Getting a grasp on Heartbleed and IDPs
Ian Young
ian at iay.org.uk
Thu Apr 10 13:32:01 EDT 2014
On 10 Apr 2014, at 18:25, Nate Klingenstein <ndk at internet2.edu> wrote:
> Wherein Apache was protecting 8443, of course. Sorry. If you're a Tomcat-only IdP deployment, your exposure from this vulnerability is basically nil.
I think we still have concerns that a Tomcat-only deployment may be vulnerable if it was configured to use the Apache Portable Runtime as an SSL accelerator, as it would mean that there was a live OpenSSL inside the same process as the JVM.
If anyone has any definitive information about this either way it would be really helpful.
-- Ian