Konstantin,

On 3/18/14, 4:11 PM, Konstantin Kolinko wrote:
> 2014-03-18 23:46 GMT+04:00 Christopher Schultz <[email protected]>:
>> Mark,
>>
>> On 3/17/14, 8:19 AM, Mark Thomas wrote:
>>> It has been a while since 8.0.3 and the change log is looking rather
>>> long. I've a few things left I want to look at but I expect to be in a
>>> position to tag 8.0.4 late today / early tomorrow.
>>
>> Any objections to adding the fix for
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=56027, now that there
>> has been a tcnative release?
>>
>> I needed a tcnative release to include some support code to allow the
>> APR listener to allow FIPS mode when OpenSSL had already been
>> initialized in FIPS mode before the APR listener tries to enter it.
>> (Wow, that sentence is awful. Read the bug for a long-winded explanation).
>>
>
> According to tc-native changelog, the new function you are calling
> there will be in 1.1.30.
>
> The recent release was of mod_jk, not of tc-native.
As soon as I realized my mistake re: mod_jk vs. tcnative, I tried to post
a recant. For some reason, it was either not sent or not received.
Weird. Anyway, apologies for the confusion. I *am* aware that no
tcnative version has shipped, and therefore this patch is not yet
appropriate.
> (BTW, no announcement article on tomcat.a.o). Thus '-1'.
-1 for what specifically?
> Regarding the patch:
> 1) Why in the "on" case you are calling "SSL.fipsModeGet()"? If you
> hadn't done that, I think it would work with older library versions.
The idea is to avoid attempting to enter FIPS mode if the library is
already in FIPS mode. I didn't know this was possible, but evidently the
whole OS can be put into FIPS mode such that any time OpenSSL is loaded
into a running program, it's already in FIPS mode.
Attempting to enter FIPS mode when already in FIPS mode causes an error
which, if you can't call FIPS_mode() (get), is indistinguishable from
failing to enable FIPS mode.
Thus, I've added a few options regarding what to do given the current
state of FIPS mode versus what the user intends. Please see comment #3
from the bug to see what the general intent is.
> 2) In documentation part: update required version of tc-native in
> description of this feature.
I will add that, but not until I know what version will be required. It
will most likely be 1.1.30 but it may be i.e. 1.1.31 if 1.1.30 never ships.
> 3) Update "recommended"/"required" versions in APRLifecycleListener?
Ditto.
> 4) Code style: position of opening '{'.
Ok.
Thanks,
-chris
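The "check before enter" logic described in the message above, written out as an added example; this is not Tomcat's or tc-native's code. The NativeSsl interface and FakeSsl stand in for the org.apache.tomcat.jni.SSL binding, fipsModeGet() is the call named in the thread, and fipsModeSet(int) with a 1-on-success return is an assumption.

```java
import java.util.Arrays;

public final class FipsModeDecider {

    /** Stand-in for the native SSL binding (assumption, not the real class). */
    public interface NativeSsl {
        int fipsModeGet();          // 1 if OpenSSL is already in FIPS mode, 0 otherwise
        int fipsModeSet(int mode);  // 1 on success, 0 on failure (assumed contract)
    }

    /** Constructed fake binding: starts in the given state and refuses re-entry. */
    static final class FakeSsl implements NativeSsl {
        private int fips;
        FakeSsl(boolean alreadyFips) { fips = alreadyFips ? 1 : 0; }
        public int fipsModeGet() { return fips; }
        public int fipsModeSet(int mode) {
            // Entering FIPS mode while already in it is an error in OpenSSL;
            // without fipsModeGet() it looks exactly like a failed enable.
            if (fips == 1) return 0;
            fips = mode;
            return 1;
        }
    }

    /**
     * FIPSMode "on": make sure OpenSSL ends up in FIPS mode, reusing an
     * existing FIPS state (e.g. an OS-wide FIPS configuration) instead of
     * trying to re-enter it. Any other value is treated as "not requested".
     */
    public static boolean applyFipsMode(NativeSsl ssl, String fipsMode) {
        if (!"on".equals(fipsMode)) {
            return true;                   // nothing requested
        }
        if (ssl.fipsModeGet() == 1) {
            return true;                   // already in FIPS mode: do not re-enter
        }
        return ssl.fipsModeSet(1) == 1;   // genuine enable attempt
    }

    public static void main(String[] args) {
        System.out.println("fresh OpenSSL, FIPSMode=on -> "
                + applyFipsMode(new FakeSsl(false), "on"));          // true
        System.out.println("OS-wide FIPS, FIPSMode=on  -> "
                + applyFipsMode(new FakeSsl(true), "on"));           // true
        // The naive approach (set without get) fails on an OS-wide FIPS system:
        System.out.println("naive set on OS-wide FIPS  -> "
                + (new FakeSsl(true).fipsModeSet(1) == 1));          // false
    }
}
```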
