Does GlassFish 3 use OpenSSL for encryption? Our security staff is concerned about the Heartbleed vulnerability.
2 Answers
2
GlassFish does not use OpenSSL; it uses JSSE.
However, in production GlassFish is sometimes run behind an Apache or Nginx server, in which case you obviously would be vulnerable, because they use OpenSSL.

syntaxerror
By default, your GlassFish/Java installation would be using the Oracle implementation of SSLSocketFactory, which is not affected. But it's worth noting that your GlassFish or Java installations might be configured to use an OpenSSL implementation, so check [the configuration](http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization) if you want to be super sure. – Ryan Bennetts Apr 11 '14 at 04:07
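One way to carry out the configuration check mentioned in the comment above, as an added example that is not part of the original thread: it scans the text of a `java.security` file for security providers outside the stock set and for overridden JSSE socket factory properties. The stock provider list is an assumption based on Oracle JDK 7 defaults, the `com.example.*` class names in the sample are hypothetical, and the parser handles only simple `key=value` lines.

```python
import re

# Provider classes in a stock Oracle JDK 7 java.security (assumption:
# adjust this set to your JDK vendor and version).
STOCK_PROVIDERS = {
    "sun.security.provider.Sun", "sun.security.rsa.SunRsaSign",
    "sun.security.ec.SunEC", "com.sun.net.ssl.internal.ssl.Provider",
    "com.sun.crypto.provider.SunJCE", "sun.security.jgss.SunProvider",
    "com.sun.security.sasl.Provider", "sun.security.smartcardio.SunPCSC",
    "org.jcp.xml.dsig.internal.dom.XMLDSigRI", "sun.security.mscapi.SunMSCAPI",
}
# Properties that replace the default JSSE socket factories.
FACTORY_KEYS = ("ssl.SocketFactory.provider", "ssl.ServerSocketFactory.provider")

# Constructed sample; the com.example.* class names are hypothetical.
SAMPLE = """\
security.provider.1=sun.security.provider.Sun
security.provider.2=com.example.openssl.OpenSSLProvider
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
#ssl.SocketFactory.provider=
ssl.ServerSocketFactory.provider=com.example.openssl.ServerFactory
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and #/! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_java_security(text):
    """Return (key, value) pairs that point away from the stock JSSE setup."""
    findings = []
    for key, value in sorted(parse_properties(text).items()):
        if not value:
            continue
        if re.fullmatch(r"security\.provider\.\d+", key):
            # An entry may carry an argument after the class name.
            if value.split()[0] not in STOCK_PROVIDERS:
                findings.append((key, value))
        elif key in FACTORY_KEYS:
            findings.append((key, value))
    return findings
```

A finding only means the entry differs from the stock configuration and should be reviewed; it does not by itself show that the provider wraps OpenSSL.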
2
One should probably distinguish the Open Source Edition and the Oracle editions. The answer for the Heartbleed vulnerability for the latter is no; however, the Oracle GlassFish versions do use OpenSSL somehow:
http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html
> 1.0 Oracle products that, while using OpenSSL, were not subject to CVE-2014-0160
> ...
> Oracle GlassFish Server 3.x.x [Product ID 8493]
> ...
> Sun GlassFish Enterprise Server 2.x [Product ID 8493]
The OpenSSL versions must be too old in these products.