What would the Tomcat code change be?
I suppose it'd be nice if Tomcat refused to boot and logged an ERROR
with a vulnerable SSL version? Is that what you were thinking?
On 04/08/2014 03:13 PM, Jeffrey Janner wrote:
Ognjen,
Has anyone entered a bugzilla request for this one?
Jeff
-----Original Message-----
From: Ognjen Blagojevic [mailto:ognjen.d.blagoje...@gmail.com]
Sent: Tuesday, April 08, 2014 3:02 PM
To: Tomcat Users List
Subject: Re: Does the HeartBleed vulnerability affect Apache Tomcat
servers using Tomcat Native?
On 8.4.2014 18:48, Arlo White wrote:
Are Apache Tomcat servers using Tomcat Native & APR vulnerable to the
HeartBleed OpenSSL bug, or does this layer insulate them?
http://heartbleed.com/
They are vulnerable. There is no layer to insulate.
You may test with:
http://filippo.io/Heartbleed/
I tested with Tomcat 8.0.5 with tcnative 1.1.29, which includes OpenSSL
1.0.1e, on Windows 7 64-bit, and it confirms the vulnerability.
JSSE Connectors are not vulnerable, so one possible workaround is to
switch to the NIO or BIO connector until a patched version of tcnative is
available.
-Ognjen
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
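An added example, not part of the original thread or of Tomcat itself: a Python check that reads a `server.xml` and sorts its TLS-enabled connectors into APR (TLS handled by OpenSSL through tcnative, the case tested above) and the JSSE NIO/BIO connectors suggested as the workaround. The sample `server.xml`, its ports and file paths, and the function name `audit_connectors` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

APR = "org.apache.coyote.http11.Http11AprProtocol"
JSSE = {"org.apache.coyote.http11.Http11NioProtocol",   # NIO
        "org.apache.coyote.http11.Http11Protocol"}      # BIO

# Constructed sample server.xml (ports and file paths are made up).
SAMPLE = """<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" SSLCertificateFile="conf/example.crt"
               SSLCertificateKeyFile="conf/example.key"/>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/example.jks"/>
    <Connector port="10443" protocol="HTTP/1.1" SSLEnabled="true"/>
  </Service>
</Server>"""

def audit_connectors(server_xml):
    """Return [(port, verdict)] for each TLS-enabled <Connector>."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connector: no TLS stack involved
        proto = conn.get("protocol", "HTTP/1.1")  # Tomcat's default when omitted
        if proto == APR:
            verdict = "apr"      # TLS terminated by OpenSSL inside tcnative
        elif proto in JSSE:
            verdict = "jsse"     # TLS terminated by the JVM, not OpenSSL
        elif proto == "HTTP/1.1":
            verdict = "auto"     # resolves to APR if the native library loads
        else:
            verdict = "unknown"  # custom or unrecognised protocol: review by hand
        findings.append((conn.get("port"), verdict))
    return findings

if __name__ == "__main__":
    for port, verdict in audit_connectors(SAMPLE):
        print(port, verdict)
```

Connectors reported as `apr` or `auto` are the ones to switch to NIO/BIO, or to re-test once a patched tcnative is installed.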