sts-sponsors team mailing list archive
Message #03593
[Bug 1903851] Re: Tomcat9: multipart upload fails over https
Hi Tom,
Thanks for the updated debdiff!
I have reviewed it and adjusted just a couple minor things,
and will upload it to Focal.
1) Deduplicated a bit of the changelog entry.
2) Added back the 'changelog.xml' portion of the patch,
as the (resulting) changelog.html goes in tomcat9-docs,
and it was still referred to in the git diffstat.
3) Even though there's no code changes required to apply
(ie, backport), the changelog file required trivial bits
changed (refresh the upper 3 context lines), so I added
the (optional) 'backport' keyword to the Origin DEP3 tag.
4) Used the shorter/general LP bugs URL in Bug-Ubuntu.
Testing:
Since the package and its reverse dependencies (apt rdepends)
don't seem to have autopkgtests (debian/tests/) to help with
verifying the changes at scale (in addition to the synthetic
reproducer), there's a few points to note:
1) The upstream tomcat9.git/9.0.x branch has no additional
changes/fixes to this commit until the (reverted) code path
simplification is reapplied and improved (very big refactor).
[good]
2) The build time test-suite has `test-nio:` and `test-nio2`
sections, including Http11, which should cover the codepath.
[good]
3) There's no differences for them (test sections in general)
between the build logs of focal-updates (9.0.31-1ubuntu0.3)
and a PPA w/ your changes (9.0.31-1ubuntu0.4).
[good]
4) With the 3 points above, it looks fine to upload to Focal.
Nonetheless, once/if it lands in focal-proposed after review
by the Ubuntu SRU team, could you please perform stress tests
on both non-/SSL paths, with a tool like Apache JMeter?
(a comparison between focal-updates/-proposed would be great!)
It'd be important to iron out the changes as much as we can,
since it's a code deviation since the initial Focal release.
Thanks a bunch!
Mauricio
--
https://bugs.launchpad.net/bugs/1903851
Title:
Tomcat9: multipart upload fails over https
Status in tomcat9 package in Ubuntu:
Invalid
Status in tomcat9 source package in Focal:
In Progress
Bug description:
[ Impact ]
* Tomcat version 9.0.31 has a bug that prevents multipart uploads over
encrypted connections. This happens with the NIO SSL Connector, which
is the one that gets auto-selected in a default configuration
* This patch reverts a change that was made between 9.0.30 and 9.0.31 that
causes the multipart upload to fail when using a TLS connection.
[ Test Plan ]
* Deploy focal
* Deploy tomcat9 and use the default configuration
* Enable HTTPS for tomcat9. A self-signed certificate is sufficient
* Create a keystore:
    keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/tomcat9/keystore
* Enable the HTTPS listener in the tomcat9 configuration file
  /etc/tomcat9/server.xml
* Add the following XML snippet at the bottom of the XML block
  '<Service name="Catalina">'. Ensure that you specify the same password
  as when you created the keystore above
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="want" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               keystoreFile="/etc/tomcat9/keystore" keystorePass="*******" />
* Deploy the attached WAR (JerseyDemos.war) file which is a simple test
  application that exhibits the regression. This is done by placing the WAR
  file in the following directory: /var/lib/tomcat9/webapps/
* In a browser on a separate machine, navigate to the application:
  https://<focal instance>/JerseyDemos/fileUpload.html
* Attempt to upload the attached file: qg8dbNp.png
[ Where problems could occur ]
* This patch only addresses the server reading from the encrypted connection.
There is the potential that the server writing to this same connection may
trigger a similar issue if the client tries a multipart download.
However, that use case is less common and the code for that is a separate
codepath entirely.
[ Other Info ]
* This change only applies to focal as releases after focal have a newer
version of tomcat9 that includes this patch already.
* Patch source:
https://github.com/apache/tomcat/commit/6e60713c75141bc00f03f08f759df993a6416c71
* Contained in upstream tag: 9.0.32
[ Original Bug Description ]
Tomcat version 9.0.31 has a bug that prevents multipart uploads over encrypted connections.
This happens with the NIO SSL Connector, which is the one that gets auto-selected on my system.
FAIL - Deploy Upload Failed, Exception:
[org.apache.tomcat.util.http.fileupload.impl.IOFileUploadException:
Processing of multipart/form-data request failed.
java.net.SocketTimeoutException]
https://bz.apache.org/bugzilla/show_bug.cgi?id=64195
https://bz.apache.org/bugzilla/show_bug.cgi?id=64202
The bug is not present in the next Tomcat upstream release, but it
seems the correction has not been ported back to Ubuntu 20.04.1 LTS in
the tomcat9 package, version 9.0.31-1ubuntu0.1.
On a side note, the bug seems to be present also on the current
tomcat9 package, version 9.0.31-1~deb10u2 for Debian 10.
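The browser upload step of the test plan can also be scripted, so that the same multipart POST is sent to the plain HTTP connector and to the NIO TLS connector and the two results compared. The following is an added example, not part of the bug report or of the tomcat9 package; the host name `focal-test`, the POST path `/JerseyDemos/upload`, the form field name `file` and the certificate file `tomcat.pem` are assumptions to be replaced with the values from fileUpload.html and from the keystore export.

```python
import http.client
import os
import socket
import ssl
import uuid
from urllib.parse import urlsplit


def build_multipart(field, filename, payload, boundary=None):
    """Return (content_type, body) for a single-file multipart/form-data POST."""
    boundary = boundary or uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode("ascii")
    tail = f"\r\n--{boundary}--\r\n".encode("ascii")
    return f"multipart/form-data; boundary={boundary}", head + payload + tail


def upload(url, field, filename, payload, cafile=None, timeout=30):
    """POST the file; return the HTTP status, or 'timeout' if the exchange stalls."""
    parts = urlsplit(url)
    ctype, body = build_multipart(field, filename, payload)
    if parts.scheme == "https":
        # Trust only the exported self-signed test certificate (cafile); its
        # subject will not match the host, so only hostname checking is relaxed.
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.check_hostname = False
        conn = http.client.HTTPSConnection(
            parts.hostname, parts.port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("POST", parts.path, body=body, headers={"Content-Type": ctype})
        return conn.getresponse().status
    except socket.timeout:
        return "timeout"
    finally:
        conn.close()


if __name__ == "__main__":
    # Hypothetical host, path, field name and cert file (assumptions, see lead-in).
    # The payload is constructed random data standing in for the attached PNG.
    data = os.urandom(512 * 1024)
    for url in ("http://focal-test:8080/JerseyDemos/upload",
                "https://focal-test:8443/JerseyDemos/upload"):
        print(url, upload(url, "file", "sample.bin", data, cafile="tomcat.pem"))
```

Running it against a focal-updates install and a focal-proposed install gives a like-for-like comparison of both connectors before moving on to a load tool such as Apache JMeter.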