Getting a grasp on Heartbleed and IDPs

Ian Young ian at
Thu Apr 10 13:42:35 EDT 2014

On 10 Apr 2014, at 18:39, Cantor, Scott <cantor.2 at> wrote:

> I don't have any information on the continued relevance of that option,
> but I can definitely say that if you use the APR connector for TLS in
> Tomcat (that's APR, not AJP, two different things), you would be subject
> to the issue if the version of OpenSSL was affected.

Alas, the last comment on this page seems to be an existence proof:

So just being tomcat-only doesn't necessarily mean you are immune; if you are using APR (and apparently some systems come configured that way by default) then you are vulnerable.

	-- Ian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5943 bytes
Desc: not available
Url : 

More information about the users mailing list