Matthias,

On 3/12/20 07:19, Matthias Fechner wrote:
> Hi Christopher,
>
> On 09.03.2020 at 22:50, Christopher Schultz wrote:
>> That's not a super-secure solution. You really should specify a
>> correct whitelist pattern instead of "accept all".
>
> thanks for your comment. You are fully right, but as this seems
> like it will be fixed with the next tomcat version, I see it only
> as a temporary work-around.
>
> After the new version is released the configuration option can be
> completely removed again.

Fair enough. In the meantime, if you didn't trust your AJP connection
before, you (again) cannot trust it until you upgrade. And even then,
maybe not. You really need to lock it down; I highly recommend
mutually-authenticated TLS using e.g. stunnel.

> I'm not sure if it is worth finding the correct options you have
> to allow, as tomcat does not log any reason why the connection was
> refused.

The complete new default pattern is:

(javax\.servlet\.request\.(cipher_suite|key_size|ssl_session|X509Certificate)|CERT_(ISSUER|SUBJECT|COOKIE|FLAGS|SERIALNUMBER)|HTTPS_(SERVER_SUBJECT|SECRETKEYSIZE|SERVER_ISSUER|KEYSIZE))

The pattern above has no newlines in it; you may have to trim those
from your mail reader in order to produce the correct pattern.

-chris
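
Added example, not part of the thread and not Tomcat code: an offline check of which request-attribute names the quoted pattern would accept, and a way to extend the pattern with only the exact names that were rejected rather than "accept all". It assumes the pattern (the connector's allowedRequestAttributesPattern setting) is matched against the whole attribute name, as java.util.regex matches() does; the attribute names in SAMPLE_NAMES are constructed.

```python
import re

# Pattern quoted in the message above, with the mail line wraps removed.
QUOTED_PATTERN = (
    r"(javax\.servlet\.request\.(cipher_suite|key_size|ssl_session|X509Certificate)"
    r"|CERT_(ISSUER|SUBJECT|COOKIE|FLAGS|SERIALNUMBER)"
    r"|HTTPS_(SERVER_SUBJECT|SECRETKEYSIZE|SERVER_ISSUER|KEYSIZE))"
)

# Constructed sample: attribute names a front-end proxy might forward over AJP.
SAMPLE_NAMES = [
    "CERT_SUBJECT",
    "javax.servlet.request.key_size",
    "HTTPS_KEYSIZE",
    "CERT_SUBJECT_EXTRA",   # shares a prefix with an allowed name
    "ORG_EXAMPLE_TENANT",   # hypothetical site-specific attribute
    "request.trace-id",     # hypothetical, contains regex metacharacters
]


def split_by_pattern(names, pattern=QUOTED_PATTERN):
    """Return (allowed, rejected); a name must match the pattern in full."""
    rx = re.compile(pattern)
    allowed = [n for n in names if rx.fullmatch(n)]
    rejected = [n for n in names if not rx.fullmatch(n)]
    return allowed, rejected


def extend_pattern(rejected, pattern=QUOTED_PATTERN):
    """Append the rejected names as escaped literals, never a wildcard."""
    if not rejected:
        return pattern
    extra = "|".join(re.escape(n) for n in sorted(set(rejected)))
    return f"{pattern}|{extra}"


if __name__ == "__main__":
    ok, bad = split_by_pattern(SAMPLE_NAMES)
    print("accepted:", ok)
    print("rejected:", bad)
    # Review each rejected name before allowing it; this only builds the regex.
    print("extended pattern:", extend_pattern(bad))
```

Escaping each name keeps the extension as narrow as the list that was reviewed: a dot in a name matches only a literal dot, and a name that merely starts with an allowed one is still refused.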