Discussion:
9.0.13 encrypted cluster traffic
Tim K
2018-11-20 14:52:09 UTC
I see encrypted cluster traffic has been added to 9.0.13, but upon using a
securePort on the NioReceiver and StaticMember, I'm still able to see clear
text information being passed around with Wireshark... Is there some other
config to set to take advantage of this new feature?

Thank you.
Mark Thomas
2018-11-20 15:06:11 UTC
Post by Tim K
I see encrypted cluster traffic has been added to 9.0.13, but upon using a
securePort on the NioReceiver and StaticMember, I'm still able to see clear
text information being passed around with Wireshark... Is there some other
config to set to take advantage of this new feature?
Ignore the secure port. The code behind that setting was never
implemented. We really should remove it.

You want:
http://tomcat.apache.org/tomcat-9.0-doc/config/cluster-interceptor.html#org.apache.catalina.tribes.group.interceptors.EncryptInterceptor_Attributes

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Tim K
2018-11-20 16:42:55 UTC
Post by Mark Thomas
Ignore the secure port. The code behind that setting was never
implemented. We really should remove it.
http://tomcat.apache.org/tomcat-9.0-doc/config/cluster-interceptor.html#org.apache.catalina.tribes.group.interceptors.EncryptInterceptor_Attributes
Mark
---------------------------------------------------------------------
I'm having some trouble getting it working. Can you provide an example of
the new EncryptInterceptor with an algorithm and key?
Christopher Schultz
2018-11-20 17:19:09 UTC
Tim,
Post by Tim K
Post by Mark Thomas
Ignore the secure port. The code behind that setting was never
implemented. We really should remove it.
http://tomcat.apache.org/tomcat-9.0-doc/config/cluster-interceptor.html#org.apache.catalina.tribes.group.interceptors.EncryptInterceptor_Attributes
Mark
Post by Tim K
I'm having some trouble getting it working. Can you provide an
example of the new EncryptInterceptor with an algorithm and key?
Each node in the cluster needs an interceptor configured, like this:

<Interceptor
className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
encryptionKey="[the key]" />

All nodes need the same key. The default algorithm
(AES/CBC/PKCS12Padding) is sufficient.

To generate a key, just get some random garbage and convert it into
hex, like this:

$ dd if=/dev/urandom bs=128 count=1 2>/dev/null | md5

That'll give you a 128-bit key you can use for encryption. You can
also use a 256-bit key if you'd like, or a 192-bit key. For keys
larger than 128 bits (32 bytes), you'll need to use a different
signature algorithm such as sha1 or later.

I just chose MD5 because it generates the right number of output
characters for a 128-bit key. You can get your random key from
anywhere, including pounding on the keyboard. Remember that the key
must be in hex-encoded binary (so only characters 0-9 and a-f).

-chris
Tim K
2018-11-20 18:36:14 UTC
I tried this between 2 nodes but it fails with this error on each:

dd if=/dev/urandom bs=128 count=1 2>/dev/null | md5sum
e0f2cdf931e99fdce0453964294f97f3 -

<Interceptor
className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />

20-Nov-2018 13:31:20.070 SEVERE [Tribes-Task-Receiver[Catalina-Channel]-1] org.apache.catalina.tribes.group.interceptors.EncryptInterceptor.messageReceived Failed to decrypt message
javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:991)
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:847)
    at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
    at javax.crypto.Cipher.doFinal(Cipher.java:2164)
    at org.apache.catalina.tribes.group.interceptors.EncryptInterceptor.decrypt(EncryptInterceptor.java:369)
    at org.apache.catalina.tribes.group.interceptors.EncryptInterceptor.messageReceived(EncryptInterceptor.java:114)
    at org.apache.catalina.tribes.group.ChannelInterceptorBase.messageReceived(ChannelInterceptorBase.java:91)
    at org.apache.catalina.tribes.group.interceptors.StaticMembershipInterceptor.messageReceived(StaticMembershipInterceptor.java:96)
    at org.apache.catalina.tribes.group.ChannelInterceptorBase.messageReceived(ChannelInterceptorBase.java:91)
    at org.apache.catalina.tribes.group.ChannelCoordinator.messageReceived(ChannelCoordinator.java:274)
    at org.apache.catalina.tribes.transport.ReceiverBase.messageDataReceived(ReceiverBase.java:261)
    at org.apache.catalina.tribes.transport.nio.NioReplicationTask.drainChannel(NioReplicationTask.java:213)
    at org.apache.catalina.tribes.transport.nio.NioReplicationTask.run(NioReplicationTask.java:101)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Christopher Schultz
2018-11-21 14:48:14 UTC
Tim,
Both nodes have the same encryption key, right? The key itself looks
fine. For example, I dropped that key into the unit test file and it
worked as expected.

I've been working on a patch yesterday and today that uses random IVs
instead of re-using them. It really shouldn't change anything about
the config, etc. but both nodes will require the new code to re-test.
I've also expanded the unit tests to cover cipher block modes other
than CBC.

I don't actually have a cluster here for testing, though, so
everything is being done with the unit tests.

I thought I had reproduced your issue (BadPaddingException) except it
turned out that the test itself was wrong and the interceptor code was
correct.

Are you able to build from source? I'm about to commit these changes
to the trunk (9.0.x), which really shouldn't change anything for you,
but it might fix some edge case that you are hitting.

-chris
Christopher Schultz
2018-11-21 15:50:02 UTC
Tim,

I'm all ready for a back-port of the EncryptInterceptor to Tomcat 8.5
but I'd like to make sure things are working for you before I do it.

Thanks,
-chris
Tim K
2018-11-21 18:55:20 UTC
Key is the same on both, yes.

I never built from src before.
Christopher Schultz
2018-11-23 17:55:26 UTC
Tim,
Okay, the problem is that I built the EncryptInterceptor without
realizing that cluster-messaging isn't single-threaded. It's
completely non-thread-safe and it needs to be.

There is a simple fix that can be applied (synchronize the encrypt and
decrypt methods) but it'll create a big bottleneck for you. On the
other hand, it's easy to apply and test and ensure it's working in
your environment. Are you willing to grab the Tomcat source and
compile it? If you get the 9.0.13 source and are able to compile it, I
can give you a 2-line patch that should fix your issue. Alternatively,
I can give you a patched catalina-tribes.jar that you can just
drop-in-replace to try out.

I have a more elaborate patch that I'm going to apply soon and it
should be available in the next release of Tomcat 9.

-chris
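Added example (not from the thread and not Tomcat's EncryptInterceptor code): a Java sketch of the two points discussed above, a hex key taken directly from a CSPRNG and encryption that stays correct when several receiver threads run at once because every call builds its own Cipher and random IV. The class name, the IV-prefixed message layout and the AES/CBC/PKCS5Padding transformation are assumptions of this sketch.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical class for illustration; not part of Tomcat.
public class ClusterCryptoSketch {
    // Assumption: a standard JCE transformation name, chosen for this sketch.
    private static final String ALGORITHM = "AES/CBC/PKCS5Padding";
    private static final int IV_LEN = 16; // AES block size in bytes
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKeySpec key;

    ClusterCryptoSketch(String hexKey) {
        this.key = new SecretKeySpec(parseHexKey(hexKey), "AES");
    }

    /** Returns a hex-encoded key of 128, 192 or 256 bits read from the CSPRNG. */
    static String generateHexKey(int bits) {
        if (bits != 128 && bits != 192 && bits != 256) {
            throw new IllegalArgumentException("AES keys are 128, 192 or 256 bits");
        }
        byte[] raw = new byte[bits / 8];
        RNG.nextBytes(raw);
        StringBuilder sb = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Accepts only 32, 48 or 64 hex characters, so a mistyped key fails at startup. */
    static byte[] parseHexKey(String hex) {
        if (!hex.matches("[0-9a-fA-F]{32}([0-9a-fA-F]{16}){0,2}")) {
            throw new IllegalArgumentException("key must be 32, 48 or 64 hex characters");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    /** Fresh Cipher and fresh random IV per message; output is IV followed by ciphertext. */
    byte[] encrypt(byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance(ALGORITHM); // local variable, never shared between threads
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    /** Reads the IV from the first block of the message, then decrypts the rest. */
    byte[] decrypt(byte[] msg) throws GeneralSecurityException {
        if (msg.length < 2 * IV_LEN) {
            throw new GeneralSecurityException("message shorter than IV plus one block");
        }
        Cipher c = Cipher.getInstance(ALGORITHM);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(msg, 0, IV_LEN));
        return c.doFinal(msg, IV_LEN, msg.length - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        String hexKey = generateHexKey(128);
        // Two objects with the same key stand in for two cluster nodes.
        ClusterCryptoSketch sender = new ClusterCryptoSketch(hexKey);
        ClusterCryptoSketch receiver = new ClusterCryptoSketch(hexKey);

        // Eight worker threads share both objects, as receiver threads share one interceptor.
        ExecutorService pool = Executors.newFixedThreadPool(8);
        List<Future<Boolean>> results = new ArrayList<>();
        for (int i = 0; i < 2000; i++) {
            // Constructed sample payload.
            final byte[] payload =
                    ("constructed session delta #" + i).getBytes(StandardCharsets.UTF_8);
            Callable<Boolean> task =
                    () -> Arrays.equals(payload, receiver.decrypt(sender.encrypt(payload)));
            results.add(pool.submit(task));
        }
        int ok = 0;
        for (Future<Boolean> f : results) {
            if (f.get()) {
                ok++;
            }
        }
        pool.shutdown();
        System.out.println(ok + " of " + results.size() + " messages round-tripped");
    }
}
```

Creating a Cipher per call costs more than reusing one, but it avoids both the shared-state failure and the single lock that synchronized encrypt and decrypt methods would introduce.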
Christopher Schultz
2018-11-24 16:13:19 UTC
Tim,
Post by Christopher Schultz
Okay, the problem is that I built the EncryptInterceptor without
realizing that cluster-messaging isn't single-threaded. It's
completely non-thread-safe and it needs to be.
There is a simple fix that can be applied (synchronize the encrypt
and decrypt methods) but it'll create a big bottleneck for you. On
the other hand, it's easy to apply and test and ensure it's working
in your environment. Are you willing to grab the Tomcat source and
compile it? If you get the 9.0.13 source and are able to compile
it, I can give you a 2-line patch that should fix your issue.
Alternatively, I can give you a patched catalina-tribes.jar that
you can just drop-in-replace to try out.
I have a more elaborate patch that I'm going to apply soon and it
should be available in the next release of Tomcat 9.
I think this should be fixed, now. If you build from trunk, I think
things will work remarkably better for you. Or, just wait until the
next release (a few weeks maybe). If you *can* build from source, it
would be great to get some real-world mileage on this code before the
next release.

-chris
Esther Montes
2018-11-24 19:48:15 UTC
Sorry, but I don't understand you.

Christopher Schultz
2018-11-24 21:10:59 UTC
Esther,
Post by Esther Montes
Sorry, but I don't understand you.
I'm sorry if you don't understand me. The official language of this mailing
list is English. If you'd like, you can join a different mailing list
if you want to use Spanish instead.

-chris