Konstantin,

On 11/9/11 2:24 PM, Konstantin Kolinko wrote:
> 2011/11/10 Mark Thomas <ma...@apache.org>:
>>>> On 09/11/2011 21:34, schu...@apache.org wrote:
>>>>> Author: schultz Date: Wed Nov 9 21:34:31 2011 New Revision:
>>>>> 1199980
>>>>>
>>>>> URL: http://svn.apache.org/viewvc?rev=1199980&view=rev Log:
>>>>> Fixed bug #50570 - Allow explicit use of FIPS mode in APR
>>>>> lifecycle listener - Added "FIPSMode" attribute to
>>>>> AprLifecycleListener that causes OpenSSL to go into FIPS mode
>>>>
>>>> Isn't this dependent on a tcnative update?
>>>
>>> Yes, it is. I'm updating the documentation for AprLifecycleListener
>>> and I will mention the version dependency in there. If this is not
>>> yet appropriate to release, I can roll-back the patch.
>>
>> What happens if I try this with 1.1.22? If it blows up, that is bad.
>> If it logs an error, that is fine. If it silently carries on, that is bad.
>>
>
> Just testing this.
>
> If I do not set FIPSMode property, all is OK. No difference from
> previous behaviour.
>
> If I set FIPSMode="on", the following happens
>
> [[[
> 10-Nov-2011 01:13:59.484 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.init Loaded APR based
> Apache Tomcat Native library 1.1.22.
> 10-Nov-2011 01:13:59.500 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.init APR capabilities:
> IPv6 [false], sendfile [true], accept filters [false], random [true].
> 10-Nov-2011 01:13:59.937 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.initializeSSL
> Initializing FIPS mode...
> 10-Nov-2011 01:13:59.937 SEVERE [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
> initialize the SSLEngine.
> java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.SSL.fipsModeSet(I)I
> at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)
> at
> org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:248)
> at
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:109)
> at
> org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
> at
> org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
> at
> org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:389)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:598)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
> (...)
> 10-Nov-2011 01:14:01.203 INFO [main]
> org.apache.catalina.startup.Catalina.start Server startup in 1030 ms
> ]]]
>
> There is java.lang.UnsatisfiedLinkError (and not the
> IllegalStateException that the code throws).
>
> Despite this error, Tomcat startup sequence continues.
>
> I guess that from FIPS PoV the failure to initialize FIPS mode should
> be more fatal, regardless of its cause.
> Be it because of native lib returning error code or this tc-native
> version mismatch.
> Maybe even throw an error if SSLEngine was not "on". Now it just
> causes the FIPS mode to be ignored.
>
> I do not know why UnsatisfiedLinkError error was not enough to break it.

Because the AprLifecycleListener's code looks like this:

        if (Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) {
            synchronized (lock) {
                init();
                if (aprAvailable) {
                    try {
                        initializeSSL();
                    } catch (Throwable t) {
                        ExceptionUtils.handleThrowable(t);
                        log.error(sm.getString("aprListener.sslInit"), t);
                    }
                }
            }

The error is caught, logged, and execution continues. I did not feel
that this was an appropriate patch to include changes to exception
handling within the AprLifecycleListener.

-chris
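
The fail-open behaviour discussed in this thread, next to a fail-closed alternative, as an added example that is not part of the original message or of Tomcat's code. The class, method and parameter names are hypothetical stand-ins, and the missing native symbol is simulated by throwing UnsatisfiedLinkError directly.

```java
// Added illustration: all names are hypothetical stand-ins, not Tomcat's API.
public class FipsFailClosedDemo {
    // Simulates a native binding that an older native library does not export.
    static void nativeFipsModeSet(boolean libraryHasSymbol) {
        if (!libraryHasSymbol) {
            // The JVM raises this Error (not an Exception) for an unresolved native method.
            throw new UnsatisfiedLinkError("fipsModeSet(I)I");
        }
    }

    // Pattern quoted in the thread: catch Throwable, log, keep starting.
    static boolean startFailOpen(boolean fipsRequested, boolean libraryHasSymbol) {
        try {
            if (fipsRequested) nativeFipsModeSet(libraryHasSymbol);
        } catch (Throwable t) {
            System.err.println("SEVERE Failed to initialize the SSLEngine: " + t);
        }
        return true; // reports "started" although FIPS mode is not active
    }

    // Fail-closed: an explicit FIPS request that cannot be honoured aborts startup.
    static boolean startFailClosed(boolean sslEngineOn, boolean fipsRequested,
                                   boolean libraryHasSymbol) {
        if (!fipsRequested) return true; // nothing was promised, nothing to enforce
        if (!sslEngineOn) {
            throw new IllegalStateException("FIPS mode requested but SSL engine is off");
        }
        try {
            nativeFipsModeSet(libraryHasSymbol);
        } catch (LinkageError | RuntimeException e) {
            throw new IllegalStateException("FIPS mode requested but not initialized", e);
        }
        return true;
    }

    public static void main(String[] args) {
        System.out.println("fail-open, old library: started=" + startFailOpen(true, false));
        try {
            startFailClosed(true, true, false);
        } catch (IllegalStateException e) {
            System.out.println("fail-closed, old library: aborted, cause=" + e.getCause());
        }
        try {
            startFailClosed(false, true, true);
        } catch (IllegalStateException e) {
            System.out.println("fail-closed, SSL engine off: aborted, " + e.getMessage());
        }
    }
}
```

The fail-closed variant catches LinkageError explicitly because UnsatisfiedLinkError is an Error, so a handler written for Exception alone would not see it.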