[WG: Sakai QA] [WG: Security] Recent Tomcat 5.5 security fixes

Berg, A.M. A.M.Berg at uva.nl
Thu Jan 14 00:51:25 PST 2010


Hi all,

qa1-nl now has a self-signed certificate of very dubious quality running. I will add a comment in Confluence. Matthew is right: we need to make sure that we have as consistent a range of options for QA testing as possible.

I believe that it would be straightforward to create a Maven goal that generates a self-signed certificate so that it can be done as part of the build process. I will look further.

Alan

Alan Berg
Interim QA Director - The Sakai Foundation

Senior Developer / Quality Assurance
Group Education and Research Services
Central Computer Services
University of Amsterdam

http://home.uva.nl/a.m.berg




-----Original Message-----
From: jonespm at gmail.com on behalf of Matthew Jones
Sent: Wed 1/13/2010 22:55
To: Sakai QA
Cc: Berg, A.M.
Subject: Re: [WG: Security] Recent Tomcat 5.5 security fixes
 
I believe that, as you've noticed, SSL can make a difference when testing
webdav. Most production instances have SSL enabled but none of the QA
servers do. I'd mentioned this to someone (Pete?) a while ago and don't know
if anything happened to it. Minimally we should have at least 1 QA with an
SSL cert so that we can test this. I think they're around $20 a year.
Ideally we would get a wildcard for *.sakaiproject.org and get them all
secured, but these are around $150/year.

Self-signed certs are also an option but that might be more time than it's
worth. Testers testing it on dav typically would need to add the authority
to their trust on Windows and it can make selenium scripting more difficult
in the current version.

-Matthew

On Mon, Dec 7, 2009 at 11:39 AM, Charles Hedrick <hedrick at rutgers.edu> wrote:

>
> On Dec 7, 2009, at 11:30:51 AM, Seth Theriault wrote:
>
> > Charles Hedrick wrote:
> >
> >> We can't deploy a copy where uploads don't work.
> >
> > Well, we are already doing this since 5.5.26 is the "recommended"
> > version noted on the release page:
> >
> > http://source.sakaiproject.org/release/2.6.1/
> >
> > and that is shipping in the demo.
> >
> > Is it possible for you to test 5.5.28? Would you like me to
> > install it on qa2-us?
>
> Sure. It just takes a few minutes to reproduce. This one is from Mac OS, so
> it doesn't require SSL. I'm not sure quite how to handle this. I consider it
> a blocker, but it looks like the problem is Tomcat, not Sakai.
>
> One thing I found is that the patches were done in Tomcat 6, and
> retrofitted to 5.5. The piece that actually matters for Sakai seems not to
> have made it back into 5.5. But I've tried inserting the patch and it
> doesn't fix it.
>
> >
> > Seth
> >
