Posted to cvs@httpd.apache.org by wr...@apache.org on 2017/03/23 14:50:57 UTC
svn commit: r1788258 - /httpd/httpd/branches/2.4.x/STATUS
Author: wrowe
Date: Thu Mar 23 14:50:56 2017
New Revision: 1788258
URL: http://svn.apache.org/viewvc?rev=1788258&view=rev
Log:
I'm wrong. Reviewing SecurityPolicy (2.0.13 + 1.2.4) at
https://www.openssl.org/docs/fips/ - using FIPS_mode_set(1) for revalidation
was actually expressly called out in section 3. While mod_ssl is 'unloaded'
(unconfigured) the process is not operating in a fips validated manner, but
once the configuration resets FIPS_mode_set(1) it resumes validated behavior.
Modified:
httpd/httpd/branches/2.4.x/STATUS
Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1788258&r1=1788257&r2=1788258&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Thu Mar 23 14:50:56 2017
@@ -172,11 +172,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
http://svn.apache.org/r1781190
http://svn.apache.org/r1781312
2.4.x patch: http://home.apache.org/~ylavic/patches/httpd-2.4.x-mod_ssl-restart_leaks-v2.patch
- +1: ylavic, jim
- -1: wrowe - FIPS_mode_set(0) breaks FIPS policy and should be a noop, AIUI?
- (FIPS_mod_set(1) is per-process, but if openssl has been unloaded,
- unloaded, then it is obviously repeated on reload. Perhaps dodge the
- second mode set with linked-in mod_ssl?)
+ +1: ylavic, jim, wrowe
*) mod_proxy_hcheck: Don't validate timed out responses.
trunk patch: http://svn.apache.org/r1779574
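Review bot: The new vote line "+1: ylavic, jim, wrowe" replaces the entire -1 rationale, so STATUS no longer carries any trace of the FIPS question and the resolution lives only in the commit log. Consider keeping a one-line note under the vote saying the FIPS_mode_set(0) concern was withdrawn. The log itself states that the process is not operating in a FIPS validated manner while mod_ssl is unconfigured, and a later reader of the restart_leaks entry may want that caveat next to the patch link. With three +1 votes now listed, also check whether the entry should remain under "PATCHES PROPOSED TO BACKPORT FROM TRUNK".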