Re: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-10 Thread Christopher Schultz

David,

On 4/10/14, 10:39 AM, David Landis wrote:
> On Wed, Apr 9, 2014 at 1:24 AM, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
>> 
>> 
>>> (Checked http://filippo.io/Heartbleed before and after) I built
>>> APR and Tomcat Native from source on the server, so I assume
>>> it's doing dynamic library loading.
>>> 
>>> Is the binary build statically linked? Otherwise, I'm not sure
>>> it's necessary to redo the builds.
>> 
>> The ASF only provides binaries for win32, and yes, they are 
>> statically-linked. Users without the expertise to build their
>> own tcnative binary will have to wait for the tcnative team to
>> roll a new release.
>> 
> 
> 
> What about for Linux? If you originally compiled libtcnative with
> an older OpenSSL, is it sufficient to simply upgrade that OpenSSL,
> or does the libtcnative need to be recompiled? Thanks.

Most people use dynamically-linked libraries in Linux (or everywhere
for that matter... the static-linked win32 library is done for
particular reasons). So simply upgrading OpenSSL on Linux will usually
take care of everything. If you happened to build tcnative yourself
and did so with static-linking against OpenSSL, then you'll have to
re-build.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
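Added example for Chris's two points above (static vs. dynamic linking of OpenSSL into tcnative, and not trusting the OpenSSL version number because Debian backported the fix into 1.0.1e); this is not code from the thread or from the Tomcat project. It classifies how a libtcnative-1.so links OpenSSL from the output of ldd and nm -D and reads the embedded version string as a hint only; the tool outputs inside the block are constructed samples, not captured from a real server.

```shell
#!/bin/sh
# Decide how a libtcnative-1.so build links OpenSSL, from the text of
# `ldd libtcnative-1.so` ($1) and `nm -D libtcnative-1.so` ($2):
#   dynamic - libssl/libcrypto are runtime dependencies: upgrading the
#             system OpenSSL and restarting Tomcat replaces the code;
#             then re-key and get a new certificate
#   static  - OpenSSL code is inside the .so (SSL_*/CRYPTO_* symbols are
#             defined, type T, instead of imported, type U): rebuild
#             tcnative against a fixed OpenSSL, then re-key
#   none    - neither signal present (built without SSL, or symbols hidden)
classify_tcnative_linkage() {
    ldd_out="$1"
    nm_out="$2"
    if printf '%s\n' "$ldd_out" | grep -Eq 'lib(ssl|crypto)\.so'; then
        echo dynamic
    elif printf '%s\n' "$nm_out" | grep -Eq ' T (SSL|CRYPTO)_'; then
        echo static
    else
        echo none
    fi
}

# Extract the OpenSSL version text embedded in the library (from `strings`).
# Treat it only as a hint: a distribution may backport the fix without
# changing this string, so it proves neither vulnerability nor safety.
embedded_openssl_version() {
    printf '%s\n' "$1" | grep -o 'OpenSSL 1\.[0-9]\.[0-9][a-z]*' | head -n 1
}

# Constructed sample tool outputs (not captured from a real server).
SAMPLE_LDD_DYNAMIC='libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f11)
libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f12)
libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0x00007f13)'
SAMPLE_NM_DYNAMIC='                 U SSL_CTX_new
                 U SSL_library_init'
SAMPLE_LDD_STATIC='libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0x00007f13)'
SAMPLE_NM_STATIC='0000000000052b40 T SSL_CTX_new
00000000000531a0 T SSL_library_init'
SAMPLE_STRINGS_STATIC='OpenSSL 1.0.1e 11 Feb 2013'

# Run against a real library: sh check_tcnative.sh /path/to/libtcnative-1.so
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    classify_tcnative_linkage "$(ldd "$1" 2>/dev/null || true)" \
                              "$(nm -D "$1" 2>/dev/null || true)"
    embedded_openssl_version "$(strings "$1")"
fi
```

On Windows the ASF binary is statically linked by construction, as Chris says, so the rebuild or new-release path applies there without running this check.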



Re: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-10 Thread David Landis
On Wed, Apr 9, 2014 at 1:24 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:
>
>
> > (Checked http://filippo.io/Heartbleed before and after) I built APR
> > and Tomcat Native from source on the server, so I assume it's doing
> > dynamic library loading.
> >
> > Is the binary build statically linked? Otherwise, I'm not sure it's
> > necessary to redo the builds.
>
> The ASF only provides binaries for win32, and yes, they are
> statically-linked. Users without the expertise to build their own
> tcnative binary will have to wait for the tcnative team to roll a new
> release.
>


What about for Linux? If you originally compiled libtcnative with an older
OpenSSL, is it sufficient to simply upgrade that OpenSSL, or does the
libtcnative need to be recompiled? Thanks.


RE: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-09 Thread Jeffrey Janner
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, April 09, 2014 12:25 AM
> To: Tomcat Users List
> Subject: Re: Does the HeartBleed vulnerability affect Apache Tomcat
> servers using Tomcat Native?
> 
> 
> Arlo,
> 
> On 4/8/14, 5:36 PM, Arlo White wrote:
> > After updating OpenSSL I simply restarted Tomcat to eliminate the
> > vulnerability.
> 
> -1
> 
> You must re-key your server, and get a new cert from your CA. You have
> stopped the bleeding but your key should still be considered
> compromised.
> 
> > (Checked http://filippo.io/Heartbleed before and after) I built APR
> > and Tomcat Native from source on the server, so I assume it's doing
> > dynamic library loading.
> >
> > Is the binary build statically linked? Otherwise, I'm not sure it's
> > necessary to redo the builds.
> 
> The ASF only provides binaries for win32, and yes, they are statically-
> linked. Users without the expertise to build their own tcnative binary
> will have to wait for the tcnative team to roll a new release.
> 
> -chris
Just to clarify what Chris is saying, ASF provides statically-linked binaries 
for Windows in zip files with the string "win32" in the name.  The zip file 
actually contains versions for both x86 and x64 versions of Windows.
And yes, some of us don't have the expertise and/or tools to build the library 
ourselves under Windows.
Jeff


Re: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-09 Thread Christopher Schultz

Arlo,

On 4/8/14, 4:36 PM, Arlo White wrote:
> What would the Tomcat code change be?

No code changes, even at the tcnative level. It just requires a
re-link (remember, it's statically-linked on win32) with a safe
OpenSSL build.

> I suppose it'd be nice if Tomcat refused to boot and logged an
> ERROR with a vulnerable SSL version? Is that what you were
> thinking?

While this sounds like a good idea in theory, it can fail in practice.
For example, I have an updated Debian 7 system:

$ openssl version
OpenSSL 1.0.1e 11 Feb 2013

But when I run http://filippo.io/Heartbleed against it, it says that I
am protected. That's likely due to a recent Debian-only patch against
1.0.1e: http://www.debian.org/security/2014/dsa-2896

So this means that Debian's OpenSSL version, which will report 1.0.1e,
is safe, so rejecting it based upon version number is not appropriate.

-chris



Re: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-09 Thread Christopher Schultz

Ognjen,

On 4/9/14, 3:16 AM, Ognjen Blagojevic wrote:
> Chris,
> 
> On 9.4.2014 7:22, Christopher Schultz wrote:
>> -1
>> 
>> Switching to JSSE only stops the hemorrhaging. You should 
>> consider all your server keys compromised if OpenSSL 1.0.1 was 
>> used (prior to "g" patch level). If you switch to JSSE, your key 
>> may already have been compromised, so the switch does not
>> protect you.
>> 
>> If you were lucky enough to have been ignored by Internet 
>> miscreants, then switching will protect you, but it's a bad bet. 
>> The better bet is to upgrade ASAP to a 1.0.1g version of OpenSSL 
>> and then re-key everything.
>> 
>> Then change all your passwords. :(
> 
> I agree. What I was supposed to say is: After you revoke 
> certificates, and reissue a new one, you may switch to JSSE 
> connector, and then, wait for patched version of tcnative dll. 
> Thank you for pointing that out.

Yup. Technically, it should only require a re-link, since none of the
tcnative code should actually need a change. However, it's probably
best to bump the version number to avoid too much confusion.

Mladen is working on it right now. We'll see what action he chooses to
take. I hope he builds a new version from current 1.1 branch, 'cause I
want some new features available ;)

-chris



Re: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-09 Thread Ognjen Blagojevic

Chris,

On 9.4.2014 7:22, Christopher Schultz wrote:

-1

Switching to JSSE only stops the hemorrhaging. You should consider all
your server keys compromised if OpenSSL 1.0.1 was used (prior to "g"
patch level). If you switch to JSSE, your key may already have been
compromised, so the switch does not protect you.

If you were lucky enough to have been ignored by Internet miscreants,
then switching will protect you, but it's a bad bet. The better bet is
to upgrade ASAP to a 1.0.1g version of OpenSSL and then re-key everything.

Then change all your passwords. :(


I agree. What I was supposed to say is: After you revoke certificates, 
and reissue a new one, you may switch to JSSE connector, and then, wait 
for patched version of tcnative dll. Thank you for pointing that out.


-Ognjen




Re: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-08 Thread Christopher Schultz

Arlo,

On 4/8/14, 5:36 PM, Arlo White wrote:
> After updating OpenSSL I simply restarted Tomcat to eliminate the 
> vulnerability.

-1

You must re-key your server, and get a new cert from your CA. You have
stopped the bleeding but your key should still be considered compromised.

> (Checked http://filippo.io/Heartbleed before and after) I built APR
> and Tomcat Native from source on the server, so I assume it's doing
> dynamic library loading.
> 
> Is the binary build statically linked? Otherwise, I'm not sure it's
> necessary to redo the builds.

The ASF only provides binaries for win32, and yes, they are
statically-linked. Users without the expertise to build their own
tcnative binary will have to wait for the tcnative team to roll a new
release.

-chris

> On 04/08/2014 03:30 PM, Jeffrey Janner wrote:
>>> -Original Message- From: Jeffrey Janner
>>> [mailto:jeffrey.jan...@polydyne.com] Sent: Tuesday, April 08,
>>> 2014 5:14 PM To: 'Tomcat Users List' Subject: RE: Does the
>>> HeartBleed vulnerability affect Apache Tomcat servers using
>>> Tomcat Native?
>>> 
>>> Ognjen, Has anyone entered a bugzilla request for this one? 
>>> Jeff
>>> 
>> Answering myself: 
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 Might I
>> suggest folks please go vote this one up big time!
>> 



Re: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-08 Thread Christopher Schultz

Ognjen,

On 4/8/14, 2:02 PM, Ognjen Blagojevic wrote:
> On 8.4.2014 18:48, Arlo White wrote:
>> Are Apache Tomcat servers using Tomcat Native & APR vulnerable to
>> the HeartBleed OpenSSL bug, or does this layer insulate them? 
>> http://heartbleed.com/
> 
> They are vulnerable. There is no layer to insulate.
> 
> You may test with:
> 
> http://filippo.io/Heartbleed/
> 
> I tested with Tomcat 8.0.5 with tcnative 1.1.29, which includes
> OpenSSL 1.0.1e, on Windows 7 64-bit, and it confirms the
> vulnerability.
> 
> JSSE Connectors are not vulnerable, so one possible workaround is
> to switch to the NIO or BIO connector until a patched version of
> tcnative is available.

-1

Switching to JSSE only stops the hemorrhaging. You should consider all
your server keys compromised if OpenSSL 1.0.1 was used (prior to "g"
patch level). If you switch to JSSE, your key may already have been
compromised, so the switch does not protect you.

If you were lucky enough to have been ignored by Internet miscreants,
then switching will protect you, but it's a bad bet. The better bet is
to upgrade ASAP to a 1.0.1g version of OpenSSL and then re-key everything.

Then change all your passwords. :(

-chris



Re: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-08 Thread Arlo White
After updating OpenSSL I simply restarted Tomcat to eliminate the 
vulnerability. (Checked http://filippo.io/Heartbleed before and after)
I built APR and Tomcat Native from source on the server, so I assume 
it's doing dynamic library loading.


Is the binary build statically linked? Otherwise, I'm not sure it's
necessary to redo the builds.


On 04/08/2014 03:30 PM, Jeffrey Janner wrote:

-Original Message-
From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
Sent: Tuesday, April 08, 2014 5:14 PM
To: 'Tomcat Users List'
Subject: RE: Does the HeartBleed vulnerability affect Apache Tomcat
servers using Tomcat Native?

Ognjen,
Has anyone entered a bugzilla request for this one?
Jeff


Answering myself:
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363
Might I suggest folks please go vote this one up big time!




Re: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-08 Thread Arlo White

What would the Tomcat code change be?

I suppose it'd be nice if Tomcat refused to boot and logged an ERROR 
with a vulnerable SSL version? Is that what you were thinking?


On 04/08/2014 03:13 PM, Jeffrey Janner wrote:

Ognjen,
Has anyone entered a bugzilla request for this one?
Jeff


-Original Message-
From: Ognjen Blagojevic [mailto:ognjen.d.blagoje...@gmail.com]
Sent: Tuesday, April 08, 2014 3:02 PM
To: Tomcat Users List
Subject: Re: Does the HeartBleed vulnerability affect Apache Tomcat
servers using Tomcat Native?

On 8.4.2014 18:48, Arlo White wrote:

Are Apache Tomcat servers using Tomcat Native & APR vulnerable to the
HeartBleed OpenSSL bug, or does this layer insulate them?
http://heartbleed.com/

They are vulnerable. There is no layer to insulate.

You may test with:

http://filippo.io/Heartbleed/

I tested with Tomcat 8.0.5 with tcnative 1.1.29, which includes OpenSSL
1.0.1e, on Windows 7 64-bit, and it confirms the vulnerability.

JSSE Connectors are not vulnerable, so one possible workaround is to
switch to the NIO or BIO connector until a patched version of tcnative is
available.

-Ognjen




RE: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-08 Thread Jeffrey Janner
> -Original Message-
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Sent: Tuesday, April 08, 2014 5:14 PM
> To: 'Tomcat Users List'
> Subject: RE: Does the HeartBleed vulnerability affect Apache Tomcat
> servers using Tomcat Native?
> 
> Ognjen,
> Has anyone entered a bugzilla request for this one?
> Jeff
> 
Answering myself:
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363
Might I suggest folks please go vote this one up big time!


RE: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-08 Thread Jeffrey Janner
Ognjen,
Has anyone entered a bugzilla request for this one?
Jeff

> -Original Message-
> From: Ognjen Blagojevic [mailto:ognjen.d.blagoje...@gmail.com]
> Sent: Tuesday, April 08, 2014 3:02 PM
> To: Tomcat Users List
> Subject: Re: Does the HeartBleed vulnerability affect Apache Tomcat
> servers using Tomcat Native?
> 
> On 8.4.2014 18:48, Arlo White wrote:
> > Are Apache Tomcat servers using Tomcat Native & APR vulnerable to the
> > HeartBleed OpenSSL bug, or does this layer insulate them?
> > http://heartbleed.com/
> 
> They are vulnerable. There is no layer to insulate.
> 
> You may test with:
> 
>http://filippo.io/Heartbleed/
> 
> I tested with Tomcat 8.0.5 with tcnative 1.1.29, which includes OpenSSL
> 1.0.1e, on Windows 7 64-bit, and it confirms the vulnerability.
> 
> JSSE Connectors are not vulnerable, so one possible workaround is to
> switch to the NIO or BIO connector until a patched version of tcnative is
> available.
> 
> -Ognjen
> 



Re: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-08 Thread Ognjen Blagojevic

On 8.4.2014 18:48, Arlo White wrote:

Are Apache Tomcat servers using Tomcat Native & APR vulnerable to the
HeartBleed OpenSSL bug, or does this layer insulate them?
http://heartbleed.com/


They are vulnerable. There is no layer to insulate.

You may test with:

  http://filippo.io/Heartbleed/

I tested with Tomcat 8.0.5 with tcnative 1.1.29, which includes OpenSSL 
1.0.1e, on Windows 7 64-bit, and it confirms the vulnerability.


JSSE Connectors are not vulnerable, so one possible workaround is to
switch to the NIO or BIO connector until a patched version of tcnative is
available.


-Ognjen
