Posted to dev@tomcat.apache.org by sc...@apache.org on 2011/11/09 22:34:32 UTC

svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java

Author: schultz
Date: Wed Nov  9 21:34:31 2011
New Revision: 1199980

URL: http://svn.apache.org/viewvc?rev=1199980&view=rev
Log:
Fixed bug #50570 - Allow explicit use of FIPS mode in APR lifecycle listener
- Added "FIPSMode" attribute to AprLifecycleListener that causes OpenSSL to go into FIPS mode


Modified:
    tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
    tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties
    tomcat/trunk/java/org/apache/tomcat/jni/SSL.java

Modified: tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java?rev=1199980&r1=1199979&r2=1199980&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java Wed Nov  9 21:34:31 2011
@@ -29,6 +29,7 @@ import org.apache.juli.logging.LogFactor
 import org.apache.tomcat.jni.Library;
 import org.apache.tomcat.util.ExceptionUtils;
 import org.apache.tomcat.util.res.StringManager;
+import org.apache.tomcat.jni.SSL;
 
 
 
@@ -66,11 +67,13 @@ public class AprLifecycleListener
 
     // ---------------------------------------------- Properties
     protected static String SSLEngine = "on"; //default on
+    protected static String FIPSMode = "off"; // default off, valid only when SSLEngine="on"
     protected static String SSLRandomSeed = "builtin";
     protected static boolean sslInitialized = false;
     protected static boolean aprInitialized = false;
     protected static boolean sslAvailable = false;
     protected static boolean aprAvailable = false;
+    protected static boolean fipsModeActive = false;
 
     protected static final Object lock = new Object();
 
@@ -106,7 +109,7 @@ public class AprLifecycleListener
                         initializeSSL();
                     } catch (Throwable t) {
                         ExceptionUtils.handleThrowable(t);
-                        log.info(sm.getString("aprListener.sslInit"));
+                        log.error(sm.getString("aprListener.sslInit"), t);
                     }
                 }
             }
@@ -138,6 +141,7 @@ public class AprLifecycleListener
         aprInitialized = false;
         sslInitialized = false; // Well we cleaned the pool in terminate.
         sslAvailable = false; // Well we cleaned the pool in terminate.
+        fipsModeActive = false;
     }
 
     private static void init()
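Review bot: `fipsModeActive = false;` clears the Java-side flag, but nothing in this hunk calls `SSL.fipsModeSet(0)` or otherwise confirms that the native library has left FIPS mode. After this point `isFIPSModeActive()` may therefore report false while OpenSSL in the same process is still in FIPS mode. If the flag is meant to track only the listener's own view, a comment such as `// listener state only; the native FIPS state is not reset here` would make that explicit. The enclosing method starts outside the hunk, so whether the native cleanup above it resets FIPS mode cannot be confirmed from here.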
@@ -220,6 +224,7 @@ public class AprLifecycleListener
              //only once per VM
             return;
         }
+
         sslInitialized = true;
 
         String methodName = "randSet";
@@ -237,6 +242,25 @@ public class AprLifecycleListener
         method = clazz.getMethod(methodName, paramTypes);
         method.invoke(null, paramValues);
 
+        if("on".equalsIgnoreCase(AprLifecycleListener.FIPSMode)) {
+            log.info(sm.getString("aprListener.initializingFIPS"));
+
+            int result = SSL.fipsModeSet(1);
+
+            // success is defined as return value = 1
+            if(1 == result) {
+                fipsModeActive = true;
+
+                log.info(sm.getString("aprListener.initializeFIPSSuccess"));
+            } else {
+                // This case should be handled by the native method,
+                // but we'll make absolutely sure, here.
+                log.error(sm.getString("aprListener.initializeFIPSFailed"));
+
+                throw new IllegalStateException(sm.getString("aprListener.initializeFIPSFailed"));
+            }
+        }
+
         sslAvailable = true;
     }
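Review bot: Any `FIPSMode` value other than "on" skips this block without a log line, so a typo or a value such as "true" leaves OpenSSL outside FIPS mode and the startup log gives no hint that the setting was ignored. For a compliance-relevant switch the value should be validated where it is assigned, in `setFIPSMode` (added in the last hunk of this file), for example `if (!"on".equalsIgnoreCase(FIPSMode) && !"off".equalsIgnoreCase(FIPSMode)) throw new IllegalArgumentException(...)` with a new LocalStrings message. Logging the effective mode here in an `else` branch would also let an operator confirm from the log that FIPS was deliberately off. `initializeSSL` starts outside this hunk.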
 
@@ -245,6 +269,10 @@ public class AprLifecycleListener
     }
 
     public void setSSLEngine(String SSLEngine) {
+        // Ensure that the SSLEngine is consistent with that used for SSL init
+        if(sslInitialized)
+            throw new IllegalStateException(sm.getString("aprListener.tooLateForSSLEngine"));
+
         AprLifecycleListener.SSLEngine = SSLEngine;
     }
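Review bot: The new guard in `setSSLEngine` throws whenever `sslInitialized` is true, even when the value being set equals the one already in effect. The backing fields are static, so a second `AprLifecycleListener` configured in the same JVM after SSL init (embedded use, tests, a configuration re-parse) would presumably now fail on a no-op assignment. Throwing only on an actual change keeps the consistency guarantee without that side effect: `if (sslInitialized && !AprLifecycleListener.SSLEngine.equals(SSLEngine))`. The same applies to the guards added to `setSSLRandomSeed` and `setFIPSMode` in the next hunk.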
 
@@ -253,7 +281,24 @@ public class AprLifecycleListener
     }
 
     public void setSSLRandomSeed(String SSLRandomSeed) {
+        // Ensure that the random seed is consistent with that used for SSL init
+        if(sslInitialized)
+            throw new IllegalStateException(sm.getString("aprListener.tooLateForSSLRandomSeed"));
+
         AprLifecycleListener.SSLRandomSeed = SSLRandomSeed;
     }
 
+    public void setFIPSMode(String FIPSMode)
+    {
+        // Ensure that the FIPS mode is consistent with that used for SSL init
+        if(sslInitialized)
+            throw new IllegalStateException(sm.getString("aprListener.tooLateForFIPSMode"));
+
+        AprLifecycleListener.FIPSMode = FIPSMode;
+    }
+
+    public boolean isFIPSModeActive()
+    {
+        return fipsModeActive;
+    }
 }

Modified: tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties?rev=1199980&r1=1199979&r2=1199980&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties Wed Nov  9 21:34:31 2011
@@ -52,6 +52,13 @@ aprListener.aprDestroy=Failed shutdown o
 aprListener.sslInit=Failed to initialize the SSLEngine.
 aprListener.tcnValid=Loaded APR based Apache Tomcat Native library {0}.
 aprListener.flags=APR capabilities: IPv6 [{0}], sendfile [{1}], accept filters [{2}], random [{3}].
+aprListener.initializingFIPS=Initializing FIPS mode...
+aprListener.initializeFIPSSuccess=Successfully entered FIPS mode
+aprListener.initializeFIPSFailed=Failed to enter FIPS mode
+aprListener.tooLateForSSLEngine=Cannot setSSLEngine: SSL has already been initialized
+aprListener.tooLateForSSLRandomSeed=Cannot setSSLRandomSeed: SSL has already been initialized
+aprListener.tooLateForFIPSMode=Cannot setFIPSMode: SSL has already been initialized
+
 asyncContextImpl.requestEnded=The request associated with the AsyncContext has already completed processing.
 containerBase.threadedStartFailed=A child container failed during start
 containerBase.threadedStopFailed=A child container failed during stop

Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1199980&r1=1199979&r2=1199980&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Wed Nov  9 21:34:31 2011
@@ -230,6 +230,15 @@ public final class SSL {
     public static native int initialize(String engine);
 
     /**
+     * Enable/Disable FIPS Mode.
+     *
+     * @param mode 1 - enable, 0 - disable
+     *
+     * @return FIPS_mode_set return code
+     */
+    public static native int fipsModeSet(int mode);
+
+    /**
      * Add content of the file to the PRNG
      * @param filename Filename containing random data.
      *        If null the default file will be tested.
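Review bot: The Javadoc for `fipsModeSet` says only "FIPS_mode_set return code", which leaves the caller to guess which value means success. `AprLifecycleListener.initializeSSL` in this commit treats exactly 1 as success and comments that the native method should handle the failure case itself. The contract should say so, e.g. `@return 1 if FIPS mode was entered; any other value indicates failure`, plus a sentence on whether the native implementation throws instead of returning a failure code. What the native side actually does is not visible in this diff, so the wording should be checked against the tcnative source.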





Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Konstantin,

On 11/9/11 3:39 PM, Konstantin Kolinko wrote:
> 2011/11/10 Christopher Schultz <ch...@christopherschultz.net>:
>>>
>>> There is java.lang.UnsatisfiedLinkError (and not the
>>> IllegalStateException that the code throws).
>>>
>>> Despite this error, Tomcat startup sequence continues.
>>>
>>> I guess that from FIPS PoV the failure to initialize FIPS mode should
>>> be more fatal, regardless of its cause.
>>> Be it because of native lib returning error code or this tc-native
>>> version mismatch.
>>> Maybe even throw an error if SSLEngine was not "on". Now it just
>>> causes the FIPS mode to be ignored.
>>>
>>> I do not know why UnsatisfiedLinkError error was not enough to break it.
>>
>> Because the AprLifecycleListener's code looks like this:
>>
>>        if (Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) {
>>            synchronized (lock) {
>>                init();
>>                if (aprAvailable) {
>>                    try {
>>                        initializeSSL();
>>                    } catch (Throwable t) {
>>                        ExceptionUtils.handleThrowable(t);
>>                        log.error(sm.getString("aprListener.sslInit"), t);
>>                    }
>>                }
>>            }
>>
>>
>> The error is caught, logged, and execution continues.
>>
>> I did not feel that this was an appropriate patch to include changes to
>> exception handling within the AprLivecycleListener.
>>
> 
> Maybe add explicit FIPS mode status check below the above error
> handling? Something like:
> 
> if ("on".equalsIgnoreCase(FIPSMode) && !fipsModeActive) {
>   fail fatally;
> }

I could certainly do that, but I figured that the listener was written
such that it would not fail. I didn't want to alter that behavior just
to add FIPS support.

-chris


Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 11/10/11 6:28 AM, Mark Thomas wrote:
> On 09/11/2011 23:39, Konstantin Kolinko wrote:
>> Maybe add explicit FIPS mode status check below the above error
>> handling? Something like:
>>
>> if ("on".equalsIgnoreCase(FIPSMode) && !fipsModeActive) {
>>   fail fatally;
>> }
> 
> +1

Sounds good to me. What about checking for either FIPS *or* SSL
initialization failure? I suppose that the connector will bomb if SSL
doesn't initialize properly.

-chris


Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java

Posted by Mark Thomas <ma...@apache.org>.
On 09/11/2011 23:39, Konstantin Kolinko wrote:
> Maybe add explicit FIPS mode status check below the above error
> handling? Something like:
> 
> if ("on".equalsIgnoreCase(FIPSMode) && !fipsModeActive) {
>   fail fatally;
> }

+1

Mark



Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/11/10 Christopher Schultz <ch...@christopherschultz.net>:
>>
>> There is java.lang.UnsatisfiedLinkError (and not the
>> IllegalStateException that the code throws).
>>
>> Despite this error, Tomcat startup sequence continues.
>>
>> I guess that from FIPS PoV the failure to initialize FIPS mode should
>> be more fatal, regardless of its cause.
>> Be it because of native lib returning error code or this tc-native
>> version mismatch.
>> Maybe even throw an error if SSLEngine was not "on". Now it just
>> causes the FIPS mode to be ignored.
>>
>> I do not know why UnsatisfiedLinkError error was not enough to break it.
>
> Because the AprLifecycleListener's code looks like this:
>
>        if (Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) {
>            synchronized (lock) {
>                init();
>                if (aprAvailable) {
>                    try {
>                        initializeSSL();
>                    } catch (Throwable t) {
>                        ExceptionUtils.handleThrowable(t);
>                        log.error(sm.getString("aprListener.sslInit"), t);
>                    }
>                }
>            }
>
>
> The error is caught, logged, and execution continues.
>
> I did not feel that this was an appropriate patch to include changes to
> exception handling within the AprLivecycleListener.
>

Maybe add explicit FIPS mode status check below the above error
handling? Something like:

if ("on".equalsIgnoreCase(FIPSMode) && !fipsModeActive) {
  fail fatally;
}

Best regards,
Konstantin Kolinko



Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Konstantin,

On 11/9/11 2:24 PM, Konstantin Kolinko wrote:
> 2011/11/10 Mark Thomas <ma...@apache.org>:
>>>> On 09/11/2011 21:34, schultz@apache.org wrote:
>>>>> Author: schultz Date: Wed Nov  9 21:34:31 2011 New Revision:
>>>>> 1199980
>>>>>
>>>>> URL: http://svn.apache.org/viewvc?rev=1199980&view=rev Log:
>>>>> Fixed bug #50570 - Allow explicit use of FIPS mode in APR
>>>>> lifecycle listener - Added "FIPSMode" attribute to
>>>>> AprLifecycleListener that causes OpenSSL to go into FIPS mode
>>>>
>>>> Isn't this dependent on an tcnative update?
>>>
>>> Yes, it is. I'm updating the documentation for AprLifecycleListener
>>> and I will mention the version dependency in there. If this is not
>>> yet appropriate to release, I can roll-back the patch.
>>
>> What happens if I try this with 1.1.22? If it blows up, that is bad.
>> If it logs an error, that is fine. If it silently carries on, that is bad.
>>
> 
> Just testing this.
> 
> If I do not set FIPSMode property, all is OK. No difference from
> previous behaviour.
> 
> If I set FIPSMode="on", the following happens
> 
> [[[
> 10-Nov-2011 01:13:59.484 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.init Loaded APR based
> Apache Tomcat Native library 1.1.22.
> 10-Nov-2011 01:13:59.500 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.init APR capabilities:
> IPv6 [false], sendfile [true], accept filters [false], random [true].
> 10-Nov-2011 01:13:59.937 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.initializeSSL
> Initializing FIPS mode...
> 10-Nov-2011 01:13:59.937 SEVERE [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
> initialize the SSLEngine.
>  java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.SSL.fipsModeSet(I)I
> 	at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)
> 	at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:248)
> 	at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:109)
> 	at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
> 	at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
> 	at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:389)
> 	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
> 	at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
> 	at org.apache.catalina.startup.Catalina.load(Catalina.java:598)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> 	at java.lang.reflect.Method.invoke(Method.java:597)
> 	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
> 	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
> (...)
> 10-Nov-2011 01:14:01.203 INFO [main]
> org.apache.catalina.startup.Catalina.start Server startup in 1030 ms
> ]]]
> 
> There is java.lang.UnsatisfiedLinkError (and not the
> IllegalStateException that the code throws).
> 
> Despite this error, Tomcat startup sequence continues.
> 
> I guess that from FIPS PoV the failure to initialize FIPS mode should
> be more fatal, regardless of its cause.
> Be it because of native lib returning error code or this tc-native
> version mismatch.
> Maybe even throw an error if SSLEngine was not "on". Now it just
> causes the FIPS mode to be ignored.
> 
> I do not know why UnsatisfiedLinkError error was not enough to break it.

Because the AprLifecycleListener's code looks like this:

        if (Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) {
            synchronized (lock) {
                init();
                if (aprAvailable) {
                    try {
                        initializeSSL();
                    } catch (Throwable t) {
                        ExceptionUtils.handleThrowable(t);
                        log.error(sm.getString("aprListener.sslInit"), t);
                    }
                }
            }


The error is caught, logged, and execution continues.

I did not feel that this was an appropriate patch to include changes to
exception handling within the AprLifecycleListener.

-chris


Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/11/10 Mark Thomas <ma...@apache.org>:
>>> On 09/11/2011 21:34, schultz@apache.org wrote:
>>>> Author: schultz Date: Wed Nov  9 21:34:31 2011 New Revision:
>>>> 1199980
>>>>
>>>> URL: http://svn.apache.org/viewvc?rev=1199980&view=rev Log:
>>>> Fixed bug #50570 - Allow explicit use of FIPS mode in APR
>>>> lifecycle listener - Added "FIPSMode" attribute to
>>>> AprLifecycleListener that causes OpenSSL to go into FIPS mode
>>>
>>> Isn't this dependent on an tcnative update?
>>
>> Yes, it is. I'm updating the documentation for AprLifecycleListener
>> and I will mention the version dependency in there. If this is not
>> yet appropriate to release, I can roll-back the patch.
>
> What happens if I try this with 1.1.22? If it blows up, that is bad.
> If it logs an error, that is fine. If it silently carries on, that is bad.
>

Just testing this.

If I do not set FIPSMode property, all is OK. No difference from
previous behaviour.

If I set FIPSMode="on", the following happens

[[[
10-Nov-2011 01:13:59.484 INFO [main]
org.apache.catalina.core.AprLifecycleListener.init Loaded APR based
Apache Tomcat Native library 1.1.22.
10-Nov-2011 01:13:59.500 INFO [main]
org.apache.catalina.core.AprLifecycleListener.init APR capabilities:
IPv6 [false], sendfile [true], accept filters [false], random [true].
10-Nov-2011 01:13:59.937 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL
Initializing FIPS mode...
10-Nov-2011 01:13:59.937 SEVERE [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
initialize the SSLEngine.
 java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.SSL.fipsModeSet(I)I
	at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)
	at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:248)
	at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:109)
	at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
	at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
	at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:389)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:598)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
(...)
10-Nov-2011 01:14:01.203 INFO [main]
org.apache.catalina.startup.Catalina.start Server startup in 1030 ms
]]]

There is java.lang.UnsatisfiedLinkError (and not the
IllegalStateException that the code throws).

Despite this error, Tomcat startup sequence continues.

I guess that from FIPS PoV the failure to initialize FIPS mode should
be more fatal, regardless of its cause.
Be it because of native lib returning error code or this tc-native
version mismatch.
Maybe even throw an error if SSLEngine was not "on". Now it just
causes the FIPS mode to be ignored.

I do not know why UnsatisfiedLinkError error was not enough to break it.

Best regards,
Konstantin Kolinko



Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java

Posted by Christopher Schultz <ch...@christopherschultz.net>.
All,

On 11/9/11 4:32 PM, Christopher Schultz wrote:
> I see several ways to move forward, here, not necessarily mutually
> exclusive:
> 
> 1. terminate SSL on FIPS error
> 2. set sslInitialized after initialization is complete (including
>    FIPS), not before
> 3. set error state in SSL class to prevent connectors from using
>    an improperly-initialized SSL environment

I forgot one:

4. Have an explicit check in lifecycleEvent() that throws an error
   instead of merely logging the error.

-chris


Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 11/9/11 2:12 PM, Mark Thomas wrote:
> What happens if I try this with 1.1.22?

Here is the behavior under various circumstances:

1.1.23, openssl-fips, FIPSMode!="on" : regular startup
1.1.23, openssl-fips, FIPSMode="on" : enter FIPS mode
1.1.23, openssl, FIPSMode!="on" : regular startup
1.1.23, openssl, FIPSMode="on", error:
   java.lang.Exception: FIPS was not available to tcnative at build
   time. You will need to re-build tcnative against an OpenSSL with
   FIPS.
1.1.22, any combination: UnsatisfiedLinkError followed by SSL connector
        configuration NOT in FIPS mode :(

Honestly, I am surprised that the Connector comes up when
AprLifecycleListener fails to set sslAvailable = true. I think I might
need to shut-down the SSL engine if there are any errors coming back
from setFIPSMode.

I think I might also want to set sslInitialized = true *after* all of
the initialization has actually occurred: AprLifecycleListener is/was
setting sslInitialized=true *before* any initialization actually occurs.

I see several ways to move forward, here, not necessarily mutually
exclusive:

1. terminate SSL on FIPS error
2. set sslInitialized after initialization is complete (including
   FIPS), not before
3. set error state in SSL class to prevent connectors from using
   an improperly-initialized SSL environment

Comments?

-chris


Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java

Posted by Mark Thomas <ma...@apache.org>.

On 09/11/2011 22:09, Christopher Schultz wrote:
> Mark,
> 
> On 11/9/11 2:06 PM, Mark Thomas wrote:
>> On 09/11/2011 21:34, schultz@apache.org wrote:
>>> Author: schultz Date: Wed Nov  9 21:34:31 2011 New Revision:
>>> 1199980
>>> 
>>> URL: http://svn.apache.org/viewvc?rev=1199980&view=rev Log: 
>>> Fixed bug #50570 - Allow explicit use of FIPS mode in APR
>>> lifecycle listener - Added "FIPSMode" attribute to
>>> AprLifecycleListener that causes OpenSSL to go into FIPS mode
>> 
>> Isn't this dependent on an tcnative update?
> 
> Yes, it is. I'm updating the documentation for AprLifecycleListener
> and I will mention the version dependency in there. If this is not
> yet appropriate to release, I can roll-back the patch.

What happens if I try this with 1.1.22? If it blows up, that is bad.
If it logs an error, that is fine. If it silently carries on, that is bad.

Mark



Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 11/9/11 2:06 PM, Mark Thomas wrote:
> On 09/11/2011 21:34, schultz@apache.org wrote:
>> Author: schultz
>> Date: Wed Nov  9 21:34:31 2011
>> New Revision: 1199980
>>
>> URL: http://svn.apache.org/viewvc?rev=1199980&view=rev
>> Log:
>> Fixed bug #50570 - Allow explicit use of FIPS mode in APR lifecycle listener
>> - Added "FIPSMode" attribute to AprLifecycleListener that causes OpenSSL to go into FIPS mode
> 
> Isn't this dependent on an tcnative update?

Yes, it is. I'm updating the documentation for AprLifecycleListener and
I will mention the version dependency in there. If this is not yet
appropriate to release, I can roll-back the patch.

-chris


Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java

Posted by Mark Thomas <ma...@apache.org>.
On 09/11/2011 21:34, schultz@apache.org wrote:
> Author: schultz
> Date: Wed Nov  9 21:34:31 2011
> New Revision: 1199980
> 
> URL: http://svn.apache.org/viewvc?rev=1199980&view=rev
> Log:
> Fixed bug #50570 - Allow explicit use of FIPS mode in APR lifecycle listener
> - Added "FIPSMode" attribute to AprLifecycleListener that causes OpenSSL to go into FIPS mode

Isn't this dependent on a tcnative update?

Mark
