Posted to cvs@httpd.apache.org by wr...@apache.org on 2017/03/23 14:50:57 UTC

svn commit: r1788258 - /httpd/httpd/branches/2.4.x/STATUS

Author: wrowe
Date: Thu Mar 23 14:50:56 2017
New Revision: 1788258

URL: http://svn.apache.org/viewvc?rev=1788258&view=rev
Log:
I'm wrong. Reviewing SecurityPolicy (2.0.13 + 1.2.4) at 
https://www.openssl.org/docs/fips/ - using FIPS_mode_set(1) for revalidation
was actually expressly called out in section 3. While mod_ssl is 'unloaded'
(unconfigured) the process is not operating in a FIPS validated manner, but
once the configuration resets FIPS_mode_set(1) it resumes validated behavior.



Modified:
    httpd/httpd/branches/2.4.x/STATUS

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1788258&r1=1788257&r2=1788258&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Thu Mar 23 14:50:56 2017
@@ -172,11 +172,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
                   http://svn.apache.org/r1781190
                   http://svn.apache.org/r1781312
      2.4.x patch: http://home.apache.org/~ylavic/patches/httpd-2.4.x-mod_ssl-restart_leaks-v2.patch
-     +1: ylavic, jim
-     -1: wrowe - FIPS_mode_set(0) breaks FIPS policy and should be a noop, AIUI?
-         (FIPS_mod_set(1) is per-process, but if openssl has been unloaded,
-          unloaded, then it is obviously repeated on reload. Perhaps dodge the
-          second mode set with linked-in mod_ssl?)
+     +1: ylavic, jim, wrowe
 
   *) mod_proxy_hcheck: Don't validate timed out responses.
      trunk patch: http://svn.apache.org/r1779574
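
Review bot: The new "+1: ylavic, jim, wrowe" line on the mod_ssl restart_leaks entry removes the whole -1 comment and leaves no trace in STATUS of why the FIPS objection was withdrawn; the reasoning exists only in this commit's log. Consider keeping a one-line pointer under the vote, for example "wrowe: FIPS -1 withdrawn, see r1788258", so that a later reader of the backport proposal can find the Security Policy section 3 argument. The log also states that the process is not operating in a FIPS validated manner while mod_ssl is unconfigured, up to the point where the configuration calls FIPS_mode_set(1) again; that caveat affects operators who depend on FIPS mode across restarts and would be worth recording with the entry or in the backport's change notes rather than only here.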