RE: SSL/TLS 8.5.3 upgrade from 8.0.32 using NIO2 url encoding issues

[Mekkelsen Madden, Steve]

This was reproduced in dev, staging, testqa on multiple servers.  Yes, the 
response shown is JSON which is puzzling since that only appears when using 
NIO2.  That's why there is so much confusion on this.  At the end of the day, I 
simply deployed Tomcat 8.5.3x64 Windows to each server and migrated all the 
settings from 8.0.32 to 8.5.3 respectively in the context.xml, server.xml, 
tomcat-users.xml and web.xml.  The biggest change in 8.5.3 was the significant 
differences in SSL/TLS configuration required to get Tomcat to even startup 
properly.  I'm referring specifically to the connector arguments that have 
changed.  As an example (noting that this works with NIO, but not as shown with 
NIO2):
***We used to have:***
         <Connector port="8443" 
protocol="org.apache.coyote.http11.Http11Nio2Protocol" maxThreads="10" 
minSpareThreads="5" acceptCount="100" connectionTimeout="60000" 
disableUploadTimeout="true"  clientAuth="false" secure="true" scheme="https" 
SSLEnabled="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1.1,TLSv1.2" 
keystoreFile="D:\certificates\ourJKS.keystore" keystorePass="******" />   
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8019" protocol="AJP/1.3" redirectPort="8443" />

***Now changed with 8.5.3 settings:***
         <Connector port="8443" 
                                
protocol="org.apache.coyote.http11.Http11Nio2Protocol" 
                                maxThreads="150" disableUploadTimeout="true"  
                                SSLEnabled="true"
                                sslDefaultHost="ourServer.com">
         <SSLHostConfig hostName="ourServer.com">
                <Certificate 
certificateKeystoreFile="D:\certificates\ourJKS.keystore" 
certificateKeystorePassword="******" certificateKeyAlias="ourAlias" type="RSA"/>
         </SSLHostConfig>
        </Connector>
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8019" protocol="AJP/1.3" redirectPort="8443" />

Am I missing something here?  Has anyone else tried to do the same with NIO2 
protocol and it worked? :-)

Regards,

Steve Mekkelsen Madden  |  Systems Engineer Fellow / DBA / Certified Scrum 
Master  | GCS |  Pegasystems Inc.
Office: (617) 866.6023 | Mobile: (828) 729.9948 | Email: 
steve.mekkelsen.mad...@pega.com | www.pega.com


-----Original Message-----
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] 
Sent: Thursday, July 07, 2016 12:53 PM
To: users@tomcat.apache.org
Subject: Re: SSL/TLS 8.5.3 upgrade from 8.0.32 using NIO2 url encoding issues

Am 07.07.2016 um 18:32 schrieb Mekkelsen Madden, Steve:
> Every request, making the environment virtually unstable and unusable since 
> everything we do is using xml.
The second logs showed json :) In any case, can you reproduce the issue in a 
dev environment? It would be superb, if you could make a minimal case, where 
this happens.

Regards,
  Felix
>
> Regards,
>
> Steve Mekkelsen Madden  |  Systems Engineer Fellow / DBA / Certified Scrum 
> Master  | GCS |  Pegasystems Inc.
> Office: (617) 866.6023 | Mobile: (828) 729.9948 | Email: 
> steve.mekkelsen.mad...@pega.com | www.pega.com
>
>
> -----Original Message-----
> From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
> Sent: Thursday, July 07, 2016 12:30 PM
> To: users@tomcat.apache.org
> Subject: Re: SSL/TLS 8.5.3 upgrade from 8.0.32 using NIO2 url encoding 
> issues
>
> Am 07.07.2016 um 15:04 schrieb Mekkelsen Madden, Steve:
>> Hi, sorry for delay and misinformation of the screenshot.  The 
>> screenshot shows Fiddler seeing the correct xml using both NIO and 
>> NIO2 protocols.  Fiddler does not see anything wrong with the 
>> requests themselves.  However, when we enable more debugging on our 
>> server, the logs are showing this: http://pastebin.com/ShYzr92e
>>
>> Note that, this is the same test case run with NIO (which works fine and no 
>> errors) but fails in NIO2.  Also, that we have been using NIO2 for many 
>> months without any issues under Tomcat 8.0.32.  It wasn't until the upgrade 
>> to 8.5.3 that NIO2 just stopped working.  Hope this helps.
> Can you print out the data on the server side when it fails to parse?
>
> Is this happening on every request or randomly?
>
> Regards,
>    Felix
>> Regards,
>>
>> Steve Mekkelsen Madden  |  Systems Engineer Fellow / DBA / Certified Scrum 
>> Master  | GCS |  Pegasystems Inc.
>> Office: (617) 866.6023 | Mobile: (828) 729.9948 | Email: 
>> steve.mekkelsen.mad...@pega.com | www.pega.com
>>
>>
>> -----Original Message-----
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Sent: Wednesday, July 06, 2016 4:45 PM
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: Re: SSL/TLS 8.5.3 upgrade from 8.0.32 using NIO2 url 
>> encoding issues
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Steve,
>>
>> On 7/6/16 4:22 PM, Mekkelsen Madden, Steve wrote:
>>> Here is the image I tried attaching.  Sorry about that.
>>> [redacted... my SMTP server really doesn't like that URL]
>> So... what are we looking at, here?
>>
>> I see a POST URL that looks perfectly fine. I also see XML in the POST 
>> request. Is this a shot of Fiddler? Where is the problem?
>>
>> - -chris
>> -----BEGIN PGP SIGNATURE-----
>> Comment: GPGTools - http://gpgtools.org
>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>
>> iQIcBAEBCAAGBQJXfW3LAAoJEBzwKT+lPKRYGsMP/3h+wQNIHoC/95G0VxQY75Kh
>> ClI+ny5Z5NeyVsA8iCrZ1rIr/fBEzE/nnHWlX16yPhkaCBQ8PwJ+i2MV11rYArU9
>> yUIhL2xyAxVAqyBUZGrNidzz6gydvJd2MPNGrtHg6shaIA7XtflX9gMUV16J+3m+
>> 7VC+E+lLBwOEcrYbpxJNni36Cn4QQ6f6sHMgLKsbGZZ6PSl7MGVPts6oz6SUkt6T
>> rwwPF6QLuovnndWlqt9HDaJtTD9/a9emSZgXKPQYACp8poSZ8xM7SxPn9f1XnX6l
>> iyOEc9RYJ3bvKocC8iMKCpSn41/XAGpiS3dwpYbNrN15sd2emRze2seDfJVI4Xtm
>> 1d7GRqXUadjCjq/PzDSihrFjHBU+6+7BKd/hdqn6raci6HbtQPizkUTkPDWPXUTg
>> T9Y7TOvi9zZNro9jLxErluN/A/niY8so53DFqT2kxV9wr2COf3dRu8UTyFM/4Mul
>> 6bcGpno5CjvpfwVltlB8BTwRUctGEWe3kYcUfUBOTMNFFAMUYq+/4saL/gOATD8P
>> LMcNXqbkex5fPrARU+vGgQvanFGeZMR7w9UXJbd9ACEWJUgRAnr18/5RtbVzWVjO
>> gd4uPaLFgyFV573Hpe4Luzg7OngDu7BXZqThKXXaiG4cZSKmdjyjJVb4709GMOWc
>> ARZb7MipIot/KGBBJhNd
>> =bPg7
>> -----END PGP SIGNATURE-----
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org