Tomcat – Which versions of win32 tcnative-1.dll are susceptible to Heartbleed


We are trying to determine our window of vulnerability for Heartbleed. Does anyone have an idea of how to determine which version of OpenSSL was used to build a given Tomcat Native DLL?

Our server has had Tomcat 6 on it (not sure which version of tcnative-1.dll, but trying to track it down), upgraded to Tomcat 7 (with tcnative-1.dll version 1.1.27).

I can't find any information anywhere on which versions of tcnative-1.dll were linked against which openssl versions.

The Apache changelog doesn't have this info, and the documentation provides a website that has the DLL it was linked against, but no information about which of the 17 versions it used.

Best Answer

The answer can be seen in this Bugzilla entry of the Apache Tomcat project:

https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

Affected versions are 1.1.24 through 1.1.29 (the latest official release at the moment).

For versions from 1.1.23 onward (1.1.23 was linked against OpenSSL 1.0.0g), you will find a VERSIONS file inside the Windows binary packages that you can download from the Tomcat archive; it gives information about the bundled libraries.

Earlier tcnative-1 versions at least bundle an openssl.exe, which can be queried for version information with the command "version".
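A cross-check for the procedure in the answer above (the VERSIONS file for 1.1.23 and later, `openssl.exe version` for earlier builds), when you have a `tcnative-1.dll` of unknown origin on a server and no distribution package to compare it with. This is an added example, not code from the question, the answer or the Tomcat project. It assumes OpenSSL is statically linked into the DLL, so the version banner that OpenSSL compiles into every binary (the string `SSLeay_version()` returns, e.g. `OpenSSL 1.0.1e 11 Feb 2013`) is embedded in the file; the sample byte strings below are constructed stand-ins for DLL contents, not real DLLs. The Heartbleed range it encodes is OpenSSL 1.0.1 through 1.0.1f plus the 1.0.2-beta1 pre-release; 1.0.1g fixed it, and the 1.0.0 and 0.9.8 branches were never affected.

```python
"""Scan a tcnative-1.dll (or any binary) for the embedded OpenSSL version banner
and report whether that OpenSSL release is affected by Heartbleed (CVE-2014-0160).

Assumption: OpenSSL is statically linked into the DLL, so the banner string is
present in the file. If no banner is found, the DLL may be loading a separate
OpenSSL DLL and this check tells you nothing about it.
"""
import re
import sys

# Banner OpenSSL compiles into every binary, e.g. b"OpenSSL 1.0.1e 11 Feb 2013".
BANNER_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-(?:beta\d+|fips))?) \d{1,2} [A-Z][a-z]{2} \d{4}"
)

# Parsed shape of a version: "1.0.1e" -> base (1, 0, 1), letter "e", suffix None.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|fips))?$")


def find_openssl_versions(blob: bytes) -> list:
    """Return the distinct OpenSSL versions whose banner appears in the bytes."""
    return sorted({m.group(1).decode("ascii") for m in BANNER_RE.finditer(blob)})


def is_heartbleed_vulnerable(version: str) -> bool:
    """Heartbleed affects OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1
    pre-release. 1.0.1g fixed it; the 1.0.0 and 0.9.8 branches never had the
    TLS heartbeat code."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % version)
    base = tuple(int(x) for x in m.group(1, 2, 3))
    letter, suffix = m.group(4), m.group(5)
    if base == (1, 0, 1):
        # Patch letters are ordered alphabetically; "" (plain 1.0.1) sorts before "g".
        return letter < "g"
    if base == (1, 0, 2):
        return suffix == "beta1"
    return False


def assess(blob: bytes) -> dict:
    """Map every OpenSSL version found in the blob to its Heartbleed status."""
    return {v: is_heartbleed_vulnerable(v) for v in find_openssl_versions(blob)}


# Constructed stand-ins for DLL contents: junk bytes around an embedded banner.
SAMPLE_VULNERABLE_DLL = b"MZ\x90\x00" * 8 + b"OpenSSL 1.0.1e 11 Feb 2013\x00" + b"\xcc" * 16
SAMPLE_FIXED_DLL = b"\x00" * 32 + b"OpenSSL 1.0.1g 7 Apr 2014\x00" + b"\x00" * 32
# The answer above says tcnative 1.1.23 was linked against OpenSSL 1.0.0g.
SAMPLE_OLD_BRANCH_DLL = b"\x00" * 32 + b"OpenSSL 1.0.0g 18 Jan 2012\x00"


def main(argv):
    """Usage: python check_tcnative.py path\\to\\tcnative-1.dll
    Exit 0: not affected, 1: vulnerable OpenSSL found, 2: no banner found."""
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = SAMPLE_VULNERABLE_DLL  # demo run on the constructed sample
    results = assess(blob)
    if not results:
        print("no OpenSSL banner found; OpenSSL may not be statically linked")
        return 2
    for version, vulnerable in results.items():
        status = "VULNERABLE to Heartbleed" if vulnerable else "not affected"
        print("OpenSSL %s: %s" % (version, status))
    return 1 if any(results.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the DLL actually loaded by the Tomcat service rather than a copy from an installer, since the question is what is on the server. A hit in the 1.0.1 branch below g confirms the window of vulnerability; an exit code of 2 means the banner was not found and the VERSIONS file or `openssl.exe version` from the matching distribution remains the way to settle it.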