Web Stack and the TLS Vulnerability
By jyri on Jan 12, 2010
What about Web Stack?
Unlike Web Server, which uses NSS for its SSL/TLS implementation, the various components in Web Stack use OpenSSL for the same purpose. Therefore, the state of the vulnerability for Web Stack components depends on whether OpenSSL has been updated to prevent the renegotiation attack (mostly).
The key is that Web Stack does not ship a private copy of OpenSSL - it uses the OpenSSL libraries present in the system. So it comes down to whether the system OpenSSL is vulnerable or not.
| Version | OpenSolaris | Solaris 10 | Red Hat Linux |
|---|---|---|---|
| Web Stack 1.5 / OpenSolaris 2009.06 | Safe only when openssl-0.9.8l shows up in release repo | Safe, once Sun Alert fixes are installed by user | Vulnerable, no relief available |
| Upcoming Web Stack 1.6 / OpenSolaris 2010.03 | Safe (openssl-0.9.8l already in dev repo) | Safe, once Sun Alert fixes are installed by user | Vulnerable, no relief available |
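Because Web Stack links against the system OpenSSL, the OpenSolaris rows above come down to whether the installed library has reached 0.9.8l. The following is an added example, not part of the original post or of Web Stack: it classifies an `openssl version` banner against that level. The function names and sample banners are constructed for illustration, and the check only applies where the fix arrives as a version bump; a system patched in place (the Solaris 10 column) can keep an older version string.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
FIX_LEVEL="0.9.8l"   # upstream release the table above names as the safe level

# ver_key VERSION -> sortable key, e.g. "0.9.8l" -> "000009008l".
# OpenSSL 0.9.x/1.0.x letter suffixes order as "" < a < ... < z < za < zb,
# which matches plain byte-wise string ordering.
ver_key() {
    printf '%s\n' "${1%%-*}" | awk -F. '{
        sfx = $3; sub(/^[0-9]+/, "", sfx)      # letter suffix, may be empty
        printf "%03d%03d%03d%s\n", $1, $2, $3, sfx
    }'
}

# ver_lt A B -> exit status 0 when version A sorts strictly before version B.
ver_lt() {
    a=$(ver_key "$1"); b=$(ver_key "$2")
    [ "$a" != "$b" ] &&
        [ "$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | head -n 1)" = "$a" ]
}

# reneg_status BANNER -> "below-0.9.8l", "at-or-above-0.9.8l" or "unparsed".
# BANNER is one line of `openssl version` output.
reneg_status() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unparsed"
    elif ver_lt "$ver" "$FIX_LEVEL"; then
        echo "below-$FIX_LEVEL"
    else
        echo "at-or-above-$FIX_LEVEL"
    fi
}

# Constructed sample banners (not captured from real hosts).
for banner in "OpenSSL 0.9.8k 25 Mar 2009" \
              "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008" \
              "OpenSSL 0.9.8l 5 Nov 2009"; do
    printf '%s -> %s\n' "$banner" "$(reneg_status "$banner")"
done
```

On a live host, pass the real banner with `reneg_status "$(openssl version)"`.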