[WG: Sakai QA] [WG: Security] Recent Tomcat 5.5 security fixes

Matthew Jones jonespm at umich.edu
Wed Jan 13 13:55:37 PST 2010


I believe that, as you've noticed, SSL can make a difference when testing
webdav. Most production instances have SSL enabled but none of the QA
servers do. I'd mentioned this to someone (Pete?) a while ago and don't know
if anything happened to it. Minimally we should have at least 1 QA with an
SSL cert so that we can test this. I think they're around $20 a year.
Ideally we would get a wildcard for *.sakaiproject.org and get them all
secured, but these are around $150/year.

Self-signed certs are also an option, but that might be more time than it's
worth. Testers testing it on dav typically would need to add the authority
to their trust on Windows and it can make selenium scripting more difficult
in the current version.

-Matthew

On Mon, Dec 7, 2009 at 11:39 AM, Charles Hedrick <hedrick at rutgers.edu> wrote:

>
> On Dec 7, 2009, at 11:30:51 AM, Seth Theriault wrote:
>
> > Charles Hedrick wrote:
> >
> >> We can't deploy a copy where uploads don't work.
> >
> > Well, we are already doing this since 5.5.26 is the "recommended"
> > version noted on the release page:
> >
> > http://source.sakaiproject.org/release/2.6.1/
> >
> > and that is shipping in the demo.
> >
> > Is it possible for you to test 5.5.28? Would you like me to
> > install it on qa2-us?
>
> Sure. It just takes a few minutes to reproduce. This one is from Mac OS, so
> it doesn't require SSL. I'm not sure quite how to handle this. I consider it
> a blocker, but it looks like the problem is Tomcat, not Sakai.
>
> One thing I found is that the patches were done in Tomcat 6, and
> retrofitted to 5.5. The piece that actually matters for Sakai seems not to
> have made it back into 5.5. But I've tried inserting the patch and it
> doesn't fix it.
>
> >
> > Seth
> >