tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: avoiding ssl vulnerabilities in tomcat
Date Wed, 12 Aug 2009 15:13:22 GMT
Hash: SHA1


(Strange... to me, your message looked like an attachment to the
security notice that would typically be put at the end of a message.
When I tried to reply to that, all the characters got all wonky. At
least coy-paste still works :)

On 8/12/2009 10:51 AM, Jeffrey Janner wrote:
> Just to clarify some things:  This CVE only applies to the default
> SSL connector functionality.  It doesn't apply to the APR/OpenSSL
> connector. Correct?

I would guess not, since APR uses openssl which has its own default set
of ciphers. On the other hand, Tomcat could override the default set of
ciphers when configuring APR at runtime.

I can't seem to find this bug listed in bugzilla for any version of
Tomcat, so I can't see which commit fixed it (and whether it included
connectors other than Coyote). I also looked at the release notes, but
they don't include a changelog. The changelog itself for Tomcat 5.5 does
not contain the text "1858". The only thing I can find in the changelog
is this note under 5.5.17 which is listed as a fix without a bug number:

Make the default cipher suites available for SSL the same as the set of
cipher suites enabled by default rather than the set of all cipher
suites. This prevents ciphers suites that do not provide confidentiality
protection and/or server authentication being used by default. (markt)

Tomcat 6.0 does not appear to suffer from this vulnerability, and there
does not appear to be a changelog for Tomcat 4 (at least not easily
accessible from the web site).

Fortunately, GI/M/F:

...though I can't find anything in there :(

- -chris
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message