Jess Holle wrote:
FYI, it would appear that this is a case of someone passing a
ServletRequest object to another thread and invoking methods on it at
just the wrong point in time so as to utterly corrupt a later request.
Changing the code to make an appropriate copy of the ServletRequest
object and pass that in
Much as I loathe downgrading, would it be possible/advisable to downgrade the
native libraries to 1.1.23 with Tomcat 7.0.50?
That version is the last to use a pre-1.0.1 version of OpenSSL (1.0.0g).
This could help us at least until we get a blessed version from the APR team?
Jeffrey Janner
Sr. N
> -Original Message-
> From: Andrew Russell [mailto:andrew.russ...@gmail.com]
> Sent: Wednesday, April 09, 2014 12:02 PM
> To: users@tomcat.apache.org
> Subject: How can I tell which version of OpenSSL is being used with
> tomcat?
>
> If I installed tomcat on windows using the service inst
On 4/9/14 10:17 AM, Andrew Russell wrote:
Thank you for the quick response!
It's a mixed bag, some are java keystores and some are pfx files.
So I'm only using OpenSSL if it's marked as such in the configuration file?
All I know is JSSE, myself.
From our own server.xml, running with securit
On Wed, Apr 9, 2014 at 12:13 PM, James H. H. Lampert <
jam...@touchtonecorp.com> wrote:
> On 4/9/14 10:01 AM, Andrew Russell wrote:
>
>> If I installed tomcat on windows using the service installer, how can I
>> know which version of openssl was used?
>>
>
> All I know is that if you're using a Ja
On 4/9/14 10:01 AM, Andrew Russell wrote:
If I installed tomcat on windows using the service installer, how can I
know which version of openssl was used?
All I know is that if you're using a Java keystore and Keytool (or
KeyStore Explorer) to set it up and maintain it, you're most likely not
If I installed tomcat on windows using the service installer, how can I
know which version of openssl was used?
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, April 08, 2014 6:27 PM
> To: Tomcat Users List
> Subject: Re: Windows tcnative openssl ciphers question
>
> Jeffrey,
>
> On 4/7/14
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, April 09, 2014 12:25 AM
> To: Tomcat Users List
> Subject: Re: Does the HeartBleed vulnerability affect Apache Tomcat
> servers using Tomcat Native?
>
>
> Arlo,
>
> On 4/8/14, 5:36 P
Chris,
On 9.4.2014 14:53, Christopher Schultz wrote:
My recommendation would be to treat everything OpenSSL touches as
tainted and re-key anyway.
[I will assume we are talking about OpenSSH implementation.]
That depends on the definition of "what OpenSSL touches". OpenSSL
consists of two l
On Wed, Apr 9, 2014 at 2:53 PM, Christopher Schultz
wrote:
> Ognjen,
>
> On 4/9/14, 3:30 AM, Ognjen Blagojevic wrote:
>> On 9.4.2014 9:49, André Warnier wrote:
>>> I wonder if I may ask this list-OT question to the SSH experts on
>>> the list :
Ognjen,
On 4/9/14, 3:30 AM, Ognjen Blagojevic wrote:
> On 9.4.2014 9:49, André Warnier wrote:
>> I wonder if I may ask this list-OT question to the SSH experts on
>> the list :
>>
>> I run some 25 webservers (Apache httpd-only, Tomcat-only, or
>> A
Arlo,
On 4/8/14, 4:36 PM, Arlo White wrote:
> What would the Tomcat code change be?
No code changes, even at the tcnative level. It just requires a
re-link (remember, it's statically-linked on win32) with a safe
OpenSSL build.
> I suppose it'd be
Ognjen,
On 4/9/14, 3:16 AM, Ognjen Blagojevic wrote:
> Chris,
>
> On 9.4.2014 7:22, Christopher Schultz wrote:
>> -1
>>
>> Switching to JSSE only stops the hemorrhaging. You should
>> consider all your server keys compromised if OpenSSL 1.0.1 w
Ognjen Blagojevic wrote:
André,
On 9.4.2014 9:49, André Warnier wrote:
I wonder if I may ask this list-OT question to the SSH experts on the
list :
I run some 25 webservers (Apache httpd-only, Tomcat-only, or Apache
httpd + Tomcat).
I do not use HTTPS on any of them.
But I use SSH (OpenSSH) to
Hey,
I just modified service.bat to set the JRE_HOME. It is working really well
now.
Thanks for the help.
Akshay Jain
André,
On 9.4.2014 9:49, André Warnier wrote:
I wonder if I may ask this list-OT question to the SSH experts on the
list :
I run some 25 webservers (Apache httpd-only, Tomcat-only, or Apache
httpd + Tomcat).
I do not use HTTPS on any of them.
But I use SSH (OpenSSH) to connect to them over the
I have been using tomcat 6.0.18 with myfaces 1.2.2 and it works well. I
now have to upgrade to tomcat 6.0.32 and the application fails to work.
The error is strange - there is no exception, no problem visible in
logs, seems like the data from input fields is just not submitted. It is
probably co
Chris,
On 9.4.2014 7:22, Christopher Schultz wrote:
-1
Switching to JSSE only stops the hemorrhaging. You should consider all
your server keys compromised if OpenSSL 1.0.1 was used (prior to "g"
patch level). If you switch to JSSE, your key may already have been
compromised, so the switch doe
I wonder if I may ask this list-OT question to the SSH experts on the list :
I run some 25 webservers (Apache httpd-only, Tomcat-only, or Apache httpd +
Tomcat).
I do not use HTTPS on any of them.
But I use SSH (OpenSSH) to connect to them over the Internet for support purposes, with
"authorize