Ognjen, Has anyone entered a bugzilla request for this one? Jeff > -----Original Message----- > From: Ognjen Blagojevic [mailto:ognjen.d.blagoje...@gmail.com] > Sent: Tuesday, April 08, 2014 3:02 PM > To: Tomcat Users List > Subject: Re: Does the HeartBleed vulnerability affect Apache Tomcat > servers using Tomcat Native? > > On 8.4.2014 18:48, Arlo White wrote: > > Are Apache Tomcat servers using Tomcat Native & APR vulnerable to the > > HeartBleed OpenSSL bug, or does this layer insulate them? > > http://heartbleed.com/ > > They are vulnerable. There is no layer to insulate. > > You may test with: > > http://filippo.io/Heartbleed/ > > I tested with Tomcat 8.0.5 with tcnative 1.1.29, which includes OpenSSL > 1.0.1e, on Windows 7 64-bit, and it confirms the vulnerability. > > JSSE Connectors are not vulnerables so, one possible workaround is to > swich to NIO or BIO connector until patched version of tcnative is > available. > > -Ognjen > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org >
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org