tomcat-users mailing list archives

From Arlo White <awh...@calpoly.edu>
Subject Re: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?
Date Tue, 08 Apr 2014 22:36:02 GMT
What would the Tomcat code change be?

I suppose it'd be nice if Tomcat refused to boot and logged an ERROR 
with a vulnerable SSL version? Is that what you were thinking?

On 04/08/2014 03:13 PM, Jeffrey Janner wrote:
> Ognjen,
> Has anyone entered a bugzilla request for this one?
> Jeff
>
>> -----Original Message-----
>> From: Ognjen Blagojevic [mailto:ognjen.d.blagojevic@gmail.com]
>> Sent: Tuesday, April 08, 2014 3:02 PM
>> To: Tomcat Users List
>> Subject: Re: Does the HeartBleed vulnerability affect Apache Tomcat
>> servers using Tomcat Native?
>>
>> On 8.4.2014 18:48, Arlo White wrote:
>>> Are Apache Tomcat servers using Tomcat Native & APR vulnerable to the
>>> HeartBleed OpenSSL bug, or does this layer insulate them?
>>> http://heartbleed.com/
>> They are vulnerable. There is no layer to insulate.
>>
>> You may test with:
>>
>>     http://filippo.io/Heartbleed/
>>
>> I tested with Tomcat 8.0.5 with tcnative 1.1.29, which includes OpenSSL
>> 1.0.1e, on Windows 7 64-bit, and it confirms the vulnerability.
>>
>> JSSE Connectors are not vulnerable, so one possible workaround is to
>> switch to the NIO or BIO connector until a patched version of tcnative is
>> available.
>>
>> -Ognjen
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>
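
The startup check asked about at the top of this message, combined with the APR/JSSE distinction in the quoted reply, as an added example (not code from the thread or from Tomcat). The function names, the log line format and the affected range (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g, plus 1.0.2-beta and 1.0.2-beta1) are assumptions not stated in the thread.

```python
import re
import xml.etree.ElementTree as ET

APR = "org.apache.coyote.http11.Http11AprProtocol"
AUTO = "HTTP/1.1"  # auto-select: uses APR when the native library is loaded
_VER = re.compile(r"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(-beta\d*)?")

def heartbleed_affected(banner):
    """True for OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta/-beta1."""
    m = _VER.search(banner)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % banner)
    base, letter, beta = m.groups()
    if base == "1.0.2":
        return beta in ("-beta", "-beta1")
    return base == "1.0.1" and letter < "g"  # 1.0.1g is the fixed release

def exposed_connectors(server_xml, banner, native_loaded=True):
    """Ports of TLS connectors that hand TLS to an affected OpenSSL via APR."""
    if not heartbleed_affected(banner):
        return []
    ports = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # no TLS on this connector
        proto = conn.get("protocol", AUTO)
        if proto == APR or (proto == AUTO and native_loaded):
            ports.append(int(conn.get("port")))
    return ports  # JSSE (NIO/BIO) TLS connectors are never listed

# Constructed sample input, not taken from the thread.
SAMPLE_LOG = "INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)"
SAMPLE_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" protocol="org.apache.coyote.http11.Http11AprProtocol"/>
  <Connector port="9443" SSLEnabled="true" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
</Service></Server>"""

if __name__ == "__main__":
    for port in exposed_connectors(SAMPLE_XML, SAMPLE_LOG):
        print("ERROR: TLS connector on port %d uses an affected OpenSSL" % port)
```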

