Arlo,

On 4/8/14, 4:36 PM, Arlo White wrote:
> What would the Tomcat code change be?

No code changes, even at the tcnative level. It just requires a re-link (remember, it's statically-linked on win32) with a safe OpenSSL build.

> I suppose it'd be nice if Tomcat refused to boot and logged an
> ERROR with a vulnerable SSL version? Is that what you were
> thinking?

While this sounds like a good idea in theory, it can fail in practice. For example, I have an updated Debian 7 system:

$ openssl version
OpenSSL 1.0.1e 11 Feb 2013

But when I run http://filippo.io/Heartbleed against it, it says that I am protected. That's likely due to a recent Debian-only patch against 1.0.1e:

http://www.debian.org/security/2014/dsa-2896

So this means that Debian's OpenSSL version, which will report 1.0.1e, is safe, so rejecting it based upon version number is not appropriate.

-chris