Tomcat 6 - catalina errors "did not find a matching property."

 
Greenhorn
Posts: 28
So we are moving from Tomcat 5.5 to Tomcat 6.0.41 and in my testing, I've run into some warnings:

Nov 14, 2014 1:20:46 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.31 using APR version 1.4.8.
Nov 14, 2014 1:20:46 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Nov 14, 2014 1:20:46 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'minSpareThreads' to '25' did not find a matching property.
Nov 14, 2014 1:20:46 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'maxSpareThreads' to '75' did not find a matching property.
Nov 14, 2014 1:20:46 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ciphers' to ' SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ' did not find a matching property.
Nov 14, 2014 1:20:46 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'clientAuth' to 'false' did not find a matching property.
Nov 14, 2014 1:20:46 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'SSLEngine' to 'on' did not find a matching property.
Nov 14, 2014 1:20:46 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized with version OpenSSL 1.0.1h 5 Jun 2014
Nov 14, 2014 1:20:46 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Nov 14, 2014 1:20:46 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-443
Nov 14, 2014 1:20:46 PM org.apache.coyote.ajp.AjpAprProtocol init
INFO: Initializing Coyote AJP/1.3 on ajp-8009
Nov 14, 2014 1:20:46 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1190 ms
Nov 14, 2014 1:20:46 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Nov 14, 2014 1:20:46 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.41
Nov 14, 2014 1:20:46 PM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor PaymentSwitch.xml
Nov 14, 2014 1:20:49 PM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Nov 14, 2014 1:20:49 PM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-443
Nov 14, 2014 1:20:49 PM org.apache.coyote.ajp.AjpAprProtocol start
INFO: Starting Coyote AJP/1.3 on ajp-8009
Nov 14, 2014 1:20:49 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2615 ms

Here is the relevant section of my server.xml:

<!-- Define a SSL HTTP/1.1 Connector on port 443 -->
<Connector port="443" maxHttpHeaderSize="8192" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
ciphers="
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
"
clientAuth="false"
sslProtocol="TLS"
SSLEngine="on"
SSLEnabled="true"
SSLPassword="********"
SSLCertificateFile="C:\Program Files\Apache Software Foundation\Tomcat 6\conf\newcerts\server.crt"
SSLCertificateKeyFile="C:\Program Files\Apache Software Foundation\Tomcat 6\conf\newcerts\serverpriv.key"
SSLCACertificateFile="C:\Program Files\Apache Software Foundation\Tomcat 6\conf\newcerts\gdig2.crt"
SSLCertificateChainFile="C:\Program Files\Apache Software Foundation\Tomcat 6\conf\newcerts\gd_bundle-g2-g1.crt" />

I'm mainly concerned with the SSL settings.
Most of the settings are valid for Tomcat 6, from what I've seen in the documentation.
 
Saloon Keeper
Posts: 25824
I realise that APR is different from normal Tomcat pipelining, but some of those directives look like they should be in the Apache config file, not in Tomcat's server.xml.
 
Peter Bollwerk
Greenhorn
Posts: 28
Here is Apache's documentation:
https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support
As you can see "ciphers" is a valid property.
The APR connector adds some additional properties, but there is no indication that "ciphers" is no longer valid.
https://tomcat.apache.org/tomcat-6.0-doc/apr.html#HTTPS

We do not use Apache on the server in question. Only Tomcat.
 
Tim Holloway
Saloon Keeper
Posts: 25824
Whoops. Sorry. I was thinking APR was an Apache/Tomcat tunnel like Coyote.

You need to read the docs more closely (https://tomcat.apache.org/tomcat-6.0-doc/apr.html#HTTPS).

The SSLEngineOn directive doesn't work because you didn't put it in the right place. It's a Listener attribute, not a Connector attribute. Likewise, the min/maxSpareThreads attributes are not valid for the APR Connector.

But if you're not fronting Tomcat with Apache, there's a potential MAJOR security risk. Tomcat doesn't have the ability to open protected TCP ports (80, 443) and then drop down to unprivileged operations the way Apache does. Unless you're fronting it with something - even if it's only the Tomcat security wrapper - then anyone who can weasel their way in has the potential to pwn your entire IT installation.
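The placement described in the reply above, written out as an added example that is not from any post in this thread: SSLEngine goes on the AprLifecycleListener (the startup log shows that listener is already loaded, so this edits the existing Listener line rather than adding a second one), the Connector keeps only attributes the Tomcat 6 apr.html page linked above documents for the APR connector, and the posted JSSE cipher list is rewritten as an OpenSSL-syntax SSLCipherSuite value with the RC4, 3DES and MD5 suites removed. The file paths are the ones from the posted config; the OpenSSL suite names are the standard ciphers(1) spellings of the posted JSSE names.

```xml
<!-- Added example; attribute names per Tomcat 6 apr.html "HTTPS" section. -->

<!-- SSLEngine is a Listener attribute, not a Connector attribute. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

<!-- APR SSL HTTP/1.1 Connector on port 443.
     Dropped: minSpareThreads, maxSpareThreads (Tomcat 5.5 pool settings, no APR equivalent).
     Replaced: ciphers -> SSLCipherSuite (OpenSSL names, ':'-separated),
               clientAuth="false" -> SSLVerifyClient="none". -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxHttpHeaderSize="8192" maxThreads="150"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEnabled="true"
           SSLVerifyClient="none"
           SSLCipherSuite="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!RC4:!3DES:!MD5"
           SSLPassword="********"
           SSLCertificateFile="C:\Program Files\Apache Software Foundation\Tomcat 6\conf\newcerts\server.crt"
           SSLCertificateKeyFile="C:\Program Files\Apache Software Foundation\Tomcat 6\conf\newcerts\serverpriv.key"
           SSLCACertificateFile="C:\Program Files\Apache Software Foundation\Tomcat 6\conf\newcerts\gdig2.crt"
           SSLCertificateChainFile="C:\Program Files\Apache Software Foundation\Tomcat 6\conf\newcerts\gd_bundle-g2-g1.crt" />
```

Two caveats a reviewer would raise. First, the APR attribute for protocol selection is SSLProtocol, not sslProtocol; it is left out above because which version tokens the attribute accepts depends on the Tomcat Native build installed, so check the apr.html page for your build before setting it. Second, the ECDHE-ECDSA suites can only be negotiated when the server certificate carries an ECDSA key; with an RSA certificate they are silently never offered and clients end up on AES128-SHA/AES256-SHA, so with an RSA certificate the ECDHE-RSA equivalents are what actually give forward secrecy (assuming the installed OpenSSL and Tomcat Native support them). The trailing !aNULL:!eNULL:!RC4:!3DES:!MD5 exclusions are belt-and-braces: they keep a future OpenSSL default from re-enabling the weak families if the explicit list is ever shortened to a keyword like HIGH.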
 
Peter Bollwerk
Greenhorn
Posts: 28
I think maybe you're referring to Tomcat running on *nix?
We run Tomcat on Windows Server 2003 / 2008, with a domain service account, so perhaps it's not the same security risk.

As to the configuration parameters, it seems that "ciphers" is only valid for JSSE and not APR.
When I replaced ciphers with SSLCipherSuite, with the appropriate separators, it worked fine.
Unfortunately, it doesn't seem that Apache documented which parameters are not valid with APR.
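The two things worked out by hand above (which Connector attributes the APR connector ignores, and the translation from JSSE cipher names to an SSLCipherSuite value "with the appropriate separators") can be automated. The script below is an added example, not code from the thread or from Tomcat: the JSSE-versus-APR attribute mapping is built from the Tomcat 6 http.html ("SSL Support") and apr.html ("HTTPS") pages linked above, the suite-name table uses OpenSSL's ciphers(1) names for the eleven suites in the posted config, and the sample Connector is constructed to mirror the posted one with shortened paths. It flags the invalid attributes, drops the RC4, 3DES and MD5 suites, and emits the replacement SSLCipherSuite string with forward-secret suites first.

```python
"""Translate a JSSE-style Tomcat 6 `ciphers` list into an OpenSSL
`SSLCipherSuite` string for the APR connector, and flag Connector
attributes the APR connector does not honour.  Added example."""
import re
import xml.etree.ElementTree as ET

# JSSE (IANA-style) suite name -> OpenSSL name, per OpenSSL ciphers(1),
# for the suites in the posted server.xml.  Unlisted names are reported
# as unknown rather than guessed.
JSSE_TO_OPENSSL = {
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "SSL_RSA_WITH_RC4_128_MD5": "RC4-MD5",
    "SSL_RSA_WITH_RC4_128_SHA": "RC4-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": "ECDHE-ECDSA-AES128-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": "ECDHE-ECDSA-AES128-SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": "ECDHE-ECDSA-AES256-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": "ECDHE-ECDSA-AES256-SHA",
}
# Substrings of a JSSE name that mark a suite as unacceptable: RC4,
# single/triple DES, MD5 MACs, NULL ciphers, export-grade suites.
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_MD5", "_NULL_", "_EXPORT")
# JSSE-only Connector attributes (http.html) -> APR attribute with the
# same meaning (apr.html).  Mapping built from the docs, not from Tomcat.
JSSE_ONLY = {"ciphers": "SSLCipherSuite", "clientAuth": "SSLVerifyClient",
             "sslProtocol": "SSLProtocol",
             "keystoreFile": "SSLCertificateFile/SSLCertificateKeyFile"}
LISTENER_ONLY = {"SSLEngine"}                           # AprLifecycleListener attribute
NO_EQUIVALENT = {"minSpareThreads", "maxSpareThreads"}  # Tomcat 5.5 pool settings
EXCLUSIONS = ["!aNULL", "!eNULL", "!RC4", "!3DES", "!MD5"]

# Constructed sample mirroring the posted Connector (paths shortened).
SAMPLE_CONNECTOR = """<Connector port="443" maxHttpHeaderSize="8192"
  protocol="org.apache.coyote.http11.Http11AprProtocol"
  maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
  enableLookups="false" disableUploadTimeout="true"
  acceptCount="100" scheme="https" secure="true"
  ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5,
    SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
  clientAuth="false" sslProtocol="TLS" SSLEngine="on" SSLEnabled="true"
  SSLPassword="********" SSLCertificateFile="conf/newcerts/server.crt"
  SSLCertificateKeyFile="conf/newcerts/serverpriv.key" />"""


def parse_jsse_ciphers(value):
    """Split a `ciphers` value on commas and/or whitespace (the posted
    list spans many lines), dropping empty pieces."""
    return [n for n in re.split(r"[\s,]+", value) if n]


def connector_ciphers(connector_xml):
    """JSSE names from a Connector's `ciphers` attribute, in given order."""
    return parse_jsse_ciphers(ET.fromstring(connector_xml).get("ciphers", ""))


def to_openssl(jsse_names):
    """Return (keep, dropped, unknown): OpenSSL names of acceptable suites
    in input order, JSSE names rejected as weak, names with no mapping."""
    keep, dropped, unknown = [], [], []
    for name in jsse_names:
        if name not in JSSE_TO_OPENSSL:
            unknown.append(name)
        elif any(m in name for m in WEAK_MARKERS):
            dropped.append(name)
        else:
            keep.append(JSSE_TO_OPENSSL[name])
    return keep, dropped, unknown


def ssl_cipher_suite(jsse_names):
    """Build the SSLCipherSuite value: ECDHE (forward-secret) suites first,
    GCM before CBC, ':'-separated, then explicit exclusions so a later
    OpenSSL default cannot bring the weak families back."""
    keep, _, unknown = to_openssl(jsse_names)
    if unknown:
        raise ValueError("no OpenSSL name known for: " + ", ".join(unknown))
    rank = lambda n: (0 if n.startswith("ECDHE-") else 1, 0 if "-GCM-" in n else 1)
    return ":".join(sorted(keep, key=rank) + EXCLUSIONS)  # sorted() is stable


def lint_apr_connector(connector_xml):
    """Map each attribute the APR connector will not honour to advice.
    Note: the posted log warns about five of these but not sslProtocol,
    so absence of a startup warning is not proof an attribute is used."""
    el = ET.fromstring(connector_xml)
    if el.tag != "Connector" or "Http11AprProtocol" not in el.get("protocol", ""):
        raise ValueError("expected a <Connector> using Http11AprProtocol")
    findings = {}
    for attr in el.attrib:
        if attr in JSSE_ONLY:
            findings[attr] = "JSSE-only, ignored by APR; use " + JSSE_ONLY[attr]
        elif attr in LISTENER_ONLY:
            findings[attr] = "not a Connector attribute; set it on AprLifecycleListener"
        elif attr in NO_EQUIVALENT:
            findings[attr] = "Tomcat 5.5 pool attribute; no APR equivalent, remove"
    return findings


if __name__ == "__main__":
    for attr, advice in lint_apr_connector(SAMPLE_CONNECTOR).items():
        print(f"{attr}: {advice}")
    names = connector_ciphers(SAMPLE_CONNECTOR)
    print("dropped as weak:", to_openssl(names)[1])
    print(f'SSLCipherSuite="{ssl_cipher_suite(names)}"')
```

Run it against your own server.xml by pasting the Connector element into SAMPLE_CONNECTOR or reading it from the file; any suite name outside the table raises rather than being guessed, which is the safe failure for a cipher list. The name table is deliberately small (only the posted suites); extend it from ciphers(1) as needed.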
 
Tim Holloway
Saloon Keeper
Posts: 25824
It's ALWAYS the same security risk, unless the OS doesn't do basic TCP security.

And Windows, for all its sins, does have the same restriction. If you open a port numbered less than 4096 (i.e., 80, 443), then your application (Tomcat) must have Administrator privileges.

Then again, Windows and security are two words most closely paired for comedy relief anyway.

Don't forget to apply the Windows panic emergency fix that was announced yesterday!
The reason you don't have up-front docs on what's supported with APR is probably because APR has to be built on-site from Apache source, so it would depend on what Apache source you have and what options you had it defined for. Which is one of the reasons I've avoided APR. APR's primary purpose is to provide faster throughput, and I figure if I'm that desperate for performance, I probably should start by optimizing the webapps. Then again, I use the Apache frontend and J2EE security subsystems for my primary defences. They have good records.