Ognjen,

On 4/8/14, 2:02 PM, Ognjen Blagojevic wrote:
> On 8.4.2014 18:48, Arlo White wrote:
>> Are Apache Tomcat servers using Tomcat Native & APR vulnerable to
>> the HeartBleed OpenSSL bug, or does this layer insulate them?
>> http://heartbleed.com/
>
> They are vulnerable. There is no layer to insulate.
>
> You may test with:
>
> http://filippo.io/Heartbleed/
>
> I tested with Tomcat 8.0.5 with tcnative 1.1.29, which includes
> OpenSSL 1.0.1e, on Windows 7 64-bit, and it confirms the
> vulnerability.
>
> JSSE Connectors are not vulnerable, so one possible workaround is
> to switch to the NIO or BIO connector until a patched version of tcnative
> is available.

-1

Switching to JSSE only stops the hemorrhaging. You should consider all your server keys compromised if OpenSSL 1.0.1 was used (prior to "g" patch level). If you switch to JSSE, your key may already have been compromised, so the switch does not protect you. If you were lucky enough to have been ignored by Internet miscreants, then switching will protect you, but it's a bad bet. The better bet is to upgrade ASAP to a 1.0.1g version of OpenSSL and then re-key everything. Then change all your passwords.

:(

-chris
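As an added example (not code from the thread or from the Tomcat project): a small Python triage helper that reads Tomcat startup-log lines, works out whether the TLS connector is APR/tcnative-backed and which OpenSSL it linked, and applies the thread's rule that 1.0.1 through 1.0.1f is affected while 1.0.1g carries the fix. It then lists the remediation Chris describes (upgrade, re-key, rotate passwords) rather than treating a connector switch as sufficient. The sample log lines are constructed; their wording approximates Tomcat 8.0.x AprLifecycleListener and protocol-handler INFO messages and is an assumption, as is the connector-name pattern `http-apr-<port>`.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, str]  # (major, minor, patch, letter), e.g. (1, 0, 1, "e")

# Constructed sample startup-log lines in the style of Tomcat's AprLifecycleListener
# and protocol-handler INFO messages (assumption: wording approximates Tomcat 8.0.x;
# these lines are not quoted from the thread). Versions mirror Ognjen's test setup.
SAMPLE_LOG_APR = """\
Apr 08, 2014 6:48:01 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.4.8.
Apr 08, 2014 6:48:01 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Apr 08, 2014 6:48:02 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8443"]
"""

# Constructed: the same server after switching the connector to NIO (JSSE).
SAMPLE_LOG_NIO = """\
Apr 08, 2014 7:10:00 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-nio-8443"]
"""

VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")
# Assumed connector naming: "http-apr-8443", "ajp-apr-8009" for APR-backed handlers.
APR_HANDLER_RE = re.compile(r'ProtocolHandler \["(?:http|ajp)-apr-\d+"\]')


def parse_openssl_version(text: str) -> Optional[Version]:
    """Return the first OpenSSL version string found in text as a tuple, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def _letter_rank(letter: str) -> Tuple[int, str]:
    # OpenSSL patch letters order as "" < "a" < ... < "z" < "za" < "zb" ...:
    # compare by length first, then lexicographically.
    return len(letter), letter


def is_heartbleed_affected(version: Version) -> bool:
    """True for OpenSSL 1.0.1 through 1.0.1f; 1.0.1g and later carry the fix."""
    major, minor, patch, letter = version
    if (major, minor, patch) != (1, 0, 1):
        return False
    return _letter_rank(letter) < _letter_rank("g")


def format_version(version: Version) -> str:
    major, minor, patch, letter = version
    return f"{major}.{minor}.{patch}{letter}"


def assess(log_text: str) -> Dict[str, object]:
    """Triage one Tomcat startup log: which TLS stack is in use and what follows."""
    uses_apr = APR_HANDLER_RE.search(log_text) is not None
    version = parse_openssl_version(log_text)
    affected = uses_apr and version is not None and is_heartbleed_affected(version)

    actions: List[str] = []
    if affected:
        # Chris's point: a connector switch stops further leakage but cannot undo
        # exposure that already happened, so treat keys and credentials as compromised.
        actions = [
            "upgrade tcnative/OpenSSL to 1.0.1g or later",
            "generate new private keys and reissue certificates",
            "rotate passwords that passed through this server",
        ]
    elif not uses_apr:
        # A JSSE-only log proves nothing about the past: if this server ran an
        # affected APR connector before the switch, the re-key still applies.
        actions = ["confirm this server never served TLS via an affected APR build"]

    return {
        "uses_apr": uses_apr,
        "openssl_version": format_version(version) if version else None,
        "affected": affected,
        "actions": actions,
    }


if __name__ == "__main__":
    for name, log in (("APR", SAMPLE_LOG_APR), ("NIO", SAMPLE_LOG_NIO)):
        print(name, assess(log))
```

The version check is deliberately narrow to what the thread states (the 1.0.1 line before "g"); the NIO branch exists so that a clean current log is not mistaken for proof that the key was never exposed, which is exactly the distinction Chris draws.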