https://issues.apache.org/bugzilla/show_bug.cgi?id=57465
--- Comment #5 from brian.m.pick...@gmail.com --- (In reply to Mark Thomas from comment #4) > Again, which of those do you think apply to tc-native? Just because OpenSSL > has a vulnerability that does not mean that tc-native automatically has the > vulnerability. I admit most of those CVEs effect the ssl3_get_key_exchange function, which I believe ssl3 is switched off in tcnative by default and is known to be an insecure protocol. And I do not know if DTLS is a protocol supported by tomcat native. However the reported ability to defeat the certificate blacklist does seems somewhat problematic as reported in CVE-2014-8275. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org