Re: How can I tell which version of OpenSSL is being used with tomcat?
2014-04-10 12:25 GMT+04:00 Christopher Schultz :
> (...)
>
> Andrew, if you haven't changed the Tomcat default configuration and
> you used the service installer, you likely have a vulnerable server
> depending upon exactly which version you installed, because the
> installer automatically installs tcnative, and the default protocol in
> server.xml (HTTP/1.1) auto-prefers the APR connector to the BIO connector.
>

The default configuration is NOT vulnerable to HeartBleed, as the HTTPS protocol is not enabled by default. You need to generate or buy a server certificate and configure it to enable HTTPS.

If you have configured HTTPS, then you should know what connector you are using, because the configuration attributes differ, as explained below.

> To check if you are using APR, just check your
> configuration. If you're specifying attributes like
> SSLCertificateKeyFile then you are using OpenSSL (and still should
> track down the version). If you see attributes like "keystoreFile",
> then you are using JSSE and you are not vulnerable to this particular
> issue being discussed this week.
>

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How can I tell which version of OpenSSL is being used with tomcat?
Jeffrey,

On 4/9/14, 12:59 PM, Jeffrey Janner wrote:
>> -----Original Message-----
>> From: Andrew Russell [mailto:andrew.russ...@gmail.com]
>> Sent: Wednesday, April 09, 2014 12:02 PM
>> To: users@tomcat.apache.org
>> Subject: How can I tell which version of OpenSSL is being used with tomcat?
>>
>> If I installed tomcat on windows using the service installer, how
>> can I know which version of openssl was used?
>
> [Jeff Janner]
>
> Did you select the Native Libraries when you ran the installer? If
> so, you are most likely to be using OpenSSL for SSL services. How
> can you be sure? Do you have any set up to use SSL?
> Did you specify the protocol parameter when you created the
> connector? If not, then the default is to use the APR library if
> the Native Libraries are available and the APR Lifecycle Listener
> is in your server.xml and the SSLEngine is set to "on". In other
> words, you'll need to review your server.xml and the tomcat
> documentation on configuring Tomcat to see if you are vulnerable.
>
> However, a perhaps easier way is to check your latest catalina.log
> file. If it contains this line: INFO: OpenSSL successfully
> initialized (OpenSSL 1.0.1e 11 Feb 2013) Then you are susceptible
> (any version 1.0.1 < 1.0.1g).

It's possible to be safe and still not have 1.0.1g. Debian, for instance, has shipped a patch to 1.0.1e to fix this problem but it does not have the feature changes of 1.0.1f and 1.0.1g. This is kind of what Debian does. *shrug*

> Also, if you do have the native libraries in the bin directory,
> you can check its version by hovering over the tcnative-1.dll file
> and checking the value of File Version. The latest is 1.1.29,
> which has the bug. I'm not sure at which release the bug was
> introduced.

The Bugzilla bug says versions 1.1.24 - 1.1.29. I haven't personally verified those version numbers.

Honestly, your best bet is to run one of the HB testers online if you really have no idea what you're running.

Of course, if you've patched OpenSSL (or your package manager has updated and you've updated and restarted Tomcat) then you'll never know if you *were* vulnerable.

Andrew, if you haven't changed the Tomcat default configuration and you used the service installer, you likely have a vulnerable server depending upon exactly which version you installed, because the installer automatically installs tcnative, and the default protocol in server.xml (HTTP/1.1) auto-prefers the APR connector to the BIO connector.

To check if you are using APR, just check your configuration. If you're specifying attributes like SSLCertificateKeyFile then you are using OpenSSL (and still should track down the version). If you see attributes like "keystoreFile", then you are using JSSE and you are not vulnerable to this particular issue being discussed this week.

-chris
RE: How can I tell which version of OpenSSL is being used with tomcat?
> -----Original Message-----
> From: Andrew Russell [mailto:andrew.russ...@gmail.com]
> Sent: Wednesday, April 09, 2014 12:02 PM
> To: users@tomcat.apache.org
> Subject: How can I tell which version of OpenSSL is being used with
> tomcat?
>
> If I installed tomcat on windows using the service installer, how can I
> know which version of openssl was used?

[Jeff Janner]
Did you select the Native Libraries when you ran the installer? If so, you are most likely to be using OpenSSL for SSL services. How can you be sure? Do you have any set up to use SSL?

Did you specify the protocol parameter when you created the connector? If not, then the default is to use the APR library if the Native Libraries are available and the APR Lifecycle Listener is in your server.xml and the SSLEngine is set to "on". In other words, you'll need to review your server.xml and the tomcat documentation on configuring Tomcat to see if you are vulnerable.

However, a perhaps easier way is to check your latest catalina.log file. If it contains this line:

INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)

Then you are susceptible (any version 1.0.1 < 1.0.1g).

Also, if you do have the native libraries in the bin directory, you can check its version by hovering over the tcnative-1.dll file and checking the value of File Version. The latest is 1.1.29, which has the bug. I'm not sure at which release the bug was introduced. Anyone?
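The two checks the thread converges on (Jeff's catalina.log line and tcnative version, Chris's SSLCertificateKeyFile-versus-keystoreFile test on server.xml, plus Konstantin's reminder that a connector without SSLEnabled="true" is not serving TLS at all) can be scripted so they are applied consistently across a fleet instead of by eye. The following is an added example written for this page; it is not code from any of the posters or from the Tomcat project. It assumes the log lines have the wording quoted in the thread, and its server.xml and log text are constructed samples, not captured from a real server. It also encodes Chris's caveat: a version string in the affected range is only "affected unless your distribution backported the fix", which no log check can tell you.

```python
"""Added example: classify Tomcat HTTPS connectors from server.xml and check
the OpenSSL version that tcnative logged, following the checks in the thread."""
import re
import xml.etree.ElementTree as ET

# Attributes only the APR/OpenSSL connector understands (thread: SSLCertificateKeyFile).
APR_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile",
             "SSLCertificateChainFile", "SSLCACertificateFile"}
# Attributes only the JSSE (BIO/NIO) connector understands (thread: keystoreFile).
JSSE_ATTRS = {"keystoreFile", "keystorePass", "keystoreType", "truststoreFile"}

# Startup lines written by AprLifecycleListener; the thread quotes the OpenSSL one.
TCNATIVE_RE = re.compile(r"Loaded APR based Apache Tomcat Native library (\d+\.\d+\.\d+)")
OPENSSL_RE = re.compile(r"OpenSSL successfully initialized \(OpenSSL (\d+\.\d+\.\d+)([a-z]*)")


def classify_connector(attrib):
    """Return 'no-TLS', 'APR/OpenSSL', 'JSSE' or 'undetermined' for one <Connector>."""
    if attrib.get("SSLEnabled", "false").lower() != "true":
        return "no-TLS"          # HTTPS is off unless someone turned it on
    proto = attrib.get("protocol", "HTTP/1.1")
    if "Apr" in proto:
        return "APR/OpenSSL"     # explicit org.apache.coyote.http11.Http11AprProtocol
    if "Nio" in proto or proto.endswith("Http11Protocol"):
        return "JSSE"            # explicit NIO or BIO protocol class
    if APR_ATTRS.intersection(attrib):
        return "APR/OpenSSL"
    if JSSE_ATTRS.intersection(attrib):
        return "JSSE"
    # Bare HTTP/1.1 with TLS on: Tomcat picks APR if tcnative loads, else BIO.
    return "undetermined"


def parse_openssl_version(log_text):
    """Return (base, letter) from the OpenSSL init line, e.g. ('1.0.1', 'e'), or None."""
    m = OPENSSL_RE.search(log_text)
    return (m.group(1), m.group(2)) if m else None


def parse_tcnative_version(log_text):
    """Return the tcnative version string from the startup log, or None."""
    m = TCNATIVE_RE.search(log_text)
    return m.group(1) if m else None


def heartbleed_status(version):
    """Apply the thread's rule: 1.0.1 through 1.0.1f affected, 1.0.1g fixed.

    Caveat from the thread: distributions backport the fix without bumping the
    string (Debian's patched 1.0.1e), so 'affected' means 'affected unless your
    vendor patched it'. The rule covers only the 1.0.1 line, so other release
    lines are reported as outside its scope rather than as safe.
    """
    if version is None:
        return "unknown"
    base, letter = version
    if base != "1.0.1":
        return "outside-1.0.1-series"
    return "affected" if letter < "g" else "fixed"


def audit(server_xml, log_text):
    """Combine the server.xml and catalina.log checks into one report."""
    root = ET.fromstring(server_xml)
    connectors = {c.get("port"): classify_connector(c.attrib)
                  for c in root.iter("Connector")}
    version = parse_openssl_version(log_text)
    return {
        "connectors": connectors,
        "tcnative_version": parse_tcnative_version(log_text),
        "openssl_version": version,
        "heartbleed": heartbleed_status(version),
    }


# Constructed sample input (not from a real server): plain HTTP on 8080,
# an APR/OpenSSL connector on 8443 and a JSSE connector on 8444.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="conf/server.crt" SSLCertificateKeyFile="conf/server.key" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               scheme="https" secure="true" keystoreFile="conf/keystore.jks" keystorePass="changeit" />
  </Service>
</Server>
"""
# Constructed sample of the two AprLifecycleListener startup lines.
SAMPLE_LOG = """Apr 09, 2014 12:01:02 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.4.8.
Apr 09, 2014 12:01:02 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
"""

if __name__ == "__main__":
    report = audit(SAMPLE_SERVER_XML, SAMPLE_LOG)
    for port, kind in report["connectors"].items():
        print(f"port {port}: {kind}")
    print("tcnative:", report["tcnative_version"])
    print("OpenSSL:", report["openssl_version"], "->", report["heartbleed"])
```

Point audit() at the real conf/server.xml and the current catalina log and act on the combination: an "APR/OpenSSL" or "undetermined" connector with an "affected" version is the case to treat as exposed until the vendor's package changelog says otherwise; "JSSE" connectors are out of scope for this bug regardless of what OpenSSL the box carries.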
Re: How can I tell which version of OpenSSL is being used with tomcat?
On 4/9/14 10:17 AM, Andrew Russell wrote:
> Thank you for the quick response! It's a mixed bag, some are java keystores and some are pfx files. So I'm only using OpenSSL if it's marked as such in the configuration file?

All I know is JSSE, myself. From our own server.xml, running with security by JSSE, on an IBM Midrange system (the names have been changed to protect the innocent):

--
JHHL
Re: How can I tell which version of OpenSSL is being used with tomcat?
On Wed, Apr 9, 2014 at 12:13 PM, James H. H. Lampert <jam...@touchtonecorp.com> wrote:
> On 4/9/14 10:01 AM, Andrew Russell wrote:
>> If I installed tomcat on windows using the service installer, how can I
>> know which version of openssl was used?
>
> All I know is that if you're using a Java keystore and Keytool (or
> KeyStore Explorer) to set it up and maintain it, you're most likely not
> using ANY version of OpenSSL; you're using JSSE (which isn't affected by
> HeartBleed) instead.
>
> Given that I've never set up security for Tomcat on any platform other
> than an IBM Midrange system (on which JSSE seems to be the only viable
> choice for SSL in Tomcat), I was actually rather astonished when I first
> learned that other platforms usually used OpenSSL.
>
> --
> JHHL

Thank you for the quick response! It's a mixed bag, some are java keystores and some are pfx files. So I'm only using OpenSSL if it's marked as such in the configuration file?
Re: How can I tell which version of OpenSSL is being used with tomcat?
On 4/9/14 10:01 AM, Andrew Russell wrote:
> If I installed tomcat on windows using the service installer, how can I know which version of openssl was used?

All I know is that if you're using a Java keystore and Keytool (or KeyStore Explorer) to set it up and maintain it, you're most likely not using ANY version of OpenSSL; you're using JSSE (which isn't affected by HeartBleed) instead.

Given that I've never set up security for Tomcat on any platform other than an IBM Midrange system (on which JSSE seems to be the only viable choice for SSL in Tomcat), I was actually rather astonished when I first learned that other platforms usually used OpenSSL.

--
JHHL