[VOTE] Release Apache Tomcat 8.5.35

The proposed Apache Tomcat 8.5.35 release is now available for voting.

The major changes compared to the 8.5.34 release are:

- support for TLSv1.3 when used with a JRE or OpenSSl version that
  supports it

- multiple improvements to the RewriteValve

- correct several regressions in the JSP compiler


Along with lots of other bug fixes and improvements.

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.35/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1197/
The svn tag is:
http://svn.apache.org/repos/asf/tomcat/tc8.5.x/tags/TOMCAT_8_5_35/

The proposed 8.5.35 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 8.5.35

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

On Sat, Nov 3, 2018 at 10:55 AM Mark Thomas <[hidden email]> wrote:

+1  NB

Ran build, test, and application that I'm currently working on.  Test shows
same false positives as on trunk so I'm ignoring those.

Igal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 11/3/18 13:55, Mark Thomas wrote: 7/
>
>
The svn tag is:
> http://svn.apache.org/repos/asf/tomcat/tc8.5.x/tags/TOMCAT_8_5_35/
>
> The proposed 8.5.35 release is: [ ] Broken - do not release [X]
> Stable - go ahead and release as 8.5.35

Looks good. Runs without any problems on local development
applications on Debian Linux.

Several false-positive test-failures (tribes, openssl) that are known
to fail in my environment. Details below.

I also ran against OpenSSL 1.1.1 on MacOS Mojave and I got a few
failures in the TLS/cipher suite tests.

TestCipher has a problem with missing IBM cipher suites, but also some
suites seem to be unavailable when they are expected to be there.

TestOpenSSLCipherConfigurationParser fails for similar reasons.

I think there might be some confusion between the OpenSSL and LibreSSL
(installed system-wide) libraries in this case. I'll investigate this
in a separate thread.

Thanks,
- -chris

Details:

* Environment
*  Java (build):     java version "1.8.0_181" Java(TM) SE Runtime
Environment (build 1.8.0_181-b13) Java HotSpot(TM) 64-Bit Server VM
(build 25.181-b13, mixed mode)
*  Java (test):     java version "1.8.0_181" Java(TM) SE Runtime
Environment (build 1.8.0_181-b13) Java HotSpot(TM) 64-Bit Server VM
(build 25.181-b13, mixed mode)
*  OS:       Linux 2.6.32-312-ec2 x86_64
*  cc:       cc (Debian 4.7.2-5) 4.7.2
*  make:     GNU Make 3.81
*  OpenSSL:  OpenSSL 1.0.2k 26 Jan 2017
*  APR:      1.4.6
*
* Valid SHA-256 signature for apache-tomcat-8.5.35.zip
* Valid GPG signature for apache-tomcat-8.5.35.zip
* Valid SHA-256 signature for apache-tomcat-8.5.35.tar.gz
* Valid GPG signature for apache-tomcat-8.5.35.tar.gz
* Valid SHA-256 signature for apache-tomcat-8.5.35.exe
* Valid GPG signature for apache-tomcat-8.5.35.exe
* Valid SHA512 signature for apache-tomcat-8.5.35-src.zip
* Valid GPG signature for apache-tomcat-8.5.35-src.zip
* Valid SHA512 signature for apache-tomcat-8.5.35-src.tar.gz
* Valid GPG signature for apache-tomcat-8.5.35-src.tar.gz
*
* Binary Zip and tarball: Same
* Source Zip and tarball: Same
*
* Building dependencies returned: 0
* tcnative builds cleanly
* Tomcat builds cleanly
* Junit Tests: FAILED
*
* Tests that failed:
* org.apache.catalina.session.TestStandardSessionIntegration.APR.txt
* org.apache.catalina.session.TestStandardSessionIntegration.NIO.txt
* org.apache.catalina.session.TestStandardSessionIntegration.NIO2.txt
* org.apache.catalina.tribes.group.TestGroupChannelMemberArrival.APR.txt
* org.apache.catalina.tribes.group.TestGroupChannelMemberArrival.NIO.txt
* org.apache.catalina.tribes.group.TestGroupChannelMemberArrival.NIO2.tx
t
*
org.apache.catalina.tribes.group.TestGroupChannelSenderConnections.APR.t
xt
*
org.apache.catalina.tribes.group.TestGroupChannelSenderConnections.NIO.t
xt
*
org.apache.catalina.tribes.group.TestGroupChannelSenderConnections.NIO2.
txt
* org.apache.catalina.tribes.group.TestGroupChannelStartStop.APR.txt
* org.apache.catalina.tribes.group.TestGroupChannelStartStop.NIO.txt
* org.apache.catalina.tribes.group.TestGroupChannelStartStop.NIO2.txt
*
org.apache.catalina.tribes.group.interceptors.TestNonBlockingCoordinator
.APR.txt
*
org.apache.catalina.tribes.group.interceptors.TestNonBlockingCoordinator
.NIO.txt
*
org.apache.catalina.tribes.group.interceptors.TestNonBlockingCoordinator
.NIO2.txt
*
org.apache.catalina.tribes.group.interceptors.TestOrderInterceptor.APR.t
xt
*
org.apache.catalina.tribes.group.interceptors.TestOrderInterceptor.NIO.t
xt
*
org.apache.catalina.tribes.group.interceptors.TestOrderInterceptor.NIO2.
txt
*
org.apache.catalina.tribes.group.interceptors.TestTcpFailureDetector.APR
.txt
*
org.apache.catalina.tribes.group.interceptors.TestTcpFailureDetector.NIO
.txt
*
org.apache.catalina.tribes.group.interceptors.TestTcpFailureDetector.NIO
2.txt
* org.apache.tomcat.util.net.openssl.ciphers.TestCipher.APR.txt
* org.apache.tomcat.util.net.openssl.ciphers.TestCipher.NIO.txt
* org.apache.tomcat.util.net.openssl.ciphers.TestCipher.NIO2.txt
*
org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfiguratio
nParser.APR.txt
*
org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfiguratio
nParser.NIO.txt
*
org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfiguratio
nParser.NIO2.txt
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlvgb1sACgkQHPApP6U8
pFihFBAAullBRraGQjFiRVCKw+10MeFn8lpG/iULQIpYaolj+7oGn4jS8+44LQhb
ylmdK0FUF9Y6tmeqxGB+CvjLyTd1kSvPsaLUlFKn22tqIa1tEu4attg43HxkvZ5A
QpdinHPVlNgeKeIdOtyWZzjSfy6KpwwDSOSvbprWP0wxxBypz3411jmi5Xl98sln
DMgoPQjaGe2xXARjeZxldPifYLq90kJEpfRzBHZp0sAbm5ZfrzZJJRhS+WFuVJVH
+Cllkilx/35KEGzb0fpn+UsJoTPUkQe9lK6sugq469gTkmHjOXcAO9vBiTVXw0uv
i6/rFJExCYumFo75860pN/Gz5a1hOp57j6DZS18cUzOC2EiTPg0AYhdzSNASisyo
X6lYEfA3SlPRod1NeNy7QH7zigLcQ98d49dDLnPyyYwRvTM9nyC403raoxh0HgA/
Q1sExr5bzcGPYZzpLpY60lG7xYW475veJFf7F/+RXMtk3jpJJUE1RCoblH1CR6Ml
pE1x7Z2qBylNdw/FoysqmaDvev10FxShLm1ybIfI4BQNAUI8Opx4i6xrfvT/Na/9
Lcr3un1z+piLBf8ZShJTBH/g45uQ116InAolMqC8dPpH+/bq+o3AcxFSEFhVly2F
PBkVCbsDS/L9RPLMHrwTs1TT0m/h31VyeQGPEp6PHh5Jnkb0fPg=
=2Zh8
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

On Sat, Nov 3, 2018 at 6:55 PM Mark Thomas <[hidden email]> wrote:

Am 3. November 2018 18:55:11 MEZ schrieb Mark Thomas <[hidden email]>:
Regards,
Felix

>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [hidden email]
>For additional commands, e-mail: [hidden email]

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Hi,

На сб, 3.11.2018 г. в 19:55 ч. Mark Thomas <[hidden email]> написа:
+1

Regards,
Violeta

I got two issues when building Tomcat 8.5.35 with OpenJDK 11
and OpenSSL 1.1.1 in Debian.

1. testClientCertPost and testClientCertGet in TestClientCertTls13
   failed with the three NIO/NIO2/APR connectors:

  javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
      at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
      at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
      at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
      at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
      at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
      at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
      at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
      at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
      at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:163)
      at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:782)
      at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:748)
      at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:722)
      at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertPost(TestClientCertTls13.java:75)


2. testAbortedUploadLimitedNoSwallow and testAbortedPOST413NoSwallow
   failed with NIO only:

  Testcase: testAbortedUploadLimitedNoSwallow took 0.106 sec
          FAILED
  Limited upload with swallow disabled does not generate client exception
  junit.framework.AssertionFailedError: Limited upload with swallow disabled does not generate client exception
      at org.apache.catalina.core.TestSwallowAbortedUploads.testAbortedUploadLimitedNoSwallow(TestSwallowAbortedUploads.java:130)
      at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

  Testcase: testAbortedPOST413NoSwallow took 0.036 sec
          FAILED
  Limited upload with swallow disabled does not generate client exception
  junit.framework.AssertionFailedError: Limited upload with swallow disabled does not generate client exception
      at org.apache.catalina.core.TestSwallowAbortedUploads.testAbortedPOST413NoSwallow(TestSwallowAbortedUploads.java:176)
      at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)


Emmanuel Bourg


Le 03/11/2018 à 18:55, Mark Thomas a écrit :

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

On 06/11/2018 09:28, Emmanuel Bourg wrote:
> I got two issues when building Tomcat 8.5.35 with OpenJDK 11
> and OpenSSL 1.1.1 in Debian.
>
> 1. testClientCertPost and testClientCertGet in TestClientCertTls13
>    failed with the three NIO/NIO2/APR connectors:
>
>   javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version

I think some re-work is required around those tests to cover the various
permutations and combinations. It isn't quite right at the moment.


Interesting. I see those with 8.5.x as well but not with 9.0.x. More
investigation required.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

On 06/11/2018 10:17, Mark Thomas wrote:
Should be fixed now.

>> 2. testAbortedUploadLimitedNoSwallow and testAbortedPOST413NoSwallow
>>    failed with NIO only:

<snip/>

> Interesting. I see those with 8.5.x as well but not with 9.0.x. More
> investigation required.

There were some robustness fixes in 9.0.x that had not been back-ported.
I've just done that.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Le 06/11/2018 à 12:44, Mark Thomas a écrit :

> Should be fixed now.

> There were some robustness fixes in 9.0.x that had not been back-ported.
> I've just done that.

I confirm it works, thank you.

Emmanuel Bourg

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Le 03/11/2018 à 18:55, Mark Thomas a écrit :

> The proposed 8.5.35 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.35

+1

Emmanuel Bourg

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Emmanuel,

On 11/6/18 09:00, Emmanuel Bourg wrote:
> Le 06/11/2018 à 12:44, Mark Thomas a écrit :
>
>> Should be fixed now.
>
>> There were some robustness fixes in 9.0.x that had not been
>> back-ported. I've just done that.
>
> I confirm it works, thank you.

Just to confirm: the problem was with the unit tests and not the
server, right?

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlvhoccACgkQHPApP6U8
pFi4wBAAjMvga7JEDDLbL6bq01gcOnhCH/Ky3GcC3tGU1y+33lOyYPC+eSBoaDOw
M4FFzMxuF5ZGxKLq85IMEj6482Ney4UFkQpUB73ZAw3f+vOUoxWlQPuAc69lbzsv
kpQmMSWFs+kS01L084I25/6HR6RZ77xOhu3T4bUYUgk6yPxPjRpZ4MSZ49okBKNS
0VI8IXVAgErhJTS416lT/KZ1hWp6khPnBsFtHURvbGC/Wn+yW4p9gFwRD0V646/P
T0UcKFJ6+iyxyutcQCX1yPYiUPPKE+PbljVy/dICul9OrVHtrDubdCm08olVkkgE
I2fvc+10WPWTJf73PyREZJDALmlgULk1GjHXRA+FkbV/So41vU7cIA7pe6j9F891
iFWUUQI3xZbLn80R2MnX0yz/FhwLSMKMNyzNBg3nyoNk8gbEd/D8c/xMsclOiZKi
aDMEgPWyYpLppxfmMgPq6kGKUbpsbo4cnP7VQtYrAPWgAW7c6p/opCxrSgJb6O4B
z3+Lop2N7msmLHqSct5Ecnj5wgJGuzwwAp8W0Y9gMwfJIrYLrWHBfiTrlTOIukDn
d1Rwk8b92EBQfIIYWI+Cq8rRBqDYMwC/Ev4XjhQNTv4S0HGaMcD8FpJyJSA1S+MM
/yDbnxTTVGnoZBq+DH0N6Kh3/UlIcm/MoHp/N//U9sGlyTUtB90=
=iAg+
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

On 06/11/2018 14:14, Christopher Schultz wrote:
Correct. It was a unit test bug.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 11/6/18 09:22, Mark Thomas wrote:
+1

Confirmed myself on MacOS Mojave, JDK 11, 8.5.35 + back-ports for
tests. + support.

The whole unit test suite completes successfully in the above environmen
t.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlvhqKgACgkQHPApP6U8
pFgLeg//a84sAqiq7/xBeFYBvI9lXapA+c+5dFLV2XTjQ6ZbwyFYJteeJJKco/kG
FEB8wxdvTpnR7mLEk2orHlX1X/VnvGryiAPT9u5ohsfyvH9OIFUM5+GTxc7X+Sls
1UYyELgUHjw32pG5vo87ngAd6yOGEHiDthcCm6b20LEWkDl4J3yPCMKqLi7u+n9s
HQq2q+1I5VNje1+0Y44qyfnnrfomhDxyawMBCe62q9mJqOXsQJnT3pryuoHpSwJm
IV/fgCVq4lTF95rACCpX51xtnRJGbG/vgUjtHvxRRpEgkoDBCzVPyiW5z04TXRhE
GkjrlDM88X91gYI8KemYnAFL6CleBXl2SAiI6ULfhbjfeunDmxucVwHBo6cNe5Wc
pCNyTyHghqjfHEYYBX96Y7VcuUsbUbgDsz1BFd1D2/wg1nGX5tep4inQdbLnuTO/
MbxmLi8tntOY197nHA6MjK+PH3QpTRD3N551ljXZwSUwxE9InXx04SSseozjhrRp
3Y0ovqDJGMFx37sQL7UB4dFOxee/MazyHHdU61hbD5DaswkQLoo5YUzBq+Oupn1g
KEn9K4ScViHPfQbdmlm+IgLw5p2MVsOS4BBGcReQ7+ig1hS7TpceQMw0QcWCFb7P
1vkd9qFkPb3OR+KOfg063osL88qAN8sq1ejRO2Bf1R8Hrlq7s6I=
=QOeR
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

The following votes were cast:

Binding:
+1: schultz, remm, fschumacher, violetagg, ebourg

Non-binding:
+1: isapir

The vote therefore passes.

Thanks to everyone who contributed towards this release.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]