[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #23 from Doug dgil...@opentext.com --- (In reply to Christopher Schultz from comment #22) (In reply to Konstantin Kolinko from comment #20) (In reply to Doug from comment #19) See current thread Building tcnative on win32, Building tcnative on win32 [progress!] on dev mailing list. http://tomcat.markmail.org/thread/ohhpa3k2kicyvjvy Maybe somebody could help there. I'll post my current build script which has a few pre-requisites. Thanks, I would really appreciate that! -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #20 from Konstantin Kolinko knst.koli...@gmail.com --- (In reply to Doug from comment #19) See current thread Building tcnative on win32, Building tcnative on win32 [progress!] on dev mailing list. http://tomcat.markmail.org/thread/ohhpa3k2kicyvjvy Maybe somebody could help there. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #21 from Christopher Schultz ch...@christopherschultz.net --- (In reply to Doug from comment #19) As a result of the latest OpenSSL vulnerability in 1.0.1g, I've been trying the build described here. However, the resulting .dll is always 200-300 KB (the build from April is ~1.5 MB), depending on which version of vc++ I use, and Tomcat cannot use it. Would you be able to provide a build with the latest OpenSSL 1.0.1h? Or more explicit instructions on completing the build on Windows? The problem is likely that you are not building tcnative statically, but instead as a dynamically-linked DLL. For convenience, the Tomcat team provides a statically-linked tcnative which means it contains OpenSSL, APR, and tcnative. Note that, if a dynamically-linked DLL were distributed, no rebuild would be necessary to upgrade OpenSSL. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #22 from Christopher Schultz ch...@christopherschultz.net --- (In reply to Konstantin Kolinko from comment #20) (In reply to Doug from comment #19) See current thread Building tcnative on win32, Building tcnative on win32 [progress!] on dev mailing list. http://tomcat.markmail.org/thread/ohhpa3k2kicyvjvy Maybe somebody could help there. I'll post my current build script which has a few pre-requisites. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #19 from Doug dgil...@opentext.com --- As a result of the latest OpenSSL vulnerability in 1.0.1g, I've been trying the build described here. However, the resulting .dll is always 200-300 KB (the build from April is ~1.5 MB), depending on which version of vc++ I use, and Tomcat cannot use it. Would you be able to provide a build with the latest OpenSSL 1.0.1h? Or more explicit instructions on completing the build on Windows? (In reply to Mladen Turk from comment #10) I'll update the BUILDING with windows section since everyone are so concerned of my health :) It's very simple. The biggest problem is compiling apr and openssl. OpenSSL needs to be patched to allow /MD with static lib (something I tried to convince openssl developers for years without luck). We have the patch in the source dist. Then you have to put apr and openssl include and lib files to some directory C:\foo\bar\include C:\foo\bar\lib Then execute: nmake -f NMAKEMakefile WITH_APR=C:\foo\bar WITH_OPENSSL=C:\foo\bar APR_DECLARE_STATIC=1 [ENABLE_OCSP=1] When building APR I also modify apr.hw and set APR_HAVE_IPV6 to 1. That's it. 10 minutes for all architectures on an average box. Note. Forget about IDE builds. They change the format of those .dsp, .vcproj whatever files with each version. Use nmake and command line. You'll need them to build openssl anyhow, so why not for all. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #16 from Konstantin Kolinko knst.koli...@gmail.com --- (In reply to Mladen Turk from comment #14) Binaries uploaded http://apache.org/dist/tomcat/tomcat-connectors/native/1.1.30/ The correct download link is http://tomcat.apache.org/download-native.cgi (A policy is that we do not advertise direct links to the ASF server, but suggest using the mirrors, as linked from the download page.) -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #17 from Keith Davis keithda...@solidtechservice.com --- (In reply to Christopher Schultz from comment #15) Just a note: r1587378 in trunk now requires tcnative 1.1.30, so Tomcat 8.0.6 will require tcnative 1.1.30 to start. Please forgive my lack of understanding, but what am we are supposed to do to patch our servers? Build our own and then use this connector? What is the connector for? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #18 from Mladen Turk mt...@apache.org --- (In reply to Keith Davis from comment #17) Please forgive my lack of understanding, but what am we are supposed to do to patch our servers? Build our own and then use this connector? What is the connector for? Bugzilla is not support forum. Please use tomcat users list instead -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #12 from Klemen Novak klemen.no...@mikrocop.com --- Any news on the build for windows? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #13 from Mladen Turk mt...@apache.org --- Vote passed, ANN will follow after mirror sync. cca 24 hrs max -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 Mladen Turk mt...@apache.org changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #14 from Mladen Turk mt...@apache.org --- Binaries uploaded http://apache.org/dist/tomcat/tomcat-connectors/native/1.1.30/ Took some time because of our own infrastructure Heartblead issues. I'll create ANN message tomorrow after mirrors sync with Apache server. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #15 from Christopher Schultz ch...@christopherschultz.net --- Just a note: r1587378 in trunk now requires tcnative 1.1.30, so Tomcat 8.0.6 will require tcnative 1.1.30 to start. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 Thomas Gelzh tho...@gelzhaeuser.de changed: What|Removed |Added CC||tho...@gelzhaeuser.de -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #11 from Gary Bollinger gbollin...@chalexcorp.com --- Is there a prediction on when this compile will be released? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 Tomi Korkalainen tomi.korkalai...@gmail.com changed: What|Removed |Added CC||tomi.korkalai...@gmail.com -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 Jani Similä jani.sim...@gmail.com changed: What|Removed |Added CC||jani.sim...@gmail.com -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #2 from Mladen Turk mt...@apache.org --- Update done and tested. We'll start release process today or tomorrow and new version containing OpenSSL 1.0.1g will be available after VOTE finishes and we create ANN message. I'll close this issue when we send the ANN message. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 Luke Hall lh...@vocera.com changed: What|Removed |Added Status|NEW |NEEDINFO --- Comment #3 from Luke Hall lh...@vocera.com --- Is there any possibility that you could provide us with a copy of the updated Tomcat Native library now? My company has several affected servers and we have been struggling to build the library ourselves, but with no success. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #4 from Mike Noordermeer m...@normi.net --- While I understand that the disclosure process of this bug has been far from optimal, and really appreciate all effort the maintainer(s) spend on this project, a turnaround time of 3 days for such a critical issue is not acceptable and currently forcing us to use the Java SSL implementation and BIO/NIO connectors. Would it, for future reference, be possible to document the Windows library build process better? We too have been struggling (and failing) to build the library ourselves, which has forced us to switch to the BIO connector due to the extreme severity of the issue. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 Mike Noordermeer m...@normi.net changed: What|Removed |Added Status|NEEDINFO|NEW --- Comment #5 from Mike Noordermeer m...@normi.net --- BTW, Luke, the intended release can be found at http://people.apache.org/~mturk/native/1.1.30/. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #6 from jeffrey.jan...@polydyne.com --- Thanks to Mladen for his effort on getting this out as fast as he has. The ease with which this problem was addressable on the *NIX platforms leads me to ask if there is a better way of addressing the native libraries in the Windows world? The *NIX guys could just go get the latest OpenSSL version, install it, and restart their Tomcats, because the libraries are dynamically linked. However, the Windows version is statically linked, so we had to wait for Mladen to work his magic or try to do the build ourselves using minimal instructions. My question is, what would be the downside to leaving the Windows version as a set of 2 or 3 dll files instead of statically linking them as they are now? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #7 from Konstantin Kolinko knst.koli...@gmail.com --- (In reply to Mike Noordermeer from comment #4) 1. The timing is unfortunate. There is a conference going on right now. Key people are there. http://www.apachecon.com/ Also this bug is where I learned this issue from. Thank you Mike for filing it. 2. Nobody here works for Microsoft. Providing windows binaries is a courtesy and may stop at any random moment. Would it, for future reference, be possible to document the Windows library build process better? 3. Documentation improvement patches are appreciated. You may submit one via bugzilla. (In reply to Jeffrey.Janner from comment #6) However, the Windows version is statically linked, so we had to wait for Mladen to work his magic or try to do the build ourselves using minimal instructions. 4. a) That would be a mess. b) Somebody would still need to build OpenSSL for you. http://openssl.org/ provides source code only. See 2. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #8 from Mike Noordermeer m...@normi.net --- (In reply to Konstantin Kolinko from comment #7) 2. Nobody here works for Microsoft. Providing windows binaries is a courtesy and may stop at any random moment. That's good to know, and may be something to mention on the site, so people don't build production infrastructure on it. Would it, for future reference, be possible to document the Windows library build process better? 3. Documentation improvement patches are appreciated. You may submit one via bugzilla. I would love to improve the documentation, but at the moment it seems nobody knows how the Windows build works except for Mladen. See for instance this post of Mark Thomas: http://mail-archives.apache.org/mod_mbox/tomcat-dev/201205.mbox/%3c4fba6dfc.4090...@apache.org%3E -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #9 from jeffrey.jan...@polydyne.com --- (In reply to Konstantin Kolinko from comment #7) (In reply to Jeffrey.Janner from comment #6) However, the Windows version is statically linked, so we had to wait for Mladen to work his magic or try to do the build ourselves using minimal instructions. 4. a) That would be a mess. b) Somebody would still need to build OpenSSL for you. http://openssl.org/ provides source code only. See 2. Yep. Luckily, that site has a link (http://www.openssl.org/related/binaries.html) to someone who provides binaries almost as fast as OpenSSL releases them. That site is http://slproweb.com/products/Win32OpenSSL.html. I think in this case he and Mladen had versions available at about the same time, though we're still waiting on an approved release from the ASF. Overall, I'm generally OK getting the full suite from the ASF, its just would be nice to have alternatives. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #10 from Mladen Turk mt...@apache.org --- I'll update the BUILDING with windows section since everyone are so concerned of my health :) It's very simple. The biggest problem is compiling apr and openssl. OpenSSL needs to be patched to allow /MD with static lib (something I tried to convince openssl developers for years without luck). We have the patch in the source dist. Then you have to put apr and openssl include and lib files to some directory C:\foo\bar\include C:\foo\bar\lib Then execute: nmake -f NMAKEMakefile WITH_APR=C:\foo\bar WITH_OPENSSL=C:\foo\bar APR_DECLARE_STATIC=1 [ENABLE_OCSP=1] When building APR I also modify apr.hw and set APR_HAVE_IPV6 to 1. That's it. 10 minutes for all architectures on an average box. Note. Forget about IDE builds. They change the format of those .dsp, .vcproj whatever files with each version. Use nmake and command line. You'll need them to build openssl anyhow, so why not for all. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 r.schilpero...@greenvalley.nl changed: What|Removed |Added CC||r.schilperoort@greenvalley. ||nl -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #1 from Mladen Turk mt...@apache.org --- Working on it. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 Klemen Novak klemen.no...@mikrocop.com changed: What|Removed |Added CC||klemen.no...@mikrocop.com -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 Keith Davis keithda...@solidtechservice.com changed: What|Removed |Added CC||keithdavis@solidtechservice ||.com -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 Neven Cvetkovic neven.cvetko...@gmail.com changed: What|Removed |Added CC||neven.cvetko...@gmail.com -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org