sts-sponsors team mailing list archive

Thread
Date
[Bug 1903851] Re: Tomcat9: multipart upload fails over https

To: sts-sponsors@xxxxxxxxxxxxxxxxxxx
From: Andreas Hasenack <1903851@xxxxxxxxxxxxxxxxxx>
Date: Thu, 01 Dec 2022 20:47:03 -0000
Reply-to: Bug 1903851 <1903851@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Hello Simone, or anyone else affected,

Accepted tomcat9 into focal-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.4 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
focal to verification-done-focal. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-focal. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: tomcat9 (Ubuntu Focal)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-focal

-- 
You received this bug notification because you are a member of SE SRU
("STS") Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1903851

Title:
  Tomcat9: multipart upload fails over https

Status in tomcat9 package in Ubuntu:
  Invalid
Status in tomcat9 source package in Focal:
  Fix Committed

Bug description:
  [ Impact ]

   * Tomcat version 9.0.31 has a bug that prevents multipart uploads over
     encrypted connections. This happens with the NIO SSL Connector, which
     is the one that gets auto-selected in a default configuration

   * This patch reverts a change that was made between 9.0.30 and 9.0.31 that
     causes the multipart upload to fail when using a TLS connection.

  [ Test Plan ]

   * Deploy focal

   * Deploy tomcat9 and use the default configuration

   * Enable HTTPS for tomcat9. A self-signed certificate is sufficient
     
     * Create a keystore:
       keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/tomcat9/keystore

     * Enable the HTTPS listener in the tomcat9 configuration file
       /etc/tomcat9/server.xml

     * Add the following XML snippet at the bottom of the the XML block
       '<Service name="Catalina">'. Ensure that you specify the same password
       as when you created the keystore above

     <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                clientAuth="want" sslProtocol="TLS"
                sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
                keystoreFile="/etc/tomcat9/keystore" keystorePass="*******" />

   * Deploy the attached WAR (JerseyDemos.war) file which is a simple test
     application that exhibits the regression. This is done by placing the WAR
     file in the following directory: /var/lib/tomcat9/webapps/

   * In a browser on a separate machine, navigate to the application:
     https://<focal instance>/JerseyDemos/fileUpload.html

   * Attempt to upload the attached file: qg8dbNp.png

  [ Where problems could occur ]

   * This patch only addresses the server reading from the encrypted connection.
     There is the potential that the server writing to this same connection may
     trigger a similar issue if the client tries a multipart download.
     However, that use case is less common and the code for that is a seperate
     codepath entirely.

  [ Other Info ]

   * This change only applies to focal as releases after focal have a newer
     version of tomcat9 that includes this patch already.

   * Patch source:
     https://github.com/apache/tomcat/commit/6e60713c75141bc00f03f08f759df993a6416c71

   * Contained in upstream tag: 9.0.32

  [ Original Bug Description ]

  Tomcat version 9.0.31 has a bug that prevents multipart uploads over encrypted connections.
  This happens with the NIO SSL Connector, which is the one that gets auto-selected on my system.

  FAIL - Deploy Upload Failed, Exception:
  [org.apache.tomcat.util.http.fileupload.impl.IOFileUploadException:
  Processing of multipart/form-data request failed.
  java.net.SocketTimeoutException]

  https://bz.apache.org/bugzilla/show_bug.cgi?id=64195
  https://bz.apache.org/bugzilla/show_bug.cgi?id=64202

  The bug is not present in the next Tomcat upstream release, but it
  seems the correction has not been ported back to Ubuntu 20.04.1 LTS in
  the tomcat9 package, version 9.0.31-1ubuntu0.1.

  On a side note, the bug seems to be present also on the current
  tomcat9 package, version 9.0.31-1~deb10u2 for Debian 10.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1903851/+subscriptions