On 26/02/2020 11:19, Mark Thomas wrote:
> On 26/02/2020 09:00, Mark Thomas wrote:
>> On 25/02/2020 21:47, Ellen Meiselman wrote:
>>> So it turned out that the logs were mostly set at FINE already, so
>>> Johann’s suggestion was already done.
>>>
>>> But I think I now know where the problem lies. Secure IIS request to
>>> non-secure AJP.
>>>
>>> I don’t think this was a problem on the other servers before but the
>>> security has probably been tightened, and it just doesn’t produce an
>>> error - it just won’t allow it.
>>>
>>> I have had IIS set to require SSL, but I turned it off to test and it
>>> actually worked all the way through to the simple.html file. So it’s
>>> some sort of policy about downgrading - which seems quite rational in
>>> retrospect
>>
>> Thanks for the new information.
>>
>> That rules out an issue with the secret settings.
>>
>> I wonder if IIS (or more likely the ISAPI redirector) is adding some
>> unexpected request attributes that are triggering the new protection for
>> CVE-2020-1938. If that is the case, adding the following to your AJP
>> connector in server.xml should get things working for SSL as well:
>>
>> allowedRequestAttributesPattern=".*"
>>
>> Meanwhile, I'll configure my local test environment for IIS with TLS and
>> see what happens.
>
> Confirmed. That is the issue and allowedRequestAttributesPattern=".*"
> works around it.
>
> I need to debug further to find out exactly what the attributes are. I
> expect we'll add them to the ones Tomcat accepts by default.

Added.

Fixed in:
- master for 10.0.0-M2 onwards
- 9.0.x for 9.0.32 onwards
- 8.5.x for 8.5.52 onwards
- 7.0.x for 7.0.101 onwards

For reference, the IIS specific attributes will be listed in the docs. CI
version available from:
https://ci.apache.org/projects/tomcat/tomcat9/docs/config/ajp.html#Standard_Implementations

Mark
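
An added example, not part of the thread or of Tomcat's own code: a small Python audit that finds AJP connectors in a server.xml still carrying the match-all `allowedRequestAttributesPattern` workaround discussed above. The sample XML, probe names and function names are constructed for illustration, and Python's `re` only approximates Java regex syntax.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not taken from the thread).
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" secret="placeholder"
               allowedRequestAttributesPattern=".*"/>
    <Connector port="8010" protocol="AJP/1.3" secret="placeholder"/>
  </Service>
</Server>
"""

# Constructed attribute names, used only to probe how broad a pattern is.
PROBES = ("constructed.probe.one", "CONSTRUCTED_PROBE_2", "x")


def is_match_all(pattern):
    """True if the pattern accepts every probe name in full; Tomcat also
    requires the entire attribute name to match the expression."""
    try:
        rx = re.compile(pattern)
    except re.error:
        return False  # not parseable by Python's re: review by hand
    return all(rx.fullmatch(p) for p in PROBES)


def audit_ajp_connectors(server_xml):
    """Return (port, pattern, finding) for each AJP connector found."""
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # protocol may be "AJP/1.3" or an AJP protocol handler class name
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        pattern = conn.get("allowedRequestAttributesPattern")
        if pattern is None:
            finding = "default"
        elif is_match_all(pattern):
            finding = "match-all workaround still present"
        else:
            finding = "custom pattern"
        results.append((conn.get("port"), pattern, finding))
    return results


if __name__ == "__main__":
    for row in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(row)
```
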