribute as for the cert. i.e. you provide the full
>> chain rather than just the cert.
> 
> Ok, my initial testing was with the attribute SSLCertificateChainFile,
> which was deprecated.
> 
> Now I tried to add chain to server certificate file, but it does not
> work for me, either. I still get the warning that certificate chain is
> incomplete. I tried those two configurations, both of them serve only
> server cert:

OK. Looks like I've misunderstood something / messed something up. I've
opened BZ 58621.

Mark



Re: [VOTE] Release Apache Tomcat 9.0.0.M1

Posted by Ognjen Blagojevic <og...@gmail.com>.
Mark,
Chris,

On 16.11.2015 17:15, Mark Thomas wrote:
>> Tomcat 8 docs lists APR Connector attribute "SSLCertificateChainFile"
>> [1]. Tomcat 9 docs, does not list such attribute (neither in "SSL
>> Support - SSLHostConfig", "SSL Support - Certificate" nor "SSL Support -
>> Connector - APR/Native (deprecated)"). I also check the class
>> SSLHostConfigCertificate, and couldn't find a field for the chain.
>
> You use the same attribute as for the cert. i.e. you provide the full
> chain rather than just the cert.

Ok, my initial testing was with the attribute SSLCertificateChainFile, 
which was deprecated.

Now I tried to add chain to server certificate file, but it does not 
work for me, either. I still get the warning that certificate chain is 
incomplete. I tried those two configurations, both of them serve only 
server cert:

     <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
                port="443"
                SSLEnabled="true"
                SSLCertificateFile="cert-with-chain.pem"
                SSLCertificateKeyFile="server.key" />

     <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
                port="443"
                SSLEnabled="true">
         <SSLHostConfig>
             <Certificate certificateKeyFile="server.key"
                          certificateFile="cert-with-chain.pem" />
         </SSLHostConfig>
     </Connector>

File "cert-with-chain.pem" contains three certificates -- first the 
server certificate, and then two intermediate certificates.

I also tried changing certificate order (first the intermediate 
certificates, then server cert) but that results with 
"error:0B080074:x509 certificate routines:X509_check_private_key:key 
values mismatch", so I guess server certificate must be the first one.

-Ognjen
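
A check of the bundle ordering described in the post above, added here as an example and not part of the original thread or of Tomcat: it reads a PEM file, pulls each certificate's issuer and subject out of the DER, and confirms that the server certificate comes first and each later certificate issued the one before it. The certificates are constructed inline with the X.509 field layout but no keys or signatures; `check_bundle` and the other function names are hypothetical.

```python
import base64
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, tbs, _ = read_tlv(der, 0)         # Certificate -> TBSCertificate
    _, pos, _ = read_tlv(der, tbs)       # first field inside TBSCertificate
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                      # optional explicit [0] version
        _, _, end = read_tlv(der, end)   # then serialNumber
    _, _, issuer_at = read_tlv(der, end)          # skip signature algorithm
    _, _, issuer_end = read_tlv(der, issuer_at)
    _, _, subject_at = read_tlv(der, issuer_end)  # skip validity
    _, _, subject_end = read_tlv(der, subject_at)
    return der[issuer_at:issuer_end], der[subject_at:subject_end]


def check_bundle(pem_text):
    """Return a list of ordering problems in a PEM certificate bundle."""
    names = [issuer_and_subject(base64.b64decode(body))
             for body in PEM_CERT.findall(pem_text)]
    if not names:
        return ["no certificates found"]
    problems = []
    first_subject = names[0][1]
    # OpenSSL pairs the first certificate with the private key, so an
    # intermediate in first position is consistent with the
    # "key values mismatch" error quoted in the post.
    if any(issuer == first_subject for issuer, _ in names[1:]):
        problems.append("first certificate issued another one in the file; "
                        "the server certificate must come first")
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(
                f"certificate {i + 1} was not issued by certificate {i + 2}")
    if len(names) == 1 and names[0][0] != names[0][1]:
        problems.append("only the server certificate is present; "
                        "no intermediates to serve")
    return problems


# --- Constructed sample data: X.509 layout only, no keys, no signatures ---

def tlv(tag, value):
    """DER-encode one element using short or long length form."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value


def name(common_name):
    oid_cn = tlv(0x06, b"\x55\x04\x03")  # 2.5.4.3 commonName
    attr = tlv(0x30, oid_cn + tlv(0x0C, common_name.encode()))
    return tlv(0x30, tlv(0x31, attr))


def constructed_cert(subject, issuer):
    """Build a PEM block whose fields sit where a real certificate's do."""
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") + name(issuer) + tlv(0x30, b"") + name(subject))
    der = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


SERVER = constructed_cert("www.example.test", "Constructed Intermediate 1")
INTER1 = constructed_cert("Constructed Intermediate 1",
                          "Constructed Intermediate 2")
INTER2 = constructed_cert("Constructed Intermediate 2", "Constructed Root")

if __name__ == "__main__":
    for label, bundle in [("server first", SERVER + INTER1 + INTER2),
                          ("intermediates first", INTER1 + INTER2 + SERVER),
                          ("server only", SERVER)]:
        print(label, "->", check_bundle(bundle) or "ok")
```

This validates the file on disk only; whether the connector actually sends the chain still has to be confirmed against the running server.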



Re: [VOTE] Release Apache Tomcat 9.0.0.M1

Posted by Mark Thomas <ma...@apache.org>.
On 16/11/2015 15:59, Ognjen Blagojevic wrote:
> Mark,
> 
> On 15.11.2015 13:42, Mark Thomas wrote:
>>>    * SSLTest also reports that APR/native does not serve full
>>> certificate
>>> chain; instead, it serves only server certificate. The same APR config
>>> serves full chain with Tomcat 8.0.28 + Native 1.2.2, so it seems to be a
>>> regression. Not serving full chain might be a problem for some clients
>>> -- browsers will probably work, but other clients may fail to establish
>>> TLS connection.
>>
>> Hmm. I'm sure this was working at one point. I'll retest it.
> 
> Tomcat 8 docs lists APR Connector attribute "SSLCertificateChainFile"
> [1]. Tomcat 9 docs, does not list such attribute (neither in "SSL
> Support - SSLHostConfig", "SSL Support - Certificate" nor "SSL Support -
> Connector - APR/Native (deprecated)"). I also check the class
> SSLHostConfigCertificate, and couldn't find a field for the chain.

You use the same attribute as for the cert. i.e. you provide the full
chain rather than just the cert.

docs might need updating to make that clear.

Mark




Re: [VOTE] Release Apache Tomcat 9.0.0.M1

Posted by Ognjen Blagojevic <og...@gmail.com>.
Mark,

On 15.11.2015 13:42, Mark Thomas wrote:
>>    * SSLTest also reports that APR/native does not serve full certificate
>> chain; instead, it serves only server certificate. The same APR config
>> serves full chain with Tomcat 8.0.28 + Native 1.2.2, so it seems to be a
>> regression. Not serving full chain might be a problem for some clients
>> -- browsers will probably work, but other clients may fail to establish
>> TLS connection.
>
> Hmm. I'm sure this was working at one point. I'll retest it.

Tomcat 8 docs lists APR Connector attribute "SSLCertificateChainFile" 
[1]. Tomcat 9 docs, does not list such attribute (neither in "SSL 
Support - SSLHostConfig", "SSL Support - Certificate" nor "SSL Support - 
Connector - APR/Native (deprecated)"). I also check the class 
SSLHostConfigCertificate, and couldn't find a field for the chain.

-Ognjen

[1] http://tomcat.apache.org/tomcat-8.0-doc/config/http.html#SSL_Support_-_APR/Native



Re: [VOTE] Release Apache Tomcat 9.0.0.M1

Posted by Mark Thomas <ma...@apache.org>.
On 15/11/2015 00:29, Ognjen Blagojevic wrote:
> Mark,
> 
> On 13.11.2015 1:12, Mark Thomas wrote:
>> The proposed Apache Tomcat 9.0.0.M1 release is now available for voting.
> 
>> The proposed 9.0.0.M1 release is:
>> [ ] Broken - do not release
>> [X] Alpha - go ahead and release as 9.0.0.M1
> 
> Tested .zip distribution on Windows 7 64-bit, Oracle JDK 1.8.0_60 and
> APR/native 1.2.2:
> 
> - Tested TLS connectivity for NIO and APR connectors:
> 
>   * Thanks to Java 8 parameter (-Djdk.tls.ephemeralDHKeySize=2048) with
> NIO and Native 1.2.2 with APR, I was able to configure DH key size >=
> 2048. SSLTest is happy.
> 
>   * SSLTest also reports that APR/native does not serve full certificate
> chain; instead, it serves only server certificate. The same APR config
> serves full chain with Tomcat 8.0.28 + Native 1.2.2, so it seems to be a
> regression. Not serving full chain might be a problem for some clients
> -- browsers will probably work, but other clients may fail to establish
> TLS connection.

Hmm. I'm sure this was working at one point. I'll retest it.

> - Tested with several webapps that are in active development. Small
> nuisances:
> 
>   * It seems that it is not possible anymore to use attribute "digest"
> in realms. It would be nice if that is mentioned in release
> announcement. I guess quite a number of people uses Realms with digest,
> and they will need to adjust the config before switching to 9.0.0.

digest is marked as deprecated in the Tomcat 8 docs. We can add that to
the migration guide.

>   * Tomcat 9 uses DBCP2, so attribute names for connection pool are
> different now (e.g. maxActive -> maxTotal). It would be nice to also add
> that to the announcement.

Tomcat 8 also uses DBCP 2 so there is no change here. This is covered in
the 7.0.x to 8.0.x migration guide.

Mark




Re: [VOTE] Release Apache Tomcat 9.0.0.M1

Posted by Rémy Maucherat <re...@apache.org>.
2015-11-17 0:04 GMT+01:00 Ognjen Blagojevic <og...@gmail.com>:

> Chris,
>
> On 16.11.2015 23:06, Christopher Schultz wrote:
>
>> What is your TLS configuration?
>>
>
> Please look at my previous reply on this thread.
>
>
>    * It seems that it is not possible anymore to use attribute "digest"
>>> in realms. It would be nice if that is mentioned in release
>>> announcement. I guess quite a number of people uses Realms with digest,
>>> and they will need to adjust the config before switching to 9.0.0.
>>>
>>
>> "digest" should still work
>>
>
> For me, it doesn't work [1]. It yields:
>
>    org.apache.tomcat.util.digester.SetPropertiesRule.begin
> [SetPropertiesRule]{Context/Realm/Realm} Setting property 'digest' to
> 'SHA-512' did not find a matching property.
>
> The webapp is started, but I cannot log in. It works fine, however, with
> nested CredentialHandler [2].
>

I have to confess I thought you were talking about the digest auth method.
Anyway, the "digest" attribute on the realm was deprecated in Tomcat 8, and
setting it is already not doing anything in that branch (it is unused). It
has now been removed in 9.

Rémy

Re: [VOTE] Release Apache Tomcat 9.0.0.M1

Posted by Ognjen Blagojevic <og...@gmail.com>.
Chris,

On 16.11.2015 23:06, Christopher Schultz wrote:
> What is your TLS configuration?

Please look at my previous reply on this thread.


>>    * It seems that it is not possible anymore to use attribute "digest"
>> in realms. It would be nice if that is mentioned in release
>> announcement. I guess quite a number of people uses Realms with digest,
>> and they will need to adjust the config before switching to 9.0.0.
>
> "digest" should still work

For me, it doesn't work [1]. It yields:

    org.apache.tomcat.util.digester.SetPropertiesRule.begin [SetPropertiesRule]{Context/Realm/Realm} Setting property 'digest' to 'SHA-512' did not find a matching property.

The webapp is started, but I cannot log in. It works fine, however, with 
nested CredentialHandler [2].

-Ognjen


[1]
   <Resource name="jdbc/dbserver" (snip) />
   <Realm className="org.apache.catalina.realm.LockOutRealm" (snip)
     <Realm className="org.apache.catalina.realm.DataSourceRealm"
            dataSourceName="jdbc/dbserver"
            localDataSource="true"
            digest="SHA-512"
            (snip) />
   </Realm>

[2]
   <Resource name="jdbc/dbserver" (snip) />
   <Realm className="org.apache.catalina.realm.LockOutRealm" (snip)
     <Realm className="org.apache.catalina.realm.DataSourceRealm"
            dataSourceName="jdbc/dbserver"
            localDataSource="true"
            (snip)>
       <CredentialHandler
            className="org.apache.catalina.realm.MessageDigestCredentialHandler"
            algorithm="SHA-512" />
     </Realm>
   </Realm>
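
A lint for the configuration change discussed in this thread, added as an example and not taken from the thread or from Tomcat: it flags `digest` on a `Realm` (ignored with only a "did not find a matching property" warning, after which logins fail) and the `maxActive` pool attribute, then rewrites them to the nested `CredentialHandler` form shown in [2] and to `maxTotal`. The sample context file and the function names `find_issues` and `migrate` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

HANDLER = "org.apache.catalina.realm.MessageDigestCredentialHandler"
# Only the rename quoted in the thread; extend from the migration guide.
DBCP2_RENAMES = {"maxActive": "maxTotal"}

# Constructed sample modelled on configuration [1] with the "(snip)"
# parts left out and a DBCP 1 style attribute added.
SAMPLE_CONTEXT = """
<Context>
  <Resource name="jdbc/dbserver" type="javax.sql.DataSource" maxActive="20" />
  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="jdbc/dbserver"
           localDataSource="true"
           digest="SHA-512" />
  </Realm>
</Context>
"""


def find_issues(xml_text):
    """Return (kind, element id, detail) tuples for attributes to migrate."""
    root = ET.fromstring(xml_text)
    issues = []
    for realm in root.iter("Realm"):      # includes Realms nested in a Realm
        if "digest" in realm.attrib:
            issues.append(("realm-digest",
                           realm.get("className", "?"),
                           realm.get("digest")))
    for resource in root.iter("Resource"):
        for old in DBCP2_RENAMES:
            if old in resource.attrib:
                issues.append(("dbcp-attribute",
                               resource.get("name", "?"), old))
    return issues


def migrate(xml_text):
    """Return the XML with the flagged attributes rewritten.

    ElementTree drops comments and reflows attributes, so treat the output
    as a draft to diff against the original file, not a drop-in replacement.
    """
    root = ET.fromstring(xml_text)
    for realm in list(root.iter("Realm")):
        algorithm = realm.attrib.pop("digest", None)
        if algorithm is None:
            continue
        # Keep an existing handler; otherwise add the one used in [2].
        if realm.find("CredentialHandler") is None:
            ET.SubElement(realm, "CredentialHandler",
                          {"className": HANDLER, "algorithm": algorithm})
    for resource in root.iter("Resource"):
        for old, new in DBCP2_RENAMES.items():
            if old in resource.attrib:
                resource.attrib[new] = resource.attrib.pop(old)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for issue in find_issues(SAMPLE_CONTEXT):
        print("needs migration:", issue)
    print(migrate(SAMPLE_CONTEXT))
```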




Re: [VOTE] Release Apache Tomcat 9.0.0.M1

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Ognjen,

On 11/14/15 7:29 PM, Ognjen Blagojevic wrote:
>   * SSLTest also reports that APR/native does not serve full certificate
> chain; instead, it serves only server certificate. The same APR config
> serves full chain with Tomcat 8.0.28 + Native 1.2.2, so it seems to be a
> regression. Not serving full chain might be a problem for some clients
> -- browsers will probably work, but other clients may fail to establish
> TLS connection.

What is your TLS configuration?

>   * It seems that it is not possible anymore to use attribute "digest"
> in realms. It would be nice if that is mentioned in release
> announcement. I guess quite a number of people uses Realms with digest,
> and they will need to adjust the config before switching to 9.0.0.

"digest" should still work

>   * Tomcat 9 uses DBCP2, so attribute names for connection pool are
> different now (e.g. maxActive -> maxTotal). It would be nice to also add
> that to the announcement.

Tomcat 8 also uses DBCP2, and this is mentioned in the 7->8 guide:
http://tomcat.apache.org/migration-8.html#Database_Connection_Pooling

-chris



Re: [VOTE] Release Apache Tomcat 9.0.0.M1

Posted by Ognjen Blagojevic <og...@gmail.com>.
Mark,

On 13.11.2015 1:12, Mark Thomas wrote:
> The proposed Apache Tomcat 9.0.0.M1 release is now available for voting.

> The proposed 9.0.0.M1 release is:
> [ ] Broken - do not release
> [X] Alpha - go ahead and release as 9.0.0.M1

Tested .zip distribution on Windows 7 64-bit, Oracle JDK 1.8.0_60 and 
APR/native 1.2.2:

- Tested TLS connectivity for NIO and APR connectors:

   * Thanks to Java 8 parameter (-Djdk.tls.ephemeralDHKeySize=2048) with 
NIO and Native 1.2.2 with APR, I was able to configure DH key size >= 
2048. SSLTest is happy.

   * SSLTest also reports that APR/native does not serve full 
certificate chain; instead, it serves only server certificate. The same 
APR config serves full chain with Tomcat 8.0.28 + Native 1.2.2, so it 
seems to be a regression. Not serving full chain might be a problem for 
some clients -- browsers will probably work, but other clients may fail 
to establish TLS connection.

- Crawled most links (except /manager, /host-manager and 
/examples/async* and alike). No broken links found.

- Smoke tests of NIO and APR, with and without TLS, all passed.

- Tested HTTP/2, Firefox reports that HTTP/2 is active. Smoke test passes.

- Tested with several webapps that are in active development. Small 
nuisances:

   * It seems that it is not possible anymore to use attribute "digest" 
in realms. It would be nice if that is mentioned in release 
announcement. I guess quite a number of people uses Realms with digest, 
and they will need to adjust the config before switching to 9.0.0.

   * Tomcat 9 uses DBCP2, so attribute names for connection pool are 
different now (e.g. maxActive -> maxTotal). It would be nice to also add 
that to the announcement.

-Ognjen



Re: [VOTE] Release Apache Tomcat 9.0.0.M1

Posted by Mark Thomas <ma...@apache.org>.
On 13/11/2015 00:12, Mark Thomas wrote:
> The proposed Apache Tomcat 9.0.0.M1 release is now available for voting.
> 
> This is the first milestone release for the 9.0.x branch. It should be
> noted that, as a milestone release:
> - Servlet 4.0 is not finalised
> - The EGs have not started work on JSP 2.4, EL 3.1 or WebSocket 1.2/2.0
> 
> The major changes compared to the 8.0.x branch are:
> - Requires Java 8
> - BIO, Comet and Windows Itanium support have been removed
> - Support for TLS virtual hosting, ALPN, HTTP/2 and OpenSSL with
>   NIO/NIO2 has been added
> - Lots of internal refactoring to support the above changes
> 
> For full details, see the changelog:
> http://svn.us.apache.org/repos/asf/tomcat/trunk/webapps/docs/changelog.xml
> 
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.0.M1/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1054/
> The svn tag is:
> http://svn.apache.org/repos/asf/tomcattags/TOMCAT_9_0_0_M1/
> 
> The proposed 9.0.0.M1 release is:
> [ ] Broken - do not release
> [X] Alpha - go ahead and release as 9.0.0.M1

Mark



Re: [VOTE] Release Apache Tomcat 9.0.0.M1

Posted by Rémy Maucherat <re...@apache.org>.
2015-11-15 16:36 GMT+01:00 Martin Grigorov <mg...@apache.org>:

> 1)
> ERROR - AtmosphereFramework        - AtmosphereFramework exception
> java.lang.IllegalStateException: A filter or servlet of the current chain
> does not support asynchronous operations.
> at org.apache.catalina.connector.Request.startAsync(Request.java:1571)
> at org.apache.catalina.connector.RequestFacade.startAsync(RequestFacade.java:1037)
> at org.atmosphere.cpr.AtmosphereRequest.startAsync(AtmosphereRequest.java:723)
> at org.atmosphere.container.Servlet30CometSupport.suspend(Servlet30CometSupport.java:93)
> at org.atmosphere.container.Servlet30CometSupport.service(Servlet30CometSupport.java:68)
> at org.atmosphere.cpr.AtmosphereFramework.doCometSupport(AtmosphereFramework.java:2078)
> at org.atmosphere.cpr.AtmosphereServlet.doPost(AtmosphereServlet.java:198)
>
> Is it a good idea (and possible) to print which filter or servlet is not
> properly configured? For better debug info.
>

This is not a new feature, and this was not refactored. Adding more details
like the class name is quite difficult with the way this is done at the
moment; it would need a full rewrite [and most likely some regressions].
Not worth it IMO.

>
> 2)
> java.lang.NullPointerException
> at org.apache.catalina.connector.Request.getServletContext(Request.java:1559)
> at org.apache.catalina.connector.Request.getContextPath(Request.java:1894)
> at org.apache.catalina.connector.RequestFacade.getContextPath(RequestFacade.java:783)
> at org.atmosphere.cpr.AtmosphereRequest.getContextPath(AtmosphereRequest.java:359)
> at javax.servlet.http.HttpServletRequestWrapper.getContextPath(HttpServletRequestWrapper.java:150)
> at org.apache.wicket.atmosphere.EventBus$2.getContextPath(EventBus.java:473)
> at org.apache.wicket.protocol.http.servlet.ServletWebRequest.getContextRelativeUrl(ServletWebRequest.java:184)
> at org.apache.wicket.protocol.http.servlet.ServletWebRequest.<init>(ServletWebRequest.java:112)
> at org.apache.wicket.protocol.http.servlet.ServletWebRequest.<init>(ServletWebRequest.java:82)
>
> I believe this issue has been discussed before. Either here or in
> Atmosphere forums.
>

Full stack trace please? The context is null so either no context was
mapped or the request has already been recycled. I'm not convinced adding
too many null checks would really help.

Rémy

Re: [VOTE] Release Apache Tomcat 9.0.0.M1

Posted by Martin Grigorov <mg...@apache.org>.
On Fri, Nov 13, 2015 at 1:12 AM, Mark Thomas <ma...@apache.org> wrote:

> The proposed Apache Tomcat 9.0.0.M1 release is now available for voting.
>
> This is the first milestone release for the 9.0.x branch. It should be
> noted that, as a milestone release:
> - Servlet 4.0 is not finalised
> - The EGs have not started work on JSP 2.4, EL 3.1 or WebSocket 1.2/2.0
>
> The major changes compared to the 8.0.x branch are:
> - Requires Java 8
> - BIO, Comet and Windows Itanium support have been removed
> - Support for TLS virtual hosting, ALPN, HTTP/2 and OpenSSL with
>   NIO/NIO2 has been added
> - Lots of internal refactoring to support the above changes
>
> For full details, see the changelog:
> http://svn.us.apache.org/repos/asf/tomcat/trunk/webapps/docs/changelog.xml
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.0.M1/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1054/
> The svn tag is:
> http://svn.apache.org/repos/asf/tomcattags/TOMCAT_9_0_0_M1/
>
> The proposed 9.0.0.M1 release is:
> [ ] Broken - do not release
> [ X ] Alpha - go ahead and release as 9.0.0.M1
>

Environment: Ubuntu 15.10, Firefox 42.0, Google Chrome 46

Tested:
- Apache Wicket WebSocket demo application (uses JSR 356 web sockets) with
HTTP2.
- Apache Wicket examples application

The only problem I faced was with Wicket-Atmosphere integration (Atmosphere
ver. 2.2.8):

1)
ERROR - AtmosphereFramework        - AtmosphereFramework exception
java.lang.IllegalStateException: A filter or servlet of the current chain does not support asynchronous operations.
at org.apache.catalina.connector.Request.startAsync(Request.java:1571)
at org.apache.catalina.connector.RequestFacade.startAsync(RequestFacade.java:1037)
at org.atmosphere.cpr.AtmosphereRequest.startAsync(AtmosphereRequest.java:723)
at org.atmosphere.container.Servlet30CometSupport.suspend(Servlet30CometSupport.java:93)
at org.atmosphere.container.Servlet30CometSupport.service(Servlet30CometSupport.java:68)
at org.atmosphere.cpr.AtmosphereFramework.doCometSupport(AtmosphereFramework.java:2078)
at org.atmosphere.cpr.AtmosphereServlet.doPost(AtmosphereServlet.java:198)

Is it a good idea (and possible) to print which filter or servlet is not
properly configured? For better debug info.

2)
java.lang.NullPointerException
at org.apache.catalina.connector.Request.getServletContext(Request.java:1559)
at org.apache.catalina.connector.Request.getContextPath(Request.java:1894)
at org.apache.catalina.connector.RequestFacade.getContextPath(RequestFacade.java:783)
at org.atmosphere.cpr.AtmosphereRequest.getContextPath(AtmosphereRequest.java:359)
at javax.servlet.http.HttpServletRequestWrapper.getContextPath(HttpServletRequestWrapper.java:150)
at org.apache.wicket.atmosphere.EventBus$2.getContextPath(EventBus.java:473)
at org.apache.wicket.protocol.http.servlet.ServletWebRequest.getContextRelativeUrl(ServletWebRequest.java:184)
at org.apache.wicket.protocol.http.servlet.ServletWebRequest.<init>(ServletWebRequest.java:112)
at org.apache.wicket.protocol.http.servlet.ServletWebRequest.<init>(ServletWebRequest.java:82)

I believe this issue has been discussed before. Either here or in
Atmosphere forums.



Re: [VOTE] Release Apache Tomcat 9.0.0.M1

Posted by Huxing Zhang <hu...@alibaba-inc.com>.
Hi, 

I have tested Tomcat 9.0.0.M1 on Mac OS X El Capitan.

The svn link seems broken to me:
http://svn.apache.org/repos/asf/tomcattags/TOMCAT_9_0_0_M1/ 

Instead, the following url is accessible:
http://svn.apache.org/repos/asf/tomcat/tags/TOMCAT_9_0_0_M1/

Environment:
Mac OSX, jdk 1.8.0_51, apr 1.5.2, tcnative 1.2.2, OpenSSL 1.0.2d 9 Jul 2015

Test Results:
All NIO/NIO2/APR test cases have successfully passed.

Test https + apr with openssl generated self-signed certificate: ok
Smoke test on servlet/jsp/websocket examples: ok
HTTP/2 server push feature on Chrome: ok

Test https + nio/nio2 with sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation" defined in connector
Smoke test on servlet/jsp/websocket examples: ok
HTTP/2 server push feature on Chrome: ok

Observations:
* Documentation of the <UpgradeProtocol> element is lacking; it should be in config/http.html#Nested_Components
* Deprecated documentation found in docs/ssl-howto.html:
Right now the doc says:
The APR connector uses different attributes for many SSL settings, particularly keys and certificates. An example of an APR configuration is:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/usr/local/ssl/server.crt"
           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
           SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
Since the SSL configuration attributes in the Connector element are deprecated, they should be replaced by configuration in the SSLHostConfig element. At least, they should be marked as deprecated.
* A ${catalina.base} directory appears after running the unit test cases; it also appeared in trunk, but never in tomcat8/tomcat7 trunk. I haven't looked into it, but I guess there is some test which forgot to set the catalina.base system property.
* In docs/ssl-howto.html, it might be better to provide an example of generating a self-signed certificate using openssl; what I am using is:
/usr/local/openssl/bin/openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
* The documentation at docs/config/http.html#SSL_Support_-_SSLHostConfig looks a little confusing; it might be better to separate the JSSE-only and OpenSSL-only attributes.

Overall my conclusion is:
[ X ] Alpha - go ahead and release as 9.0.0.M1
 
------------------------------------------------------------------
From:Mark Thomas <ma...@apache.org>
Time:2015 Nov 13 (Fri) 08:13
To:dev@tomcat.apache.org <de...@tomcat.apache.org>
Subject:[VOTE] Release Apache Tomcat 9.0.0.M1


The proposed Apache Tomcat 9.0.0.M1 release is now available for voting.

This is the first milestone release for the 9.0.x branch. It should be
noted that, as a milestone release:
- Servlet 4.0 is not finalised
- The EGs have not started work on JSP 2.4, EL 3.1 or WebSocket 1.2/2.0

The major changes compared to the 8.0.x branch are:
- Requires Java 8
- BIO, Comet and Windows Itanium support have been removed
- Support for TLS virtual hosting, ALPN, HTTP/2 and OpenSSL with
  NIO/NIO2 has been added
- Lots of internal refactoring to support the above changes

For full details, see the changelog:
http://svn.us.apache.org/repos/asf/tomcat/trunk/webapps/docs/changelog.xml

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.0.M1/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1054/
The svn tag is:
http://svn.apache.org/repos/asf/tomcattags/TOMCAT_9_0_0_M1/

The proposed 9.0.0.M1 release is:
[ ] Broken - do not release
[ ] Alpha - go ahead and release as 9.0.0.M1
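
Added example (not part of the original thread or of the Tomcat documentation): the APR connector quoted in Huxing Zhang's message, rewritten with the TLS settings moved into a nested SSLHostConfig element and with an UpgradeProtocol element for HTTP/2. The nested element and attribute names are those documented for later Tomcat 9.0.x releases and are an assumption for the 9.0.0.M1 milestone; paths and values are copied from the quoted snippet.

```xml
<!-- APR connector from the quoted ssl-howto snippet, with the TLS settings
     expressed through SSLHostConfig instead of Connector attributes.
     Element and attribute names assume a later Tomcat 9.0.x release. -->
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true">

    <!-- Enables HTTP/2 on this connector (negotiated through ALPN). -->
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />

    <!-- Replaces SSLVerifyClient and SSLProtocol. With no hostName
         attribute this is the connector's default TLS virtual host. -->
    <SSLHostConfig certificateVerification="optional"
                   protocols="TLSv1+TLSv1.1+TLSv1.2">
        <!-- Replaces SSLCertificateFile and SSLCertificateKeyFile. -->
        <Certificate certificateFile="/usr/local/ssl/server.crt"
                     certificateKeyFile="/usr/local/ssl/server.pem" />
    </SSLHostConfig>
</Connector>
```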
