Getting a grasp on Heartbleed and IDPs

Ian Young ian at
Thu Apr 10 13:32:01 EDT 2014

On 10 Apr 2014, at 18:25, Nate Klingenstein <ndk at> wrote:

> Wherein Apache was protecting 8443, of course.  Sorry.  If you're a Tomcat-only IdP deployment, your exposure from this vulnerability is basically nil.

I think we still have concerns that a Tomcat-only deployment may be vulnerable if it was configured to use the Apache Portable Runtime as an SSL accelerator, as it would mean that there was a live OpenSSL inside the same process as the JVM.

If anyone has any definitive information about this either way it would be really helpful.

	-- Ian
