Details on testssl.sh are available on their web site: https://testssl.sh/
You can run it from any computer against the target computer. Best to run
it on a *nix style computer, or from WSL if running on Windows is your only
option.
On Fri, Apr 11, 2025 at 12:48 AM Uday Upadhyay
wrote:
> Thank
Tomcat 10.x uses the jakarta versions of the API, and I believe all the
attributes have been renamed:
"javax.servlet.request.X509Certificate" ->
"jakarta.servlet.request.X509Certificate"
Give that a quick try...
On Tue, Feb 25, 2025 at 4:45 PM Chris Evans wrote:
>
> Hello,
>
> I need assistan
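As an added example (not code from the thread): a minimal Tomcat 10 servlet that reads the client certificate chain under the renamed jakarta.* attribute and refuses requests that carry none. The servlet class name and the /whoami mapping are assumptions. Tomcat only populates the attribute when the TLS handshake negotiated a client certificate, so with clientAuth="want" on the connector a request with no certificate arrives with the attribute absent; the application has to check for that rather than assume the container rejected it.

```java
// Added example, not from the thread. Tomcat 10+ (Servlet 5.0, jakarta.*
// namespace). Class name and URL pattern are illustrative.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@WebServlet("/whoami")
public class ClientCertServlet extends HttpServlet {

    // Servlet 5.0+ name. On Tomcat 9 and earlier the same chain was exposed as
    // "javax.servlet.request.X509Certificate"; under 10.x that name is never set.
    private static final String CERT_ATTR = "jakarta.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }

        Object attr = req.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            // Absent when the connector did not request a client certificate
            // (clientAuth="false"), or when clientAuth="want" and none was sent.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        X509Certificate[] chain = (X509Certificate[]) attr;
        X509Certificate leaf = chain[0]; // chain[0] is the end-entity certificate

        // The connector already validated the chain against its truststore
        // during the handshake; re-checking validity here is belt and braces.
        try {
            leaf.checkValidity();
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "certificate expired or not yet valid");
            return;
        }

        resp.setContentType("text/plain;charset=UTF-8");
        try (PrintWriter out = resp.getWriter()) {
            out.println("subject: " + leaf.getSubjectX500Principal().getName());
            out.println("issuer:  " + leaf.getIssuerX500Principal().getName());
            out.println("serial:  " + leaf.getSerialNumber().toString(16));
            out.println("chain length: " + chain.length);
        }
    }
}
```

The only migration-specific change versus a Tomcat 9 build is the attribute name and the jakarta.servlet imports; the attribute type (an array of X509Certificate, leaf first) is unchanged.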
On Fri, Feb 7, 2025 at 12:27 PM Jalaj Asher
wrote:
> Thanks Mark for the response.
>
> I am not sure why the tomcat is not doing the auto clean up. But we did
> try using the deleteonexithook approach but that introduces its own set of
> problems. Is there a recommendation to clean up the folder
Those are XML / HTML comments. Try using JSP comments to wrap what you want
to comment out:
<%-- --%>
On Tue, Jul 2, 2024 at 4:40 PM Aryeh Friedman
wrote:
> When I do the following the include is still done short of rewriting
> it to not be a include how do I comment it out correctly:
>
>
>
>
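An added JSP example (not from the thread) showing why the two comment styles behave differently. The fragment name secret-fragment.jsp is hypothetical. The security point: an HTML comment is template text, so an include directive or EL expression inside it is still processed and its output is sent to the browser, merely wrapped in <!-- -->. Anyone who views the page source sees it.

```jsp
<%-- Added example, not from the thread. secret-fragment.jsp is a
     hypothetical sibling file in the same directory. --%>

<%-- 1. HTML comment: the include directive is resolved at translation time
        and the fragment's output is emitted inside <!-- ... -->, so the
        "commented out" content still reaches the client. --%>
<!-- <%@ include file="secret-fragment.jsp" %> -->

<%-- Same problem for request-time includes and EL: both are evaluated. --%>
<!-- <jsp:include page="secret-fragment.jsp" /> -->
<!-- ${sessionScope.user} -->

<%-- 2. JSP comment: stripped at translation time. The directive is never
        processed and nothing from it appears in the response. --%>
<%-- <%@ include file="secret-fragment.jsp" %> --%>
<%-- <jsp:include page="secret-fragment.jsp" /> --%>
<%-- ${sessionScope.user} --%>
```

One caveat on the JSP form: the comment body may not contain the closing sequence --%>, so a fragment that itself contains a JSP comment cannot be wrapped this way and has to be removed from the page instead.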
This page might be a useful resource to read if you haven't already:
https://tomcat.apache.org/tomcat-9.0-doc/config/context.html
The short version is -- to publish an application in the "root" web url
path (of http(s)://your.server-name.com/), you can name your WAR file
"ROOT.war" and copy it to
<
ch...@christopherschultz.net> wrote:
> All,
>
> On 3/22/24 09:59, Christopher Schultz wrote:
> > All,
> >
> > On 3/22/24 09:33, Robert Turner wrote:
> >> On Fri, Mar 22, 2024 at 9:28 AM Christopher Schultz <
> >> ch...@christopherschultz.net&g
On Fri, Mar 22, 2024 at 9:28 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:
> Robert,
>
> On 3/21/24 15:31, Robert Turner wrote:
> > We receive the sessionWillPassivate and sessionDidActivate callbacks
> > on startup. Odd that you are not. That's ho
prefer a way to query the sessions from the app, but as we
know, that's not part of the current Servlet specification, or any
extensions Tomcat currently provides.
Robert
On Thu, Mar 21, 2024 at 3:31 PM Robert Turner wrote:
> We receive the sessionWillPassivate and sessionDidActivate callba
We receive the sessionWillPassivate and sessionDidActivate callbacks on
startup. Odd that you are not. That's how we achieve the same.
On Thu, Mar 21, 2024 at 3:25 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
> All,
>
> After having written a solution using JMX to do something li
>
> I had issues in the past connecting to the mail server using TLS and solved them
> by upgrading the web application library from mail-1.4.jar to
> javax.mail-1.6.2.jar
>
> I
AFAIK, there is nothing in Tomcat for SMTP. This would be part of the
application you are running typically. It's possible (but not guaranteed)
that the web application is using the standard Java libraries for SMTP, and
as such, you may (but again not guaranteed) be able to configure some of
the ma
It's also possible you may need to support the "Range" HTTP header for
fetching parts of the audio file for playback. IIRC, we had to do that to
support the HTML 5 audio control properly.
On Mon, Mar 11, 2024 at 9:15 AM Joey Cochran wrote:
> Thanks for replying!!
>
> Yes audio files are generate
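As an added example (not from the thread): a servlet that serves audio files with single-range support, which is what the HTML5 audio control needs for seeking. AUDIO_DIR, the /audio/* mapping and the file names are assumptions. Besides the Range parsing itself, the example confines the requested path to the audio directory and treats unparseable or unsatisfiable ranges as 416 rather than trusting the client's numbers.

```java
// Added example, not from the thread. AUDIO_DIR and the mapping are
// illustrative; adjust for your deployment.
import java.io.IOException;
import java.io.OutputStream;
import java.io.RandomAccessFile;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@WebServlet("/audio/*")
public class AudioRangeServlet extends HttpServlet {

    private static final Path AUDIO_DIR =
            Paths.get("/var/app/audio").toAbsolutePath().normalize(); // assumption
    // Single range only: "bytes=start-end", "bytes=start-" or "bytes=-suffix".
    private static final Pattern RANGE = Pattern.compile("^bytes=(\\d*)-(\\d*)$");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getPathInfo();
        if (name == null || name.length() < 2) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Resolve and confine to AUDIO_DIR so "../" cannot escape it.
        Path file = AUDIO_DIR.resolve(name.substring(1)).normalize();
        if (!file.startsWith(AUDIO_DIR) || !Files.isRegularFile(file)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        long length = Files.size(file);
        long start = 0;
        long end = length - 1;
        resp.setHeader("Accept-Ranges", "bytes");
        String mime = getServletContext().getMimeType(file.getFileName().toString());
        resp.setContentType(mime != null ? mime : "application/octet-stream");

        String range = req.getHeader("Range");
        if (range != null) {
            Matcher m = RANGE.matcher(range.trim());
            // Multi-range or malformed headers are ignored: RFC 9110 permits
            // answering with the whole representation and a 200.
            if (m.matches() && !(m.group(1).isEmpty() && m.group(2).isEmpty())) {
                try {
                    if (m.group(1).isEmpty()) {
                        // Suffix range: the last N bytes.
                        start = Math.max(0, length - Long.parseLong(m.group(2)));
                    } else {
                        start = Long.parseLong(m.group(1));
                        if (!m.group(2).isEmpty()) {
                            end = Math.min(end, Long.parseLong(m.group(2)));
                        }
                    }
                } catch (NumberFormatException e) {
                    start = -1; // overflowed digit string: unsatisfiable
                }
                if (start < 0 || start > end || start >= length) {
                    resp.setStatus(HttpServletResponse.SC_REQUESTED_RANGE_NOT_SATISFIABLE);
                    resp.setHeader("Content-Range", "bytes */" + length);
                    return;
                }
                resp.setStatus(HttpServletResponse.SC_PARTIAL_CONTENT);
                resp.setHeader("Content-Range", "bytes " + start + "-" + end + "/" + length);
            }
        }

        long toSend = end - start + 1;
        resp.setContentLengthLong(toSend);
        try (RandomAccessFile raf = new RandomAccessFile(file.toFile(), "r");
             OutputStream out = resp.getOutputStream()) {
            raf.seek(start);
            byte[] buf = new byte[64 * 1024];
            long remaining = toSend;
            while (remaining > 0) {
                int n = raf.read(buf, 0, (int) Math.min(buf.length, remaining));
                if (n < 0) {
                    break;
                }
                out.write(buf, 0, n);
                remaining -= n;
            }
        }
    }
}
```

A quick check from the command line is curl -I -H 'Range: bytes=0-99' against the URL: a 206 with Content-Range and Content-Length: 100 means the browser will be able to seek; a 200 with the full length means the header is being ignored.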
Chris,
I think maybe Mark answered a similar question a while back indicating the
only supported method within the Servlet API was custom session tracking. I
could be remembering incorrectly. That's what we do however, because
without "snooping" into the Tomcat internals, I don't think there was a
sion of Java I should use?
>
> Thanks,
>
> Lance
>
> -----Original Message-
> From: Robert Turner
> Sent: Tuesday, November 21, 2023 2:36 PM
> To: Tomcat Users List
> Subject: Re: Issue Migrating servlets to 10.1
>
> Tomcat 10.x and higher require Jakarta n
Tomcat 10.x and higher require the Jakarta namespace versions of the Servlet
specification.
Tomcat 9.x is the last Tomcat to support the javax.servlet namespace.
Refer to the Which Version page for Tomcat for details:
https://tomcat.apache.org/whichversion.html
On Tue, Nov 21, 2023 at 3:30 PM Campbell, L
isn't an option - then there are a range of
> options as set out in the Tomcat 8.5 security guide. That guide also
> provides the correct way to override the version number (if you really
> need to) without editing the JAR contents. In short, you can simply
> override the individual fi
with server
> version in responses), though the remediation listed here is from looong
> time ago, when there was no ErrorReportValve to purge the version info.
>
> So the CIS Tomcat 8(!) Guide is pretty outdated! Probably in more than
> this spot...
>
> Peter
>
> > Am 05.09.20
While I think I know the answer to my question, I wanted to double-check
with the group to confirm.
I have been asked to perform the CIS Apache Tomcat 8 Benchmark (v1.1.0) on
our production Tomcat installation, and I am looking through the questions
/ information extraction requests, and I suspect
You can try adding:
-XX:+HeapDumpOnOutOfMemoryError
-XX:HeapDumpPath=C:\HeapDump\java_pid.hprof
to the Java options (in "Configure Tomcat") to capture heap dumps on out of
memory errors (adjust path to suit your configuration)
Robert
On Wed, Aug 23, 2023 at 1:03 PM Daniel Savard
wrote:
> Hi
What about the standard / provided Tomcat Manager application?
https://tomcat.apache.org/tomcat-9.0-doc/manager-howto.html
On Fri, Jul 7, 2023 at 9:26 AM Graham Leggett
wrote:
> Hi all,
>
> Is there is application out there that will provide, at / (or a path of
> your choosing), a list of lin
more helpful than I...sorry.
On Mon, Mar 20, 2023 at 9:14 PM Robert Turner wrote:
> I believe the default certificate alias used by Tomcat is "tomcat". I
> think you are creating your keystore with the alias "root".
>
> (see https://tomcat.apache.org/tomcat-9.0-do
I believe the default certificate alias used by Tomcat is "tomcat". I think
you are creating your keystore with the alias "root".
(see https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html for docs on
Tomcat SSL configuration -- adjust for the version you are running)
On Mon, Mar 20, 2023 at 9:
You can run an aarch64 version of the Java runtime (various distributions
exist) and run Tomcat on that -- it works well. No specific version of
Tomcat is required as it is a Java package.
On Mon, Jan 16, 2023 at 3:38 PM m...@cvkimball.com
wrote:
>
> I'd like to run Tomcat on one of the new Apple
My 2 cents:
I think that it would be a very strange change to make to a generic product
and a "sample" configuration file. If Tomcat was packaged in a
distribution, that might be a more reasonable suggestion. I don't think
Tomcat is insecure because of this; binding to addresses/ports is a key
par
I think you need to use an ARM-based JVM -- IIRC, you will need Corretto
JDK 18 I think, otherwise it will be running in emulation.
On Tue, Apr 5, 2022 at 1:56 PM Paquin, Brian wrote:
> After compiling Tomcat Native (that comes with Tomcat 9.0.62, version
> 1.2.32) on a (ARM) M1 Mac (with Amazon
On Thu, Mar 3, 2022 at 1:10 PM Berneburg, Cris J. - US
wrote:
> > Running Tomcat in a container via Docker Desktop on a Windows host
> > with the web application served from a location on the host mounted
> > /bound to the container is insecure.
>
> So the app resides on the "host" OS file system
at the web application would be included in the container in production.
>
> If you do continue to use this approach in development, keep in mind that:
> - you may see issues like the original EL issue you reported
> - security testing may report false positives
>
> HTH,
>
>
> Just a note:
>
> On 2/8/2022 8:32 AM, Rob Sargent wrote:
> >
> >
> > On 2/8/22 08:11, Robert Turner wrote:
> >> Okay. Yep, my most recent suspicion was correct -- it's related to the
> >> Docker bind to a local folder containing the webapps. As suc
ommand above will result in the expected
page being displayed (and no exception).
Robert
On Tue, Feb 8, 2022 at 9:39 AM Robert Turner wrote:
> Mark,
>
> Thanks for the quick follow up.
>
> Based on your comments I have some ideas on what it might be, and I should
> b
t;with JPDA enabled.
>
> - Which AMI you used to create the AWS instance. I'm using the AWS free
>tier so I used a t2.micro instance with
>amzn2-ami-kernel-5.10-hvm-2.0.20220121.0-x86_64-gp2
>
> Thanks,
>
> Mark
>
>
> On 08/02/2022 13:24, Robe
with
a debugger up on the Expression Resolvers, you will at least narrow it down
quickly...)
On Tue, Feb 8, 2022 at 7:55 AM Robert Turner wrote:
> Thanks Mark. Much appreciated.
>
> On Tue., Feb. 8, 2022, 04:06 Mark Thomas, wrote:
>
>> Robert,
>>
>> Thank yo
'd expect consistent
> behaviour across platforms irrespective of the case sensitivity of the
> file system in use.
>
> I'm going to use your test case to investigate this further. I'll report
> back here with my findings - hopefully later today.
>
> Mark
>
>
>
<%
final Failing failing = null;
pageContext.setAttribute("failing", failing);
%>
Hello World!
field1=${failing.field1}
On Mon, Feb 7, 2022 at 10:14 PM Robert Turner wrote:
> So back to a divide and conquer approach I think.
>
> I just created a trivial &qu
ntext.setAttribute("failing", failing);
%>
Hello World!
field1=${failing.field1}
$ cat src/main/java/com/example/rt/Failing.java
package com.example.rt;
public class Failing {
private final String field1 = "field1_value";
public String getField1() {
return field
1.0.13+8-LTS)
OpenJDK 64-Bit Server VM Corretto-11.0.13.8.1 (build 11.0.13+8-LTS, mixed
mode)
JDK on Windows is:
openjdk 11.0.14 2022-01-18 LTS
OpenJDK Runtime Environment Corretto-11.0.14.9.1 (build 11.0.14+9-LTS)
OpenJDK 64-Bit Server VM Corretto-11.0.14.9.1 (build 11.0.14+9-LTS, mixed
mode)
y)
- construct a trivial application reproduction, along with docker layout,
and see if anyone else can reproduce... (assuming anyone else has time to
do that of course...)
Anyone got any suggestions of what to look into next?
On Mon, Feb 7, 2022 at 5:05 PM Rob Sargent wrote:
>
>
> On 2/7/22 1
Neil,
I'm not actually trying to have the class loaded. I want it to return
"null" in the EL evaluation as though the attribute is missing.
The "problem" is that I'm seeing a different behaviour in one environment
than another, and it's proving difficult to track down why.
I'm still working on t
expression containing a class name will be
resolved against the static members of the class.
So, as to why it is different between the two environments, maybe it's as
Rob S suggested (a classpath issue of some sort) -- I will continue looking
in this direction
On Mon, Feb 7, 2022 at 5:07 P
2022 at 5:05 PM Rob Sargent wrote:
>
>
> On 2/7/22 14:50, Robert Turner wrote:
> > All
> >
> > I'm hoping that someone can point me in the right direction as this issue
> > has been baffling me all day, and I'm starting to run out of ideas of
> what
All
I'm hoping that someone can point me in the right direction as this issue
has been baffling me all day, and I'm starting to run out of ideas of what
to look at next.
The logic below is working without issue until I move our test environment
into a Docker container. I'm using the same Tomcat v
itely works
yet). As far as I can tell it's free to use as it's an MIT-style License.
And at least, one can get at the code and "fix" things if needed.
On Tue, Mar 16, 2021 at 4:19 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
> Robert,
>
>
Chris,
I'm not sure if it will do what you want, but when sourcing Java-based SAML
libraries for our use as an SP, I too found that most of the libraries were
much larger and more complicated than I thought necessary. We went with the
(limited but simple to use) OneLogin libraries for our use case
I suggest you have a read here:
https://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support
The documentation covers the details you need to correctly configure Tomcat
and SSL and links to a related page about SSL configuration.
Notice the line:
Each secure connector must define at leas
If you look at the stack trace, it tells you what the problem is:
Caused by: java.lang.IllegalArgumentException: No SSLHostConfig
element was found with the hostName [_default_] to match the
defaultSSLHostConfigName for the connector [https-openssl-nio-8443]
So it no longer looks like you are hi
Your more recent exception log didn't include the "caused by" exception --
which is the actual failure details. Double-check that and make sure it's
the same issue.
Also, use netstat to confirm you aren't using the ports already. Changing
it may just find another conflict (although less likely). T
It's saying port 80 is already in use. Make sure another process (like IIS)
isn't using the port already, or change your configuration to a different
port.
You can use 'netstat' (with options) to determine which process is using
the port already.
On Tue., Mar. 16, 2021, 07:36 , wrote:
> Dear Al
Have you tried enabling heap dumps on OOM exceptions (
https://docs.oracle.com/javase/8/docs/technotes/guides/troubleshoot/clopts001.html
; HeapDumpOnOutOfMemoryError) and then looking at the heap dump? It should
help you identify where the allocated heap is going to, and give you some
ideas of whe
version from the current 8.5.38 to 8.5.61 will
> this remediate the findings or still we need to delete these files as
> suggested.
>
> Also, is this upgrade straightforward, or do we need to perform the same
> with any specific steps, Please suggest.
>
> I am from a W
Have a look at https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html
. The documentation includes the recommendations made by your internal
security team, along with others.
You may also want to upgrade to 8.5.61 or 9.0.41 to pick up the latest
security updates for Tomcat. (latest versions
I would check permissions on the folders/files. The account running the
windows service may not have permissions to execute the programs or maybe
access the directories. That's the first thing I would check. (Also check
Event Viewer for any related messages).
On Fri, Jan 15, 2021 at 8:24 AM Igor S
You'll want to set the protocols, ciphers, and honorCipherOrder attributes
on either the Connector or the SSLHostConfig objects in your server.xml
file to restrict the available TLS/SSL protocols and ciphers available to
avoid using weak ones.
See the documentation here for details:
https://tomcat
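An added server.xml fragment (not from the thread) showing a permissive HTTPS connector beside a restricted one. The keystore path and password are placeholders, and the connector class is the NIO one; the same SSLHostConfig attributes apply to the APR/OpenSSL connector. Which protocols "all" actually enables depends on the Tomcat and JVM versions in use, so pinning the list explicitly is the point.

```xml
<!-- Added example, not from the thread. Keystore path and password are
     placeholders; adjust for your deployment. -->

<!-- BEFORE: whatever the TLS stack offers by default (depending on the
     Tomcat and JVM versions this can still include TLS 1.0/1.1 and
     non-forward-secret RSA key exchange), and the client's cipher
     preference order wins. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="all">
        <Certificate certificateKeystoreFile="conf/keystore.p12"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- AFTER: TLS 1.2 and 1.3 only, forward-secret AEAD suites only, and the
     server's order is enforced. TLS 1.3 suites are listed by their
     TLS_ names; the rest use OpenSSL names, which Tomcat accepts for
     both the JSSE and OpenSSL engines. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                   honorCipherOrder="true"
                   ciphers="TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305">
        <Certificate certificateKeystoreFile="conf/keystore.p12"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

After restarting, verify from another machine rather than by reading the file: testssl.sh (mentioned earlier on this page) against host:8443 should report TLS 1.0/1.1 as not offered and list only the suites above, in the configured order.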
2020 at 12:56 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
> Robert,
>
> On 12/9/20 21:31, Robert Turner wrote:
> > Actually, one incorrect statement in my previous response. testssl.sh
> > didn't report the details of the certificate chain,
also broken).
Sorry about that.
Robert
On Wed, Dec 9, 2020 at 9:22 PM Robert Turner wrote:
> Thanks Chris for replying.
>
> I'm pretty sure I'm using the APR connector. Without double-checking how
> things are configured... the startup logs show:
>
> 09
it looks like that doesn't quite work properly either.
Robert
On Wed, Dec 9, 2020 at 8:38 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
> Robert,
>
> On 12/9/20 17:54, Robert Turner wrote:
> > I am trying to configure Tomcat 9.0.37 (or later if I need to
I am trying to configure Tomcat 9.0.37 (or later if I need to) to use both
an RSA and an ECC certificate for the same host.
Platform is Windows 2008 R2, with the Tomcat Native 1.2.24 library
installed.
My configuration is roughly as follows:
The onl