Re: HTTP/2 connection broken (RST_STREAM) when multiple timeouts waiting for data from client

2022-11-17 Thread Gonzalo Fernandez
> > Hello. > > We are experiencing a problem in the following Tomcat versions: > Tomcat 9.0.63 on OpenJDK 11.0.13 > Tomcat 9.0.65 on OpenJDK 17.0.5 > > The problem happens when a client with an open TCP / HTTP2 connection > sends multiple incomplete streams, which seems to block the connection > fo

HTTP/2 connection broken (RST_STREAM) when multiple timeouts waiting for data from client

2022-11-17 Thread Gonzalo Fernandez
Hello. We are experiencing a problem in the following Tomcat versions: Tomcat 9.0.63 on OpenJDK 11.0.13 Tomcat 9.0.65 on OpenJDK 17.0.5 The problem happens when a client with an open TCP / HTTP2 connection sends multiple incomplete streams, which seems to block the connection forever and not be a

RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

2022-11-17 Thread Joey Cochran
Angela, You might still have a passphrase on the private key that is different from the passphrase on the keystore. I generally do without passwords on the private key, or make sure the key passwords and store passwords are the same. The store password will be tried/used (when needed) on nested p

Re: Why does LockOutRealm not support CredentialHandler?

2022-11-17 Thread Rémy Maucherat
On Thu, Nov 17, 2022 at 11:22 AM Mark Thomas wrote: > > On 17/11/2022 10:07, Rémy Maucherat wrote: > > On Wed, Nov 16, 2022 at 6:14 PM Christopher Schultz > > > > >> I guess we could add a configuration option to CombinedRealm: > >> > >> inheritCredentialHandler="first|last|numeric-position|

Re: Why does LockOutRealm not support CredentialHandler?

2022-11-17 Thread Mark Thomas
On 17/11/2022 10:07, Rémy Maucherat wrote: On Wed, Nov 16, 2022 at 6:14 PM Christopher Schultz I guess we could add a configuration option to CombinedRealm: inheritCredentialHandler="first|last|numeric-position|false/off/no" ? Then you'd only have to declare it once and then you have

Re: Tomcat-embed and Tomcat Vulnerabilities

2022-11-17 Thread Mark Thomas
On 16/11/2022 23:45, David Alejandro Christensen Arreola wrote: Hi Users, My question is about whether a vulnerability applies to my particular application. My application is using tomcat-embed. Being tomcat-embed derived from Tomcat server, could tomcat-embed have the vulnerabilities that Tom

Re: Why does LockOutRealm not support CredentialHandler?

2022-11-17 Thread Rémy Maucherat
On Wed, Nov 16, 2022 at 6:14 PM Christopher Schultz wrote: > > Rémy, > > On 11/16/22 07:53, Rémy Maucherat wrote: > > On Wed, Nov 16, 2022 at 1:36 PM Christopher Schultz > > wrote: > >> > >> Thorsten, > >> > >> On 11/16/22 03:20, Thorsten Schöning wrote: > >>> Good day Christopher Schultz, > >>>