Getting a grasp on Heartbleed and IDPs

Cantor, Scott cantor.2 at osu.edu
Thu Apr 10 13:39:32 EDT 2014


On 4/10/14, 1:32 PM, "Ian Young" <ian at iay.org.uk> wrote:
>
>On 10 Apr 2014, at 18:25, Nate Klingenstein <ndk at internet2.edu> wrote:
>
>> Wherein Apache was protecting 8443, of course.  Sorry.  If you're a
>>Tomcat-only IdP deployment, your exposure from this vulnerability is
>>basically nil.
>
>I think we still have concerns that a Tomcat-only deployment may be
>vulnerable if it was configured to use the Apache Portable Runtime as an
>SSL accelerator, as it would mean that there was a live OpenSSL inside
>the same process as the JVM.
>
>If anyone has any definitive information about this either way it would
>be really helpful.

I don't have any information on the continued relevance of that option,
but I can definitely say that if you use the APR connector for TLS in
Tomcat (that's APR, not AJP, two different things), you would be subject
to the issue if the version of OpenSSL was affected.

-- Scott
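A configuration audit in the spirit of Scott's point above, added here as an example and not part of the thread: it parses a Tomcat server.xml and reports the TLS connectors whose handshakes would run inside OpenSSL via the APR/native connector (as opposed to JSSE). The sample server.xml is constructed, and treating the presence of an AprLifecycleListener as "tcnative is available" is a heuristic assumed by this script.

```python
"""Audit a Tomcat server.xml for TLS connectors that terminate TLS in OpenSSL.

Added example, not from the mailing list. The APR/native connector links
tcnative against OpenSSL inside the JVM process; JSSE connectors do not.
"""
import xml.etree.ElementTree as ET

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"

# Constructed sample server.xml (not taken from any real deployment).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="/path/to/idp.crt" SSLCertificateKeyFile="/path/to/idp.key" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/path/to/idp.jks" keystorePass="changeit" />
  </Service>
</Server>
"""


def find_openssl_tls_connectors(server_xml: str) -> list:
    """Return (port, reason) for each TLS connector whose handshakes run in OpenSSL."""
    root = ET.fromstring(server_xml)
    # The APR listener loads tcnative; in Tomcat 6/7 a plain protocol="HTTP/1.1"
    # then auto-selects the APR connector. Listener presence == "tcnative available"
    # is an assumption of this audit, not a guarantee.
    apr_loaded = any(l.get("className") == APR_LISTENER for l in root.iter("Listener"))
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP: no TLS handshake handled by this connector
        proto = conn.get("protocol", "HTTP/1.1")
        if proto == APR_PROTOCOL:
            findings.append((conn.get("port"), "explicit APR connector"))
        elif proto == "HTTP/1.1" and apr_loaded:
            findings.append((conn.get("port"), "HTTP/1.1 auto-selects APR (tcnative loaded)"))
        # Http11Protocol / Http11NioProtocol with a keystoreFile use JSSE, not OpenSSL.
    return findings


if __name__ == "__main__":
    for port, reason in find_openssl_tls_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: TLS handled by OpenSSL ({reason}); check the OpenSSL version")
```

A deployment with no finding is the "Tomcat-only, JSSE" case Nate describes; any finding means the OpenSSL version linked into tcnative decides the exposure.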
