top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Does heartbleeding bug impact on Tomcat 6.x, 7.x and 8.x

0 votes
567 views

Does heartbleeding bug impact on Tomcat 6.x, 7.x and 8.x ? I noticed that Tomcat native connector version 1.1.22 uses : OpenSSL 0.9.8 which doesn't have the heartbleeding bug, but 1.1.24 and 1.1.29 also include the buggy openssl.

How can I find which version of Tomcat uses which version of Tomcat native connector ? For example, how can I figure out which version of Tomcat native connector is used by Tomcat 7.0 build 47.

posted Apr 10, 2014 by Abhay Kulkarni

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button
Check the following link: http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_47/build.properties.default

Section: Tomcat native library
commented Apr 10, 2014 by Dewang Chaudhary

1 Answer

+1 vote

If you use JSSE for your SSL support, then you're not affected, no matter what version of OpenSSL your Tomcat uses.

Kind of makes all that futzing around with Keytool (because JSSE is apparently the only SSL option for Tomcat on an IBM Midrange box) all worth it. ;-)

answer Apr 10, 2014 by anonymous
Similar Questions
0 votes
Tomcat config: 'compression' versus 'SSLDisableCompression'

I was wondering if someone could clarify the difference between the configuration parameters 'compression' versus 'SSLDisableCompression' or point me to some documentation that explains it?

Do they both refer to the same type of compression?

Based on the Tomcat docs I know the former controls whether or not the connector uses gzip compression. Regarding the latter, the Tomcat docs say:
"Disables compression if set to true and OpenSSL supports disabling compression.". Is that referring to a different type of compression?

Here is the behavior I'm seeing:

--compression=on and SSLDisableCompression=false, the responses are gzip'd
--compression=on and SSLDisableCompression=true, the responses are gzip'd
--compression=off and SSLDisableCompression=false, the responses are not gzip'd

Environment:

Tomcat 7.0.40
Java 7
RHEL (Linux)
APR/native connector with SSL
OpenSSL 1.0.0
APR 1.4.8
+1 vote
How to create custom session and cookie in Tomcat 7/8 ?

I'm trying to figure out how I can create custom session cookies. I've found the Manager interface for creating the sessions, but there's nothing about the actual session cookie. I don't see anything in the Valve interface that will let me do this either. Is this possible in Tomcat 7 (or 8?).

0 votes
Security Headers Implementation in Tomcat 6.x version

We are using Tomcat 6.x version and we need to implement the following headers in our environment.

Headers:
1) Strict-Transport-Security
2) Content-Security-Policy
3) Public-Key-Pins
4) X-Frame-Options
5) X-XSS-Protection
6) X-Content-Type-Options
7) X-Robots-Tag

When I checked the Tomcat 6 version webpage (https://tomcat.apache.org/tomcat-6.0-doc/config/filter.html), I don't see any filters that implement any these headers. Some of them are available in Tomcat 7 version webpage (https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html), but we cannot upgrade to Tomcat 7.x version due to some constraints.

Can you kindly guide me how to implement these headers in Tomcat 6.x version. All your comments on this topic are welcome.

0 votes
Application Deployment in Tomcat 7.X

We are using tomcat 7.X for our project. So far we deploy only one application in tomcat.

Now we are planning to deploy one more application with existing one.

There is requirement that failure of deployment of new application should not affect existing application deployment and tomcat startup. As per my understanding, If any application deployment fails, Tomcat startup will fail.

Please let us know if there is any way to start the tomcat in case of failure of one application deployment also.

+2 votes
Tomcat: Behavior changed from 5.x to 7.x

I got a Problem with Tomcat deployment. I am using TC 7.0.42, OS: Win2k8r2, J 1.7.0._45.

We used to deploy unpacked webapps (dirs) on a Tomcat 5.0.26 outside the Webapps-dir. We used the manager (web-IF) to deploy these apps, giving the context name and the local directory. The tomcat ran the app from this location. It creates a .xml in it's config dir.

Now in TC7, the tomcat COPIES the APP from the given location to the default Webapps directory. But we want it to run from where it is, not a copy. One way to archieve this is to manually create a .xml file in the conf/server/localhost dir. But our deployment process needs it to be done via web interface. So, is there any possibility to configure tomcat 7 to behave like tomcat 5 when deploying local webapp directories from outside the webapps dir? I tried autoDeploy and unpackWars to false, but it didn't help. :(

...