Posted to dev@tomee.apache.org by ihunter <ih...@hotmail.com> on 2014/04/10 14:18:36 UTC

OpenSSL Version and HeartBleed

Hi Folks,

Sorry about this - we're having a dose of paranoia regarding HeartBleed.

I *believe* that TomEE 1.6.0 comes with OpenSSL at version 1.0.1c.

I don't know about our old installation Tomcat 6.0.35.

Can someone please give me a definitive answer on what versions are
involved, and if we need to take any action on this HeartBleed thing.

Many Thanks
Ian Hunter



--
View this message in context: http://openejb.979440.n4.nabble.com/OpenSSL-Version-and-HeartBleed-tp4668702.html
Sent from the OpenEJB Dev mailing list archive at Nabble.com.

Re: OpenSSL Version and HeartBleed

Posted by Thiago Veronezi <th...@veronezi.org>.
> That's one reason why I opted for a TomEE Linux package that doesn't redistribute
> each and every dependency but re-uses those provided by the OS already :)
Yup... I realized that in the first line of your email. :) This is a pretty
good example.

[]s,
Thiago.




On Fri, Apr 11, 2014 at 3:09 PM, dsh <da...@gmail.com> wrote:

> Hi,
>
> I'd suppose that the OpenSSL version used by APR depends on the OpenSSL
> version provided by the underlying OS too. Additionally that yet doesn't
> say anything about the heartbleed vulnerability cause OpenSSL could have
> been deactivated by the corresponding compile flag (-DOPENSSL_NO_HEARTBEATS
> ).
>
> The above statement concerning [1] only applies to Windows where each app
> usually ships its own version of OpenSSL as a dependency. As you can see in
> certain situations this has a major drawback cause now each app distributor
> must provide a support statement that certifies that the bundled OpenSSL
> version isn't vulnerable or has been updated.
>
> That's one reason why I opted for a TomEE Linux package that doesn't
> redistribute each and every dependency but re-uses those provided by the OS
> already :)
>
> [1] http://people.apache.org/~mturk/native/1.1.30/
>
> Cheers
> Daniel
>
>
>
> Cheers
> Daniel
>
>
> On Fri, Apr 11, 2014 at 5:03 PM, frapien <Fr...@gmx.de> wrote:
>
> > Apache Tomcat Native library 1.1.30 using APR version 1.4.8 using OpenSSL
> > 1.0.1g you can use from ...
> >
> > http://people.apache.org/~mturk/native/1.1.30/
> >
> >
> >
> > --
> > View this message in context:
> >
> http://openejb.979440.n4.nabble.com/OpenSSL-Version-and-HeartBleed-tp4668702p4668722.html
> > Sent from the OpenEJB Dev mailing list archive at Nabble.com.
> >
>

Re: OpenSSL Version and HeartBleed

Posted by dsh <da...@gmail.com>.
Hi,

You are welcome. Quite frankly I think the actual flaw in this matter isn't
in the code but sits in front of the computer. Actually it looks like the
mindset of many people seems to be flawed in regards to how they think open
source development actually works. These mindsets are kind of demanding as
such as people think things such as heartbleed should not happen. The
contrary is the case. Such things will happen every now and then if the
boundary constraints aren't set accordingly (e.g. see Conway's law).

Here in this particular case it is said a C developer should never make
such trivial mistakes. I even read some statements that OF COURSE such
flaws need to happen if somebody does a commit sometime around midnight on
New Year's Eve. That completely neglects how open source development
actually works. And it probably means we should stop coding altogether
right now, considering the habits many of us actually have :)

We all know that OSS is made possible by volunteers where each one probably
dedicates his/her personal time to a bunch of different projects. That
means OSS developers are usually not committed at a full time basis to be
able to work on a single particular domain.

That said, I think the boundary constraints for OSS projects actually need
to be adjusted instead of making OSS developers personally responsible for
their mistakes. If the boundary constraints are set up accordingly they will
serve as a first line of defense to prevent such "oversights".

On a final note. It is as well curious that commercial entities don't seem
to audit OSS accordingly in support of deactivating unnecessary features
via an appropriate compiler or autoconf flag (here:
-DOPENSSL_NO_HEARTBEATS). Actually it took two years until an audit caught
the "oversight". Instead many companies seem to be using either the
official binaries without modification or they don't much care about fine
tuning compiler options or autoconf flags :)

Cheers
Daniel


On Sat, Apr 12, 2014 at 9:40 AM, Jean-Louis MONTEIRO <je...@gmail.com> wrote:

> Thanks Daniel for this interesting and accurate answer.
>
>
> 2014-04-11 21:09 GMT+02:00 dsh <da...@gmail.com>:
>
> > Hi,
> >
> > I'd suppose that the OpenSSL version used by APR depends on the OpenSSL
> > version provided by the underlying OS too. Additionally that yet doesn't
> > say anything about the heartbleed vulnerability cause OpenSSL could have
> > been deactivated by the corresponding compile flag
> (-DOPENSSL_NO_HEARTBEATS
> > ).
> >
> > The above statement concerning [1] only applies to Windows where each app
> > usually ships its own version of OpenSSL as a dependency. As you can see
> in
> > certain situations this has a major drawback cause now each app
> distributor
> > must provide a support statement that certifies that the bundled OpenSSL
> > version isn't vulnerable or has been updated.
> >
> > That's one reason why I opted for a TomEE Linux package that doesn't
> > redistribute each and every dependency but re-uses those provided by the
> OS
> > already :)
> >
> > [1] http://people.apache.org/~mturk/native/1.1.30/
> >
> > Cheers
> > Daniel
> >
> >
> >
> > Cheers
> > Daniel
> >
> >
> > On Fri, Apr 11, 2014 at 5:03 PM, frapien <Fr...@gmx.de> wrote:
> >
> > > Apache Tomcat Native library 1.1.30 using APR version 1.4.8 using
> OpenSSL
> > > 1.0.1g you can use from ...
> > >
> > > http://people.apache.org/~mturk/native/1.1.30/
> > >
> > >
> > >
> > > --
> > > View this message in context:
> > >
> >
> http://openejb.979440.n4.nabble.com/OpenSSL-Version-and-HeartBleed-tp4668702p4668722.html
> > > Sent from the OpenEJB Dev mailing list archive at Nabble.com.
> > >
> >
>
>
>
> --
> Jean-Louis
>

Re: OpenSSL Version and HeartBleed

Posted by Jean-Louis MONTEIRO <je...@gmail.com>.
Thanks Daniel for this interesting and accurate answer.


2014-04-11 21:09 GMT+02:00 dsh <da...@gmail.com>:

> Hi,
>
> I'd suppose that the OpenSSL version used by APR depends on the OpenSSL
> version provided by the underlying OS too. Additionally that yet doesn't
> say anything about the heartbleed vulnerability cause OpenSSL could have
> been deactivated by the corresponding compile flag (-DOPENSSL_NO_HEARTBEATS
> ).
>
> The above statement concerning [1] only applies to Windows where each app
> usually ships its own version of OpenSSL as a dependency. As you can see in
> certain situations this has a major drawback cause now each app distributor
> must provide a support statement that certifies that the bundled OpenSSL
> version isn't vulnerable or has been updated.
>
> That's one reason why I opted for a TomEE Linux package that doesn't
> redistribute each and every dependency but re-uses those provided by the OS
> already :)
>
> [1] http://people.apache.org/~mturk/native/1.1.30/
>
> Cheers
> Daniel
>
>
>
> Cheers
> Daniel
>
>
> On Fri, Apr 11, 2014 at 5:03 PM, frapien <Fr...@gmx.de> wrote:
>
> > Apache Tomcat Native library 1.1.30 using APR version 1.4.8 using OpenSSL
> > 1.0.1g you can use from ...
> >
> > http://people.apache.org/~mturk/native/1.1.30/
> >
> >
> >
> > --
> > View this message in context:
> >
> http://openejb.979440.n4.nabble.com/OpenSSL-Version-and-HeartBleed-tp4668702p4668722.html
> > Sent from the OpenEJB Dev mailing list archive at Nabble.com.
> >
>



-- 
Jean-Louis

Re: OpenSSL Version and HeartBleed

Posted by dsh <da...@gmail.com>.
Hi,

I'd suppose that the OpenSSL version used by APR depends on the OpenSSL
version provided by the underlying OS too. Additionally that yet doesn't
say anything about the heartbleed vulnerability cause OpenSSL could have
been deactivated by the corresponding compile flag (-DOPENSSL_NO_HEARTBEATS
).

The above statement concerning [1] only applies to Windows where each app
usually ships its own version of OpenSSL as a dependency. As you can see in
certain situations this has a major drawback cause now each app distributor
must provide a support statement that certifies that the bundled OpenSSL
version isn't vulnerable or has been updated.

That's one reason why I opted for a TomEE Linux package that doesn't
redistribute each and every dependency but re-uses those provided by the OS
already :)

[1] http://people.apache.org/~mturk/native/1.1.30/

Cheers
Daniel



Cheers
Daniel


On Fri, Apr 11, 2014 at 5:03 PM, frapien <Fr...@gmx.de> wrote:

> Apache Tomcat Native library 1.1.30 using APR version 1.4.8 using OpenSSL
> 1.0.1g you can use from ...
>
> http://people.apache.org/~mturk/native/1.1.30/
>
>
>
> --
> View this message in context:
> http://openejb.979440.n4.nabble.com/OpenSSL-Version-and-HeartBleed-tp4668702p4668722.html
> Sent from the OpenEJB Dev mailing list archive at Nabble.com.
>

Re: OpenSSL Version and HeartBleed

Posted by frapien <Fr...@gmx.de>.
Apache Tomcat Native library 1.1.30 using APR version 1.4.8 using OpenSSL
1.0.1g you can use from ...

http://people.apache.org/~mturk/native/1.1.30/




Re: OpenSSL Version and HeartBleed

Posted by agumbrecht <ag...@tomitribe.com>.
TomEE or Tomcat do not actually ship OpenSSL, but have mechanisms such as APR
that can utilize it. You should ensure that the OpenSSL installed on your
machines is up to date.

See the following to get a better feel as to where OpenSSL has a potential
surface area with TomEE/Tomcat:

https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
https://tomcat.apache.org/tomcat-7.0-doc/apr.html

Andy




Re: OpenSSL Version and HeartBleed

Posted by Jean-Louis Monteiro <jl...@tomitribe.com>.
Indeed

   --
    Jean-Louis Monteiro
    http://twitter.com/jlouismonteiro
    http://www.tomitribe.com


On Wed, Apr 23, 2014 at 10:35 AM, dsh <da...@gmail.com> wrote:

> Another perspective on this matter:
>
> "Returning to Heartbleed, one thing conspicuously missing from the
> downshouting against OpenSSL is any pointer to a closed-source
> implementation that is known to have a lower defect rate over time. This is
> for the very good reason that no such empirically-better implementation
> exists." - Eric S. Raymond
>
> Cheers
> Daniel
>
>
> On Mon, Apr 14, 2014 at 7:22 AM, Romain Manni-Bucau
> <rm...@gmail.com> wrote:
>
> > Well, it depends a lot on your config. Even Tomcat 7.0.53 is vulnerable to
> > heartbleed (fix release in progress with tc native)...but only if you use
> > native. In summary, if you don't use APR you are safe (JSSE typically).
> > On 13 Apr 2014 23:10, "ihunter" <ih...@hotmail.com> wrote:
> >
> > > Hi Folks,
> > >
> > > Sorry about this - we're having a dose of paranoia regarding
> HeartBleed.
> > >
> > > I *believe* that TomEE 1.6.0 comes with OpenSSL at version 1.0.1c.
> > >
> > > I don't know about our old installation Tomcat 6.0.35.
> > >
> > > Can someone please give me a definitive answer on what versions are
> > > involved, and if we need to take any action on this HeartBleed thing.
> > >
> > > Many Thanks
> > > Ian Hunter
> > >
> > >
> > >
> > > --
> > > View this message in context:
> > >
> >
> http://openejb.979440.n4.nabble.com/OpenSSL-Version-and-HeartBleed-tp4668702.html
> > > Sent from the OpenEJB Dev mailing list archive at Nabble.com.
> > >
> >
>

Re: OpenSSL Version and HeartBleed

Posted by dsh <da...@gmail.com>.
Another perspective on this matter:

"Returning to Heartbleed, one thing conspicuously missing from the
downshouting against OpenSSL is any pointer to a closed-source
implementation that is known to have a lower defect rate over time. This is
for the very good reason that no such empirically-better implementation
exists." - Eric S. Raymond

Cheers
Daniel


On Mon, Apr 14, 2014 at 7:22 AM, Romain Manni-Bucau
<rm...@gmail.com> wrote:

> Well, it depends a lot on your config. Even Tomcat 7.0.53 is vulnerable to
> heartbleed (fix release in progress with tc native)...but only if you use
> native. In summary, if you don't use APR you are safe (JSSE typically).
> On 13 Apr 2014 23:10, "ihunter" <ih...@hotmail.com> wrote:
>
> > Hi Folks,
> >
> > Sorry about this - we're having a dose of paranoia regarding HeartBleed.
> >
> > I *believe* that TomEE 1.6.0 comes with OpenSSL at version 1.0.1c.
> >
> > I don't know about our old installation Tomcat 6.0.35.
> >
> > Can someone please give me a definitive answer on what versions are
> > involved, and if we need to take any action on this HeartBleed thing.
> >
> > Many Thanks
> > Ian Hunter
> >
> >
> >
> > --
> > View this message in context:
> >
> http://openejb.979440.n4.nabble.com/OpenSSL-Version-and-HeartBleed-tp4668702.html
> > Sent from the OpenEJB Dev mailing list archive at Nabble.com.
> >
>

Re: OpenSSL Version and HeartBleed

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Well, it depends a lot on your config. Even Tomcat 7.0.53 is vulnerable to
heartbleed (fix release in progress with tc native)...but only if you use
native. In summary, if you don't use APR you are safe (JSSE typically).
On 13 Apr 2014 23:10, "ihunter" <ih...@hotmail.com> wrote:

> Hi Folks,
>
> Sorry about this - we're having a dose of paranoia regarding HeartBleed.
>
> I *believe* that TomEE 1.6.0 comes with OpenSSL at version 1.0.1c.
>
> I don't know about our old installation Tomcat 6.0.35.
>
> Can someone please give me a definitive answer on what versions are
> involved, and if we need to take any action on this HeartBleed thing.
>
> Many Thanks
> Ian Hunter
>
>
>
> --
> View this message in context:
> http://openejb.979440.n4.nabble.com/OpenSSL-Version-and-HeartBleed-tp4668702.html
> Sent from the OpenEJB Dev mailing list archive at Nabble.com.
>
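The thread's answers boil down to two checks an operator can script: Andy's point that TomEE/Tomcat do not ship OpenSSL but can reach it through APR/tcnative (so the OS copy is what matters), and Romain's point that only connectors actually served by the native library are exposed, JSSE ones being unaffected. The script below is an added example, not code from the thread or from the Tomcat/TomEE projects. It reads a constructed `server.xml` fragment and labels each `<Connector>` with the TLS stack that would serve it, following Tomcat's documented rule that the short `HTTP/1.1` and `AJP/1.3` protocol names auto-select APR when `AprLifecycleListener` has loaded the native library and fall back to Java otherwise; it then classifies an `openssl version -a` banner against the upstream affected range (1.0.1 through 1.0.1f and 1.0.2-beta1) and looks for the `-DOPENSSL_NO_HEARTBEATS` define that Daniel mentions, which the banner's compiler line echoes. The banners and the server.xml are constructed sample input; the status labels are this example's own names.

```python
"""Heuristic Heartbleed exposure check for a Tomcat/TomEE server.xml plus an
`openssl version -a` banner.  Added example, not from the thread or the
projects; sample server.xml and banners are constructed."""
import re
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
# Java-side TLS stacks (JSSE): OpenSSL is not involved.
JSSE_PROTOCOLS = {
    "org.apache.coyote.http11.Http11Protocol",
    "org.apache.coyote.http11.Http11NioProtocol",
}
# Short names Tomcat resolves to APR when the native library was loaded by
# AprLifecycleListener, and to the Java implementation otherwise.
AUTO_PROTOCOLS = {"HTTP/1.1", "AJP/1.3"}

# Constructed sample: an auto-selected plain connector, an explicit APR TLS
# connector, and an NIO (JSSE) TLS connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="/path/to/cert.pem"
               SSLCertificateKeyFile="/path/to/key.pem" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore.jks" keystorePass="changeit" />
  </Service>
</Server>
"""


def classify_connectors(server_xml: str) -> list:
    """One dict per <Connector>: port, protocol, TLS on/off and the stack that
    would serve it: "openssl", "jsse", or "openssl-if-native-loaded"."""
    root = ET.fromstring(server_xml)
    apr_listener = any(l.get("className") == APR_LISTENER
                       for l in root.iter("Listener"))
    out = []
    for c in root.iter("Connector"):
        proto = c.get("protocol", "HTTP/1.1")
        tls = c.get("SSLEnabled", "false").lower() == "true"
        if proto == APR_PROTOCOL:
            stack = "openssl"
        elif proto in JSSE_PROTOCOLS:
            stack = "jsse"
        elif proto in AUTO_PROTOCOLS:
            stack = "openssl-if-native-loaded" if apr_listener else "jsse"
        else:
            stack = "unknown"
        out.append({"port": c.get("port"), "protocol": proto,
                    "tls": tls, "stack": stack})
    return out


def openssl_exposed_ports(server_xml: str) -> list:
    """Ports of TLS connectors that may be terminated by OpenSSL via tcnative.
    Heartbleed is a TLS-layer bug, so plain-HTTP APR connectors are excluded."""
    return [c["port"] for c in classify_connectors(server_xml)
            if c["tls"] and c["stack"].startswith("openssl")]


def parse_openssl_version(banner: str):
    """'OpenSSL 1.0.1e-fips 11 Feb 2013' -> (1, 0, 1, 'e'); None if absent."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def assess_openssl(version_a_output: str) -> dict:
    """Classify `openssl version -a` output by upstream version.  1.0.1 through
    1.0.1f and 1.0.2-beta1 are affected; 1.0.1g, 1.0.0 and 0.9.8 are not.
    The banner cannot see distro backports (a patched 1.0.1e keeps its
    version), so read 'vulnerable-by-version' as 'confirm via the package
    changelog', not as a verdict."""
    v = parse_openssl_version(version_a_output)
    # The compiler line echoes the build-time -D flags, which is where a
    # -DOPENSSL_NO_HEARTBEATS build shows up.
    heartbeats_off = "-DOPENSSL_NO_HEARTBEATS" in version_a_output
    if v is None:
        status = "unknown"
    elif v[:3] == (1, 0, 1) and v[3] < "g":
        status = "vulnerable-by-version"
    elif v[:3] == (1, 0, 2) and "1.0.2-beta1" in version_a_output:
        status = "vulnerable-by-version"
    else:
        status = "not-affected-by-version"
    if status == "vulnerable-by-version" and heartbeats_off:
        status = "mitigated-heartbeats-compiled-out"
    return {"version": v, "status": status,
            "heartbeats_compiled_out": heartbeats_off}


if __name__ == "__main__":
    for c in classify_connectors(SAMPLE_SERVER_XML):
        print(c)
    print("TLS ports that may use OpenSSL:", openssl_exposed_ports(SAMPLE_SERVER_XML))
    # Constructed banners in the shape `openssl version -a` prints.
    print(assess_openssl("OpenSSL 1.0.1e-fips 11 Feb 2013\ncompiler: gcc -DOPENSSL_THREADS"))
    print(assess_openssl("OpenSSL 1.0.1g 7 Apr 2014"))
```

Feed it the real `conf/server.xml` and the output of `openssl version -a` from the host running TomEE; a connector labelled `openssl-if-native-loaded` needs the catalina log checked for the tcnative "Loaded APR based Apache Tomcat Native library" line before it can be ruled in or out, and any `vulnerable-by-version` result on a distro package should be confirmed against the vendor's changelog, since Debian, Red Hat and others shipped the fix as a rebuild of 1.0.1e rather than as 1.0.1g.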