Stuff I'm Up To

Technical Ramblings

Git – Version Control — October 13, 2017

Git – Version Control

We have a distinct lack of version control in the relatively small development team that manages one of our business applications. One of the main challenges isn’t really related to the developers, but to the vendor that connects remotely and “fixes” things without leaving any clue as to what has been changed.

So I came up with a sneaky plan to deploy Git onto the servers and manage the versions of configuration files used by the application. I can then capture any changes and roll back as necessary.

Continue reading

Advertisements
Tomcat log4j Errors — October 12, 2017

Tomcat log4j Errors

As I’ve been spending a lot of time with Tomcat these days I’ve tried to clear out the stderr log of error messages. One of the frustrating warnings I had to deal with was this:

log4j:WARN Continuable parsing error 208 and column 23
log4j:WARN The content of element type "log4j:configuration" must match "(renderer*,throwableRenderer?,appender*,plugin*,(category|logger)*,root?,(categoryFactory|loggerFactory)?)".

The log4j.xml file parsed correctly and was obviously working as we were seeing log output. But this error had me baffled for a while. I checked the syntax of the xml file, ensured it was sound structurally and couldn’t for the life of me spot the problem.

Turns out the order of the elements in the file is important and must match the order of the string listed above. We’d got some logger elements after the root element. A move of the root element below the logger elements and the error message went away.

 

Forcing Tomcat to HTTPS — September 28, 2017

Forcing Tomcat to HTTPS

As our environment needs change more and more of our internal services are being forced to change to HTTPS.

Tomcat supports the deployment of services using HTTPS, but many of our vendors have taken the easy route and just use HTTP on the standard port 8080. This is now going to become a bit of a hurdle as we now need to advise clients of the change to HTTPS and the port change involved.

Securing Tomcat with valid certificates is the start of the journey and adding a connector using HTTPS is the first step. Then we need to make calls to the non-secure HTTP site redirect over to the HTTPS version.

Continue reading

SSL 64-bit Block Size Cipher Suites Supported (SWEET32) – Tomcat — February 3, 2017

SSL 64-bit Block Size Cipher Suites Supported (SWEET32) – Tomcat

Following on from the Windows vulnerability for SWEET32, Here’s how to resolve the same issue with Tomcat 8. This use the OpenSSL format string for ciphers, so can also be applied to anything using the same cipher list.

ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!ECDHE-RSA-DES-CBC3-SHA"

Simply by adding the !ECDHE-RSA-DES-CBC3-SHA to your existing : delimited cipher list disables the cipher on the server. The prefix ! means NOT – which disables the cipher.

Alternatively you can simply disable all ciphers using triple DES using !3DES.

When you encounter some other cipher vulnerability listed in you Nessus scan just copy the cipher name into the list prefixed with !. Be wary that some of your connecting applications may not like this. So keep a log of what you added so you can rollback.

To use the AES 256 bit ciphers, it is necessary to install the JCE Unlimited Strength Jurisdiction Policy Files.