Mark,
On 2/26/20 09:08, Mark Thomas wrote:
> On 26/02/2020 11:19, Mark Thomas wrote:
>> On 26/02/2020 09:00, Mark Thomas wrote:
>>> On 25/02/2020 21:47, Ellen Meiselman wrote:
>>>> So it turned out that the logs were mostly set at FINE already, so
>>>> Johann’s suggestion was already done.
>>>>
>>>> But I think I now know where the problem lies. Secure IIS request to
>>>> non-secure AJP.
>>>>
>>>> I don’t think this was a problem on the other servers before but the
>>>> security has probably been tightened, and it just doesn’t produce an
>>>> error - it just won’t allow it.
>>>>
>>>> I have had IIS set to require SSL, but I turned it off to test and it
>>>> actually worked all the way through to the simple.html file. So it’s
>>>> some sort of policy about downgrading - which seems quite rational in
>>>> retrospect.
>>>
>>> Thanks for the new information.
>>>
>>> That rules out an issue with the secret settings.
>>>
>>> I wonder if IIS (or more likely the ISAPI redirector) is adding some
>>> unexpected request attributes that are triggering the new protection
>>> for CVE-2020-1938. If that is the case, adding the following to your
>>> AJP connector in server.xml should get things working for SSL as well:
>>>
>>> allowedRequestAttributesPattern=".*"
>>>
>>> Meanwhile, I'll configure my local test environment for IIS with TLS
>>> and see what happens.
>>
>> Confirmed. That is the issue and allowedRequestAttributesPattern=".*"
>> works around it.
>>
>> I need to debug further to find out exactly what the attributes are. I
>> expect we'll add them to the ones Tomcat accepts by default.
>
> Added.
>
> Fixed in:
> - master for 10.0.0-M2 onwards
> - 9.0.x for 9.0.32 onwards
> - 8.5.x for 8.5.52 onwards
> - 7.0.x for 7.0.101 onwards
>
> For reference, the IIS specific attributes will be listed in the docs.
> CI version available from:
> https://ci.apache.org/projects/tomcat/tomcat9/docs/config/ajp.html#Standard_Implementations

Well, @#$*%&. Sorry, IIS folks.
I hope we didn't ruin too many nights and weekends for you. :(

-chris
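The server.xml settings the thread is about, as an added example that is not part of the thread or of Tomcat's own documentation. The Connector attribute names (`protocol`, `address`, `port`, `secretRequired`, `secret`, `allowedRequestAttributesPattern`) are real Tomcat AJP connector attributes from the 9.0.31 / 8.5.51 / 7.0.100 security releases; the bind address, port and secret value are placeholders, and the version numbers are the ones Mark gives above.

```xml
<!-- Added example, not from the thread or the Tomcat docs.
     Values for address and secret are placeholders. -->

<!-- 1. Interim workaround on Tomcat 9.0.31 / 8.5.51 / 7.0.100 with an
        IIS + ISAPI redirector front end over TLS.
        allowedRequestAttributesPattern=".*" lets the redirector's extra
        request attributes through, but it also re-admits ANY attribute the
        AJP peer sends, which is the surface the CVE-2020-1938 hardening
        restricts. Only acceptable when the AJP port is reachable solely by
        the trusted IIS host: bind it to the internal interface and keep the
        shared secret mandatory. -->
<Connector protocol="AJP/1.3"
           address="10.0.0.5"
           port="8009"
           secretRequired="true"
           secret="CHANGE-ME-to-a-long-random-string"
           allowedRequestAttributesPattern=".*" />

<!-- 2. After upgrading to 9.0.32 / 8.5.52 / 7.0.101 / 10.0.0-M2 or later,
        where the IIS-specific attributes are accepted by default: drop the
        wildcard and keep the peer restrictions. -->
<Connector protocol="AJP/1.3"
           address="10.0.0.5"
           port="8009"
           secretRequired="true"
           secret="CHANGE-ME-to-a-long-random-string" />
```

The same secret has to be configured on the IIS side in the ISAPI redirector's workers.properties (`worker.<name>.secret=...`), and `address` should be the interface IIS actually connects to rather than the 9.0.31+ loopback default, since the redirector is normally on a different host. Treat block 1 as a stop-gap to remove once the fixed version is deployed, not as a permanent setting.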