sts-sponsors team mailing list archive

[Tom Moyer <1903851@xxxxxxxxxxxxxxxxxx>]

Attached is the jmeter test plan that I used to validate the correctness
of the fix

** Attachment added: "Test-Plan.jmx"
   https://bugs.launchpad.net/ubuntu/focal/+source/tomcat9/+bug/1903851/+attachment/5634589/+files/Test-Plan.jmx

-- 
You received this bug notification because you are a member of SE SRU
("STS") Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1903851

Title:
  Tomcat9: multipart upload fails over https

Status in tomcat9 package in Ubuntu:
  Invalid
Status in tomcat9 source package in Focal:
  Fix Committed

Bug description:
  [ Impact ]

   * Tomcat version 9.0.31 has a bug that prevents multipart uploads over
     encrypted connections. This happens with the NIO SSL Connector, which
     is the one that gets auto-selected in a default configuration

   * This patch reverts a change that was made between 9.0.30 and 9.0.31 that
     causes the multipart upload to fail when using a TLS connection.

  [ Test Plan ]

   * Deploy focal

   * Deploy tomcat9 and use the default configuration

   * Enable HTTPS for tomcat9. A self-signed certificate is sufficient
     
     * Create a keystore:
       keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/tomcat9/keystore

     * Enable the HTTPS listener in the tomcat9 configuration file
       /etc/tomcat9/server.xml

     * Add the following XML snippet at the bottom of the the XML block
       '<Service name="Catalina">'. Ensure that you specify the same password
       as when you created the keystore above

     <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                clientAuth="want" sslProtocol="TLS"
                sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
                keystoreFile="/etc/tomcat9/keystore" keystorePass="*******" />

   * Deploy the attached WAR (JerseyDemos.war) file which is a simple test
     application that exhibits the regression. This is done by placing the WAR
     file in the following directory: /var/lib/tomcat9/webapps/

   * In a browser on a separate machine, navigate to the application:
     https://<focal instance>/JerseyDemos/fileUpload.html

   * Attempt to upload the attached file: qg8dbNp.png

  [ Where problems could occur ]

   * This patch only addresses the server reading from the encrypted connection.
     There is the potential that the server writing to this same connection may
     trigger a similar issue if the client tries a multipart download.
     However, that use case is less common and the code for that is a seperate
     codepath entirely.

  [ Other Info ]

   * This change only applies to focal as releases after focal have a newer
     version of tomcat9 that includes this patch already.

   * Patch source:
     https://github.com/apache/tomcat/commit/6e60713c75141bc00f03f08f759df993a6416c71

   * Contained in upstream tag: 9.0.32

  [ Original Bug Description ]

  Tomcat version 9.0.31 has a bug that prevents multipart uploads over encrypted connections.
  This happens with the NIO SSL Connector, which is the one that gets auto-selected on my system.

  FAIL - Deploy Upload Failed, Exception:
  [org.apache.tomcat.util.http.fileupload.impl.IOFileUploadException:
  Processing of multipart/form-data request failed.
  java.net.SocketTimeoutException]

  https://bz.apache.org/bugzilla/show_bug.cgi?id=64195
  https://bz.apache.org/bugzilla/show_bug.cgi?id=64202

  The bug is not present in the next Tomcat upstream release, but it
  seems the correction has not been ported back to Ubuntu 20.04.1 LTS in
  the tomcat9 package, version 9.0.31-1ubuntu0.1.

  On a side note, the bug seems to be present also on the current
  tomcat9 package, version 9.0.31-1~deb10u2 for Debian 10.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1903851/+subscriptions