After reading an article about the Heartbleed security bug, I understand that it is good practice to check the OpenSSL version Apache Tomcat is using.

The article contains this sentence:

What version of OpenSSL is Tomcat using?

This information is logged by AprLifecycleListener when Tomcat starts. For example,

10-Apr-2014 19:25:28.801 INFO [main] org.apache.catalina.core.AprLifecycleListener.init Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.8.
10-Apr-2014 19:25:28.804 INFO [main] org.apache.catalina.core.AprLifecycleListener.init APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
10-Apr-2014 19:25:29.955 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized (OpenSSL 1.0.1g 7 Apr 2014)

I spent a couple of hours searching but can't find this information in the Tomcat logs. Is there another place where I should look? Is there another way to figure this out?

I'm using Tomcat 6 on Windows Server 2003. I tried to change the log level to Info, and then to Debug, each time restarting the web server, to no avail.

Ziba Leah

2 Answers

OpenSSL is not part of Tomcat. It's a separate application. You don't need OpenSSL to use Tomcat. OpenSSL is used for SSL on Unix and Linux systems. Windows has its own SSL implementation, but you can install openssl on Windows as well.

Do you use SSL for Tomcat? So do you connect to the tomcat webapp using something like https://localhost:8443, or do you have IIS or Apache in between? The log example you quote is an example!

If you have Openssl installed, you can find the version by following these steps:

  • Click the Windows "Start" button and type "cmd" into the search text box. Press "Enter" to open your Windows command line.
  • Type "openssl /?" to view a list of options for the command line utility. This also shows you the proper syntax for the command.
  • Type "openssl version" and press "Enter." The OpenSSL version is displayed in the Windows command line utility.

If the openssl command returns an error, it's probably not installed.

SPRBRN

There are several common modes of deployment for Tomcat on MS-Windows if HTTPS is enabled:

  1. Tomcat running behind IIS, OpenSSL is not used
  2. Tomcat running behind Apache, OpenSSL is that used by Apache
  3. Tomcat standalone server with JSSE connector (Java SSL), OpenSSL is not used
  4. Tomcat standalone server with APR connector, OpenSSL in use

If you have a standalone Tomcat server you can determine which HTTPS method is used by inspecting the Connector protocol configuration. The Apache provided Tomcat 6.0 binaries include APR (and hence OpenSSL) by default, though you may not be using it (upgrade anyway!). Further, if you have OpenSSL installed separately, it's irrelevant from Tomcat's point of view (though it might be used by your Apache or other web server).

If you are using an official (contrib) Apache-2.2 web server binary, the OpenSSL version number is typically encoded in the installer package file name. For 2.4 there are several different packaged versions. At least one (Apachehaus) documents the OpenSSL version and provides an openssl.exe you can run, though it may not be in the normal user PATH; it's in the bin/ subdirectory of the Apache installation.

If you have LogLevel of "info" or higher, Apache will log the mod_ssl and OpenSSL versions on startup. Since 6.0.36, Tomcat6 does the same (bug #53057).

To peek at what DLLs a running process has loaded, Process Explorer is handy. Sadly, though, it appears that the normal Tomcat binary distribution links OpenSSL (and more) into a single DLL (tcnative-1.dll) rather than an easily identifiable (and replaceable) libssl.dll/libcrypto.dll (or similar) as is the convention on *nix systems. (This analysis will work on the Apachehaus Apache httpd though.)

A fairly primitive but reliable way then is to use find (or strings if you have it already), from a cmd prompt:

cd \Program Files\apache-tomcat\bin
find "OpenSSL" tcnative-1.dll
[...]
TLSv1 part of OpenSSL 1.0.1d 5 Feb 2013
SSLv3 part of OpenSSL 1.0.1d 5 Feb 2013
SSLv2 part of OpenSSL 1.0.1d 5 Feb 2013
DTLSv1 part of OpenSSL 1.0.1d 5 Feb 2013

Process Explorer will tell you the location of tcnative-1.dll for a running tomcat6 process if you cannot find it easily.

To summarise:

  • check netstat -abn -p TCP to see what's listening on 443 (or whatever HTTPS port you use)
  • check your connector to see if, and how, Tomcat provides SSL
  • check your webserver version and HTTPS configuration
mr.spuratic
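The two checks in this thread, reading the OpenSSL banner out of tcnative-1.dll or the AprLifecycleListener log line, and inspecting the server.xml Connector to see whether APR (OpenSSL) or JSSE terminates HTTPS, can be scripted so the result is a yes/no answer rather than eyeballed output. The following is an added example, not code from either answer or from the Tomcat project; the DLL bytes, the log line and the server.xml below are constructed samples, and the `find_openssl_versions`, `heartbleed_affected`, `connector_ssl_stack` and `audit` functions are names chosen here. It assumes the Tomcat 6/7 rule that a plain `protocol="HTTP/1.1"` connector picks APR only when the native library was loaded, which is why that case is reported as ambiguous and should be confirmed against the log.

```python
import re
import xml.etree.ElementTree as ET

# OpenSSL embeds its version banner in its libraries and prints it in logs,
# e.g. "OpenSSL 1.0.1d 5 Feb 2013". The date is optional so "OpenSSL 1.0.1g" matches too.
OPENSSL_BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?)(?: +\d{1,2} [A-Z][a-z]{2} \d{4})?"
)


def find_openssl_versions(data: bytes) -> list:
    """Distinct OpenSSL version strings in a byte blob (a DLL image, catalina.log, ...),
    in order of first appearance: the scripted form of find "OpenSSL" tcnative-1.dll."""
    found = []
    for m in OPENSSL_BANNER.finditer(data):
        version = m.group(1).decode("ascii")
        if version not in found:
            found.append(version)
    return found


def heartbleed_affected(version: str) -> bool:
    """CVE-2014-0160 (Heartbleed) affects OpenSSL 1.0.1 through 1.0.1f and the
    1.0.2-beta1 pre-release; 1.0.1g and the 1.0.0 / 0.9.8 branches are not affected."""
    if version == "1.0.2-beta1":
        return True
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    return bool(m) and m.group(1) <= "f"


def connector_ssl_stack(server_xml: str) -> list:
    """For each <Connector> in server.xml report the port, whether SSL is enabled on it,
    and which stack terminates it (APR/native = OpenSSL, JSSE = Java's own SSL)."""
    root = ET.fromstring(server_xml)
    report = []
    for c in root.iter("Connector"):
        proto = c.get("protocol", "HTTP/1.1")
        ssl_on = c.get("SSLEnabled", "false").lower() == "true"
        if not ssl_on and c.get("secure", "false").lower() == "true":
            # secure="true" without SSLEnabled: a front end (IIS/Apache) terminates SSL.
            stack = "SSL terminated upstream (IIS/Apache)"
        elif not ssl_on:
            stack = "no SSL on this connector"
        elif "Apr" in proto:
            stack = "APR (OpenSSL)"
        elif proto == "HTTP/1.1":
            # Tomcat 6/7 choose APR automatically when AprLifecycleListener loaded
            # tcnative, and fall back to JSSE otherwise; confirm against the log.
            stack = "APR (OpenSSL) if tcnative loaded, else JSSE"
        else:
            stack = "JSSE (Java SSL, OpenSSL not used)"
        report.append({"port": c.get("port"), "protocol": proto, "ssl": ssl_on, "stack": stack})
    return report


# Constructed sample: bytes shaped like the strings found inside tcnative-1.dll.
SAMPLE_DLL_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"TLSv1 part of OpenSSL 1.0.1d 5 Feb 2013\x00"
    + b"SSLv3 part of OpenSSL 1.0.1d 5 Feb 2013\x00" + b"\x00" * 8
)

# Constructed sample: the AprLifecycleListener line a patched Tomcat writes at startup.
SAMPLE_LOG = (
    b"10-Apr-2014 19:25:29.955 INFO [main] org.apache.catalina.core."
    b"AprLifecycleListener.initializeSSL OpenSSL successfully initialized "
    b"(OpenSSL 1.0.1g 7 Apr 2014)\n"
)

# Constructed sample: a minimal Tomcat 6 server.xml with three connectors.
SAMPLE_SERVER_XML = """<Server port="8005">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
    <Connector port="8009" protocol="AJP/1.3" secure="true" />
  </Service>
</Server>"""


def audit(dll_bytes: bytes, log_bytes: bytes, server_xml: str) -> dict:
    """Combine the three checks and flag any Heartbleed-affected version that turned up."""
    versions = find_openssl_versions(dll_bytes) + find_openssl_versions(log_bytes)
    return {
        "versions": versions,
        "affected": [v for v in versions if heartbleed_affected(v)],
        "connectors": connector_ssl_stack(server_xml),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_DLL_BYTES, SAMPLE_LOG, SAMPLE_SERVER_XML), indent=2))
```

On a real host, replace the constructed samples with `open(r"C:\Program Files\apache-tomcat\bin\tcnative-1.dll", "rb").read()`, the contents of the catalina log, and the deployed conf/server.xml. Two versions in the result (1.0.1d from the DLL on disk, 1.0.1g from the log) would mean the running process and the file on disk disagree, which is exactly the situation to resolve before trusting the log line alone.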