Default limit on cluster message size
Hi all,

The Tomcat developers would like to add a limit on cluster message size to provide some protection against OOME / DoS risks.

Note: This would be a hardening measure. Clustering is designed to be operated over a secure, trusted network where it is assumed messages are not malicious.

The intention is to set the default limit high enough that the significant majority of cluster users won't be impacted but low enough to be beneficial if an excessively large message is received.

Our (educated) guess on a sensible default limit for a cluster message is 1MB.

Before implementing this limit, we wanted to request feedback from the user community. So, if you use Tomcat's clustering, what would be a reasonable default per message size limit for your use case?

As I typed this, a further thought occurred to me. We could initially implement this as a soft limit that just logs a warning / request to post to this list if a message exceeds the limit. Is that worth doing?

Thanks,

Mark
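The OOME protection a message-size limit gives depends on where the check sits: the declared length has to be compared against the limit before a buffer of that size is allocated. The following is an added illustration of that ordering, with the hard-reject and soft (warn-only) behaviours the post describes; it is not Tomcat or Tribes code, and the 4-byte length-prefixed framing and the 1MB cap are assumptions for the demo.

```python
import logging
import struct
from io import BytesIO

# 1 MB: the default limit proposed on the list, assumed here as the cap.
DEFAULT_LIMIT = 1024 * 1024


class MessageTooLarge(Exception):
    """Raised in hard mode when the declared length exceeds the limit."""


class BoundedMessageReader:
    """Reads one length-prefixed message: 4-byte big-endian length, then body.
    Hypothetical framing, not the Tribes wire format. The declared length is
    checked BEFORE a buffer of that size is allocated."""

    def __init__(self, limit=DEFAULT_LIMIT, soft=False):
        self.limit = limit
        self.soft = soft    # soft: warn and continue; hard: reject the message
        self.warnings = 0   # over-limit messages seen in soft mode

    def read(self, stream):
        header = stream.read(4)
        if len(header) != 4:
            raise EOFError("truncated length header")
        (declared,) = struct.unpack(">I", header)
        if declared > self.limit:
            if not self.soft:
                raise MessageTooLarge(f"declared {declared} > limit {self.limit}")
            self.warnings += 1
            logging.warning("message of %d bytes exceeds soft limit %d", declared, self.limit)
        body = stream.read(declared)   # allocation happens only after the check
        if len(body) != declared:
            raise EOFError(f"expected {declared} body bytes, got {len(body)}")
        return body


def frame(body: bytes) -> bytes:
    # Constructed sample framing: length prefix plus body.
    return struct.pack(">I", len(body)) + body


def receive(data: bytes, soft=False, limit=DEFAULT_LIMIT) -> str:
    """Feed one wire message to a fresh reader and label the outcome."""
    reader = BoundedMessageReader(limit, soft)
    try:
        body = reader.read(BytesIO(data))
    except MessageTooLarge:
        return "rejected"
    except EOFError:
        return "truncated"
    return "warned" if reader.warnings else f"ok:{len(body)}"
```

Note that the soft mode only records the oversize message; a header claiming far more than the limit is still followed by a read of that size, so the soft limit gathers data but does not remove the allocation risk.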
Re: FIPS Mode is not getting enabled in Tomcat9 using Openssl 3.0.2 post successful FIPS module installation in windows
On 18/05/2022 06:14, Rupesh P wrote:
> Hi Christopher Schultz,
>
> I am sorry for the inconvenience caused. Actually I am not able to enable the FIPS Mode in Tomcat 9 for Windows. It gives an error "Failed to enter fips mode".
>
> Software Specifications:
> Tomcat version - 9.0.34
> OpenSSL version - 3.0.2
> OS - Windows Server 2019 64-bit
>
> I tried building the Tomcat Native library with APR (1.7.0), OpenSSL (3.0.2) and Tomcat Native library (1.2.32). The OpenSSL 3.0.2 along with the FIPS got built successfully. Since the FIPS Object Module Package is already integrated with OpenSSL 3.0, there is no separate package for it. So I have built the Tomcat Native library and it got built successfully. But when I tried to:
>
> 1. Put the tcnative-1.dll in the bin folder of Tomcat 9
> 2. Add FIPSMODE="on" for the APR listener
> 3. Add the HTTPS connector to use the Native (OpenSSL) implementation of the SSL/TLS protocol
> 4. Restart Tomcat and check the catalina.log
>
> The FIPS mode is not getting enabled; the log shows the error "Failed to enter fips mode" and along with that it also states "FIPS was not available to tcnative at build time".
>
> The same steps I have performed for the OpenSSL version 1.0.2 along with the FIPS Object Module Package; there Tomcat was able to initialize FIPS mode and Tomcat started with the FIPS mode.
>
> Is there any way to overcome this issue? Please do let me know any solution for this issue.

Tomcat Native has not been updated for OpenSSL 3.0.x and FIPS. Code changes in Tomcat Native are going to be required to get this to work.

Mark