2014-04-10 12:25 GMT+04:00 Christopher Schultz <ch...@christopherschultz.net>:
>
> (...)
>
> Andrew, if you haven't changed the Tomcat default configuration and
> you used the service installer, you likely have a vulnerable server
> depending upon exactly which version you installed, because the
> installer automatically installs tcnative, and the default protocol in
> server.xml (HTTP/1.1) auto-prefers the APR connector to the BIO connector.
>

The default configuration is NOT vulnerable to HeartBleed, as the HTTPS
protocol is not enabled by default. You need to generate or buy a server
certificate and configure it to enable HTTPS.

If you have configured HTTPS, then you should know what connector you
are using, because the configuration attributes differ, as explained
below.

> To check if you are using APR, just check your <Connector>
> configuration. If you're specifying attributes like
> SSLCertificateKeyFile then you are using OpenSSL (and still should
> track-down the version). If you see attributes like "keystoreFile",
> then you are using JSSE and you are not vulnerable to this particular
> issue being discussed this week.
>

Best regards,
Konstantin Kolinko
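
Added example, not part of the original message and not Tomcat code: a small script that applies the check described in this thread to a server.xml, sorting each <Connector> by whether HTTPS is enabled and whether its attributes point to APR/OpenSSL or to JSSE. The sample configuration is constructed, and the extra attribute names (SSLEnabled, SSLCertificateFile, keystorePass) and the Http11AprProtocol class name are assumptions about a Tomcat 6/7-era configuration that do not appear in the message itself.

```python
import sys
import xml.etree.ElementTree as ET

# Attribute names from the thread plus one sibling of each (compared lowercased).
APR_ATTRS = {"sslcertificatekeyfile", "sslcertificatefile"}
JSSE_ATTRS = {"keystorefile", "keystorepass"}

# Constructed sample, not taken from any real server.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             SSLCertificateFile="conf/cert.pem" SSLCertificateKeyFile="conf/key.pem"/>
  <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
             keystoreFile="conf/keystore.jks" keystorePass="changeit"/>
  <Connector port="7443" protocol="HTTP/1.1" SSLEnabled="true"/>
</Service></Server>"""


def classify_connector(attrs):
    """Classify one <Connector> from its attribute dict."""
    low = {k.lower(): v for k, v in attrs.items()}
    if low.get("sslenabled", "false").strip().lower() != "true":
        return "no-tls"        # HTTPS is not enabled on this connector
    if APR_ATTRS & low.keys() or low.get("protocol", "").endswith("Http11AprProtocol"):
        return "apr-openssl"   # OpenSSL through tcnative: track down its version
    if JSSE_ATTRS & low.keys():
        return "jsse"          # Java TLS stack, OpenSSL is not involved
    return "tls-unknown"       # TLS is on, but the attributes alone do not decide


def audit_server_xml(xml_data):
    """Return [(port, classification), ...] for every <Connector> in the document."""
    root = ET.fromstring(xml_data)
    return [(c.get("port", "?"), classify_connector(c.attrib))
            for c in root.iter("Connector")]


if __name__ == "__main__":
    # Pass the path to a server.xml, or run without arguments to use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for port, kind in audit_server_xml(data):
        print(f"port {port}: {kind}")
```

A connector that carries both kinds of attributes is reported as apr-openssl, so that the OpenSSL version still gets checked.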