-1

A Java Servlet I maintain uses SSL encryption. I THINK it uses JSSE SSL by Oracle and after the HeartBleed Bug announcement I don't want to be using OpenSSL. Can someone tell me how I can be sure this is the case please?

So far I have found nothing on Google.

jww
AJF
  • Are we to use divination to determine what SSL you are using without you posting the actual relevant info? – Ceiling Gecko Apr 10 '14 at 11:22
  • I am not that experienced in SSL and didn't set things up initially so I apologise. What information do I need to look for? I created screen dumps of what SSL commands I have used and they all involve navigating to the JDK_Location\bin and commence with "keytool", i.e. keytool -import. Also in the JDK_Location\JRE\lib I have the jsse.jar. Does this point to me using JSSE and not OpenSSL? – AJF Apr 10 '14 at 11:47
  • Which servlet container are you using? – Bruno Apr 10 '14 at 14:00
  • Tomcat V7.0. I just run the following on the Live server; `C:\>openssl version -a` `'openssl' is not recognized as an internal or external command, operable program or batch file.` – AJF Apr 10 '14 at 14:53
  • I take it this means I have nothing to worry about and must be using JSSE after all. Yes?? – AJF Apr 10 '14 at 14:54
  • See this question http://serverfault.com/questions/587839/is-there-a-way-to-manually-check-for-openssl-cve-2014-0160-vulnerability – Kevin Panko Apr 13 '14 at 01:32
  • The comment above had a link that was very helpful. We have discovered that the connections on the server are okay apart from one where OpenSSL is used for Port Forwarding. We will resolve that connection. Thanks for everyone's help – AJF Apr 14 '14 at 09:31

2 Answers

1

I am not sure if I understand correctly but if you're trying to find out if your servlet is prone to heartbleed attacks and if it is reachable from the internet you might want to take a look at: http://filippo.io/Heartbleed/

Moh-Aw
1

This isn't so much about the `openssl` command (which might not be on your path anyway) as about the OpenSSL library.

If you're using Tomcat, you would be relying on the OpenSSL library if you've set up the APR connector. Otherwise, you'll be using the JSSE (unless you're providing your own SSLImplementation classes, which is very unlikely).

Bruno
  • The server.xml file has several listener tags but only one mentions SSL as – AJF Apr 10 '14 at 15:17
  • 1
    Check whether you're using `tcnative` (see Installation/Windows section in the link I gave you earlier). – Bruno Apr 10 '14 at 15:23
  • If tcnative is a dll that would be in C:\Windows\system32 it is not there. – AJF Apr 10 '14 at 15:42
  • 1
    It's not necessarily in that directory (in fact unlikely). See whether there are path modifications, as described at the bottom of this page: http://tomcat.apache.org/native-doc/ – Bruno Apr 10 '14 at 15:46
  • Thanks again for your assistance. There is a setenv.bat file in the tomcat\bin location as it is one I had to create but does not reference anything about the tc-native libraries and also I examined the PATH environment variable and also does not reference anything about OpenSSL or tc-native. – AJF Apr 11 '14 at 09:27