[OT] HeartBleed bug

2014-04-09 Thread André Warnier
I wonder if I may ask this list-OT question to the SSH experts on the list : I run some 25 webservers (Apache httpd-only, Tomcat-only, or Apache httpd + Tomcat). I do not use HTTPS on any of them. But I use SSH (OpenSSH) to connect to them over the Internet for support purposes, with

Re: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-09 Thread Ognjen Blagojevic
Chris, On 9.4.2014 7:22, Christopher Schultz wrote: -1 Switching to JSSE only stops the hemorrhaging. You should consider all your server keys compromised if OpenSSL 1.0.1 was used (prior to g patch level). If you switch to JSSE, your key may already have been compromised, so the switch does

tomcat 6.0.32 with myfaces 1.2.2

2014-04-09 Thread Dariusz Wawer
I have been using tomcat 6.0.18 with myfaces 1.2.2 and it works well. I now have to upgrade to tomcat 6.0.32 and the application fails to work. The error is strange - there is no exception, no problem visible in logs, seems like the data from input fields is just not submitted. It is probably

Re: [OT] HeartBleed bug

2014-04-09 Thread Ognjen Blagojevic
André, On 9.4.2014 9:49, André Warnier wrote: I wonder if I may ask this list-OT question to the SSH experts on the list : I run some 25 webservers (Apache httpd-only, Tomcat-only, or Apache httpd + Tomcat). I do not use HTTPS on any of them. But I use SSH (OpenSSH) to connect to them over the

Re: Fwd: Unable to start tomcat as a service.

2014-04-09 Thread akshay jain
Hey, I just modified service.bat to set the JRE_HOME. It is working really well now. Thanks for the help. Akshay Jain

Re: [OT] HeartBleed bug

2014-04-09 Thread André Warnier
Ognjen Blagojevic wrote: André, On 9.4.2014 9:49, André Warnier wrote: I wonder if I may ask this list-OT question to the SSH experts on the list : I run some 25 webservers (Apache httpd-only, Tomcat-only, or Apache httpd + Tomcat). I do not use HTTPS on any of them. But I use SSH (OpenSSH)

Re: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-09 Thread Christopher Schultz
Ognjen, On 4/9/14, 3:16 AM, Ognjen Blagojevic wrote: Chris, On 9.4.2014 7:22, Christopher Schultz wrote: -1 Switching to JSSE only stops the hemorrhaging. You should consider all your server keys compromised if OpenSSL 1.0.1 was used

Re: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-09 Thread Christopher Schultz
Arlo, On 4/8/14, 4:36 PM, Arlo White wrote: What would the Tomcat code change be? No code changes, even at the tcnative level. It just requires a re-link (remember, it's statically-linked on win32) with a safe OpenSSL build. I suppose it'd be

Re: [OT] HeartBleed bug

2014-04-09 Thread Christopher Schultz
Ognjen, On 4/9/14, 3:30 AM, Ognjen Blagojevic wrote: On 9.4.2014 9:49, André Warnier wrote: I wonder if I may ask this list-OT question to the SSH experts on the list : I run some 25 webservers (Apache httpd-only, Tomcat-only, or Apache

Re: [OT] HeartBleed bug

2014-04-09 Thread Robert Klemme
On Wed, Apr 9, 2014 at 2:53 PM, Christopher Schultz ch...@christopherschultz.net wrote: Ognjen, On 4/9/14, 3:30 AM, Ognjen Blagojevic wrote: On 9.4.2014 9:49, André Warnier wrote: I wonder if I may ask this list-OT question to the SSH experts

Re: [OT] HeartBleed bug

2014-04-09 Thread Ognjen Blagojevic
Chris, On 9.4.2014 14:53, Christopher Schultz wrote: My recommendation would be to treat everything OpenSSL touches as tainted and re-key anyway. [I will assume we are talking about OpenSSH implementation.] That depends on the definition of what OpenSSL touches. OpenSSL consists of two

RE: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-09 Thread Jeffrey Janner
-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, April 09, 2014 12:25 AM To: Tomcat Users List Subject: Re: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native? Arlo, On 4/8/14, 5:36 PM, Arlo

RE: Windows tcnative openssl ciphers question

2014-04-09 Thread Jeffrey Janner
-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Tuesday, April 08, 2014 6:27 PM To: Tomcat Users List Subject: Re: Windows tcnative openssl ciphers question Jeffrey, On 4/7/14, 4:07 PM,

How can I tell which version of OpenSSL is being used with tomcat?

2014-04-09 Thread Andrew Russell
If I installed tomcat on windows using the service installer, how can I know which version of openssl was used?

Re: How can I tell which version of OpenSSL is being used with tomcat?

2014-04-09 Thread James H. H. Lampert
On 4/9/14 10:01 AM, Andrew Russell wrote: If I installed tomcat on windows using the service installer, how can I know which version of openssl was used? All I know is that if you're using a Java keystore and Keytool (or KeyStore Explorer) to set it up and maintain it, you're most likely not

Re: How can I tell which version of OpenSSL is being used with tomcat?

2014-04-09 Thread Andrew Russell
On Wed, Apr 9, 2014 at 12:13 PM, James H. H. Lampert jam...@touchtonecorp.com wrote: On 4/9/14 10:01 AM, Andrew Russell wrote: If I installed tomcat on windows using the service installer, how can I know which version of openssl was used? All I know is that if you're using a Java keystore

Re: How can I tell which version of OpenSSL is being used with tomcat?

2014-04-09 Thread James H. H. Lampert
On 4/9/14 10:17 AM, Andrew Russell wrote: Thank you for the quick response! It's a mixed bag, some are java keystores and some are pfx files. So I'm only using OpenSSL if it's marked as such in the configuration file? All I know is JSSE, myself. From our own server.xml, running with

RE: How can I tell which version of OpenSSL is being used with tomcat?

2014-04-09 Thread Jeffrey Janner
-Original Message- From: Andrew Russell [mailto:andrew.russ...@gmail.com] Sent: Wednesday, April 09, 2014 12:02 PM To: users@tomcat.apache.org Subject: How can I tell which version of OpenSSL is being used with tomcat? If I installed tomcat on windows using the service installer,

Temporary mitigation of Heartbleed?

2014-04-09 Thread Jeffrey Janner
Much as I loathe downgrading, would it be possible/advisable to downgrade the native libraries to 1.1.23 with Tomcat 7.0.50? That version is the last to use a pre-1.0.1 version of OpenSSL (1.0.0g). This could help us at least until we get a blessed version from the APR team? Jeffrey Janner Sr.

Re: Bizarre getParameterMap() failure

2014-04-09 Thread Jess Holle
FYI, it would appear that this is a case of someone passing a ServletRequest object to another thread and invoking methods on it at just the wrong point in time so as to utterly corrupt a later request. Changing the code to make an appropriate copy of the ServletRequest object and pass that

Re: Bizarre getParameterMap() failure

2014-04-09 Thread André Warnier
Jess Holle wrote: FYI, it would appear that this is a case of someone passing a ServletRequest object to another thread and invoking methods on it at just the wrong point in time so as to utterly corrupt a later request. Changing the code to make an appropriate copy of the ServletRequest