How to get the OpenSSL version in a Tomcat 6 installation

heartbleed, openssl

After reading an article about the Heartbleed security bug, I understand that it is good practice to check the OpenSSL version Apache Tomcat is using.

The article contains this sentence:

What version of OpenSSL is Tomcat using?

This information is logged by AprLifecycleListener when Tomcat starts. For example,

10-Apr-2014 19:25:28.801 INFO [main] org.apache.catalina.core.AprLifecycleListener.init Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.8.
10-Apr-2014 19:25:28.804 INFO [main] org.apache.catalina.core.AprLifecycleListener.init APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
10-Apr-2014 19:25:29.955 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized (OpenSSL 1.0.1g 7 Apr 2014)

I spent a couple of hours searching but can't find this information in the Tomcat logs. Is there another place where I should look? Is there another way to figure this out?

I'm using Tomcat 6 on Windows Server 2003. I tried to change the log level to Info, and then to Debug, each time restarting the web server, to no avail.

Best Answer

OpenSSL is not part of Tomcat. It's a separate application. You don't need OpenSSL to use Tomcat. OpenSSL is used for SSL on Unix and Linux systems. Windows has its own SSL implementation, but you can install OpenSSL on Windows as well.

Do you use SSL for Tomcat? So do you connect to the Tomcat webapp using something like https://localhost:8443 or do you have IIS or Apache in between? The log example you quote is an example!

If you have OpenSSL installed, you can find the version by following these steps:

  • Click the Windows "Start" button and type "cmd" into the search text box. Press "Enter" to open your Windows command line.
  • Type "openssl /?" to view a list of options for the command line utility. This also shows you the proper syntax for the command.
  • Type "openssl version" and press "Enter." The OpenSSL version is displayed in the Windows command line utility.

If the openssl command returns an error, it's probably not installed.
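
Added example (not part of the original question or answer): a Python script that pulls the Tomcat Native and OpenSSL versions out of the AprLifecycleListener startup messages quoted in the question and classifies the OpenSSL release against the Heartbleed-affected range, 1.0.1 through 1.0.1f. The function names, status strings and the second sample are constructed for illustration.

```python
import re

# Message texts logged by AprLifecycleListener, as quoted in the question.
# Matching the message only keeps this independent of the timestamp layout.
TCNATIVE_RE = re.compile(r"Loaded APR based Apache Tomcat Native library (\S+)")
OPENSSL_RE = re.compile(r"OpenSSL successfully initialized \(OpenSSL (\S+)")
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

# Two of the startup lines quoted on this page.
PAGE_LINES = [
    "10-Apr-2014 19:25:28.801 INFO [main] org.apache.catalina.core.AprLifecycleListener.init "
    "Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.8.",
    "10-Apr-2014 19:25:29.955 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL "
    "OpenSSL successfully initialized (OpenSSL 1.0.1g 7 Apr 2014)",
]
# Constructed sample: an earlier startup with an affected build, then a restart.
CONSTRUCTED_LINES = ["INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)"] + PAGE_LINES


def heartbleed_status(version):
    """Classify an OpenSSL version string against the Heartbleed range.

    Releases 1.0.1 through 1.0.1f are affected; 1.0.1g carries the fix.
    Pre-release or vendor-suffixed strings are left for manual review.
    """
    m = RELEASE_RE.match(version)
    if not m:
        return "check-manually"
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    return "affected" if branch == (1, 0, 1) and m.group(4) < "g" else "not-affected"


def scan_catalina_log(lines):
    """Return the last tcnative/OpenSSL versions seen (latest startup) and a status."""
    result = {"tcnative": None, "openssl": None, "status": "no-openssl-line"}
    for line in lines:
        m = TCNATIVE_RE.search(line)
        if m:
            result["tcnative"] = m.group(1)
        m = OPENSSL_RE.search(line)
        if m:
            result["openssl"] = m.group(1)
            result["status"] = heartbleed_status(m.group(1))
    return result


if __name__ == "__main__":
    print(scan_catalina_log(PAGE_LINES))
```

A `no-openssl-line` result means the log never recorded OpenSSL being initialized by Tomcat, which is the situation the question describes.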
