> -----Original Message----- > From: Andrew Russell [mailto:andrew.russ...@gmail.com] > Sent: Wednesday, April 09, 2014 12:02 PM > To: users@tomcat.apache.org > Subject: How can I tell which version of OpenSSL is being used with > tomcat? > > If I installed tomcat on windows using the service installer, how can I > know which version of openssl was used? [Jeff Janner]
Did you select the Native Libraries when you ran the installer? If so, you are most likely to be using OpenSSL for SSL services. How can you be sure? Do you have any <Connectors> set up to use SSL? Did you specify the protocol parameter when you created the connector? If not, then the default is to use the APR library if the Native Libraries are available and the APR Lifecycle Listener is in your server.xml and the SSLEngine is set to "on". In other words, you'll need to review your server.xml and the tomcat documentation on configuring Tomcat to see if you are vulnerable. However, a perhaps easier way is to check your latest catalina.log file. If it contains this line: INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013) Then you are susceptible (any version 1.0.1 < 1.0.1g). Also, if you do have the native libraries in the bin directory, you can check its version by hovering over the tcnative-1.dll file and checking the value of File Version. The latest is 1.1.29, which has the bug. I'm not sure at which release the bug was introduced. Anyone? --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
