Question

I am running TeamCity on a Windows machine that uses Tomcat as a web server and uses Apache Portable Runtime (APR) and OpenSSL for SSL.

I have not managed to upgrade the version of OpenSSL to 1.0.1g, and I think the reason is that the Tomcat native library binary (tcnative-1.dll) (http://archive.apache.org/dist/tomcat/tomcat-connectors/native/1.1.29/binaries/tomcat-native-1.1.29-win32-bin.zip) contains both APR and version 1.0.1e of OpenSSL, and I can't find a new binary with 1.0.1g.

I've tried to compile the Tomcat native library myself, but I get compilation errors when trying to compile the "libapr" project.

The compilation errors I get are:

Error   4   error LNK2019: unresolved external symbol __InterlockedIncrement referenced in function _apr_atomic_inc32@4 C:\Users\heartbleed\tomcat-native-1.1.29-win32-src\jni\apr\apr_atomic.obj   libapr
Error   5   error LNK2019: unresolved external symbol __InterlockedExchangeAdd referenced in function _apr_atomic_add32@8   C:\Users\heartbleed\tomcat-native-1.1.29-win32-src\jni\apr\apr_atomic.obj   libapr
Error   6   error LNK2019: unresolved external symbol __InterlockedExchange referenced in function _apr_atomic_set32@8  C:\Users\heartbleed\tomcat-native-1.1.29-win32-src\jni\apr\apr_atomic.obj   libapr
Error   7   error LNK2019: unresolved external symbol __InterlockedDecrement referenced in function _apr_atomic_dec32@4 C:\Users\heartbleed\tomcat-native-1.1.29-win32-src\jni\apr\apr_atomic.obj   libapr
Error   8   error LNK2019: unresolved external symbol __InterlockedCompareExchange referenced in function _apr_atomic_cas32@12  C:\Users\heartbleed\tomcat-native-1.1.29-win32-src\jni\apr\apr_atomic.obj   libapr
Error   9   error LNK1120: 5 unresolved externals   C:\Users\heartbleed\tomcat-native-1.1.29-win32-src\jni\apr\Debug\libapr-1.dll   1   1   libapr

I am trying to compile in Visual Studio Ultimate 2013 (perhaps too new a version of Visual Studio?).

How do I fix this problem?

Has anyone successfully built the Tomcat native library with OpenSSL 1.0.1g?

Updates

I've set the "Platform Toolset" to v100 (as advised here https://groups.google.com/forum/#!topic/UniMRCP/Iybpn51UYnI) and the previous compilation errors went away, but now I get new ones:

Error   9   error C1083: Cannot open include file: 'apr.h': No such file or directory   C:\Users\heartbleed\tomcat-native-1.1.29-win32-src\jni\native\include\tcn.h 26  1   tcnative

More updates

I did manage to solve the compilation problems and build a tcnative-1.dll with OpenSSL 1.0.1g, and my TeamCity is up and running with the Heartbleed problem fixed! I am busy now. But please ask if you want a detailed description of the procedure.


Solution 2

At present, the tcnative team has finished working on the next version which has the Heartbleed fix in. So one can get this version from Latest tcnative with heartbleed fix.

This version will soon be released officially.

Other tips

This is what I did.

I started off with Visual Studio 2013.

Install Visual C++ 2010 Express (http://go.microsoft.com/?linkid=9709949).

Install OpenSSL (http://slproweb.com/products/Win32OpenSSL.html), I chose "Win32 OpenSSL v1.0.1g".

Download Tomcat Native (http://apache.mirrors.spacedump.net//tomcat/tomcat-connectors/native/1.1.29/source/tomcat-native-1.1.29-win32-src.zip) Extract it somewhere.

Download the APR source code (http://apache.mirrors.spacedump.net//apr/apr-1.5.0-win32-src.zip). Extract it and move it into the directory "tomcat-native-1.1.29-win32-src/jni". Rename the "apr-1.5.0" directory to "apr", so that you have an "apr" folder in the "jni" folder.

Open up "tomcat-native-1.1.29-win32-src/jni/native/libtcnative.dsw" in Visual Studio 2013. It will make some conversions.

Change from "Debug" to "Release".

For the projects "apr" and "tcnative", right-click on them and go into Properties -> Configuration Properties. Set "Platform Toolset" to "v100".

Right click "tcnative" click Properties -> Configuration Properties -> C/C++ -> Additional Include Directories -> Edit

  • Change "./srclib/apr/include" to "../apr/include"
  • Change "./srclib/apr/include/arch/win32" to "../apr/include/arch/win32"
  • Add "C:\OpenSSL-Win32\include" (or wherever you installed OpenSSL).

Go to Configuration Properties -> Linker -> Input -> Additional Dependencies -> Edit

  • Change "libeay32.lib" to "libeay32MT.lib"
  • Change "ssleay32.lib" to "ssleay32MT.lib"

Go to Configuration Properties -> Linker -> Additional Library Directories -> Edit.

  • Add "C:\OpenSSL-Win32\lib\VC\static" (or wherever you installed OpenSSL).

Right click tcnative and click on Build.

After the build completes you will find "tcnative-1.dll" inside "tomcat-native-1.1.29-win32-src\jni\native\LibR".

Apache Tomcat 7.0.53 (latest release) is vulnerable to Heartbleed, if you are using Tomcat Native (check if tcnative-1.dll is in bin folder. That's the case if you download the Tomcat Windows binary).

You can find the binaries for Windows (x86 and x64) at http://people.apache.org/~mturk/native/1.1.30/binaries/.

I hope they will release it officially soon at http://tomcat.apache.org/download-native.cgi.

Just download the DLL file, put it into Tomcat/bin folder, restart Tomcat and you're done.

To verify the fix, check file catalina.log:

Apr 11, 2014 8:39:27 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1g 7 Apr 2014)

The Heartbleed fix has been in OpenSSL since OpenSSL 1.0.1f.

I believe Tomcat is not vulnerable to Heartbleed out of the box.

Yes, the APR library is linked and SSLEngine is on.

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

But if you look at the server.xml config file of a default Tomcat deployment, its SSL connector uses JSSE, not the APR library.

<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the BIO implementation that requires the JSSE
     style configuration. When using the APR/native implementation, the
     OpenSSL style configuration is required as described in the APR/native
     documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

So it shouldn't be exploitable via Heartbleed. Unless you manually changed the SSL connector to use APR, I think it's safe to say you are not vulnerable.
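A check that ties the two points above together, as an added example that is not part of any answer on this page: it reads the OpenSSL version from the AprLifecycleListener line in catalina.log and lists which SSL-enabled connectors in server.xml actually go through the APR/OpenSSL path (a commented-out connector, like the stock JSSE one, is ignored). The sample log and server.xml are constructed; the rule that protocol="HTTP/1.1" auto-selects APR when the native library is loaded comes from Tomcat's connector documentation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from the page): an unpatched tcnative and a live APR SSL connector.
SAMPLE_CATALINA_LOG = """\
Apr 11, 2014 8:39:27 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
"""
SAMPLE_SERVER_XML = """\
<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <!-- <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" /> -->
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
  </Service>
</Server>
"""
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"

def openssl_version(catalina_log):
    """OpenSSL version from the AprLifecycleListener init line in catalina.log, or None."""
    m = re.search(r"OpenSSL successfully initialized \(OpenSSL (\S+)", catalina_log)
    return m.group(1) if m else None

def is_heartbleed_affected(version):
    """True for OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g); None if unparseable."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version or "")
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3])) == (1, 0, 1) and m[4] < "g"

def ssl_connectors(server_xml):
    """(port, protocol, uses_openssl) per SSL-enabled Connector; commented-out ones are dropped
    by ElementTree. protocol="HTTP/1.1" auto-selects APR when tcnative is loaded (Tomcat docs)."""
    root = ET.fromstring(server_xml)
    apr_on = any(ln.get("SSLEngine") == "on" for ln in root.iter("Listener")
                 if ln.get("className") == "org.apache.catalina.core.AprLifecycleListener")
    found = []
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "false").lower() == "true":
            proto = c.get("protocol", "HTTP/1.1")
            found.append((int(c.get("port")), proto, apr_on and proto in (APR_PROTOCOL, "HTTP/1.1")))
    return found

def assess(catalina_log, server_xml):
    """Exposed only if the loaded OpenSSL is unpatched AND a live SSL connector goes through it."""
    version = openssl_version(catalina_log)
    ports = [port for port, _, uses in ssl_connectors(server_xml) if uses]
    return {"openssl": version, "openssl_ports": ports,
            "exposed": bool(is_heartbleed_affected(version) and ports)}
```

Point the functions at a real catalina.log and server.xml; a patched build shows up as "exposed": False even with an APR connector live, while an unpatched build with only the stock commented-out JSSE connector also reports no exposed ports.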

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow