tomcat-users mailing list archives

From "Jeffrey Janner" <>
Subject RE: avoiding ssl vulnerabilities in tomcat
Date Wed, 12 Aug 2009 15:22:33 GMT
Chris -
(I just did a reply in Outlook and this is how it got packaged. Didn't look that way to me,
but got it that way on the send-back.  Either Exchange or my email filter - which adds the
confidentiality footer - did this.)

I figured it was only with the regular.  Just wanted a clarification in case some folks were
thinking it applied to the native libraries (APR). I've noticed a lot of folks confuse the
two on this list.

Also it was a slight prompt to the original poster that perhaps he should install the native
libraries when he does finally go to 6.x.  IIRC, they are not available to 4.x.

-----Original Message-----
From: Christopher Schultz [] 


(Strange... to me, your message looked like an attachment to the
security notice that would typically be put at the end of a message.
When I tried to reply to that, all the characters got all wonky. At
least copy-paste still works :)

On 8/12/2009 10:51 AM, Jeffrey Janner wrote:
> Just to clarify some things:  This CVE only applies to the default
> SSL connector functionality.  It doesn't apply to the APR/OpenSSL
> connector. Correct?

I would guess not, since APR uses openssl which has its own default set
of ciphers. On the other hand, Tomcat could override the default set of
ciphers when configuring APR at runtime.
