Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Does openSSL CVE-2014-0160 effect jetty users?

Well, if you use Tomcat with JBoss, you can actually plug in OpenSSL quite easily...

2014-04-09 11:51 GMT+02:00 Lothar Kimmeringer <job@xxxxxxxxxxxxxx>:
Am 09.04.2014 11:13, schrieb Peter Ondruška:
> On Wednesday, 9 April 2014, maarten ligtvoet <maartenligtvoet@xxxxxxxxx <mailto:maartenligtvoet@xxxxxxxxx>> wrote:
>>     Does the openSSL heartbleed bug effect jetty users?
> Jetty uses Java VM's SSL, not OpenSSL.

and to continue the answer: Since the SSL-implementation should be
in Pure Java, missing boundary-checks aren't a topic there.

A final answer depends on the configuration of your JVM, though.
In theory, you can change the SSLSocketFactory by one that
actually uses OpenSSL via JNI, but that's something never being
heard of - at least by me.

Regards, Lothar
jetty-users mailing list


TesTcl - a unit test framework for iRules

Back to the top