As the concern is that an error page will show the tomcat version/patch info
AND a stacktrace,
I found the easier/better? solution to be adding showReport="false"
showServerInfo="false"
to the Error Report Valve section at the bottom of server.xml (and adding or
uncommenting that valve sect
We have two similar production environments which use:
request.getAttribute("javax.servlet.request.X509Certificate")
for several purposes.
These use tomcat behind IIS using the Jakarta connector (aka reverse proxy)
and have been running since 2006 and 2011 respectively without significant
issues
response to him
On Tue, Jan 28, 2014 at 12:11 PM, Konstantin Kolinko wrote:
> 2014-01-28 John Palmer :
> > We have two similar production environments which use:
> > request.getAttribute("javax.servlet.request.X509Certificate")
> > for several purposes.
> >
nd making me feel that I'm not alone in this.
On Tue, Jan 28, 2014 at 12:02 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> John,
>
> On 1/28/14, 12:41 PM, John Palmer wrote:
> > We have t
Our installations have been working fine for several years, but we're
having to replace the existing 32-bit Windows servers with 64-bit Windows
servers,
and I'm trying to take advantage of this effort to simplify the
configuration...
we inherited this with IIS in front of Tomcat, using the Jakarta IS
I haven't tested it yet, but if you're on a Windows platform you MAY be
able to tell Tomcat to use the Windows Certificate Store (and thus NOT have
a password in server.xml) by adding something like this to the Java Options:
-Djavax.net.ssl.trustStoreProvider=SunMSCAPI
-Djavax.net.ssl.trustStoreType
nd("");
sb.append(smClient.getString("errorReportValve.errorReport"));
sb.append("");
}
// move style lines outside of if(showServerInfo || showReport){ section... above
sb.append("<!--");
sb.append(org.apache.catalina.util.TomcatCSS.TOMCAT_CSS);
sb.append("--> ");
sb.append("");
...
or am I missing (or just ignorant of) something?
John Palmer
your server.xml shows TWO connectors for port 8443; that second one (with
all the certificate entries) is then causing the error:
> Caused by: java.net.BindException: Address already in use
As that one is probably the one you want to be using, delete or comment out
the first connector for port
I found this to be easier to accomplish (and maintain):
add to the Host section of server.xml:
(this will disable the tomcat version number and the stacktrace - the
defaults for these are "true")
On Fri, Dec 14, 2018 at 10:18 AM wrote:
> Good Morning,
> I'm encountering following scan findi
I'm working with tomcat 8.5.35 to configure SSL
(current system is tomcat 7.5 using JKS keystore and truststore)..
I finally have the certificate parts working with the default (commented
out) APR connector..
it bothers me (doesn't seem intuitive) that the logging shows
"useAprConnector [false
I'm new to implementing APR/tc-native for SSL/TLS on Windows Server
2008R2, attempting to use tomcat 8.5.37 specifying PKCS12 format in the
SSLHostConfig/Certificate elements for the keystore and truststore..
(I would prefer to drop the JKS format for several reasons)
questions are:
is this al
(I'm new to using TC-native, interested in how to accomplish "In security
conscious production environments, it is recommended to use separate shared
dlls for OpenSSL, APR, and libtcnative-1, and update them as needed
according to security bulletins. "
Apparently I need a concrete example (step-by
rschultz.net> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> John,
>
> On 2/11/19 10:46, John Palmer wrote:
> > (I'm new to using TC-native, interested in how to accomplish "In
> > security conscious production environments, it is re
. Glad I finally ASKED).
Thanks again.
On Mon, Feb 11, 2019 at 11:22 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> John,
>
> On 2/11/19 10:42, John Palmer wrote:
> > I'm new to implementing AP
using the old Connector/clientAuth="true" or the new
Connector/SSLHostConfig/ certificateVerification="REQUIRED" (tried
lowercase and without the D) format..doesn't seem to work properly.
no matter what value I use or which format... the behavior seems to be that
the client cert is prompt
retested with tc-native 1.2.21 on the desktop... and it's working as
expected.
(Still not sure what was going on previously).
thanks, again.
On Tue, Feb 12, 2019 at 12:27 PM Mark Thomas wrote:
> On 12/02/2019 17:21, John Palmer wrote:
> > using the ol
I'm testing to see if this might be an issue on a new tomcat 8.5.38 upgrade
I'm doing (using NIO2 and OpenSSL) before I promote this to our Production
environment :)
(Windows Server 2008R2, Java (javaC.exe) version is 1.8.0_191)
.. after some missteps (had to add some imports to get it to compile
What, if anything, needs to be configured to ENABLE (preferably REQUIRE)
tomcat to do CLIENT certificate revocation checking via OCSP in Tomcat
8.5.38 using Openssl ?
I'm sure I'm missing something simple and obvious (once pointed out) but
I've been struggling with this all morning).
1) using Open
e:
> Hi,
>
> On Mon, Apr 1, 2019 at 3:30 PM John Palmer wrote:
>
> > What, if anything, needs to be configured to ENABLE (preferably REQUIRE)
> > tomcat to do CLIENT certificate revocation checking via OCSP in Tomcat
> > 8.5.38 using Openssl ?
>
>
> Setti
the tc-native source what I might be missing,
but apparently I'm overlooking it.
helpful suggestions are welcomed.
On Wed, Apr 3, 2019 at 12:32 PM John Palmer wrote:
> I appreciate your response
>
> > Setting `certificateVerification="require"` on your
or:1417C086:SSL
routines:tls_process_client_certificate:certificate verify failed]
the Connector part of the server xml.config file is (ip address and server
name etc removed):
On Thu, Apr 4, 2019 at 7:47 PM John Palmer wrote:
> Well, afte
What, if anything, needs to be configured to ENABLE (preferably REQUIRE)
tomcat to do CLIENT certificate revocation checking via OCSP in Tomcat
8.5.38 using Openssl ?
(will this work with NIO2 ? )
1) using Openssl (the tc-native-1.dll binary for Windows, compiled w OCSP
support - the X64 dll from
t