James,
On 4/10/14, 3:32 PM, James H. H. Lampert wrote:
> On 4/10/14 2:10 PM, Ji Song wrote:
>> Does the Heartbleed bug impact Tomcat 6.x, 7.x and 8.x? I noticed that
>> Tomcat native connector version 1.1.22 uses OpenSSL 0.9.8, which
>> doesn't have the Heartbleed bug, but 1.1.24 and 1.1.29 also include the
>> buggy OpenSSL.
>
> If you use JSSE for your SSL support, then you're not affected, no
> matter what version of OpenSSL your Tomcat uses.

+1

Conversely, the version of Tomcat is not relevant here: it's only the
version of tcnative you are using. If you have 1.1.23 or earlier, then
you are safe from this particular vulnerability (but there may be other
issues with older versions). If you are on 1.1.24-1.1.29, then you have
been vulnerable. tcnative can be used with any version of Tomcat, though
certain versions of Tomcat have minimum requirements for the tcnative
version.

I can't stress enough that once you update to a fixed version, *you must
re-key your server* and obtain a replacement certificate from your CA.
You must also consider any communication that traversed your system while
vulnerable to be compromised. That means that every password that went
through your system during the period of vulnerability ought to be
changed.

> Kind of makes all that futzing around with Keytool (because JSSE is
> apparently the only SSL option for Tomcat on an IBM Midrange box) all
> worth it. ;-)

Erm, maybe not. ;)

You can actually use pkcs12 and avoid using keytool altogether.
-chris
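The two checks Chris describes (is tcnative loaded at all, and which version) and the re-keying step, as an added shell example that is not part of the list post and not Tomcat project code. The version ranges are the ones stated in the post (1.1.23 and earlier not affected, 1.1.24 through 1.1.29 vulnerable); treating anything newer than 1.1.29 as fixed is my assumption, since the post does not name the fixed release. The sample log lines are constructed to match the messages Tomcat's AprLifecycleListener writes at startup, the file names and the `Http11NioProtocol` (JSSE) connector are assumptions, and `openssl(1)` stands in for keytool to build the PKCS12 keystore.

```shell
#!/bin/sh
# Added example, not from the list post or the Tomcat project.
# 1. classify the tcnative version a Tomcat instance loaded (or note that
#    none was loaded, in which case SSL is JSSE and OpenSSL is not in play)
# 2. re-key with a fresh private key and a PKCS12 keystore the JSSE
#    connector reads directly, without keytool.
set -e

# Map a tcnative version string to a verdict for this particular bug.
# Ranges follow the post; "fixed" for anything past 1.1.29 is an assumption.
tcnative_status() {
    case $1 in
        *.*.*) ;;
        *) echo unknown; return ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop a "-beta" style suffix (assumed form)
    if [ -z "$patch" ] || [ "$major" != 1 ] || [ "$minor" != 1 ]; then
        echo unknown                 # only the 1.1.x line is covered by the post
    elif [ "$patch" -le 23 ]; then
        echo not-affected
    elif [ "$patch" -le 29 ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Read a Tomcat startup log (catalina.out) on stdin and decide from the
# AprLifecycleListener line whether tcnative was loaded, and which version.
log_verdict() {
    ver=$(sed -n 's/.*Loaded APR based Apache Tomcat Native library \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    if [ -z "$ver" ]; then
        echo no-tcnative             # APR/OpenSSL not loaded: SSL, if any, is JSSE
    else
        tcnative_status "$ver"
    fi
}

# Constructed sample logs (not captured from a real host).
LOG_TCNATIVE_129='Apr 10, 2014 3:32:01 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.4.8.
Apr 10, 2014 3:32:01 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)'
LOG_JSSE_ONLY='Apr 10, 2014 3:40:12 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib64:/lib64:/lib:/usr/lib'

# Re-key after upgrading: new private key and CSR now, PKCS12 once the CA
# returns the certificate. File names and the connector layout are assumed.
rekey_pkcs12() {
    host=$1
    out=${2:-$host}
    # Never reuse the old key: it sat in process memory on the vulnerable host.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$out.key" -out "$out.csr"
    chmod 600 "$out.key"
    cat <<EOF
Submit $out.csr to your CA. When $out.crt and the chain $out-chain.crt arrive:

  openssl pkcs12 -export -inkey $out.key -in $out.crt -certfile $out-chain.crt \\
      -name tomcat -out $out.p12

Then point the JSSE (NIO) connector at the PKCS12; no keytool import is needed:

  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="conf/$out.p12" keystoreType="PKCS12"
             keystorePass="changeit" />
EOF
}

# Demo on the constructed logs; "rekey <hostname> [prefix]" generates a key and CSR.
printf '%s\n' "$LOG_TCNATIVE_129" | log_verdict     # vulnerable
printf '%s\n' "$LOG_JSSE_ONLY" | log_verdict        # no-tcnative
if [ "${1:-}" = rekey ]; then
    rekey_pkcs12 "$2" "${3:-}"
fi
```

The log check is the quick triage for a fleet: a host whose log says the native library was not found is on JSSE and is outside this bug regardless of what OpenSSL is installed on the box; a host that loaded 1.1.24 through 1.1.29 needs the upgrade, the new key and certificate, and the password rotation the post calls for. Note that a `fixed` verdict only means the bundled OpenSSL is past Heartbleed; it says nothing about other issues in that tcnative release.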