On 8.4.2014 18:48, Arlo White wrote:
Are Apache Tomcat servers using Tomcat Native & APR vulnerable to the
HeartBleed OpenSSL bug, or does this layer insulate them?
http://heartbleed.com/
They are vulnerable. There is no layer to insulate.
You may test with:
http://filippo.io/Heartbleed/
I tested with Tomcat 8.0.5 with tcnative 1.1.29, which includes OpenSSL
1.0.1e, on Windows 7 64-bit, and it confirms the vulnerability.
JSSE Connectors are not vulnerables so, one possible workaround is to
swich to NIO or BIO connector until patched version of tcnative is
available.
-Ognjen
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
