| Summary: | OpenSSL 1.0.1g is vulnerable to a man-in-the-middle attack | ||
|---|---|---|---|
| Product: | Tomcat Native | Reporter: | Bhupesh Saini <bsaini> |
| Component: | Library | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | ||
| Severity: | critical | CC: | bbutt, javabrett, klemen.novak, mail4deepak, schelldorfer, tom.jennings |
| Priority: | P2 | ||
| Version: | 1.1.30 | ||
| Target Milestone: | --- | ||
| Hardware: | PC | ||
| OS: | All | ||
| Attachments: |
DLL for Win32
DLL for x64 |
||
|
Description
Bhupesh Saini
2014-06-05 22:27:31 UTC
See Comment 20 (and Comment 7) in issue 56363. https://issues.apache.org/bugzilla/show_bug.cgi?id=56363#c20 This is CVE-2014-0224. It's caused my rating on Qualys SSL test to drop from an A+ to an F. Is there any way to mitigate the vulnerability? Mladen? Any chance you could roll us out a new version pretty quickly? Pretty please? In the meantime, I'll see what I can do about building my own. I currently do not have the toolset required. Is there anyone working on this problem? Please fix the issue as soon as possible. Thank you. (In reply to Klemen Novak from comment #3) > Is there anyone working on this problem? One person, and it looks that it is not going very well. The progress is discussed in issue 56363 and on dev mailing list. Help is welcome. I went ahead and downloaded MS Visual Studio Express today in hopes of trying to do my own build based on Mladen's instructions in Bug 56363. Unfortunately, I'm juggling a half-dozen other time-critical projects right now, and that's as far as I've gotten. Again, does anyone know if there is a way to mitigate the problem? Perhaps limit the cipher list to strongest ciphers only? Jeffrey, if you take a look at my post here (http://markmail.org/message/gex3hshaprlxcuzs), you'll find a DOS batch file that, with a few prerequisites, will download and build the 32-bit x86 openssl.exe and a statically-linked 32-bit x86 libtcnative-1.dll for you. (It downloads and builds all of the dependencies -- OpenSSL and APR, first). I'm really only having trouble building the 64-bit flavors at this point. My instructions were followed using a freely-downloadable Windows 8.1 VirtualBox image, so you can use and abuse it without mucking-up your own system. Please join that thread on the dev list to discuss further. This is enough abuse of Bugzilla for now. ;) I was able to build the DLL for Win32 and x64 using Visual Studio 2010. It contains APR 1.5.1 and OpenSSL 1.0.1h 5 Jun 2014. I tested the Win32 DLL on Tomcat 7.0.53 / Windows Server 2003 and it's working fine. I can provide the DLLs (Win32 and x64) for further testing, if somebody is interested. Martin Schelldorfer is will test them. Please provide me with link. Thank you. I will test them with tomcat 6 and 7 on windows 2008 R2 and then try with SSLLabs. Created attachment 31776 [details]
DLL for Win32
DLL for Win32
APR 1.5.1 and OpenSSL 1.0.1h 5 Jun 2014
Created attachment 31777 [details]
DLL for x64
DLL for x64
APR 1.5.1 and OpenSSL 1.0.1h 5 Jun 2014
DLLs for Win32/x64 APR 1.5.1 and OpenSSL 1.0.1h 5 Jun 2014 There appear to be a couple of problems with those DLLs. The depends tool reports that: - the 32-bit DLL depends on 64-bit libraries - the 64-bit DLL depends the MS Visual C runtime msvcr100.dll There a a few hoops that need to be jumped through to build these DLLs 'correctly' (i.e. with the same minimal dependencies as the ASF versions). Good progress has been made documenting these hoops in the last few days. The latest information can be found on the wiki: http://wiki.apache.org/tomcat/BuildTcNativeWin I've just got the build environment set up and I am about to start building the various versions (IA64, AMD64, X86) of OpenSSL and APR. I'll be updating the Wiki as I go along. (In reply to Mark Thomas from comment #12) > There appear to be a couple of problems with those DLLs. > > The depends tool reports that: > - the 32-bit DLL depends on 64-bit libraries That looks like incorrect analysis by the depends tool. I see the same for the 32-bit DLL I built. > - the 64-bit DLL depends the MS Visual C runtime msvcr100.dll This still looks like an issue though I have built x86 and x64 versions using what should be pretty much the same toolchain as is used for the releases. The results can be obtained from: http://people.apache.org/~markt/dev/tomcat-native-1.1.31-dev/ I've performed a quick smoke test and they seem OK but further testing would be appreciated. (In reply to Mark Thomas from comment #14) > I have built x86 and x64 versions using what should be pretty much the same > toolchain as is used for the releases. The results can be obtained from: > http://people.apache.org/~markt/dev/tomcat-native-1.1.31-dev/ > > I've performed a quick smoke test and they seem OK but further testing would > be appreciated. I tested your 1.1.32-dev x86 DLL on Tomcat 7.0.53 / Windows Server 2003. It's working fine for me. Hi, I tested Mark Thomas version and it works on my servers. Windows 2008 R2 x64, Tomcat 7.0.54 x64. I also tested the server with SSLLabs and its ok. I works fine. 1.1.31 has been released (it may take up to 24 hours to reach all the mirrors) and the Windows binaries were built with OpenSSL 1.0.1h. The formal release announcement is expected tomorrow once the new version has replicated to the mirrors. |