Tim,

On 11/21/18 13:55, Tim K wrote:
> On Wed, Nov 21, 2018, 9:48 AM Christopher Schultz < 
> ch...@christopherschultz.net wrote:
> 
> Tim,
> 
> On 11/20/18 13:36, Tim K wrote:
>>>> On Tue, Nov 20, 2018, 12:19 PM Christopher Schultz < 
>>>> ch...@christopherschultz.net wrote:
>>>> 
>>>> Tim,
>>>> 
>>>> On 11/20/18 11:42, Tim K wrote:
>>>>>>>> 
>>>>>>>> Ignore the secure port. The code behind that setting
>>>>>>>> was never implemented. We really should remove it.
>>>>>>>> 
>>>>>>>> You want:
>>>>>>>> 
>>>>>>>> http://tomcat.apache.org/tomcat-9.0-doc/config/cluster-interceptor.html#org.apache.catalina.tribes.group.interceptors.EncryptInterceptor_Attributes
>>>>>>>> 
>>>>>>>> Mark
>>>>>>> 
>>>>>>> 
>>>>>>> I'm having some trouble getting it working.  Can you
>>>>>>> provide an example of the new EncryptInterceptor with
>>>>>>> an algorithm and key?
>>>> 
>>>> Each node in the cluster needs an interceptor configured,
>>>> like this:
>>>> 
>>>> <Interceptor
>>>> className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
>>>> encryptionKey="[the key]" />
>>>> 
>>>> All nodes need the same key. The default algorithm 
>>>> (AES/CBC/PKCS12Padding) is sufficient.
>>>> 
>>>> To generate a key, just get some random garbage and convert
>>>> it into hex, like this:
>>>> 
>>>> $ dd if=/dev/urandom bs=128 count=1 2>/dev/null | md5
>>>> 
>>>> That'll give you a 128-bit key you can use for encryption.
>>>> You can also use a 256-bit key if you'd like, or a 192-bit
>>>> key. For keys larger than 128 bits (32 bytes), you'll need to
>>>> use a different signature algorithm such as sha1 or later.
>>>> 
>>>> I just chose MD5 because it generates the right number of
>>>> output characters for a 128-bit key. You can get your random
>>>> key from anywhere, including pounding on the keyboard.
>>>> Remember that the key must be in hex-encoded binary (so only
>>>> characters 0-9 and a-f).
>>>> 
>>>> -chris
>>>>> 
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>> 
>>>> 
>>>> I tried this between 2 nodes but it fails with this error on
>>>> each:
>>>> 
>>>> dd if=/dev/urandom bs=128 count=1 2>/dev/null | md5sum 
>>>> e0f2cdf931e99fdce0453964294f97f3  -
>>>> 
>>>> <Interceptor
>>>> className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
>>>> encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />
>>>> 
>>>> 20-Nov-2018 13:31:20.070 SEVERE [Tribes-Task-Receiver[Catalina-Channel]-1] org.apache.catalina.tribes.group.interceptors.EncryptInterceptor.messageReceived Failed to decrypt message
>>>> 
>>>> javax.crypto.BadPaddingException: Given final block not
>>>> properly padded. Such issues can arise if a bad key is used
>>>> during decryption.
> 
> Both nodes have the same encryption key, right? The key itself
> looks fine. For example, I dropped that key into the unit test file
> and it worked as expected.
> 
> I've been working on a patch yesterday and today that uses random
> IVs instead of re-using them. It really shouldn't change anything
> about the config, etc. but both nodes will require the new code to
> re-test. I've also expanded the unit tests to cover cipher block
> modes other than CBC.
> 
> I don't actually have a cluster here for testing, though, so 
> everything is being done with the unit tests.
> 
> I thought I had reproduced your issue (BadPaddingException) except
> it turned out that the test itself was wrong and the interceptor
> code was correct.
> 
> Are you able to build from source? I'm about to commit these
> changes to the trunk (9.0.x), which really shouldn't change
> anything for you, but it might fix some edge case that you are
> hitting.
> 
> -chris
> 
> 
> Key is the same on both, yes.
> 
> I never built from src before.

Okay, the problem is that I built the EncryptInterceptor without
realizing that cluster-messaging isn't single-threaded. It's
completely non-thread-safe and it needs to be.

There is a simple fix that can be applied (synchronize the encrypt and
decrypt methods) but it'll create a big bottleneck for you. On the
other hand, it's easy to apply and test and ensure it's working in
your environment. Are you willing to grab the Tomcat source and
compile it? If you get the 9.0.13 source and are able to compile it, I
can give you a 2-line patch that should fix your issue. Alternatively,
I can give you a patched catalina-tribes.jar that you can just
drop-in-replace to try out.

I have a more elaborate patch that I'm going to apply soon and it
should be available in the next release of Tomcat 9.

-chris
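
The thread-safety problem and the simple fix described in this message, as an added example that is not part of the original e-mail and is not Tomcat's EncryptInterceptor code. It shares one javax.crypto.Cipher per direction between worker threads, uses a fresh random IV per message, and compares unsynchronized with synchronized access. The class name SharedCipherDemo, the IV-prefixed message layout, the AES/CBC/PKCS5Padding transformation and the sample key are assumptions made for the illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.*;
import java.security.SecureRandom;
import java.nio.ByteBuffer;
import java.util.*;
import java.util.stream.IntStream;

// Added illustration (hypothetical class, not Tomcat's EncryptInterceptor). Needs Java 17+.
public class SharedCipherDemo {
    private final SecretKeySpec key;
    private final Cipher enc, dec;   // one instance per direction, shared by every thread
    private final SecureRandom rnd = new SecureRandom();

    SharedCipherDemo(String hexKey) throws Exception {
        key = new SecretKeySpec(HexFormat.of().parseHex(hexKey), "AES");
        enc = Cipher.getInstance("AES/CBC/PKCS5Padding");   // transformation assumed here
        dec = Cipher.getInstance("AES/CBC/PKCS5Padding");
    }
    byte[] encrypt(byte[] plain) throws Exception {
        byte[] iv = new byte[16];
        rnd.nextBytes(iv);   // fresh random IV for every message
        enc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = enc.doFinal(plain);
        return ByteBuffer.allocate(16 + ct.length).put(iv).put(ct).array();   // IV || ciphertext
    }
    byte[] decrypt(byte[] msg) throws Exception {
        dec.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(msg, 0, 16));
        return dec.doFinal(msg, 16, msg.length - 16);
    }
    // The simple fix from the message: serialize all use of the shared Cipher objects.
    synchronized byte[] encryptSync(byte[] p) throws Exception { return encrypt(p); }
    synchronized byte[] decryptSync(byte[] m) throws Exception { return decrypt(m); }

    // Round-trips messages on parallel worker threads; counts corrupted or rejected ones.
    int failures(boolean guarded, int messages) {
        return (int) IntStream.range(0, messages).parallel().filter(i -> {
            byte[] plain = ("constructed-message-" + i).getBytes();
            try {
                byte[] back = guarded ? decryptSync(encryptSync(plain)) : decrypt(encrypt(plain));
                return !Arrays.equals(plain, back);
            } catch (Exception e) { return true; }   // e.g. BadPaddingException
        }).count();
    }
    public static void main(String[] args) throws Exception {
        String k = "000102030405060708090a0b0c0d0e0f";   // constructed 128-bit key
        System.out.println("unguarded failures: " + new SharedCipherDemo(k).failures(false, 20000));
        System.out.println("guarded failures:   " + new SharedCipherDemo(k).failures(true, 20000));
    }
}
```

The unguarded count varies from run to run and with the number of cores available to the parallel stream; the guarded count is always 0, at the cost of the serialization bottleneck the message mentions.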