Posted to users@tomcat.apache.org by Andrew Russell <an...@gmail.com> on 2014/04/09 19:01:41 UTC

How can I tell which version of OpenSSL is being used with tomcat?

If I installed tomcat on windows using the service installer, how can I
know which version of openssl was used?

Re: [OT] How can I tell which version of OpenSSL is being used with tomcat?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Konstantin,

On 4/10/14, 3:06 AM, Konstantin Kolinko wrote:
> 2014-04-10 12:25 GMT+04:00 Christopher Schultz
> <ch...@christopherschultz.net>:
>> 
>> (...)
>> 
>> Andrew, if you haven't changed the Tomcat default configuration
>> and you used the service installer, you likely have a vulnerable
>> server depending upon exactly which version you installed,
>> because the installer automatically installs tcnative, and the
>> default protocol in server.xml (HTTP/1.1) auto-prefers the APR
>> connector to the BIO connector.
>> 
> 
> The default configuration is NOT vulnerable to HeartBleed, as the
> HTTPS protocol is not enabled by default. You need to generate or
> buy a server certificate and configure it to enable HTTPS.

You are correct: the default configuration has SSL disabled.

But, since this was a question about SSL, I figured that the OP had
SSL enabled.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: How can I tell which version of OpenSSL is being used with tomcat?

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-04-10 12:25 GMT+04:00 Christopher Schultz <ch...@christopherschultz.net>:
>
> (...)
>
> Andrew, if you haven't changed the Tomcat default configuration and
> you used the service installer, you likely have a vulnerable server
> depending upon exactly which version you installed, because the
> installer automatically installs tcnative, and the default protocol in
> server.xml (HTTP/1.1) auto-prefers the APR connector to the BIO connector.
>

The default configuration is NOT vulnerable to HeartBleed, as the
HTTPS protocol is not enabled by default. You need to generate or buy
a server certificate and configure it to enable HTTPS.

If you have configured HTTPS, then you should know what connector you
are using, because the configuration attributes differ, as explained
below.

> To check if you are using APR, just check your <Connector>
> configuration. If you're specifying attributes like
> SSLCertificateKeyFile then you are using OpenSSL (and still should
> track down the version). If you see attributes like "keystoreFile",
> then you are using JSSE and you are not vulnerable to this particular
> issue being discussed this week.
>


Best regards,
Konstantin Kolinko



Re: How can I tell which version of OpenSSL is being used with tomcat?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Jeffrey,

On 4/9/14, 12:59 PM, Jeffrey Janner wrote:
>> -----Original Message----- From: Andrew Russell
>> [mailto:andrew.russell@gmail.com] Sent: Wednesday, April 09, 2014
>> 12:02 PM To: users@tomcat.apache.org Subject: How can I tell
>> which version of OpenSSL is being used with tomcat?
>> 
>> If I installed tomcat on windows using the service installer, how
>> can I know which version of openssl was used?
> [Jeff Janner]
> 
> Did you select the Native Libraries when you ran the installer? If
> so, you are most likely to be using OpenSSL for SSL services. How
> can you be sure? Do you have any <Connectors> set up to use SSL?
> Did you specify the protocol parameter when you created the
> connector?  If not, then the default is to use the APR library if
> the Native Libraries are available and the APR Lifecycle Listener
> is in your server.xml and the SSLEngine is set to "on". In other
> words, you'll need to review your server.xml and the tomcat
> documentation on configuring Tomcat to see if you are vulnerable.
> 
> However, a perhaps easier way is to check your latest catalina.log
> file.  If it contains this line: INFO: OpenSSL successfully
> initialized (OpenSSL 1.0.1e 11 Feb 2013) Then you are susceptible
> (any version 1.0.1 < 1.0.1g).

It's possible to be safe and still not have 1.0.1g. Debian, for
instance, has shipped a patch to 1.0.1e to fix this problem but it
does not have the feature changes of 1.0.1f and 1.0.1g. This is kind
of what Debian does. *shrug*

> Also, if you do have the native libraries in the bin directory,
> you can check its version by hovering over the tcnative-1.dll file
> and checking the value of File Version.  The latest is 1.1.29,
> which has the bug.  I'm not sure at which release the bug was
> introduced.

The Bugzilla bug says versions 1.1.24 - 1.1.29. I haven't personally
verified those version numbers.

Honestly, your best bet is to run one of the HB testers online if you
really have no idea what you're running. Of course, if you've patched
OpenSSL (or your package manager has updated and you've updated and
restarted Tomcat) then you'll never know if you *were* vulnerable.

Andrew, if you haven't changed the Tomcat default configuration and
you used the service installer, you likely have a vulnerable server
depending upon exactly which version you installed, because the
installer automatically installs tcnative, and the default protocol in
server.xml (HTTP/1.1) auto-prefers the APR connector to the BIO connector.

To check if you are using APR, just check your <Connector>
configuration. If you're specifying attributes like
SSLCertificateKeyFile then you are using OpenSSL (and still should
track down the version). If you see attributes like "keystoreFile",
then you are using JSSE and you are not vulnerable to this particular
issue being discussed this week.

-chris



RE: How can I tell which version of OpenSSL is being used with tomcat?

Posted by Jeffrey Janner <Je...@PolyDyne.com>.
> -----Original Message-----
> From: Andrew Russell [mailto:andrew.russell@gmail.com]
> Sent: Wednesday, April 09, 2014 12:02 PM
> To: users@tomcat.apache.org
> Subject: How can I tell which version of OpenSSL is being used with
> tomcat?
> 
> If I installed tomcat on windows using the service installer, how can I
> know which version of openssl was used?
[Jeff Janner] 

Did you select the Native Libraries when you ran the installer?
If so, you are most likely to be using OpenSSL for SSL services.
How can you be sure?
Do you have any <Connectors> set up to use SSL?  Did you specify the protocol parameter when you created the connector?  If not, then the default is to use the APR library if the Native Libraries are available and the APR Lifecycle Listener is in your server.xml and the SSLEngine is set to "on".
In other words, you'll need to review your server.xml and the tomcat documentation on configuring Tomcat to see if you are vulnerable.

However, a perhaps easier way is to check your latest catalina.log file.  If it contains this line:
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Then you are susceptible (any version 1.0.1 < 1.0.1g).

Also, if you do have the native libraries in the bin directory, you can check its version by hovering over the tcnative-1.dll file and checking the value of File Version.  The latest is 1.1.29, which has the bug.  I'm not sure at which release the bug was introduced.
Anyone?


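The checks Konstantin, Chris and Jeff describe above, turned into one script. This is an added example for this thread, not code from the Tomcat project or from anyone posting here. It reads the SSL-enabled <Connector> elements out of server.xml and labels each as OpenSSL-backed (SSLCertificateFile / SSLCertificateKeyFile style attributes, or an explicit Apr protocol class) or JSSE-backed (keystoreFile style attributes), confirms whether the AprLifecycleListener has SSLEngine="on", pulls the OpenSSL version out of the "OpenSSL successfully initialized" log line, and tests it against the 1.0.1 to 1.0.1f range. The tcnative range 1.1.24 to 1.1.29 is the one Chris quotes from Bugzilla and says he has not verified, so it is carried here as "reported", not confirmed. The server.xml and catalina log excerpts embedded in the script are constructed for the example.

```python
"""Tell whether a Tomcat 7 install terminates TLS in OpenSSL (APR/tcnative)
or in JSSE, and whether the OpenSSL it reports falls in the Heartbleed range.

Added example for this mailing-list thread; not Tomcat project code. The
server.xml and catalina log excerpts below are constructed to exercise
each branch.
"""
import re
import xml.etree.ElementTree as ET

# Connector attribute names from the Tomcat 7 APR (OpenSSL-style) and JSSE docs.
APR_SSL_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile",
                 "SSLCertificateChainFile", "SSLCACertificateFile"}
JSSE_SSL_ATTRS = {"keystoreFile", "keystorePass", "keystoreType", "truststoreFile"}

# tcnative range quoted from Bugzilla in the thread (explicitly unverified there).
TCNATIVE_REPORTED_RANGE = ((1, 1, 24), (1, 1, 29))


def classify_connectors(server_xml):
    """One dict per SSLEnabled <Connector>: which TLS stack its attributes imply."""
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP: no TLS here, whatever library is loaded
        attrs = set(conn.attrib)
        protocol = conn.get("protocol", "HTTP/1.1")
        if attrs & APR_SSL_ATTRS or "Apr" in protocol:
            backend = "openssl"   # APR connector: tcnative + OpenSSL does the TLS
        elif attrs & JSSE_SSL_ATTRS:
            backend = "jsse"      # Java keystore: JSSE, not affected by Heartbleed
        else:
            backend = "unknown"   # SSLEnabled but no recognisable key material
        results.append({"port": conn.get("port"), "protocol": protocol, "backend": backend})
    return results


def apr_ssl_engine_on(server_xml):
    """True if an AprLifecycleListener is present with SSLEngine="on"."""
    for lst in ET.fromstring(server_xml).iter("Listener"):
        if lst.get("className", "").endswith("AprLifecycleListener"):
            return lst.get("SSLEngine", "").lower() == "on"
    return False


OPENSSL_INIT = re.compile(r"OpenSSL successfully initialized \(OpenSSL (\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_version(log_text):
    """((major, minor, fix), letter) from the tcnative startup line, else None.

    No match means tcnative never initialised OpenSSL in that log: native
    library absent, listener removed, or SSLEngine off."""
    m = OPENSSL_INIT.search(log_text)
    if not m:
        return None
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)


def heartbleed_affected(version):
    """Upstream range: 1.0.1 through 1.0.1f; fixed in 1.0.1g.

    Only the 1.0.1 branch is checked; 0.9.8 and 1.0.0 never carried the
    heartbeat code. A distro that backported the fix (Chris's Debian case)
    still reports 1.0.1e, so True means "affected unless the package is
    known to be patched", not a verdict."""
    base, letter = version
    return base == (1, 0, 1) and letter < "g"


def tcnative_in_reported_range(file_version):
    """True if a tcnative-1.dll File Version string is inside the quoted range."""
    v = tuple(int(x) for x in file_version.split(".")[:3])
    lo, hi = TCNATIVE_REPORTED_RANGE
    return lo <= v <= hi


# Constructed sample: one APR-style and one JSSE-style HTTPS connector, plus plain HTTP.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="conf/server.crt" SSLCertificateKeyFile="conf/server.key" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/bar.ks" keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>
"""

# Constructed sample of the startup line Jeff quotes, in JULI's two-line format.
SAMPLE_CATALINA_LOG = """Apr 09, 2014 12:00:00 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
"""

if __name__ == "__main__":
    for c in classify_connectors(SAMPLE_SERVER_XML):
        print("port %s protocol=%s backend=%s" % (c["port"], c["protocol"], c["backend"]))
    print("AprLifecycleListener SSLEngine on:", apr_ssl_engine_on(SAMPLE_SERVER_XML))
    ver = parse_openssl_version(SAMPLE_CATALINA_LOG)
    print("OpenSSL from log:", ver, "in Heartbleed range:", ver and heartbleed_affected(ver))
    print("tcnative 1.1.29 in reported range:", tcnative_in_reported_range("1.1.29"))
```

Point the functions at the real conf/server.xml and the newest catalina.*.log instead of the samples. On Windows the File Version that Jeff reads by hovering over tcnative-1.dll is the same string PowerShell returns from `(Get-Item .\bin\tcnative-1.dll).VersionInfo.FileVersion`, which can be passed straight to tcnative_in_reported_range. Both version checks only say what a library claims to be; as Chris notes, once the package has been patched and Tomcat restarted, the version string no longer tells you whether the old build was exposed.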


Re: How can I tell which version of OpenSSL is being used with tomcat?

Posted by "James H. H. Lampert" <ja...@touchtonecorp.com>.
On 4/9/14 10:17 AM, Andrew Russell wrote:

> Thank you for the quick response!
>
> It's a mixed bag, some are java keystores and some are pfx files.
>
> So I'm only using OpenSSL if it's marked as such in the configuration file?

All I know is JSSE, myself.

From our own server.xml, running with security by JSSE, on an IBM
Midrange system (the names have been changed to protect the innocent):

> <!-- Define a SSL HTTP/1.1 Connector on port 443
>      This connector uses the JSSE configuration, when using APR, the
>      connector should be using the OpenSSL style configuration
>      described in the APR documentation -->
>
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true"
>            keystoreFile="/foo/tomcat/bar.ks" alias="foobar"
>            clientAuth="false" sslProtocol="TLS" />

--
JHHL



Re: How can I tell which version of OpenSSL is being used with tomcat?

Posted by Andrew Russell <an...@gmail.com>.
On Wed, Apr 9, 2014 at 12:13 PM, James H. H. Lampert <
jamesl@touchtonecorp.com> wrote:

> On 4/9/14 10:01 AM, Andrew Russell wrote:
>
>> If I installed tomcat on windows using the service installer, how can I
>> know which version of openssl was used?
>>
>
> All I know is that if you're using a Java keystore and Keytool (or
> KeyStore Explorer) to set it up and maintain it, you're most likely not
> using ANY version of OpenSSL; you're using JSSE (which isn't affected by
> HeartBleed) instead.
>
> Given that I've never set up security for Tomcat on any platform other
> than an IBM Midrange system (on which JSSE seems to be the only viable
> choice for SSL in Tomcat), I was actually rather astonished when I first
> learned that other platforms usually used OpenSSL.
>
> --
> JHHL
>
>
Thank you for the quick response!

It's a mixed bag, some are java keystores and some are pfx files.

So I'm only using OpenSSL if it's marked as such in the configuration file?

Re: How can I tell which version of OpenSSL is being used with tomcat?

Posted by "James H. H. Lampert" <ja...@touchtonecorp.com>.
On 4/9/14 10:01 AM, Andrew Russell wrote:
> If I installed tomcat on windows using the service installer, how can I
> know which version of openssl was used?

All I know is that if you're using a Java keystore and Keytool (or 
KeyStore Explorer) to set it up and maintain it, you're most likely not 
using ANY version of OpenSSL; you're using JSSE (which isn't affected by 
HeartBleed) instead.

Given that I've never set up security for Tomcat on any platform other 
than an IBM Midrange system (on which JSSE seems to be the only viable 
choice for SSL in Tomcat), I was actually rather astonished when I first
learned that other platforms usually used OpenSSL.

--
JHHL

