Getting a grasp on Heartbleed and IDPs

Cantor, Scott cantor.2 at
Thu Apr 10 13:39:32 EDT 2014

On 4/10/14, 1:32 PM, "Ian Young" <ian at> wrote:
> On 10 Apr 2014, at 18:25, Nate Klingenstein <ndk at> wrote:
>> Wherein Apache was protecting 8443, of course.  Sorry.  If you're a
>> Tomcat-only IdP deployment, your exposure from this vulnerability is
>> basically nil.
> I think we still have concerns that a Tomcat-only deployment may be
> vulnerable if it was configured to use the Apache Portable Runtime as an
> SSL accelerator, as it would mean that there was a live OpenSSL inside
> the same process as the JVM.
> If anyone has any definitive information about this either way it would
> be really helpful.

I don't have any information on the continued relevance of that option,
but I can definitely say that if you use the APR connector for TLS in
Tomcat (that's APR, not AJP, two different things), you would be subject
to the issue if the version of OpenSSL was affected.

-- Scott
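The practical question raised in this thread is whether a given Tomcat instance actually terminates TLS on the APR/native connector (tcnative, which links OpenSSL into the JVM process) rather than on a Java connector using JSSE. The script below is an added example for checking that from server.xml; it is not part of the thread and not Shibboleth or Tomcat project code. It assumes Tomcat 6/7-era server.xml syntax, and it assumes the documented Tomcat behaviour that protocol="HTTP/1.1" (or no protocol attribute) auto-selects the APR connector when the native library is loaded via AprLifecycleListener, so such connectors are reported as "auto" rather than as safe. The sample server.xml in the usage note is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: classify the TLS-enabled
# <Connector> elements in a Tomcat server.xml by whether they run on the
# APR/native connector. An APR TLS connector means OpenSSL lives inside the
# JVM process, so an affected OpenSSL build would expose a Tomcat-only IdP
# to Heartbleed; a Java connector (JSSE) would not.
#
# Assumptions (not verified against any particular Tomcat release here):
#  - Tomcat 6/7-era server.xml layout, one <Connector .../> per element.
#  - protocol="HTTP/1.1" or a missing protocol attribute auto-switches to
#    APR when tcnative is loadable and AprLifecycleListener is configured,
#    so those connectors are reported as "auto", not "java".

# Flatten the file to one line and strip XML comments so that the
# commented-out HTTPS connector shipped in Tomcat's default server.xml is
# not mistaken for a live one. The comment regex cannot run past the first
# "-->" because the group never consumes two consecutive hyphens.
flat_xml() {
    tr '\n' ' ' < "$1" | sed -E 's/<!--([^-]|-[^-])*-->//g'
}

# Usage: tls_connectors server.xml
# Prints "<port> <class>" for every Connector with SSLEnabled="true":
#   apr  - explicit Http11AprProtocol: OpenSSL in-process
#   java - explicit Http11Protocol / Http11NioProtocol / Http11Nio2Protocol
#   auto - HTTP/1.1 or unspecified: APR if the native library loads at start
tls_connectors() {
    flat_xml "$1" | awk 'BEGIN { RS = "<" }
        /^Connector[ \t]/ && /SSLEnabled="true"/ {
            port = "?"; proto = ""
            if (match($0, / port="[^"]*"/))
                port = substr($0, RSTART + 7, RLENGTH - 8)
            if (match($0, / protocol="[^"]*"/))
                proto = substr($0, RSTART + 11, RLENGTH - 12)
            if (proto ~ /Http11AprProtocol/)
                cls = "apr"
            else if (proto ~ /Http11(Nio2?)?Protocol/)
                cls = "java"
            else
                cls = "auto"
            print port, cls
        }'
}

# Usage: apr_listener server.xml
# Prints "yes" if an uncommented AprLifecycleListener is configured, i.e.
# Tomcat will try to load tcnative (and therefore OpenSSL) at startup.
apr_listener() {
    if flat_xml "$1" | grep -q 'Listener[^>]*AprLifecycleListener'; then
        echo yes
    else
        echo no
    fi
}

# Usage: tcnative_openssl /path/to/libtcnative-1.so
# Shows which libssl/libcrypto the native connector would resolve at load
# time, so the running OpenSSL version can be checked against the advisory.
# A tcnative built with OpenSSL linked statically prints nothing here; for
# that case look for the OpenSSL version banner with strings(1) instead.
tcnative_openssl() {
    ldd "$1" | grep -E 'libssl|libcrypto'
}
```

Running tls_connectors against a server.xml whose only live HTTPS connector is protocol="org.apache.coyote.http11.Http11AprProtocol" prints "8443 apr"; a connector on Http11NioProtocol prints "java"; an SSLEnabled connector with no protocol attribute prints "auto", and if apr_listener also says "yes" that connector should be treated as an APR one until the loaded OpenSSL has been checked with tcnative_openssl.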
