Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2018/12/20 04:00:19 UTC

Re: 9.0.13 encrypted cluster traffic

Tim,

Tomcat 9.0.14 is available and should work much better. Would it be
possible for you to test the latest release with the encrypted clustering?

Thanks,
-chris

On 11/24/18 11:13, Christopher Schultz wrote:
> Tim,
> 
> On 11/23/18 12:55, Christopher Schultz wrote:
>> Okay, the problem is that I built the EncryptInterceptor without
>>  realizing that cluster-messaging isn't single-threaded. It's 
>> completely non-thread-safe and it needs to be.
> 
>> There is a simple fix that can be applied (synchronize the
>> encrypt and decrypt methods) but it'll create a big bottleneck
>> for you. On the other hand, it's easy to apply and test and
>> ensure it's working in your environment. Are you willing to grab
>> the Tomcat source and compile it? If you get the 9.0.13 source
>> and are able to compile it, I can give you a 2-line patch that
>> should fix your issue. Alternatively, I can give you a patched
>> catalina-tribes.jar that you can just drop-in-replace to try
>> out.
> 
>> I have a more elaborate patch that I'm going to apply soon and it
>>  should be available in the next release of Tomcat 9.
> 
> I think this should be fixed, now. If you build from trunk, I
> think things will work remarkably better for you. Or, just wait
> until the next release (a few weeks maybe). If you *can* build from
> source, it would be great to get some real-world mileage on this
> code before the next release.
> 
> -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: 9.0.13 encrypted cluster traffic

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Keiichi,

On 12/25/18 02:33, Keiichi Fujino wrote:
> On Sun, Dec 23, 2018 at 2:10 Christopher Schultz
> <ch...@christopherschultz.net> wrote:
> 
> Keiichi,
> 
> On 12/21/18 02:58, Keiichi Fujino wrote:
>>>> On Fri, Dec 21, 2018 at 12:11 Christopher Schultz
>>>> <ch...@christopherschultz.net> wrote:
>>>> 
>>>> Tim,
>>>> 
>>>> On 12/20/18 10:18, Tim K wrote:
>>>>>>>> 
>>>>>>>> I just downloaded and tried 9.0.14 but I'm still
>>>>>>>> getting the same BadPaddingException upon starting
>>>>>>>> the second instance.  I confirmed the encryptionKey
>>>>>>>> matches on my two instances.
>>>>>>>> 
>>>>>>> 
>>>>>>> Maybe something is wrong with my config?  For this
>>>>>>> test, I have both Tomcats on the same server using
>>>>>>> different ports:
>>>> 
>>>> This is the only thing that matters to the encryption
>>>> interceptor:
>>>> 
>>>>>>> <Interceptor
>>>>>>> className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
>>>>>>> encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />
>>>> 
>>>> I'm not sure if the order of encrypt/asyncdispatch
>>>> interceptors matters much.
>>>> 
>>>> 
>>>> 
>>>>> Hi.
>>>> 
>>>>> The case of using TcpFailureDetector, there is a case to
>>>>> write directly without passing through the interceptor
>>>>> chain.
>>>> 
>>>>> TcpFailureDetector#memberAlive writes the channel data
>>>>> directly to outputstream without passing through the
>>>>> interceptor chain. However, when receiving this channel
>>>>> data, It passes through the interceptor chain. So, it must
>>>>> be received by TcpFailureDetector before decrypt of
>>>>> EncryptInterceptor. That is, the order is important. The
>>>>> order is EncryptInterceptor -> TcpFailureDetector.
> 
> How's this for an update to the EncryptInterceptor documentation:
> 
> " If using the <code>TcpFailureDetector</code>, the 
> <code>EncryptInterceptor</code> <i>must</i> be inserted into the
> interceptor chain <i>before</i> the 
> <code>TcpFailureDetector</code>. This is because the
> <code>TcpFailureDetector</code> writes channel data directly 
> without using the remainder of the interceptor chain, but on the
> receiving side, the message still goes through the chain (in
> reverse). Because of this asymmetry, the
> <code>EncryptInterceptor</code> must execute <i>before</i> the
> <code>TcpFailureDetector</code> on the sender and <i>after</i> it
> on the receiver. "
> 
> 
>> Hi Chris.
> 
>> Writing channel data directly is only for member verification. 
>> Normal message are sent/received via the interceptor chain. So,
>> It may be better to add a sentence that interprets that writing
>> channel data directly is only for member verification. such as,
>> "When TcpFailureDetector validates cluster members..." etc.

How about this:

"
If using the <code>TcpFailureDetector</code>, the
<code>EncryptInterceptor</code>
<i>must</i> be inserted into the interceptor chain <i>before</i> the
<code>TcpFailureDetector</code>. This is because when validating cluster
members, <code>TcpFailureDetector</code> writes channel data directly
to the other members without using the remainder of the interceptor chain,
but on the receiving side, the message still goes through the chain (in
reverse).
Because of this asymmetry, the <code>EncryptInterceptor</code> must
execute
<i>before</i> the <code>TcpFailureDetector</code> on the sender and
<i>after</i>
it on the receiver, otherwise message corruption will occur.
"

-chris


Re: 9.0.13 encrypted cluster traffic

Posted by Keiichi Fujino <kf...@apache.org>.
On Sun, Dec 23, 2018 at 2:10 Christopher Schultz <ch...@christopherschultz.net> wrote:

>
> Keiichi,
>
> On 12/21/18 02:58, Keiichi Fujino wrote:
> > On Fri, Dec 21, 2018 at 12:11 Christopher Schultz
> > <ch...@christopherschultz.net> wrote:
> >
> > Tim,
> >
> > On 12/20/18 10:18, Tim K wrote:
> >>>>>
> >>>>> I just downloaded and tried 9.0.14 but I'm still getting
> >>>>> the same BadPaddingException upon starting the second
> >>>>> instance.  I confirmed the encryptionKey matches on my two
> >>>>> instances.
> >>>>>
> >>>>
> >>>> Maybe something is wrong with my config?  For this test, I
> >>>> have both Tomcats on the same server using different ports:
> >
> > This is the only thing that matters to the encryption interceptor:
> >
> >>>> <Interceptor
> >>>> className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
> >>>> encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />
> >
> > I'm not sure if the order of encrypt/asyncdispatch interceptors
> > matters much.
> >
> >
> >
> >> Hi.
> >
> >> The case of using TcpFailureDetector, there is a case to write
> >> directly without passing through the interceptor chain.
> >
> >> TcpFailureDetector#memberAlive writes the channel data directly
> >> to outputstream without passing through the interceptor chain.
> >> However, when receiving this channel data, It passes through the
> >> interceptor chain. So, it must be received by TcpFailureDetector
> >> before decrypt of EncryptInterceptor. That is, the order is
> >> important. The order is EncryptInterceptor ->
> >> TcpFailureDetector.
>
> How's this for an update to the EncryptInterceptor documentation:
>
> "
> If using the <code>TcpFailureDetector</code>, the
> <code>EncryptInterceptor</code>
> <i>must</i> be inserted into the interceptor chain <i>before</i> the
> <code>TcpFailureDetector</code>. This is because the
> <code>TcpFailureDetector</code> writes channel data directly
> without using
> the remainder of the interceptor chain, but on the receiving side,
> the message still goes through the chain (in reverse). Because of this
> asymmetry, the <code>EncryptInterceptor</code> must execute
> <i>before</i>
> the <code>TcpFailureDetector</code> on the sender and <i>after</i>
> it on the receiver.
> "
>
>
Hi Chris.

Writing channel data directly is only for member verification.
Normal messages are sent/received via the interceptor chain.
So, it may be better to add a sentence that interprets that writing channel
data directly is only for member verification,
such as "When TcpFailureDetector validates cluster members..." etc.



> ??
>
> -chris

-- 
Keiichi.Fujino

Re: 9.0.13 encrypted cluster traffic

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Keiichi,

On 12/21/18 02:58, Keiichi Fujino wrote:
> On Fri, Dec 21, 2018 at 12:11 Christopher Schultz
> <ch...@christopherschultz.net> wrote:
> 
> Tim,
> 
> On 12/20/18 10:18, Tim K wrote:
>>>>> 
>>>>> I just downloaded and tried 9.0.14 but I'm still getting
>>>>> the same BadPaddingException upon starting the second
>>>>> instance.  I confirmed the encryptionKey matches on my two
>>>>> instances.
>>>>> 
>>>> 
>>>> Maybe something is wrong with my config?  For this test, I
>>>> have both Tomcats on the same server using different ports:
> 
> This is the only thing that matters to the encryption interceptor:
> 
>>>> <Interceptor
>>>> className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
>>>> encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />
> 
> I'm not sure if the order of encrypt/asyncdispatch interceptors 
> matters much.
> 
> 
> 
>> Hi.
> 
>> The case of using TcpFailureDetector, there is a case to write
>> directly without passing through the interceptor chain.
> 
>> TcpFailureDetector#memberAlive writes the channel data directly
>> to outputstream without passing through the interceptor chain. 
>> However, when receiving this channel data, It passes through the 
>> interceptor chain. So, it must be received by TcpFailureDetector
>> before decrypt of EncryptInterceptor. That is, the order is
>> important. The order is EncryptInterceptor ->
>> TcpFailureDetector.

How's this for an update to the EncryptInterceptor documentation:

"
If using the <code>TcpFailureDetector</code>, the
<code>EncryptInterceptor</code>
<i>must</i> be inserted into the interceptor chain <i>before</i> the
<code>TcpFailureDetector</code>. This is because the
<code>TcpFailureDetector</code> writes channel data directly
without using
the remainder of the interceptor chain, but on the receiving side,
the message still goes through the chain (in reverse). Because of this
asymmetry, the <code>EncryptInterceptor</code> must execute
<i>before</i>
the <code>TcpFailureDetector</code> on the sender and <i>after</i>
it on the receiver.
"

??

-chris


Re: 9.0.13 encrypted cluster traffic

Posted by Keiichi Fujino <kf...@apache.org>.
On Fri, Dec 21, 2018 at 12:11 Christopher Schultz <ch...@christopherschultz.net> wrote:

>
> Tim,
>
> On 12/20/18 10:18, Tim K wrote:
> >>
> >> I just downloaded and tried 9.0.14 but I'm still getting the same
> >> BadPaddingException upon starting the second instance.  I
> >> confirmed the encryptionKey matches on my two instances.
> >>
> >
> > Maybe something is wrong with my config?  For this test, I have
> > both Tomcats on the same server using different ports:
>
> This is the only thing that matters to the encryption interceptor:
>
> > <Interceptor
> > className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
> > encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />
>
> I'm not sure if the order of encrypt/asyncdispatch interceptors
> matters much.
>


Hi.

The case of using TcpFailureDetector, there is a case to write directly
without passing through the interceptor chain.

TcpFailureDetector#memberAlive writes the channel data directly to
outputstream without passing through the interceptor chain.
However, when receiving this channel data, it passes through the
interceptor chain.
So, it must be received by TcpFailureDetector before decrypt of
EncryptInterceptor.
That is, the order is important.
The order is
EncryptInterceptor -> TcpFailureDetector.


>
> I copy/pasted your key into the TestEncryptInterceptor unit test and I
> didn't get any errors. I generated 4 new 32-character (16-byte) keys
> and tried all of them and didn't get any errors.
>
> Oddly, the very first time I copy/pasted it from your email message
> into the tester it failed with BadPaddingException, but when I
> re-copied "just in case" it stopped failing. Can you download and
> build the 9.0.14 source and run that unit test in your environment?
> Like this:
>
>   $ ant test -Dtest.entry=org.apache.catalina.tribes.group.interceptors.TestEncryptInterceptor
>
> If that works, try copy/pasting your key into the source file of the
> test -- it's right up at the top, called "encryptionKey128" -- then
> save and re-run the test (ant will recompile it). If that works...
> then I'm stumped.
>
> -chris

-- 
Keiichi.Fujino

Re: 9.0.13 encrypted cluster traffic

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Tim,

On 1/4/19 08:23, Tim K wrote:
> On Sat, Dec 22, 2018, 11:56 AM Christopher Schultz < 
> chris@christopherschultz.net wrote:
> 
> Tim,
> 
> On 12/21/18 08:14, Tim K wrote:
>>>> On Thu, Dec 20, 2018, 10:11 PM Christopher Schultz < 
>>>> chris@christopherschultz.net wrote:
>>>> 
>>>> Tim,
>>>> 
>>>> On 12/20/18 10:18, Tim K wrote:
>>>>>>>> 
>>>>>>>> I just downloaded and tried 9.0.14 but I'm still
>>>>>>>> getting the same BadPaddingException upon starting
>>>>>>>> the second instance.  I confirmed the encryptionKey
>>>>>>>> matches on my two instances.
>>>>>>>> 
>>>>>>> 
>>>>>>> Maybe something is wrong with my config?  For this
>>>>>>> test, I have both Tomcats on the same server using
>>>>>>> different ports:
>>>> 
>>>> This is the only thing that matters to the encryption
>>>> interceptor:
>>>> 
>>>>>>> <Interceptor
>>>>>>> className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
>>>>>>> encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />
>>>> 
>>>> I'm not sure if the order of encrypt/asyncdispatch
>>>> interceptors matters much.
>>>> 
>>>> I copy/pasted your key into the TestEncryptInterceptor unit
>>>> test and I didn't get any errors. I generated 4 new
>>>> 32-character (16-byte) keys and tried all of them and didn't
>>>> get any errors.
>>>> 
>>>> Oddly, the very first time I copy/pasted it from your email 
>>>> message into the tester it failed with BadPaddingException,
>>>> but when I re-copied "just in case" it stopped failing. Can
>>>> you download and build the 9.0.14 source and run that unit
>>>> test in your environment? Like this:
>>>> 
>>>> $ ant test -Dtest.entry=org.apache.catalina.tribes.group.interceptors.TestEncryptInterceptor
>>>> 
>>>> If that works, try copy/pasting your key into the source file
>>>> of the test -- it's right up at the top, called
>>>> "encryptionKey128" -- then save and re-run the test (ant will
>>>> recompile it). If that works... then I'm stumped.
>>>> 
>>>> -chris
>>>> 
>>>> 
>>>> I grabbed the src from the site and built it successfully,
>>>> tried the test but it is looking for a message.bin file...
> 
> If the file doesn't exist, it skips the test. That's normal.
> 
>>>> I tried just touch'ing that file and the first test fails
>>>> with a NegativeArraySizeException
> 
> Right... because it should contain an encrypted message. A
> zero-byte file won't be decrypted properly.
> 
> (BTW this explains why I got a BadPaddingException in that
> *single* test... I forgot that the test decrypts the file
> left-behind from the previous test. This was intentional, to ensure
> that there wasn't some magical state being held within the JVM
> allowing it to decrypt the message.)
> 
>>>> and it deletes the message.bin file and the subsequent 2
>>>> tests can't find it.  Is there something special I need to do
>>>> with that message.bin file to run the junit tests?
> No. The tests are running as expected.
> 
>>>> Also, I tried just using the exact encryptionKey128 you had
>>>> within the test class and that one didn't work in my config
>>>> either, same BadPaddingException.
> 
> Try running the test twice in a row. From your output, it looks
> like the test runs fine.
> 
> Oh, you meant using my cafebabe key in your setup didn't work?
> Please see Keiichi's reply: it seems that the EncryptInterceptor
> must be "outside" of the TcpFailureDetector.
> 
> -chris
> 
> 
> Moving the encryption interceptor to the first position appears to
> have resolved this for me.  Thank you all for the assistance!

Excellent. Thanks for the confirmation.

I was thinking about this the other day and it seems like such an easy
mistake to make with such a bad outcome it would be best to detect the
situation and throw a warning/error. I think that should be possible.

-chris


Re: 9.0.13 encrypted cluster traffic

Posted by Tim K <ti...@gmail.com>.
On Sat, Dec 22, 2018, 11:56 AM Christopher Schultz <
chris@christopherschultz.net wrote:

>
> Tim,
>
> On 12/21/18 08:14, Tim K wrote:
> > On Thu, Dec 20, 2018, 10:11 PM Christopher Schultz <
> > chris@christopherschultz.net wrote:
> >
> > Tim,
> >
> > On 12/20/18 10:18, Tim K wrote:
> >>>>>
> >>>>> I just downloaded and tried 9.0.14 but I'm still getting
> >>>>> the same BadPaddingException upon starting the second
> >>>>> instance.  I confirmed the encryptionKey matches on my two
> >>>>> instances.
> >>>>>
> >>>>
> >>>> Maybe something is wrong with my config?  For this test, I
> >>>> have both Tomcats on the same server using different ports:
> >
> > This is the only thing that matters to the encryption interceptor:
> >
> >>>> <Interceptor
> >>>> className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
> >>>> encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />
> >
> > I'm not sure if the order of encrypt/asyncdispatch interceptors
> > matters much.
> >
> > I copy/pasted your key into the TestEncryptInterceptor unit test
> > and I didn't get any errors. I generated 4 new 32-character
> > (16-byte) keys and tried all of them and didn't get any errors.
> >
> > Oddly, the very first time I copy/pasted it from your email
> > message into the tester it failed with BadPaddingException, but
> > when I re-copied "just in case" it stopped failing. Can you
> > download and build the 9.0.14 source and run that unit test in your
> > environment? Like this:
> >
> > $ ant test -Dtest.entry=org.apache.catalina.tribes.group.interceptors.TestEncryptInterceptor
> >
> > If that works, try copy/pasting your key into the source file of
> > the test -- it's right up at the top, called "encryptionKey128" --
> > then save and re-run the test (ant will recompile it). If that
> > works... then I'm stumped.
> >
> > -chris
> >
> >
> > I grabbed the src from the site and built it successfully, tried
> > the test but it is looking for a message.bin file...
>
> If the file doesn't exist, it skips the test. That's normal.
>
> > I tried just touch'ing that file and the first test fails with a
> > NegativeArraySizeException
>
> Right... because it should contain an encrypted message. A zero-byte
> file won't be decrypted properly.
>
> (BTW this explains why I got a BadPaddingException in that *single*
> test... I forgot that the test decrypts the file left-behind from the
> previous test. This was intentional, to ensure that there wasn't some
> magical state being held within the JVM allowing it to decrypt the
> message.)
>
> > and it deletes the message.bin file and the subsequent 2 tests
> > can't find it.  Is there something special I need to do with that
> > message.bin file to run the junit tests?
> No. The tests are running as expected.
>
> > Also, I tried just using the exact encryptionKey128 you had within
> > the test class and that one didn't work in my config either, same
> > BadPaddingException.
>
> Try running the test twice in a row. From your output, it looks like
> the test runs fine.
>
> Oh, you meant using my cafebabe key in your setup didn't work? Please
> see Keiichi's reply: it seems that the EncryptInterceptor must be
> "outside" of the TcpFailureDetector.
>
> -chris


Moving the encryption interceptor to the first position appears to have
resolved this for me.  Thank you all for the assistance!
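
Added example, not part of the thread and not Tomcat's own code: a pre-deployment check for the mistake resolved above (TcpFailureDetector listed ahead of EncryptInterceptor) that also compares the encryptionKey across nodes without printing it. It assumes "before" means listed earlier inside the Channel element, which matches the fix of moving the interceptor to the first position; the sample configurations, the keys in them and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

PKG = "org.apache.catalina.tribes.group.interceptors."
ENCRYPT = PKG + "EncryptInterceptor"
DETECTOR = PKG + "TcpFailureDetector"
# Assumption: AES keys of 16, 24 or 32 bytes, written as hex characters.
KEY_HEX_LENGTHS = (32, 48, 64)


def encrypted_chains(server_xml):
    """For each <Channel> that uses EncryptInterceptor, return its
    <Interceptor> elements in the order they are listed."""
    root = ET.fromstring(server_xml)
    chains = [ch.findall("Interceptor") for ch in root.iter("Channel")]
    return [c for c in chains
            if any(i.get("className") == ENCRYPT for i in c)]


def check_node(server_xml):
    """Return a list of findings for one node's configuration text."""
    findings = []
    for chain in encrypted_chains(server_xml):
        names = [i.get("className") for i in chain]
        enc_at = names.index(ENCRYPT)
        # The rule from the thread: EncryptInterceptor -> TcpFailureDetector.
        if DETECTOR in names and names.index(DETECTOR) < enc_at:
            findings.append(
                "order: TcpFailureDetector is listed before EncryptInterceptor")
        key = chain[enc_at].get("encryptionKey", "")
        # Strict match so stray whitespace from copy/paste is reported.
        if not re.fullmatch(r"[0-9a-fA-F]+", key):
            findings.append("key: encryptionKey is missing or not plain hex")
        elif len(key) not in KEY_HEX_LENGTHS:
            findings.append(
                "key: encryptionKey has %d hex characters" % len(key))
    return findings


def node_keys(server_xml):
    """Set of (lower-cased) keys configured on one node."""
    return {i.get("encryptionKey", "").lower()
            for chain in encrypted_chains(server_xml)
            for i in chain if i.get("className") == ENCRYPT}


def check_cluster(nodes):
    """nodes maps node name -> configuration text. Key values are
    compared but never placed in the report."""
    report = {name: check_node(text) for name, text in nodes.items()}
    keys = set()
    for text in nodes.values():
        keys |= node_keys(text)
    report["(cluster)"] = (
        ["key: encryptionKey values differ between nodes"]
        if len(keys) > 1 else [])
    return report


# Constructed sample: encryption first, as in the working setup.
GOOD_NODE = """
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                 encryptionKey="00112233445566778899aabbccddeeff"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor"/>
  </Channel>
</Cluster>
"""

# Constructed sample: failure detector ahead of encryption, different key.
BAD_NODE = """
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                 encryptionKey="ffeeddccbbaa99887766554433221100"/>
  </Channel>
</Cluster>
"""

if __name__ == "__main__":
    result = check_cluster({"node-a": GOOD_NODE, "node-b": BAD_NODE})
    for node, findings in result.items():
        for finding in findings:
            print(node, finding)
```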

Re: 9.0.13 encrypted cluster traffic

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Tim,

On 12/21/18 08:14, Tim K wrote:
> On Thu, Dec 20, 2018, 10:11 PM Christopher Schultz < 
> chris@christopherschultz.net wrote:
> 
> Tim,
> 
> On 12/20/18 10:18, Tim K wrote:
>>>>> 
>>>>> I just downloaded and tried 9.0.14 but I'm still getting
>>>>> the same BadPaddingException upon starting the second
>>>>> instance.  I confirmed the encryptionKey matches on my two
>>>>> instances.
>>>>> 
>>>> 
>>>> Maybe something is wrong with my config?  For this test, I
>>>> have both Tomcats on the same server using different ports:
> 
> This is the only thing that matters to the encryption interceptor:
> 
>>>> <Interceptor
>>>> className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
>>>> encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />
> 
> I'm not sure if the order of encrypt/asyncdispatch interceptors 
> matters much.
> 
> I copy/pasted your key into the TestEncryptInterceptor unit test
> and I didn't get any errors. I generated 4 new 32-character
> (16-byte) keys and tried all of them and didn't get any errors.
> 
> Oddly, the very first time I copy/pasted it from your email
> message into the tester it failed with BadPaddingException, but
> when I re-copied "just in case" it stopped failing. Can you
> download and build the 9.0.14 source and run that unit test in your
> environment? Like this:
> 
> $ ant test -Dtest.entry=org.apache.catalina.tribes.group.interceptors.TestEncryptInterceptor
> 
> If that works, try copy/pasting your key into the source file of
> the test -- it's right up at the top, called "encryptionKey128" --
> then save and re-run the test (ant will recompile it). If that
> works... then I'm stumped.
> 
> -chris
> 
> 
> I grabbed the src from the site and built it successfully, tried
> the test but it is looking for a message.bin file...

If the file doesn't exist, it skips the test. That's normal.

> I tried just touch'ing that file and the first test fails with a
> NegativeArraySizeException

Right... because it should contain an encrypted message. A zero-byte
file won't be decrypted properly.

(BTW this explains why I got a BadPaddingException in that *single*
test... I forgot that the test decrypts the file left-behind from the
previous test. This was intentional, to ensure that there wasn't some
magical state being held within the JVM allowing it to decrypt the
message.)

> and it deletes the message.bin file and the subsequent 2 tests
> can't find it.  Is there something special I need to do with that 
> message.bin file to run the junit tests?
No. The tests are running as expected.

> Also, I tried just using the exact encryptionKey128 you had within
> the test class and that one didn't work in my config either, same 
> BadPaddingException.

Try running the test twice in a row. From your output, it looks like
the test runs fine.

Oh, you meant using my cafebabe key in your setup didn't work? Please
see Keiichi's reply: it seems that the EncryptInterceptor must be
"outside" of the TcpFailureDetector.

-chris


Re: 9.0.13 encrypted cluster traffic

Posted by Tim K <ti...@gmail.com>.
On Thu, Dec 20, 2018, 10:11 PM Christopher Schultz <
chris@christopherschultz.net wrote:

>
> Tim,
>
> On 12/20/18 10:18, Tim K wrote:
> >>
> >> I just downloaded and tried 9.0.14 but I'm still getting the same
> >> BadPaddingException upon starting the second instance.  I
> >> confirmed the encryptionKey matches on my two instances.
> >>
> >
> > Maybe something is wrong with my config?  For this test, I have
> > both Tomcats on the same server using different ports:
>
> This is the only thing that matters to the encryption interceptor:
>
> > <Interceptor
> > className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
> > encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />
>
> I'm not sure if the order of encrypt/asyncdispatch interceptors
> matters much.
>
> I copy/pasted your key into the TestEncryptInterceptor unit test and I
> didn't get any errors. I generated 4 new 32-character (16-byte) keys
> and tried all of them and didn't get any errors.
>
> Oddly, the very first time I copy/pasted it from your email message
> into the tester it failed with BadPaddingException, but when I
> re-copied "just in case" it stopped failing. Can you download and
> build the 9.0.14 source and run that unit test in your environment?
> Like this:
>
>   $ ant test -Dtest.entry=org.apache.catalina.tribes.group.interceptors.TestEncryptInterceptor
>
> If that works, try copy/pasting your key into the source file of the
> test -- it's right up at the top, called "encryptionKey128" -- then
> save and re-run the test (ant will recompile it). If that works...
> then I'm stumped.
>
> -chris


I grabbed the src from the site and built it successfully, tried the test
but it is looking for a message.bin file... I tried just touch'ing that
file and the first test fails with a NegativeArraySizeException and it
deletes the message.bin file and the subsequent 2 tests can't find it.  Is
there something special I need to do with that message.bin file to run the
junit tests?

test-nio:
    [junit] Running org.apache.catalina.tribes.group.interceptors.TestEncryptInterceptor
    [junit] Tests run: 17, Failures: 0, Errors: 0, Skipped: 2, Time elapsed: 0.364 sec
    [junit] File message.bin does not exist. Skipping test.

test-nio2:
    [junit] Running org.apache.catalina.tribes.group.interceptors.TestEncryptInterceptor
    [junit] Tests run: 17, Failures: 0, Errors: 0, Skipped: 2, Time elapsed: 0.625 sec
    [junit] File message.bin does not exist. Skipping test.

test-apr-exists:

test-apr:
    [junit] Running org.apache.catalina.tribes.group.interceptors.TestEncryptInterceptor
    [junit] Tests run: 17, Failures: 0, Errors: 0, Skipped: 2, Time elapsed: 0.465 sec
    [junit] File message.bin does not exist. Skipping test.

cobertura-report:

test:
   [concat] Testsuites with skipped tests:
   [concat] TEST-org.apache.catalina.tribes.group.interceptors.TestEncryptInterceptor.APR.txt
   [concat] TEST-org.apache.catalina.tribes.group.interceptors.TestEncryptInterceptor.NIO.txt
   [concat] TEST-org.apache.catalina.tribes.group.interceptors.TestEncryptInterceptor.NIO2.txt
   [concat] Testsuites with failed tests:

BUILD SUCCESSFUL
Total time: 11 seconds

Also, I tried just using the exact encryptionKey128 you had within the test
class and that one didn't work in my config either, same
BadPaddingException.

-Tim

Re: 9.0.13 encrypted cluster traffic

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Tim,

On 12/20/18 10:18, Tim K wrote:
>> 
>> I just downloaded and tried 9.0.14 but I'm still getting the same
>> BadPaddingException upon starting the second instance.  I
>> confirmed the encryptionKey matches on my two instances.
>> 
> 
> Maybe something is wrong with my config?  For this test, I have
> both Tomcats on the same server using different ports:

This is the only thing that matters to the encryption interceptor:

> <Interceptor
> className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
> encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />

I'm not sure if the order of encrypt/asyncdispatch interceptors
matters much.

I copy/pasted your key into the TestEncryptInterceptor unit test and I
didn't get any errors. I generated 4 new 32-character (16-byte) keys
and tried all of them and didn't get any errors.

Oddly, the very first time I copy/pasted it from your email message
into the tester it failed with BadPaddingException, but when I
re-copied "just in case" it stopped failing. Can you download and
build the 9.0.14 source and run that unit test in your environment?
Like this:

  $ ant test -Dtest.entry=org.apache.catalina.tribes.group.interceptors.TestEncryptInterceptor

If that works, try copy/pasting your key into the source file of the
test -- it's right up at the top, called "encryptionKey128" -- then
save and re-run the test (ant will recompile it). If that works...
then I'm stumped.

-chris

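The message above mentions a 32-character (16-byte) hex key and a paste that failed once with BadPaddingException; both can be checked outside Tomcat. This is an added example, not code from the thread or from Tomcat: `ClusterKeyCheck` and its methods are hypothetical names, and AES/CBC/PKCS5Padding is an assumed transformation, chosen because the reported error is a padding failure.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class ClusterKeyCheck { // hypothetical helper, not part of Tomcat
    // Strict hex decode: names the exact character a copy/paste carried into the key.
    static byte[] parseHexKey(String s) {
        byte[] key = new byte[s.length() / 2];
        for (int i = 0; i < s.length(); i++) {
            int d = "0123456789abcdef".indexOf(Character.toLowerCase(s.charAt(i)));
            if (d < 0) throw new IllegalArgumentException(String.format("non-hex U+%04X at index %d", (int) s.charAt(i), i));
            if (i / 2 < key.length) key[i / 2] = (byte) (key[i / 2] << 4 | d);
        }
        if (s.length() != 32 && s.length() != 48 && s.length() != 64)
            throw new IllegalArgumentException("expected 32, 48 or 64 hex characters, got " + s.length());
        return key;
    }

    static byte[] crypt(int mode, byte[] key, byte[] iv, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding"); // assumed; one Cipher per call, never shared
        c.init(mode, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c.doFinal(data);
    }

    // Encrypt with node A's key, decrypt with node B's; report what the receiver would see.
    static String checkPair(String keyA, String keyB) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        String msg = "constructed cluster message";
        try {
            byte[] ct = crypt(Cipher.ENCRYPT_MODE, parseHexKey(keyA), iv, msg.getBytes(StandardCharsets.UTF_8));
            byte[] pt = crypt(Cipher.DECRYPT_MODE, parseHexKey(keyB), iv, ct);
            return msg.equals(new String(pt, StandardCharsets.UTF_8)) ? "ok" : "padding passed, plaintext is garbage";
        } catch (BadPaddingException | IllegalArgumentException e) {
            return e.toString();
        }
    }

    public static void main(String[] args) throws Exception {
        String posted = "e0f2cdf931e99fdce0453964294f97f3"; // key posted in the thread
        String zeroWidth = posted.substring(0, 16) + "\u200B" + posted.substring(16); // constructed
        String oneDigitOff = "f" + posted.substring(1); // constructed
        for (String nodeB : new String[] { posted, zeroWidth, oneDigitOff })
            System.out.println(checkPair(posted, nodeB));
    }
}
```

Because the IV is random, the third case throws BadPaddingException on most runs and occasionally reports garbage plaintext instead; either outcome means the two sides hold different key bytes.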

Re: 9.0.13 encrypted cluster traffic

Posted by Tim K <ti...@gmail.com>.
>
> I just downloaded and tried 9.0.14 but I'm still getting the
> same BadPaddingException upon starting the second instance.  I confirmed
> the encryptionKey matches on my two instances.
>

Maybe something is wrong with my config?  For this test, I have both
Tomcats on the same server using different ports:

server1:

<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
         channelSendOptions="8">
  <Manager className="org.apache.catalina.ha.session.DeltaManager"
           expireSessionsOnShutdown="false"
           notifyListenersOnReplication="true"/>
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
              address="auto" port="4000" autoBind="100"
              selectorTimeout="5000" maxThreads="6"/>
    <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
      <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
    </Sender>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpPingInterceptor"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                 encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.StaticMembershipInterceptor">
      <Member className="org.apache.catalina.tribes.membership.StaticMember"
              host="localhost" domain="my-cluster"
              uniqueId="{0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}"/>
    </Interceptor>
  </Channel>
  <Valve className="org.apache.catalina.ha.tcp.ReplicationValve" filter=""/>
  <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"/>
  <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
</Cluster>


server2:

<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
         channelSendOptions="8">
  <Manager className="org.apache.catalina.ha.session.DeltaManager"
           expireSessionsOnShutdown="false"
           notifyListenersOnReplication="true"/>
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
              address="auto" port="4001" autoBind="100"
              selectorTimeout="5000" maxThreads="6"/>
    <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
      <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
    </Sender>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpPingInterceptor"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                 encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.StaticMembershipInterceptor">
      <Member className="org.apache.catalina.tribes.membership.StaticMember"
              host="localhost" domain="my-cluster"
              uniqueId="{1,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}"/>
    </Interceptor>
  </Channel>
  <Valve className="org.apache.catalina.ha.tcp.ReplicationValve" filter=""/>
  <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"/>
  <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
</Cluster>

Re: 9.0.13 encrypted cluster traffic

Posted by Tim K <ti...@gmail.com>.
On Wed, Dec 19, 2018, 11:00 PM Christopher Schultz <chris@christopherschultz.net> wrote:

>
> Tim,
>
> Tomcat 9.0.14 is available and should work much better. Would it be
> possible for you to test the latest release with the encrypted
> clustering?
>
> Thanks,
> -chris
>
> On 11/24/18 11:13, Christopher Schultz wrote:
> > Tim,
> >
> > On 11/23/18 12:55, Christopher Schultz wrote:
> >> Okay, the problem is that I built the EncryptInterceptor without
> >>  realizing that cluster-messaging isn't single-threaded. It's
> >> completely non-thread-safe and it needs to be.
> >
> >> There is a simple fix that can be applied (synchronize the
> >> encrypt and decrypt methods) but it'll create a big bottleneck
> >> for you. On the other hand, it's easy to apply and test and
> >> ensure it's working in your environment. Are you willing to grab
> >> the Tomcat source and compile it? If you get the 9.0.13 source
> >> and are able to compile it, I can give you a 2-line patch that
> >> should fix your issue. Alternatively, I can give you a patched
> >> catalina-tribes.jar that you can just drop-in-replace to try
> >> out.
> >
> >> I have a more elaborate patch that I'm going to apply soon and it
> >>  should be available in the next release of Tomcat 9.
> >
> > I think this should be fixed, now. If you build from trunk, I
> > think things will work remarkably better for you. Or, just wait
> > until the next release (a few weeks maybe). If you *can* build from
> > source, it would be great to get some real-world mileage on this
> > code before the next release.
> >
> > -chris
> >


I just downloaded and tried 9.0.14 but I'm still getting the
same BadPaddingException upon starting the second instance.  I confirmed
the encryptionKey matches on my two instances.
