Jeffrey,

On 4/9/14, 12:59 PM, Jeffrey Janner wrote:
>> -----Original Message-----
>> From: Andrew Russell [mailto:[email protected]]
>> Sent: Wednesday, April 09, 2014 12:02 PM
>> To: [email protected]
>> Subject: How can I tell which version of OpenSSL is being used with tomcat?
>>
>> If I installed tomcat on windows using the service installer, how
>> can I know which version of openssl was used?
> [Jeff Janner]
>
> Did you select the Native Libraries when you ran the installer? If
> so, you are most likely to be using OpenSSL for SSL services. How
> can you be sure? Do you have any <Connectors> set up to use SSL?
> Did you specify the protocol parameter when you created the
> connector? If not, then the default is to use the APR library if
> the Native Libraries are available and the APR Lifecycle Listener
> is in your server.xml and the SSLEngine is set to "on". In other
> words, you'll need to review your server.xml and the tomcat
> documentation on configuring Tomcat to see if you are vulnerable.
>
> However, a perhaps easier way is to check your latest catalina.log
> file. If it contains this line:
>
>   INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
>
> Then you are susceptible (any version 1.0.1 < 1.0.1g).

It's possible to be safe and still not have 1.0.1g. Debian, for
instance, has shipped a patch to 1.0.1e to fix this problem but it
does not have the feature changes of 1.0.1f and 1.0.1g. This is kind
of what Debian does. *shrug*

> Also, if you do have the native libraries in the bin directory,
> you can check its version by hovering over the tcnative-1.dll file
> and checking the value of File Version. The latest is 1.1.29,
> which has the bug. I'm not sure at which release the bug was
> introduced. The Bugzilla bug says versions 1.1.24 - 1.1.29.

I haven't personally verified those version numbers. Honestly, your
best bet is to run one of the HB testers online if you really have no
idea what you're running.
Of course, if you've patched OpenSSL (or your package manager has
updated and you've updated and restarted Tomcat) then you'll never
know if you *were* vulnerable.

Andrew, if you haven't changed the Tomcat default configuration and
you used the service installer, you likely have a vulnerable server
depending upon exactly which version you installed, because the
installer automatically installs tcnative, and the default protocol in
server.xml (HTTP/1.1) auto-prefers the APR connector to the BIO
connector.

To check if you are using APR, just check your <Connector>
configuration. If you're specifying attributes like
SSLCertificateKeyFile then you are using OpenSSL (and still should
track down the version). If you see attributes like "keystoreFile",
then you are using JSSE and you are not vulnerable to this particular
issue being discussed this week.

-chris
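The two checks described in this thread (which SSL connector server.xml actually selects, and what the tcnative/OpenSSL init lines in catalina.log report) can be scripted so they are repeatable across a fleet. The script below is an added example, not code from the thread or from the Tomcat project. It assumes Tomcat 7-era server.xml conventions (protocol="HTTP/1.1" auto-selects APR when the AprLifecycleListener is present with SSLEngine on; Http11AprProtocol versus Http11Protocol/Http11NioProtocol), the "OpenSSL successfully initialized (...)" log line quoted above, and the "Loaded APR based Apache Tomcat Native library X.Y.Z" line that AprLifecycleListener logs on startup. The server.xml and catalina.log snippets are constructed for illustration. The version verdict follows upstream numbering only and says so, because a distro backport such as Debian's patched 1.0.1e is indistinguishable from the vulnerable 1.0.1e by version string alone.

```python
"""Triage whether a Tomcat instance terminates TLS via tcnative/OpenSSL (APR
connector) or via JSSE, and what catalina.log says about the OpenSSL build.

Added example for the thread above, not code from the Tomcat project. The
SAMPLE_* inputs at the bottom are constructed, not captured from a real host.
"""
import re
import xml.etree.ElementTree as ET

# Attributes that only the APR/OpenSSL connector understands (Tomcat 7 docs).
APR_ONLY_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile",
                  "SSLCertificateChainFile", "SSLCACertificateFile", "SSLPassword"}
# Attributes that only the JSSE (BIO/NIO) connectors understand.
JSSE_ONLY_ATTRS = {"keystoreFile", "keystorePass", "keystoreType",
                   "keyAlias", "truststoreFile", "truststorePass"}

# Log line quoted in the thread; group 1 = "1.0.1", group 2 = patch letter ("e").
OPENSSL_INIT = re.compile(
    r"OpenSSL successfully initialized \(OpenSSL (\d+\.\d+\.\d+)([a-z]?)")
# Assumed format of AprLifecycleListener's startup line for the tcnative version.
TCNATIVE_LOADED = re.compile(
    r"Loaded APR based Apache Tomcat Native library (\d+\.\d+\.\d+)")


def classify_connectors(server_xml):
    """Return [(port, kind)] for every SSLEnabled <Connector> in server.xml."""
    root = ET.fromstring(server_xml)
    apr_listener = any(
        lst.get("className", "").endswith("AprLifecycleListener")
        and lst.get("SSLEngine", "on").lower() != "off"
        for lst in root.iter("Listener"))
    results = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP: no TLS stack involved
        attrs = set(conn.attrib)
        proto = conn.get("protocol", "HTTP/1.1")
        if "Apr" in proto or attrs & APR_ONLY_ATTRS:
            kind = "APR/OpenSSL"
        elif ("Nio" in proto or proto.endswith("Http11Protocol")
              or attrs & JSSE_ONLY_ATTRS):
            kind = "JSSE"
        elif proto == "HTTP/1.1" and apr_listener:
            # Tomcat 7 picks APR for the generic protocol when tcnative loads.
            kind = "APR/OpenSSL (auto-selected if tcnative loads)"
        else:
            kind = "JSSE (auto-selected, no APR listener)"
        results.append((conn.get("port"), kind))
    return results


def parse_catalina_log(log_text):
    """Extract tcnative and OpenSSL versions from catalina.log text (None if absent)."""
    m_tcn = TCNATIVE_LOADED.search(log_text)
    m_ssl = OPENSSL_INIT.search(log_text)
    return {"tcnative": m_tcn.group(1) if m_tcn else None,
            "openssl": (m_ssl.group(1), m_ssl.group(2)) if m_ssl else None}


def heartbleed_verdict(openssl):
    """Judge the (base, letter) tuple by upstream numbering: 1.0.1 .. 1.0.1f affected."""
    if openssl is None:
        return "unknown: no OpenSSL init line (TLS via JSSE, or APR never initialised)"
    base, letter = openssl
    if base in ("0.9.8", "1.0.0"):
        return "not affected by version: this branch has no TLS heartbeat code"
    if base == "1.0.1":
        if letter >= "g":
            return "fixed by version (1.0.1g or later)"
        return ("vulnerable by upstream version string; a distro backport such as "
                "Debian's patched 1.0.1e reports the same string, so confirm with a "
                "heartbeat test")
    return "check release notes for branch " + base


SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" SSLCertificateFile="conf/localhost.crt"
               SSLCertificateKeyFile="conf/localhost.key" />
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore.jks" keystorePass="changeit" />
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" /></Engine>
  </Service>
</Server>
"""

SAMPLE_CATALINA_LOG = """Apr 09, 2014 12:01:02 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.4.8.
Apr 09, 2014 12:01:02 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
"""

if __name__ == "__main__":
    for port, kind in classify_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {kind}")
    info = parse_catalina_log(SAMPLE_CATALINA_LOG)
    print(f"tcnative {info['tcnative']}, OpenSSL {info['openssl']}")
    print(heartbleed_verdict(info["openssl"]))
```

On a real host, point the two functions at conf/server.xml and the newest logs/catalina.*.log; the "undetermined" branch only fires when the connector relies on protocol auto-selection, which is exactly the installer-default case Chris describes, so follow it up by checking whether tcnative-1.dll is present in bin.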
