2014-04-15 5:14 GMT+04:00 <schu...@apache.org>:
> Author: schultz
> Date: Tue Apr 15 01:14:40 2014
> New Revision: 1587379
>
> URL: http://svn.apache.org/r1587379
> Log:
> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
> Add more nuanced support for entering/requiring FIPS mode when using APR
> connector.
>
> Modified:
> tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
> tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties
> tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
> tomcat/trunk/webapps/docs/config/listeners.xml
>
(...)

> Modified: tomcat/trunk/webapps/docs/config/listeners.xml
> URL:
> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/listeners.xml?rev=1587379&r1=1587378&r2=1587379&view=diff
> ==============================================================================
> --- tomcat/trunk/webapps/docs/config/listeners.xml (original)
> +++ tomcat/trunk/webapps/docs/config/listeners.xml Tue Apr 15 01:14:40 2014
> @@ -112,12 +112,22 @@
> </attribute>
>
> <attribute name="FIPSMode" required="false">
> - <p>Set to <code>on</code> to instruct OpenSSL to go into FIPS mode.
> + <p>Set to <code>on</code> to request that OpenSSL be in FIPS mode
> + (if OpenSSL is already in FIPS mode, it will remain in FIPS mode).
> + Set to <code>enter</code> to force OpenSSL to enter FIPS mode (an
> error
> + will occur if OpenSSL is already in FIPS mode).
> + Set to <code>require</code> to require that OpenSSL <i>already</i> be
> + in FIPS mode (an error will occur if OpenSSL is not already in FIPS
> + mode).
> FIPS mode <em>requires you to have a FIPS-capable OpenSSL library
> which
> you must build yourself</em>.
> - FIPS mode also requires Tomcat native library version 1.1.23 or
> later,
> - which <em>must be built against the FIPS-compatible OpenSSL</em>
> library.
> - If this attribute is "on", <b>SSLEngine</b> must be enabled as well.
> + <code>FIPSMode="on"</code> or <code>FIPSMode="require"</code>
> requires
> + Tomcat native library version 1.1.30 or later, while

The text below makes no sense. As you changed TCN_REQUIRED_PATCH in r1587378 to require 1.1.30, Tomcat will refuse to load older versions of TCNative.

> + <code>FIPSMode="enter"</code> can probably be done with Tomcat native
> + library version 1.2.23 or later -- either of which <em>must be built
> + against the FIPS-compatible OpenSSL</em> library.
> + If this attribute is set to any of the above values, <b>SSLEngine</b>
> + must be enabled as well for any effect.
> The default value is <code>off</code>.</p>
> </attribute>
>

Changelog entry for this change and for r1587378 = where?

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
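Review bot: the `enter` sentence in this hunk ("can probably be done with Tomcat native library version 1.2.23 or later") is hedged and cites a version that is not comparable with the "1.1.30 or later" stated two lines earlier for `on` and `require`; reference documentation should state one verified minimum per value, and since the listener now refuses to load anything older than 1.1.30 (r1587378, as noted above), the per-value qualifiers can collapse to a single sentence such as "All three values require Tomcat native library version 1.1.30 or later, which <em>must be built against the FIPS-capable OpenSSL</em> library." The three "an error will occur" clauses should also say what the error means operationally, i.e. whether the listener logs and continues or whether Tomcat startup fails, because an operator choosing `require` is relying on that failure as the enforcement point; an inline `<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="require" />` example would make the "SSLEngine must be enabled as well" dependency concrete. Finally, both this revision and r1587378 need a changelog entry, as already requested.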