OWASP / www-project-csrfguard

The aim of this project is to protect Java applications against CSRF attacks with the use of Synchronizer Tokens
https://owasp.org/www-project-csrfguard/
BSD 3-Clause "New" or "Revised" License

JDK version and TLS protocol errors and solutions #7

Closed mw866 closed 3 years ago

mw866 commented 4 years ago

Two errors when running mvn clean install and the solutions

Error 1: JDK 6 not supported

Error message:

$ java -version
java version "1.8.0_251"
Java(TM) SE Runtime Environment (build 1.8.0_251-b08)
Java HotSpot(TM) 64-Bit Server VM (build 25.251-b08, mixed mode)

$ mvn clean install
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  3.219 s
[INFO] Finished at: 2020-05-19T14:41:11+08:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.5.1:compile (default-compile) on project csrfguard: Compilation failure
[ERROR] Failure executing javac,  but could not parse the error:
[ERROR] warning: [options] bootstrap class path not set in conjunction with -source 6
[ERROR] error: Source option 6 is no longer supported. Use 7 or later.
[ERROR] error: Target option 6 is no longer supported. Use 7 or later.
[ERROR] 
[ERROR] 
[ERROR] -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

Solution: Use older JDK versions by setting JAVA_HOME environment variable.

export JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk1.7.0_80.jdk/Contents/Home

Error 2: TLS version

Error message:

$ java -version

javax.net.ssl.SSLException: Received fatal alert: protocol_version

Solution: Set TLS version to TLSv1.2

export JAVA_TOOL_OPTIONS="-Dhttps.protocols=TLSv1.2"

Explanation: https://stackoverflow.com/questions/16541627/javax-net-ssl-sslexception-received-fatal-alert-protocol-version
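
A preflight check for the two errors described in the post above, as an added example that is not part of the original issue or the CSRFGuard project: it reads the JDK that Maven itself reports in `mvn -version` (which can differ from the `java` on PATH) and flags a JDK whose javac rejects `-source 6` or whose HTTPS client does not enable TLSv1.2 by default. The function names, finding labels and JDK thresholds (12 and 7) are assumptions of this example, and the `mvn -version` sample is constructed.

```shell
#!/bin/sh
# Added example. JDK thresholds are assumptions based on public JDK
# behaviour (javac 12+ rejects -source 6; JDK 7 and older do not enable
# TLSv1.2 for clients by default), not values from the CSRFGuard project.

# "1.7.0_80" -> 7, "1.8.0_251" -> 8, "11.0.2" -> 11
java_major() {
    v=${1#1.}               # drop the legacy "1." prefix used up to Java 8
    echo "${v%%[!0-9]*}"    # keep only the leading digits
}

# Read `mvn -version` output on stdin, print the JDK version Maven runs on.
mvn_java_version() {
    sed -n 's/^Java version: \([^,]*\).*/\1/p'
}

# diagnose <jdk-version-string> <pom source level>
# Prints "ok" or a space-separated list of findings.
diagnose() {
    major=$(java_major "$1"); source_level=$2; findings=""
    if [ "$major" -ge 12 ] && [ "$source_level" -le 6 ]; then
        findings="source-unsupported"      # use an older JDK or raise -source
    fi
    if [ "$major" -le 7 ]; then
        findings="$findings tls-default-too-old"  # set -Dhttps.protocols=TLSv1.2
    fi
    echo "${findings:-ok}" | sed 's/^ //'
}

# Constructed sample of `mvn -version` output (not taken from the issue).
SAMPLE_MVN_OUTPUT='Apache Maven 3.6.3
Java version: 13.0.2, vendor: Oracle Corporation, runtime: /opt/jdk-13.0.2
Default locale: en_US, platform encoding: UTF-8'

# Offline demo; on a real machine use: mvn -version | mvn_java_version
demo() {
    jdk=$(printf '%s\n' "$SAMPLE_MVN_OUTPUT" | mvn_java_version)
    echo "maven-jdk=$jdk result=$(diagnose "$jdk" 6)"
}
demo
```
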

aramrami commented 4 years ago

Thanks for this issue. Could you create a push request?

forgedhallpass commented 4 years ago

@aramrami I've upgraded the Project Language Level to Java 1.8 in my pull requests. https://github.com/aramrami/OWASP-CSRFGuard/pull/129/

aramrami commented 4 years ago

May we need to create a new branch and assign a new version number? What do you think?

Azzeddine

forgedhallpass commented 4 years ago

This depends on the branching strategy you want on the project. You can create a new branch, which will be later on merged to the master, or you can create a release branch or tag the latest stable version and then we could use the master as the development branch. Working with a feature branch could lead to merging issues if others will work in a parallel branch as I've done quite a lot of refactoring in the project. I am working to fix some other issues I've identified and would like to create at least a minor release before the end of this month as I would like to use the new code base in some of my projects.

Please let me know what you have decided, so that I can continue pushing my changes in one way or another.

aramrami commented 4 years ago

I prefer to create a new branch for Java 8 because the project is used worldwide with Java 6 and 7. Could you help with that?

Azzeddine

-- Cordialement/Regards/Mit freundlichen Grüßen/Cordiali saluti/Saludos/تحية خالصة

Azzedine Ramrami

OWASP Morocco Chapter

OWASP AppSec Africa President

IBM Security - Senior Security & Network Architect Data & Application Security, Cognitive Security, IoT/OT/ICS/SCADA Security & SIEM Certified Mile2 CPTE/CPTC/CDFE/CSWAE and EC-Council C|EH OWASP Morocco Leader/OWASP AppSec Africa President IBM Security Global Speaker

OWASP RAF Project Leader

OWASP CSRFGuard Project Leader

Consider giving back, and supporting the open source community by becoming a member https://www.owasp.org/index.php/Membership or making a donation https://www.owasp.org/index.php/Donate today!

Join us at AppSec Morocco https://2018.appsecmorocco.org/


Phone: +33 1 58 75 18 17 | Mobile: +33 6 65 48 90 04 / +33 6 10 25 93 15 E-mail: azzedine.ramrami@fr.ibm.com azzeddine.ramrami@gmail.com Skype: azzeddine.ramrami

forgedhallpass commented 4 years ago

Java 6 and 7 have already reached their end of life. I don't think we should try to maintain backwards compatibility indefinitely. In my opinion the new releases should go forward by supporting newer technologies. Users can merge the fixes back to the latest version that supports Java 6, if they feel like it, or can remain on the last stable version.

Maintaining multiple versions in parallel is costly, and considering that there aren't too many contributors, I'd say there isn't capacity to do so either.

> Could you help with that?

I do not have the rights to create new branches. You have also told me previously to work on your repository instead, so I've created my pull requests there, but they should be approved.

aramrami commented 4 years ago

Hi, I can give the right if you want to help and join us for the version 4.0. What is the GitHub account?

Azzeddine

forgedhallpass commented 4 years ago

"forgedhallpass" is my GitHub account user name.

forgedhallpass commented 3 years ago

The source and target Java versions within the new code-base were upgraded to 1.8. This should solve your issue.

For maintaining compatibility with legacy applications the old 3.x version has been moved to a separate branch, but probably no active development will be done on it.